Professional Documents
Culture Documents
26 January 2009
ii 1424 SHDSL Router Copyright, safety and statements
User and reference manual
Document properties
Version 1.3
Code 550104
Copyright notice
The information and descriptions contained in this publication are the property of OneAccess. Such infor-
mation and descriptions must not be copied or reproduced by any means, or disseminated or distributed
without the express prior written permission of OneAccess.
This publication could include technical inaccuracies or typographical errors, for which OneAccess never
can or shall be held liable. Changes are made periodically to the information herein; these changes will
be incorporated in new editions of this publication. OneAccess may make improvements and/or changes
in the product(s) described in this publication at any time, without prior notice.
Safety requirements
Carefully read the safety instructions, installation precautions and connection precautions as stated in
chapter 2 - Installing and connecting the 1424 SHDSL Router on page 11.
1424 SHDSL Router Copyright, safety and statements iii
User and reference manual
Statements
Hereby, OneAccess declares that this 1424 SHDSL Router complies with the essential requirements
and other relevant provisions of Directive 1999/5/EC.
Hierbij verklaart OneAccess dat deze 1424 SHDSL Router overeenstemt met de essentiële vereisten en
andere relevante bepalingen van Richtlijn 1999/5/EC.
Par la présente, OneAccess déclare que ce 1424 SHDSL Router est en conformité avec les exigences
essentielles et autres articles applicables de la Directive 1999/5/EC.
Hiermit, OneAccess erklärt daß dieser 1424 SHDSL Router in Fügsamkeit ist mit den wesentlichen
Anforderungen und anderen relevanten Bereitstellungen von Direktive 1999/5/EC.
Mediante la presente, OneAccess declara que el 1424 SHDSL Router cumple con los requisitos esen-
ciales y las demás prescripciones relevantes de la Directiva 1999/5/CE.
A OneAccess declara que o 1424 SHDSL Router cumpre os principais requisitos e outras disposições
da Directiva 1999/5/EC.
Col presente, OneAccess dichiara che questo 1424 SHDSL Router è in acquiescenza coi requisiti
essenziali e stipulazioni attinenti ed altre di Direttivo 1999/5/EC.
Με το παρόν η OneAccess δηλώνει ότι το 1424 SHDSL Router είναι συµµορφούµενο µε τις βασικές
απαιτήσεις και µε τις υπόλοιπες σχετικές διατάξες της οδηγίας 1999/5/EC.
iv 1424 SHDSL Router Copyright, safety and statements
User and reference manual
Environmental information
The crossed-out wheeled bin means that within the European Union the product must be taken to separate
collection at the product end-of-life. This applies to the device but also to any accessories marked with this symbol.
Do not dispose of these products as unsorted municipal waste.
If you need more information on the collection points where you can present your end-of-life equipment for
recycling, please contact your local importer.
For Belgium, you can contact rma@oneaccess-net.com.
De doorstreepte container wil zeggen dat binnen de Europese gemeenschap het product voor gescheiden afvalverzameling moet
worden aangeboden aan het einde van de levensduur van het product. Dit geldt voor het toestel, maar ook voor alle toebehoren
die van dit symbool voorzien zijn. Bied deze producten niet aan bij het gewone huisvuil.
Indien u meer informatie wenst over het inzamelpunt waar u afgedankte apparatuur kan aanbieden voor recyclage, gelieve dan
uw lokale importateur te contacteren.
Voor Belgie kan u contact opnemen met rma@oneaccess-net.com.
Le symbole de la poubelle sur roues barrée d'une croix signifie que ce produit doit faire l'objet d'une collecte sélective en fin de vie
au sein de l'Union Européenne. Cette mesure s'applique non seulement à vorte appareil mais également à tout autre accessoire
marqué de ce symbole. Ne jetez pas ces produits dans les ordures ménagères non sujettes au tri sélectif.
Si vous souhaitez plus d'information concernant le point de collecte où vous pouvez présenter vos appareils fin-de-vie afin qu'ils
soient recycles, veuillez contacter votre importateur locale.
Pour la Belgique, vous pouvez prendre contact avec rma@oneaccess-net.com.
Das Symbol der durchgestrichenen Abfalltonne auf Rädern bedeutet dass das Produkt in der Europäischen Union einer
getrennten Mülsammlung zugeführt werden muss. Dies gilt sowohl für das Produkt selbst, als auch für alle mit diesem Symbol
gekennzeichneten Zubehörteile. Diese Produkte dürfen nicht über den unsortierten Hausmüll entsorgt werden.
Falls Sie weitere Auskünfte brauchen im Betracht der Sammelplätze für ausrangierte Apparate, wenden Sie sich bitte an Ihren
örtlichen Importeur.
Für Belgien, bitte kontaktieren sie rma@oneaccess-net.com.
1424 SHDSL Router Preface v
User and reference manual
Documentation set
For all devices, the documentation set currently consists of the following:
Document Description
1424 SHDSL Router manual This is the manual you are reading now.
(this manual) It shows you how to install and connect the 1424 SHDSL Router and
gives you a basic configuration. It also contains a complete descrip-
tion of all the configuration, status, performance and alarm parame-
ters for look-up purposes.
The proxy management (also called Orchid function) parameters are
described in the Orchid function manual.
maintenance and manage- The 1424 SHDSL Router can be maintained and managed by a vari-
ment application manuals ety of maintenance and management tools. Refer to 1.4 - Mainte-
nance and management tools on page 8 for an introduction on these
tools and for a reference to the manual of these tools.
cable documents A wide variety of cables exist to connect the 1424 SHDSL Router.
The Data cables document (PDF) and the Management cables doc-
ument (PDF) describe these cables.
Orchid function manual (PDF/ This manual explains what proxy management is (also called Orchid
CHM) function). It describes how to connect the 1424 SHDSL Router to
other OneAccess devices to be able to manage them. It also gives a
thorough explanation of the proxy management parameters.
All these documents, together with the free maintenance tool TMA and the firmware of the OneAccess
devices, can be found on the OneAccess Access Products distribution CD that is delivered with all
OneAccess products.
User manual shows you how to install and connect the 1424 SHDSL Router. It also gives a
basic configuration of the 1424 SHDSL Router.
Reference manual gives more detailed information on the 1424 SHDSL Router, such as software
download procedures, technical specifications, etc. It also contains a complete
description of all the configuration, status, performance and alarm parameters
for look-up purposes.
Refer to the Table of contents on page x for a detailed overview of this manual.
vi 1424 SHDSL Router Preface
User and reference manual
Typographical conventions
Narrow containment tree objects and attributes of a device when they are mentioned in
the normal text. I.e. when they are not a part of computer input or output.
E.g. Use the sysName attribute in order to …
<Narrow> containment tree objects or attributes or part of them that are variable. I.e.
depending on the product version, used interface, etc. the names of these
objects or attributes are slightly different.
E.g. topObject/<modularIf>/someAttribute means that the name of the object
<modularIf> depends on which modular interface you use. For example, v35 in
case of a V.35 interface, g703 in case of a G.703 interface, etc.
Graphical conventions
Basic attribute a basic attribute in the containment tree of the 1424 SHDSL Router.
Advanced attribute an advanced attribute in the containment tree of the 1424 SHDSL
Router.
Structured attribute a structured attribute within another attribute in the containment tree
of the 1424 SHDSL Router.
At several places in this manual DIP switch tables are shown. To enable you to read such a table in a
correct manner it is explained below.
A DIP switch table has the following layout:
The following table explains the DIP switch configuration table layout:
4 the possible settings of the DIP switch: on and off. The default setting is printed in bold.
At several places in this manual attribute strings are shown. To enable you to read such a string in a
correct manner it is explained below.
An attribute string has the following layout:
1 the attribute icon. It indicates that the string which follows is an attribute string. Refer to
Graphical conventions on page vii for more information.
TDRE version
The Total Dynamic Routing Engine (TDRE) is a feature-rich operating system that guarantees a com-
mon feature set across the different OneAccess product lines and a uniform support by maintenance
and management tools.
This manual describes the features, containment tree and attributes of the TDRE version 12.2.
Audience
This manual is intended for computer-literate people, who have a working knowledge of computing and
networking principles.
Your feedback
Your satisfaction about this purchase is an extremely important priority to all of us at OneAccess. Accord-
ingly, all electronic, functional and cosmetic aspects of this new unit have been carefully and thoroughly
tested and inspected. If any fault is found with this unit or should you have any other quality-related com-
ment concerning this delivery, please submit the Quality Comment Form on our web page at
www.oneaccess-net.com → Contact → Send a quality comment form.
x 1424 SHDSL Router Table of contents
User and reference manual
Table of contents
User manual............................................................................................ 1
1 Introducing the 1424 SHDSL Router ..................................................................3
1.1 General description .................................................................................................... 4
1.2 1424 SHDSL Router family overview ......................................................................... 6
1.3 Overview of features .................................................................................................. 7
1.4 Maintenance and management tools ......................................................................... 8
1.5 Maintenance and management tools connection possibilities ................................. 10
User manual
2 1424 SHDSL Router
User manual
1424 SHDSL Router Chapter 1 3
User manual Introducing the 1424 SHDSL Router
As of TDRE 12.0:
• the operating system has been adapted with an improved buffer management. It makes more effi-
cient use of Mbuf ‘s: there are 2000 normal Mbuf ‘s available, each with a size of 1500 bytes. Short
Mbuf ‘s exist as well, they are 64 bytes each, and are used in cell related switching.
Before TDRE 12.0, the size of the Mbuf ‘s was 220 bytes, with about 14000 Mbuf ‘s in total available.
This has an impact on the overall performance and in particular with some software modules like the
firewall.
In other words, it results in a more efficient use of the Mbuf ‘s, which means the performance is
increased. It must be taken into account however that the total number of available Mbuf ‘s is less
than before.
• a common packet driver is used for HDLC, ATM and ethernet. This results in an increased perform-
ance: per second, more packets can be treated by the 1424 SHDSL Router.
1424 SHDSL Router Chapter 1 5
User manual Introducing the 1424 SHDSL Router
The 1424 SHDSL Router is a secure SHDSL router for high bandwidth applications. The SHDSL multi-
pair interface offers a bandwidth up to 22Mbps over up to 4 copper pairs.
The 1424 SHDSL Router includes a high speed symmetrical bandwidth in various DSL networks and at
various local loop distances. It includes a SHDSL.bis interface with up to 4 copper pairs. This provides
line rates up to 22Mbps on short distances and up to 10Mbps on operator standard loop lengths. The
various pair bonding techniques make it suitable for any type of DSL infrastructure. The 1424 SHDSL
Router supports both ATM and EFM modes in single and multipair topologies.
A dedicated Ethernet interface is available as a backup when the DSL network is not available. Traffic
is automatically routed to the available network. Alternatively this interface can be used for a DMZ zone
(De-Militarised Zone).
Ethernet services
The 1424 SHDSL Router relies on the robust TDRE software, the OneAccess Bridging and Routing
Engine offering advanced layer 2 and layer 3 functions. Ethernet functionalities include Spanning Tree
Protocol, multiple bridge groups and VLAN features such as tagging, switching, QinQ, COS/TOS and
TOS/COS mapping and Ethernet QoS. VLANs and ATM PVCs have the status and statistics character-
istics of a physical interface.
On IP level, the equipment implements different routing protocols such as RIP, OSPF and BGP-4 and
Policy based routing. The 1424 SHDSL Router provides secured Internet access through a stateful
inspection firewall. The business applications can be used based on central databases through IP VPNs.
For this purpose, advanced VPN functions such as L2TP, GRE and IPSec with encryption are standard
included. It provides best-in-class IP Quality of Service features including real-time processing of high
priority, delay sensitive applications and guaranteed bandwidth for selected flows.
As all TDRE routers, the 1424 SHDSL Router is manageable through a variety of maintenance and man-
agement tools. These include:
• A free graphical user interface for local or remote maintenance.
• A customisable Web-configuration utility.
• A CLI to facilitate scripting.
• Easy integration into Network element management platforms such as TMA or HP OpenView.
Technicians or the customer install the units with a standard configuration. Once connected to the net-
work the 1424 SHDSL Router automatically retrieves all customer specific information from the service
provider’s databases and thus becomes ready for the service.
6 1424 SHDSL Router Chapter 1
User manual Introducing the 1424 SHDSL Router
Ethernet ports
Standard
version
Flash
RAM
1424 SHDSLBIS 1P 1 1+4 64MB 32MB
The following tables give an overview of which features are present on the OneAccess devices.
WAN encapsulations
Products 1424
Other features
Feature 1424
Hardware accelerator (HWA) X
DES encryption X
3DES encryption X
ATM CBR service category X
ATM VBR-rt &VBR-nrt service X
ATM OAM Performance Management (PM) X
Statefull inspection firewall & application layer gateway X
ISAKMP, IKE & IPSEC certificates X
BGP4, GRE, native IPSEC X
PPPoE client on the LAN X
Ready for IPv6 X
SSH & HTTPS server X
Customisable JAVA web interface X
Reset button
8 1424 SHDSL Router Chapter 1
User manual Introducing the 1424 SHDSL Router
The 1424 SHDSL Router is manageable in many different ways. This section gives a quick overview of
the various maintenance and management tools.
TMA for HP TMA for HP OpenView is the management application that runs on the widely
OpenView spread network management platform HP OpenView. It combines the easy to use
graphical interface of the stand-alone version of TMA with the advantages and fea-
tures of HP OpenView.
Refer to the TMA for HP OpenView manual (PDF) for more information.
TMA CLI TMA CLI (TMA Command Line Interface) enables you to use its commands in
scripts in order to automate management actions. This is particularly useful in
large networks. TMA CLI is a complementary product to TMA, TMA Element Man-
agement and TMA for HP OpenView.
Refer to the TMA CLI manual (PDF) for more information.
ATWIN ATWIN is a menu-driven user interface. You can read and change all attributes as
with TMA, but in a more basic, textual representation using a VT100 terminal.
Refer to the Maintenance tools manual (PDF) for more information.
CLI CLI is also a Command Line Interface, although not so extensive as TMA CLI.
Experienced users who are familiar with the syntax can access the OneAccess
devices more quickly than with TMA or ATWIN.
Refer to the Maintenance tools manual (PDF) for more information.
Web Interface The Web Interface is an ATWIN alike menu-driven user interface. You can read
and change all attributes as with TMA, but in a more basic representation using a
web browser.
Refer to the Maintenance tools manual (PDF) for more information.
Note that the HTTP interfaces are not only available on port 80, but also on
port 8080. This allows connecting to the HTTP interfaces in case a NAT
service is defined on port 80.
1424 SHDSL Router Chapter 1 9
User manual Introducing the 1424 SHDSL Router
SNMP You can manage the 1424 SHDSL Router through SNMP using any SNMP
browser. The 1424 SHDSL Router supports MIB2 and a private MIB, including
traps.
The private MIB files come with your copy of TMA. After installation of the TMA
data files, the private MIB files are available in directory C:\Program
Files\TMA\snmp1.
The “old” MIB files, from before the SNMPv2 era, can be recognised by the follow-
ing format: <filename>.mib2.
The “new” MIB files can be recognised by the following format:
<filename>_smiv2.mib
Refer to 5.3 - Managing devices using SNMP on page 65 for more information on
MIB ‘s and SNMP. Also refer to 11.11 - SNMP configuration attributes on page 796
and the documentation of your SNMP browser for more information.
Easy Configura- The Easy Configurator allows you to add HTML pages on top of the standard Web
tor Interface by adding a set of specific files on the file system of the 1424 SHDSL
Router. These files can be made either by OneAccess or by the customer itself.
The goal is to offer a simple, custom made web interface which allows only to
change or show those parameters that are relevant for a certain application or cus-
tomer.
Refer to the Maintenance tools manual (PDF) for more information.
Note that the HTTP interfaces are not only available on port 80, but also on
port 8080. This allows connecting to the HTTP interfaces in case a NAT
service is defined on port 80.
1. The first part of the directory path may be different if you did not choose the default path during
the installation of the TMA data files.
2. The filename is product dependent. To determine which MIB file corresponds with which prod-
uct, refer to the models.nms file (located in C:\Program Files\TMA\model1).
10 1424 SHDSL Router Chapter 1
User manual Introducing the 1424 SHDSL Router
The following table gives an overview of all the maintenance and management tools and how you can
connect them with the 1424 SHDSL Router:
Maintenance or manage- Tool - 1424 SHDSL Router con- Tool - management concentra-
ment tool nection tor connection1, 2
CLI X5 X6 X5 X6
ATWIN X5 X6 X5 X6
TMA X X X X
TMA CLI X X X X
SNMP7 X X
Web Interface8 X X
1. Examples of management concentrators are the Orchid 1003 LAN, the 1030 Router series, the
2300 SHDSL series, the 1040 Router series, etc. Refer to their corresponding manuals for
more information on how to set up these devices as management proxy.
2. Not applicable to 1431 and 1432 SHDSL CPE.
3. A serial connection is a connection between the COM port of your PC and the control connec-
tor of the OneAccess device using a male-female DB9 cable.
4. An IP connection is a connection between your PC and the 1424 SHDSL Router over an IP
network.
5. Using a VT100 terminal (emulation program).
6. Using Telnet.
7. Using an SNMP browser
8. Using a web browser
1424 SHDSL Router Chapter 2 11
User manual Installing and connecting the 1424 SHDSL Router
You are advised to read this chapter from the beginning to the end, without skipping any part. By doing
so, your 1424 SHDSL Router will be completely installed and ready for configuration when you reach the
end of this chapter.
• Disconnect the power supply before installing, adjusting or servicing the unit. Always disconnect the
AC input first.
• The external power supply is connected on the rear panel of the device, and may be delivered
together with the 1424 SHDSL Router.
• To connect the power supply, proceed as follows:
- Connect the DC input jack from the power supply to the DC 12V power input on the rear panel of
the device.
- Secure the power supply connection by installing the DC power supply cord into the foreseen clip.
- Connect the power supply to an AC electrical outlet (100-240 VAC). Plugging in the power supply
turns the router on.
• Do not use another type of power supply then the one prescribed by OneAccess.
• Over current Protection: This device requires that the building’s electrical installation is designed for
protection against short-circuit (over-current) protection. A fuse or circuit breaker no larger than 240
VAC, 10A must be used on the phase conductors.
SAFETY WARNING
• To avoid damage to the unit, please observe all procedures described in this chapter.
• It is essential that the earth stud on the back panel is effectively connected to earth. Otherwise, in
case of electrical problems, other devices connected to the 1424 SHDSL Router could be damaged.
Also refer to 2.6.2 - Back panel earth connection on page 21.
Ensure that the unit and its connected equipment all use the same power and ground, to reduce noise
interference and possible safety hazards caused by differences in ground or earth potentials.
1424 SHDSL Router Chapter 2 13
User manual Installing and connecting the 1424 SHDSL Router
2.2 Unpacking
Rough handling during shipping causes most early failures. Before installation, check the shipping car-
ton for signs of damage:
• If the shipping carton is damaged, please place a claim with the carrier company immediately.
• If the shipping carton is undamaged, do not dispose of it in case you need to store the unit or ship it
in the future.
14 1424 SHDSL Router Chapter 2
User manual Installing and connecting the 1424 SHDSL Router
WARNING
Always place the unit in such a way that the air vents are not blocked.
Install the unit in an area free of extreme temperatures, humidity, shock and vibration. Position it so that
you can easily see and access the front panel and its control indicators. Leave enough clearance at the
back for cables and wires. Position the unit within the correct distances for the different accesses and
within 2m of a power outlet.
1424 SHDSL Router Chapter 2 15
User manual Installing and connecting the 1424 SHDSL Router
Procedure
The backpanel of the 1424 SHDSL Router has 2 notches in order to enable wall mounting. Refer to the
figure below, for the position of these notches. By installing two screws at the required distance, the
router can be hung on any vertical surface.
In order to do so, proceed as follows:
Step Action
2 Insert two standard wall plugs in the holes. The plugs should have the following dimen-
sions:
• diameter: 6 mm
• length: < 50 mm
3 Screw in two standard screws in the plugs. Leave a distance of 5 mm between the wall
and the head of the screw. The screws should have the following dimensions:
• diameter: 4 mm
• length: 40 mm
• The head of the screws may have a diameter of maximum 8 mm.
4 Slide the 1424 SHDSL Router over the screws until it touches the wall, and gently push
it down. If necessary, adjust the screws in the notches of the router.
16 1424 SHDSL Router Chapter 2
User manual Installing and connecting the 1424 SHDSL Router
ESD WARNING
The circuit boards are sensitive to electrostatic discharges (ESD) and should be handled with care. It is
advisable to ensure an optimal electrical contact between yourself, the working area and a safety ground
before touching any circuit board. Take special care not to touch any component or connector on the
circuit board.
NOTE
The connectors of the 1424 SHDSL Router should only be connected to the following circuit types:
• SELV (Safety Extra Low Voltage): local connection (e.g. PC to 1424 SHDSL Router) or leased line
inside the building.
• TNV-1 (Telecom Network Voltage): leased line outside the building.
• TNV-2: PSTN from PABX inside the building.
• TNV-3: PSTN from operator PABX outside the building.
18 1424 SHDSL Router Chapter 2
User manual Installing and connecting the 1424 SHDSL Router
This section describes the 1424 SHDSL Router rear panel, so that the user can identify the interface
type and port numbering.
The following gives an overview of this section:
• 2.6.1 - Rear view of the 1424 SHDSL Router on page 19
• 2.6.2 - Back panel earth connection on page 21
1424 SHDSL Router Chapter 2 19
User manual Installing and connecting the 1424 SHDSL Router
The following figure shows the back panel of the 1424 SHDSL Router:
The following table gives an overview of the possible connectors located at the back of the 1424 SHDSL
Router and explains their function:
Label Function
CONSOLE This RJ45 connector is a V.24 DTE interface. This enables you to manage the
1424 SHDSL Router locally. For more information, refer to 18.4 - Console port
specifications on page 1185.
This is the earth stud. Connect the earth wire to this stud. Refer to 2.6.2 - Back
panel earth connection on page 21 for more information.
Contact the appropriate electrical inspection authority or an electrician if you are
uncertain that suitable grounding is available.
For optimum performance, the used line pairs have to be properly twisted.
Refer to 18.1 - SHDSL line specifications on page 1182 for the pin lay-out of this
connector.
LAN1 These RJ45 connectors are the Ethernet LAN connectors. There are 4+1 Ethernet
LAN2 LAN connectors on the 1424 SHDSL Router.
The separate Ethernet interface can be used as main WAN link or as a back-up
WAN link interface. The Ethernet switch is VLAN manageable.
Connect one side of an Ethernet LAN cable (not included) to the LAN connector of
the 1424 SHDSL Router and the other side to an Ethernet network outlet. Each
LAN interface supports 10/100 Mbps auto-sense and auto cross-over.
Refer to 18.2 - LAN interface specifications on page 1183 for the pin lay-out of this
connector.
12VDC-1A This is the power input. Insert the plug of the external power supply in this socket.
Secure the power supply connection by installing the DC power supply cord into
the plastic ring provided on the back panel.
Refer to 18.19 - Power requirements on page 1202 for the power specifications of
the 1424 SHDSL Router.
Safety
It is essential that the earth stud on the back panel is effectively connected to earth. Otherwise, in case
of electrical problems, other devices connected to the 1424 SHDSL Router could be damaged.
Earth Connection
To connect an earth wire to the clinching stud on the back panel, use:
• 2 round M3 washers; these are delivered with the 1424 SHDSL Router.
• 1 M3 nut; this is also delivered with the 1424 SHDSL Router.
• 1 M3 ring tongue; this is not delivered with the 1424 SHDSL Router.
Proceed as follows:
Step Action
2 If not already done so, the earth cable that will be connected to the clinching stud, must
be equipped with an M3 ring tongue.
3 Slide the M3 ring tongue of the earth cable over the clinching stud.
This section gives an overview of the front panel LEDs and what they indicate. The following gives an
overview of this section:
• 2.7.1 - Introducing the front panel LEDs on page 23
• 2.7.2 - LED states on page 24
1424 SHDSL Router Chapter 2 23
User manual Installing and connecting the 1424 SHDSL Router
When all the connections are made and the 1424 SHDSL Router is powered, the LEDs on the front panel
reflect the actual status of the device.
The following figure shows the front panel LED indicators of the 1424 SHDSL Router:
The front panel may be slightly different on specific versions of the 1424 SHDSL Router.
LED states
One front panel LED can reflect different status modes by the way it lights up. The front panel LEDs can
light up as follows:
blinking 50 % The LED is alternating 0,5 seconds ON, and 0,5 seconds OFF.
24 1424 SHDSL Router Chapter 2
User manual Installing and connecting the 1424 SHDSL Router
LAN1 Green • OFF: None of the ports on the Ethernet switch is active.
• ON - Green: At least one of the ports on the Ethernet switch is
active.
• Blinking green: Traffic in progress on at least one of the ports on
the Ethernet switch.
Self test
A few seconds after the power is switched on, the 1424 SHDSL Router performs a series of self-tests
and loads the software into memory (RAM), during which the PWR LED on the front panel blinks.
At the end of the software loading, after about 30 seconds, if:
• the PWR LED remains green continuously, it means that the software initialization was successful.
• the PWR LED blinks, it means that:
- the software was absent,
or,
- there was an error during the software loading process.
26 1424 SHDSL Router Chapter 2
User manual Installing and connecting the 1424 SHDSL Router
1424 SHDSL Router Chapter 3 27
User manual DIP switches of the 1424 SHDSL Router
The 1424 SHDSL Router motherboard is equipped with the following interfaces:
• SHDSL line connector
• Console port
• Managed switch with 4 ports
• Additional Ethernet port
For more information, refer to 2.6.1 - Rear view of the 1424 SHDSL Router on page 19.
1424 SHDSL Router Chapter 3 29
User manual DIP switches of the 1424 SHDSL Router
When you want to change the DIP switch settings, you have to open and close the housing. This section
explains how to do so.
Step Action
1 Disconnect the external power supply; always disconnect the AC input first, then discon-
nect the DC input jack on the device itself.
2 Unscrew both screws at the bottom of the unit and remove them.
3 Slide the cover backwards and remove it, but always keep the following in mind:
Slide the cover backwards by pressing underneath the wall mounting holes, as shown in
the picture below.
30 1424 SHDSL Router Chapter 3
User manual DIP switches of the 1424 SHDSL Router
Step Action
3 Reconnect the external power supply; first, connect the DC input jack on the device itself,
then connect the power supply to the AC mains.
1424 SHDSL Router Chapter 4 31
User manual Maintaining the 1424 SHDSL Router
First, this section introduces TMA. Then it describes how to start a session on the 1424 SHDSL Router.
The following gives an overview of this section:
• 4.1.1 - What is TMA? on page 33
• 4.1.2 - How to connect TMA? on page 33
• 4.1.3 - Connecting with TMA through the control connector on page 34
• 4.1.4 - Connecting with TMA over an IP network on page 36
1424 SHDSL Router Chapter 4 33
User manual Maintaining the 1424 SHDSL Router
TMA is the acronym for Total Maintenance Application. TMA is a free Windows software package that
enables you to maintain the 1424 SHDSL Router, i.e. to access its configuration attributes and look at
status, performance and alarm information using a user friendly graphical user interface.
TMA is an excellent tool for complete control of the OneAccess access devices. When using TMA in
combination with a network management system such as HP OpenView, complete networks can be
managed from one central site.
Consult the TMA manual (PDF) to find out how to install TMA and to get acquainted with the user inter-
face.
You will need a new version of the model file distribution if changes have been made to the attributes of
the 1424 SHDSL Router. The most recent model files and TMA engine can always be downloaded from
the OneAccess web site at http://www.oneaccess-net.com → Download Center.
There are two ways to establish a connection between the computer running TMA and the 1424 SHDSL
Router:
• through a serial connection, i.e. through the control connector of the device. Refer to 4.1.3 - Connect-
ing with TMA through the control connector on page 34.
• through an IP connection, i.e. through the LAN connector of the 1424 SHDSL Router. Refer to 4.1.4
- Connecting with TMA over an IP network on page 36.
34 1424 SHDSL Router Chapter 4
User manual Maintaining the 1424 SHDSL Router
To established a connection between TMA and the 1424 SHDSL Router through the control connector,
proceed as follows:
Step Action
2 Start TMA.
Step Action
8 After a couple of seconds, the attributes of the 1424 SHDSL Router appear in the TMA
window.
36 1424 SHDSL Router Chapter 4
User manual Maintaining the 1424 SHDSL Router
To established a connection between TMA and the 1424 SHDSL Router over an IP network, proceed as
follows:
Step Action
2 Start TMA.
Before you are able to establish a connection over an IP network, you have to con-
figure an IP address and a default gateway in the 1424 SHDSL Router.
You can do this by first connecting TMA to the 1424 SHDSL Router through the control
connector, and then configuring an IP address and a default gateway. Refer to the 5.2 -
Configuring IP addresses on page 53.
Step Action
8 After a couple of seconds, the attributes of the 1424 SHDSL Router appear in the TMA
window.
38 1424 SHDSL Router Chapter 4
User manual Maintaining the 1424 SHDSL Router
This section briefly introduces the terminology concerning the management of a OneAccess device. It
explains terms such as containment tree, group, object, attribute, value and action.
The following gives an overview of this section:
• 4.2.1 - Graphical representation of the containment tree on page 39
• 4.2.2 - Containment tree terminology on page 40
1424 SHDSL Router Chapter 4 39
User manual Maintaining the 1424 SHDSL Router
The most comprehensible graphical representation of the containment tree is given in TMA. The follow-
ing figure depicts the TMA window displaying a containment tree:
Refer to 4.2.2 - Containment tree terminology on page 40 for an explanation of the terms associated with
the containment tree.
40 1424 SHDSL Router Chapter 4
User manual Maintaining the 1424 SHDSL Router
Refer to 4.2.1 - Graphical representation of the containment tree on page 39 for a figure of a containment
tree.
The following table explains the terminology associated with the containment tree:
Term Description
containment tree The containment tree represents the hierarchical structure of the 1424 SHDSL
Router. It is composed of a number of objects that are ordered in a tree. This tree
resembles a Windows directory structure:
• it is also a levelled structure, with nodes which can be expanded or reduced.
• the containment tree objects can be compared with file folders.
• the objects contain attributes like file folders contain files.
parent and child Some objects are not present in the containment tree by default. If you want to use
object the features associated with such an object, then you have to add the object first.
You always add an object under another object. The object you add is called the
child object. The object under which you add this child object is called the parent
object.
Objects which you can add are also often referred to as user-instantiatable objects.
index name Of some objects more than one object is present in the containment tree. The dif-
ferent objects are distinguished from one another by adding an index. E.g. linePair[1]
and linePair[2], where 1 and 2 are the indexes. Also child objects are given an index
(by the user when adding the object).
An index name is also often referred to as index, instance value or instance name.
structured value Some attribute values contain underlying values: a structured value. These values
are displayed in the structured value window. If an attribute contains structured val-
ues, then a bit string, <Table> or <Struct> is displayed after the attribute:
• a bit string is a series of bits. The value of each of these bits can be 0 or 1, on
or off, enabled or disabled.
• a table contains columns and rows. Each column contains an attribute (which,
on its turn, can have a structured value). Each row is an entry in the table.
• a structure contains columns but only one row. A structure could be compared
to an attribute which contains several “sub-attributes”.
A structured value is also often referred to as bit string, table, structure or complex
value.
1424 SHDSL Router Chapter 4 41
User manual Maintaining the 1424 SHDSL Router
Term Description
element An element is an attribute within a structured value. In other words, they could be
considered as “sub-attributes”.
group Groups assemble a set of attributes related by functionality. There are four groups
in TMA, which correspond with the four tabs in the attribute window:
• configuration,
• status,
• performance,
• alarms.
action A group in combination with an object may have actions assigned to them. These
actions are displayed in the action window.
42 1424 SHDSL Router Chapter 4
User manual Maintaining the 1424 SHDSL Router
The following table lists the different objects of the 1424 SHDSL Router containment tree. It also speci-
fies whether the objects are present by default, whether you have to add them yourself or whether they
are added automatically.
> router1424
>> lanInterface1
>> lanInterface2
>> dslInterface
>>> channel[ ]
>>>> atm
>>>>> ima
>>>> efm
>>> line
>>>> linePair[ ]1
>>> repeater[ ]
>>> end2
>> profiles
>>> policy
>>>> traffic
>>>>> ipTrafficPolicy[ ]3
>>>>> bridgingTrafficPolicy[ ]3
>>>> priority
1. In case of a 1424 SHDSL Router 2 pair version, two linePair[ ] objects are present; In case of a
1424 SHDSL Router 4 pair version, four linePair[ ] objects are present.
2. Not present by default. Only appears when setting the eocHandling attribute. Refer to 5.5.3 -
Controlling the standard EOC message exchange on page 81.
3. Not present by default, has to be added. The index name is user defined. Refer to 4.4 - Adding
an object to the containment tree on page 45
1424 SHDSL Router Chapter 4 43
User manual Maintaining the 1424 SHDSL Router
>>>>> priorityPolicy[ ]3
>> bundle
>>> pppBundle[ ]3
>> ip
>>> router
>>>> tunnels
>>>> defaultNat
>>>> nat[ ]3
>>>> manualSA[ ]3
>>>> ikeSA[ ]3
>>>> routingFilter[ ]3
>>>> ospf
>>>>> area
>>>> bgp
>>>>> ePeer[ ]3
>>>>> iPeer[ ]3
>>>>> routeFilter[ ]3
>>>>> routeMap[ ]3
>>>> firewall
>>>> vrrp[ ]3
>>> vrfRouter[ ]3
>> bridge
>>> bridgeGroup
>>> vpnBridgeGroup[ ]3
44 1424 SHDSL Router Chapter 4
User manual Maintaining the 1424 SHDSL Router
>>> accessList[ ]3
>> snmp
>> management
>>> loopBack
>>> usrLoopback[ ]3
1424 SHDSL Router Chapter 4 45
User manual Maintaining the 1424 SHDSL Router
This section explains why and how you can add an object to the containment tree. It then explains why
and how to refer to this object.
The following gives an overview of this section:
• 4.4.1 - Why add an object to the containment tree? on page 46
• 4.4.2 - How to add an object to the containment tree? on page 47
• 4.4.3 - Referring to an added object on page 49
46 1424 SHDSL Router Chapter 4
User manual Maintaining the 1424 SHDSL Router
Some objects are not present in the containment tree by default but you can add them yourself because
…
• in this way the containment tree remains clear and surveyable,
• you possibly do not need the functions associated with such an object,
• you possibly need several of these objects so you can add as many objects as you like.
If you want to use the features associated with such an object, then you have to add the object first.
Section 4.3 - The objects in the 1424 SHDSL Router containment tree on page 42 gives you an overview
of all the objects in the containment tree. It also tells you which objects have to be added before you can
use them.
1424 SHDSL Router Chapter 4 47
User manual Maintaining the 1424 SHDSL Router
The section shows you, for each maintenance tool, how to add an object to the containment tree. The
following section, 4.4.3 - Referring to an added object on page 49, shows you how you can “refer” to this
added object somewhere else in the containment tree.
Step Action
Step Action
Step Action
1 Enter the parent object (e.g. go to the router object and press the enter key).
⇒The ATWIN window shows the sub-objects and attributes of the parent object.
2 Go to the line displaying the string <CREATE INSTANCE> and the name of the object you
want to add (e.g. routingFilter <CREATE INSTANCE>) and press the enter key.
⇒A new window appears, displaying the string Give the instanceValue.
3 Press the enter key and type the index name (i.e. the instance value) for the child object
(e.g. my_filter) and press the enter key again.
⇒The new child object is created (e.g. >.routingFilter [name:my_filter]).
Step Action
1 Enter the parent object (e.g. select the router object and double-click it or click on Open).
⇒The Web Interface window shows the sub-objects and attributes of the parent
object.
2 Select the line displaying the string <CREATE INSTANCE> and the name of the object you
want to add (e.g. routingFilter <CREATE INSTANCE>) and double-click it or click on
Open.
⇒A new window appears, displaying the string Give the instanceValue.
3 Type the index name (i.e. the instance value) for the child object (e.g. my_filter) and click
on exit.
⇒The new child object is created (e.g. >.routingFilter [name:my_filter]).
1424 SHDSL Router Chapter 4 49
User manual Maintaining the 1424 SHDSL Router
If at a certain place in the containment tree you want to apply the function associated with an object you
added, then you have to refer to this object.
Some attributes allow you to enter the index name (i.e. the instance value you assigned to the object) of
an added object. By doing so, the function associated with this object is applied there.
Example
Suppose you create a routingFilter object with the index name my_filter. The containment tree then looks as
follows:
Now, you want to use this filter on the LAN interface. In that case, in the ip/rip structure in the lanInterface
object, enter the index name of the routingFilter object under the element “filter”. This looks as follows:
50 1424 SHDSL Router Chapter 4
User manual Maintaining the 1424 SHDSL Router
The reference part of this manual explains all the attributes of the 1424 SHDSL Router. One chapter
describes one group of attributes:
• chapter 11 - Configuration attributes on page 491,
• chapter 12 - Status attributes on page 817,
• chapter 13 - Performance attributes on page 1013,
• chapte r14 - Alarm attributes on page 1119.
1424 SHDSL Router Chapter 5 51
User manual Basic configuration
5 Basic configuration
This chapter shows you how to configure the very basics of the 1424 SHDSL Router. This will allow you
to access the 1424 SHDSL Router over an IP connection with, for example, TMA. It also explains how
to configure passwords on the 1424 SHDSL Router. Furthermore, there is a section on configuration
actions, i.e. how to activate a configuration, how to load the default configuration, etc. Another section
redirects you to the explanation of the major features of the 1424 SHDSL Router. The last section briefly
explains what to check should you experience trouble when installing, configuring or operating the 1424
SHDSL Router.
The following gives an overview of this chapter:
• 5.1 - What is an interface? on page 52
• 5.2 - Configuring IP addresses on page 53
• 5.3 - Managing devices using SNMP on page 65
• 5.4 - Configuring the SHDSL line on page 75
• 5.5 - Enabling EOC message exchange on page 79
• 5.6 - Configuring passwords on page 87
• 5.7 - Executing configuration actions on page 89
• 5.8 - Troubleshooting the 1424 SHDSL Router on page 93
Refer to the Reference manual on page 489 for a complete overview of all the attributes of the 1424
SHDSL Router.
52 1424 SHDSL Router Chapter 5
User manual Basic configuration
The term interface, as it is used in this manual, can be divided into two groups:
physical A physical interface is an interface to which you can physically connect a cable. So
a physical interface has a physical connector. It also has some configuration
attributes that control the behaviour of the interface.
For example:
• The control interface (CTRL). It has a female 9-pins subD connector to which
you can connect a male 9-pins subD connector for maintenance purposes. It
has configuration attributes such as ctrlPortProtocol, cms2Address, etc.
• The LAN interface (LAN). It has a female RJ45 connector to which you can con-
nect a male RJ45 connector to connect to an Ethernet network. It has configu-
ration attributes such as ip, vlan, etc.
Other examples are the station clock interface, the alarm interfaces, the xDSL line
interfaces, etc.
logical A logical interface is an interface to which you can not physically connect a cable.
So a logical interface has no physical connector. However, it is part of the physical
interface, but on a higher level. One physical interface can “contain” several logical
interfaces. A logical interface also has some configuration attributes that control
the behaviour of the interface.
For example:
• An ATM PVC on an xDSL line. The xDSL line is the physical interface (it has a
physical connector) whereas the ATM PVC is the logical interface (it is located
on a higher level, i.e. layer 2 protocol level). You can have several ATM PVCs
on one xDSL line.
• a VLAN on the LAN interface. The LAN interface is the physical interface and
the VLAN is the logical interface.
Other examples are L2TP tunnels, links in a multi-link bundle, bridge groups, etc.
1424 SHDSL Router Chapter 5 53
User manual Basic configuration
The first thing you have to configure are the IP addresses of the 1424 SHDSL Router. First this section
lists which mechanisms there are to obtain an IP address automatically. Then it shows you, for each
interface, where you can find the IP related parameters. Finally this section explains these IP related
parameters.
The following gives an overview of this section:
• 5.2.1 - Automatically obtaining an IP address on page 54
• 5.2.2 - Where to find the IP parameters? on page 55
• 5.2.3 - Explaining the ip structure on page 56
• 5.2.4 - Configuring an IP address on the LAN interface on page 63
54 1424 SHDSL Router Chapter 5
User manual Basic configuration
The 1424 SHDSL Router supports several protocols to automatically obtain an IP address on its LAN
interface. Refer to 16 - Auto installing the 1424 SHDSL Router on page 1147 for more information on
auto-install.
An IP address that is obtained using a dynamic procedure is not displayed in the configuration window,
but can be found in the status window.
In case of …
• ATM, refer to …
- 6.2.3 - Automatically obtaining IP addresses in ATM on page 112.
- 16.3.2 - Auto-install in case of ATM on page 1157.
• Frame Relay, refer to …
- 6.6.3 - Automatically obtaining IP addresses in Frame Relay on page 152.
• PPP(oA), refer to 6.7.2 - Automatically obtaining IP addresses in PPP on page 165.
An IP address that is obtained using a dynamic procedure is not displayed in the configuration window,
but can be found in the status window.
1424 SHDSL Router Chapter 5 55
User manual Basic configuration
The following table shows where you can find the IP parameters of the different IP interfaces:
Important remark
If you set the configuration attribute mode to bridging, then the settings of the
configuration attribute ip are ignored. As a result, if you want to manage the 1424
SHDSL Router via IP, you have to configure an IP address in the bridgeGroup object
instead: ip.
VLAN on the In the ip structure of the vlan table which is located in the lanInterface object: vlan/ip.
LAN interface
ATM PVC In the ip structure of the pvcTable which is located in the atm object: pvcTable/ip.
L2TP tunnel In the ip structure of the l2tpTunnels table which is located in the tunnels object:
l2tpTunnels/ip.
IPSEC L2TP In the ip structure of the ipsecL2tpTunnels table which is located in the tunnels object:
tunnel ipsecL2tpTunnels/ip.
IPSEC tunnel In the ip structure of the ipsecTunnels table which is located in the tunnels object: ipsec-
Tunnels on page 674
GRE tunnel In the ip structure of the greTunnels table which is located in the tunnels object: greTun-
nels on page 684.
IPSEC GRE tun- In the ip structure of the greTunnels table which is located in the tunnels object: ipsec-
nel GreTunnels on page 687.
Refer to 5.2.3 - Explaining the ip structure on page 56 for a detailed description of the ip structure.
56 1424 SHDSL Router Chapter 5
User manual Basic configuration
Because the ip structure occurs in several objects, it is described here once and referenced where nec-
essary. Refer to 5.2.2 - Where to find the IP parameters? on page 55 for the location of the ip structure.
This section lists all the elements that can be present in the ip structure. However, depending on the inter-
face, it is possible that not all of these elements are present.
Element Description
If you do not explicitly configure a local IP address using the address element,
then it can be learned. Refer to 5.2.1 - Automatically obtaining an IP address
on page 54.
An IP address that is obtained using a dynamic procedure is not displayed in the
configuration window, but can be found in the status window.
Element Description
sNet Use this element to add the interface to a secure net- Default:<opt>
work (SNet) so that it can be controlled by a (virtual) Range: choice, see below
firewall.
The sNet element is a choice element. The first part of the sNet element has the fol-
lowing values:
• name. Select this value if you want to add the interface to
one of the standard secure networks. In the second part
of the sNet element, use the drop-down box to select one
of the standard SNets: corp, dmz or internet.
Note that if you select the value <opt> (default), then the
interface is not added to a secure network.
If you do not explicitly configure a remote IP address using the remote ele-
ment, then it can be learned. Refer to 5.2.1 - Automatically obtaining an IP
address on page 54.
An IP address that is obtained using a dynamic procedure is not displayed in the
configuration window, but can be found in the status window.
58 1424 SHDSL Router Chapter 5
User manual Basic configuration
Element Description
Element Description
What is MTU?
The Maximum Transmission Unit (MTU) is the largest size packet or frame, spec-
ified in octets (eight-bit bytes), that can be sent in a packet- or frame-based net-
work (e.g. the Internet). The Ethernet standard MTU is 1500.
An MTU that is too large may result in retransmissions if the packet encounters a
router that cannot handle that large a packet. An MTU that is too small results in
relatively more header overhead and more acknowledgements that have to be
sent and handled.
The Internet de facto standard MTU is 576, but ISPs often suggest using 1500. For
protocols other than TCP, different MTU sizes may apply.
IP packets with a size larger than the MTU and with the DF (Don’t Fragment)
bit set are dropped and an ICMP destination unreachable (type 3, code 4)
message is sent.
rip Use this element to configure the RIP related param- Default:-
eters of the interface. Range: structure, see below
Refer to 7.5.3 - Explaining the rip structure on page 208 for a detailed description
of the rip structure.
60 1424 SHDSL Router Chapter 5
User manual Basic configuration
Element Description
trafficPolicy Use this element to apply a traffic policy on the routed Default:<empty>
data on the interface. Range: 0 … 24 characters
Do this by entering the index name of the traffic policy you want to use. You can
create the traffic policy itself by adding a trafficPolicy object and by configuring the
attributes in this object.
Example
Example
Element Description
Refer to What is IGMP? and IGMP topology on page 916 for more information on
IGMP.
62 1424 SHDSL Router Chapter 5
User manual Basic configuration
Element Description
The 1424 SHDSL Router only substitutes addresses for the protocols which
are selected in the helperProtocols attribute. Refer to helperProtocols on page 626.
Refer to …
• 7.8 - Configuring address translation on page 225 for more information on NAT.
• 11.9.2 - NAT configuration attributes on page 652 for a detailed description of
the NAT configuration attributes.
Important remark
If you want to enable NAT on an interface but you also want that the inter-
face is inspected by the firewall, then enable NAT in the policies of the firewall and
not in the ip structure of the interface.
When configuring an IP address on the LAN interface, there are two different scenarios:
• The LAN interface mode is bridging (the configuration attribute mode is set to bridging). This is the
default setting.
• The LAN interface mode is routing (the configuration attribute mode is set to routing).
In this case the settings of the configuration attribute ip are ignored. If you want to manage the 1424
SHDSL Router via IP, then you have to configure an IP address in the bridgeGroup object instead: ip.
Suppose you want to assign IP address 10.0.8.210 with subnet mask 255.255.252.0 to the LAN inter-
face, then configure the appropriate attributes as follows:
64 1424 SHDSL Router Chapter 5
User manual Basic configuration
This section defines SNMP, and gives an overview of the different versions.
The following gives an overview of this section:
• 5.3.1 - Introducting SNMP on page 66
• 5.3.2 - What are the SNMP Basic Components? on page 67
• 5.3.3 - SNMP versions on page 68
• 5.3.4 - SNMP entity on page 70
• 5.3.5 - Introducing MIB ‘s on page 73
• 5.3.6 - Explaining the SNMP message format on page 74
• 5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74
66 1424 SHDSL Router Chapter 5
User manual Basic configuration
Currently, three versions of SNMP have been defined: SNMP v1, SNMP v2 and SNMP v3. SNMP v2
makes certain additions and enhancements to the first verion, SNMP v1. SNMP v3 adds security and
remote configuration capabilities.
In practice, SNMP implementations often support multiple versions: typically SNMPv1, SNMPv2c, and
SNMPv3. Refer to RFC 3584 Coexistence between Version 1, Version 2, and Version 3 of the Internet-
standard Network Management Framework.
SNMP v1
• SNMP v1 defines highly structured tables that are used to group the instances of a tabular object (this
is an object that contains multiple variables). The tables are composed of zero or more rows, which
are indexed in a way that allows SNMP to retrieve or alter an entire row with a single Get, GetNext,
or Set command.
• SNMPv1 is the initial implementation of the SNMP protocol. It operates over protocols such as User
Datagram Protocol (UDP), Internet Protocol (IP), OSI Connectionless Network Service (CLNS).
SNMPv1 is widely used and is the de facto network-management protocol in the Internet community.
• Version 1 has been criticized for its poor security. Authentication of clients is performed only by a
community string, in effect a type of password, which is transmitted in cleartext.
SNMP v2
• SNMP v2 makes certain additions and enhancements to SNMPv1, such as including bit strings, net-
work addresses, and counters. Bit strings are defined only in SNMPv2 and comprise zero or more
named bits that specify a value. Network addresses represent an address from a particular protocol
family. SNMPv1 supports only 32-bit IP addresses, but SNMPv2 can support other types of
addresses as well. Counters are non-negative integers that increase until they reach a maximum
value and then return to zero. In SNMPv1, a 32-bit counter size is specified. In SNMPv2, 32-bit and
64-bit counters are defined.
• Evolutions within SNMP v2 are:
- Simple Network Management Protocol version 2 (RFC 1441–RFC 1452), also known as SNMP
v2 or SNMP v2p, revises version 1 and includes improvements in the areas of performance, secu-
rity, confidentiality, and manager-to-manager communications. It introduced GETBULK, an alter-
native to iterative GETNEXTs for retrieving large amounts of management data in a single
request. However, the new party-based security system in SNMP v2 was not widely accepted.
- Community-Based Simple Network Management Protocol version 2, or SNMP v2c, is defined in
RFC 1901–RFC 1908. In its initial stages, this was also informally known as SNMP v1.5. SNMP
v2c comprises SNMP v2 without the controversial new SNMP v2 security model, using instead
the simple community-based security scheme of SNMP v1. While officially only a Draft Standard,
this is widely considered as the de facto SNMP v2 standard.
- User-Based Simple Network Management Protocol version 2, or SNMP v2u, is defined in RFC
1909–RFC 1910. This is a compromise that attempts to offer greater security than SNMP v1, but
without the high complexity of SNMP v2. A variant of this was commercialized as SNMP v2*, and
the mechanism was eventually adopted as one of two security frameworks in SNMP v3.
1424 SHDSL Router Chapter 5 69
User manual Basic configuration
SNMP v3
Each SNMP entity, or SNMP device, consists of an SNMP engine and one or more associated applica-
tions. The following figure shows the components of an SNMP entity.
SNMP engine
An SNMP engine provides services for sending and receiving messages, authenticating and encrypting
messages, and controlling access to managed objects. There is a one-to-one association between an
SNMP engine and the SNMP entity which contains it.
The engine contains:
• a Dispatcher
• a Message Processing Subsystem
• a Security Subsystem
• an Access Control Subsystem
snmpEngineId
Dispatcher
There is only one dispatcher in an SNMP engine. It allows for concurrent support of multiple versions of
SNMP messages in the SNMP engine. It does so by:
• sending and receiving SNMP messages to and from the network.
• determining the version of an SNMP message and interacting with the corresponding Message
Processing Model.
• providing an abstract interface to SNMP applications for delivery of a PDU to an application.
• providing an abstract interface for SNMP applications that allows them to send a PDU to a remote
SNMP entity.
The Message Processing Subsystem is responsible for preparing messages for sending, and extracting
data from received messages. It might contain multiple Message Processing Models.
Each Message Processing Model defines the format of a particular version of an SNMP message and
coordinates the preparation and extraction of each such version-specific message format.
Security Subsystem
The Security Subsystem provides security services such as the authentication and privacy of messages
and potentially contains multiple Security Models. It might contain multiple Security Models.
A Security Model specifies the threats against which it protects, the goals of its services, and the security
protocols used to provide security services such as authentication and privacy.
A Security Protocol specifies the mechanisms, procedures, and MIB objects used to provide a security
service such as authentication or privacy.
72 1424 SHDSL Router Chapter 5
User manual Basic configuration
The Access Control Subsystem provides authorization services by means of one or more Access Control
Models.
An Access Control Model defines a particular access decision function in order to support decisions
regarding access rights.
Applications
Every SNMP agent has an address book of all its objects, called the MIB or Management Information
Base. A MIB is a collection of information that is organized hierarchically. MIBs are comprised of man-
aged objects, and are identified by object identifiers:
• A managed object (sometimes called a MIB object, an object, or a MIB) is one of any number of spe-
cific characteristics of a managed device.
• An object identifier (or object ID or OID) uniquely identifies a managed object in the MIB hierarchy.
In an SNMP agent, parameters are arranged in a tree. SNMP uses OID ‘s to specify the exact param-
eter to set or get in the tree.
The MIB provides the name, OID, data type, read/write permissions, and a brief description for each
object in an SNMP agent.
• The release of SNMPv2 involves SNMP private MIB files that are different from the ones before
TDRE 12.0. Both versions however may co-exist in a network.
• The private MIB files come with your copy of TMA. After installation of the TMA data files, the private
MIB files are available in directory C:\Program Files\TMA\snmp1.
The “old” MIB files, from before the SNMPv2 era, can be recognised by the following format:
<filename>.mib.
The “new” MIB files can be recognised by the following format: <filename>_smiv2.mib
1. The first part of the directory path may be different if you did not choose the default path during
the installation of the TMA data files.
74 1424 SHDSL Router Chapter 5
User manual Basic configuration
The SNMP message format specifies which fields are included in the message and in which order. The
entire SNMP message is a Sequence of three smaller fields:
• the SNMP version. This field indicates the version of the SNMP message.
• the SNMP community string. This is used as a password in the SNMP communication.
• the SNMP PDU. The PDU is a complex data type made up of several smaller fields and contains the
actual body of an SNMP message.
With regards to SNMPv2 and SNMPv3, there are 2 new attributes in TMA that need explaining here:
snmpIndex and snmpIndexOffset:
• snmpIndex. This is a unique number, assigned to each individual object in the containment tree.
• snmpIndexOffset. With this attribute, the snmpIndex can be corrected in order to let it keep the same value
as before, after a manually added object has been removed from the containment tree. Refer to the
following example:
Within the router subtree, when Filter2 is removed, Filter3 would normally get snmpIndex 1062.
With snmpIndexOffset set to 1 for Filter3 however, the snmpIndex of Filter3 remains 1063.
1424 SHDSL Router Chapter 5 75
User manual Basic configuration
When you want to establish a line connection successfully, you have to configure some line attributes.
This section shows you which line attributes are essential. It also gives more information on how to select
a line speed (range). Then it explains the concept power back-off. Finally it explains how to configure the
Embedded Operations Channel (EOC) handling.
The following gives an overview of this section:
• 5.4.1 - Essential SHDSL line configuration attributes on page 76
• 5.4.2 - Selecting an SHDSL line speed (range) on page 77
• 5.4.3 - Power back-off on page 78
• 5.4.4 - Compatibility with other SHDSL devices on page 78
Important remarks
The following must be taken into account when configuring the SHDSL line:
• When using ATM as encapsulation on the SHDSL line, the following line pair speeds are supported:
- Single pair: all speeds are supported.
- Dual pair: all speeds are supported.
- Three pair: up to 5312Mbits/s per line pair is supported.
- Four pair: up to 3840Mbits/s per line pair supported.
This basically means that, in all cases, a maximum total line speed of up to 16 Mbit/s is supported
when using ATM.
Refer to 6.2 - Configuring ATM encapsulation on page 97 for more information about ATM.
• When using EFM as encapsulation on the SHDSL line, linePair1 must be configured on the central
device. As long as this is not the case, the EFM datapath can never be up.
Refer to 6.5 - Configuring EFM encapsulation on page 141 for more information about EFM.
76 1424 SHDSL Router Chapter 5
User manual Basic configuration
To establish a line connection successfully, it is essential to set the following configuration attributes cor-
rect:
region on page 581 For correct operation, select the correct SHDSL
standard. Normally, the auto setting should suffice.
maxLinePairSpeed Use this attribute to set the highest line speed the
1424 SHDSL Router may select.
Refer to 11.6 - SHDSL line configuration attributes on page 578 for a complete overview of the line con-
figuration attributes.
1424 SHDSL Router Chapter 5 77
User manual Basic configuration
The 1424 SHDSL Router features auto speed negotiation according to ITU-T G.994.1. During this nego-
tiation the 1424 SHDSL Router selects a speed within the range from the minimum speed up to the max-
imum speed as set with the minLinePairSpeed and maxLinePairSpeed attributes.
Important remark
In case of a 1424 SHDSL Router 2 or 4 pair version, define a speed range either on the central or on the
remote 1424 SHDSL Router, but not on both. Else the line pairs could train at a different speed which is
not allowed.
If you set the minLinePairSpeed and maxLinePairSpeed attribute to the same value, then the 1424 SHDSL
Router operates at a fixed speed.
Fall-back speed
When you define a speed range, the 1424 SHDSL Router will always try to operate at the maximum
speed. If the remote does not allow that speed or the signal quality deteriorates, then the 1424 SHDSL
Router tries to select the second speed down the range. If also this speed fails, the 1424 SHDSL Router
again lowers its speed. It does this until it reaches the minimum speed.
Modulation
The 1424 SHDSL Router features power back-off. Power back-off is a part of the ITU-T G.991.2 SHDSL
recommendation. It reduces the maximum transmit power level if the line conditions are sufficiently good
to operate at a lower transmit level.
Power back-off is performed by default (no configuration attribute). During the ITU-T G.994.1 hand-
shake, the two sides of the line mutually agree on the transmit level. The transmit level is lowered
between 0 and 6 dB in steps of 1dB.
The 1424 SHDSL Router can be used in combination with other (OneAccess) SHDSL devices. The doc-
ument “Interoperability for OneAccess SHDSL products” (PDF) gives an overview of the interoperability.
1424 SHDSL Router Chapter 5 79
User manual Basic configuration
This section introduces EOC message exchange and shows you how to enable this feature.
The following gives an overview of this section:
• 5.5.1 - Standard versus proprietary EOC message exchange on page 80
• 5.5.2 - Controlling the proprietary EOC message exchange on page 80
• 5.5.3 - Controlling the standard EOC message exchange on page 81
• 5.5.4 - Which standard EOC information is retrieved? on page 83
80 1424 SHDSL Router Chapter 5
User manual Basic configuration
On the OneAccess SHDSL devices you can distinguish two types of EOC message exchange:
• standard EOC message exchange. These are the messages as defined in the SHDSL standard
G.991.2. They are sent through the Embedded Operations Channel (EOC).
• proprietary EOC message exchange. This is the proprietary O10 management protocol. This is also
sent through the Embedded Operations Channel (EOC).
The proprietary EOC message exchange can be controlled by the configuration attribute management on
page 589. The management attribute has the following values:
Value Description
transparent No management data is forwarded over the SHDSL line. The data is passed trans-
parently over the line.
o10Management This forwards the proprietary OneAccess O10 protocol over the SHDSL line. This
allows you to manage the remote SHDSL device (and possibly other OneAccess
devices connected to the SHDSL device).
pathManagement This forwards path management information over the SHDSL line. This allows you
to manage complete paths instead of managing individual devices (i.e. elements).
For more information on path management, refer to the TMA Path Management
manual (PDF).
o10-PathManage- This forwards both the proprietary OneAccess O10 protocol as the path manage-
ment ment information over the SHDSL line.
1424 SHDSL Router Chapter 5 81
User manual Basic configuration
The standard EOC message exchange can be controlled by the configuration attribute eocHandling on
page 589. The eocHandling attribute has the following values:
Value Description
passive The 1424 SHDSL Router does not send any standard EOC messages. However,
the 1424 SHDSL Router does respond on standard EOC messages it receives.
Also, after getting into data state, no proprietary EOC messages will be sent for the
first 2 minutes, unless the 1424 SHDSL Router received a OneAccess specific
frame from the other side (e.g. O10 data, or a test or configuration frame).
This is the preferred value when connecting the 1424 SHDSL Router to the
2300 Series.
none Except for discovery probes, the 1424 SHDSL Router does not send standard
EOC messages. However, the 1424 SHDSL Router does respond on standard
EOC messages it receives.
discovery The 1424 SHDSL Router “scans” the SHDSL line. For every device it discovers, it
adds an object to the containment tree. Refer to Discovering devices on the
inventory
SHDSL line.
info
Then the 1424 SHDSL Router retrieves information from these devices and dis-
plays it in the corresponding objects. Exactly which information is retrieved
depends on the setting of the eocHandling attribute. Refer to 5.5.4 - Which standard
EOC information is retrieved? on page 83.
alarmConfiguration Also in this case the 1424 SHDSL Router “scans” the SHDSL line, adds the objects
to the containment tree and retrieves information from the devices. Refer to Dis-
covering devices on the SHDSL line and 5.5.4 - Which standard EOC information
is retrieved? on page 83.
Additionally, the central1 SHDSL device forces the remote2 SHDSL device to use
the link alarm thresholds lineAttenuationOn and signalNoiseOn as configured on the
central device. In other words, the settings of the lineAttenuationOn and signalNoiseOn
on the central device overrule those of the remote device.
1. The central device is the device on which the channel attribute is set to central.
2. The remote device is the device on which the channel attribute is set to remote.
82 1424 SHDSL Router Chapter 5
User manual Basic configuration
When you change the eocHandling attribute from none or passive to any other value, the 1424 SHDSL
Router starts “scanning” the SHDSL line in order to determine which devices are present between itself
and its remote counterpart.
So in this case, when the scan is finished, an end object is added to the containment
tree1 on the same level as the line object. This end object represents the remote
counterpart.
1. It can take up to 5 minutes before the new objects appear in the containment tree.
1424 SHDSL Router Chapter 5 83
User manual Basic configuration
As said in 5.5.3 - Controlling the standard EOC message exchange on page 81, exactly which standard
EOC information is retrieved from the remote SHDSL device(s) depends on the setting of the eocHandling
attribute.
This section gives an overview in which case which information is retrieved:
• Standard EOC status information on page 84
• Standard EOC performance information on page 85
• Standard EOC alarm information on page 86
Standard EOC status information Does the attribute or element display relevant information in case eocHandling is set to … ?
line eocAlarmThresholds No. The value is • On the central1: yes. The values are those as set in the linkA- Yes. The values are
(lineAttenuation, signal- always 0.0. larmThresholds attribute. those as set in the linkA-
84 1424 SHDSL Router
Noise) • On the remote2: no. The value is always 0.0. larmThresholds attribute
on the central device.3
numDiscoveredRepeaters Yes.
eocSoftVersion Yes.
shdslVersion Yes.
eocState Yes.
eocAlarmThresholds No. The value is always 0.0. Yes. The values are Yes. The values are
(lineAttenuation, signal- those as set in the linkA- those as set in the linkA-
Noise) larmThresholds attribute larmThresholds attribute
on the remote device. on the central device.
repeater[ ]/linePair[ ] lineAttenuation No repeater[ ] or No. The value is always 0.0. Yes. The values are the actual line attenuation
or end object is cre- and signal noise as measured on the remote
signalNoise
ated. device.
end/linePair[ ]
1. The central device is the device on which the channel attribute is set to central.
2. The remote device is the device on which the channel attribute is set to remote.
Basic configuration
Chapter 5
3. Refer to 5.5.3 - Controlling the standard EOC message exchange on page 81 for more information on the alarmConfiguration value.
Standard EOC performance information Does the attribute or element display relevant information in case eocHandling is set to … ?
repeater[ ]/linePair[ ] lineParameters No repeater[ ] or No. The value is always 0.0. Yes. The values are the same as those on the
or end object is cre- remote device.
performance
1424 SHDSL Router
h24Performance
d7LineParameters
d7Performance
Basic configuration
Chapter 5 85
Standard EOC alarm information Does the attribute or element display relevant information in case eocHandling is set to … ?
line/linePair[ ] lineAttenuation The thresholds as configured in the linkAlarmThresholds attribute on the local device The thresholds as con-
are used to generate the alarms. figured in the linkAlarm-
signalNoise
86 1424 SHDSL Router
Thresholds attribute on
the central1 device are
used to generate the
alarms2.
repeater[ ]/linePair[ ] lineAttenuation No repeater[ ] or No alarms are generated. The thresholds as con- The thresholds as con-
or end object is cre- figured in the linkAlarm- figured in the linkAlarm-
signalNoise
ated. Thresholds attribute on Thresholds attribute on
end/linePair[ ]
the local device are the central device are
used to generate the used to generate the
alarms. alarms.
1. The central device is the device on which the channel attribute is set to central.
2. Refer to 5.5.3 - Controlling the standard EOC message exchange on page 81 for more information on the alarmConfiguration value.
Basic configuration
Chapter 5
1424 SHDSL Router Chapter 5 87
User manual Basic configuration
This section shows you how to create a (list of) password(s) with associated access level in the security
table. It also explains how to correct the security table in case of error or in case you forgot your pass-
word. Furthermore, this section shows you how to enter the passwords in the different maintenance
tools.
The following gives an overview of this section:
• 5.6.1 - Creating passwords in the security table on page 88
• 5.6.2 - Entering passwords in the different management tools on page 88
88 1424 SHDSL Router Chapter 5
User manual Basic configuration
In order to avoid unauthorised access to the 1424 SHDSL Router and the network you can create a list
of passwords with associated access levels in the security table. Do this using the security attribute. Refer
to security on page 505.
Now that you created a (list of) password(s) in the 1424 SHDSL Router, you have to enter these pass-
words every time you want to access the 1424 SHDSL Router with one of the maintenance or manage-
ment tools.
The following table explains how to enter passwords in the different maintenance or management tools:
TMA CLI, TMA for HP Use the application TmaUserConf.exe to create a TMA user and assign a
OpenView and TMA password to this user. The password should correspond with a password
Element Management configured in the device.
Refer to the manual of TMA CLI manual (PDF), TMA for HP OpenView man-
ual (PDF) or TMA Element Management manual (PDF/CHM) for more infor-
mation.
CLI You are prompted to enter the password when the session starts.
ATWIN You are prompted to enter the password when the CLI session starts. Then
you can start an ATWIN session.
Web Interface You are prompted to enter the password when the session starts.
SNMP Define the password as community string. If no passwords are defined, then
you can use any string as community string.
TML Enter the password after the destination filename. Separate password and
filename by a ‘?’.
Example: tml –fsourcefile@destinationfile?pwd
(T)FTP Enter the password after the destination filename. Separate password and
filename by a ‘?’.
Example: put sourcefile destinationfile?pwd
1424 SHDSL Router Chapter 5 89
User manual Basic configuration
This section shows you how to execute actions on the configuration. The following gives an overview of
this section:
• 5.7.1 - What are the different configuration types? on page 90
• 5.7.2 - Activating the configuration on page 91
• 5.7.3 - Loading the default configuration on page 91
• 5.7.4 - Loading the preconfiguration on page 92
90 1424 SHDSL Router Chapter 5
User manual Basic configuration
This section explains the different configuration types that are present in the 1424 SHDSL Router.
When you configure the 1424 SHDSL Router, the following happens:
1 Connect the computer running the mainte- The non-active configuration is displayed
nance tool to the 1424 SHDSL Router. on the screen.
3 Complete the modifications on the non- The non-active configuration has to be acti-
active configuration. vated.
As explained in section 5.7.1 - What are the different configuration types? on page 90, when you finished
configuring the 1424 SHDSL Router you have to activate the configuration changes you made.
In case of …
• TMA, click on the TMA button Send all attributes to device: .
• any other maintenance tool than the graphical user interface based TMA (e.g. ATWIN, CLI, Web
Interface, EasyConnect terminal, TMA CLI), then execute the Activate Configuration action.
If you install the 1424 SHDSL Router for the first time, all configuration attributes have their default val-
ues (except if a preconfiguration is present, refer to 5.7.4 - Loading the preconfiguration on page 92). If
the 1424 SHDSL Router has already been configured but you want to start from scratch, then you can
revert to the default configuration.
You can load the default configuration using the Load Default Configuration …
• action. Refer to Load Default Configuration on page 507.
92 1424 SHDSL Router Chapter 5
User manual Basic configuration
In some cases, the 1424 SHDSL Router is preconfigured when it leaves the factory. In that case a file
named “precfg.cms” is present on the file system1. This means that not all attributes have their default
values, but some will have a preconfigured value. Now, if the 1424 SHDSL Router has already been con-
figured a couple of times, then you have the possibility to revert to the preconfiguration.
You can load the preconfiguration using the Load Preconfiguration action. Refer to Load Preconfiguration on
page 507.
Note that if no preconfiguration is present (i.e. the precfg.cms file is not present on the file system), then
this action does nothing.
1. If this file is not present, then no preconfiguration is present. If you want, you could create your
own preconfiguration by placing a custom made “precfg.cms” configuration file on the file sys-
tem.
1424 SHDSL Router Chapter 5 93
User manual Basic configuration
If you experience trouble when installing, configuring or operating the 1424 SHDSL Router, then check
the following:
Check Description
connections Are all the necessary cables connected to the 1424 SHDSL Router? Are they con-
nected to the correct connectors of the 1424 SHDSL Router? Are they connected
properly? Did you use the correct cables (straight, crossed, …)?
Refer to 2.6 - Connecting the 1424 SHDSL Router on page 18.
other devices Are the devices that are connected to the 1424 SHDSL Router working properly
(are they powered, are they operational, …)?
LEDs What indicate the LEDs of the 1424 SHDSL Router? Do they indicate a fault con-
dition?
Refer to 2.7 - The front panel LED indicators on page 22.
messages What messages are displayed in the messages table? This table displays informa-
tive and error messages.
Refer to router1424/messages on page 829.
status What indicate the status attributes of the 1424 SHDSL Router? What is the status
of the different interfaces (up, down, testing, …)?
Refer to 12 - Status attributes on page 817.
performance What indicate the performance attributes of the 1424 SHDSL Router? What is the
performance of the different interfaces (does the data pass the interface, is the
interface up or down, when did it go up or down, …)?
Refer to 13 - Performance attributes on page 1013.
alarms What indicate the alarm attributes of the 1424 SHDSL Router? What is the alarm
status of the different interfaces (link down, errors, …)?
Refer to 14 - Alarm attributes on page 1119.
94 1424 SHDSL Router Chapter 5
User manual Basic configuration
1424 SHDSL Router Chapter 6 95
User manual Configuring the WAN encapsulation protocols
Depending on the device, some protocols may or may not be present. Refer to the detailed features
overview.
Refer to the Reference manual on page 489 for a complete overview of the attributes of the 1424 SHDSL
Router.
96 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
On the SHDSL line, you can choose between several encapsulation protocols. So first select the encap-
sulation protocol you want to use. Do this using the encapsulation attribute. Refer to encapsulation on page 531.
Once you selected an encapsulation protocol you can configure it as described in this chapter.
1424 SHDSL Router Chapter 6 97
User manual Configuring the WAN encapsulation protocols
This section introduces the ATM encapsulation protocol and gives a short description of the attributes
you can use to configure this encapsulation protocol.
The following gives an overview of this section:
• 6.2.1 - Introducing ATM on page 98
• 6.2.2 - Configuring ATM PVCs on page 110
• 6.2.3 - Automatically obtaining IP addresses in ATM on page 112
• 6.2.4 - Configuring IP addresses in ATM on page 113
• 6.2.5 - Configuring the VPI and VCI on page 114
• 6.2.6 - Configuring UBR on page 115
• 6.2.7 - Configuring VBR-nrt on page 116
• 6.2.8 - Configuring VBR-rt on page 117
• 6.2.9 - Configuring CBR on page 118
• 6.2.10 - ATM PVC bandwidth assignment on page 119
• 6.2.11 - Configuring bridged/routed Ethernet/IP over ATM (RFC 2684) on page 121
• 6.2.12 - Configuring Classical IP (IPoA) on page 122
• 6.2.13 - Configuring PPP over ATM (PPPoA) on page 123
• 6.2.14 - Configuring PPP over Ethernet (PPPoE) on page 124
98 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
What is ATM?
ATM is a cell-switching and multiplexing technology that combines the benefits of circuit switching (guar-
anteed capacity and constant transmission delay) with those of packet switching (flexibility and efficiency
for intermittent traffic). It provides scalable bandwidth. Because of its asynchronous nature, ATM is more
efficient than synchronous technologies, such as time-division multiplexing (TDM).
With TDM, each user is assigned a time slot, and no other station can send in that time slot. If a station
has much data to send, it can send only when its time slot comes up, even if all other time slots are
empty. However, if a station has nothing to transmit when its time slot comes up, the time slot is sent
empty and is wasted. Because ATM is asynchronous, time slots are available on demand with informa-
tion identifying the source of the transmission contained in the header of each ATM cell.
ATM makes use of 53 byte cells; each cells contains:
• a 5 byte header.
• 48 bytes of payload.
ATM networks are fundamentally connection-oriented, which means that a virtual channel must be set
up across the ATM network prior to any data transfer. (A virtual channel is roughly equivalent to a Per-
manent Virtual Circuit or PVC.)
Two types of ATM connections exist:
• virtual paths, which are identified by Virtual Path Identifiers (VPIs).
• virtual channels, which are identified by the combination of a VPI and a Virtual Channel Identifier
(VCI).
A virtual path is a bundle of virtual channels, all of which are switched transparently across the ATM net-
work based on the common VPI. All VPIs and VCIs, however, have only local significance across a par-
ticular link and are remapped, as appropriate, at each switch.
A transmission path is the physical media that transports virtual channels and virtual paths. The following
figure illustrates how VCs concatenate to create VPs, which, in turn, traverse the media or transmission
path.
1424 SHDSL Router Chapter 6 99
User manual Configuring the WAN encapsulation protocols
Layer Description
physical layer Analogous to the physical layer of the OSI reference model, the ATM physical
layer manages the medium-dependent transmission.
ATM layer Combined with the ATM adaptation layer, the ATM layer is roughly analogous to
the data link layer of the OSI reference model. The ATM layer is responsible for
the simultaneous sharing of virtual circuits over a physical link (cell multiplexing)
and passing cells through the ATM network (cell relay). To do this, it uses the VPI
and VCI information in the header of each ATM cell.
ATM Adaptation Combined with the ATM layer, the AAL is roughly analogous to the data link layer
Layer (AAL) of the OSI model. The AAL is responsible for isolating higher-layer protocols from
the details of the ATM processes. The adaptation layer prepares user data for con-
version into cells and segments the data into 48-byte cell payloads.
At present, the four types of AAL recommended by the ITU-T are AAL1, AAL2,
AAL3/4, and AAL5:
• AAL1 is used for connection-oriented, delay-sensitive services requiring con-
stant bit rates, such as uncompressed video and other isochronous traffic.
• AAL2 is used for connection-oriented services that support a variable bit rate,
such as some isochronous video and voice traffic.
• AAL3/4 (merged from two initially distinct adaptation layers) supports both con-
nectionless and connection-oriented links but is used primarily for the transmis-
sion of SMDS packets over ATM networks.
• AAL5 supports connection-oriented VBR services and is used predominantly
for the transfer of classical IP over ATM and LANE traffic. AAL5 uses SEAL and
is the least complex of the current AAL recommendations. It offers low band-
width overhead and simpler processing requirements in exchange for reduced
bandwidth capacity and error-recovery capability.
higher layers Finally, the higher layers residing above the AAL accept user data, arrange it into
packets, and hand it to the AAL.
100 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
The Traffic Management Specification Version 4.0 defines five ATM service categories that describe the
traffic transmitted by users onto a network and the Quality of Service (QoS) that a network needs to pro-
vide for that traffic. The five service categories are:
• Constant Bit Rate (CBR)
• Variable Bit Rate real-time (VBR-rt)
• Variable Bit Rate non-real-time (VBR-nrt)
• Available Bit Rate (ABR)
• Unspecified Bit Rate (UBR)
The 1424 SHDSL Router supports CBR, VBR-rt, VBR-nrt and UBR.
The traffic parameters with which you can configure the ATM service categories are:
PCR The Peak Cell Rate (PCR) is the maximum rate at which you expect to transmit
data. Obviously, the maximum possible PCR is the physical speed of the cus-
tomer's access circuit into the ATM service provider.
Also refer to the peakCellRate element in the pvcTable; refer to the ATM configuration
attributes.
SCR The Sustainable Cell Rate (SCR) is the sustained rate at which you expect to
transmit data. Consider the SCR to be the true bandwidth of a PVC and not the
long-term average traffic rate.
Also refer to the sustCellRate element in the pvcTable; refer to the ATM configuration
attributes.
MBS The Maximum Burst Size (MBS) is the maximum number of cells that are allowed
to be sent above the SCR, with an upper limit which is PCR.
This is furhter explained in the next paragraph; also refer to the maxBurstSize ele-
ment in the pvcTable; refer to the ATM configuration attributes.
1424 SHDSL Router Chapter 6 101
User manual Configuring the WAN encapsulation protocols
• Definition
The Maximum Burst Size (MBS) is the maximum number of cells that are allowed to be sent above the
SCR, with an upper limit to the load of those cells, which is PCR.
In other words: MBS sets the limit for the number of cells that are allowed to be sent above the SCR;
PCR puts a maximum on the load of those cells.
The following figure illustrates the relation between MBS, SCR and PCR:
MBS will accommodate temporary bursts or short spikes in the traffic pattern. For example, an MBS of
100 cells allows a burst of three MTU-size Ethernet frames.
• Cell times
MBS is a number of cells, and is expressed in cell times.
Since each ATM cell has a certain length of time, this number of cells corresponds to a number of cell
time slots.
So, cell times is a unit expressed as a number of cells, which represent the amount of time that it takes
the ATM cells to pass an interface.
It can be converted into seconds using the following formula:
With:
- MBS: Maximum Burst Size; this is the total number of cells with a load higher than SCR.
- (424 bits per cell): ATM uses cells of 53 bytes, so that results in 424 bits per cell.
- PCR: Peak Cell Rate; this is the maximum data rate.
- SCR: Sustainable Cell Rate; this is the sustained data rate.
102 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
What is UBR?
The Unspecified Bit Rate (UBR) service category is a "best effort" service intended for non-critical appli-
cations, which do not require tightly constrained delay and delay variation, nor a specified quality of serv-
ice. UBR sources are expected to transmit non-continuous bursts of cells. UBR service supports a high
degree of statistical multiplexing among sources.
UBR service does not specify traffic related service guarantees. Specifically, UBR does not include the
notion of a per-connection negotiated bandwidth. There may not be any numerical commitments made
as to the cell loss ratio experienced by a UBR connection, or as to the cell transfer delay experienced by
cells on the connection: available bandwidth depends on other traffic on the connection.
The only traffic parameter you have to configure in case of UBR is the PCR. The PCR only provides an
indication of a physical bandwidth limitation within a PVC.
Examples of applications which can be seen as appropriate targets for the UBR service category are:
data transfer, messaging, etc.
The following figure shows the PCR, SCR and MBS relationship:
1424 SHDSL Router Chapter 6 103
User manual Configuring the WAN encapsulation protocols
What is VBR-nrt?
The non-real time VBR service category is intended for applications which have bursty traffic character-
istics and do not have tight constraints as to delay and delay variation. For those cells which are trans-
ferred within the traffic contract, the application expects a low Cell Loss Ratio (CLR). For all cells, it
expects a bound on the Cell Transfer Delay (CTD). Non-real time VBR service may support statistical
multiplexing of connections.
The traffic parameters you have to configure in case of VBR-nrt are:
• the Sustainable Cell Rate (SCR)
• the Peak Cell Rate (PCR)
• the Maximum Burst Size (MBS)
Examples of applications which can be seen as appropriate targets for the VBR-nrt service category are:
response-time critical transaction processing applications (e.g. airline reservations, banking transac-
tions, process monitoring), etc.
The following figure shows the PCR, SCR and MBS relationship:
104 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
What is VBR-rt?
The real-time VBR service category is intended for time-sensitive applications, (i.e., those requiring
tightly constrained delay and delay variation), as would be appropriate for voice and video applications.
Sources are expected to transmit at a rate which varies with time. Equivalently, the source can be
described as "bursty".
Cells which are delayed beyond the value specified by CTD are assumed to be of significantly less value
to the application. Real-time VBR service may support statistical multiplexing of real-time sources.
The traffic parameters you have to configure in case of VBR-rt are:
• the Sustainable Cell Rate (SCR)
• the Peak Cell Rate (PCR)
• the Maximum Burst Size (MBS)
Examples of applications which can be seen as appropriate targets for the VBR-rt service category are:
some classes of multimedia communications (e.g. compressed audio, interactive multimedia), etc.
The following figure shows the PCR, SCR and MBS relationship:
1424 SHDSL Router Chapter 6 105
User manual Configuring the WAN encapsulation protocols
What is CBR?
The CBR service category is used by connections that request a fixed (static) amount of bandwidth,
characterized by a Peak Cell Rate (PCR) value that is continuously available during the connection life-
time, independent from other traffic on the network. The source may emit cells at or below the PCR at
any time, and for any duration (or may be silent).
This category is intended for real-time applications, i.e., those requiring tightly constrained Cell Transfer
Delay (CTD) and Cell Delay Variation (CDV), but is not restricted to these applications. It would be
appropriate for voice and video applications, as well as for Circuit Emulation Services (CES).
The basic commitment made by the network is that once the connection is established, the negotiated
QoS is assured to all cells conforming to the relevant conformance tests. It is assumed that cells which
are delayed beyond the value specified by Cell Transfer Delay (CTD) may be of significantly less value
to the application.
The only traffic parameter you have to configure in case of CBR is the PCR.
Examples of applications which can be seen as appropriate targets for the CBR service category are:
video conferencing, interactive audio (e.g., telephony), audio/video distribution (e.g. television, distance
learning), audio/video retrieval (e.g. video-on-demand, audio library)
The following figure shows the PCR, SCR and MBS relationship:
106 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
As its name implies, multi-protocol encapsulation over ATM provides mechanisms for carrying traffic
other than just IP. Several different protocols can be used on top of ATM:
• Bridged/routed Ethernet/IP over ATM (formerly RFC 1483, now RFC 2684). This protocol makes the
router appear as a LAN device to the operating system.
• IP over ATM (IPoA, RFC 1577, similar to RFC 2684). Also in this case the protocol makes the router
appear as a LAN device to the operating system.
• Point to Point Protocol Over ATM ( PPPoA, RFC 2364). PPP provides session setup, user authenti-
cation (login), and encapsulation for upper layer protocols such as IP. The use of PPP makes the
router appear as a dial device to the operating system.
• Point to Point Protocol Over Ethernet (PPPoE, RFC 2516). This protocol makes the router appear as
a LAN device to the operating system. It allows multiple devices on an Ethernet to share a common
connection to the remote network (e.g. the Internet).
1424 SHDSL Router Chapter 6 107
User manual Configuring the WAN encapsulation protocols
As said before, you can encapsulate several protocols in ATM. The mechanisms to do this are:
Logical Link Control In this method, multiple protocol types can be carried across a single con-
(LLC) encapsulation nection with the type of encapsulated packet identified by a standard LLC/
SNAP header.
Virtual Connection Mul- In this method, only a single protocol is carried across an ATM connection,
tiplexing with the type of protocol implicitly identified at connection setup.
LLC encapsulation is provided to support routed and bridged protocols. In this encapsulation format,
PDUs from multiple protocols can be carried over the same virtual connection. The type of protocol is
indicated in the packet's SNAP header. By contrast, the virtual connection multiplexing method allows
for transport of just one protocol per virtual connection.
The following table gives an overview of which multi-protocol mechanism can be used for which higher
layer protocol encapsulation.
higherLayerProtocol multiProtocolMech
rfc2684 llcEncapsulation +
vcMultiplexing
ppp llcEncapsulation +
vcMultiplexing
pppOverEthernet llcEncapsulation
108 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
PPP over ATM adaptation layer 5 (AAL5) uses AAL5 as the framed protocol. It relies on RFC 2684, oper-
ating in either Logical Link Control Encapsulation or Virtual Connection Multiplexing mode. A Customer
Premises Equipment (CPE) device encapsulates the PPP session based on this RFC for transport
across the xDSL loop and the Digital Subscriber Line Access Multiplexer (DSLAM).
PPP over Ethernet (PPPoE) over ATM actually combines three protocols: Ethernet, PPP and ATM. The
Ethernet is encapsulated in PPP which, on its turn, is encapsulated in ATM:
• The Ethernet protocol provides the ability to connect a network of hosts over a simple bridging access
device to a remote access concentrator.
• The PPP protocol provides the ability that each host utilises its own PPP stack and that the user is
presented with a familiar user interface. Access control, billing and type of service can be done on a
per-user basis, rather than on a per-site basis.
• The ATM protocol provides service-provider digital subscriber line (DSL) support.
PPP over Ethernet (PPPoE) provides the ability to connect a network of hosts over a simple bridging
access device to a remote access concentrator. With this model, each host utilises its own PPP stack
and the user is presented with a familiar user interface. Access control, billing and type of service can
be done on a per-user basis, rather than on a per-site basis.
PPPoE has two distinct stages:
• a discovery stage.
• a PPP session stage.
When a host wants to initiate a PPPoE session, it must first perform discovery to identify the Ethernet
MAC address of the peer and establish a PPPoE session ID. While PPP defines a peer-to-peer relation-
ship, discovery is inherently a client-server relationship. In the discovery process, a host (the client) dis-
covers an access concentrator (the server). Based on the network topology, there may be more than
one access concentrator that the host can communicate with. The discovery stage allows the host to
discover all access concentrators and then select one. When discovery completes successfully, both the
host and the selected access concentrator have the information they will use to build their point-to-point
connection over Ethernet.
The discovery stage remains stateless until a PPP session is established. Once a PPP session is estab-
lished, both the host and the access concentrator must allocate the resources for a PPP virtual interface.
1424 SHDSL Router Chapter 6 109
User manual Configuring the WAN encapsulation protocols
What is CLP?
The Cell Loss Priority (CLP) indicates whether the cell should be discarded if it encounters extreme con-
gestion as it moves through the network. If the CLP bit equals 1, the cell should be discarded in prefer-
ence to cells with the CLP bit equal to 0.
What is EFCI?
The Explicit Forward Congestion Indication (EFCI) indicates whether a cell containing user data experi-
enced congestion as it moved through the network.
110 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Step Action
1 In the 1424 SHDSL Router containment tree, go to the atm object, select the pvcTable
attribute and add one or more entries to this table.
Use this attribute to set up ATM PVCs. Add a row to the pvcTable for each ATM PVC you
want to create.
2 Configure the elements of the ATM PVC you just created. These elements are:
• name. Use this element to assign an administrative name to the ATM PVC.
• adminStatus. Use this element to activate (up) or deactivate (down) the ATM PVC.
• mode. Use this element to determine whether, for the corresponding ATM PVC, the
packets are treated by the routing process, the bridging process or both.
• priorityPolicy. Use this element to apply a priority policy on the ATM PVC. Refer to
7.11.15 - Applying a priority policy on an interface on page 293 for more information.
• ip. Use this element to configure the IP related parameters of the ATM PVC. Refer to
5.2.3 - Explaining the ip structure on page 56 for more information.
• bridging. Use this element to configure the bridging related parameters of the ATM PVC
in case the PVC is in bridging mode (i.e. in case the mode element is set to bridging).
Refer to 8.2.6 - Explaining the bridging structure on page 318 for more information.
• atm. Use this element to configure the ATM specific parameters of the ATM PVC.
Refer to pvcTable/atm on page 536 for more information.
• ppp. Use this element to configure the PPP related parameters of the ATM PVC in
case you want to run PPP over ATM. Refer to 11.5.4 - PPP configuration attributes on
page 566 for a detailed description of the elements in the ppp structure.
The following figure gives an example of a local Ethernet segment connected to three different networks
through three different PVCs:
The following screenshot shows (part of) the pvcTable of the set-up depicted in the figure above:
112 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
In case of ATM, the 1424 SHDSL Router can perform an auto-install (refer to 16 - Auto installing the
1424 SHDSL Router on page 1147). This includes obtaining a local IP address of the ATM PVC. How-
ever, even if no auto-install is performed the 1424 SHDSL Router runs the following sequence to obtain
a local IP address of the ATM PVC:
If the ATM network supports the InARP (Inverse Address Resolution Protocol) protocol, then the 1424
SHDSL Router can learn the remote IP address of an ATM PVC.
1424 SHDSL Router Chapter 6 113
User manual Configuring the WAN encapsulation protocols
Step Action
Refer to …
• 5.2.3 - Explaining the ip structure on page 56 for a complete description of the ip structure.
• Example - configuring ATM PVCs on page 111 for an example.
114 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Refer to 6.2.1 - Introducing ATM on page 98 for an introduction on VPI and VCI.
To configure the VPI and VCI of an ATM PVC, proceed as follows:
Step Action
Refer to …
• pvcTable/atm on page 536 for a complete description of the atm structure.
• Example - configuring ATM PVCs on page 111 for an example.
1424 SHDSL Router Chapter 6 115
User manual Configuring the WAN encapsulation protocols
Refer to 6.2.1 - Introducing ATM on page 98 for an introduction on UBR and related traffic parameters.
To configure UBR on an ATM PVC, proceed as follows:
Step Action
Refer to pvcTable/atm on page 536 for a complete description of the atm structure.
116 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Refer to 6.2.1 - Introducing ATM on page 98 for an introduction on VBR-nrt and related traffic parame-
ters.
To configure VBR-nrt on an ATM PVC, proceed as follows:
Step Action
The PCR and MBS must be understood only as mechanisms to reduce latency and not
as a way to increase bandwidth. Thus, the PCR and MBS allow you to accommodate
short duration bursts of traffic without packet drops taking place. If long duration bursts
exist often in your specific traffic pattern, they should be taken under account when
choosing the value for SCR.
Refer to pvcTable/atm on page 536 for a complete description of the atm structure.
From the MBS it is possible to figure out how many time, in seconds, the 1424 SHDSL Router will be
able to transmit at PCR, by means of the following equation:
T = (MBS x 424 bits per cell) / (PCR - SCR)
So suppose the SCR and PCR are known to be 64 kbps and 256 kbps and suppose you set the MBS to
…
• 45 cells, then T = 100 ms which means you can have bursts up to approximately 3 kbytes.
• 90 cells, then T = 200 ms which means you can have bursts up to approximately 6 kbytes.
1424 SHDSL Router Chapter 6 117
User manual Configuring the WAN encapsulation protocols
Refer to 6.2.1 - Introducing ATM on page 98 for an introduction on VBR-rt and related traffic parameters.
To configure VBR-rt on an ATM PVC, proceed as follows:
Step Action
The PCR and MBS must be understood only as mechanisms to reduce latency and not
as a way to increase bandwidth. Thus, the PCR and MBS allow you to accommodate
short duration bursts of traffic without packet drops taking place. If long duration bursts
exist often in your specific traffic pattern, they should be taken under account when
choosing the value for SCR.
Refer to pvcTable/atm on page 536 for a complete description of the atm structure.
From the MBS it is possible to figure out how many time, in seconds, the 1424 SHDSL Router will be
able to transmit at PCR, by means of the following equation:
T = (MBS x 424 bits per cell) / (PCR - SCR)
So suppose the SCR and PCR are known to be 64 kbps and 256 kbps and suppose you set the MBS to
…
• 45 cells, then T = 100 ms which means you can have bursts up to approximately 3 kbytes.
• 90 cells, then T = 200 ms which means you can have bursts up to approximately 6 kbytes.
118 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Refer to 6.2.1 - Introducing ATM on page 98 for an introduction on CBR and related traffic parameters.
To configure CBR on an ATM PVC, proceed as follows:
Step Action
When selecting a certain service category for an ATM PVC, the 1424 SHDSL Router assigns a certain
amount of bandwidth to this ATM PVC. The amount of bandwidth that is assigned by the 1424 SHDSL
Router does not necessarily correspond with the amount of bandwidth that you configured.
The way the 1424 SHDSL Router assigns bandwidth depends on factors such as available memory, the
service category, the minimum bandwidth, etc. The most important factors are:
Factor Description
service category The higher the importance of the requested service category, the closer the
importance assigned bandwidth comes to the requested bandwidth. The importance of the
service categories in descending order is as follows:
1. CBR (high)
2. VBR-rt
3. VBR-nrt
4. UBR (low)
Examples:
• Suppose you select the service category UBR and you set the PCR to 8 kbps.
In that case, it is possible that instead of 8 kbps, 16 kbps is assigned to the ATM
PVC.
• Suppose you select the service category CBR and you set the PCR to 8 kbps.
In that case, it is possible that instead of 8 kbps, 9 kbps is assigned to the ATM
PVC.
minimum The higher the requested bandwidth, the closer the assigned bandwidth comes to
requested band- the requested bandwidth.
width
Examples:
• Suppose you select the service category UBR and you set the PCR to 8 kbps.
In that case, it is possible that instead of 8 kbps, 16 kbps is assigned to the ATM
PVC. This is a deviation of 50%.
• Suppose you select the service category UBR and you set the PCR to 1024
kbps. In that case, it is possible that instead of 1024 kbps, 1032 kbps is
assigned to the ATM PVC. This is a deviation of only +- 0.8%.
120 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
The amount of bandwidth that is assigned can be checked in the ATM status attributes.
Switching
In case of switched ATM PVCs, there is no QoS translation between source and destination. This would
imply that when a switched ATM PVC comes through, it would get as much bandwidth as necessary to
serve the incoming data stream. This would mean that if the switched ATM PVC carries a high bandwidth
data stream, that the existing bridged or routed ATM PVCs (on the same physical interface) may suffer
from this, even if their service category is CBR.
To avoid this, the priority configuration element has been added to the ATM switching table. Using this
element, you can define in which “service category” the switched ATM PVC falls.
high CBR
medium VBR-rt
low VBR-nrt
You can define a different priority for each switched ATM PVC. However, all switched ATM PVCs that
have the same priority are treated equally.
Examples:
• Setting the priority of a switched ATM PVC to high, makes it of equal priority as a bridged or routed
ATM PVC with service category CBR. So both ATM PVCs will be treated equally as it comes to band-
width assignment.
• Setting the priority of a switched ATM PVC to high, makes it of higher priority as a bridged or routed
ATM PVC with service category VBR. So when the switched ATM PVC comes through, it will be given
priority over the bridged or routed ATM PVC.
1424 SHDSL Router Chapter 6 121
User manual Configuring the WAN encapsulation protocols
Refer to 6.2.1 - Introducing ATM on page 98 for an introduction on bridged/routed Ethernet/IP over ATM.
To configure bridged/routed Ethernet/IP (multi-protocol) over ATM on an ATM PVC, proceed as follows:
Step Action
Refer to pvcTable/atm on page 536 for a complete description of the atm structure.
122 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Step Action
Refer to pvcTable/atm on page 536 for a complete description of the atm structure.
Note that Inverse ARP is always in use. Therefore there is no dedicated attribute to enable or disable
InARP.
1424 SHDSL Router Chapter 6 123
User manual Configuring the WAN encapsulation protocols
Refer to 6.2.1 - Introducing ATM on page 98 for an introduction on PPP over ATM.
To configure PPP over ATM on an ATM PVC, proceed as follows:
Step Action
5 In the ppp structure, configure the PPP elements (link monitoring, authentication, etc.).
Refer to …
• 6.7 - Configuring PPP encapsulation on page 160 for more information on configuring
PPP.
• 11.5.4 - PPP configuration attributes on page 566 for a detailed description of the ele-
ments in the ppp structure.
124 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Refer to 6.2.1 - Introducing ATM on page 98 for an introduction on PPP over Ethernet.
To configure PPP over Ethernet on an ATM PVC, proceed as follows:
Step Action
5 In the ppp structure, configure the PPP elements (link monitoring, authentication, etc.).
Refer to …
• 6.7 - Configuring PPP encapsulation on page 160 for more information on configuring
PPP.
• 11.5.4 - PPP configuration attributes on page 566 for a detailed description of the ele-
ments in the ppp structure.
1424 SHDSL Router Chapter 6 125
User manual Configuring the WAN encapsulation protocols
This section introduces OAM on ATM interfaces, and gives a short description of the attributes you can
use to configure OAM.
The following gives an overview of this section:
• 6.3.1 - What is OAM? on page 126
• 6.3.2 - OAM functional overview on page 128
• 6.3.3 - OAM concepts on page 129
• 6.3.4 - OAM Fault and performance management on page 131
• 6.3.5 - OAM Loopback (LB) on page 133
• 6.3.6 - OAM Continuity Check (CC) on page 134
• 6.3.7 - OAM Performance Monitoring (PM) on page 136
• 6.3.8 - Activation/deactivation mechanism on page 137
126 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
• OAM (Operation, Administration and Maintenance) defines the ability to monitor the functionality of
VC's and VP's in the ATM network, detect failures, propagate these failures to ATM end nodes, and
monitor the performance of VC and VP links.
• OAM is basically a 'layer 1' feature of the VC's and VP's, i.e. OAM determines if the VC or VP is oper-
ational, and as such triggers higher layer functionality.
For example: OAM will bring the status of the pvc down if a defect has been detected between its
endpoints and subsequently will bring down the higher layer application (e.g. bridging and routing).
• Detecting the operational status of the VC/VP is done by two mechanisms:
- OAM Loopback: an endpoint sends out a loopback message at regular intervals which should be
replied by the remote endpoint. OAM Loopback must be activated manually.
Subsequent failures in receiving loopback replies results in an operational down of the VC/VP.
- OAM CC: an endpoint sends a CC message at regular intervals, which is interpreted by the
remote endpoint as a kind of 'keepalive' message. If the remote endpoint fails to receive CC mes-
sages, the VC/VP is considered operationally down, which is reported to the other endpoint by
sending AIS messages. OAM CC can either be activated manually, or automatically.
• Besides determining the operational status of a VC/VP, OAM also provides for performance monitor-
ing of VC's/VP's. This is accomplished with the help of the processor, which, if activated, determines
when a PM cell needs to be sent to the remote endpoint, and is able to independently interpret such
messages for statistics purposes. OAM PM can either be activated manually, or automatically.
1424 SHDSL Router Chapter 6 127
User manual Configuring the WAN encapsulation protocols
• OAM is used to maintain ATM VP’s and VC’s by sending a certain type of cells, OAM F4 and OAM
F5 cells:
- OAM on Virtual Path level is referred to as OAM F4.
- OAM on Virtual Channel level is referred to as OAM F5.
OAM F4 is functionally equal to OAM F5.
• The following principles have been considered in specifying the OAM functions:
- Performance monitoring (PM)
PM is a function which processes user information to produce maintenance information specific to
the user information. This maintenance information is added to the user information at the source of
a connection/link, and extracted at the sink of a connection/link. Analysis of the maintenance event
information at the sink of the connection allows estimation of the transport integrity.
- Defect and failure detection
Defects or failures affecting the transport of user information are detected by continuous or periodic
checking. As a result, maintenance event information or various alarms will be produced.
- System protection
The effect of a defect on the transport of user information is minimized by blocking or changeover to
other entities. As a result the failed entity is excluded from operation.
- Defect information
Defect information is given to other management entities. As a result, alarm indications are given to
other management planes. Response to a status report request will also be given.
- Fault localization
Internal or external test systems can determine a failed entity, if defect information is insufficient.
128 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
The ATM protocol features OAM LoopBack (LB) cells. These are used to verify whether a Virtual Chan-
nel/Path is truly up or down. This can be done on two levels:
• on Virtual Path (VP) level by using OAM F4 LB cells. The relevant configuration attributes can be
found in the vp table: refer to vp on page 549.
• on Virtual Channel (VC) level by using OAM F5 LB cells. The relevant configuration attributes can be
found in the pvcTable: refer to pvcTable on page 534.
The 1424 SHDSL Router always responds to OAM LB cells received from the peer ATM device (both
segment and end-to-end cells). However, when OAM LB is activated, the 1424 SHDSL Router only
sends end-to-end OAM LB request cells.
The ATM protocol features OAM Continuity Check (CC) cells. These are used to continuously monitor
the continuity of a Virtual Channel/Path. This can be done on two levels:
• on Virtual Path (VP) level by using OAM F4 CC cells. The relevant configuration attributes can be
found in the vp table: refer to vp on page 549.
• on Virtual Channel (VC) level by using OAM F5 CC cells. The relevant configuration attributes can
be found in the pvcTable: refer to pvcTable on page 534.
OAM performance Management gathers and analyzes statistical data to detect error conditions in the
flow of ATM data.
Performance Management works in both directions:
• FPM or forward performance monitoring: estimates performance over a specific connection.
• BR or backward reporting: reports gathered data to the backward direction.
Refer to 11.5.1 - ATM configuration attributes on page 533, 12.5.1 - ATM status attributes on page 847
and 13.5.1 - ATM performance attributes on page 1034 for more information about the respective con-
figuration, status and performance attributes of OAM.
1424 SHDSL Router Chapter 6 133
User manual Configuring the WAN encapsulation protocols
Forward/backward direction
• The Forward direction is the direction of the considered ATM cell flow.
E.g.: failure is detected at an interface at the rx side
- AIS cells are sent in the direction of the ATM cell rx flow, this means downstream.
- AIS cells are sent on the switched interface.
• The Backward direction is the reverse direction of the considered ATM cell flow.
E.g: failure is detected at an interface at the rx side
- RDI cells are sent in the backward direction of the ATM cell rx flow, this means upstream.
- RDI cells are sent on the interface which detected the fault
OAM AIS
OAM RDI
Purpose
• PM gathers and analyzes statistical data to detect error conditions in the flow of ATM data.
• OAM PM can either be activated manually, or automatically.
• PM monitors the QoS of a network connection and detects potential problems (i.e. due to malfunc-
tioning or failing ATM devices, overload in the network, ...). Some of the things that are monitored are:
- Cell Block Error ratio
- Cell Loss Ratio
- Misinserted cells
Refer to 13.5.1 - ATM performance attributes on page 1034 for more information on the OAM per-
formance attributes.
• FPM collects statistics of the forward (i.e. tx direction) ATM cell flow and sends this information to the
remote endpoint at regular times.
• FPM data is generated at the source endpoint.
• FPM data is interpreted at the sink endpoint: information contained in the FPM cells are compared
with the really received ATM cell flow. This allows for detection of lost, mis-inserted, … cells.
• FPM allows the sink to obtain statistics about its rx side (i.e. estimates performance about the forward
direction at the sink).
Mechanism
• The tx ATM cell flow is divided into blocks of cells of configurable size.
• Statistics are gathered per block.
• An FPM cell is inserted into the cell flow at the end of each block containing the gathered statistics.
• Statistics about the received cell flow are gathered per block.
• Blocks are bound by the received FPM cells.
• Each FPM cell is returned with additionally gathered statistics.
1424 SHDSL Router Chapter 6 137
User manual Configuring the WAN encapsulation protocols
• The activation/deactivation mechanism is a negotiation between endpoints to agree if and what OAM
functionality needs to be activated at both endpoints.
• It is used with CC and FPM.
• Necessary if on-demand activation of OAM CC or PM is needed, as both source and sink need to
agree on the activation (this in contrast with LB, AIS and RDI).
• The different activation/deactivation modes are:
- Deactivated: this mode will not start CC or PM in any case.
- Activated: CC/PM is started, no negotiation is done with the remote endpoint.
- Passive: the 1424 SHDSL Router is willing to accept activation/deactivation messages and
responds to it.
- InitActivation: this mode initiates the activation of the CC/PM process by sending activation mes-
sages.
138 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
This section introduces Inverse Multiplexing over ATM (ATM IMA) and gives a short description of how
to configure it.
The following gives an overview of this section:
• 6.4.1 - Introducing ATM IMA on page 139
• 6.4.2 - Configuring ATM IMA on page 140
1424 SHDSL Router Chapter 6 139
User manual Configuring the WAN encapsulation protocols
IMA is a technique enabling to split and reassemble an ATM cell stream over multiple physical links. It
was defined by the ATM Forum recommendation AF-PHY-0086.0001.
This technique is highly efficient to increase the capacity of transmission links: up to 4 DSL links can be
combined.
An IMA interface forms an IMA group. An IMA group is actually made up of several physical links. The
role of IMA is to split the incoming cell traffic over the different physical interfaces. The IMA group must
respectively reassemble the cell stream at the remote end. The IMA algorithm ensures the cell stream
is reassembled in the proper order and compensates for possible inter-link delays.
This is illustrated in the following figure:
Data cells
The data transiting over the DSL links are made up of:
• ATM cells. Tthe cells are sent over each link on a cell-by-cell basis.
• ICP (IMA Control Protocol) cells. These cells provide the definition of an IMA frame. The transmitter
must align the transmission of IMA frames on all links. This allows the receiver to adjust for differential
link delays among the physical links. The receiver can detect the differential delays by measuring the
arrival times of the IMA frames on each link.
• Filler cells (when no ATM cells have to be sent). At the transmitting end, the cells are transmitted con-
tinuously. If there are no ATM layer cells to be sent between ICP cells within an IMA frame, then the
IMA transmitter sends filler cells to maintain a continuous stream of cells at the physical layer. The
filler cells are discarded by the IMA receiver.
140 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Step Action
1 First of all, the encapsulation of the DSL interface must be set to atm, using the encapsula-
tion attribute:
2 The ATM encapsulation protocol itself must then be configured, and ima must be enabled
on the WAN intefrace:
This section introduces the EFM encapsulation protocol and gives a short description of the features.
The following gives an overview of this section:
• 6.5.1 - Introducing EFM on page 142
• 6.5.2 - OAM or Operation, Administration and Maintenance on page 143
142 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
What is EFM?
Ethernet in the First Mile or EFM, also known as IEEE 802.3ah, is a collection of protocols which define
Ethernet in access networks, or First or Last Mile. It allows much bigger speeds in the customer access
networks.
The Last Mile is the name traditionally given to the part of a public communication network that links the
last provider-owned node (the central office or CO, the street cabinet or pole) with the customer premises
equipment (CPE). The First Mile means the same, but viewed from the customer's perspective.
The Last Mile can be seen as a bottle neck in the communication network.
EFM does not improve or replace the existing Ethernet standard, it is an extension of Ethernet technol-
ogy.
It is a new standard, allowing users to run the Ethernet protocol over previously unsupported media, such
as single pairs of telephone wiring. This makes EFM suitable for use in subscriber access networks, i.e.
the networks that connect subscribers to their service provider.
Ethernet
Ethernet began as a broadcast local area network technology as a best effort delivery protocol. Occa-
sional frame disruptions due to collisions or signal noise were expected and tolerated.
These days, Ethernet is omnipresent. It is easy to configure, cost-effective, highly scalable and supports
a wide range of services such as data, voice and video. This makes it well suited to the demands of the
First Mile, bridging the gap between the provider network and the subscriber network, making use of
cable or Digital Subscriber Line (DSL).
However, quality demands in First Mile connection networks using EFM, are much higher compared to
LAN networks. High availability and sophisticated tools to manage and troubleshoot the EFM networks
are a must for providing the high level of service customers require. Performance must be monitored,
and any errors in the network must be detected and isolated very quickly.
Therefore, issues required for mass deployment of Ethernet services, such as OAM (Operation, Admin-
istration and Maintenance) and compatibility with existing technologies, have all been dealt with in the
EFM standard.
The use of EFM in subscriber access applications eliminates unnecessary network layers. The elimina-
tion of network layers reduces the number of network elements in a network, and that reduces equipment
costs, operational costs, and complexity.
1424 SHDSL Router Chapter 6 143
User manual Configuring the WAN encapsulation protocols
EFM OAM is a mechanism that provides DTE information, event notification, variable retrieval, and loop-
back controls.
The actual use of the OAM functionality is optional. A device is able to determine whether or not a remote
device has the OAM functionality enabled. The OAM Discovery mechanism ascertains the configured
parameters, such as maximum allowable OAMPDU size, and supported functions such as OAM remote
loopback, on a given link.
For more detailed information about the OAM mechanism, refer to section 5 of IEEE Std. 802.3-2005,
more specifically section 57. Operations, Administration, and Maintenance (OAM).
Refer to 11.5.5 - EFM configuration attributes on page 571 for a detailed explanation of the EFM and
OAM configuration attributes.
Purpose of OAM
OAM information is conveyed in protocol frames called OAM Protocol Data Units or OAMPDUs, that are
sent between two ends of a single link. OAMPDUs contain the appropriate control and status information
used to monitor, test and troubleshoot OAM-enabled links.
OAM discovery
• OAM remote loopback can be used for fault localization and link performance testing. Statistics from
both the local and remote DTE can be queried and compared at any time while the remote DTE is in
OAM remote loopback mode.
• OAM loopback is a process that is used to verify whether a link is truly up or down. This is done by
sending (and receiving) OAM LoopBack PDUs between both ends of the link.
• OAM loopback can be started or stopped on the device. Refer to the action oamRemoteLoopback in
12.5.5 - EFM status attributes on page 877.
• The Local DTE sends loopback control PDUs, the remote DTE acknowledges by sending information
PDUs with updated state information.
A device configured in active mode initiates the exchange of Information OAMPDUs. Once the Discovery
process completes, active devices are permitted to send any OAMPDU while connected to a remote
OAM device in active mode. Active devices operate in a limited respect if the remote OAM device is oper-
ating in passive mode. Active devices do not respond to OAM remote loopback commands and variable
requests from a passive device.
The 1424 SHDSL Router can be set to active mode using the oam attribute; also refer to 11.5.5 - EFM
configuration attributes on page 571.
The 1424 SHDSL Router in active mode:
• initiates the OAM Discovery process.
• sends Information PDUs.
• may send Event Notification PDUs.
• may send Variable Request/Response PDUs.
• may send Loopback Control PDUs.
The 1424 SHDSL Router in active mode does not:
• respond to Variable Request PDUs from other DTEs in Passive mode.
• react to Loopback Control PDUs from other DTEs in Passive mode.
1424 SHDSL Router Chapter 6 145
User manual Configuring the WAN encapsulation protocols
This section introduces the Frame Relay encapsulation protocol and gives a short description of the
attributes you can use to configure this encapsulation protocol.
The following gives an overview of this section:
• 6.6.1 - Introducing Frame Relay on page 146
• 6.6.2 - Configuring Frame Relay DLCIs on page 150
• 6.6.3 - Automatically obtaining IP addresses in Frame Relay on page 152
• 6.6.4 - Configuring IP addresses in Frame Relay on page 153
• 6.6.5 - Configuring LMI on page 156
• 6.6.6 - Configuring CIR and EIR on page 157
• 6.6.7 - Enabling Frame Relay fragmentation on page 159
146 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Frame Relay is a networking protocol that works at the bottom two levels of the OSI reference model:
the physical and data link layers. It is an example of packet-switching technology, which enables end
stations to dynamically share network resources.
Frame Relay devices fall into the following two general categories:
• Data Terminal Equipment (DTEs), which include terminals, personal computers, routers, and
bridges.
• Data Circuit Equipment (DCEs), which transmit the data through the network and are often carrier-
owned devices.
What is a DLCI?
Frame Relay networks transfer data using one of the following connection types:
• Switched Virtual Circuits (SVCs), which are temporary connections that are created for each data
transfer and then are terminated when the data transfer is complete (not a widely used connection).
• Permanent Virtual Circuits (PVCs), which are permanent connections.
The 1424 SHDSL Router makes use of Permanent Virtual Circuits. The Data Link Connection Identifier
(DLCI) is a value assigned to each virtual circuit and DTE device connection point in the Frame Relay
WAN. Two different connections can be assigned the same value within the same Frame Relay WAN,
one on each side of the virtual connection.
What is LMI?
A set of Frame Relay enhancements exists, called the Local Management Interface (LMI). The LMI
enhancements offer a number of features (referred to as extensions) for managing complex networks,
including:
• global addressing,
• virtual circuit status messages,
• multicasting.
LMI provides a status mechanism which gives an on-going status report on the DLCIs. These status
reports are exchanged between the Frame Relay access device (or Frame Relay DTE or user) and
Frame Relay node (or Frame Relay DCE or network).
1424 SHDSL Router Chapter 6 147
User manual Configuring the WAN encapsulation protocols
At regular intervals (typically every 1 minute), the Frame Relay user (e.g. a router) sends Full Status
Enquiry messages to the Frame Relay network (e.g. a Frame Relay switch). On its turn, the Frame Relay
network sends a Full Status Response to the Frame Relay user. In this response the Frame Relay net-
work reports which DLCIs are configured at its side and which of these DLCIs are up or down. Until the
first Full Status Enquiry exchange has occurred, the Frame Relay user does not know which DLCIs are
active and so no data transfer can take place.
At smaller intervals (typically every 10 seconds), the Frame Relay user sends Status Enquiry messages
to the Frame Relay network. On its turn, the Frame Relay network sends a Status Response to the
Frame Relay user. In this response the Frame Relay network only reports which DLCIs are up or down.
There are various LMI versions: LMI rev.1, ANSI T1.617 Annex D, Q.933 Annex A, etc. To ensure inter-
operability when your network consists of equipment from different vendors, the same version of LMI
protocol must be at each end of the Frame Relay link.
• CIR = BC / TC
• The Committed Information Rate (CIR) is the specified amount of guaranteed bandwidth (measured
in bits per second) on a Frame Relay service. Typically, when purchasing a Frame Relay service the
customer can specify the CIR level he wishes. The Frame Relay network provider guarantees that
traffic not exceeding this level will be delivered.
• The Committed Burst (BC) is the maximum amount of data (in bits) that the network agrees to trans-
fer, under normal conditions, during a time interval TC.
• EIR = BE / TC
• The Excess Information Rate (EIR) is the specified amount of unguaranteed bandwidth (measured
in bits per second) on a Frame Relay service. It is the traffic in excess of the CIR. This traffic may also
be delivered, but this is not guaranteed.
• The Excess Burst (BE) is the maximum amount of uncommitted data (in bits) in excess of BC that a
Frame Relay network can attempt to deliver during a time interval TC. Generally, BE data is delivered
with a lower probability than BC, and the network treats it as discard eligible.
What is TC?
The measurement interval (TC) is the time over which rates and burst sizes are measured. In general,
the duration of TC is proportional to the burstiness of traffic.
The following figure shows the relationship between BC, BE and TC:
148 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
What is DE?
When the CIR is exceeded, all subsequent frames get marked Discard Eligible by setting the Discard
Eligible (DE) bit in the Frame Relay header. This is performed at the local Frame Relay switch. If con-
gestion occurs at a node in the Frame Relay network, packets marked DE are the first to be dropped.
Upon detecting congestion, a Frame Relay switch will send a Backward Explicit Congestion Notifier
(BECN) message back to the source. If the source (e.g. the router) has sufficient intelligence to process
this message, it may throttle back to the CIR.
What is BECN?
Backward Explicit Congestion Notification (BECN) is a bit set by a Frame Relay network in frames trav-
elling in the opposite direction of frames encountering a congested path. DTEs receiving frames with the
BECN bit set can request that higher-level protocols take flow control action as appropriate.
What is FECN?
Forward Explicit Congestion Notification (FECN) is a bit set by a Frame Relay network to inform DTEs
receiving the frame that congestion was experienced in the path from source to destination. DTEs receiv-
ing frames with the FECN bit set can request that higher-level protocols take flow-control action as
appropriate.
Interface fragmentation is used in order to allow real-time and data frames to share the same (physical)
interface. The fragmentation is strictly local to the interface and provides the proper delay and delay var-
iation based upon the logical speed of the interface (the logical speed of an interface may be slower than
the physical clocking rate if a channelised physical interface is used). Since fragmentation is local to the
interface, the network can take advantage of the higher internal trunk speeds by transporting the com-
plete frames, which is more efficient than transporting a larger number of smaller fragments.
Interface fragmentation is also useful when there is a speed mismatch between the two DTEs at the ends
of a VC. It also allows the network to proxy for a DTE that does not implement end-to-end fragmentation.
Refer to What is end-to-end Frame Relay fragmentation? on page 149.
Interface fragmentation is not transparent to the Frame Relay network. I.e. the Frame Relay switches in
the network have to “understand” Frame Relay fragmentation.
End-to-end Frame Relay fragmentation is used on DLCIs only. It is most useful when peer Frame Relay
DTEs wish to exchange both real-time and non-real-time traffic using slower interface(s), but either one
or both (physical) interfaces does not support interface Frame Relay fragmentation. Refer to What is
interface Frame Relay fragmentation? on page 148.
End-to-end Frame Relay fragmentation is transparent to the Frame Relay network. I.e. the Frame Relay
switches in the network do not have to “know” about the fragmentation.
Because DLCI 0 is never carried end-to-end, it is never fragmented using end-to-end Frame Relay frag-
mentation.
What is MLFR?
Multilink Frame Relay (MLFR) provides physical interface emulation for Frame Relay devices. The emu-
lated physical interface consists of one or more physical links, called "bundle links", aggregated together
into a single "bundle" of bandwidth. This service provides a frame-based inverse multiplexing function,
sometimes referred to as an "IMUX".
The bundle provides the same order-preserving service as a physical layer for frames sent on a data link
connection. In addition, the bundle provides support for all Frame Relay services based on UNI and NNI
standards.
Refer to FRF.16 for more information on multilink Frame Relay.
What is LIP?
The Link Integrity Protocol (LIP) features a set of control messages to insure the integrity of a Frame
Relay bundle. These messages are:
Add Link The Add Link message notifies the peer endpoint that the local endpoint supports
frame processing. The message includes information required to verify bundle
membership and detect loopbacks. Both ends of a bundle link generate this mes-
sage when a bundle link endpoint is ready to become operational.
Add Link The Add Link Acknowledge message notifies the peer endpoint that the local end-
Acknowledge point has received a valid Add Link message.
Add Link Reject The Add Link Reject message notifies the peer endpoint that the local endpoint
has received an invalid Add Link message.
Hello The Hello message notifies the peer endpoint that the local endpoint remains in
the state up. Both ends of a bundle link generate this message on a periodic basis.
Hello Acknowl- The Hello Acknowledge message notifies the peer that the local endpoint has
edge received a valid Hello message.
Remove Link The Remove Link message notifies the peer that the local end layer management
function is removing the bundle link from bundle operation.
Remove Link The Remove Link Acknowledge message notifies the peer that the local end has
Acknowledge received a Remove Link message.
150 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Step Action
1 In the 1424 SHDSL Router containment tree, go to the frameRelay object, select the dlciT-
able attribute and add one or more entries to this table.
Use this attribute to set up Frame Relay DLCIs. Add a row to the dlciTable for each Frame
Relay DLCI you want to create.
2 Configure the elements of the Frame Relay DLCI you just created. These elements are:
• name. Use this element to assign an administrative name to the Frame Relay DLCI.
• adminStatus. Use this element to activate (up) or deactivate (down) the Frame Relay
DLCI.
• mode. Use this element to determine whether, for the corresponding Frame Relay
DLCI, the packets are treated by the routing process, the bridging process or both.
• priorityPolicy. Use this element to apply a priority policy on the Frame Relay DLCI. Refer
to 7.11.15 - Applying a priority policy on an interface on page 293 for more informa-
tion.
• ip. Use this element to configure the IP related parameters of the Frame Relay DLCI.
Refer to 5.2.3 - Explaining the ip structure on page 56 for more information.
• bridging. Use this element to configure the bridging related parameters of the Frame
Relay DLCI in case the DLCI is in bridging mode (i.e. in case the mode element is set
to bridging). Refer to 8.2.6 - Explaining the bridging structure on page 318 for more infor-
mation.
• frameRelay. Use this element to configure the Frame Relay specific parameters of the
Frame Relay DLCI. Refer to frameRelay on page 557 for more information.
The following figure gives an example of a local Ethernet segment connected to three different networks
through three different DLCIs:
The following screenshot shows (part of) the dlciTable of the set-up depicted in the figure above:
152 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
In case of Frame Relay, the 1424 SHDSL Router can perform an auto-install (refer to 16.3.3 - Auto-install
in case of Frame-Relay on page 1158). This includes obtaining a local IP address of the Frame Relay
DLCI. However, even if no auto-install is performed the 1424 SHDSL Router runs the following sequence
to obtain a local IP address of the Frame Relay DLCI:
If the Frame Relay network supports the InARP (Inverse Address Resolution Protocol) protocol, then the
1424 SHDSL Router can learn the remote IP address of an Frame Relay DLCI.
1424 SHDSL Router Chapter 6 153
User manual Configuring the WAN encapsulation protocols
When you use Frame Relay encapsulation on the WAN interface, you can configure the IP related
parameters on two levels:
Using the ip structure in the … Use this structure to configure the IP related parameters of …
dlciTable attribute. one specific DLCI. Refer to Example - DLCI specific IP.
Refer to 5.2.3 - Explaining the ip structure on page 56 for a detailed description of the ip structure.
154 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
The characteristics of a set-up with a global IP address for the DLCIs are:
• Broadcasts are copied and sent over all DLCIs (that use the global IP address). E.g. pinging
10.0.0.255 results in a reply from 10.0.0.1, 10.0.0.2 and 10.0.0.3.
• Pinging 10.0.0.3 results in a reply when LMI is up.
• Routes learned over one DLCI are not passed to other DLCIs. E.g. a route learned over DLCI 16 is
not passed to DLCI 17. This means that split horizon is applicable.
• RIP only functions if the network is fully meshed. I.e. if every router is directly connected to its neigh-
bour with a DLCI (as in the example above).
1424 SHDSL Router Chapter 6 155
User manual Configuring the WAN encapsulation protocols
The characteristics of a set-up with a specific IP address for each DLCI are:
• Each DLCI is an IP interface.
• Pinging 10.1.0.1 results in a reply when the DLCI is up.
• Routes learned over one DLCI are passed to other DLCIs. E.g. a route learned over DLCI 16 is
passed to DLCI 17. This means that split horizon is not applicable.
156 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Refer to 6.6.1 - Introducing Frame Relay on page 146 for an introduction on LMI.
To configure LMI, proceed as follows:
Step Action
Refer to lmi on page 561 for a complete description of the lmi structure.
1424 SHDSL Router Chapter 6 157
User manual Configuring the WAN encapsulation protocols
Refer to 6.6.1 - Introducing Frame Relay on page 146 for an introduction on CIR and EIR.
As said before, CIR is the data rate which the user expects to pass into the Frame Relay network with
few problems. Note that the CIR is unrelated to the actual bit rate of the physical connection. A user could
have a physical connection operating at 2 Mbps, but a CIR across this physical connection of only 64
kbps. This would mean that the user’s average data rate would be 64 kbps, but data bursts up to 2 Mbps
would be possible (EIR).
To configure the CIR and EIR of a Frame Relay DLCI, proceed as follows:
Step Action
Important remarks
• Be careful not to over-dimension the CIR. I.e. do not let the sum of the CIRs of the DLCIs exceed the
bandwidth of the physical connection.
• When you do exceed the total bandwidth of the physical connection, then the 1424 SHDSL Router
first buffers the data. However, when the buffers of the 1424 SHDSL Router are completely filled up,
it has to discard the “excess” data.
• To obtain an optimal QoS for links that contain both voice and data DLCIs, it is advisable to use CIR
for the voice DLCIs and EIR for the data DLCIs. This decreases the amount of data packets that are
queued in a single burst, thereby reducing the transmission delay for voice packets.
158 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Examples
Refer to 6.6.1 - Introducing Frame Relay on page 146 for an introduction on Frame Relay fragmentation.
There are different cases of fragmentation. How to enable fragmentation in each of these cases is shown
in the following table:
This section introduces the PPP encapsulation protocol and gives a short description of the attributes
you can use to configure this encapsulation protocol.
The following gives an overview of this section:
• 6.7.1 - Introducing PPP on page 161
• 6.7.2 - Automatically obtaining IP addresses in PPP on page 165
• 6.7.3 - Configuring IP addresses in PPP on page 167
• 6.7.4 - Imposing IP addresses on the remote in PPP on page 168
• 6.7.5 - Configuring link monitoring on page 169
• 6.7.6 - Configuring PAP on page 170
• 6.7.7 - How does PAP work? on page 171
• 6.7.8 - Configuring CHAP on page 173
• 6.7.9 - How does CHAP work? on page 174
• 6.7.10 - Use which name and secret attributes for PPP authentication? on page 176
• 6.7.11 - Setting up multilink PPP on page 177
• 6.7.12 - Enabling PPP fragmentation on page 182
• 6.7.13 - Setting up multiclass PPP on page 183
1424 SHDSL Router Chapter 6 161
User manual Configuring the WAN encapsulation protocols
What is PPP?
The Point-to-Point Protocol (PPP) originally emerged as an encapsulation protocol for transporting IP
traffic over point-to-point links. PPP also established a standard for assigning and managing IP
addresses, asynchronous and bit-oriented synchronous encapsulation, network protocol multiplexing,
link configuration, link quality testing, error detection, and option negotiation for added networking capa-
bilities.
Also refer to What is PPPoA (RFC 2364)? on page 108.
PPP provides a method for transmitting datagrams over serial point-to-point links, which include the fol-
lowing components:
• A method for encapsulating datagrams over serial links.
• An extensible Link Control Protocol (LCP) which provides a method of establishing, configuring,
maintaining, and terminating the point-to-point connection.
• A family of Network Control Protocols (NCPs) for establishing and configuring different network layer
protocols such as the IP Control Protocol (IPCP) and the Bridge Control Protocol (BCP).
• A Compression Control Protocol (CCP) for configuring, enabling and disabling data compression
algorithms on both ends of the point-to-point link.
Phase Description
2 The Network Control Protocol (NCP, i.e. IPCP or BCP) builds the network layer.
PPP features link monitoring in order to check whether the PPP link is truly up or down. If link monitoring
is enabled, then echo request packets are sent over the link at regular intervals. If on consecutive
requests no reply is given, then the PPP link is declared down. Data traffic is stopped until the PPP hand-
shake succeeds again.
162 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
What is PAP?
The Password Authentication Protocol (PAP) is the most basic form of authentication (complies with RF
1334). It basically works the same way as a normal login procedure. The peer (the authenticating sys-
tem) authenticates itself by sending a username and password to the authenticator. The authenticator
compares this username and password to its secrets database. If the password matches, the peer is
authenticated and the session can be set up. PAP authentication can be performed in one direction or
in both directions.
The disadvantage of PAP is that it is vulnerable to eavesdroppers who may try to obtain the password
by listening in on the serial line, and to repeated trial and error attacks.
What is CHAP?
The Challenge Handshake Authentication Protocol (CHAP) is more secure than PAP.
With CHAP, the server (the authenticator) sends a randomly generated “challenge” string to the client
(the authenticating system). The client hashes the challenge string, its username and password using
the MD5 algorithm. This result is returned to the server. The server now performs the same computation
and compares this username and password to its secrets database. If the passwords match, the client
is authenticated and the session can be set up. CHAP authentication can be performed in one direction
or in both directions.
Another feature of CHAP is that it does not only requires the client to authenticate itself at start-up time,
but to do so at regular intervals. This to make sure the client has not been replaced by an intruder (for
instance by just switching lines).
What is MS-CHAP?
The Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is the Microsoft version of
CHAP and is an extension to RFC 1994. Like the standard version of CHAP, MS-CHAP is used for PPP
authentication. In this case, authentication occurs between a PC using Microsoft Windows and a router
or access server acting as a network access server (NAS).
The differences between the standard CHAP and MS-CHAP are:
• MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP option 3, Authentication Protocol.
• The MS-CHAP Response packet is in a format designed to be compatible with Microsoft Windows.
This format does not require the authenticator to store a clear or reversibly encrypted password.
• MS-CHAP provides an authenticator-controlled authentication retry mechanism.
• MS-CHAP provides an authenticator-controlled change password mechanism.
• MS-CHAP defines a set a "reason for failure" codes returned in the Failure packet message field.
1424 SHDSL Router Chapter 6 163
User manual Configuring the WAN encapsulation protocols
MS-CHAP version 2 provides stronger security for remote access connections and also solves some
issues of MS-CHAP version 1:
LAN Manager encoding of the response used for MS-CHAP v2 no longer allows LAN Manager
backward compatibility with older Microsoft encoded responses.
remote access clients is cryptographically weak.
LAN Manager encoding of password changes is MS-CHAP v2 no longer allows LAN Manager
cryptographically weak. encoded password changes.
With 40-bit encryption, the cryptographic key is With MS-CHAP v2, the cryptographic key is
based on the user's password. Each time the user always based on the user's password and an arbi-
connects with the same password, the same cryp- trary challenge string. Each time the user con-
tographic key is generated. nects with the same password, a different
cryptographic key is used.
A single cryptographic key is used for data sent in With MS-CHAP v2, separate cryptographic keys
both directions on the connection. are generated for transmitted and received data.
What is MLPPP?
Multilink PPP (MLPPP) is a method of splitting, recombining, and sequencing datagrams across multiple
logical data links.
For all its strengths, PPP has one inherent limitation when it comes to network deployment: it is designed
to handle only one physical link at a time. MLPPP does away with this restriction. MLPPP is a higher-
level data link protocol that sits between PPP and the network protocol layer. It accommodates one or
more PPP links, with each PPP link representing either a separate physical WAN connection or a chan-
nel in a multi-channel switched service. MLPPP its ability to combine multiple lower-speed links into a
single, higher-speed data path is often referred to as WAN-independent or packet-based inverse multi-
plexing.
MLPPP negotiates configuration options the same way as conventional PPP. However, during the nego-
tiation process, one router or access device indicates to the other communicating device that it is willing
to combine multiple connections and treat them as a single physical pipe. It does this by sending along
a multilink option message as part of its initial LCP option negotiation.
Once a multilink session is successfully opened, MLPPP at the sending side receives network protocol
data units (PDUs) from higher-layer protocols or applications. It then fragments those PDUs into smaller
packets, adds an MLPPP header to each fragment and sends them over the available PPP links. On the
receiving end, the MLPPP software takes the fragmented packets from the different links, puts them in
their correct order based on their MLPPP headers and reconverts them to their original network-layer
PDUs.
164 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
In case of MLPPP you can enable packet fragmentation. When packet fragmentation is not enabled,
packets are sent whole across the channels. When packet fragmentation is enabled, larger packets are
divided into smaller fragments and distributed over all the channels in use. Sending the packets in this
way reduces transit times. The receiver collects the fragments, reassembles them, and delivers them in
the original intended order.
Multiclass PPP recovers some unused bits in the PPP multilink header to allow separate streams within
a single PPP session. This allows for Frame Relay like features within this PPP session. It also facilitates
QoS over a single PPP link. However, the number of sessions possible is small compared to Frame
Relay.
What is BAP?
The Bandwidth Allocation Protocol (BAP) can be used to manage the number of links in a multi-link bun-
dle. BAP defines datagrams to coordinate adding and removing individual links in a multi-link bundle, as
well as specifying which peer is responsible for various decisions regarding managing bandwidth during
a multi-link connection. The Bandwidth Allocation Control Protocol (BACP) is the associated control pro-
tocol for BAP. BACP defines control parameters for the BAP protocol to use.
1424 SHDSL Router Chapter 6 165
User manual Configuring the WAN encapsulation protocols
In case of PPP, the 1424 SHDSL Router can learn the local IP address of a PPP link.
166 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
In case of PPP, the 1424 SHDSL Router can learn the remote IP address of a PPP link.
1424 SHDSL Router Chapter 6 167
User manual Configuring the WAN encapsulation protocols
Step Action
Refer to 5.2.3 - Explaining the ip structure on page 56 for a complete description of the ip
structure.
168 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
As can be seen in 6.7.2 - Automatically obtaining IP addresses in PPP on page 165, in case of PPP the
1424 SHDSL Router can learn IP addresses from the remote side. What is more, in case of PPP the
1424 SHDSL Router itself can impose IP addresses on the remote.
To impose IP addresses on the remote, proceed as follows:
Step Action
1 On the 1424 SHDSL Router, configure a local and remote IP address on the PPP link.
Refer to 6.7.3 - Configuring IP addresses in PPP on page 167.
2 On the remote device (e.g. a 1031 Router), configure nor a local nor a remote address
on the PPP link.
⇒Once the PPP handshake reaches the IPCP stage, the 1031 Router will declare to
the 1424 SHDSL Router that it has no IP addresses on its PPP link. The 1424
SHDSL Router on its turn will impose the local and remote IP address of the PPP
link on the 1031 Router.
⇒What is more, the 1031 Router adds a route towards the 1424 SHDSL Router. Also
see the explanation of the element gatewayPreference on page 59.
Refer to 6.7.1 - Introducing PPP on page 161 for an introduction on link monitoring.
To configure link monitoring on a PPP(oA) link, proceed as follows:
Step Action
Refer to linkMonitoring on page 568 for a complete description of the linkMonitoring structure.
170 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Step Action
1 On the authenticating router, configure the PPP attributes authentication and authenPeriod.
• authentication. Use this attribute to set the PPP authentication to PAP.
• authenPeriod. Use this attribute to determine the interval at which the PPP link is
authenticated once it has been set up.
Refer to 11.5.4 - PPP configuration attributes on page 566 for a detailed description of
the ppp attributes.
3 Again on the authenticating router, go to the router object and configure the pppSecretTable.
In this table, enter the name and secret you configured on the peer in step 2. These are
used in the authentication process.
How exactly all these configuration attributes are used in the authentication process is explained in the
6.7.7 - How does PAP work? on page 171.
1424 SHDSL Router Chapter 6 171
User manual Configuring the WAN encapsulation protocols
The router authenticates after building its LCP layer and prior to building the IPCP layer. If the authenti-
cation succeeds, then the PPP link is built further until data can be sent. Else PPP starts its handshake
again.
Consider the following example: router A (the 1424 SHDSL Router) is the authenticator and router B is
the peer. Router A is configured for PAP authentication and router B is not. The authentication process
goes as follows:
Phase Description
1 Router B wants to establish a PPP link with router A (the 1424 SHDSL Router).
4 Router A looks up the name of router B in its pppSecretTable to find a corresponding secret.
If the secret found in the pppSecretTable matches the secret received from router B, then
the authentication succeeded and a PPP link is established. Else the authentication failed
and no PPP link is established.
If PAP authentication is enabled on both routers, then they both request and respond to the authentica-
tion. If the remote router is a router from another vendor, then read the documentation in order to find
out how to configure the PAP name and secret values.
1424 SHDSL Router Chapter 6 173
User manual Configuring the WAN encapsulation protocols
Step Action
1 On the authenticating router, configure the PPP attributes authentication and authenPeriod.
• authentication. Use this element to set the PPP authentication to CHAP (or MS-CHAP
or MS-CHAP v2).
• authenPeriod. Use this attribute to determine the interval at which the PPP link is
authenticated once it has been set up.
Refer to 11.5.4 - PPP configuration attributes on page 566 for a detailed description of
the ppp attributes.
3 Again on the authenticating router, go to the router object and configure the pppSecretTable.
In this table, enter the name and secret you configured on the peer in step 2. These are
used in the authentication process.
How exactly all these configuration attributes are used in the authentication process is explained in the
6.7.9 - How does CHAP work? on page 174.
174 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
The router authenticates after building its LCP layer and prior to building the IPCP layer. If the authenti-
cation succeeds, then the PPP link is built further until data can be sent. Else PPP starts its handshake
again.
Consider the following example: router A (the 1424 SHDSL Router) is the authenticator and router B is
the peer. Router A is configured for CHAP authentication and router B is not. The authentication process
goes as follows:
Phase Description
1 Router B wants to establish a PPP link with router A (the 1424 SHDSL Router).
The challenge packet also contains the sysName of router A. If the peer (router B)
is also a OneAccess Router, then it does nothing with it. Other vendors, however,
may use this sysName to determine which secret to use in the authentication proc-
ess. Check the vendor’s documentation.
3 Router B feeds the random value and its secret1 into the MD5 hash generator, resulting
in a hash value.
4 Router B sends a response packet containing the hash value and its name2.
5 Router A looks up the name of router B in its pppSecretTable to find a corresponding secret.
This secret found in the pppSecretTable and the random value router A sent in step 2 is fed
into the MD5 hash generator, resulting in a hash value. If this hash value equals the hash
value received from router B, then the authentication succeeded and a PPP link is estab-
lished. Else the authentication failed and no PPP link is established.
If CHAP authentication is enabled on both routers, then they both request and respond to the authenti-
cation. If the remote router is a router from another vendor, then read the documentation in order to find
out how to configure the CHAP name and secret values.
176 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
6.7.10 Use which name and secret attributes for PPP authentication?
Older firmware versions only used the sysName and the router/sysSecret attributes in their PPP authentica-
tion process. Newer firmware versions, however, have two new attributes for PPP authentication pur-
poses being: ppp/sessionName and ppp/sessionSecret. This enhancement allows you to define different
names and secrets for each PPP link (whereas before all PPP links used the same sysName and sysSecret
attribute).
So suppose you have several ATM PVCs on which you all run PPPoA, you can use a different name
and secret for each PPPoA link by configuring per PVC the sessionName and sessionSecret in the ppp struc-
ture of the atm/pvcTable attribute.
Refer to …
• sysName on page 504
• sysSecret on page 625
• sessionName on page 570
• sessionSecret on page 570
• pppoEClient on page 525
Important remarks
• If on a PPP link authentication is enabled and the sessionName/sessionSecret attributes are not filled in,
then the sysName/sysSecret attributes are used in the PPP authentication process for that link.
• If on a PPP link authentication is enabled and the sessionName/sessionSecret attributes are filled in, then
the sysName/sysSecret attributes are ignored and are not used in the PPP authentication process for
that link.
• If you have several PPP links and you use a different name and secret for each link (using the ses-
sionName/sessionSecret attributes), then do not forget to add all these names and secrets in the
pppSecretTable of the authenticator.
• The sysName/sysSecret attributes do not serve as “back-up” for the sessionName/sessionSecret attributes.
This means that if for some reason authentication using the sessionName/sessionSecret attributes fails
(e.g. because the secrets do not match), then the authenticator does not restart the authentication
process using the sysName/sysSecret attributes instead.
• If you have several PPP links, it is allowed to use a specific name and secret on some of them (using
the sessionName/sessionSecret attributes) and use a general name and secret for the rest (using the
sysName/sysSecret attributes). In that case, make sure that for the latter the sessionName/sessionSecret
attributes are not configured (i.e. their value fields are empty).
1424 SHDSL Router Chapter 6 177
User manual Configuring the WAN encapsulation protocols
MLPPP means running a PPP bundle over several physical interfaces. In case you only have one phys-
ical interface towards the WAN, setting up MLPPP seems a bit awkward. However, if you want to enable
PPP fragmentation or set up multiclass PPP links, then you have to set up a PPP bundle even if it means
setting up a bundle on just one physical interface. This because PPP fragmentation and multiclass PPP
are part of the MLPPP feature set.
Note that you can also set up MLPPP for a PPPoA link.
Step Action
4 Configure the attributes of the pppBundle[ ] object you just added. The most important
attributes are:
• members. Use this attribute to make the WAN interface a member of
the PPP bundle. Do this by adding one entry to the members table
and by typing “wan” as value of the interface element.
• ip. Use this attribute to configure the IP related parameters of the
PPP bundle.
• mode. Use this attribute to determine whether the packets are treated by the routing
process, the bridging process or both.
Refer to 11.8.1 - PPP bundle configuration attributes on page 611 for more information
on the configuration attributes of the PPP bundle.
178 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Step Action
1 Set up a PPPoA link. Refer to 6.2.13 - Configuring PPP over ATM (PPPoA) on page 123.
Note that it is important to set the operation element in the linkMonitoring structure to
enabled. This allows that when a member (i.e. a PPP link) of the PPP bundle goes
down, the PPP bundle falls back to a lower speed and vice versa.
3 Configure the attributes of the pppBundle[ ] object you just added. The most important
attributes are:
• members. Use this attribute to make an ATM PVC (running PPPoA)
a member of the PPP bundle. Do this by adding an entry to the mem-
bers table and by typing the name of the ATM PVC as value of the
interface element.
• ip. Use this attribute to configure the IP related parameters of the PPP bundle.
• mode. Use this attribute to determine whether the packets are treated by the routing
process, the bridging process or both.
Refer to 11.8.1 - PPP bundle configuration attributes on page 611 for more information
on the configuration attributes of the PPP bundle.
1424 SHDSL Router Chapter 6 179
User manual Configuring the WAN encapsulation protocols
Step Action
4 Configure the attributes of the pppBundle[ ] object you just added. The most important
attributes are:
• members. Use this attribute to determine which E1 interfaces (more
particularly, which E1 channels) are member of the PPP bundle. So
you have to add an entry to the members table for every E1 channel
that you want to include in the PPP bundle. Then type the index
name of the E1 channel as value of the interface element.
• ip. Use this attribute to configure the IP related parameters of the
PPP bundle.
• mode. Use this attribute to determine whether the packets are treated by the routing
process, the bridging process or both.
Refer to 11.8.1 - PPP bundle configuration attributes on page 611 for more information
on the configuration attributes of the PPP bundle.
180 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Step Action
4 Configure the attributes of the pppBundle[ ] object you just added. The most important
attributes are:
• members. Use this attribute to make the RS530 interface a member
of the PPP bundle. Do this by adding one entry to the members table
and by typing the name of the RS530 interface as value of the inter-
face element. By default, the name is “wan”.
• ip. Use this attribute to configure the IP related parameters of the PPP bundle.
• mode. Use this attribute to determine whether the packets are treated by the routing
process, the bridging process or both.
Refer to 11.8.1 - PPP bundle configuration attributes on page 611 for more information
on the configuration attributes of the PPP bundle.
1424 SHDSL Router Chapter 6 181
User manual Configuring the WAN encapsulation protocols
Step Action
2 In the 1424 SHDSL Router containment tree, go to the leasedLine[ ] object and set the
encapsulation attribute to ppp.
6 Configure the attributes of the pppBundle[ ] object you just added. The most important
attributes are:
• members. Use this attribute to make the BRI interface in leased line
mode a part of the PPP bundle. Do this by adding one or more
entries to the members table and by typing the index name of the
leasedLine[ ] object as value of the interface element.
• ip. Use this attribute to configure the IP related parameters of the PPP bundle.
• mode. Use this attribute to determine whether the packets are treated by the routing
process, the bridging process or both.
Refer to 11.8.1 - PPP bundle configuration attributes on page 611 for more information
on the configuration attributes of the PPP bundle.
182 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Setting up multilink PPP (MLPPP) allows you to enable PPP fragmentation. Refer to 6.7.1 - Introducing
PPP on page 161 for an introduction on PPP fragmentation.
Important remark
Note that PPP fragmentation is actually a part of the MLPPP feature set. So in case you want to enable
PPP fragmentation, you actually have to set up a PPP bundle. Even if you want to enable PPP fragmen-
tation on just one interface!
Step Action
2 In the pppBundle[ ] object you created in step 1, set the fragmentation attribute to enabled.
1424 SHDSL Router Chapter 6 183
User manual Configuring the WAN encapsulation protocols
Setting up multilink PPP (MLPPP) allows you to set up multiclass PPP. Refer to 6.7.1 - Introducing PPP
on page 161 for an introduction on multiclass PPP.
Important remark
Note that multiclass PPP is actually a part of the MLPPP feature set. So in case you want to set up mul-
ticlass PPP, you actually have to set up a PPP bundle. Even if you want to enable multiclass PPP on
just one interface!
Step Action
2 In the pppBundle[ ] object you created in step 1, select the multiclassInterfaces attribute and
add one or more entries to this table.
Use this attribute to set up multiclass PPP links. Add a row to the multiclassInterfaces table
for each multiclass PPP link you want to create.
184 1424 SHDSL Router Chapter 6
User manual Configuring the WAN encapsulation protocols
Step Action
3 Configure the elements of the multiclass PPP link you just created. These elements are:
• name. Use this element to assign an administrative name to the multiclass PPP link.
• adminStatus. Use this element to activate (up) or deactivate (down) the multiclass PPP
link.
• mode. Use this element to determine whether, for the corresponding multiclass PPP
link, the packets are treated by the routing process, the bridging process or the switch-
ing process.
• ip. Use this element to configure the IP related parameters of the multiclass PPP link.
Refer to 5.2.3 - Explaining the ip structure on page 56 for more information.
• bridging. Use this element to configure the bridging related parameters of the multiclass
PPP link in case the link is in bridging mode (i.e. in case the mode element is set to
bridging). Refer to 8.2.6 - Explaining the bridging structure on page 318 for more infor-
mation.
• multiclass. Use this element to configure the multiclass specific parameters of the mul-
ticlass PPP link. The multiclass element contains the following sub-elements:
- multiclass. Use this element to set a multiclass identifier for the multiclass PPP link.
- defaultQueue. Use this element to select a default queue. This allows you to easily
set up a traffic policy without having to create and apply traffic policy profiles. How-
ever, you still have to create and apply a priority policy profile to empty the queues.
Refer to 7.11.11 - The default queue attribute versus a traffic policy profile on
page 286 for more information.
7 Configuring routing
Depending on the device, some features may or may not be present. Refer to the detailed features over-
view.
This chapter introduces routing on the 1424 SHDSL Router and lists the attributes you can use to con-
figure routing. It also introduces the most important features of the router besides routing and lists the
attributes you can use to configure these features.
The following gives an overview of this chapter:
• 7.1 - Introducing routing on page 186
• 7.2 - Enabling routing on an interface on page 187
• 7.3 - Configuring static routes on page 188
• 7.4 - Configuring policy based routing on page 197
• 7.5 - Configuring RIP on page 204
• 7.6 - Configuring OSPF on page 212
• 7.7 - Configuring BGP on page 221
• 7.8 - Configuring address translation on page 225
• 7.9 - Configuring VRRP on page 247
• 7.10 - Configuring Virtual Routing and Forwarding or VRF on page 254
• 7.11 - Applying QoS on routed traffic on page 259
Refer to the Reference manual on page 489 for a complete overview of the attributes of the 1424 SHDSL
Router.
186 1424 SHDSL Router Chapter 7
User manual Configuring routing
What is routing?
Routing is the act of moving information across an internetwork from a source to a destination.
Routing is often contrasted with bridging. At first sight, bridging might seem to do the same as routing.
The primary difference between the two is that bridging occurs at layer 2 (the link layer) of the OSI ref-
erence model, whereas routing occurs at Layer 3 (the network layer). In other words, bridging occurs at
a lower level and is therefore more of a hardware function whereas routing occurs at a higher level where
the software component is more important. And because routing occurs at a higher level, it can perform
more complex analysis to determine the optimal path for the packet.
In order to determine a routing path, routers initialise and maintain routing tables. These routing tables
contain a variety of information. For example:
• Destination/next hop associations tell a router that a particular destination can be reached optimally
by sending the packet to a particular router representing the "next hop" on the way to the final desti-
nation. When a router receives an incoming packet, it checks the destination address and attempts
to associate this address with a next hop.
• Desirability of a path. Routers use metrics to evaluate what path will be the best for a packet to travel.
Routers communicate with one another and maintain their routing tables through the transmission of a
variety of messages. The routing update message is one such message that generally consists of all or
a portion of a routing table. By analysing routing updates from all other routers, a router can build a
detailed picture of network topology.
Transporting packets
In most cases, a host determines that it must send a packet to another host. Having acquired a router's
address by some means, the source host sends a packet addressed specifically to a router's physical
(i.e. Media Access Control or MAC) address, this time with the protocol (i.e. network) address of the des-
tination host.
As it examines the packet's destination protocol address, the router determines that it either knows or
does not know how to forward the packet to the next hop. If the router does not know how to forward the
packet, it typically drops the packet. If the router knows how to forward the packet, however, it changes
the destination physical address to that of the next hop and transmits the packet.
The next hop may be the ultimate destination host. If not, the next hop is usually another router, which
executes the same switching decision process. As the packet moves through the internetwork, its phys-
ical address changes, but its protocol address remains constant.
1424 SHDSL Router Chapter 7 187
User manual Configuring routing
LAN interface Set the mode attribute to routing or routingAndBridging. The mode attribute can be found
in the lanInterface object: mode.
Important remark
• If you set the configuration attribute mode to bridging, then the settings of the con-
figuration attribute ip are ignored. As a result, if you want to manage the 1424
SHDSL Router via IP, you have to configure an IP address in the bridgeGroup
object instead: ip.
VLAN on the Set the mode element to routing or routingAndBridging. The mode element can be found
LAN interface in the vlan table which is located in the lanInterface object: vlan/mode.
ATM PVC Set the mode element to routing or routingAndBridging. The mode element can be found
in the pvcTable table which is located in the atm object: pvcTable/mode.
PPP link Set the mode element to routing or routingAndBridging. Refer to the PPP configuration
attributes.
Frame Relay Set the mode element to routing or routingAndBridging. The mode element can be found
PVC in the dlciTable table which is located in the frameRelay object: dlciTable/mode.
EFM Set the mode attribute to routing or routingAndBridging. Refer to the EFM configuration
attributes.
L2TP tunnel Set the mode element to routing or routingAndBridging. The mode element can be found
in the l2tpTunnels table which is located in the tunnels object: l2tpTunnels/mode.
IPSEC L2TP Set the mode element to routing or routingAndBridging. The mode element can be found
tunnel in the ipsecL2tpTunnels table which is located in the tunnels object: ipsecL2tpTunnels/
mode.
188 1424 SHDSL Router Chapter 7
User manual Configuring routing
This section introduces static routing and gives a short description of the attributes you can use to con-
figure static routing.
The following gives an overview of this section:
• 7.3.1 - Introducing static routing on page 189
• 7.3.2 - Configuring a default route on page 190
• 7.3.3 - Configuring the routing table on page 191
• 7.3.4 - Configuring the routing table - rules of thumb on page 194
• 7.3.5 - The rerouting principle on page 196
1424 SHDSL Router Chapter 7 189
User manual Configuring routing
The following table states the differences between static and dynamic routing:
static Static routing algorithms are hardly algorithms at all, but are table mappings estab-
lished by the network administrator before the beginning of routing. These map-
pings do not change unless the network administrator alters them. Static routing
algorithms work well in environments where network traffic is relatively predictable
and where network design is relatively simple.
dynamic Because static routing systems cannot react to network changes, they generally
are considered unsuitable for today's large, constantly changing networks. Most of
the dominant routing algorithms today are dynamic routing algorithms, which
adjust to changing network circumstances by analysing incoming routing update
messages. If the message indicates that a network change has occurred, the rout-
ing software recalculates routes and sends out new routing update messages.
These messages permeate the network, stimulating routers to rerun their algo-
rithms and change their routing tables accordingly.
Also refer to …
• 7.5.1 - Introducing RIP on page 205.
• 7.6.1 - Introducing OSPF on page 213.
static and Dynamic routing algorithms can be supplemented with static routes where appro-
dynamic priate. A router of last resort (a router to which all unroutable packets are sent), for
example, can be designated to act as a repository for all unroutable packets,
ensuring that all messages are at least handled in some way.
A default route is a route (also called gateway) that is used to direct packets addressed to networks not
explicitly listed in the routing table. A default route is also typically used when only one specific remote
network has to be reached.
The routing table is composed of a set of routes that are known to the router. It includes a list of known
addresses, as well as information to get a packet one router closer to its final destination. Routing tables
can be static (with routes manually entered by the network administrator) or dynamic (where routers
communicate to exchange connection and route information using e.g. RIP).
190 1424 SHDSL Router Chapter 7
User manual Configuring routing
Refer to 7.3.1 - Introducing static routing on page 189 for an introduction on the default route.
To configure a default route, proceed as follows:
Step Action
2 Configure the elements in the defaultRoute structure. The most important elements are:
• gateway. Use this element to specify the IP address of the next router that will route all
packets for which no specific (static or dynamic) route exists in the routing table.
• interface. Use this element to specify the interface through which the gateway can be
reached. Do this by typing the name of the interface as you assigned it using the con-
figuration attribute name (e.g. name). Note that this interface can also be a DLCI, PVC,
tunnel, etc.
Suppose network 1 is connected over a network of an operator to network 2. Network 1 only needs to
reach network 2. So for the router in network 1 it suffices to configure a default route towards network 2.
Refer to 7.3.1 - Introducing static routing on page 189 for an introduction on the routing table.
To configure the routing table, proceed as follows:
Step Action
Suppose network 1 is connected over a network of an operator to network 2. The two routers have an
IP address on their WAN interface.
To make network 192.168.48.0 reachable from network 192.168.47.0 and vice versa, you have to define
one static route in Router A and one static route in Router B. So configure the routingTable attribute of
Router A and B as follows:
1424 SHDSL Router Chapter 7 193
User manual Configuring routing
Suppose network 1 is connected over a network of an operator to network 2. The two routers do not have
an IP address on their WAN interface, only on their LAN interface.
To make network 192.168.48.0 reachable from network 192.168.47.0 and vice versa, you have to define
one static route in Router A and one static route in Router B. So configure the routingTable attribute of
Router A and B as follows:
194 1424 SHDSL Router Chapter 7
User manual Configuring routing
Some rules
The following table lists some rules when configuring the routingTable:
Rule Description
1 As a rule of thumb, one can say that the interface name has priority over the gateway.
2 In case you enter a correct (i.e. existing) interface name and in case it refers to a …
• point-to-point (PTP) interface, the route is always added to the routing table, no matter
which gateway (GW) is specified.
• multi-point (MP) interface, then …
- the route is only added to the routing table when a local gateway is specified.
- the route is not added to the routing table when no gateway is specified.
- a reroute occurs when no local gateway is specified.
3 In case you enter an incorrect interface name, the route is not added to the routing table.
1. In the routingTable status, the configured gateway will appear but for the routing itself the gate-
way is ignored.
1424 SHDSL Router Chapter 7 195
User manual Configuring routing
Gateway Field
It is important to note that, as of TDRE12, static routes that use an Ethernet-like interface (broadcast
interface) no longer require filling in the gateway field.
When such a route is used, an ARP look-up for the destination address of the packet is performed before
transmitting the packet, instead of a look-up for the gateway address.
Refer to the following example:
• Situation: the server with IP address 192.168.1.200, which was on Lan2 needs to be physically
placed in Lan1, but its IP address may not be changed.
• Solution: This can be solved by adding a static host route to that server on the router between the 2
networks. If proxy ARP is enabled on that router, both the hosts on Lan2 and the server will be able
to continue working without any modification to their network configuration.
196 1424 SHDSL Router Chapter 7
User manual Configuring routing
If the gateway of a route does not belong to the subnet of an interface, then the 1424 SHDSL Router
adds a special route. Then a second route look-up occurs, this time using the gateway field of the route.
This can be used as a back-up functionality as shown below.
Example
Now in order to reach network 172.31.75.0, PVC A is used. However, when PVC A goes down, the 1424
SHDSL Router automatically uses PVC B in order to reach network 172.31.75.0. I.e. it automatically
“reroutes” and this without the need of a routing protocol.
Important remarks
• This only works for the entries of the routing table, not for the default gateway.
• This type of route is always up.
• In the status information, the interface element of such a route displays internal.
1424 SHDSL Router Chapter 7 197
User manual Configuring routing
This section introduces the policy based routing and gives a short description of the attributes you can
use to configure policy based routing.
The following gives an overview of this section:
• 7.4.1 - Introducing policy based routing on page 198
• 7.4.2 - Setting up policy based routing on page 199
• 7.4.3 - Applying policy based routing on page 202
198 1424 SHDSL Router Chapter 7
User manual Configuring routing
Normal routing is based on the destination IP address. Policy based routing offers the possibility to
define different routing entries based on additional information. Traffic is routed to a certain interface or
gateway based on e.g. the source IP address, the IP protocol, etc.
1424 SHDSL Router Chapter 7 199
User manual Configuring routing
Refer to 7.4.1 - Introducing policy based routing on page 198 for an introduction.
To configure policy based routing, proceed as follows:
Step Action
3 Configure the policy criteria for the traffic policy method you selected in step 2.
If you choose then use the following attribute in the traffic policy object to
the method … configure the policy criteria:
trafficShaping, trafficShaping.
So using the elements in this table you can route traffic based on
IP source and destination address, TOS values, IP protocol, etc.
tosMapped, tos2QueueMapping.
So using the elements in this table you can route traffic based on
TOS values.
4 Now you have to determine to which interface and gateway the traffic is routed. Do this
using the interface and gateway elements that you find in the traffic policy tables you config-
ured in step 3.
200 1424 SHDSL Router Chapter 7
User manual Configuring routing
Suppose you have two networks which are interconnected over an ATM network. Network 1 carries a
mix of data and voice traffic. The traffic on this network is differentiated by setting the Type Of Service
(TOS) values in the IP packet headers (data = 0, voice = 10). When the traffic is routed from network 1
to network 2 you want that the data traffic and the voice traffic each go over a separate PVC.
Step Action
Since this is not the main subject of this example, refer for more information on creating
ATM PVCs to 6.2.2 - Configuring ATM PVCs on page 110.
2 Create and configure an IP traffic policy for policy based routing purposes.
For example:
• Create a trafficPolicy[myIpPol] object.
• Set the method attribute to tosMapped.
• In the tos2QueueMapping table, create two entries and define the startTos, endTos, interface
and gateway elements of each entry in such a way that the data traffic and the voice
traffic each go over a separate PVC.
1424 SHDSL Router Chapter 7 201
User manual Configuring routing
It is important to note that, when the data does not match with any line, the data will be discarded.
• This example continues from the example above, where the traffic policy myIpPol has been configured.
The following figure shows a default route that uses the traffic policy myIpPol as interface:
• The figure below shows how an accessPolicy is applied on the LAN interface:
1424 SHDSL Router Chapter 7 203
User manual Configuring routing
The IP address of the LAN interface must also be set in the traffic policy myIpPol2:
204 1424 SHDSL Router Chapter 7
User manual Configuring routing
This section introduces the Routing Information Protocol (RIP) and gives a short description of the
attributes you can use to configure RIP.
The following gives an overview of this section:
• 7.5.1 - Introducing RIP on page 205
• 7.5.2 - Enabling RIP on an interface on page 206
• 7.5.3 - Explaining the rip structure on page 208
• 7.5.4 - Enabling RIP authentication on an interface on page 211
1424 SHDSL Router Chapter 7 205
User manual Configuring routing
What is RIP?
The Routing Information Protocol (RIP) is a protocol that routers use to exchange dynamic routing infor-
mation. RIP can be enabled or disabled per interface.
There are two main RIP modes:
passive Received RIP updates are parsed, but no RIP updates are transmitted.
When RIP is enabled, the 1424 SHDSL Router advertises every 30 seconds its routing information to
adjacent routers. It also receives the routing information from the adjacent routers. With this information
it adapts its routing table dynamically. If after 180 seconds no information about a certain route has been
received, then this route is declared down. If after an additional 120 seconds (i.e. 300 seconds in total)
still no information about the route has been received, then this route is deleted from the routing table.
RIP support
The 1424 SHDSL Router supports RIP protocol version 1, 1-compatible and 2. RIP version 1 is a very
common routing protocol. Version 2 includes extra features like variable subnet masks and authentica-
tion. Check which RIP version is used by the other routers in the network.
Currently, the RIPv2 routing protocol requires the use of an IP address on the WAN interface.
RIP authentication
For security reasons the RIP updates that are exchanged between routers can be authenticated. RIP
authentication can be enabled or disabled per interface.
206 1424 SHDSL Router Chapter 7
User manual Configuring routing
Refer to …
• 7.3.1 - Introducing static routing on page 189 for a comparison between static and dynamic (e.g.
using RIP) routing.
• 7.5.1 - Introducing RIP on page 205 for an introduction on RIP.
Step Action
1 In the 1424 SHDSL Router containment tree, go to the router object and set the routingPro-
tocol attribute to rip.
This activates the general RIP process on the 1424 SHDSL Router. Now you can activate
or deactivate RIP per IP interface. Note that by default RIP is activated on all IP inter-
faces.
2 Each IP interfaces has an ip structure. Within this ip structure you find a rip structure. Use
the following elements in the rip structure to activate or deactivate RIP per IP interface:
• mode. Use this element to set the transmission and/or reception of RIP updates on the
interface. By default the 1424 SHDSL Router transmits and receives RIP updates on
all interfaces.
• txVersion. Use this element to set the version of the RIP updates that are transmitted
on the interface.
• rxVersion. Use this element to set which version of received RIP updates is accepted
on the interface.
For example, the following shows the location of the rip structure on the LAN interface:
Refer to …
• 5.2.2 - Where to find the IP parameters? on page 55 for the location of the ip structure
on the different IP interfaces. The rip structure is located within the ip structure.
• 7.5.3 - Explaining the rip structure on page 208 for a detailed explanation of the rip
structure.
1424 SHDSL Router Chapter 7 207
User manual Configuring routing
Suppose you want to activate RIP on the LAN interface. What is more, you want that the LAN interface
does not transmit RIP updates but only parses received RIP updates (passive RIP). Furthermore, you
only want to accept RIP version 1 updates on the LAN interface.
The following figure shows how to configure this:
Note that since in this example the mode element is set to passive, the txVersion element is ignored.
208 1424 SHDSL Router Chapter 7
User manual Configuring routing
Because the rip structure occurs in several objects, it is described here once and referenced where nec-
essary. The rip structure is located within the ip structure. Refer to 5.2.2 - Where to find the IP parame-
ters? on page 55 for the location of the ip structure.
The rip structure contains the following elements:
Element Description
metric Use this element to determine with how much the Default:1
1424 SHDSL Router increments the metric parameter Range: 1 … 15
of a route.
Routing information includes a metric parameter. Every time a router is passed,
this parameter is incremented. Also the 1424 SHDSL Router increments the metric
parameter (default by 1) before it writes the route in the routing table. Hence, the
metric parameter indicates for each route how many routers have to be passed
before reaching the network. When several routes to a single network exist and
they all have the same preference, then the route with the smallest metric param-
eter is chosen.
However, using the metric element, you can increment the metric parameter by
more than 1 (up to a maximum of 15). You could do this, for instance, to indicate
that a certain interface is less desirable to route through. As a result, the 1424
SHDSL Router adds this value to the metric parameter of every route learnt
through that interface.
The metric parameter is also used to represent the directly connected subnets on
the LAN and WAN interfaces.
mode Use this element to set the transmission and/or recep- Default:active
tion of RIP updates on the interface. By default the Range: enumerated, see below
1424 SHDSL Router transmits and receives RIP
updates on all interfaces.
The mode element has the following values:
• active. RIP updates are transmitted and received on this interface.
• passive. RIP updates are not transmitted on this interface, but received updates
are parsed.
• disabled. RIP updates are nor transmitted nor received on this interface.
txVersion Use this element to set the version of the RIP updates Default:rip2
that are transmitted on the interface. Range: enumerated, see below
The txVersion element has the following values:
• rip1. The transmitted RIP updates are RIP version 1 updates.
• rip2. The transmitted RIP updates are RIP version 2 updates.
• rip1-compatible. The contents of the RIP update packet is a RIP version 2 packet,
but it is encapsulated as a RIP version 1 packet. This allows some older imple-
mentations of RIP 1 to be interoperable with RIP 2.
1424 SHDSL Router Chapter 7 209
User manual Configuring routing
Element Description
rxVersion Use this element to set which version of received RIP Default:rip2only
updates is accepted on the interface. Range: enumerated, see below
The rxVersion element has the following values:
• rip1only. Only RIP version 1 received RIP updates are accepted.
• rip2only. Only RIP version 2 received RIP updates are accepted.
• rip1&2. Both RIP version 1 and 2 received RIP updates are accepted.
If you want to accept RIP1-compatible updates on the interface, then set the
rxVersion attribute to rip1&2.
Element Description
Remarks
•If authentication is enabled (either text or md5), then only updates using that
authentication are processed. All other updates on that interface are discarded.
• If you use md5 and if for a certain interface multiple secrets are present in the
ripv2SecretTable, then the first entry in the ripv2SecretTable is used to transmit RIP
updates. Authentication of the received RIP updates is done by looking for the
first secret with a matching key.
• If you use text and if for a certain interface multiple secrets are present in the
ripv2SecretTable, then only the first entry in the ripv2SecretTable is used to transmit
and receive RIP updates.
filter Use this element to apply a filter on the RIP updates Default:<empty>
on the interface. Range: 0 … 24 characters
Do this by entering the index name of the filter you want to use. You can create the
filter itself by adding a routingFilter object and by configuring the attributes in this
object.
Example
Refer to 7.5.1 - Introducing RIP on page 205 for an introduction on RIP authentication.
To enable RIP authentication on a certain interface, proceed as follows:
Step Action
2 In the 1424 SHDSL Router containment tree, go to the router object, select the
ripv2SecretTable attribute and add one or more entries to this table.
This section introduces the OSPF protocol. The following gives an overview of this section:
• 7.6.1 - Introducing OSPF on page 213
• 7.6.2 - Activating OSPF on page 218
• 7.6.3 - Enabling OSPF authentication on page 219
1424 SHDSL Router Chapter 7 213
User manual Configuring routing
What is OSPF?
The Open Shortest Path First (OSPF) protocol is an Interior Gateway Protocol used to distribute routing
information within a single Autonomous System.
On the Internet, an autonomous system (AS) is either a single network or a group of networks that is
controlled by a common network administrator (or group of administrators) on behalf of a single admin-
istrative entity (such as a university, a business enterprise, or a business division). An autonomous sys-
tem is also sometimes referred to as a routing domain.
Using OSPF, a host that obtains a change to a routing table or detects a change in the network imme-
diately multicasts the information to all other hosts in the network so that all will have the same routing
table information. Unlike the RIP in which the entire routing table is sent, the host using OSPF sends
only the part that has changed. With RIP, the routing table is sent to a neighbour host every 30 seconds.
OSPF multicasts the updated information only when a change has taken place.
Rather than simply counting the number of hops, OSPF bases its path descriptions on "link states" that
take into account additional network information. That is why OSPF is called a link-state protocol. A link
can be seen as an interface on the router. The state of the link is a description of that interface and of its
relationship to its neighbouring routers. A description of the interface would include, for example, the IP
address of the interface, the mask, the type of network it is connected to, the routers connected to that
network and so on.
Each router in the Autonomous System originates one or more link state advertisements (LSAs). The
collection of LSAs forms the link-state database. Each separate type of LSA has a separate function.
There 4 distinct types of LSAs:
Router-LSAs • Describes the state and cost of the router ‘s links (interfaces) to the area,
i.e. intra-area.
• Each router will generate a Router-LSA for all of its interfaces.
OSPF has special restrictions when multiple areas are involved. If more than one area is configured, one
of these areas has be to be area 0. This is called the backbone. When designing networks it is good
practice to start with area 0 and then expand into other areas later on.
The backbone has to be at the centre of all other areas, i.e. all areas have to be physically connected to
the backbone. The reasoning behind this is that OSPF expects all areas to inject routing information into
the backbone and in turn the backbone will disseminate that information into other areas.
OSPF uses flooding to exchange link-state updates between routers. Any change in routing information
is flooded to all routers in the network. Areas are introduced to put a boundary on the explosion of link-
state updates. All routers within an area have the exact link-state database.
A router that has all of its interfaces within the same area is called an internal router (IR).
Routers that belong to multiple areas, and connect these areas to the backbone area are called area
border routers (ABR). ABRs must therefore maintain information describing the backbone areas and
other attached areas.
Routers that act as gateways (redistribution) between OSPF and other routing protocols (e.g. RIP) are
called autonomous system boundary routers (ASBR).
In order to minimize the amount of information exchange on a particular segment, OSPF elects one
router to be a designated router (DR), and one router to be a backup designated router (BDR), on each
multi-access segment. The BDR is elected as a backup mechanism in case the DR goes down (the DR
and BDR are elected based upon their OSPF priority). The idea behind this is that routers have a central
point of contact for information exchange. Instead of each router exchanging updates with every other
router on the segment, every router exchanges information with the DR and BDR. The DR and BDR
relay the information to everybody else.
1424 SHDSL Router Chapter 7 215
User manual Configuring routing
OSPF allows certain areas to be configured as stub areas. External networks, such as those redistrib-
uted from other protocols into OSPF, are not allowed to be flooded into a stub area. Routing from these
areas to the outside world is based on a default route. Configuring a stub area reduces the topological
database size inside an area and reduces the memory requirements of routers inside that area.
An area can be called a stub when there is a single exit point from that area or if routing to outside of the
area does not go via an optimal path. The latter description is just an indication that a stub area that has
multiple exit points, will have one or more area border routers injecting a default into that area.
All OSPF routers inside a stub area have to be configured as stub routers. This is because whenever an
area is configured as stub, all interfaces that belong to that area will start exchanging Hello packets with
a flag that indicates that the interface is stub. All routers that have a common segment have to agree on
that flag. If they don't, then they will not become neighbours and routing will not take effect.
Not-so-stubby areas are a type of stub area in which external routes can be flooded.
OSPF areas flood all external routes across area borders. In the presence of large number of external
routes, this may be a problem, as external routes cannot be summarized at the ABRs. Stub areas are
designed to alleviate the problem by preventing external routes from being injected into the stub area,
and instead a default route is injected. Stub areas are incapable of carrying external routes (Type 5
LSAs), and hence are incapable of supporting ASBRs.
NSSAs allow for supporting ASBRs within the NSSA, while maintaining the same behaviour as stub
areas of not injecting external (Type 5) routes coming from the backbone. Thus NSSA routers benefit
from the significant reduction of external routes coming from the backbone, while having the capability
to carry a limited number of externals that originate in the NSSA.
To provide the ability of carrying external routes originated in the NSSA, a new LSA type was defined,
Type 7 LSA. It has the structure and semantics of a Type 5 (External) LSA, with a two differences:
• Type 7 LSAs can be originated and propagated within the NSSA, they do not cross area borders like
Type 5 LSAs do.
• Type 5 LSAs are not supported in NSSA; they can be neither originated nor propagated in NSSA.
In order to allow limited exchange of external information across an NSSA border, NSSA border routers
will translate selected Type-7 LSAs received from the NSSA into Type-5 LSAs. These Type-5 LSAs will
be flooded to all Type-5 capable areas. NSSA border routers may be configured with address ranges so
that multiple Type-7 LSAs may be aggregated into a single Type-5 LSA. The NSSA border routers that
perform translation are configurable. In the absence of a configured translator one is elected.
216 1424 SHDSL Router Chapter 7
User manual Configuring routing
Routers that share a common segment become neighbours on that segment. Neighbours are discov-
ered via the Hello protocol. Hello packets are sent periodically out of each interface using IP multicast.
Routers become neighbours as soon as they see themselves listed in the neighbour’s Hello packet. This
way, a two way communication is guaranteed.
Adjacency is the next step after the neighbouring process. Adjacent routers are routers that go beyond
the simple Hello exchange and proceed into the database exchange process. In order to minimize the
amount of information exchange on a particular segment, OSPF elects one router to be a designated
router (DR), and one router to be a backup designated router (BDR), on each multi-access segment
(refer to What are areas and border routers? on page 214).
The cost of an interface in OSPF is an indication of the overhead required to send packets across a cer-
tain interface. The cost of an interface is inversely proportional to the bandwidth of that interface. A
higher bandwidth indicates a lower cost. There is more overhead (higher cost) and time delays involved
in crossing a 56k serial line than crossing a 10M ethernet line.
The cost of an interface can either be calculated automatically, or the user can overrule the calculated
cost by using his own configuration so that some paths are given preference.
The formula used to calculate the cost is:
cost = reference bandwidth (in bps) / interface bandwidth (in bps)
The reference bandwidth can be set by the user.
Virtual links
OSPF authentication
It is possible to authenticate the OSPF packets so that routers can participate in routing domains based
on predefined passwords. By default, a router uses a Null authentication which means that routing
exchanges over a network are not authenticated. Two other authentication methods exist: Simple Pass-
word authentication and Message Digest authentication (MD-5):
Authentication Description
Simple Password This allows a password (key) to be configured per interface. Interfaces of dif-
authentication ferent routers that want to exchange OSPF information will have to be con-
figured with the same key.
Message Digest This is a cryptographic authentication. A key (password) and key-id are con-
authentication (MD-5) figured on each router. The router uses an algorithm based on the OSPF
packet, the key, and the key-id to generate a "message digest" that gets
appended to the packet. Unlike the simple authentication, the key is not
exchanged over the wire.
Refer to 7.6.1 - Introducing OSPF on page 213 for an introduction on OSPF authentication.
There are two authentication methods:
• simple password authentication. Refer to Enabling simple password authentication on page 219.
• MD-5 authentication. Refer to Enabling MD-5 authentication on page 220.
Step Action
1 In the containment tree, go to the router/ospf/Area[ ] object, and select the networks configu-
ration attribute. In the authentication structure, set the authentication type element to text.
Step Action
1 In the containment tree, go to the router/ospf object and select the keyChains configuration
attribute. In the keyChains table, add a new chain.
3 In the containment tree, go to the router/ospf/Area[ ] object, and select the networks configu-
ration attribute. In the authentication structure, set the authentication type element to md5.
4 In the authentication keyChain element, type the name of the key chain that will be used.
In the screenshots above, the authentication structure is explained as being part of the networks table. Note
that the authentication structure is also present in the virtualLinks table.
1424 SHDSL Router Chapter 7 221
User manual Configuring routing
Introduction
The Border Gateway Protocol (BGP) is an inter-Autonomous System routing protocol. An autonomous
system (AS) is a network or group of networks under a common administration and with common routing
policies.
BGP is used to exchange routing information for the internet and is the protocol used between Internet
service providers (ISPs). Customer networks, such as universities and corporations, usually employ an
Interior Gateway Protocol (IGP) such as RIP or OSPF for the exchange of routing information within their
networks. Customers connect to ISPs, and ISPs use BGP to exchange customer and ISP routes.
When BGP is used between autonomous systems, the protocol is referred to as External BGP (EBGP).
If a service provider is using BGP to exchange routes within an AS, then the protocol is referred to as
Interior BGP (IBGP). Every service provider is identified by its AS number (ASN).
BGP came into being, because:
• Service providers must tell each other which addresses they manage.
• There was a need to manage lots of address ranges (prefixes): 150.000 to 250.000.
• Because of peering agreements best route is no longer a simple concept.
• There was a need for a routing protocol that can express not only reachability information but also
policy information
Routes learned via BGP have associated properties that are used to determine the best route to a des-
tination, when multiple paths exist to one specific destination.
Understanding how these BGP attributes influence route selection is required for the design of reliable
networks. The key attributes that BGP uses in the route selection process are:
• Weight: the weight attribute is local to a router. The weight attribute is not advertised to neighbouring
routers. If the router learns about more than one route to the same destination, the route with the high-
est weight will be preferred.
• Local preference: the localPreference attribute is used to prefer an exit point from the local autonomous
system (AS). Unlike the weight attribute, the localPreference attribute is propagated throughout the local
AS. If there are multiple exit points from the AS, the localPreference attribute is used to select the exit
point for a specific route.
• Multi-exit discriminator, or MED: the med or metric attribute is used as a suggestion to an external AS
regarding the preferred route into the AS that is advertising the metric. MEDs are advertised through-
out the local AS.
• Origin: the origin attribute indicates how BGP learned about a particular route.
• AS path: when a route advertisement passes through an AS, the AS number is added to an ordered
list of AS numbers that the route advertisement has passed.
Refer to BGP route selection process on page 223 for a description of how BGP selects a path for a des-
tination.
Refer to 11.9.9 - BGP configuration attributes on page 718 for more information about all BGP configu-
ration attributes.
1424 SHDSL Router Chapter 7 223
User manual Configuring routing
BGP can possibly receive multiple advertisements for the same route from multiple sources. Only one
path is selected as the best path.
When the path is selected, BGP puts the selected path in the IP routing table and propagates the path
to its neighbours.
BGP uses the following criteria, in consecutive order as stated here, to select a path for a destination:
Step Action
1 The path with the largest weight is always preferred (local to the router).
2 If the weights are the same, the path with the highest local preference (global in the AS)
is preferred.
3 If the local preferences are the same, the path that was originated by BGP running on
this router is preferred.
4 If no route was originated, the route that has the shortest AS path is preferred.
5 If all paths have the same AS path length, the path with the lowest origin type is preferred
(where IGP is lower than EGP, and EGP is lower than incomplete).
6 If the origin codes are the same, the path with the lowest med value is preferred.
7 If the paths have the same med, external paths (EBGP) are preferred over internal paths
(IBGP).
8 • In case of IBGP, if the paths are still the same, the path through the closest IGP neigh-
bour is preferred.
• In case of EBGP, the oldest, most stable path is preferred.
9 The path from the router with the lowest BGP router ID is preferred.
224 1424 SHDSL Router Chapter 7
User manual Configuring routing
BGP routeFilter
On each peer incoming and outgoing filters can be applied, simply allowing or denying certain routes to
be accepted or advertised through a peer.
If no entry is added in the inboundFilters or outboundFilters attributes on the peer, no filtering will be applied,
allowing all routes.
When entries are added referring to the routeFilter objects, the routeFilter objects are searched one by one
in the order of entry for a match in the filters table. As soon as a match is found, the filtering mode is
applied, be it allow or deny.
If after searching all routeFilter objects no match is found, the route is denied. The behaviour is as if all
filter tables were appended in one big filter table. By default the table is empty which means everything
will be denied: anything which is not explicitly allowed will be denied.
However, adding a new row will allow everything, because network 0.0.0.0/0 is the default value and the
asPath specification is empty.
Examples of the use of route maps could be:
• only accept routes for specific prefixes from the customer.
• only accept the default route from your ISP.
• only accept routes with a given AS path.
BGP routeMap
Even ‘simple’ internet connectivity scenarios require manipulation of route attributes. For this purpose,
route maps are used. Route maps give fine grained control of what is received and transmitted.
Examples of the use of route maps could be:
• modify the AS-Path before sending it to your ISP (consult your ISP before doing this).
• set attributes to enforce your policy.
Each peer has an inboundMaps and an outboundMaps table attribute, where each row refers to a route map
to be applied when accepting or advertising routes through a peer. When entries are added referring to
the routeMap objects, the routeMap objects are searched one by one in the order of entry for a match in the
routeFilter they are referring too. As soon as a match is found, the mode is checked: in mode allow, the
changes to the route are applied; in mode deny the route is passed unchanged.
If after searching all routeFilter objects no match is found, the route is passed unchanged.
If on a routeMap object no filter is defined, all routes will be adapted by this routeMap.
If no entry is added in the inboundMaps or outboundMaps attributes on the peer, no mapping will be applied,
passing all routes unchanged.
No real route filtering is applied by means of a routeMap. The reference to a routeFilter objects is only used
to specify which routes must be adapted and which ones may pass unchanged. Route filtering is only
possible through use of the inboundFilters and outboundFilters attributes on the peers.
1424 SHDSL Router Chapter 7 225
User manual Configuring routing
This section explains Network Address Translation (NAT) and Port Address Translation (PAT). Firstly, it
gives an introduction. Secondly, a table is presented that will help you to determine which translation
method meets your requirements. Then this section teaches you how to configure NAT and PAT.
The following gives an overview of this section:
• 7.8.1 - Introducing address translation on page 226
• 7.8.2 - When use NAT and/or PAT on page 227
• 7.8.3 - Enabling PAT on an interface on page 228
• 7.8.4 - How does PAT work? on page 230
• 7.8.5 - PAT limitations and work-arounds on page 233
• 7.8.6 - Enabling NAT on an interface on page 234
• 7.8.7 - Adding multiple NAT objects on page 236
• 7.8.8 - How does NAT work? on page 238
• 7.8.9 - Combining PAT and NAT on page 240
• 7.8.10 - Easy NAT on PPP on page 240
• 7.8.11 - Example: connecting a LAN to the Internet using NAT and PAT on page 243
• 7.8.12 - Example: using PAT with a minimum of official IP addresses on page 245
226 1424 SHDSL Router Chapter 7
User manual Configuring routing
Address translation is used to translate private IP addresses into official IP addresses. This is also known
as IP masquerading.
Each device connected to the Internet must have an official (i.e. unique) IP address. The success of the
Internet has caused a lack of these official IP addresses. As a result, your Internet Service Provider (ISP)
may offer you only one or a small number of official IP addresses.
If the number of IP devices on your local network is larger than the number of official IP addresses, you
can assign test or private IP addresses to your local network. In that case, you have to configure your
access router to translate IP addresses using NAT or PAT.
Even when there are sufficient official IP addresses available, you may still choose to use NAT e.g. for
preserving previously assigned test addresses to all the devices on your local network.
What is NAT?
Network Address Translation (NAT) is an Internet standard that enables a local area network (LAN) to
use one set of IP addresses for internal traffic (private IP addresses) and a second set of addresses for
external traffic (official IP addresses). The access router (located where the LAN meets the Internet)
makes all necessary IP address translations. This is a dynamic process.
NAT serves three main purposes:
• Provides a type of firewall by hiding internal IP addresses.
• Enables a company to use more internal IP addresses. Since these are used internally only, there is
no possibility of conflict with IP addresses used by other companies and organizations.
• Allows a company to combine multiple ISDN connections into a single Internet connection.
The number of simultaneous users with Internet access is limited to the number of official IP addresses.
What is PAT?
Port Address Translation (PAT) is a type of Network Address Translation. During PAT, each computer
on LAN is translated to the same IP address, but with a different port number assignment.
Only outgoing TCP sessions are supported.
The international authority IANA assigns the official (also called global) IP addresses. It has also defined
3 ranges of IP addresses for private use. This means that you can use these addresses without regis-
tration on your internal network, as long as you are not connected to the Internet.
You can define (sub-)networks in these ranges for your private IP addresses.
1424 SHDSL Router Chapter 7 227
User manual Configuring routing
Refer to 7.8.1 - Introducing address translation on page 226 for an introduction on NAT and PAT authen-
tication.
Check in the next table whether you need NAT and/or PAT:
Refer to 7.8.1 - Introducing address translation on page 226 for an introduction on PAT.
To enable PAT on a certain interface, proceed as follows:
Step Action
1 In the 1424 SHDSL Router containment tree, go to the router/defaultNat object. In this
object, configure the patAddress attribute.
Use this attribute to enter the official IP address that has to be used for the Port Address
Translation. Entering an address different from the default value 0.0.0.0 automatically ena-
bles the general PAT process. Now you can activate or deactivate PAT per IP interface.
Note that by default PAT is deactivated on all IP interfaces.
Use this attribute to define the gateway address of routes on which PAT should be
applied. If you do not configure the gateway attribute, then PAT is applied on all routes
through this interface.
3 Each IP interfaces has an ip structure. Use the following element in the ip structure to acti-
vate or deactivate PAT per IP interface:
• nat. Use this element to enable address translation on the interface with the official IP
addresses. Do this by entering the string “default“ as nat element value. By doing so,
the settings are applied as defined in the router/defaultNat object.
For example, the following shows the location of the ip structure on the LAN interface:
Refer to 5.2.2 - Where to find the IP parameters? on page 55 for the location of the ip
structure on the different IP interfaces.
1424 SHDSL Router Chapter 7 229
User manual Configuring routing
Suppose your network is connected over a network of an operator to an Internet Service Provider (ISP).
You received only one single official IP address from you ISP, being 195.7.12.22.
Again consider the network topology as depicted in 7.8.3 - Enabling PAT on an interface on page 228.
The following two paragraphs explain how the 1424 SHDSL Router treats the outgoing and incoming
traffic when PAT is applied:
• Outgoing traffic (to the Internet) on page 230.
• Incoming traffic (from the Internet) on page 232.
The 1424 SHDSL Router replaces the source address by its PAT address in all the traffic coming from
the local network and destined for the Internet. Depending on the IP transport protocol and the number
of simultaneous users accessing the Internet, the 1424 SHDSL Router takes different actions:
Protocol
TCP Description This is a connection-oriented protocol: two devices communicating with the
TCP protocol build a session before exchanging user data. When they have
finished exchanging user data, the session is closed.
Examples of such applications are Telnet, HTTP and FTP. The TCP header
contains a port field indicating the higher-layer protocol.
Action When a session is started, a specific port number is assigned to this ses-
sion. All traffic from this session is assigned this specific port number.
The specific port number is freed within 5 minutes after the TCP session is
closed (i.e. after TCP Reset or TCP Finish is seen). If the session has not
been properly closed, the port number is freed 24 hours after the last ses-
sion traffic. This time is configurable (refer to tcpSocketTimeOut on page 655).
UDP Description This is a connection-less protocol: user data can be sent without first build-
ing a session.
Examples of such applications are SNMP and TFTP. Although TFTP is ses-
sion-oriented, it builds the session at a higher level and uses UDP for its
simplicity as transport protocol. The UDP header contains a port field indi-
cating the higher-layer protocol.
Action The source port number is replaced by a specific port number. All traffic
from this source IP address / port number pair is assigned this specific port
number.
If there is no traffic for 5 to 10 minutes, the specific port number is freed. If
the session has not been properly closed, the port number is freed 3 min-
utes after the last session traffic. This time is configurable (refer to udpSock-
etTimeOut on page 656).
1424 SHDSL Router Chapter 7 231
User manual Configuring routing
Protocol
ICMP Description This is a connection-less protocol: user data can be sent without first build-
ing a session.
An example of such an application is ping. These protocols do not have port
numbers.
Action Each ICMP packet is forwarded towards the Internet. Each ICMP packet is
considered as a new session.
If there is no traffic for 5 to 10 minutes, the session is closed.
The fact that it is possible to open a total of 2048 simultaneous sessions
and that each ICMP packet is considered as a new session, implies that for
instance a continuous series of ping requests at a rate of one per second
will allocate between 300 and 600 sessions.
232 1424 SHDSL Router Chapter 7
User manual Configuring routing
Suppose the WAN IP network depicted in 7.8.3 - Enabling PAT on an interface on page 228 works in
numbered mode1. The incoming traffic from the Internet may be destined either for the local network, or
for the router itself. The router treats incoming traffic on the PAT address as follows:
Note that the 1424 SHDSL Router only answers to ICMP requests on the public address of its WAN inter-
face if the LAN interface is up. I.e. when the TCP/UDP sessions can really “cross” the 1424 SHDSL
Router.
1. Numbered mode means that each WAN interface has an IP address. In that case, you need
the single official IP address for your WAN interface.
1424 SHDSL Router Chapter 7 233
User manual Configuring routing
PAT limitations
Attribute Description
portTranslations You can find this attribute in the router/defaultNat object. Use this attribute to define
specific port number ranges that should not be translated when using PAT.
Refer to portTranslations on page 653.
TMA is an example of an
application that does not
support port translation. If
you want to make TMA con-
nections from your local net-
work to the outside world, you have to list TMA port number 1728 in this table.
However, keep in mind that even then it is still not possible to have two simultane-
ous TMA sessions to the same outside world address.
If you do not want that UDP packets with port numbers in the range 2000 up to
3000 are sent to the outside world, then you also have to include those in the table.
servicesAvailable You can find this attribute in the router/defaultNat object. Use this attribute to define
specific port number ranges for incoming Internet traffic that should not be trans-
lated when using PAT. Instead it is sent to the corresponding private IP address.
Refer to servicesAvailable on page 654.
Refer to 7.8.1 - Introducing address translation on page 226 for an introduction on NAT.
Despite the work-arounds offered by the previous two PAT configuration attributes to overcome the lim-
itations of PAT (refer to 7.8.5 - PAT limitations and work-arounds on page 233), there are situations
where PAT is inadequate. For example, it is not possible to have several web servers on your local net-
work. It is also impossible to run an application with fixed source port numbers on several local devices
that are connected simultaneously to a single Internet device. This can only be solved by using several
official IP addresses: Network Address Translation.
To enable NAT on a certain interface, proceed as follows:
Step Action
1 In the 1424 SHDSL Router containment tree, go to the router/defaultNat object or add your
own NAT object under the router object, e.g. router/nat[myNat] (refer to 4.4 - Adding an object
to the containment tree on page 45).
2 In the NAT object (default or user instantiated), select the addresses attribute and add one
or more entries to this table.
Use this attribute to enter all the official IP addresses that have to be used for Network
Address Translation. Entering an address in the addresses table automatically enables the
general NAT process. Now you can activate or deactivate NAT per IP interface. Note that
by default NAT is deactivated on all IP interfaces.
4 In the NAT object (default or user instantiated), configure the gateway attribute.
Use this attribute to define the gateway address of routes on which NAT should be
applied. If you do not configure the gateway attribute, then NAT is applied on all routes
through this interface.
1424 SHDSL Router Chapter 7 235
User manual Configuring routing
Step Action
5 Each IP interfaces has an ip structure. Use the following element in the ip structure to acti-
vate or deactivate NAT per IP interface:
• nat. Use this element to enable address translation on the interface with the official IP
addresses. Do this by entering the name of the NAT object you want to apply:
- If you want to apply the NAT settings as defined in the router/defaultNat
object, then enter the string “default“ as value for the nat element.
- If you want to apply the NAT settings as defined in a NAT object you
added yourself (e.g. router/nat[myNat]), then enter the index name of the
NAT object (in this case “myNat”) as value for the nat element.
For example, the following shows the location of the ip structure on the LAN interface:
Refer to 5.2.2 - Where to find the IP parameters? on page 55 for the location of the ip
structure on the different IP interfaces.
The above means that NAT is used on the LAN interface and the router uses the address 195.7.12.22
as official IP address.
The problem that arises here is that the router can no longer be managed via the LAN interface using
the management tool (TMA, Telnet, etc.). This because the NAT route has priority over the LAN route
and, because it is a NAT address, the router does not accept incoming traffic on the address
195.7.12.22.
The solution is to add the WAN IP address to the addresses table as private address:
router1424/router/addresses = { officialAddress = 195.7.12.22; privateAddress = 2.2.2.2 }. In that case, the manage-
ment tool “service” runs on the WAN IP address. This means however, that the WAN has to be up.
236 1424 SHDSL Router Chapter 7
User manual Configuring routing
It is possible to add multiple NAT objects (up to 5). This means that up to 5 interfaces can make use of
a dedicated NAT object.
Two or more interfaces pointing to one and the same NAT object is an invalid configuration of which the
result is unpredictable.
Example
Proceed as follows:
Step Action
4 In the 1421 SHDSL Router containment tree, go to the lanInterface object and select the ip
structure. In the nat element of the ip structure enter the string “default”.
⇒The NAT settings as defined in the router/defaultNat object are applied on the LAN
interface.
1424 SHDSL Router Chapter 7 237
User manual Configuring routing
Step Action
5 In the 1421 SHDSL Router containment tree, go to the wanInterface/ppp object and select
the ip structure. In the nat element of the ip structure enter the string “myNat”.
⇒The NAT settings as defined in the router/nat[myNat] object are applied on the WAN
interface.
238 1424 SHDSL Router Chapter 7
User manual Configuring routing
If a local station sends data to the Internet for the first time, NAT looks for an unused official IP address.
It assigns this official IP address to the local station. The amount of local stations that can have simulta-
neous Internet access equals the amount of NAT addresses you defined. If all sessions between a local
station and the Internet have been closed by the application (in case of TCP) or because of time-outs,
then the previously assigned official IP address is freed for another local station.
Optionally, the NAT address entry may contain a corresponding private IP address. This allows to per-
manently assign an official IP address to a local station. This is useful for stations or servers that should
have Internet access at all times. Another example of permanently assigned official IP addresses is a
network where only a limited number of users has Internet access.
NAT only converts IP addresses and thus allows traffic in both directions. However, incoming traffic on
one of the official IP addresses can only be forwarded to the local network if a corresponding private IP
address has been configured.
1424 SHDSL Router Chapter 7 239
User manual Configuring routing
Suppose your network is connected over a network of an operator to an Internet Service Provider (ISP).
You received 4 official IP address from you ISP, being 195.7.12.21 up to 195.7.12.24. You want to assign
one of these official addresses permanently to a web server which has private address 192.168.47.250.
All other official addresses have to be assigned dynamically.
• In the router/defaultNat object, set the gateway attribute to 195.7.12.254. If, however, you already defined
the router/defaultRoute attribute to be 195.7.12.254, then you can leave the gateway attribute empty. This
because if the gateway attribute is empty, then the defaultRoute attribute is taken as only gateway
addresses.
• In the ip structure of the WAN interface, type the string “default” as value of the nat element.
240 1424 SHDSL Router Chapter 7
User manual Configuring routing
It is possible to use a combination of PAT and NAT. In that case the router first assigns NAT addresses
until they are all used. Then it uses PAT addresses for further translations.
Make sure the PAT address does not appear in the NAT address table.
Easy NAT on PPP means that in a typical client / ISP setup NAT will automatically be enabled without
the need to specifically configure NAT.
A typical client / ISP setup would be, for example, a 1421 SHDSL Router on the client side and a 2400
on the ISP side connected over an SHDSL line.
Once the conditions as stated above are met, the following happens:
• The client router learns the local and remote IP address of the PPP link from the ISP router.
• The client router adds a route towards the ISP router.
• The client router enables NAT on the PPP interface.
1424 SHDSL Router Chapter 7 241
User manual Configuring routing
Once the PPP link is up and running, you will see that …
• the client router learns the local and remote IP address of the PPP link from the ISP router. You can
check this by looking at the IP status of the PPP link:
242 1424 SHDSL Router Chapter 7
User manual Configuring routing
• The client router adds a route towards the ISP router. You can check this by looking at the routing
table status:
• The client router enables NAT on the PPP interface. You can check this by looking at the NAT per-
formance. When a connection to the ISP is active, you will see that socketsFree attribute decreases
while the used sockets (xxxSocketsUsed) and allocation (xxxAllocs) attributes increase.
1424 SHDSL Router Chapter 7 243
User manual Configuring routing
7.8.11 Example: connecting a LAN to the Internet using NAT and PAT
This is another example of a local network that only uses private addresses.
Your site is connected to an Internet Service Provider. At your site a 1424 SHDSL Router is installed.
You only received 1 official IP address from the ISP. To reduce the number of official IP addresses, the
ISP also uses private IP addresses on the link. The central router its routing table has a host route to its
PAT address per customer.
246 1424 SHDSL Router Chapter 7
User manual Configuring routing
This section introduces the Virtual Router Redundancy Protocol (VRRP) and gives a short description
of the attributes you can use to configure VRRP.
The following gives an overview of this section:
• 7.9.1 - Introducing VRRP on page 248
• 7.9.2 - Setting up VRRP on page 250
248 1424 SHDSL Router Chapter 7
User manual Configuring routing
What is VRRP?
VRRP is designed to eliminate the single point of failure inherent in the static default routed environment.
VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of
the VRRP routers on a LAN. The VRRP router controlling the IP address(es) associated with a virtual
router is called the Master, and forwards packets sent to these IP addresses. The election process pro-
vides dynamic fail-over in the forwarding responsibility should the Master become unavailable. Any of
the virtual router's IP addresses on a LAN can then be used as the default first hop router by end-hosts.
The advantage gained from using VRRP is a higher availability default path without requiring configura-
tion of dynamic routing or router discovery protocols on every end-host.
An abstract object managed by VRRP that acts as a default router for hosts on a shared LAN. It consists
of a Virtual Router Identifier and a set of associated IP address(es) across a common LAN. A VRRP
router may backup one or more virtual routers.
The VRRP router that is assuming the responsibility of forwarding packets sent to the IP address(es)
associated with the virtual router, and answering ARP requests for these IP addresses. Note that if the
IP address owner is available, then it will always become the master.
The set of VRRP routers available to assume forwarding responsibility for a virtual router should the cur-
rent master fail.
The VRRP router that has the virtual router's IP address(es) as real interface address(es). This is the
router that, when up, will respond to packets addressed to one of these IP addresses for ICMP pings,
TCP connections, etc.
An IP address selected from the set of real interface addresses. One possible selection algorithm is to
always select the first address. VRRP advertisements are always sent using the primary IP address as
the source of the IP packet.
1424 SHDSL Router Chapter 7 249
User manual Configuring routing
In a VRRP set-up as shown below, there is one master virtual router and one (or more) backup virtual
router.
Step Action
1 Enable VRRP on the interface(s) of your choice. Do this by setting the vrrp element in the
ip structure of the interface to enabled.
For example, if you want to enable VRRP on the LAN interface, then proceed as follows:
1. In the containment tree of the 1424 SHDSL Router, select the configuration structure
ip.
2. In the ip structure, set the element vrrp to enabled.
3 Configure the virtual router. Do this by configuring the attributes of the vrrp object. The
most important attributes are:
• vrId. Use this attribute to set the identification of the virtual router. Specify a number
between 1 and 255. The VRID has to be set the same on all participating routers.
• ipAddresses. Use this attribute to configure one or more IP addresses on the virtual
router.
• interfaces. Use this attribute to add (IP) interfaces to the virtual router and assign a pri-
ority to them. This priority is used in the master virtual router election process.
• criticals. Use this attribute to specify which interfaces must be up before a router may
be elected as master virtual router.
Refer to 11.9.11 - VRRP configuration attributes on page 738 for more information.
1424 SHDSL Router Chapter 7 251
User manual Configuring routing
In the setup above, once Router A is configured for VRRP, it looks at the IP address of the virtual router
and compares it with the IP addresses of its own interface that is configured for VRRP on that VRID.
Since Router A owns the virtual router’s IP address, it declares itself the master and sends out an adver-
tisement to all of the other VRRP routers. The IP address owner is always the master as long as it is
available.
The host shown in the setup above is configured with the virtual router's IP address as its default gate-
way. The master forwards packets destined to remote subnets and responds to ARP requests. Since in
this example, the master is also the owner of the virtual router’s IP address, it also responds to ICMP
ping requests and IP datagrams destined for the virtual router’s IP address. The backup does not forward
any traffic on behalf of the virtual router, nor does it respond to ARP requests.
252 1424 SHDSL Router Chapter 7
User manual Configuring routing
If the master (in this case also the IP address owner) is not available, then the backup becomes the mas-
ter and takes over responsibility for packet forwarding and responding to ARP requests. However, since
this new master is not the IP address owner, it does not respond to ICMP ping requests and IP data-
grams destined to that address.
Each VRRP Router that is an IP address renter is configured with a priority between 1 and 254. Accord-
ing to the VRRP standard, an owner has a priority of 255.
It is not necessary for the virtual router IP address to be owned by one of the VRRP routers. In that case,
however, the election process to determine the master is different. The process involves comparing two
criteria:
• First, the VRRP router with the highest priority becomes the master.
• Second, if the priorities are the same, then the higher IP address wins and becomes the master.
1424 SHDSL Router Chapter 7 253
User manual Configuring routing
In this case the VRRP configuration is identical, except for the priority. Router A has its priority set to
200, which when compared to Router B’s priority of 100, will ensure that Router A is the master. There
is no virtual router IP address owner in this configuration, since neither VRRP router has the virtual router
IP address configured on a real interface address. So, both VRRP routers are considered renters.
254 1424 SHDSL Router Chapter 7
User manual Configuring routing
This section introduces Virtual Routing and Forwarding (VRF) and gives an overview of the attributes
you can use to configure VRF.
The following gives an overview of this section:
• 7.10.1 - Introducing VRF on page 255
• 7.10.2 - Setting up VRF on page 256
• 7.10.3 - Principle on page 257
1424 SHDSL Router Chapter 7 255
User manual Configuring routing
Virtual routing and forwarding or VRF allows a single router to use multiple routing tables. The main ben-
efit is enhanced VPN support. Multiple customers can now be connected to a single device without
address collisions, as they each have a seperate routing table assigned to them.
This increases functionality by allowing network paths to be segmented without using multiple devices.
Traffic is automatically segregated, i.e. prevented from being forwarded outside a specific VRF path, and
traffic that should remain outside the VRF path is also kept out. Hence, VRF increases network security
and can eliminate the need for encryption and authentication.
Internet service providers often use VRF to create separate virtual private networks (VPNs) for custom-
ers; therefore, the technology is also referred to as VPN routing and forwarding.
VRF acts like a logical router, but while a logical router may include many routing tables, a VRF instance
uses only a single routing table.
The following features are available on each virtual router:
• static routing
• OSPF
• RIP
• DHCP server
• Basic NAT
Furthermore BGP will know the concept of IP VPNs, so BGP can pass information of virtual routers. This
feature is only available on the default router however.
Tunneling, firewall and IPSEC is also limited to the default router, but is possible to pass data from a
VRF router over a tunnel.
256 1424 SHDSL Router Chapter 7
User manual Configuring routing
First of all, a vrfRouter[ ] object must be created and configured. An interface can then be assigned to the
VRF router, in order to become part of the VRF network.
The maximum allowed number of vrfRouter[ ] objects depends on the memory of the device.
vrfRouter[ ] object
To configure a VRF router, a vrfRouter[ ] object must be added to the containment tree first , since the
vrfRouter[ ] object is not present in the containment tree by default. For more information on how to add
the object, refer to 4.4 - Adding an object to the containment tree on page 45.
Following objects appear in the containment tree after adding the vrfRouter[ ] object:
• router1424/ip/vrfRouter[ ]. Use this to configure the general VRF router attributes; refer to 11.9.13 - Virtual
Routing and Forwarding (VRF) configuration attirbutes on page 769.
• router1424/ip/vrfRouter[ ]/ospf. Use this to configure the OSPF network the VRF router is part of; refer to
11.9.8 - OSPF configuration attributes on page 704.
Under the vrfRouter[ ] object, a routingFilter[ ] object can be manually added as well:
• router1424/ip/vrfRouter[ ]/routingFilter[ ]. Use this to set up a routing update filter; refer to 11.9.10 - Routing
filter configuration attributes on page 736.
This is illustrated in the following figure, where 2 vrfRouter[ ] objects have been created:
Other occurrences
There are other objects in the containment tree where a vrfRouter element is present:
• router1424/profiles/policy/traffic/ipTrafficPolicy[ ]. Use this to assign a traffic policy to a VRF router; refer to
11.7.1 - IP traffic policy configuration attributes on page 592.
• router1424/management/loopback and router1424/management/usrLoopback[ ]. Use these to add the loopback
interface to a VRF router; refer to 11.12 - Management configuration attributes on page 799.
• The ip structure, which occurs in several objects. The ip structure contains a vrfRouter element with
which you can assign an interface to a VRF Router. Refer to 5.2.2 - Where to find the IP parameters?
on page 55 and 5.2.3 - Explaining the ip structure on page 56.
1424 SHDSL Router Chapter 7 257
User manual Configuring routing
7.10.3 Principle
Situation
Network A and network B connect to the internet via the OneAccess device. Both routers use OSPF to
exchange routing information with the OneAccess device.
VRF
First, this section introduces QoS or Quality Of Service; it also introduces traffic policy on routed data,
and priority policy both on routed and on bridged data, since this is the same in both cases. Refer to the
following sections:
• 7.11.1 - Introducing QoS on page 260
• 7.11.2 - Introducing traffic and priority policy on page 262
• 7.11.3 - Traffic policy on routed and on bridged data on page 266
• 7.11.4 - Introducing priority policy for traffic shaping and policing on page 267
• 7.11.5 - Introducing priority policy for priority scheduling on page 268
This section also describes how to configure a traffic policy on routed data; refer to the following sections:
• 7.11.6 - IP traffic classification: 4 variants of IP traffic policy on page 269
• 7.11.7 - Configuring a traffic policy on routed data on page 273
• 7.11.8 - Creating a traffic policy on the router on page 274
• 7.11.9 - Applying a traffic policy on an IP interface of the router on page 276
• 7.11.10 - Applying a traffic policy as an extended access list on an IP interface on page 278
• 7.11.11 - The default queue attribute versus a traffic policy profile on page 286
Subsequently, it describes the configuration of priority policy on routed and bridged data; refer to the fol-
lowing sections:
• 7.11.12 - Priority policy on routed and on bridged data on page 289
• 7.11.13 - Configuring a priority policy on the router on page 290
• 7.11.14 - Creating a priority policy on page 291
• 7.11.15 - Applying a priority policy on an interface on page 293
What is QoS?
Quality of Service (QoS) is the capability of a network to provide better service to certain network traffic
over various technologies (e.g.Frame Relay, ATM, Ethernet and IP networks that use any or all of these
underlying technologies). The primary goal of QoS is to provide priority including dedicated bandwidth,
controlled jitter and latency, and improved loss characteristics. Also important is making sure that pro-
viding priority for one or more flows does not make other flows fail.
QoS is not one attribute that you can set to “low”, “medium” or “high” quality. QoS is a collection of con-
figuration attributes located on different levels (e.g. queueing, PPP fragmentation, bandwidth control,
etc.).
The following table gives an overview of the features that can be used for QoS:
Protocol Feature
All 7 queues: 5 user configurable queues, a low delay queue and a system queue.
All Priority policies: FIFO, round robin, absolute priority, WFQ, low delay WFQ.
Traffic classes
The Quality of Service mechanism is based on a total of 7 forwarding queues per interface, both physical
and logical. Queues are numbered 1 to 7 with 1 being the lowest priority and 7 the highest. Six of them
are for user data, while the last one is a system queue:
1-5 user configurable queue The user can decide which data goes into which queue.
6 low delay queue The user can decide which data goes into this queue. This
queue usually is addressed more often then the user con-
figurable queues.
7 system queue This queue is filled with mission critical data (e.g.link moni-
toring messages etc.) and has priority over all other queues.
262 1424 SHDSL Router Chapter 7
User manual Configuring routing
Because of the bursty nature of voice / video / data traffic, sometimes the amount of traffic exceeds the
speed of a link. At this point, the 1424 SHDSL Router has to decide what to do with this “excess” of traffic:
• Buffer the traffic in a single queue and let the first packet in be the first packet out?
• Or put packets into different queues and service certain queues more often (also known as priority
queuing)?
These questions are dealt with by the traffic and priority policy mechanisms:
• The traffic policy determines, on traffic overload conditions, how and which queues are filled with the
“excess” data. The traffic policy is not the same for routed data as the one for bridged data.
• The priority policy determines how and which queues are emptied. The priority policy is the same for
routed data as the one for bridged data. This is further dealt with in 7.11.4 - Introducing priority policy
for traffic shaping and policing on page 267, 7.11.5 - Introducing priority policy for priority scheduling
on page 268 and the following sections.
In other words, the mechanism to fill the queues is different for routed data and bridged data, but the
mechanism to empty the queues is the same for both routed and bridged data.
Using the traffic and priority policy features you can perform priority queuing. This allows you to define
how traffic is prioritised in the network. E.g. to ensure that voice, video or other streaming media is serv-
iced before (or after) other traffic types, to ensure that web response traffic is routed before normal web
browsing traffic, etc.
Per interface (both physical and logical), there are 7 queues:
1-5 user configurable queue The user can decide which data goes into which queue.
6 low delay queue The user can decide which data goes into this queue. This
queue usually is addressed more often then the user con-
figurable queues.
7 system queue This queue is filled with mission critical data (e.g.link moni-
toring messages etc.) and has priority over all other queues.
1424 SHDSL Router Chapter 7 263
User manual Configuring routing
What is DiffServ?
Differentiated Services (DiffServ) differentiates between multiple traffic flows. So, packets are marked,
and routers and switches can then make decisions based on those markings (e.g., dropping or forward-
ing decisions). You can mark packets either with IP Precedence or Differentiated Service Code Point
(DSCP) markings.
The Type Of Service (TOS) byte is an eight bit field inside an IPv4 header. Using these bits you can mark
packets either with IP Precedence or Differentiated Service Code Point (DSCP) markings. The TOS byte
is structured as follows:
0 1 2 3 4 5 6 7
What is IP Precedence?
IP Precedence uses the precedence bits (3 leftmost bits) of the TOS byte (see RFC 791). So IP Prece-
dence markings can range from 0 to 7. However, values 6 and 7 should not be used since they are
reserved for network use. IP precedence is being phased out in favour of DSCP, but is supported by
many applications and routers.
The TOS field is a four bit field in the TOS byte (see RFC 1349). The TOS field lets values from 0 to 15
be assigned to request special handling of traffic (for example, minimize delay, maximize throughput).
The TOS field is being phased out in favour of DSCP.
What is DSCP?
A next step in the definition and application of the TOS byte is DSCP. Differentiated Services Code Point
(DSCP) uses the DSCP bits (6 leftmost bits) of the TOS byte (see RFC 2474). This offers a bigger gran-
ularity over IP Precedence, since 6 bits yield 64 possible values (0 to 63)1. The problem with so many
values is that the value you choose to represent a certain level of priority can be treated differently by a
router under someone else’s administration.
To maintain relative levels of priority among devices, the Internet Engineering Task Force (IETF)
selected a subset of those 64 values for use. These values are called per-hop behaviours (PHBs),
because they indicate how packets should be treated by each router hop along the path from the source
to the destination.
The four categories of PHBs are:
• Best Effort (BE)
• Expedited Forwarding (EF)
• Assured Forwarding (AF)
• Class Selector (CS)
What is BE PHB?
Best Effort Per-Hop Behaviour (BE PHB) means that all DSCP bits are 0 (i.e. a DSCP value of 0).
Best Effort does not truly provide QoS, because there is no reordering of packets. Best Effort uses the
first-in first-out (FIFO) queuing strategy, where packets are emptied from a queue in the same order in
which they entered it.
What is EF PHB?
Expedited Forwarding Per-Hop Behaviour (EF PHB, see RFC 3246) has a DSCP value of 46. Latency-
sensitive traffic, such as voice, typically has an EF PHB.
What is AF PHB?
Assured Forwarding Per-Hop Behaviour (AF PHB, see RFC 2597) is the broadest category of PHBs.
These are shown in the following table:
AF PHB Low drop preference Medium drop preference High drop preference
Note that the AF PHBs are grouped into four classes. Within each AF PHB class there are three distinct
values which indicate a packet’s drop preference. Higher values in an AF PHB class are more likely to
be discarded during periods of congestion. For example, an AF13 packet is more likely to be discarded
than an AF11 packet.
Note that since IP Precedence only examines the 3 leftmost bits, all AF PHB class 1 values would be
interpreted by an IP Precedence aware router as an IP Precedence value of 1, AF PHB class 2 values
as an IP Precedence value of 2, etc.
What is CS PHB?
Class Selector Per-Hop Behaviour (CS PHB, see RFC 2474) is used for backward compatibility with IP
Precedence. This because, just like IP Precedence, CS PHB only examines the 3 leftmost bits of the
TOS byte.
1424 SHDSL Router Chapter 7 265
User manual Configuring routing
The IEEE 802.1P signalling technique (also often referred to as Class Of Service, COS) is an IEEE
endorsed specification for prioritising network traffic at the datalink/MAC sub-layer (layer 2).
802.1P is a spin-off of the 802.1Q (VLAN tagging) standard and they work in tandem. The 802.1Q stand-
ard specifies a tag that appends to a MAC frame. The VLAN tag carries VLAN information. The VLAN
tag has two parts: The VLAN ID (12-bit) and prioritisation (3-bit). The prioritisation field was never defined
in the VLAN standard. The 802.1P implementation defines this prioritisation field.
266 1424 SHDSL Router Chapter 7
User manual Configuring routing
Refer to 7.11.2 - Introducing traffic and priority policy on page 262 for an introduction.
The traffic policy, i.e. the policy to fill the queues, is not the same for routed data as the one for bridged
data:
Although a bridging traffic policy can still be configured, the preferred way to manipulate bridged traffic,
is to make use of access lists. These allow for extra configuration possiblities compared to bridge traffic
policies.
Refer to 8.5 - Bridge traffic classification by filtering on page 344 and 11.10.2 - Bridge access list config-
uration attributes on page 786 for more information.
• Whereas configuring a traffic policy for routed data is different than for bridged data, configuring a
priority policy is the same for both.
• The following figure shows the configuration attributes that have to be set for traffic shaping:
• On the Ethernet interfaces, a maximum outbound bandwidth can be configured. This allows limiting
the traffic sent out on the Ethernet interface below the physical bandwidth. Also refer to 9.3 - Tuning
the bandwidth on the LAN interface on page 376 for more information.
• Per queue, a committed information rate (CIR) and excess information rate (EIR) are configurable,
by setting the bandwidth attribute. Per queue the bandwidth is measured over a period of time. Traffic
above the CIR value is accepted up to a maximum rate CIR + EIR if there is sufficient bandwidth avail-
able, e.g. because there is currently no higher priority traffic on this outbound interface. If the maxi-
mum queue length is meanwhile reached, additional packets are dropped.
• The CIR and EIR traffic shaping parameters can be configured as absolute values or as relative val-
ues to the physical interface bandwidth, by setting the countingPolicy attribute.
• The CIR and EIR traffic shaping parameters have a configurable time interval. This can be set via the
tc attribute.
• The traffic shaping is applicable on inbound and outbound traffic.
• CIR and EIR statistics are available. The statistics include the number of packets that could be
directly transmitted, the number of packets that were first queued before they were sent, the number
of packets dropped, the total number of packets sent conform the CIR value and the total number of
packets sent conform the EIR value. The same statistics are also available expressed in bytes.
Refer to the ifOutPriorityQueues performance attribute for more information.
• Refer to 7.11.12 - Priority policy on routed and on bridged data on page 289 and the following sec-
tions for a detailed description of the configuration process of priority policies.
• Refer to 11.7.3 - Priority policy configuration attributes on page 605 for a detailed description of the
configuration attributes of priority policies.
268 1424 SHDSL Router Chapter 7
User manual Configuring routing
• Whereas configuring a traffic policy for routed data is different than for bridged data, configuring a
priority policy is the same for both.
• The following figure shows the configuration attributes that have to be set for traffic shaping:
• The way that the configurable queues are transmitting data can be selected according to different
algorithms; this is also called Priority Queuing (PQ). It can be set using the queueConfigurations attribute.
Each queue has a quotum and a weight parameter:
- The quotum defines how much data is taken from the queue each time and is expressed in bytes
or packets, which can be set using the countingPolicy attribute.
- The weight parameter defines the relative number of times this queue is emptied.
• The algorithms that have been implemented, which can be selected via the algorithm attribute, are the
following:
- FIFO (first in first out): no separate priority queues are in use.
- Round Robin: the configurable queues all have equal weight.
- Absolute Priority: the queues have no weight nor quotum. A lower priority queue is emptied only
if all higher priority queues are empty.
- Weighted Fair Queuing: weights are configurable per configurable queue .
If the traffic classification is based on DSCP (tosDiffServ) bits, this is commonly called WFQ.
If the traffic classification is using traffic shaping, this is commonly called Class Based Weighted
Fair Queuing (CBWFQ).
- Low delay Weighted Fair Queuing: weights are configurable per configurable queue. Data in the
low delay queue is always emptied prior to any data in the user configurable queues. This is com-
monly called Low Latency Queuing (LLC).
• The number of bytes or packets that is dequeued from the low delay queue when the queue is
addressed, can be set via the lowDelayQuotum attribute. Again, whether it is expressed in bytes or pack-
ets, can be set via the countingPolicy attribute.
• Refer to 7.11.12 - Priority policy on routed and on bridged data on page 289 and the following sec-
tions for a detailed description of the configuration process of priority policies.
• Refer to 11.7.3 - Priority policy configuration attributes on page 605for a detailed description of the
configuration attributes of priority policies.
1424 SHDSL Router Chapter 7 269
User manual Configuring routing
The classification of the traffic between the different queues occurs through an IP traffic policy. There
are 4 variants of IP traffic policy, which can be selected via the method attribute; these variants are:
• Customised policy.
• TosDiffserv.
• TosMapped.
• QueueMapped.
These are further explained below:
Customised policy
• Based on a variety of TCP/IP protocol parameters, a complete customised policy may be set. The
elements that define how the traffic is forwarded to a certain priority queue are the following:
- Source and destination IP address range
- Type Of Service (TOS) value range (8 bits in the IP header, also called DSCP bits)
- IP protocol (examples are any (0), ICMP (1), IGMP (2), TCP (6), UDP (17))
- Source and destination port range for UDP / TCP packets
- Existing priority colour (suitable for outbound traffic policies)
• Traffic that meets an entry in the traffic policy can be remarked with a different TOS/DSCP value, or
the priority can be coloured for further processing (independent of the TOS/DSCP setting). The max-
imum queue length in packets (before packets are dropped) is configurable via the dropLevels attribute.
• To configure traffic shaping, proceed as follows:
- Add an ipTrafficPolicy[ ] object.
- Set the method attribute to trafficShaping.
- Configure the trafficShaping tabel; refer to 11.7.1 - IP traffic policy configuration attributes on
page 592.
- Configure the maximum queue length using the dropLevels attribute.
These attributes are shown in the following figure:
• Refer to 7.11.7 - Configuring a traffic policy on routed data on page 273 for a detailed description of
the configuration process of IP traffic policies.
• Refer to 11.7.1 - IP traffic policy configuration attributes on page 592 for a detailed description of the
configuration attributes of IP traffic policies.
• Performance information is available on classified traffic: discarded packets and usage of each line
in the traffic-shaping table; refer to 13.10 - IP traffic policy performance attributes on page 1097.
270 1424 SHDSL Router Chapter 7
User manual Configuring routing
TosDiffServ
• The data is redirected to the queues based on DiffServ (RFCs 2474, 2475) regarding class and drop
precedence. This means that, depending on their Type Of Service (TOS) field, some packets are
moved to other queues and/or dropped sooner than other packets in case the queue is full.
• The highest 3 bits of the TOS/DSCP field are mapped as follows:
• The next 2 bits of the TOS/DSCP field define the drop levels:
00 and 01 the queue length exceeds a configurable maximum length, which can be set with
dropLevel1 element of the dropLevels attribute.
10 the queue length exceeds a configurable maximum length, which can be set with
dropLevel2 element of the dropLevels attribute.
11 the queue length exceeds a configurable maximum length, which can be set with
dropLevel3 element of the dropLevels attribute.
• Refer to 7.11.7 - Configuring a traffic policy on routed data on page 273 for a detailed description of
the configuration process of IP traffic policies.
• Refer to 11.7.1 - IP traffic policy configuration attributes on page 592 for a detailed description of the
configuration attributes of IP traffic policies.
1424 SHDSL Router Chapter 7 271
User manual Configuring routing
TosMapped
• This simple and flexible policy allows classifying the traffic based on a user-defined range of the TOS
field into one of the queues The maximum queue length in packets (before packets are dropped) is
configurable via the dropLevels attribute.
• Which traffic is forwarded to which specific priority queue is set in the tos2QueueMapping tabel. If an
overload condition occurs, then a packet is redirected to the specified queue when the criteria as
specified in the tos2QueueMapping table are met.
• To configure a tosMapped IP traffic policy, proceed as follows:
- Add an ipTrafficPolicy[ ] object.
- Set the method attribute to tosMapped.
- Configure the tos2QueueMapping tabel; refer to 11.7.1 - IP traffic policy configuration attributes on
page 592.
- Configure the maximum queue length using the dropLevels attribute.
These attributes are shown in the following figure:
• Refer to 7.11.7 - Configuring a traffic policy on routed data on page 273 for a detailed description of
the configuration process of IP traffic policies.
• Refer to 11.7.1 - IP traffic policy configuration attributes on page 592 for a detailed description of the
configuration attributes of IP traffic policies.
272 1424 SHDSL Router Chapter 7
User manual Configuring routing
QueueMapped
• This outbound policy maps previously coloured packets (packets that already have a certain priority,
e.g. by passing an inbound traffic policy) to a priority queue. This allows grouping differently coloured
packets to a single priority queue. The maximum queue length in packets (before packets are
dropped) is configurable via the dropLevels attribute.
• Which traffic is forwarded to which specific priority queue is set in the queue2QueueMapping tabel. If an
overload condition occurs, then a packet is redirected to the specified queue when the criteria as
specified in the queue2QueueMapping table are met.
• To configure a queueMapped IP traffic policy, proceed as follows:
- Add an ipTrafficPolicy[ ] object.
- Set the method attribute to queueMapped.
- Configure the queue2QueueMapping tabel; refer to 11.7.1 - IP traffic policy configuration attributes on
page 592.
- Configure the maximum queue length using the dropLevels attribute.
These attributes are shown in the following figure:
• Refer to 7.11.7 - Configuring a traffic policy on routed data on page 273 for a detailed description of
the configuration process of IP traffic policies.
• Refer to 11.7.1 - IP traffic policy configuration attributes on page 592 for a detailed description of the
configuration attributes of IP traffic policies.
1424 SHDSL Router Chapter 7 273
User manual Configuring routing
Refer to 7.11.2 - Introducing traffic and priority policy on page 262 for an introduction.
To configure a traffic and priority policy for the routed data on a certain interface, proceed as follows:
Step Action
To create and configure a traffic policy for the routed data on a certain interface, proceed as follows:
Step Action
3 Now, depending on which traffic policy method you selected, you have to configure the
actual policy criteria:
If you choose the then use the following attribute to configure the policy
method … criteria:
trafficShaping, • trafficShaping.
• dropLevels (only the dropLevel1 element).
tosDiffServ, dropLevels.
tosMapped, • tos2QueueMapping.
• dropLevels (only the dropLevel1 element).
queueMapped • queue2QueueMapping.
• dropLevels (only the dropLevel1 element).
Suppose you create a traffic policy which uses the traffic shaping method to fill the queues, on traffic
overload conditions, with the “excess” data. Suppose you want to do this for the UDP protocol only.
The following figure shows how to configure this:
276 1424 SHDSL Router Chapter 7
User manual Configuring routing
Refer to 7.11.7 - Configuring a traffic policy on routed data on page 273 for an overview on how to con-
figure a traffic policy.
To apply a traffic policy for the routed data on a certain interface, enter the index name of the earlier
created traffic policy object as value of the trafficPolicy element:
1. Add and configure a profiles/policy/traffic/ipTrafficPolicy[ ] object. E.g. ipTrafficPolicy[myOutList].
2. Apply the traffic policy by typing the index name of the ipTrafficPolicy[ ] object as value of the trafficPolicy
element in the ip structure (e.g. “myOutList”). The trafficPolicy element can be found in the ip structure of
the IP interface. Refer to 5.2.2 - Where to find the IP parameters? on page 55 for the location of the
ip structure on the different IP interfaces.
A traffic policy can also be applied as an access policy. This is actually a trafficPolicy that is being applied
before the actual routing takes place, so it can be seen an inbound access list. To apply an access policy
for the routed data on a certain interface, proceed as follows:
1. Add and configure a profiles/policy/traffic/ipTrafficPolicy[ ] object. E.g. ipTrafficPolicy[myInList].
2. Apply the traffic policy by typing the index name of the ipTrafficPolicy[ ] object as value of the accessPolicy
element in the ip structure (e.g. “myInList”).
The following figure illustrates the terms access policy and traffic policy:
1424 SHDSL Router Chapter 7 277
User manual Configuring routing
Suppose you created and configured a traffic policy object with index name myTrafPol (i.e. trafficPol-
icy[myTrafPol]), and you want to apply this traffic policy on an L2TP tunnel you created earlier.
The following figure shows how to configure this:
278 1424 SHDSL Router Chapter 7
User manual Configuring routing
Access lists control the access to or from an interface for a number of specified services or IP addresses.
The access list describes the condition to forward (permit) packets to an interface or to drop (deny) them.
When access lists are combined with NAT/PAT translation, then first the conditions of the access list are
applied before the NAT/PAT translation is done.
On the 1424 SHDSL Router, the extended access lists are implemented using the traffic policy function
and by defining traffic shaping rules.
1424 SHDSL Router Chapter 7 279
User manual Configuring routing
Step Action
2 In the traffic policy object you just created, make sure that the configuration attribute
method is set to trafficShaping (this is the default value):
3 Configure the configuration attribute trafficShaping to match you filter criteria; refer to 11.7.1
- IP traffic policy configuration attributes on page 592.
1. Go to the ip attribute of the interface on which you want to apply your extended access
list.
For example, suppose you want to apply an extended access list on the LAN inter-
face, then go to lanInterface object and then go to the ip attribute.
2. In the ip attribute, enter the index name of the traffic policy object you created in step
1 as value of the accessPolicy element.
In this example, enter the string myTrafPol as value of the accessPolicy element.
280 1424 SHDSL Router Chapter 7
User manual Configuring routing
Step Action
1. Go to the ip attribute of the interface on which you want to apply your extended access
list.
For example, suppose you want to apply an extended access list on the LAN inter-
face, then go to lanInterface object and then go to the ip attribute.
2. In the ip attribute, enter the index name of the traffic policy object you created in step
1 as value of the trafficPolicy element.
In this example, enter the string myTrafPol as value of the trafficPolicy element.
1424 SHDSL Router Chapter 7 281
User manual Configuring routing
Above, it is explained how to set up an extended access list, this section shows you how to tune the
access list. I.e. how to define the filter criteria.
You have to define your filter criteria in the trafficShaping attribute. This is a table, which is empty by default,
but to which you can add several lines (entries).
The following figure shows a screenshot of the trafficShaping table containing one line:
As it shows from the elements in the trafficShaping table, you can filter on several criteria:
So if you define 1 or more IP addresses in the trafficShaping table, then traffic from
(source) or to (destination) these IP addresses is allowed. All other traffic is dis-
carded.
IP protocol Specify an IP protocol using the ipProtocol element. Either select one of the common
IP protocols from the ipProtocol element its drop-down box, or directly type a specific
protocol number in the ipProtocol element field.
So if you define an IP protocol in the trafficShaping table, then traffic carrying this IP
protocol is allowed. All other traffic is discarded.
282 1424 SHDSL Router Chapter 7
User manual Configuring routing
port number • 1 port number: enter a port number in the element sourcePortStart and/or
destinationPortStart.
• port number range: enter a port number range using the elements …
- sourcePortStart and sourcePortEnd
- and/or
- destinationPortStart and destinationPortEnd
So if you define 1 or more port numbers in the trafficShaping table, then traffic carry-
ing these port numbers is allowed. All other traffic is discarded.
You can not filter on port numbers only. What is more, you can only filter on
port numbers when the IP protocol is set to TCP or UDP. So in other words,
if the IP protocol element is set to a value different from TCP or UDP, then
all the port elements are ignored.
Type Of Service • 1 TOS value: enter a TOS value in the element tosStartValue.
(TOS) value • TOS value range: enter a TOS value range using the elements tosStartValue and
tosEndValue.
So if you define 1 or more TOS values in the trafficShaping table, then traffic carrying
these TOS values is allowed. All other traffic is discarded.
1424 SHDSL Router Chapter 7 283
User manual Configuring routing
• By default, the entries in the trafficShaping table are “allow” rules. I.e. only the traffic defined in the table
is permitted, all other traffic is discarded (independent whether the traffic shaping table is used as an
access list, for priority policing or policy based routing). However, you can inverse an entry making it
a “deny” rule by entering “discard” as value of the interface element.
• If more than one entry applies to the same packet, then the entry which has the narrowest filter range
(when looking at the filter criteria from left to right) is chosen. For example: two rows in the trafficShaping
table apply to the same packet, but row 1 wants to forward packets to queue 3 and row 2 wants to
forward packets to the low delay queue. In that case, first the IP source address is considered. The
row with the smallest range wins. If the ranges are exactly the same, then the IP destination address
is considered. And so on. Should the two rows be completely identical except for the queue, then one
of the rows is chosen at random.
• You do not necessarily have to fill in IP addresses in the trafficShaping table. It is perfectly valid to filter
on IP protocol, IP protocol/port combination or TOS values only. However, you can not filter on port
numbers only. What is more, you can only filter on port numbers when the IP protocol is set to TCP
or UDP. So in other words, if the IP protocol element is set to a value different from TCP or UDP, then
all the port elements are ignored.
284 1424 SHDSL Router Chapter 7
User manual Configuring routing
This is an example of a network connected to the Internet and for which the following conditions are
required:
• only 5 stations may have access to the Internet.
• only the HTTP-port for web browsing is open for incoming packets from the Internet.
1424 SHDSL Router Chapter 7 285
User manual Configuring routing
The following figure shows how to configure the extended access lists:
286 1424 SHDSL Router Chapter 7
User manual Configuring routing
In case of a Frame Relay DLCIs and multiclass PPP links, it is possible to assign a default queue to the
link. This allows you to easily set up a traffic policy without having to create and apply a traffic policy
profile. As most setups that require QoS only split voice and data streams (often based on IP addresses
only), configuring such a setup becomes more straightforward.
To configure a default queue, proceed as follows:
Step Action
1 Create a …
• Frame Relay DLCI. Refer to 6.6.2 - Configuring Frame Relay DLCIs on page 150.
or
• multiclass PPP link. Refer to 6.7.13 - Setting up multiclass PPP on page 183.
2 In the dlciTable (Frame Relay) or the multiclassInterfaces table (PPP), set the defaultQueue ele-
ment to the desired queue (e.g. queue3).
⇒In case of an overload condition, this queue will be filled with the excess data.
3 Now you still have to create and apply a priority policy to empty the queue. Do this as
described in 7.11.14 - Creating a priority policy on page 291 and 7.11.15 - Applying a pri-
ority policy on an interface on page 293.
Suppose you have a network connected to two other networks over a Frame Relay backbone. Network
1 carries a mix of data and voice traffic. You want that the data traffic is routed from network 1 to network
2 and that the voice traffic is routed from network 1 to network 3. If congestion should occur you want
that the data is queued in queue 1 and that the voice is queued in the low delay queue. The algorithm
that you want to use to empty the queues is the low delay weighted fair queueing mechanism.
Step Action
Since this is not the main subject of this example, refer for more information on creating
Frame Relay DLCIs to 6.6.2 - Configuring Frame Relay DLCIs on page 150.
2 Set the correct default queue for the DLCIs you just created. I.e. queue 1 for the data
DLCI and queue 6 (i.e. low delay queue) for the voice DLCI.
3 Create and apply a priority policy. The priority policy uses the low delay weighted fair
queueing mechanism to empty the queues.
The following figure shows how to configure the traffic and priority policy you want to set up:
1424 SHDSL Router Chapter 7 289
User manual Configuring routing
Refer to 7.11.2 - Introducing traffic and priority policy on page 262 for an introduction.
To configure a traffic and priority policy for the routed data on a certain interface, proceed as follows:
Step Action
Whenever a priority policy is applied on an interface, a delay optimisation mechanism is activated auto-
matically in order to guarantee a minimum delay for high priority packets.
This applies to all types of priority policies, except fifo.
To create and configure a priority policy for a certain interface, proceed as follows:
Step Action
3 Configure the other attributes in the priority policy object. The most important are:
• queueConfigurations. Use this attribute to …
- set the number of bytes/packets that is dequeued from the user configurable
queue when the queue is addressed.
- set the relative importance of the user configurable queues.
Refer to queueConfigurations on page 608 for more information.
• lowDelayQuotum. Use this attribute to set the number of bytes/packets that is dequeued
from the low delay queue when the queue is addressed.
Refer to lowdelayQuotum on page 608 for more information.
• bandwidth. Use this attribute to set the Committed Information Rate (CIR) per queue.
Refer to bandwidth on page 609 for more information.
• tc. Use this attribute to set the time interval with which the CIR/EIR quota on the
queues is updated. The default value is 50 ms; the user can change this interval to
any multiple of 50 ms ranging from 50 ms up to 1 sec.
• countingPolicy. Use this attribute to define whether the quotum of the queues is
expressed in bytes or packets.
292 1424 SHDSL Router Chapter 7
User manual Configuring routing
Suppose you create a priority policy which uses the round-robin algorithm to empty the queues.
The following figure shows how to configure this:
1424 SHDSL Router Chapter 7 293
User manual Configuring routing
To apply a priority policy on a certain interface, enter the index name of the earlier created priorityPolicy[ ]
object as value of the priorityPolicy attribute. The priorityPolicy attribute can be specified for …
• the LAN interface;
• the EFM interface;
• each PPP bundle;
• each ATM PVC;
• L2TP tunnels;
• IPsec L2TP tunnels;
• GRE tunnels;
• IPsec GRE tunnels;
Refer to the configuration attributes of these items for more detailed information.
Suppose you created and configured a priority policy object with index name myPrioPol (i.e. priorityPol-
icy[myPrioPol]), and you want to apply this priority policy on an ATM PVC profile you created earlier.
The following figure shows how to configure this:
294 1424 SHDSL Router Chapter 7
User manual Configuring routing
Suppose you have two networks which are interconnected over an ATM network. Network 1 carries a
mix of data and voice traffic. The traffic on this network is differentiated by setting the Type Of Service
(TOS) values in the IP packet headers (data = 0, voice = 10). If congestion occurs when routing the traffic
from network 1 to network 2, then you want that the voice traffic is queued in the low delay queue and
that the data traffic is queued in queue 1. The algorithm that you want to use to empty the queues is the
low delay weighted fair queueing mechanism.
Step Action
3 Create a route that “points” to the traffic policy you created earlier.
For example:
Create an entry in the routingTable attribute in which you specify that traffic destined for net-
work 192.168.48.0 has to be sent to the IP traffic policy you created earlier.
1424 SHDSL Router Chapter 7 295
User manual Configuring routing
Depending on the location of the priorityPolicy[ ] and trafficPolicy[ ] objects in the tree, refer to the following
figures:
The following figure shows how to configure the traffic and priority policy you want to set up:
296 1424 SHDSL Router Chapter 7
User manual Configuring routing
The following figure shows how to configure the traffic and priority policy you want to set up:
1424 SHDSL Router Chapter 8 297
User manual Configuring bridging and VLANs
Depending on the device, some features may or may not be present. Refer to the detailed features over-
view.
This chapter introduces bridging on the 1424 SHDSL Router and lists the attributes you can use to con-
figure bridging.
The following gives an overview of this chapter:
• 8.1 - Introducing bridging on page 298
• 8.2 - Configuring bridging on page 311
• 8.3 - Configuring VLANs on page 325
• 8.4 - Configuring VLANs on the 4 port Ethernet switch on page 336
• 8.5 - Bridge traffic classification by filtering on page 344
• 8.6 - Bridge traffic classification by applying QoS on bridged traffic on page 352
• 8.7 - Example: combining bridging and routing in a network on page 360
Refer to the Reference manual on page 489 for a complete overview of the attributes of the 1424 SHDSL
Router.
298 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
This section introduces the bridging concept. The following gives an overview of this section:
• 8.1.1 - What is bridging? on page 299
• 8.1.2 - The self-learning and Transparent Spanning Tree bridge on page 300
• 8.1.3 - The Rapid Spanning Tree and Multiple Spanning Tree Protocol on page 301
• 8.1.4 - The Spanning Tree root bridge on page 303
• 8.1.5 - The Spanning Tree topology on page 304
• 8.1.6 - The Spanning Tree bridge port states on page 306
• 8.1.7 - The Spanning Tree Bridge Protocol Data Unit on page 307
• 8.1.8 - The Spanning Tree behaviour on page 308
• 8.1.9 - The Spanning Tree priority and cost on page 309
1424 SHDSL Router Chapter 8 299
User manual Configuring bridging and VLANs
The 1424 SHDSL Router can be configured to act as a bridge. This enables you to split up your LAN
network into smaller parts or segments. This decreases the amount of data traffic on the separated LAN
segments and, consequently, increases the amount of available bandwidth.
Example
Data coming from network 1, will only be let through by the bridge if this data has a destination outside
network 1 or if it has a broadcast or multicast address. This means the bridge filters the data and
decreases the amount of data traffic on the separated LAN segments.
300 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
self-learning The bridge learns which data it has to forward to the other LAN segment and
which data it has to block. I.e. it builds its own bridging table.
In other words, you do not have to configure a bridging table with MAC
addresses of stations that are located on the separated LAN segments but that
have to be able to communicate with each other.
self-learning + STP This is based on the self-learning principle, but a protocol is used to implement
the STP algorithm.
Bridging loops
The primary goal of this algorithm is to avoid that bridging loops arise. A bridg-
ing loop occurs when two self-learning bridges are placed in parallel. This
results in data that keeps circling around as each bridge forwards the same
data.
Using the STP algorithm, bridges know of each others existence. By communi-
cating with each other, they establish one single path for reaching any particu-
lar network segment. If necessary, they may decide to disable some bridges in
the network in order to establish this single path.
This is a continuous process. So if a bridge fails, the remaining bridges will
reconfigure their bridging tables keeping each LAN segment reachable.
1424 SHDSL Router Chapter 8 301
User manual Configuring bridging and VLANs
8.1.3 The Rapid Spanning Tree and Multiple Spanning Tree Protocol
• RSTP supersedes the Spanning Tree Algorithm and Protocol (STP - IEEE 802.1D) that was already
implemented. RSTP interoperates with STP to facilitate migration. Bridges conforming to either spec-
ification can be used in the same network without configuration restrictions beyond those previously
imposed by STP.
• If it is absolutely necessary that the old STP protocol is used, it must be configured as such. Under
normal circomstances, the Rapid Spanning Tree Protocol is always applied.
• The Rapid Spanning Tree Protocol (RSTP) configures the port state of each bridge port. RSTP
ensures ...
- stable connectivity within the bridging network.
- that temporary loops in the active topology do not occur if the network has to reconfigure in
response to the failure, removal, or addition of a network component, and that erroneous station
location information is removed from the filtering database after reconfiguration.
Also refer to 11.10.1 - Bridge group configuration attributes on page 772 for more information.
302 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
• The design of the Multiple Spanning Tree Protocol (STP - IEEE 802.1Q) is based on that of the Rapid
Spanning Tree Protocol, extended to provide the capability for frames assigned to different VLANs
to be transmitted along different paths within MST Regions. In other words, MSTP allows frames
assigned to different VLANs to follow separate paths through the network.
• For this, VLAN groups must be created. Each VLAN group can have its own path within the spanning
tree domain.
• The path for each VLAN group is determined by the path cost, like RSTP but for each VLAN group
separately.
If, however, the path cost of two paths are identical, the priority of the interface determines the path.
• When VLAN groups are defined in the network, they must be configured consistently and identically
throughout the whole MSTP network. Otherwise, connection problems will arise.
• MSTP is compatible and interoperable with STP and RSTP, without requiring any extra settings or
adjustments.
• Different regions, each uniquely identifiable, can be interconnected into one big MST network.
• The following figure illustrates the principles of MSTP and VLAN groups:
Spanning Tree defines a tree with a root bridge and a loop-free path from the root to all bridges in the
extended network. The root bridge is the logical centre of the Spanning Tree topology.
Redundant data paths are forced into a stand-by (blocked) state. If a network segment in the spanning
tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topol-
ogy and activates the stand-by path.
All bridges in the network participating in Spanning Tree gather information about other bridges in the
network. They do this through an exchange of data messages called Bridge Protocol Data Units
(BPDUs).
This exchange of messages results in the following phases:
Phase Description
3 The removal of loops in the bridged network by blocking bridge ports connected to redun-
dant links.
304 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
Port roles
The cost factor is used to calculate the distance from each port of a bridge to the root bridge. On the
basis of this, each port on a bridge is assigned one of the following roles:
root port The port that is closest to the root bridge, i.e. it provides that lowest cost path to
the root bridge. Only one port on each bridge is assigned as the root port.
designated port • Each LAN in the bridged Local Area Network has an associated root path cost.
This is the root path cost of the lowest cost bridge with a bridge port connected
to that LAN. This bridge is selected as the designated bridge for that LAN. If
there are two or more bridges with the same root path cost, then the bridge with
the best priority (least numerical value) is selected as the designated bridge.
• The bridge port on the designated bridge that is connected to the LAN is
assigned the role of designated port for that LAN. If the designated bridge has
two or more ports connected to the LAN, then the bridge port with the best pri-
ority port identifier (least numerical value) is selected as the designated port.
• The root bridge itself only has designated port.
disabled Frames (with the exception of Configuration BPDUs) are not accepted or transmit-
ted by the port when it is in the blocking state. The port can be said to be in stand-
by.
alternate and • Port roles of alternate port and backup port are assigned to bridge ports that
backup can provide connectivity if other network components fail.
• Any operational bridge port that is not a root or designated port is a backup port
if that bridge is the designated bridge for the attached LAN, and an alternate
port otherwise.
• An alternate port offers an alternate path in the direction of the root bridge to
that provided by the bridge’s own root port, whereas a backup port acts as a
backup for the path provided by a designated port in the direction of the leaves
of the spanning tree.
• Backup ports exist only where there are two or more connections from a given
bridge to a given LAN; hence, they (and the designated ports that they back up)
can only exist where two ports are connected together in loopback by a point-
to-point link, or where the bridge has two or more connections to a shared
media LAN.
master The role of master port has been introduced for the Multiple Spanning Tree Proto-
col.
A port which is a root port, and that receives spanning tree information from
another MST region, is assigned the role of master.
1424 SHDSL Router Chapter 8 305
User manual Configuring bridging and VLANs
Connectivity
• In a Bridged Local Area Network whose physical topology is stable, i.e RSTP has communicated con-
sistent information throughout the network, every LAN has one and only one designated port, and
every bridge with the exception of the root bridge has a single root port connected to a LAN.
Since each bridge provides connectivity between its root port and its designated ports, the resulting
active topology connects all LANs and will be loop free.
• Each port ’s role can change if a bridge, bridge port, or LAN fails, is added to, or removed from the
network.
Port state transitions to learning and forwarding are delayed, and ports can temporarily transition to
the discarding state to ensure that misordering and duplication rates remain negligible.
Example
An elementary example of a Spanning Tree topology is given in the figure below:
306 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
The following figure shows how a bridge port moves through the differ-
ent states when the bridge is powered:
When you enable Spanning Tree, every bridge in the network goes
through the transitory states of discarding and learning at power up. If
properly configured, each port stabilises to the forwarding or discarding
state.
When the spanning-tree algorithm places a port in the forwarding state,
the following process occurs:
1. The port is put into the discarding state while it waits for protocol
information that suggests it should go to the learning state.
2. The port waits for the expiration of the forward delay timer, moves
the port to the learning state, and resets the forward delay timer.
3. In the learning state, the port continues to block frame forwarding as
it learns station location information for the forwarding database.
4. The port waits for the expiration of the forward delay timer and then moves the port to the forwarding
state, where both learning and forwarding are enabled.
1424 SHDSL Router Chapter 8 307
User manual Configuring bridging and VLANs
What is a BPDU?
To establish a stable path, each bridge sends Configuration Bridge Protocol Data Units (BPDUs) to its
neighbouring bridges. These Configuration BPDU messages contain information about the spanning
tree topology. The contents of these frames only changes when the bridged network topology changes
or has not been established.
Each Configuration BPDU contains the following minimal information:
• The unique bridge identifier of the bridge that the transmitting bridge believes to be the root bridge.
• The cost of the path to the root from the transmitting port.
• The unique port identifier of the transmitting port.
When a bridge transmits a BPDU frame, all bridges connected to the LAN on which the frame is trans-
mitted receive the BPDU. When a bridge receives a BPDU, it does not forward the frame. Instead, it uses
the information in the frame to:
• calculate a BPDU,
• initiate a BPDU transmission if the topology changes.
When a bridged network is in a stable condition, switches continue to send Configuration BPDUs to its
neighbouring bridges at regular intervals. Configuration BPDUs are transmitted down the spanning tree
from designated ports to root ports. If a Configuration BPDU is not received by the root port of a bridge
within a predefined time interval (for example, because a bridge along the path has dropped out), the
port enters the listening state to re-determine a stable path.
Message age
To ensure that old information does not endlessly circulate through redundant paths in the network and
prevent propagation of new information, each configuration message includes a message age and a
maximum age. The message age is incremented on receipt, and the information discarded if it exceeds
the maximum. Thus the number of bridges the information can traverse is limited.
308 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
The following are some examples of how Spanning Tree behaves when certain events occur in your net-
work.
Bridging loops
Bridge failure
Network extension
In the example above, Bridge A is selected as the root bridge. This because the bridge priority of all the
bridges is set to the default value (32768) and Bridge A has the lowest MAC address. However, due to
traffic patterns or link types, Bridge A might not be the ideal root bridge.
By increasing the bridge priority (lowering the numerical priority value) of the ideal bridge so that it
becomes the root bridge, you force a Spanning Tree recalculation to form a new spanning-tree topology
with the ideal bridge as the root.
When the spanning-tree topology is calculated based on default parameters, the path between source
and destination stations in a bridged network might not be ideal. The goal is to make the fastest link the
root port.
For example, assume on Bridge B that …
• port 1, currently the root port, is an unshielded twisted-pair link,
• port 2 is a fibre-optic link.
Network traffic might be more efficient over the high-speed fibre-optic link. By changing the spanning-
tree port priority or path cost for port 2 to a higher priority (lower numerical value) than port 1, port 2
becomes the root port.
Note that path cost is linked to a port of the bridge, not to the bridge itself.
310 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
Example
By changing the priority and/or the pathCost, you can create a "preferred" path:
By setting the path costs of the entry ports of Bridge B and C to a lower value than the path cost of the
entry port of Bridge Z, you can create a preferred path through Bridge B and C.
To get from bridge A to bridge D, the path cost via bridge B and C is 20; via bridge Z, it is 100. The path
through Bridge Z becomes the back-up path.
1424 SHDSL Router Chapter 8 311
User manual Configuring bridging and VLANs
This section lists the attributes you can use to configure bridging. The following gives an overview of this
section:
• 8.2.1 - Introducing the bridging attributes on page 312
• 8.2.2 - Configuring the bridge group on page 313
• 8.2.3 - Adding a bridge group on page 314
• 8.2.4 - Enabling bridging on an interface on page 316
• 8.2.5 - Configuring bridging on an interface on page 317
• 8.2.6 - Explaining the bridging structure on page 318
312 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
A bridge group comprises the main bridging process. So in the containment tree, the bridgeGroup object
contains the general bridging attributes.
The 1424 SHDSL Router offers the possibility to create multiple bridge groups. This means you can
group some interfaces in one bridge group while you group several other interfaces in another bridge
group. By doing so, it is as if you created several “simple” bridge devices within one device.
In addition to configuring the general bridging process using the configuration attributes of the bridge
group, you also have to configure bridging on each interface on which you want to use bridging.
1424 SHDSL Router Chapter 8 313
User manual Configuring bridging and VLANs
Refer to …
• 8.1 - Introducing bridging on page 298 for an introduction on bridging.
• 8.2.1 - Introducing the bridging attributes on page 312 for an introduction on the bridging attributes.
This section lists the most important configuration attributes of the bridge group.
Refer to 8.1.2 - The self-learning and Transparent Spanning Tree bridge on page 300 for an introduction.
Use the protocol element in the spanningTree structure to select the bridging protocol. Refer to spanningTree
on page 777.
Refer to 8.1.9 - The Spanning Tree priority and cost on page 309 for more information on bridge priority.
Use the bridgePriority element in the spanningTree structure to set the bridge priority. Refer to spanningTree on
page 777.
314 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
As said in 8.2.1 - Introducing the bridging attributes on page 312, you can add several bridge groups.
In order to add a bridge group, proceed as follows:
Step Action
2 In the vpnBridgeGroup[ ] object you just added, configure the attributes to your needs.
Example:
Suppose you configure an IP address on the bridge group, activate the spanning tree
protocol and set a bridge priority.
3 Now you can add interfaces to the bridge group you just created. Do this by entering the
name of the bridge group in the bridging/bridgeGroup element of the interfaces you want to
add.
Refer to 8.2.6 - Explaining the bridging structure on page 318 (more specifically to the
bridgeGroup element) for more information.
Example:
Suppose you want to add the LAN interface to the vpnBridgeGroup[my_bg] object you previ-
ously added, then type the string “my_bg” in the bridgeGroup element of the bridging structure
of the lanInterface object.
1424 SHDSL Router Chapter 8 315
User manual Configuring bridging and VLANs
Suppose …
• you have 2 VLANs (VLAN 1 and VLAN 2).
• you have 5 PVCs (PVC 1 up to PVC 5).
• you want to assign VLAN 1 and PVC 1 and 2 to
the default bridge group.
• you want to assign VLAN 2 and PVC 3, 4 and 5
to a bridge group you added yourself.
So first, add a bridge group to the containment tree (e.g. vpnBridgeGroup[my_bg]. Then assign the different
interfaces to the different bridge groups by specifying bridge group names in the bridging/bridgeGroup ele-
ments of the different interfaces. Also set the different interfaces in bridging mode.
The configuration looks as follows:
316 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
Refer to …
• 8.1 - Introducing bridging on page 298 for an introduction on bridging.
• 8.2.1 - Introducing the bridging attributes on page 312 for an introduction on the bridging attributes.
Per IP interface you can determine whether you perform routing, bridging or both. The following table
shows, for each IP interface, how to enable bridging on this interface:
LAN interface Set the mode attribute to bridging or routingAndBridging. The mode attribute can be found
in the lanInterface object: mode.
Important remark
If you set the configuration attribute mode to bridging, then the settings of the
configuration attribute ip are ignored. As a result, if you want to manage the 1424
SHDSL Router via IP, you have to configure an IP address in the bridgeGroup object
instead: ip.
VLAN on the Set the mode element to bridging or routingAndBridging. The mode element can be found
LAN interface in the vlan table which is located in the lanInterface object: vlan/mode.
L2TP tunnel Set the mode element to bridging or routingAndBridging. The mode element can be found
in the l2tpTunnels table which is located in the tunnels object: l2tpTunnels/mode.
IPSEC L2TP Set the mode element to bridging or routingAndBridging. The mode element can be found
tunnel in the ipsecL2tpTunnels table which is located in the tunnels object: ipsecL2tpTunnels/
mode.
1424 SHDSL Router Chapter 8 317
User manual Configuring bridging and VLANs
Refer to …
• 8.1 - Introducing bridging on page 298 for an introduction on bridging.
• 8.2.1 - Introducing the bridging attributes on page 312 for an introduction on the bridging attributes.
Once the bridging process is enabled on the interface (refer to 8.2.4 - Enabling bridging on an interface
on page 316) you can configure the bridging parameters of this interface. Use the elements in the bridging
structure for this purpose. The following table shows you the location of the bridging structure for each
interface:
Important remark
If you set the configuration attribute mode to bridging, then the settings of the
configuration attribute ip are ignored. As a result, if you want to manage the 1424
SHDSL Router via IP, you have to configure an IP address in the bridgeGroup object
instead: ip.
VLAN on the In the bridging structure of the vlan table which is located in the lanInterface object: vlan/
LAN interface bridging.
L2TP tunnel In the bridging structure of the l2tpTunnels table which is located in the tunnels object:
l2tpTunnels/bridging.
IPSEC L2TP In the bridging structure of the ipsecL2tpTunnels table which is located in the tunnels
tunnel object: ipsecL2tpTunnels/bridging.
Refer to 8.2.6 - Explaining the bridging structure on page 318 for a detailed explanation of the bridging
structure.
318 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
Because the bridging structure occurs in several objects, it is described here once and referenced where
necessary. Refer to 8.2.5 - Configuring bridging on an interface on page 317 for the location of the bridging
structure.
This section lists all the elements that can be present in the bridging structure. However, depending on
the interface, it is possible that not all of these elements are present.
Element Description
Example
inAccessList Use this element set up an inbound access list on the Default:<empty>
interface. Range: 0 … 24 characters
To do so, proceed in exectly the same way as described above, for the accessList
element.
1424 SHDSL Router Chapter 8 319
User manual Configuring bridging and VLANs
Element Description
Example
Although a bridging traffic policy can still be configured, the preferred way to
manipulate bridged traffic, is to make use of access lists. These allow for
extra configuration possiblities compared to bridge traffic policies.
Refer to ...
• 8.5 - Bridge traffic classification by filtering on page 344,
• 8.6 - Bridge traffic classification by applying QoS on bridged traffic on page 352
and
• 11.10.2 - Bridge access list configuration attributes on page 786
... for more information.
320 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
Element Description
Examples
• By default, both the bridgeGroup element and the configuration attribute name of
the default bridge group are set to “bridge”. This means that by default the inter-
face is assigned to the default bridge group.
• Suppose you change the name of the default bridge group (by changing the
value of the configuration attribute name). If you still want to assign the interface
to the default bridge group, then you have to enter the new name of the default
bridge group in the bridgeGroup element of the interface.
• Suppose you add a bridge group with index name my_bg and you want to assign
the interface to this bridge group, then enter the index name as value for the
bridgeGroup element.
1424 SHDSL Router Chapter 8 321
User manual Configuring bridging and VLANs
Element Description
Example
maxCacheSize Use this element to set the maximum allowed number Default:0, unlimited
of dynamically learned MAC addresses in the bridge Range: 0 ... 10000
cache, via the interface. If set to 0, this means this
number is unlimited.
If a packet with an unknown MAC address is received, and the address will
not be entered in the bridge cache because either learning is set to disabled or
the maxCacheSize for this interface has been exceeded, the packet will be
dropped.
322 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
Element Description
• shutdownTime. This is the time during which the Default:00000d 00h 00m 00s
interface is shut down. The interface can then Range: 00000d 00h 00m 05s -
automatically be restarted after this time, or a user 00000d 18h 12m 15s
action can be required. As long as the interface is
in shutDown state, an alarm is raised on the bridge group.
priority Use this element to set the port priority of the inter- Default:128
face. Range: 0 ... 255
Each port of a bridge has a unique port identifier. The priority element is a part of
this port identifier and allows you to change the priority of the port. It is taken as
the more significant part in priority comparisons.
The other part of the unique port identifier has a fixed relationship to the physical
or logical port. This assures the uniqueness of the unique port identifier among the
ports of a single bridge.
Refer to 8.1.9 - The Spanning Tree priority and cost on page 309 for more infor-
mation on port priority.
1424 SHDSL Router Chapter 8 323
User manual Configuring bridging and VLANs
Element Description
pathCost Use this element to set the path cost of the interface. Default:100
The path cost is the value that is added to the total Range: 1 … 65535
cost of the path to the root bridge, provided that this particular port is a root port.
I.e. that the path to the root goes through this port.
This value is used in RSTP, and in MSTP in the global common spanning tree.
The total cost of the path to the root bridge should not exceed 65500.
Refer to 8.1.9 - The Spanning Tree priority and cost on page 309 for more infor-
mation on port priority.
internalPathCost Use this element to set the path cost of the interface Default:100
for MSTP, i.e. this is the path cost to use internally in Range: 1 … 65535
a VLAN region.
This internal path cost can be overruled by the configuration of a VLAN group:
Bridge ports can be imported in a VLAN group by enabling the importBridgePorts
attribute in the vlanGroup[ ] object.
By setting the ports attribute in the vlanGroup[ ] object, the internalPathCost configured
here in the bridging structure, is overruled by the one set in the VLAN group.
Refer to 11.10.3 - VLAN group configuration attributes on page 793 for more infor-
mation.
Element Description
An edge port is located on the boundary of the spanning tree domain; it is con-
nected to a device or network which is not part of the spanning tree domain. This
means that no spanning tree messages are sent out via this port to the outside
world.
1424 SHDSL Router Chapter 8 325
User manual Configuring bridging and VLANs
This section introduces VLANs and gives a short description of the attributes you can use to configure
VLANs.
The following gives an overview of this section:
• 8.3.1 - Introducing VLANs on page 326
• 8.3.2 - Setting up a VLAN on a LAN interface on page 329
• 8.3.3 - Setting up a VLAN on the bridge group on page 331
• 8.3.4 - Configuring VLAN switching on page 332
• 8.3.5 - Adding a VLAN group on page 335
326 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
What is a VLAN?
A Virtual LAN (VLAN) is a group of devices on one or more LANs that are configured (using management
software) so that they can communicate as if they were attached to the same wire, when in fact they are
located on a number of different LAN segments. Because VLANs are based on logical instead of phys-
ical connections, they are extremely flexible.
The VLAN tag header is inserted immediately following the destination MAC address and source MAC
address fields of the frame. The VLAN tag header can be divided into two components:
• TPID (Tag Protocol Identifier). The 802.1Q Ethernet-encoded TPID is defined as two octets or 16 bits,
with the value “8100”.
• TCI (Tag Control Information). The TCI field is also two octets in length and contains:
- PCP (Priority Code Point) or user priority. The 3 user priority bits represent eight priority levels, 0
through 7. IEEE 802.1P defines the operation for these 3 user priority bits. The IEEE 802.1P sig-
nalling technique, also often referred to as Class Of Service or COS, is an IEEE endorsed speci-
fication for prioritising network traffic at the datalink/MAC sub-layer (layer 2).
- CFI (Canonical Format Indicator). The CFI bit indicates that all MAC address information carried
by the frame that may be present in the MAC data is in Canonical format.
- VID (VLAN Identifier). The 12-bit VID field identifies the VLAN to which the frame belongs. Three
VID values are reserved by the 802.1Q standard.
All this is illustrated in the following figure:
1424 SHDSL Router Chapter 8 327
User manual Configuring bridging and VLANs
Double tagging
The IEEE 802.1Q standard specifies a tag that appends to a MAC frame. In addition to one tag being
added, it is also possible that two tags are added, i.e. double tagging, also referred to as QinQ VLAN
stacking. In addition to the IEEE 802.1Q standard, the IEEE 802.1ad standard is also supported; this is
an amendment to IEEE 802.1Q.
The first VLAN tag header, or inner tag, is inserted immediately following the destination MAC address
and source MAC address fields of the frame. The 16-bit TPID field of the VLAN tag header is 802.1Q
Ethernet-encoded, with the value “8100”.
The second VLAN tag header, or outer tag, is again inserted immediately following the destination MAC
address and source MAC address fields of the frame. The 16-bit TPID field of this VLAN tag header can
have multiple values:
• a value of 0x8100, in order to identify the frame as an IEEE 802.1Q - tagged frame.
• a value of 0x88a8, in order to identify the frame as an IEEE 802.1ad - tagged frame.
These predefined values can be set using the tpid element in the vlan structure of the vlan table on an
Ethernet interface; refer to the vlan attribute in 11.3 - LAN interface configuration attributes on page 509
for more information. In principle, beside these two predefined values, any other value can be filled in by
the user manually.
328 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
Step Action
1 In the 1424 SHDSL Router containment tree, go to the lanInterface object, select the vlan
attribute and add one or more entries to this table.
• Use this attribute to configure the VLANs you want to set up. Add a row to the vlan table
for each VLAN you want to set up.
• As long as no VLANs are created in the vlan table, the LAN interface accepts both
VLAN untagged and VLAN tagged frames.
• The VLAN untagged frames are bridged and/or routed (depending on the setting of
the mode attribute).
• The VLAN tagged frames are bridged (in case the mode attribute is set to bridging or
bridgingAndRouting, else they are discarded).
• As soon as a VLAN is created in the vlan table, the LAN interface still accepts VLAN
untagged frames but only accepts those VLAN tagged frames of which the VLAN ID
corresponds with the VLAN ID that has been configured in the vlan table (see the vid
element below). Other VLAN tagged frames are discarded.
Step Action
3 Configure the vlan structure in the vlan table. The most important elements in this structure
are:
• vid. Use this element to set the VLAN ID.
Important remark
You can also enter VLAN tag 0 as VLAN ID. This is not really a VLAN, but a way
to reverse the filtering:
- all the untagged data is passed, internally, to VLAN 0.
- all the other, tagged, data for which no VLANs are defined, are handled by the
main LAN interface.
This allows a set-up where a number of VLANs are VLAN switched, while other VLANs
and untagged data are bridged. This is particularly interesting for VLAN based networks
with Ethernet switch discovery protocols like Cisco CDP. Until now, this was not possible
since the VLAN switching mode did not allow flooding packets over multiple interfaces
(bridging), nor did it allow terminating management data in the device.
In such set-up, the configuration looks as follows:
- A first bridge group includes all VLANs that need to be switched. This bridge group
is set in VLAN switching mode.
- A second bridge group includes VLAN 0 and possibly also a VLAN for manage-
ment of the device.
- The interface VLAN table(s) include(s) entries for all switched VLANs, VLAN 0 and
possibly a VLAN for management.
• tpid. Use this element to set the Tag Protocol ID of the VLAN header. This is the value
to be used as the first 2 bytes of the VLAN tag when adding a VLAN header. Prede-
fined values are dot1Q and dot1ad.
• tagSignificance. Use this element to determine the significance of the VLAN tag: local, glo-
bal, cVlan or sVlan. Refer to vlan/vlan on page 517 for more detailed information.
1424 SHDSL Router Chapter 8 331
User manual Configuring bridging and VLANs
Step Action
1 In the 1424 SHDSL Router containment tree, go to the bridgeGroup object, select the vlan
attribute and add one or more entries to this table.
Use this attribute to configure the VLANs you want to set up. Add a row to the vlan table
for each VLAN you want to set up.
3 Configure the vlan structure in the vlan table. The elements in this structure are:
• vid. Use this element to set the VLAN ID.
• txCos. Use this element to set the default user priority (802.1P, also called COS) of the
transmitted VLAN frames.
• changeTos. Use this element to enable or disable the COS to TOS mapping.
If you set the changeTos attribute to disabled, then the element cosTosMap is ignored.
• cosTosMap. Use this element to determine how the VLAN user priority (COS) maps
onto the IP TOS byte value.
• tosCosMap. Use this element to determine how the IP TOS byte value maps onto the
VLAN user priority (COS).
• arp. Use this element to configure the Address Resolution Protocol (ARP) cache.
Step Action
1 In the 1424 SHDSL Router containment tree, go to the bridge/bridgeGroup object and set
the bridgeCache attribute to switching.
2 In the 1424 SHDSL Router containment tree, go to the bridge/bridgeGroup object, select the
vlanSwitching attribute and add one or more entries to this table.
Use this attribute to specify which VLANs you want to switch. Add a row to the vlanSwitching
table for each VLAN you want to switch.
1424 SHDSL Router Chapter 8 333
User manual Configuring bridging and VLANs
Step Action
Important remarks
•Note that one row in the vlanSwitching table represents a bidirectional connection.
I.e. data is switched from source to destination and vice versa.
• Also note that only point-to-point connections are possible. Point-to-multipoint con-
nections are not possible. In other words, a certain VLAN may only appear once in the
vlanSwitching table.
Refer to vlanSwitching on page 782 for more information on the elements of the vlanSwitching
configuration attribute.
334 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
The following figure shows the LAN interface carrying 3 VLANs that are switched to 3 different ATM
PVCs. One of the VLAN IDs is kept, one is changed and one is stripped.
The following figure shows how to configure the bridge group for VLAN switching.
1424 SHDSL Router Chapter 8 335
User manual Configuring bridging and VLANs
VLAN groups must be added when using the Multiple Spanning Tree Protocol or MSTP.
MSTP allows frames assigned to different VLANs to follow separate paths through the network. For this,
VLAN groups must be created. Each VLAN group can have its own path within the spanning tree
domain.
Refer to 8.3.1 - Introducing VLANs on page 326 for an introduction on VLAN ‘s; also refer to 8.1.3 - The
Rapid Spanning Tree and Multiple Spanning Tree Protocol on page 301 for more information about
MSTP.
To set up a VLAN group under the bridge group, proceed as follows:
Step Action
1 In the 1424 SHDSL Router containment tree, go to the bridge object, select the bridgeGroup
object and add a vlanGroup[ ] object. Refer to 4.4 - Adding an object to the containment
tree on page 45 for an explanation on how to add objects to the containment tree.
Refer to the following figure:
• filteringId. Use this attribute to set a unique identifier for the VLAN group.
• vlanMembers. Use this attribute to add VLAN ‘s to the VLAN group by means of their
VLAN ID. VLAN ‘s can be added individually, or by entering a range.
• importBridgePorts. Use this attribute to automatically import all bridging interfaces, which
are members of this bridge group, into the VLAN group. Do this by setting this attribute
to enabled.
• ports. Use this attribute to manually add ports to the VLAN group, or to overrule the
configuration values of the ports, which have been imported using the importBridgePorts
attribute, for this VLAN group.
• mst. Use this attribute to set priority of the VLAN group for Multiple Spanning Tree or
MST.
Refer to 11.10.3 - VLAN group configuration attributes on page 793 for more detailed
information.
336 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
This chapter is only relevant in case your 1424 SHDSL Router is equiped with a 4 port Ethernet switch.
You can use the 4 port Ethernet switch as an ordinary Ethernet switch on the one hand, but you can also
use it as a VLAN switch on the other hand. This section explains how you can create VLANs on the 4
port Ethernet switch.
The following gives an overview of this section:
• 8.4.1 - Introducing the 4 port Ethernet switch on page 337
• 8.4.2 - Setting up VLANs on the 4 port Ethernet switch on page 339
1424 SHDSL Router Chapter 8 337
User manual Configuring bridging and VLANs
The Ethernet switch that is used on the 1424 SHDSL Router is actually a 5 port Ethernet switch, with:
• 4 “external” ports.
• 1 “internal” port.
The 4 port Ethernet switch can be used as an ordinary Ethernet switch or as a VLAN switch.
In the lanInterface object of the 4 port Ethernet switch there are two attributes directly involved with the
configuration of VLANs:
• The ports attribute. Use this attribute to set up VLANs on the different ports of the 4 port Ethernet
switch. Depending on which type of VLAN tagging you select, VLAN IDs are stripped, added, etc.
• The vlan attribute. Use this attribute if you want that VLAN tagged packets inside the 4 port Ethernet
switch are forwarded to the bridging or routing function of the 1424 SHDSL Router.
338 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
You can define up to 16 different VLANs in the vlan attribute and the ports attribute together. If you con-
figure more than 16 VLANs in total, then only the first 16 VLANs are activated. For each VLAN that could
not be activated the following warning message is displayed in the messages status attribute: “Ethernet
switch configuration failed: too many different VIDs! VID x is not activated.”.
The order in which the configured VLANs are activated is the following:
1. First the VLANs that are configured in the ports attribute are activated. This is done in numerical port
order, i.e. from port 1 to 4.
2. Then the VLANs that are configured in the vlan attribute are activated.
Examples:
• Suppose you configure port 1 as a trunk port with 16 different VIDs and you configure port 2, 3 and
4 as tagged ports also all with different VIDs. That makes 19 different VIDs! In that case, only the
VIDs of port 1 are activated.
• Suppose you configure port 1, 2 and 3 as tagged ports, all with different VIDs. Suppose you configure
port 4 as a trunk port with another 8 different VIDs. Finally, you create 8 entries in the vlan attribute,
also with VIDs different from the others. That makes 19 different VIDs! In that case, the last 3 entries
of the vlan attribute are not activated.
1424 SHDSL Router Chapter 8 339
User manual Configuring bridging and VLANs
Refer to 8.4.1 - Introducing the 4 port Ethernet switch on page 337 for an introduction.
To create VLANs on the 4 port Ethernet switch, proceed as follows:
Step Action
1 If you want to create VLANs that only have a significance on the 4 port Ethernet switch,
in other words they do not have to be known by the protocol stack of the 1424 SHDSL
Router, then it suffices to create VLANs on the ports of the 4 port Ethernet switch. Do this
as follows:
1. In the 1424 SHDSL Router containment tree, go to the lanInterfaceX object and select
the ports attribute.
2. In the ports attribute, you can configure the adapter and crossover element for each port.
3. Set the switchMode attribute to dot1QSwitching to enable VLAN switching on the 4 port
Ethernet switch.
2 Configure the VLANs that the 1424 SHDSL Router needs to bridge or route in the vlan
attribute. If no VLANs are configured in the vlan attribute, then only local VLAN switching
between the Ethernet ports of the 4P switch is done.
Refer to 8.3.2 - Setting up a VLAN on a LAN interface on page 329 for more information
on the vlan attribute.
Important remark
As explained in VLAN switching restrictions on page 338, the sum of the unique VLANs configured in
the ports attribute and those configured in the vlan attribute may not exceed 16. This because the internal
VLAN table of the 4 port Ethernet switch can only handle up to 16 unique VLANs.
340 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
In this example, all ports are untagged and the VIDs are set to the same value.
Incoming untagged packets and null-VID tagged packets are internally tagged with VID 1 before they
are forwarded (except if they are forwarded to the local port, see below). Incoming packets tagged with
VID 1 are forwarded unaltered. Incoming packets tagged with a different VID are discarded.
Outgoing untagged packets are forwarded unaltered. Outgoing tagged packets their VLAN tag is
removed before they are forwarded.
What makes this case a special case is that since all VIDs on all ports are the same, there is no need
for the 1424 SHDSL Router itself to be able to make a distinction between the different packets coming
from the different ports (it is the same VLAN). So packets that are destined for the 1424 SHDSL Router
itself their VLAN tag is removed before they are forwarded through the local port. In other words, the
central CPU of the 1424 SHDSL Router receives untagged packets from the 4 port Ethernet switch.
1424 SHDSL Router Chapter 8 341
User manual Configuring bridging and VLANs
In this example, all ports are untagged and the VIDs are set to different values.
Depending on which port they arrive, incoming untagged packets and null-VID tagged packets are inter-
nally tagged with VID 10 or 20 before they are forwarded. Incoming tagged packets are forwarded unal-
tered if the VID corresponds with the one configured on the port. Incoming packets tagged with a
different VID are discarded.
Outgoing untagged packets are forwarded unaltered. Outgoing tagged packets their VLAN tag is
removed before they are forwarded.
As opposed to the previous case (Example 1 - creating VLANs on the 4 port Ethernet switch on
page 340), packets that are forwarded through the local port keep their VLAN tag. So in this case, if you
want that one or both VLANs are processed by the 1424 SHDSL Router itself (e.g. because they have
to be routed or bridged etc.), then add them to the vlan attribute.
So more concrete, if you want that both VLAN 10 and 20 are processed by the 1424 SHDSL Router itself,
then add 2 entries to the vlan attribute, one with VID = 10 and one with VID = 20.
342 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
In this example, all ports are tagged and the VIDs are set to different values.
Incoming untagged packets and null-VID tagged packets are discarded. Incoming tagged packets are
forwarded unaltered if the VID corresponds with the one configured on the port. Incoming packets tagged
with a different VID are discarded.
Outgoing tagged packets are forwarded unaltered if the VID corresponds with the one configured on the
port.
If you want that one or both VLANs are processed by the 1424 SHDSL Router itself (e.g. because they
have to be routed or bridged etc.), then add them to the vlan attribute.
In this example, 2 ports are untagged, 2 ports are tagged, but the VIDs are set to the same value.
The untagged and tagged ports behave as explained in the previous examples.
One thing that can be noted here is that although all VIDs are set to the same value, packets forwarded
to the local port keep their VLAN tag. This as opposed to the situation in Example 1 - creating VLANs on
the 4 port Ethernet switch on page 340.
So in this case, if you want that the VLAN is processed by the 1424 SHDSL Router itself (e.g. because
it has to be routed or bridged etc.), then add it to the vlan attribute.
1424 SHDSL Router Chapter 8 343
User manual Configuring bridging and VLANs
The untagged and tagged ports behave as explained in the previous examples.
The trunk port is a special kind of tagged port. It can be seen as a concentrator for packets of all other
ports or as an uplink to a backbone LAN. On a trunk you can configure more than one VID. Note that the
local port is actually a permanent trunk port, i.e. it concentrates all packets destined for the central CPU.
On a trunk port, incoming untagged packets and null-VID tagged packets are discarded. Incoming
tagged packets are forwarded unaltered if the VID corresponds with the one configured on the port.
Incoming packets tagged with a different VID are discarded.
Outgoing tagged packets are forwarded unaltered if the VID corresponds with the one configured on the
port.
If a port is configured as sniffer port, its normal function is suspended and this port starts to transmit all
packets it has to monitor. So on a sniffer port the VLAN filtering and incoming and outgoing tagging rules
are all disabled.
In the example above, all packets (including packets that do not successfully pass the validation proc-
ess) entering or exiting port 2 and that are tagged with VID 101 are copied to port 4 and transmitted unal-
tered there. If you then connect a VLAN-enabled sniffer program running on a PC, you can monitor all
traffic to and from port 2.
344 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
This section explains how bridge access lists can be used as a filter, simple or advanced, and if neces-
sary how a certain action can be applied on the filtered packets. It also explains how the access lists can
be applied on an interface.
For filtering purposes, access lists on the bridged interface can be used in three different ways:
• They can be used as a simple filter, based on the source MAC address, via the macAddress attribute.
• They can be used as an advanced filter, via the advancedFilter attribute.
• When using the advanced element of the advancedFilter attribute, even more sophisticated actions can
be applied on the filtered packets.
This section gives an overview of the bridge access list configuration attributes that are relevant for fil-
tering; refer to 11.10.2 - Bridge access list configuration attributes on page 786 for a detailed overview
of all bridge access list configuration attributes.
The following gives an overview of this section:
• 8.5.1 - Using an access list as a simple filter on page 345
• 8.5.2 - Using an access list as an advanced filter on page 346
• 8.5.3 - Using the advanced element of the advancedFilter attribute on page 347
• 8.5.4 - Applying an access list on an interface on page 350
Access lists can be added under the bridge object. By default, no accessList[ ] object is present in the con-
tainment tree. If you want to use this feature, an accesslist[ ] object must be added. Refer to 4.4 - Adding
an object to the containment tree on page 45.
1424 SHDSL Router Chapter 8 345
User manual Configuring bridging and VLANs
An access list can be used for simple filtering purposes via the macAddress attribute under the accessList[ ]
object. Refer to 11.10.2 - Bridge access list configuration attributes on page 786 and the following figure:
This is an outbound access list: packets coming from MAC addresses that are specified in the access
list are not sent out on the interface on which the access list is applied.
346 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
A more sophisticated way to filter bridged frames is to make us of the advancedFilter attribute under the
accessList[ ] object. This way, bridged frames can be filtered, taking into account:
• source and destination MAC address ranges. These ranges can be set using the sourceMacStart,
sourceMacEnd, destinationMacStart and destinationMacEnd elements.
• the layer 3 protocol field. To select a protocol, use the protocol element.
• VLAN tag and priority bits. To filter out specific VLAN ‘s, use the vlan element; to filter bridged frames
based on the priority bits in the VLAN header, use the priority element.
An action can be set, using the action element, that has to be executed on the filtered frames: deny, permit
or continue. This means:
• deny. Packets matching this line are dropped.
• permit. Packets matching this line are passed to the advanced action (if present) or permitted. For more
information about the advanced action, refer to 8.5.3 - Using the advanced element of the advancedFilter
attribute on page 347.
• continue. Packets matching this line are passed to the advanced action (if present) and processing of
the ACL continues.
Refer to 11.10.2 - Bridge access list configuration attributes on page 786 and the following figure:
• The advancedFilter table can contain many lines, each line with its own filter criteria; i.e. each line is a
separate filter, which can also be given a unique name with the name element.
• This type of classification can be configured per physical and logical interface both in inbound and
outbound directions.
1424 SHDSL Router Chapter 8 347
User manual Configuring bridging and VLANs
When using the advanced element of the advancedFilter attribute, even more sophisticated actions can be
applied on the filtered packets:
• Limit the number of TCP SYN packets per minute on page 348
• Jump over or jump to another entry in the access list on page 348
• Apply an IP traffic policy on page 349
Refer to 11.10.2 - Bridge access list configuration attributes on page 786 and the following figure, it
shows the attributes that can be set:
Note that the advancedFilter/advanced/mark element part is of the QoS features of the device, and therefore
has been described in 8.6 - Bridge traffic classification by applying QoS on bridged traffic on page 352.
348 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
TCP SYN packets are sent out by a host that wants to establish a TCP connection. The device that
receives the packets, stores these requests in a queue.
When a host sends out these packets with a fake source address, at a high rate, it can block the queue
of the device that receives the packets. And thereby making TCP connections from and to actual users
impossible.
The number of TCP SYN packets that are actually received, can be limited in time, so that a TCP SYN
attack cannot block the device.
This can be done:
• globally, taking into account the total number of received TCP SYN packets, or
• per MAC address.
Refer to 11.10.2 - Bridge access list configuration attributes on page 786 and the following figure:
Another way to filter bridged traffic is the use of an IP traffic policy. Refer to 7.11.3 - Traffic policy on
routed and on bridged data on page 266 for more information about IP traffic policies.
Refer to 11.10.2 - Bridge access list configuration attributes on page 786 and the following figure:
350 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
Suppose you created and configured an access list object with index name myList (i.e. accessList[myList]),
and you want to apply this access list on the EFM link.
The following figure shows how to configure this:
This chapter explains the application of advanced access lists as advanced filter on bridged traffic, as
part of QoS on bridged traffic.
In the first section, 2 important concepts with regard to QoS are explained: TOS and COS. Then, it
explains in detail how to configure advanced filters for QoS and how to apply them on an interface.
This section gives an overview of the bridge access list configuration attributes that are relevant for QoS;
refer to 11.10.2 - Bridge access list configuration attributes on page 786 for a detailed overview of all
bridge access list configuration attributes.
The following gives an overview of this section:
• 8.6.1 - Defining TOS and COS on page 353
• 8.6.2 - Colouring of bridged packets on page 354
• 8.6.3 - Applying colouring on an interface on page 358
• Access lists can be added under the bridge object. By default, no accessList[ ] object is present in the
containment tree. If you want to use this feature, an accesslist[ ] object must be added. Refer to 4.4 -
Adding an object to the containment tree on page 45.
• Another aspect of QoS is the application of priority policies.
This is the same for routed and bridged data, and has therefore already been described in 7.11.12 -
Priority policy on routed and on bridged data on page 289 and the sections beyond; refer to these
sections for more information about priority policies.
1424 SHDSL Router Chapter 8 353
User manual Configuring bridging and VLANs
TOS and COS are 2 concepts which determine the prioritisation or classification of data packets. But on
2 different levels:
• COS is part of the data link layer or layer 2 of the OSI model. Also refer to 8.3.1 - Introducing VLANs
on page 326 for more information.
• TOS is part of the network layer or layer 3 of the OSI model. Also refer to 7.11.2 - Introducing traffic
and priority policy on page 262 for more information.
The prioritisation or classification of data packets is also referred to as colouring of the data packets.
Extended access lists can manipulate the priority of data packets: they can be set to a specific desired
value, or TOS can be mapped to an according COS.
The figures below illustrate the COS and TOS presence in the data packets on layer 2 and 3.
Priority at layer 2 is called Class Of Service or COS. 3 bits are used to set the priority, so this leads to 8
different priorities. The following figure shows a tagged ethernet frame with the priority field highlighted:
Priority at layer 3 is done via the TOS byte in an IP packet. In the OneAccess devices, all 8 bits can effec-
tively be used, so this allows for 256 possible priorities that can be set. The following figure shows an IP
packet with the TOS byte highlighted:
354 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
An important aspect within the accessList[ ]/advancedFilter/advanced element, is the colouring of bridged pack-
ets i.e. making certain changes to the bridged packets. Traffic colouring is a mechanism where data is
marked in order to belong to a specific traffic category.
This can be done by using the mark element in the advanced element of the advancedFilter attribute. Refer
to the following figure:
Either one of the following options can be applied on the filtered packets:
• Setting a destination queue on page 355; the element to be used for this, is marked in the figure
above with 1, and explained further below.
• Setting TOS and COS value on page 356; the element to be used for this, is marked in the figure
above with 2, and explained further below.
• Mapping the IP TOS byte onto the VLAN user priority (COS) on page 357; the element to be used for
this, is marked in the figure above with 3, and explained further below.
1424 SHDSL Router Chapter 8 355
User manual Configuring bridging and VLANs
Each physical or virtual interface has 6 queues that can be filled: queues 1 to 5, and a low delay queue.
On an interface the access list is applied to:
• the filtered packets can be assigned to one of the queues by setting the queue element.
• the user can set how many packets may be queued before they are dropped, or that no packets may
be dropped at all, by setting the dropLevel element.
Refer to the following figure:
356 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
On an interface the access list is applied to, the TOS byte and VLAN user priority (COS) of the filtered
packets can be set to a specific desired value:
• The TOS byte can be set to any value between 0 and 256, using the tos element. Entering 256 leaves
the TOS byte unchanged.
• The COS value can be set to any value between 0 and 8, using the cos element. Entering 8 leaves the
VLAN user priority unchanged.
In combination with this:
• the filtered packets can be assigned to one of the queues by setting the queue element.
• the user can set how many packets may be queued before they are dropped, or that no packets may
be dropped at all, by setting the dropLevel element.
Refer to the following figure:
For more information about the TOS byte and COS, refer to 7.11.2 - Introducing traffic and priority policy
on page 262 and 8.6.1 - Defining TOS and COS on page 353.
1424 SHDSL Router Chapter 8 357
User manual Configuring bridging and VLANs
Mapping the IP TOS byte onto the VLAN user priority (COS)
On an interface the access list is applied to, a TOS byte value range can be mapped onto the VLAN user
priority (COS):
• the TOS byte value range can be set using the startTos and endTos elements. They can be set to any
value between 0 and 256 (256 is for non IP data).
• The COS value can be set to any value between 0 and 8, using the cos element. Entering 8 leaves the
VLAN user priority unchanged.
In combination with this:
• the filtered packets can be assigned to one of the queues by setting the queue element.
• the user can set how many packets may be queued before they are dropped, or that no packets may
be dropped at all, by setting the dropLevel element.
Refer to the following figure:
358 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
Applying an access list on an interface for colouring purposes can be done on inbound and outbound
traffic:
Colouring of outbound traffic
To apply an access list on outbound traffic, proceed as follows:
1. Add a bridge/accessList[ ] object, e.g. bridge/accessList[myList].
2. Configure the bridge/accessList[ ] object, more specifically the mark element in the advanced element of the
advancedFilter attribute, as explained in 8.6.2 - Colouring of bridged packets on page 354.
3. Apply the access list on an interface by typing the index name of the accessList[ ] object as value of the
accessList element in the bridging structure. The accessList element can be found in the bridging structure of
the interface. Refer to 8.2.4 - Enabling bridging on an interface on page 316 for the location of the bridging
structure on the different interfaces.
Suppose you created an access list object with index name myList (i.e. accessList[myList]). The access list
will be configured for queueing up to 100 packets in queue 1. If the queue is full, packets will be dropped.
This access list will be applied on an ATM pvc.
The following figure shows how to configure this:
360 1424 SHDSL Router Chapter 8
User manual Configuring bridging and VLANs
Depending on the device, some features may or may not be present. Refer to the detailed features over-
view.
This chapter introduces the most important additional features of the 1424 SHDSL Router besides rout-
ing, bridging and switching and lists the attributes you can use to configure these features.
The following gives an overview of this chapter:
• 9.1 - Configuring DHCP on page 364
• 9.2 - Configuring the access restrictions on page 370
• 9.3 - Tuning the bandwidth on the LAN interface on page 376
• 9.4 - Configuring L2TP tunnels on page 379
• 9.5 - Configuring GRE tunnels on page 389
• 9.6 - Configuring IP security on page 407
• 9.7 - Configuring RADIUS on page 440
• 9.8 - Configuring the stateful inspection firewall on page 450
• 9.9 - IP SLA or traffic quality monitoring on page 474
• 9.10 - Logging of performance statistics on page 479
364 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
This section introduces the Dynamic Host Configuration Protocol (DHCP) and gives a short description
of the attributes you can use to configure DHCP.
The following gives an overview of this section:
• 9.1.1 - Introducing DHCP on page 365
• 9.1.2 - Assigning static IP addresses on page 366
• 9.1.3 - Assigning dynamic IP addresses on page 367
• 9.1.4 - Configuring the 1424 SHDSL Router as DHCP relay agent on page 369
1424 SHDSL Router Chapter 9 365
User manual Configuring the additional features
What is DHCP?
The DHCP protocol is a protocol for assigning IP addresses to devices on a network. DHCP can assign
dynamic or static IP addresses. With dynamic addressing, a device can have a different IP address every
time it connects to the network. What is more, the IP address can even change while the device is still
connected.
Dynamic addressing simplifies network administration because the software keeps track of IP addresses
rather than requiring an administrator to manage the task. This means that a new computer can be
added to a network without the hassle of manually assigning it a unique IP address.
Being a broadcast message, a DHCP request can not pass a router by default. To help a DHCP request
pass the router, IP helper addresses have to be configured. This adds additional information to the
request packets allowing servers on distant networks to send back the answer.
If you combine static and dynamic DHCP server tables, then on an incoming DHCP request first the
static table is scanned for matches and then the dynamic DHCP table is considered.
The DHCP server reacts on a BootP request as follows: the source MAC address of the incoming BootP
request packet is compared with the MAC addresses that have been entered in the dhcpStatic table. Then,
there are two possibilities:
• If the source MAC address corresponds with a MAC address in the dhcpStatic table, then the DHCP
server replies with a BootP reply packet. In this reply, the IP address that is linked with the MAC
address in question (as defined in the dhcpStatic table) is returned.
• If the source MAC address does not correspond with a MAC address in the dhcpStatic table, then the
DHCP server returns no response on that frame.
On DHCP level, it is regularly checked whether the device that has an IP address in lease is still con-
nected to the network. If it is not, the IP address is returned to the pool of free IP addresses.
On BootP level, however, such a check (or refresh) does not exist. What is more, a statistic IP address
lease is for an infinite time. Consequently, if the device that requested the IP address is no longer con-
nected to the network, this is not detected by the server. In that case, the statistical information will still
indicate that the IP address is leased although it is not.
366 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Step Action
1 In the 1424 SHDSL Router containment tree, go to the router object, select the dhcpStatic
attribute and add one or more entries to this table.
Use this attribute to assign a fixed IP address to an IP device and this for an infinite time.
Add a row to the dhcpStatic table for each IP address you want to assign.
2 Configure the elements of the dhcpStatic table. The most important are:
• ipAddress. Use this element to assign an IP address to a certain client. This client is
identified with its MAC address.
• mask. Use this element to set the client its subnet mask.
• gateway. Use this element to set the default gateway for the client its subnet. If the inter-
face element is left empty (default), then it is the gateway element that determines on
which interface the 1424 SHDSL Router will act as DHCP server. Namely the inter-
face through which the IP address as entered in the gateway element can be reached.
• interface. Use this element to specify the name of the interface on which you want the
1424 SHDSL Router to act as DHCP server.
• macAddress. Use this element to enter the client its MAC address.
Important remark
If you apply an access list on an interface1 of the 1424 SHDSL Router through which DHCP requests
have to be received, then make sure that this access list explicitly allows the passing of DHCP packets!
This to make sure that the DHCP packets are not dropped should you accidentally misconfigure the
access list.
Also when you activate the firewall, make sure that DHCP requests are allowed access to the protocol
stack of the 1424 SHDSL Router.
1. The term “interface” also implies the 1424 SHDSL Router its own protocol stack. So if an
access list is applied on the protocol stack, then also in this case make sure that the DHCP
packets are allowed to pass.
1424 SHDSL Router Chapter 9 367
User manual Configuring the additional features
Step Action
1 In the 1424 SHDSL Router containment tree, go to the router object, select the dhcpDynamic
attribute and add one or more entries to this table.
2 Configure the elements of the dhcpDynamic table. The most important are:
• ipStartAddress. Use this element to define the start address of the IP address range. It
is from this range that an IP address will be dynamically assigned to a client.
• ipEndAddress. Use this element to define the end address of the IP address range. It is
from this range that an IP address will be dynamically assigned to a client.
• mask. Use this element to set the client its subnet mask for the specified IP address
range.
• gateway. Use this element to set the default gateway for the client its subnet. If the inter-
face element is left empty (default), then it is the gateway element that determines on
which interface the 1424 SHDSL Router will act as DHCP server. Namely the inter-
face through which the IP address as entered in the gateway element can be reached.
• interface. Use this element to specify the name of the interface on which you want the
1424 SHDSL Router to act as DHCP server.
• leaseTime. Use this element to set the maximum time a client can lease an IP address
from the specified IP address range. If 00000d 00h 00m 00s (default) is specified, then
the lease time is infinite.
Important remark
If you apply an access list on an interface1 of the 1424 SHDSL Router through which DHCP requests
have to be received, then make sure that this access list explicitly allows the passing of DHCP packets!
This to make sure that the DHCP packets are not dropped should you accidently misconfigure the
access list.
Also when you activate the firewall, make sure that DHCP requests are allowed access to the protocol
stack of the 1424 SHDSL Router.
1. The term “interface” also implies the 1424 SHDSL Router its own protocol stack. So if an
access list is applied on the protocol stack, then also in this case make sure that the DHCP
packets are allowed to pass.
1424 SHDSL Router Chapter 9 369
User manual Configuring the additional features
Step Action
1 Specify (a) helper IP address(es) using the helpers element in the ip structure. Refer to
5.2.3 - Explaining the ip structure on page 56 for more information.
This section explains how to control the access to the 1424 SHDSL Router for both management data
and user data.
Access can be restricted on three levels:
• On an IP interface.
• On a bridge interface.
• On the protocol stack.
This is further explained below:
Restricting access on an IP interface involves the use of an IP traffic policy. More specifically, applying
a traffic policy as an extended access list on an IP interface.
Access lists control the access to or from an interface for a number of specified services or IP addresses.
The access list describes the condition to forward (permit) packets to an interface or to drop (deny) them.
This has already been explained in the routing chapter, refer to 7.11.10 - Applying a traffic policy as an
extended access list on an IP interface on page 278 for a detailed explanation.
1424 SHDSL Router Chapter 9 371
User manual Configuring the additional features
Outbound simple access list 1. Add and configure a bridge/accessList[ ] object. E.g. accessList[myList].
with “deny” rules. 2. Apply the access list by typing the index name of the bridge/access-
List[ ] object as value of the accessList element in the bridging struc-
ture (e.g. “myList”).
Use the advanced filter to filter bridged frames, taking into account
source and destination MAC address ranges, the layer 3 protocol
field and VLAN tag and priority bits.
Refer to the advancedFilter attribute in 11.10.2 - Bridge access list con-
figuration attributes on page 786, and also 8.5 - Bridge traffic classi-
fication by filtering on page 344 for detailed information.
The advanced filters always have priority above the filters defined
using the macAddress attribute, i.e. the advanced filters will overrule the
filters defined using the macAddress attribute.
Using the advanced element of This means that access lists are applied as advanced access lists, as
the advancedFilter attribute part of QoS on bridged traffic, by setting the advanced element of the
advancedFilter attribute.
When using this feature, even more sophisticated actions can be
applied on the filtered packets.
Refer to the advanced element of the advancedFilter attribute in 11.10.2 -
Bridge access list configuration attributes on page 786, and also 8.6
- Bridge traffic classification by applying QoS on bridged traffic on
page 352 for detailed information.
Prevent broadcasts and multi- Configure the limitBroadcasts element in the bridging structure, refer to
casts from flooding to all inter- 8.2.6 - Explaining the bridging structure on page 318 for detailed infor-
faces mation.
372 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
1424 SHDSL Router Chapter 9 373
User manual Configuring the additional features
You can apply the following access restrictions on the protocol stack
Inbound simple access list Configure the accessList attribute in the management object.
with “allow” and/or “deny” Refer to 11.12 - Management configuration attributes on page 799 for
rules. detailed information.
Inbound extended access list 1. Add and configure a profiles/policy/traffic/ipTrafficPolicy[ ] object. E.g.
with “allow” and/or “deny” ipTrafficPolicy[myMgtList].
rules. 2. Apply the traffic policy by typing the index name of the ipTrafficPolicy[
] object as value of the accessPolicy attribute in the management
object (e.g. “myMgtList”).
Easy protocol restrictions Configure the telnet, ftp, tftp and snmp attributes in the management
without the need of an access object.
list (Telnet, FTP, TFTP, Refer to 11.12 - Management configuration attributes on page 799 for
SNMP: allow / deny).
detailed information.
Access restrictions per bridge Configure the localAccess attribute in the bridgeGroup object.
interface (on VLAN level: Refer to 11.10.1 - Bridge group configuration attributes on page 772
allow / deny) for detailed information.
374 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
1424 SHDSL Router Chapter 9 375
User manual Configuring the additional features
This section explains how to set up an extended access list, and how it can be applied on the protocol
stack.
Proceed as follows:
Step Action
2 In the traffic policy object you just created, make sure that the configuration attribute
method is set to trafficShaping (this is the default value).
3 Configure the configuration attribute trafficShaping to match you filter criteria. Also refer to
7.11.10 - Applying a traffic policy as an extended access list on an IP interface on
page 278.
4 Go to the management object and enter the index name of the traffic policy object you cre-
ated in step 1 as value of the accessPolicy attribute.
Important remark
It is possible that the 1424 SHDSL Router has to answer to DHCP requests or ter-
minate L2TP and IPsec tunnels. In that case, if you set up an access list on the protocol
stack, then make sure that these protocols are allowed access to the protocol stack.
376 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
This section explains how to tune the bandwidth on the LAN interface, both in inbound and outbound
direction.
A maximum inbound and outbound bandwidth can be configured. This allows limiting the traffic coming
in or sent out on the Ethernet interface.
This is suitable:
• in inbound direction, when the Ethernet interface is connected to another NTU device with a higher
bandwidth capacity.
• in outbound direction, when using the Ethernet interface as the network interface with another NTU
device with limited WAN bandwidth.
The following gives an overview of this section:
• 9.3.1 - Data rate on the LAN interface on page 377
• 9.3.2 - Calculation of the data size correction on the LAN interface on page 378
1424 SHDSL Router Chapter 9 377
User manual Configuring the additional features
• Outbound
It is possible to have the outbound bandwidth on the LAN interface tuned in such a way that further up
in the link, the remote device does not drop any data packets.
When the outgoing data rate on the LAN interface is too high, it is possible that the remote device which
has to forward the LAN data, will start dropping data packets because it receives too much data and does
not have the capacity to forward the data at the same rate. Therefore, the outbound bandwidth on the
LAN interface can be limited.
A bandwidth configuration attribute is present on the LAN interfaces, with the possibility to:
- set the Committed Information Rate or CIR.
- set the maximum length (number of packets) of the queues where the incoming data is queued
when the CIR quotum is exceeded.
- fine tune the bandwidth, using bandwidth calculation correction parameters.
• Inbound
It is possible to have the inbound bandwidth on the LAN interface tuned in such a way that the Ethernet
interface does not drop any data packets.
When the incoming data rate on the LAN interface is too high, it is possible that the Ethernet interface
will start dropping data packets because it receives too much data and does not have the capacity to
forward the data at the same rate. Therefore, the inbound bandwidth on the LAN interface can be limited.
An inboundBandwidth configuration attribute is present on the LAN interfaces, with the possibility to:
- set the Committed Information Rate or CIR.
- set the maximum length (number of packets) of the queues where the incoming data is queued
when the CIR quotum is exceeded.
- fine tune the bandwidth, using bandwidth calculation correction parameters.
- apply a priority policy.
Bandwidth correction
If the remote device forwards the data over a WAN link using an encapsulation which requires extra
headers, it is difficult to calculate the overhead which has been added (inbound) or will be added (out-
bound) to the data. The inboundBandwidth/correction and bandwidth/correction attributes help in doing this.
Refer to:
• the inboundBandwidth attribute in 11.3 - LAN interface configuration attributes on page 509 for a detailed
explanation of the inbound bandwidth configuration.
• the bandwidth attribute in 11.3 - LAN interface configuration attributes on page 509 for a detailed expla-
nation of the outbound bandwidth configuration.
• 9.3.2 - Calculation of the data size correction on the LAN interface on page 378 for an example .
378 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
The actual calculation in outbound direction is explained here by using an example, refer to the following:
The actual correction of the data size is done according to a specific formula as stated in the previous
figure, with:
• line data = the total amount of data that is sent out on the WAN line.
• LAN data = number of data bytes on the LAN interface.
• Actual data = LAN data - MAC header.
• Overhead = number of overhead bytes added by the WAN line encapsulation to the actual data.
• frameData = the actual amount of data bytes in 1 frame on the line.
• frameHeader = the actual amount of header bytes in 1 frame on the line.
As the bandwidth correction depends on the size of the packets that are sent out on the LAN, this cal-
culation is performed on each packet separately. This allows the actual number of bytes that are needed
on the WAN interface of the remote device to be adjusted for each packet individually.
This mechanism ensures that no data is lost in the remote device.
1424 SHDSL Router Chapter 9 379
User manual Configuring the additional features
This section introduces the Layer 2 Tunnelling Protocol (L2TP) and gives a short description of the
attributes you can use to configure L2TP.
The following gives an overview of this section:
• 9.4.1 - Introducing L2TP tunnels on page 380
• 9.4.2 - Setting up an L2TP tunnel on page 382
• 9.4.3 - How does an L2TP tunnel work? on page 385
• 9.4.4 - Setting up a main and back-up tunnel on page 386
380 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
The Layer 2 Tunnelling Protocol (L2TP) is a protocol used for connecting VPNs (Virtual Private Net-
works) over public lines. More specific, it allows you to set up virtual PPP connections. In other words,
an L2TP tunnel simulates an additional PPP interface which directly connects two routers with each
other.
Concrete, using the Layer 2 Tunnelling Protocol you can connect several private and physically dis-
persed local networks with each other over public lines (such as the Internet) in order to create one big
(virtual) local network. This without the need for address translation.
Term Description
L2TP Access Con- A node that acts as one side of an L2TP tunnel. It is a peer to the L2TP Network
centrator (LAC) Server (LNS). Packets sent from the LAC to the LNS require tunnelling with the
L2TP protocol.
L2TP Network A node that acts as one side of an L2TP tunnel. It is a peer to the L2TP Access
Server (LNS) Concentrator (LAC). The LNS is the logical termination point of a PPP session
that is being tunnelled from the remote system by the LAC.
Tunnel A tunnel exists between a LAC-LNS pair. The tunnel consists of a Control Con-
nection and zero or more L2TP sessions. The tunnel carries encapsulated PPP
datagrams and Control Messages between the LAC and the LNS.
Control Connection A control connection operates in-band over a tunnel to control the establish-
ment, release, and maintenance of sessions and of the tunnel itself.
Control Messages Control messages are exchanged between LAC and LNS pairs, operating in-
band within the tunnel protocol. Control messages govern aspects of the tunnel
and sessions within the tunnel.
1424 SHDSL Router Chapter 9 381
User manual Configuring the additional features
The following table shows the L2TP encapsulation on the LAN and WAN interface:
Step Action
1 In the 1424 SHDSL Router containment tree, go to the router/tunnels object, select the
l2tpTunnels attribute and add one or more entries to this table.
Use this attribute to configure the Layer 2 Tunnelling Protocol tunnels you want to set up.
Add a row to the l2tpTunnels table for each L2TP tunnel you want to set up.
Step Action
3 Configure the l2tp structure in the l2tpTunnels table. The most important elements in this
structure are:
• localIpAddress. Use this element to set the IP address that serves as start point of the
L2TP tunnel.
• remoteIpAddress. Use this element to set the IP address that serves as end point of the
L2TP tunnel.
• type. Use this element to specify the tunnel type (incoming or outgoing).
• mode. Use this element to set the L2TP mode of the 1424 SHDSL Router (LAC, LNS
or auto). Only use auto in case a OneAccess router is located at both sides of the tun-
nel.
Remarks
• L2TP tunnels can also be set up by an IP host. The 1424 SHDSL Router is transparent for tunnels
set up by a host.
• Multiple L2TP tunnels are possible on a single link. Currently, only one single PPP session is possible
per L2TP tunnel.
384 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Suppose private network 1 has to be interconnected to private network 2 over the Internet. For this pur-
pose you want to set up an L2TP tunnel between the two access routers of these private networks.
So first create a route between the WAN interfaces of Router A and B. Then set up the tunnel between
the WAN interfaces of Router A and B (i.e. the tunnel start point is IP address 207.46.197.101, the tunnel
end point is IP address 198.182.196.56).
The following figure shows how to set up the L2TP tunnel:
1424 SHDSL Router Chapter 9 385
User manual Configuring the additional features
Suppose a packet coming from the LAN has a destination address for a network that is accessible
through an L2TP tunnel. The following happens:
Phase Description
2 Then the packet goes through the routing decision process again. This time using the
outer IP header.
3 The packet is routed over the Internet using the outer IP header.
4 The packet is received in the tunnel's end point, where it is then routed again using the
original IP header.
386 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Step Action
1 Add two entries to the l2tpTunnels table: one entry for the main tunnel and one for the back-
up tunnel. Configure these entries as described in 9.4.2 - Setting up an L2TP tunnel on
page 382.
Typically the main tunnel is of the type outgoing leased line, whereas the back-up tunnel
usually is an outgoing dial tunnel.
2 Now, by adding two entries to the routingTable, create two routes to network 2: one main
route (through the main tunnel) and one back-up route (through the back-up tunnel).
Differentiate the main route from the back-up route by giving them a different preference:
the main route is preferred (i.e. it’s preference value is lower) above the back-up route (it’s
preference value is higher).
1424 SHDSL Router Chapter 9 387
User manual Configuring the additional features
Step Action
3 Now use the backup element in the l2tpTunnels table to optimise the back-up process. Con-
figuring the backup element allows you to quickly set up a back-up tunnel as soon as the
main tunnel goes down, instead of waiting on several time-outs before the back-up tunnel
is set up.
For the main tunnel, you could configure the backup structure as follows:
Some remarks
This section introduces GRE tunnels. The following gives an overview of this section:
• 9.5.1 - Introducing GRE tunnels on page 390
• 9.5.2 - Setting up a GRE tunnel on page 391
• 9.5.3 - When does a GRE tunnel come up? on page 393
• 9.5.4 - Combining GRE Tunnels with IPSEC on page 394
• 9.5.5 - Some remarks on GRE tunnels on page 394
• 9.5.6 - Example - configuring GRE tunnels on page 395
390 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
GRE tunnels with optional IPSEC have been added to the TDRE for inter vendor compatibility.
GRE stands for: Generic Routing Encapsulation. As the name indicates, a GRE tunnel is a generic tun-
nel that transports packets in IP packets. IP connectivity must be present in order to allow a GRE tunnel
to function.
A wide variety of protocol packet types can be encapsulated in IP tunnels, creating a virtual point-to-point
link at remote points over an IP internetwork.
GRE is capable of handling the transportation of multiprotocol and IP multicast traffic between two sites,
which only have IP unicast connectivity.
1424 SHDSL Router Chapter 9 391
User manual Configuring the additional features
Step Action
1 In the 1424 SHDSL Router containment tree, go to the router/tunnels object, select the gre-
Tunnels attribute and add one or more entries to this table:
Use this attribute to configure the GRE tunnels you want to set up. Add a row to the gre-
Tunnels table for each GRE tunnel you want to set up.
Step Action
3 Configure the gre structure in the greTunnels table. The elements in this structure are:
• localIpAddress. Use this element to set the official IP address that serves as start point
of the GRE tunnel.
• localInterface. Use this element to set the startpoint of the tunnel to the address of the
interface referenced by localInterface.
• remoteIpAddress. Use this element to set the official IP address that serves as end point
of the GRE tunnel.
• remoteRoute. Use this element to allow default route filtering.
• tos. Use this element to copy the TOS byte value from the IP header of the payload,
or to force the TOS byte to a fixed value of 0...255.
• dontfragmentBit. Use this element to copy the dontFragment bit value from the IP header
of the payload to the new GRE IP header.
• ttl. Use this element to copy the ttl byte value from the IP header of the payload, or to
force the ttl byte to a fixed value of 0...255.
• mtu.Use this element to set the Maximum Transmission Unit of the tunnel. This MTU
will override the MTU on the outgoing interface if it is smaller.
Configure the gre structure in the greTunnels table in 11.9.5 - GRE tunnel configuration
attributes on page 683 for more information.
1424 SHDSL Router Chapter 9 393
User manual Configuring the additional features
GRE tunnels are designed to be completely stateless. This means that each tunnel end-point does not
keep any information about the state or availability of the remote tunnel end-point. A consequence of this
is that the local tunnel end-point router does not have the ability to bring the line protocol of the GRE
tunnel interface down if the remote end of the tunnel is unreachable.
As soon as there is a route to the endpoint, which can be the default route, the tunnel status will be up.
This means the user can see an operational tunnel at both ends, even though it is possible that no traffic
can pass through the tunnel just yet.
The ability to mark an interface as down when the remote end of the link is not available, is used in order
to remove any routes (specifically static routes) in the routing table that use that interface as the out-
bound interface.
Specifically, if the line protocol for an interface is changed to down, then any static routes that point out
that interface are removed from the routing table. This allows for the installation of an alternate (floating)
static route or for Policy Based Routing (PBR) to select an alternate next-hop or interface.
Normally, a GRE Tunnel interface comes up as soon as it is configured and it stays up as long as there
is a valid tunnel source address or interface which is up. The tunnel destination IP address must also be
routable.
This is true even if the other side of the tunnel has not been configured. This means that a static route
or PBR forwarding of packets via the GRE tunnel interface remains in effect even though the GRE tunnel
packets do not reach the other end of the tunnel.
394 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
The configuration in CLI format, for plain GRE, of the different devices is as follows:
T2000
action "Load Default Configuration"
SET
{
LIST
{
sysName = "TTF GRE/Functional test 1 - router 1"
sysContact = "stsy"
sysLocation = "Tecap Test Setup 38"
}
SELECT lanInterface1
{
LIST
{
ip =
{
address = 172.31.96.93
netMask = 255.255.255.192
icmpRedirects = "disabled"
}
mode = "routing"
}
}
SELECT lanInterface2
{
LIST
{
ip =
{
address = 172.31.124.229
netMask = 255.255.255.252
}
mode = "routing"
}
}
SELECT ip
{
SELECT router
{
LIST
{
defaultRoute =
{
gateway = 172.31.96.125
}
routingTable =
{
[a] =
{
network = 172.31.124.232
mask = 255.255.255.248
gateway = 172.31.124.230
}
[a] =
{
network = 172.31.124.248
mask = 255.255.255.248
interface = "tunnel1"
}
[a] =
{
network = 172.31.124.240
mask = 255.255.255.248
interface = "tunnel2"
}
}
}
SELECT tunnels
{
LIST
{
greTunnels =
{
1424 SHDSL Router Chapter 9 397
User manual Configuring the additional features
[a] =
{
name = "tunnel1"
ip =
{
address = 1.1.1.1
remote = 1.1.1.2
}
gre =
{
localIpAddress = 172.31.124.229
remoteIpAddress = 172.31.124.233
}
}
[a] =
{
name = "tunnel2"
ip =
{
address = 1.1.2.1
remote = 1.1.2.2
}
gre =
{
localIpAddress = 172.31.124.229
remoteIpAddress = 172.31.124.234
}
}
}
}
}
}
}
SELECT management
{
LIST
{
cms2Address = 1
ctrlPortProtocol = "management"
}
}
}
action "Activate Configuration"
T2001
action "Load Default Configuration"
SET
{
LIST
{
sysName = "TTF GRE/Functional test 1 - router 2"
sysContact = "stsy"
sysLocation = "Tecap Test Setup 38"
}
SELECT lanInterface1
{
LIST
{
ip =
{
address = 172.31.124.235
netMask = 255.255.255.248
}
mode = "routing"
}
}
SELECT lanInterface2
{
LIST
{
ip =
{
address = 172.31.124.230
netMask = 255.255.255.252
}
mode = "routing"
398 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
}
}
SELECT ip
{
SELECT router
{
LIST
{
defaultRoute =
{
gateway = 172.31.124.229
}
}
}
}
SELECT management
{
LIST
{
cms2Address = 2
ctrlPortProtocol = "management"
}
}
}
action "Activate Configuration"
T2002
action "Load Default Configuration"
SET
{
LIST
{
sysName = "TTF GRE/Functional test 1 - router 4"
sysContact = "stsy"
sysLocation = "Tecap Test Setup 38"
}
SELECT lanInterface2
{
LIST
{
ip =
{
address = 172.31.124.234
netMask = 255.255.255.248
}
mode = "routing"
}
}
SELECT ip
{
SELECT router
{
LIST
{
routingTable =
{
[a] =
{
mask = 0.0.0.0
interface = "tunnel2"
}
[a] =
{
mask = 0.0.0.0
gateway = 172.31.124.235
preference = 15
}
[a] =
{
network = 172.31.124.229
mask = 255.255.255.252
gateway = 172.31.124.235
}
}
}
SELECT tunnels
1424 SHDSL Router Chapter 9 399
User manual Configuring the additional features
{
LIST
{
greTunnels =
{
[a] =
{
name = "tunnel2"
ip =
{
address = 1.1.2.2
remote = 1.1.2.1
}
gre =
{
localIpAddress = 172.31.124.234
remoteIpAddress = 172.31.124.229
}
}
}
}
}
}
}
SELECT management
{
SELECT loopback
{
LIST
{
ipAddress = 172.31.124.241
}
}
}
SELECT management
{
LIST
{
cms2Address = 4
ctrlPortProtocol = "management"
}
}
}
action "Activate Configuration"
T2004
action "Load Default Configuration"
SET
{
LIST
{
sysName = "TTF GRE/Functional test 1 - router 3"
sysContact = "stsy"
sysLocation = "Tecap Test Setup 38"
}
SELECT lanInterface
{
LIST
{
ip =
{
address = 172.31.124.233
netMask = 255.255.255.248
}
mode = "routing"
}
}
SELECT ip
{
SELECT router
{
LIST
{
routingTable =
{
[a] =
400 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
{
mask = 0.0.0.0
interface = "tunnel1"
}
[a] =
{
mask = 0.0.0.0
gateway = 172.31.124.235
preference = 15
}
[a] =
{
network = 172.31.124.229
mask = 255.255.255.252
gateway = 172.31.124.235
}
}
}
SELECT tunnels
{
LIST
{
greTunnels =
{
[a] =
{
name = "tunnel1"
ip =
{
address = 1.1.1.2
remote = 1.1.1.1
}
gre =
{
localIpAddress = 172.31.124.233
remoteIpAddress = 172.31.124.229
}
}
}
}
}
}
}
SELECT management
{
SELECT loopback
{
LIST
{
ipAddress = 172.31.124.249
ipNetMask = 255.255.255.248
}
}
}
SELECT management
{
LIST
{
cms2Address = 3
ctrlPortProtocol = "management"
}
}
}
action "Activate Configuration"
1424 SHDSL Router Chapter 9 401
User manual Configuring the additional features
The configuration in CLI format, for IPSEC GRE, of the different devices is as follows:
T2000
action "Load Default Configuration"
SET
{
LIST
{
sysName = "TTF GRE/Functional test 8 - router 1"
sysContact = "stsy"
sysLocation = "Tecap Test Setup 38"
}
SELECT lanInterface1
{
LIST
{
ip =
{
address = 172.31.96.93
netMask = 255.255.255.192
icmpRedirects = "disabled"
}
mode = "routing"
}
}
SELECT lanInterface2
{
LIST
{
ip =
{
address = 172.31.124.229
netMask = 255.255.255.252
}
mode = "routing"
}
}
SELECT ip
{
SELECT router
{
LIST
{
defaultRoute =
{
gateway = 172.31.96.125
}
routingTable =
{
[a] =
{
network = 172.31.124.232
mask = 255.255.255.248
gateway = 172.31.124.230
}
[a] =
{
network = 172.31.124.248
mask = 255.255.255.248
interface = "tunnel1"
}
[a] =
{
network = 172.31.124.240
mask = 255.255.255.248
interface = "tunnel2"
}
}
}
SELECT tunnels
{
LIST
{
ipsecGreTunnels =
{
[a] =
402 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
{
name = "tunnel1"
ip =
{
address = 1.1.1.1
remote = 1.1.1.2
}
gre =
{
localIpAddress = 172.31.124.229
remoteIpAddress = 172.31.124.233
ipsec =
{
ikePresharedSA =
{
ikeSA = "ike"
localId =
{
ipAddress = 172.31.124.229
}
remoteId =
{
ipAddress = 172.31.124.233
}
}
}
}
}
[a] =
{
name = "tunnel2"
ip =
{
address = 1.1.2.1
remote = 1.1.2.2
}
gre =
{
localIpAddress = 172.31.124.229
remoteIpAddress = 172.31.124.234
ipsec =
{
ikePresharedSA =
{
ikeSA = "ike"
localId =
{
ipAddress = 172.31.124.229
}
remoteId =
{
ipAddress = 172.31.124.234
}
}
}
}
}
}
}
}
SELECT ikeSA[ike]
{
}
}
}
SELECT management
{
LIST
{
cms2Address = 1
ctrlPortProtocol = "management"
}
}
}
action "Activate Configuration"
T2001
action "Load Default Configuration"
SET
1424 SHDSL Router Chapter 9 403
User manual Configuring the additional features
{
LIST
{
sysName = "TTF GRE/Functional test 8 - router 2"
sysContact = "stsy"
sysLocation = "Tecap Test Setup 38"
}
SELECT lanInterface1
{
LIST
{
ip =
{
address = 172.31.124.235
netMask = 255.255.255.248
}
mode = "routing"
}
}
SELECT lanInterface2
{
LIST
{
ip =
{
address = 172.31.124.230
netMask = 255.255.255.252
}
mode = "routing"
}
}
SELECT ip
{
SELECT router
{
LIST
{
defaultRoute =
{
gateway = 172.31.124.229
}
}
}
}
SELECT management
{
LIST
{
cms2Address = 2
ctrlPortProtocol = "management"
}
}
}
action "Activate Configuration"
T2002
action "Load Default Configuration"
SET
{
LIST
{
sysName = "TTF GRE/Functional test 8 - router 4"
sysContact = "stsy"
sysLocation = "Tecap Test Setup 38"
}
SELECT lanInterface2
{
LIST
{
ip =
{
address = 172.31.124.234
netMask = 255.255.255.248
}
mode = "routing"
}
}
404 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
SELECT ip
{
SELECT router
{
LIST
{
routingTable =
{
[a] =
{
mask = 0.0.0.0
interface = "tunnel2"
}
[a] =
{
mask = 0.0.0.0
gateway = 172.31.124.235
preference = 15
}
[a] =
{
network = 172.31.124.229
mask = 255.255.255.252
gateway = 172.31.124.235
}
}
}
SELECT tunnels
{
LIST
{
ipsecGreTunnels =
{
[a] =
{
name = "tunnel2"
ip =
{
address = 1.1.2.2
remote = 1.1.2.1
}
gre =
{
localIpAddress = 172.31.124.234
remoteIpAddress = 172.31.124.229
ipsec =
{
ikePresharedSA =
{
ikeSA = "ike"
localId =
{
ipAddress = 172.31.124.234
}
remoteId =
{
ipAddress = 172.31.124.229
}
}
}
}
}
}
}
}
SELECT ikeSA[ike]
{
LIST
{
phase1 =
{
type = "server"
}
}
}
}
}
SELECT management
1424 SHDSL Router Chapter 9 405
User manual Configuring the additional features
{
LIST
{
cms2Address = 4
ctrlPortProtocol = "management"
}
SELECT loopback
{
LIST
{
ipAddress = 172.31.124.241
}
}
}
}
action "Activate Configuration"
T2004
action "Load Default Configuration"
SET
{
LIST
{
sysName = "TTF GRE/Functional test 8 - router 3"
sysContact = "stsy"
sysLocation = "Tecap Test Setup 38"
}
SELECT lanInterface
{
LIST
{
ip =
{
address = 172.31.124.233
netMask = 255.255.255.248
}
mode = "routing"
}
}
SELECT wanInterface
{
SELECT line
{
LIST
{
standard = "lite"
}
}
}
SELECT ip
{
SELECT router
{
LIST
{
routingTable =
{
[a] =
{
mask = 0.0.0.0
interface = "tunnel1"
}
[a] =
{
network = 172.31.124.229
mask = 255.255.255.252
gateway = 172.31.124.235
}
}
}
SELECT tunnels
{
LIST
{
ipsecGreTunnels =
{
[a] =
406 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
{
name = "tunnel1"
ip =
{
address = 1.1.1.2
remote = 1.1.1.1
}
gre =
{
localIpAddress = 172.31.124.233
remoteIpAddress = 172.31.124.229
ipsec =
{
ikePresharedSA =
{
ikeSA = "ike"
localId =
{
ipAddress = 172.31.124.233
}
remoteId =
{
ipAddress = 172.31.124.229
}
}
}
type = "incoming"
}
}
}
}
}
SELECT ikeSA[ike]
{
LIST
{
phase1 =
{
type = "server"
}
}
}
}
}
SELECT management
{
LIST
{
cms2Address = 3
ctrlPortProtocol = "management"
}
SELECT loopback
{
LIST
{
ipAddress = 172.31.124.249
ipNetMask = 255.255.255.248
}
}
}
}
action "Activate Configuration"
1424 SHDSL Router Chapter 9 407
User manual Configuring the additional features
This section introduces IP security (IPSEC) and gives a short description of the attributes you can use
to configure IPSEC.
The following gives an overview of this section:
• 9.6.1 - Introducing IPSEC on page 408
• 9.6.2 - Introducing IKE on page 411
• 9.6.3 - Introducing native IPSEC tunnels on page 416
• 9.6.4 - Setting up an IPSEC secured tunnel using a manual SA on page 417
• 9.6.5 - Setting up an IPSEC secured tunnel using an IKE preshared SA on page 419
• 9.6.6 - Setting up an IPSEC secured tunnel using an IKE certificate SA on page 420
• 9.6.7 - Setting up an IPSEC secured L2TP tunnel using a manual SA on page 421
• 9.6.8 - Setting up an IPSEC secured L2TP tunnel using an IKE preshared SA on page 423
• 9.6.9 - Setting up an IPSEC secured L2TP tunnel using an IKE certificate SA on page 425
• 9.6.10 - Setting up an IPsec secured GRE tunnel using a manual SA on page 427
• 9.6.11 - Setting up an IPsec secured GRE tunnel using an IKE preshared SA on page 429
• 9.6.12 - Setting up an IPsec secured GRE tunnel using an IKE certificate SA on page 431
• 9.6.13 - Obtaining security certificates manually on page 433
• 9.6.14 - Obtaining security certificates through SCEP on page 437
• 9.6.15 - The hardware accelerator (HWA) chip on page 439
408 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
What is IPSEC?
IPSEC (Internet Protocol Security) is a framework for a set of protocols for security at the network or
packet processing layer of network communication. Earlier security approaches have inserted security
at the application layer of the communications model. IPSEC is deployed widely to implement Virtual Pri-
vate Networks (VPNs). A big advantage of IPSEC is that security arrangements can be handled without
requiring changes to individual user computers.
IPSEC compatibility
IPSEC on the 1424 SHDSL Router is compatible with IPSEC on Cisco devices and on Linux.
The specific information associated with each of these services is inserted into the packet in a header
that follows the IP packet header.
1424 SHDSL Router Chapter 9 409
User manual Configuring the additional features
What is AH?
AH is a protocol used for authenticating a data stream. It uses a cryptographic hash function to produce
a MAC from the data in the IP packet. This MAC is then transmitted with the packet, allowing the remote
gateway to verify the integrity of the original IP packet, making sure the data has not been tampered with
on its way through the Internet.
Apart from the IP packet data, AH also authenticates parts of the IP header.
The AH protocol inserts an AH header after the original IP header, and in tunnel mode, the AH header
is inserted after the outer header, but before the original, inner, IP header.
What is ESP?
The ESP protocol is used for both encryption and authentication of the IP packet. It can also be used to
do either encryption only, or authentication only.
The ESP protocol inserts an ESP header after the original IP header, in tunnel mode, the ESP header
is inserted after the outer header, but before the original, inner, IP header.
All data after the ESP header is encrypted and/or authenticated. The difference from AH is that ESP also
provides encryption of the IP packet. The authentication phase also differs in that ESP only authenticates
the data after the ESP header; thus the outer IP header is left unprotected.
410 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
IPSEC provides different options for performing network encryption and authentication. The two com-
municating nodes must determine exactly which algorithms to use (e.g. DES or 3DES for encryption,
MD5 or SHA for integrity and authentication) and must share session keys. All this information is
described in the Security Association (SA). In other words, the security association is simply a statement
of the negotiated security policy between two devices.
An SA is, by nature, unidirectional. Hence the need for more than one SA per connection. In most cases,
where either ESP or AH is used, two SAs will be created for each connection: one describing the incom-
ing traffic and the other the outgoing. In cases where ESP and AH are used in conjunction, four SAs will
be created.
An SPI is an arbitrary value that uniquely identifies which SA to use at the receiving host. The sending
host uses the SPI to identify and select which SA to use to secure every packet. The receiving host uses
the SPI to identify and select the encryption algorithm and key used to decrypt packets.
The 1424 SHDSL Router currently supports Manual SA. This requires no negotiation. All values, includ-
ing the keys, are static and specified in the configuration. As a result, each peer must have the same
configured options for communication to take place.
In principle, security association is unidirectional (half-duplex). I.e. one SA for the inbound traffic and one
SA for the outbound traffic. The 1424 SHDSL Router also supports full-duplex SA (one SA for both
inbound and outbound traffic).
IPSEC encryption
You can encrypt the data using the Data Encryption Standard (DES or 3DES).
DES is a widely-used method of data encryption using a private (secret) key. Like other private key cryp-
tographic methods, both the sender and the receiver must know and use the same private key. DES
applies a 56-bit key to each 64-bit block of data. Triple DES applies three keys in succession.
IPSEC authentication
You can not only encrypt but also authenticate the data using the Keyed-Hashing for Message Authen-
tication (HMAC).
HMAC is a mechanism for message authentication using cryptographic hash functions. HMAC can be
used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret
shared key.
1424 SHDSL Router Chapter 9 411
User manual Configuring the additional features
What is IKE?
IKE (Internet Key Exchange) is an IPSEC protocol used to ensure security for VPN negotiation and
remote host or network access. IKE defines an automatic means of negotiation and authentication for
IPSEC security associations (SA).
IKE has three main tasks:
• Provide a means for the endpoints to authenticate each other.
• Establish new IPSEC connections (create SA pairs).
• Manage existing connections.
IKE is layered on UDP and uses UDP port 500 to exchange IKE information between the security gate-
ways. Therefore, UDP port 500 packets must be permitted on any IP interface involved in connecting a
security gateway peer.
IKE negotiation
The process of negotiating session parameters consists of a number of phases and modes, which can
be briefly described as follows:
• IKE phase 1: Negotiate how IKE should be protected.
• IKE phase 2:
- Negotiate how IPSEC should be protected.
- Derive some fresh keying material from the key exchange in phase 1, to provide session keys to
be used in the encryption and authentication of the VPN data flow.
Both the IKE and the IPSEC connections have limited lifetimes, described both as time (seconds) and
data (kilobytes). These lifetimes prevent a connection from being used too long, which is desirable from
a cryptanalysis perspective.
The IPSEC lifetime is generally shorter than the IKE lifetime. This allows for the IPSEC connection to be
re-keyed simply by performing another phase 2 negotiation. There is no need to do another phase 1
negotiation until the IKE lifetime has expired.
An IKE proposal is a suggestion of how to protect data. The proposals contain all parameters needed,
such as algorithms used to encrypt and authenticate the data etc.
IKE encryption
The IKE encryption specifies the encryption algorithm used in the IKE negotiation, and depending on the
algorithm, the size of the encryption key used. Supported encryption algorithms are:
• Data Encryption Standard (DES).
• Advanced Encryption Standard (AES).
412 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
IKE authentication
The IKE authentication specifies the authentication algorithm used in the IKE negotiation. Supported
authentication algorithms are:
• HMAC MD5
• HMAC SHA-1
The IKE DH group specifies the Diffie-Hellman group to use when doing key exchanges in IKE. Sup-
ported Diffie-Hellman groups are:
• Diffie-Hellman group 1 (768 bit)
• Diffie-Hellman group 2 (1024 bit)
• Diffie-Hellman group 5 (1536 bit)
What is PFS?
Without PFS (Perfect Forwarding Secrecy), initial keying material is "created" during the key exchange
in phase 1 of the IKE negotiation. In phase 2 of the IKE negotiation, encryption and authentication ses-
sion keys will be extracted from this initial keying material.
When using PFS, completely new keying material will always be created upon re-key. Should one key
be compromised, no other key can be derived using that information.
This is a Diffie-Hellman group much like the one for IKE. However, this one is used solely for PFS.
With preshared key authentication, you must manually configure the same, shared symmetric key on
both systems. The preshared key is used only for the primary authentication. The two negotiating entities
then generate dynamic shared keys for the IKE SAs.
1424 SHDSL Router Chapter 9 413
User manual Configuring the additional features
Security certificates are used for public key cryptography, also referred to as asymmetric key cryptogra-
phy. Public key cryptography uses a pair of related, but different keys. One key, the private key, is asso-
ciated with a specific system or entity and is kept secret. The other key is the public key and can be
distributed freely. The public and private keys are mathematically related so that data encrypted with the
public key can only be decrypted with the private key.
There are 2 ways to obtain the right certificates in order to negotiate an SA with another device through
IKE:
• Manually: install all certificates yourself. In this case you have to transfer the certificates yourself.
• SCEP: Simple Certificate Enrollment Protocol. In this case the certificate is obtained without an actual
transfer taking place.
• Windows Vista
When using certificates in Windows Vista, the Enhanced Key Usage and Subject Alternative Name fields
are verified by Vista when the Verify Name and Usage attribute is ticked:
• OpenSSL
Certificates can also by created using OpenSSL, refer to http://www.openssl.org.
The self-certificate request must always be created on the 1424 SHDSL Router; the matching private
key must remain on the device.
• The Subject field
The Subject field of a certificate contains some official abbreviations that can be verified by the remote
device. They are the following:
• CN. This is the subject name.
• OU. This is the department name.
• O. This is the name of the organisation or company.
• L. This is the city where you are located.
• S. This is the state or province where you are located.
• C. This is the country where you are located.
1424 SHDSL Router Chapter 9 415
User manual Configuring the additional features
This information, or part of it, must be filled in when obtaining a self-certificate. For this, refer to router1424/
fileSystem/generateSelfCertificateRequest on page 1004 and router1424/fileSystem/getSelfCertificateScep on page 1008.
For an example, refer to the figures below:
What is NAT-T?
The problem with IKE and IPSEC protocols is that they were not designed to work through NAT. There-
fore, NAT-T (NAT Traversal) has evolved. NAT traversal (RFC 3947 and 3948) is an add-on to the IKE
and IPsec protocols that makes them work when going through NAT.
NAT-T makes the following changes to the IKE and IPSEC protocols:
• NAT-T support. NAT-T is only used if both ends support it. For this purpose, NAT-T aware VPNs send
out a special "vendor ID", telling the other end that it understand NAT-T and which specific versions
of the draft it supports.
• NAT detection. Both IPSEC peers send hashes of their own IP addresses along with the source UDP
port used in the IKE negotiations. This information is used to see whether the IP address and source
port each peer uses is the same as what the other peer sees. If the source address and port have
not changed, then the traffic has passed NAT along the way and NAT-T is not necessary. If the
source address and/or port has changed, then the traffic has passed NAT and NAT-T is used.
• UDP encapsulation. Once the IPSEC peers have decided that NAT-T is necessary, the IKE negotia-
tion is moved away from UDP port 500 to port 4500. This is necessary since certain NAT devices
treat UDP packet to port 500 differently from other UDP packets in an effort to work around the NAT
problems with IKE. The problem is that this special handling of IKE packets may in fact break the IKE
negotiations, which is why the UDP port used by IKE has changed.
Another problem NAT-T resolves is that the ESP protocol is an IP protocol. There is no port information
like in TCP and UDP, which makes it impossible to have more than one NATed client connected to the
same remote gateway at the same time. Because of this, ESP packets are encapsulated in UDP. The
ESP-UDP traffic is sent on port 4500, the same port as IKE when NAT-T is used. Once the port has been
changed all following IKE communications are done over port 4500. Keep-alive packets are also being
sent periodically to keep the NAT mapping alive.
416 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
As opposed to using IPSEC in transport mode with L2TP as transport protocol, IPSEC can also be used
in tunnel mode. This is referred to as native IPSEC tunnels. A performance increase can be noticed
because there is no control protocol: 10% increase with null encryption/null authentication, up to 70%
increase with DES, small packets.
Native IPSEC has been added to the TDRE for inter vendor compatibility.
Since the payload of an IPSEC packet in tunnel mode is not defined, the proxyId element has been added
to allow a tunnel to be setup with other vendors. The proxyId field must match with the access list of the
remote tunnel. Only 1 access list is supported per tunnel.
Refer to 11.9.4 - Native ipsec tunnel configuration attributes on page 673 for more information about the
proxyId element.
The proxyId of an IPSEC L2TP tunnel cannot be configured manually. It is always set to:
• UDP
• localIp
• 255.255.255.255
• 1701
• remoteIp
• 255.255.255.255
• 1701
Refer to 9.6 - Configuring IP security on page 407 for more information about IPSEC L2TP tunnels.
Implementation
A big difference with other encapsulations is that IPSEC tunnels are not handled as interfaces: the ip
element is not present in the configuration of the tunnel.
When a tunnel is up, i.e. always with Manual SA or when the IKE SA is up, data is directly routed to the
IPSEC engine. Received encrypted frames are decrypted and passed to the router where they are re-
routed using the destination address of the inner IP header.
The implementation has been done according to RFC 2402, RFC 2406, RFC2401. Ipsec tunnels are
state-less; nevertheless, some states have been introduced to follow up/set up IPSEC tunnels. Refer to
11.9.4 - Native ipsec tunnel configuration attributes on page 673 for the configuration attributes of native
IPSEC tunnels; refer to 12.9.5 - Native IPSEC tunnel status attributes on page 934 for the status
attributes.
1424 SHDSL Router Chapter 9 417
User manual Configuring the additional features
Step Action
2 Now configure the attributes of the manualSA[ ] object you added in step 1 to your needs.
These attribute are:
• espEncryptionAlgorithm. Use this attribute to select the algorithm that will be used to
encrypt the data when using IPSEC.
• espEncryptionKey. Use this attribute to define the key that will be used in the encryption
/ decryption process when using IPSEC.
• espAuthenticationAlgorithm. Use this attribute to select the algorithm that will be used to
authenticate the data when using IPSEC.
• espAuthenticationKey. Use this attribute to define the key that will be used in the authen-
tication process when using IPSEC.
• spi. Use this attribute to set the SPI value. Each security association must have a
unique SPI value because this value is used to identify the security association.
Refer to 11.9.6 - Manual SA configuration attributes on page 691 for more information.
3 In the 1424 SHDSL Router containment tree, go to the router/tunnels object, select the ipsec-
Tunnels attribute and add one or more entries to this table.
Use this attribute to configure the IP secured tunnels you want to set up. Add a row to the
ipsecTunnels table for each IPSEC tunnel you want to set up.
418 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Step Action
• In case of half-duplex manual SA, the element hdxManualSA must be used, which is a
structure with following elements:
- inbound. To apply a security association on the inbound traffic, type the index name
of the manualSA[ ] object in this field.
- outbound. To apply a security association on the outbound traffic, type the index
name of the manualSA[ ] object in this field.
By doing so, you apply the security association on the IPSEC tunnel.
1424 SHDSL Router Chapter 9 419
User manual Configuring the additional features
Step Action
2 Now configure the attributes of the ikeSA[ ] object you added in step 1 to your needs.
These attribute are:
• phase1. Use this attribute to configure the parameters of phase 1 in the IKE negotiation
process. IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect
the IKE phase 2 negotiations.
• phase2. Use this attribute to configure the parameters of phase 2 in the IKE negotiation
process.
Refer to 11.9.7 - IKE SA configuration attributes on page 696 for more information.
3 In the 1424 SHDSL Router containment tree, go to the router/tunnels object, select the ipsec-
Tunnels attribute and add one or more entries to this table.
Use this attribute to configure the IPSEC tunnels you want to set up. Add a row to the
ipsecTunnels table for each IPSEC tunnel you want to set up.
Step Action
1 Obtain and load the necessary security certificates. You can do this either …
• manually. Refer to 9.6.13 - Obtaining security certificates manually on page 433.
or
• through SCEP. Refer to 9.6.14 - Obtaining security certificates through SCEP on
page 437.
3 Now configure the attributes of the ikeSA[ ] object you added in step 1 to your needs.
These attribute are:
• phase1. Use this attribute to configure the parameters of phase 1 in the IKE negotiation
process. IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect
the IKE phase 2 negotiations.
• phase2. Use this attribute to configure the parameters of phase 2 in the IKE negotiation
process.
Refer to 11.9.7 - IKE SA configuration attributes on page 696 for more information.
4 In the 1424 SHDSL Router containment tree, go to the router/tunnels object, select the ipsec-
Tunnels attribute and add one or more entries to this table.
Use this attribute to configure the IPSEC tunnels you want to set up. Add a row to the
ipsecTunnels table for each IPSEC tunnel you want to set up.
Step Action
2 Now configure the attributes of the manualSA[ ] object you added in step 1 to your needs.
These attribute are:
• espEncryptionAlgorithm. Use this attribute to select the algorithm that will be used to
encrypt the data when using IPSEC.
• espEncryptionKey. Use this attribute to define the key that will be used in the encryption
/ decryption process when using IPSEC.
• espAuthenticationAlgorithm. Use this attribute to select the algorithm that will be used to
authenticate the data when using IPSEC.
• espAuthenticationKey. Use this attribute to define the key that will be used in the authen-
tication process when using IPSEC.
• spi. Use this attribute to set the SPI value. Each security association must have a
unique SPI value because this value is used to identify the security association.
Refer to 11.9.6 - Manual SA configuration attributes on page 691 for more information.
3 In the 1424 SHDSL Router containment tree, go to the router/tunnels object, select the
ipsecL2tpTunnels attribute and add one or more entries to this table.
Use this attribute to configure the IP secured Layer 2 Tunnelling Protocol tunnels you
want to set up. Add a row to the ipsecL2tpTunnels table for each IPSEC L2TP tunnel you
want to set up.
Step Action
5 In the ipsecL2tpTunnels table, go to the l2tp structure. In this structure, go to the ipsec ele-
ment:
• Set the first part of this element to fdxManualSA or hdxManualSA to choose between full-
duplex or half-duplex manual SA (refer to ipsecL2tpTunnels/l2tp/ipsec on page 667 for more
information).
• In the second part of this element, enter the index name of the manualSA[ ] object you
added in step 1 as value of the ipsec element.
By doing so, you apply the security association on the L2TP tunnel.
E.g. in our example, select fdxManualSA in the
first part of the ipsec element and enter the
string mySA in the second part of the ipsec
element.
1424 SHDSL Router Chapter 9 423
User manual Configuring the additional features
Step Action
2 Now configure the attributes of the ikeSA[ ] object you added in step 1 to your needs.
These attribute are:
• phase1. Use this attribute to configure the parameters of phase 1 in the IKE negotiation
process. IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect
the IKE phase 2 negotiations.
• phase2. Use this attribute to configure the parameters of phase 2 in the IKE negotiation
process.
Refer to 11.9.7 - IKE SA configuration attributes on page 696 for more information.
3 In the 1424 SHDSL Router containment tree, go to the router/tunnels object, select the
ipsecL2tpTunnels attribute and add one or more entries to this table.
Use this attribute to configure the IP secured Layer 2 Tunnelling Protocol tunnels you
want to set up. Add a row to the ipsecL2tpTunnels table for each IPSEC L2TP tunnel you
want to set up.
Step Action
5 In the ipsecL2tpTunnels table, go to the l2tp structure. In this structure, go to the ipsec ele-
ment:
• Set the first part of this element to ikePresharedSA.
• The second part of this element is a structure which, on its turn, contains the following
elements:
- ikeSA. Use this element to apply a certain IKE preshared key security
association on the IPSEC L2TP tunnel. Do this by typing the ikeSA
object its index name in this field.
- localId. Use this element to set the local identifier for use in IKE phase 1 negotiation.
- remoteId. Use this element to set the remote identifier for use in IKE phase 1 nego-
tiation.
- preSharedKey. Use this element to set the preshared key string. This key string in
combination with the selected IKE DH group is used to calculate the key during the
key exchange in phase 1 of the IKE negotiation.
Step Action
1 Obtain and load the necessary security certificates. You can do this either …
• manually. Refer to 9.6.13 - Obtaining security certificates manually on page 433.
or
• through SCEP. Refer to 9.6.14 - Obtaining security certificates through SCEP on
page 437.
3 Now configure the attributes of the ikeSA[ ] object you added in step 1 to your needs.
These attribute are:
• phase1. Use this attribute to configure the parameters of phase 1 in the IKE negotiation
process. IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect
the IKE phase 2 negotiations.
• phase2. Use this attribute to configure the parameters of phase 2 in the IKE negotiation
process.
Refer to 11.9.7 - IKE SA configuration attributes on page 696 for more information.
4 In the 1424 SHDSL Router containment tree, go to the router/tunnels object, select the
ipsecL2tpTunnels attribute and add one or more entries to this table.
Use this attribute to configure the IP secured Layer 2 Tunnelling Protocol tunnels you
want to set up. Add a row to the ipsecL2tpTunnels table for each IPSEC L2TP tunnel you
want to set up.
Step Action
6 In the ipsecL2tpTunnels table, go to the l2tp structure. In this structure, go to the ipsec ele-
ment:
• Set the first part of this element to ikeCertificateSA.
• The second part of this element is a structure which, on its turn, contains the following
elements:
- ikeSA. Use this element to apply a certain IKE certificate security asso-
ciation on the IPSEC L2TP tunnel. Do this by typing the ikeSA object its
index name in this field.
- localId. Use this element to set the local identifier for use in IKE phase 1 negotiation.
This has to be the same as the IP address / hostname / username in the certificate
of the local device.
- remoteId. Use this element to set the remote identifier for use in IKE phase 1 nego-
tiation. This has to be the same as the IP address / hostname / username in the
certificate of the remote device.
Step Action
2 Now configure the attributes of the manualSA[ ] object you added in step 1 to your needs.
These attribute are:
• espEncryptionAlgorithm. Use this attribute to select the algorithm that will be used to
encrypt the data when using IPsec.
• espEncryptionKey. Use this attribute to define the key that will be used in the encryption
/ decryption process when using IPsec.
• espAuthenticationAlgorithm. Use this attribute to select the algorithm that will be used to
authenticate the data when using IPsec.
• espAuthenticationKey. Use this attribute to define the key that will be used in the authen-
tication process when using IPsec.
• spi. Use this attribute to set the SPI value. Each security association must have a
unique SPI value because this value is used to identify the security association.
Refer to 11.9.6 - Manual SA configuration attributes on page 691 for more information.
3 In the 1424 SHDSL Router containment tree, go to the router/tunnels object, select the ipsec-
GreTunnels attribute and add one or more entries to this table:
Use this attribute to configure the IP secured GRE tunnels you want to set up. Add a row
to the ipsecGreTunnels table for each IPsec GRE tunnel you want to set up.
Step Action
5 In the ipsecGreTunnels table, go to the gre structure. In this structure, go to the ipsec element:
• Set the first part of this element to fdxManualSA or hdxManualSA to choose between full-
duplex or half-duplex manual SA (refer to the ipsecGreTunnels/gre element in 11.9.5 -
GRE tunnel configuration attributes on page 683 for more information).
• In the second part of this element, enter the index name of the manualSA[ ] object you
added in step 1 as value of the ipsec element.
By doing so, you apply the security association on the GRE tunnel.
E.g. in our example, select fdxManualSA in the first part of
the ipsec element and enter he string mySA in the second
part of the ipsec element.
1424 SHDSL Router Chapter 9 429
User manual Configuring the additional features
Step Action
2 Now configure the attributes of the ikeSA[ ] object you added in step 1 to your needs.
These attribute are:
• phase1. Use this attribute to configure the parameters of phase 1 in the IKE negotiation
process. IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect
the IKE phase 2 negotiations.
• phase2. Use this attribute to configure the parameters of phase 2 in the IKE negotiation
process.
Refer to 11.9.7 - IKE SA configuration attributes on page 696 for more information.
3 In the 1424 SHDSL Router containment tree, go to the router/tunnels object, select the ipsec-
GreTunnels attribute and add one or more entries to this table.
Use this attribute to configure the IP secured GRE tunnels you want to set up. Add a row
to the ipsecGreTunnels table for each IPsec GRE tunnel you want to set up.
Step Action
5 In the ipsecGreTunnels table, go to the gre structure. In this structure, go to the ipsec element:
• Set the first part of this element to ikePresharedSA.
• The second part of this element is a structure which, on its turn, contains the following
elements:
- ikeSA. Use this element to apply a certain IKE preshared key security
association on the IPsec GRE tunnel. Do this by typing the ikeSA object
its index name in this field.
- localId. Use this element to set the local identifier for use in IKE phase 1 negotiation.
- remoteId. Use this element to set the remote identifier for use in IKE phase 1 nego-
tiation.
- preSharedKey. Use this element to set the preshared key string. This key string in
combination with the selected IKE DH group is used to calculate the key during the
key exchange in phase 1 of the IKE negotiation.
- proxyId. Use this element to set up a tunnel with other vendors, and define the type
of payload carried by the ipsec frame. This element must match with the access
list of the remote tunnel.
Step Action
1 Obtain and load the necessary security certificates. You can do this either …
• manually. Refer to 9.6.13 - Obtaining security certificates manually on page 433.
or
• through SCEP. Refer to 9.6.14 - Obtaining security certificates through SCEP on
page 437.
3 Now configure the attributes of the ikeSA[ ] object you added in step 1 to your needs.
These attribute are:
• phase1. Use this attribute to configure the parameters of phase 1 in the IKE negotiation
process. IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect
the IKE phase 2 negotiations.
• phase2. Use this attribute to configure the parameters of phase 2 in the IKE negotiation
process.
Refer to 11.9.7 - IKE SA configuration attributes on page 696 for more information.
4 In the 1424 SHDSL Router containment tree, go to the router/tunnels object, select the ipsec-
GreTunnels attribute and add one or more entries to this table.
Use this attribute to configure the IP secured GRE tunnels you want to set up. Add a row
to the ipsecGreTunnels table for each IPsec GRE tunnel you want to set up.
Step Action
6 In the ipsecGreTunnels table, go to the gre structure. In this structure, go to the ipsec element:
• Set the first part of this element to ikeCertificateSA.
• The second part of this element is a structure which, on its turn, contains the following
elements:
- ikeSA. Use this element to apply a certain IKE certificate security asso-
ciation on the IPsec GRE tunnel. Do this by typing the ikeSA object its
index name in this field.
- localId. Use this element to set the local identifier for use in IKE phase 1 negotiation.
This has to be the same as the IP address / hostname / username in the certificate
of the local device.
- remoteId. Use this element to set the remote identifier for use in IKE phase 1 nego-
tiation. This has to be the same as the IP address / hostname / username in the
certificate of the remote device.
- proxyId. Use this element to define the type of payload carried by the ipsec frame.
Step Action
1 Configure a valid timeserver since all certificates are tested on their validity. Refer to time-
Server on page 803 for more information.
Example
1. Download and install SCEP server software (e.g. the Microsoft SCEP Add-on for Cer-
tificate Services).
2. Once installed, surf to the Microsoft Certificate Services server.
3. Select Retrieve the CA certificate or certificate revocation list and click on the Next
button.
4. Select the current CA certificate (Current), the encoding (e.g. DER encoded) and
select Download CA certificate.
5. Save the trusted certificate on your computer. E.g. with filename certnew.cer.
3 Download the trusted certificate to the file system of the 1424 SHDSL Router. Refer to
29.9 - Downloading files to the file system on page 2081.
434 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Step Action
4 Load the trusted certificate into the memory of the 1424 SHDSL Router.
In the containment tree of the 1424 SHDSL Router, select the Status group and go to the
fileSystem object. Then execute the loadTrustedCertificate action with the previously down-
loaded trusted certificate filename as argument value.
⇒The trusted certificate is loaded into the 1424 SHDSL Router its memory. Once you
executed the saveCertificates action (refer to step 10), you may delete the original
trusted certificate file from the file system (in our example the certnew.cer file).
⇒The self-certificate request file is written to the file system and the 1424 SHDSL
Router generates a public/private key pair. Note that the longer the key length, the
longer it takes to generate the keys.
Important remarks
• It is important to note that at least one of the three following fields may not be left
empty: ipAddress, hostname and/or username. This information is written in the Subject
Alternative Name field of the certificate itself.
• Remember the private key name. You need it again later on in the procedure in order
to load the associated signed self-certificate into the memory of the 1424 SHDSL
Router.
• Do not reboot the 1424 SHDSL Router from this point onwards until you reach the end
of the procedure. Else the public/private key pair is lost making it impossible to load
the associated signed self-certificate into the memory of the 1424 SHDSL Router.
6 Download the self-certificate request file to your computer (e.g. using FTP or TFTP).
1424 SHDSL Router Chapter 9 435
User manual Configuring the additional features
Step Action
7 Let the CA sign the self-certificate request in order to obtain a signed self-certificate.
The following gives an example of this procedure with the Microsoft Certificate Services
(Chicken).
Example
8. Save the signed self-certificate on your computer. E.g. with filename selfcert.cer.
8 Download the signed self-certificate to the file system of the 1424 SHDSL Router. Refer
to 29.9 - Downloading files to the file system on page 2081.
436 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Step Action
9 Load the signed self-certificate into the memory of the 1424 SHDSL Router.
In the containment tree of the 1424 SHDSL Router, select the Status group and go to the
fileSystem object. Then execute the loadSelfCertificate action with the previously downloaded
signed self-certificate filename and the private key name you remember in step 5 as
argument values.
⇒The signed self-certificate is loaded into the 1424 SHDSL Router its memory. Once
you executed the saveCertificates action (refer to step 10), you may delete the origi-
nal signed self-certificate file from the file system (in our example the selfcert.cer
file).
11 You can check which trusted and signed self-certificates are loaded by looking at the sta-
tus attributes router1424/fileSystem/trustedCertificates on page 1002 and router1424/fileSystem/
selfCertificates on page 1002.
1424 SHDSL Router Chapter 9 437
User manual Configuring the additional features
Step Action
1 Configure a valid timeserver since all certificates are tested on their validity. Refer to time-
Server on page 803 for more information.
2 Make sure you have a SCEP server running (e.g. the Microsoft SCEP Add-on for Certif-
icate Services).
3 Load the trusted certificate into the memory of the 1424 SHDSL Router using SCEP.
In the containment tree of the 1424 SHDSL Router, select the Status group and go to the
fileSystem object. Then execute the getTrustedCertificateScep action with at least the SCEP
server IP address and the SCEP URL1 as argument values.
⇒The trusted certificate is loaded into the 1424 SHDSL Router its memory.
438 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Step Action
4 Load the signed self-certificate into the memory of the 1424 SHDSL Router using SCEP.
In the containment tree of the 1424 SHDSL Router, select the Status group and go to the
fileSystem object. Then execute the getSelfCertificateScep action with at least the SCEP
server IP address, the SCEP URL, a private key name and your IP address or hostname
or username as argument values.
It is important to note that at least one of the three following fields may not be left
empty: ipAddress, hostname and/or username. This information is written in the Subject
Alternative Name field of the certificate itself.
⇒The signed self-certificate is loaded into the 1424 SHDSL Router its memory.
5 Permanently store the certificates and generated public/private key pair.
In the containment tree of the 1424 SHDSL Router, select the Status group and go to the
fileSystem object. Then execute the saveCertififcates action.
⇒The certificates and the associated public/private key pair are stored on the 1424
SHDSL Router. They are loaded each time the 1424 SHDSL Router starts up.
6 You can check which trusted and signed self-certificates are loaded by looking at the sta-
tus attributes router1424/fileSystem/trustedCertificates on page 1002 and router1424/fileSystem/
selfCertificates on page 1002.
1. Consult the manual of your SCEP server to find out which URL you have to specify.
1424 SHDSL Router Chapter 9 439
User manual Configuring the additional features
On the standard 1424 SHDSL Router, encryption in IPSEC is handled by the software. As this is a proc-
essor consuming task, the forwarding performance of the 1424 SHDSL Router decreases. Therefore,
the 1424 SHDSL Router is also available in a version with a HWA chip. This chip takes care of the DES
and 3DES encryption / decryption, unburdening the software of this task. This results in a better forward-
ing performance.
You can not distinguish a standard version from a HWA version on sight. However, you can distinguish
the two versions by looking at the status attribute router1424/sysDescr. In case you have a HWA version,
the string “HWA” or “3DES” appears in the sysDescr.
Example:
• 1424 SHDSL Router Txxxx/xxxxx 01/01/00 12:00 indicates that you have a standard version.
• 1424 SHDSL Router 3DES Txxxx/xxxxx 01/01/00 12:00 indicates that you have a 3DES version.
Whenever the 1424 SHDSL Router boots, it checks the presence of the HWA chip and does a diagnostic
test. Should these checks fail (e.g. because the HWA chip is faulty), then the following messages appear
in the status attribute router1424/messages:
• encryption chip init failed
• encryption chip diag failed
In case the HWA chip is faulty, the DES and 3DES encryption is done by the software as on the standard
1424 SHDSL Router.
440 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
This section introduces Remote Authentication Dial-In User Service (RADIUS) and gives a short descrip-
tion of the attributes you can use to configure RADIUS.
The following gives an overview of this section:
• 9.7.1 - Introducing RADIUS on page 441
• 9.7.2 - Enabling RADIUS for device access authentication on page 443
• 9.7.3 - Enabling RADIUS for network access authentication on page 445
• 9.7.4 - Enabling RADIUS for accounting on page 446
• 9.7.5 - Supported RADIUS attribute types on page 447
• 9.7.6 - Client (calling) IP settings on page 449
• 9.7.7 - NAS (called) IP settings on page 449
1424 SHDSL Router Chapter 9 441
User manual Configuring the additional features
What is RADIUS?
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that ena-
bles Network Access Servers (NAS) to communicate with a central server to authenticate dial-in users
and authorize their access to the requested system or service. RADIUS allows a company to maintain
user profiles in a central database that all remote servers can share. It provides better security, allowing
a company to set up a policy that can be applied at a single administered network point. Having a central
service also means that it's easier to track usage for billing and for keeping network statistics.
The following figure shows the interaction between a dial-in user, the RADIUS client and the RADIUS
server:
The RADIUS server can support a variety of methods to authenticate a user. When it is provided with
the username and original password given by the user, it can support PPP, PAP or CHAP and other
authentication mechanisms.
Typically, a user login consists of a query (Access-Request) from the NAS to the RADIUS server and a
corresponding response (Access-Accept or Access-Reject) from the server:
• Access-Request. The Access-Request packet contains the username, encrypted password, NAS IP
address, and port. The format of the request also provides information about the type of session that
the user wants to initiate.
• Access-Reject. When the RADIUS server receives the Access-Request from the NAS, it searches a
database for the username listed. If the username does not exist in the database, an Access-Reject
message is sent.
• Access-Accept. In RADIUS, authentication and authorisation are coupled together. If the username
is found and the password is correct, the RADIUS server returns an Access-Accept response, includ-
ing a list of attribute-value pairs that describe the parameters to be used for this session. Typical
parameters include service type, protocol type, IP address to assign the user (static or dynamic),
access list to apply, or a static route to install in the NAS routing table. The configuration information
in the RADIUS server defines what will be installed on the NAS.
The figure below illustrates the RADIUS authentication and authorization sequence:
The accounting features of the RADIUS protocol can be used independently of RADIUS authentication
or authorisation. The RADIUS accounting functions allow data to be sent at the start and end of sessions,
indicating the amount of resources (such as time, packets, bytes, and so on) used during the session.
An Internet service provider (ISP) might use RADIUS access control and accounting software to meet
special security and billing needs.
Transactions between the client and RADIUS server are authenticated through the use of a shared
secret, which is never sent over the network. In addition, user passwords are sent encrypted between
the client and RADIUS server to eliminate the possibility that someone snooping on an insecure network
could determine a user's password.
1424 SHDSL Router Chapter 9 443
User manual Configuring the additional features
Step Action
1 In the 1424 SHDSL Router containment tree, go to the router object and select the radius
attribute.
Step Action
3 If in step 2 you set the login element to enabled or fallback, then you have to configure user-
names and associated passwords on the RADIUS server.
The username and password have to be entered as follows: "username:password". If
the ‘:’ is omitted, then the string is considered to be a password.
Multiple passwords can be added using the same username. Access rights are sent
using the RADIUS attribute CLASS (25) encoded as a string carrying a binary value. The
bit definitions are:
• readAccess = 00000001B
• writeAccess = 00000010B
• securityAccess = 00000100B
• countryAccess = 00001000B (only used on aster4/5)
• fileAccess = 00010000B
Caution should be taken since all access to the device has to be authenticated by a
RADIUS server.
Refer to radius on page 634 for a complete explanation of the radius attribute.
1424 SHDSL Router Chapter 9 445
User manual Configuring the additional features
Step Action
1 Configure a PPP(oA) link towards the remote network (e.g. the ISP’s network) and ena-
ble PAP or CHAP on this link.
Refer to 6.7 - Configuring PPP encapsulation on page 160 for more information.
2 In the 1424 SHDSL Router containment tree, go to the router object and select the radius
attribute.
Note that the local configuration of username and password is ignored if a table of RADIUS servers exist.
Furthermore, remote IP address and remote netmask are ignored if a RADIUS server imposes these
attributes.
Refer to radius on page 634 for a complete explanation of the radius attribute.
446 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Step Action
1 In the 1424 SHDSL Router containment tree, go to the router object and select the radius
attribute.
This section shows which RADIUS attribute types are supported by the 1424 SHDSL Router.
(2) User-Password Is sent in case of PAP, TELNET, FTP and TMA authentication.
(4) NAS-IP-Address Is sent (this is the IP address of the interface that received the incom-
ing call).
(5) NAS-Port-ID Is sent (this is the index of the interface that received the incoming
call).
Also see 9.7.6 - Client (calling) IP settings on page 449 and 9.7.7 -
NAS (called) IP settings on page 449 for NAS and remote client
behaviour when sending/learning IP addresses and masks.
(25) Class Is used to send the “accessRights” when using TELNET and TMA. Is
sent as a hexadecimal value.
(33) Proxy-State
(80) Message-Authenticator HMAC MD5 authentication of access request. Is not required but is
sent for security reasons.
448 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
(40) Status-Type Supported (values (1) Start, (2) Stop and (3) Update).
(49) Terminate-Cause Supported (values (2) Lost Carrier, (5) Session Timeout and (6)
Admin Reset).
The following table shows some cases of how and which IP addresses the client can learn on its PPP
link in case of RADIUS:
Case Description
The following table shows some cases of how and which IP addresses the NAS sets on its PPP link in
case of RADIUS:
Case Description
The 1424 SHDSL Router features a stateful inspection firewall. This sections introduces the firewall and
explains how to configure it.
The following gives an overview of this section:
• 9.8.1 - Introducing the firewall on page 451
• 9.8.2 - Activating the firewall on page 457
• 9.8.3 - Adding an interface to a secure network (SNet) on page 458
• 9.8.4 - Defining an outbound SNet policy on page 460
• 9.8.5 - Defining an inbound SNet policy on page 462
• 9.8.6 - Defining an outbound self policy on page 464
• 9.8.7 - Defining an inbound self policy on page 466
• 9.8.8 - Configuring the firewall - rules of thumb on page 468
• 9.8.9 - Allowing access to the protocol stack when the firewall is active on page 469
• 9.8.10 - Determining which policies have to be defined on page 472
1424 SHDSL Router Chapter 9 451
User manual Configuring the additional features
Firewall types
Stateful inspection, also referred to as dynamic packet filtering, is a firewall architecture that works at the
network layer. Unlike static packet filtering, which examines a packet based on the information in its
header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure
they are valid. An example of a stateful firewall may examine not just the header information but also the
contents of the packet up through the application layer in order to determine more about the packet than
just information about its source and destination. A stateful inspection firewall also monitors the state of
the connection and compiles the information in a state table. Because of this, filtering decisions are
based not only on administrator-defined rules (as in static packet filtering) but also on context that has
been established by prior packets that have passed through the firewall.
As an added security measure against port scanning, stateful inspection firewalls close off ports until
connection to the specific port is requested.
A Virtual Firewall System (VFS) provides multiple logical firewalls for multiple networks, on one system.
That is, a service provider with numerous subscribers can provide firewalls separating and securing all
the subscribers and yet, is able to manage it from one system. This is accomplished by establishing
"security domains" controlled by Virtual Firewalls, with each firewall having its own defined security pol-
icy. Security domains are exclusive in that they are external to any other security domain in a given sys-
tem.
Virtual Firewalls are functionally similar to a simple firewall, and are configured with their own outbound
and inbound policies, and network objects. However, Virtual Firewalls enable easy management of a col-
lection of firewalls through policies at a defined security domain.
An SNet is a logical name by which we can identify each "security domain" network.
452 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
A Secure Network (SNet) is a logical name by which we can identify a "security domain" controlled by
Virtual Firewalls (VF).
There are four “standard1” SNets:
• self (i.e. the 1424 SHDSL Router itself)
• internet (i.e. the internet or any other external network)
• corp (i.e. the corporate network)
• DMZ (i.e. the demilitarised zone)
Policy Description
outbound SNet With outbound policies configured for a host in a secure network, it can access var-
ious services on the internet or on other secure networks.
So an outbound SNet policy defines the traffic from an SNet to any SNet but the
self SNet.
inbound SNet With inbound policies configured for a secure network, a remote host can access
various services running on internal machines in this secure network. With
Reverse NAT enabled, you can forward a service request onto the external public
IP address from a remote host (a host in the Internet) to any one of the internal
machines in the secure network with private IP address, which is running that serv-
ice.
So an inbound SNet policy defines the traffic to an SNet from any SNet but the self
SNet.
outbound self With outbound self policies configured for the device itself, the device can access
services running on hosts in various secure networks.
So an outbound self policy defines the traffic from the device itself (self SNet) to
any SNet.
454 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Policy Description
inbound self With inbound self policies configured for the device itself, services running on the
device itself can be accessed from various secure networks. For example, the
response to an ICMP echo request when a host in a secure network does a ping,
can be restricted by an inbound self policy.
So an inbound self policy defines the traffic to the device itself (self SNet) from any
SNet.
A network is vulnerable to attacks. Therefore, it is important to protect your network (e.g. with a firewall,
virus scanners, etc.). In general, there are five types of attacks:
sniffing and port Sniffing is the term generally used for traffic monitoring within a network, while port
scanning scanning is used to find out information about a remote network. Both sniffing and
port scanning have the same objective: finding system vulnerabilities. However,
they take different approaches. Sniffing is used by an attacker already on the net-
work who wants to gather more information about the network. Port scanning is
used by someone who is interested in finding vulnerabilities on a system that is
unknown.
Denial of Service Denial of Service is a type of attack on a network that is designed to bring the net-
(DoS) work to its knees by flooding it with useless traffic. Many DoS attacks exploit limi-
tations in the TCP/IP protocols.
spoofing An IP spoofing attack is one in which the source IP address of a packet is forged.
There are generally two types of spoofing attacks:
• IP spoofing used in DoS attacks.
• man in the middle attacks.
viruses and The two most common types of network attacks are the virus and the worm. A virus
worms is a program used to infect a computer. It is usually buried inside another program,
known as a Trojan, or distributed as a stand-alone executable. Worms are often
confused with viruses, but they are very different types of code. A worm is self-rep-
licating code that spreads itself from system to system. A traditional virus requires
manual intervention to propagate itself.
Attack protection
A firewall not only controls in- and outbound traffic, it also protects your network against malicious
attacks. The different attacks are listed below:
Attack Description
SYN Flooding is a well-known Denial Of Service (DOS) attack on TCP based serv-
ices. TCP needs a 3-way handshake before the actual communication starts
between two hosts. Whenever a new connection request comes in, the server allo-
cates some resources for serving it. A malicious intruder can forge a huge amount
of service requests over a very short period, and make the server run out of its
resources.
With strict and loose source routing, as specified in IP standard RFC 791, one can
make datagrams take a predefined path towards a destination. In this way, an
intruder can gain more information about the corporate network, which he or she
can then misuse.
With an FTP Bounce attack, an attacker issues a PORT command with IP address
and port number of some other system so that the server bounces the data to that
system.
Certain web servers have no limit on the MIME headers that could be included in
a clients HTTP request. The only limits are: 8192 byte for each header, 300 sec-
onds on reading headers. Due to this limitation, by sending a large amount of 8000
byte headers, it is possible to consume a lot of memory (and CPU) and slow down
or even lock the server.
456 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Attack Description
A Ping Of Death attack is a Denial Of Service attack, which exploits the errors in
the oversize datagram handling mechanism of a TCP/IP stack. It is a well-known
problem that certain popular operating systems have difficulty in handling data-
grams more than the maximum datagram size defined by the IP standard. If hosts
running such operating systems come across oversized ping packets, they tend to
hang or crash.
Step Action
3 Once the firewall is enabled, you can proceed with adding interfaces to SNets and defin-
ing policies.
458 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Step Action
2 In the ip attribute structure, go to the sNet element. Use this element to add the interface
to the SNet.
The sNet element is a choice element. The first part of the sNet element has the following
values:
• name. Select this value if you want to add the interface to one of
the standard SNets. In the second part of the sNet element, use
the drop-down box to select one of the standard SNets: corp, dmz
or internet.
Note that if you select the value <opt> (default), then the interface
is not added to a secure network.
Important remark
Note that if you configure the 1424 SHDSL Router with TMA through the LAN interface (i.e. over an IP
network), then make sure that before you assign the LAN interface to an SNet, that you create an
inbound self policy so that TMA can access the protocol stack of the 1424 SHDSL Router.
For more information, refer to …
• 9.8.7 - Defining an inbound self policy on page 466
• 9.8.9 - Allowing access to the protocol stack when the firewall is active on page 469
If you configure the 1424 SHDSL Router with TMA through the control port (i.e. through a serial connec-
tion), then there is no problem.
1424 SHDSL Router Chapter 9 459
User manual Configuring the additional features
Now, if you want to add the LAN interface to the SNet “corporate” and the ATM PVC on the WAN inter-
face to the SNet “internet”, then configure this as follows:
460 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Step Action
1 In the 1424 SHDSL Router containment tree, go to the firewall object, select the outbound-
Policies attribute and add one or more entries to this table.
Use this attribute to define outbound SNet policies. Add a row to the outboundPolicies table
for each outbound SNet policy you want to define.
2 Configure the elements of the outbound SNet policy you just created. These elements
are:
• sNet. Use this element to specify the name of the source SNet for which you want to
create an outbound SNet policy. By doing so, you create a policy for the traffic from
the source SNet to any SNet except the self SNet.
• sourceIp. Use this element to specify the source IP address(es) for which you want to
create an outbound SNet policy.
Note that if you leave the sourceIp element at its default value (<opt>), then no source
IP address(es) is/are specified.
• destIp. Use this element to specify the destination IP address(es) for which you want
to create an outbound SNet policy.
Note that if you leave the destIp element at its default value (<opt>), then no source IP
address(es) is/are specified.
• application. Use this element to specify the application for which you want to create an
outbound SNet policy.
Note that if you leave the application element at its default value (<opt>), then no appli-
cation is specified.
• action. Use this element to specify whether packets that fall within the specification of
the policy are passed on (allow) or dropped (deny).
• nat. Use this element to determine whether address translation has to be done for the
outbound SNet policy and, if so, which translation address has to be taken.
Note that if you leave the nat element at its default value (<opt>), then no address trans-
lation is done.
• log. Use this element to determine whether limited (disabled) or extended (enabled) log-
ging is done for this policy.
• name. Use this element to assign a name (description) to the outbound SNet policy.
1424 SHDSL Router Chapter 9 461
User manual Configuring the additional features
Reconsider the example shown in Example - adding an interface to an SNet on page 459. Suppose you
want that the computers on the corporate network can surf on the Internet.
In that case you have to define an outbound SNet policy from the corporate network to the Internet allow-
ing HTTP traffic. Configure this as follows:
462 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Step Action
1 In the 1424 SHDSL Router containment tree, go to the firewall object, select the inbound-
Policies attribute and add one or more entries to this table.
Use this attribute to define inbound SNet policies. Add a row to the inboundPolicies table for
each inbound SNet policy you want to define.
2 Configure the elements of the inbound SNet policy you just created. These elements are:
• sNet. Use this element to specify the name of the destination SNet for which you want
to create an inbound SNet policy. By doing so, you create a policy for the traffic from
any SNet except the self SNet to the destination SNet.
• sourceIp. Use this element to specify the source IP address(es) for which you want to
create an inbound SNet policy.
Note that if you leave the sourceIp element at its default value (<opt>), then no source
IP address(es) is/are specified.
• destIp. Use this element to specify the destination IP address(es) for which you want
to create an inbound SNet policy.
Note that if you leave the destIp element at its default value (<opt>), then no source IP
address(es) is/are specified.
• application. Use this element to specify the application for which you want to create an
inbound SNet policy.
Note that if you leave the application element at its default value (<opt>), then no appli-
cation is specified.
• action. Use this element to specify whether packets that fall within the specification of
the policy are passed on (allow) or dropped (deny).
• nat. Use this element to determine whether address translation has to be done for the
inbound SNet policy and, if so, which translation address has to be taken.
Note that if you leave the nat element at its default value (<opt>), then no address trans-
lation is done.
• log. Use this element to determine whether limited (disabled) or extended (enabled) log-
ging is done for this policy.
• name. Use this element to assign a name (description) to the inbound SNet policy.
1424 SHDSL Router Chapter 9 463
User manual Configuring the additional features
Reconsider the example shown in Example - adding an interface to an SNet on page 459. Suppose you
have an FTP server in your corporate network and you want that it can be accessed from the Internet.
In that case you have to define an inbound SNet policy from the Internet to the corporate network allow-
ing FTP traffic. Configure this as follows:
464 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Step Action
1 In the 1424 SHDSL Router containment tree, go to the firewall object, select the outbound-
SelfPolicies attribute and add one or more entries to this table.
Use this attribute to define outbound self policies. Add a row to the outboundSelfPolicies
table for each outbound self policy you want to define.
2 Configure the elements of the outbound self policy you just created. These elements are:
• sNet. Use this element to specify the name of the destination SNet for which you want
to create an outbound self policy. By doing so, you create a policy for the traffic from
the device itself (self SNet) to the destination SNet.
• sourceIp. Use this element to specify the source IP address(es) for which you want to
create an outbound self policy.
Note that if you leave the sourceIp element at its default value (<opt>), then no source
IP address(es) is/are specified.
• destIp. Use this element to specify the destination IP address(es) for which you want
to create an outbound self policy.
Note that if you leave the destIp element at its default value (<opt>), then no source IP
address(es) is/are specified.
• application. Use this element to specify the application for which you want to create an
outbound self policy.
Note that if you leave the application element at its default value (<opt>), then no appli-
cation is specified.
• action. Use this element to specify whether packets that fall within the specification of
the policy are passed on (allow) or dropped (deny).
• log. Use this element to determine whether limited (disabled) or extended (enabled) log-
ging is done for this policy.
• name. Use this element to assign a name (description) to the outbound self policy.
1424 SHDSL Router Chapter 9 465
User manual Configuring the additional features
Reconsider the example shown in Example - adding an interface to an SNet on page 459. Suppose you
want that the firewall (i.e. the 1424 SHDSL Router itself) can ping computers on the corporate network.
In that case you have to define an outbound self policy from the device itself to the corporate network
allowing ICMP traffic. Configure this as follows:
466 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Step Action
1 In the 1424 SHDSL Router containment tree, go to the firewall object, select the inbound-
SelfPolicies attribute and add one or more entries to this table.
Use this attribute to define inbound self policies. Add a row to the inboundSelfPolicies table
for each inbound self policy you want to define.
2 Configure the elements of the inbound self policy you just created. These elements are:
• sNet. Use this element to specify the name of the source SNet for which you want to
create an inbound self policy. By doing so, you create a policy for the traffic from the
source SNet to the device itself (self SNet).
• sourceIp. Use this element to specify the source IP address(es) for which you want to
create an inbound self policy.
Note that if you leave the sourceIp element at its default value (<opt>), then no source
IP address(es) is/are specified.
• destIp. Use this element to specify the destination IP address(es) for which you want
to create an inbound self policy.
Note that if you leave the destIp element at its default value (<opt>), then no source IP
address(es) is/are specified.
• application. Use this element to specify the application for which you want to create an
inbound self policy.
Note that if you leave the application element at its default value (<opt>), then no appli-
cation is specified.
• action. Use this element to specify whether packets that fall within the specification of
the policy are passed on (allow) or dropped (deny).
• log. Use this element to determine whether limited (disabled) or extended (enabled) log-
ging is done for this policy.
• name. Use this element to assign a name (description) to the inbound self policy.
1424 SHDSL Router Chapter 9 467
User manual Configuring the additional features
Reconsider the example shown in Example - adding an interface to an SNet on page 459. Suppose you
want configured the 1424 SHDSL Router to be a DHCP server for the computers on the corporate net-
work. So it has to be able to accept DHCP requests from these computers on the corporate network.
In that case you have to define an inbound self policy from corporate network to the device itself allowing
DHCP traffic. Configure this as follows:
468 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
The following table lists some rules of thumb when configuring the firewall:
Rule Description
2 If interfaces are assigned to SNets and if the firewall is activated but no policies are
defined yet, then all traffic on the SNet interfaces is denied (i.e. dropped), except multi-
casts and broadcasts.
4 Traffic that is received on an SNet interface, has to be routed to another SNet interface.
Else it is dropped.
5 The most specific policy has to be listed first (i.e. the policy that specifies the narrowest
“range”).
For example, suppose that all computers but one are allowed to surf on the Internet, then
put the deny rule first and the allow rule second:
1. Deny surfing for computer X.
2. Allow surfing for all other computers.
6 You do not have to set up policies to allow the reverse session (i.e. the return path) of a
session that was initiated. These reverse sessions are set up and allowed automatically.
For example, if you define an outbound policy from the corporate network to the Internet
to allow web browsing (HTTP) and if a HTTP session from the corporate network to the
Internet is set up, then a reverse session from the Internet to the corporate network is set
up and allowed automatically. These reverse sessions can be seen in the status attribute
router1424/ip/router/firewall/reverseSessions on page 973.
1424 SHDSL Router Chapter 9 469
User manual Configuring the additional features
9.8.9 Allowing access to the protocol stack when the firewall is active
As explained in 9.8.8 - Configuring the firewall - rules of thumb on page 468, when activating the firewall,
carefully consider which applications/processes have to be able to access the protocol stack of the 1424
SHDSL Router, so that you can include them in the in- and/or outbound self policies. Else they are
denied access to the protocol stack.
This section gives a non-exhaustive list of applications/processes that need access to the protocol stack
of the 1424 SHDSL Router to function properly.
Maintenance applications
All the maintenance applications with which you want to manage the 1424 SHDSL Router have to be
able to access the protocol stack:
etc.
470 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Suppose a tunnel has to be set up over the SNet “internet”. The SNet of the tunnel can be “corp” or
“dmz”.
L2TP tunnel type Self policies to be defined for Self policies to be defined for
the outgoing tunnel the incoming tunnel
Miscellaneous protocols
If the 1424 SHDSL Router is configured to be a server and/or client for protocols such as DHCP, DNS,
NTP, etc., then in- and/or outbound self policies have to be defined for these protocols:
etc.
472 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
As can be learned from 9.8.8 - Configuring the firewall - rules of thumb on page 468 and 9.8.9 - Allowing
access to the protocol stack when the firewall is active on page 469, determining which policies you need
is not always easy. For some application/processes it may be trivial which in- and/or outbound policies
have to be defined (e.g. web access to the Internet). For others it may be somewhat more complicated
because there are several (hidden) processes that need to access, for instance, the protocol stack of the
1424 SHDSL Router (e.g. setting up an IPSEC secured L2TP tunnel).
The procedure below tries to help you how you can determine for which application/processes you have
to define inbound/outbound SNet/self policies.
Step Action
1 Activate the firewall as described in 9.8.2 - Activating the firewall on page 457.
2 Add the interfaces to SNets as described in 9.8.3 - Adding an interface to a secure net-
work (SNet) on page 458.
3 Now, in the 1424 SHDSL Router containment tree, go to the firewall object, select the log
attribute, go in the …
• general structure and set the unavailablePolicies element to enabled (you can leave the
other elements at their default value).
• thresholds structure and set the general element (temporarily1) to 1 (you can leave the
other elements at their default value).
4 Now, in the 1424 SHDSL Router containment tree, go to the Status group, go to the firewall
object and select the log attribute.
1424 SHDSL Router Chapter 9 473
User manual Configuring the additional features
Step Action
5 Carefully observe the logs that appear in this table. If you see entries appear with the
string “access policy not found, dropping packet”, then this means that an application/
process tries to pass the firewall but is not allowed because no matching policy is defined
for it.
Once you figured out which application/process it is (look at the protocol and sourcePort/dest-
Port elements), you can determine whether you want to allow it and define a policy for it.
1. After you’re done inspecting the log table in order to determine which policies you have to
define, it is best to reset the general element in the thresholds structure to its default value (20).
This to keep the log table surveyable.
Suppose that after following the procedure as described above, you see the following entries appear in
the log status attribute:
The “access policy not found, dropping packet” entries show you that you tried to access the 1424
SHDSL Router with TMA, but that no inbound self policy was defined for it. So define an inbound self
policy allowing TMA to access the protocol stack of the 1424 SHDSL Router and try again. Refer to Main-
tenance applications on page 469.
474 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Introduction
End-to-end roundtrip delay, jitter and loss can be measured to configurable destinations. The measure-
ment is based on ICMP echo packets (ping).
The DSCP bits can be configured in order to obtain results for different quality service classes. Using a
sliding window of up to 2000 packets with a configurable time interval, values are returned for the number
of packets sent and received, the number of lost packets, the minimum, average and maximum delay
and the average, maximum negative and maximum positive jitter.
Alarms are available with configurable thresholds for the average delay, the maximum delay, the differ-
ence between the minimum and the maximum delay, the average jitter, the maximum jitter and percent-
age loss. Jitter is defined as the differential delay between two consecutive packets.
Logging of the quality monitoring results per time interval is also available. For this, refer to 9.10 - Log-
ging of performance statistics on page 479.
This attribute can be used to verify the quality of an entire network link between the 1424 SHDSL Router
and the end device.
Which type of network actually is used between both devices is of no importance to this attribute. It is
sufficient to identify the end device at the other side of the link to start the quality monitoring. The follow-
ing figure shows an example:
The qualityMonitor:
• makes use of pings to measure the quality of the network link. A ping is sent out and received again,
after which data is compared. From this comparison, loss, delay and jitter are derived, which are an
indication of the link quality.
• can be enabled or disabled by the user at any point.
• can be found under the router object, refer to 11.9.1 - General router configuration attributes on
page 617.
• can generate performance statistics about the network link, refer to 13.9.1 - General router perform-
ance attributes on page 1055.
• can generate alarms in case of network problems, refer to 14.11 - Router and vrfRouter[ ] alarms on
page 1140.
1424 SHDSL Router Chapter 9 475
User manual Configuring the additional features
Time window
The data that is sent out is continuously monitored by using a sliding window which shifts in time over
the data stream. This time window is the interval between the sent out IP packets, multiplied by a number
of samples. Refer to the following figure:
Packets are sent out with a certain time difference between them. Variations in the network will cause a
certain extra delay before the packets are received again. This variation in delay is called jitter. This is
illustrated in the following figure:
1424 SHDSL Router Chapter 9 477
User manual Configuring the additional features
The quality monitor calculates three values: the maximum positive deviation, the average jitter and the
maximum negative deviation. These terms are illustrated in the following figure:
478 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
Statistics
The performance attribute qualityMonitor displays the performance statistics of the network links that are
being monitored.
This attribute is actually a table which provides information about loss, delay and jitter of the network link.
It also contains the data that is effectively logged to a file that is saved on the file system of the device,
and gives alarm information, as mentioned next. Refer to 13.9.1 - General router performance attributes
on page 1055 for more detailed information.
Alarms
File Logging
Performance statistics can be logged to a file that can be stored on the file system of the device, so that
they can be retrieved and processed by the user.
These statistics, more specifically h2Performance, h24Performance and d7Performance, are present in many
objects in the containment tree:
• the h2Performance performance attribute displays a 2 hours performance summary of the object where
the attribute is present.
• the h24Performance performance attribute displays a 24 hours performance summary of the object
where the attribute is present.
• the d7Performance performance attribute displays a 7 days performance summary of the object where
the attribute is present.
Refer to 13 - Performance attributes on page 1013 for a detailed explication of these attributes, and an
overview of where they can be found in the containment tree.
Configuration
• The configuration of file logging is done via the logStatsToFile attribute, which can be found under the
management object in the containment tree. Refer to 11.12 - Management configuration attributes on
page 799 for a detailed description.
• It may be desirable to align the logging of the performance information with the real time clock. There-
fore, the alignStatsToRtc configuration attribute has been introduced. Enabling this attribute will make
sure that the 2h statistics are aligned to 15 minutes, the 24h statisitics to 2 hours and the 7 days sta-
tistics to a day. This attribute can also be found under the management object in the containment tree.
• The behind-the-scenes mechanism that actually collects the data is using a CLI command, get -v.
This command gathers the values of a table in rows and columns and separates the data by a value
separator, in this case the <tab>.
For more information about CLI, refer to the TMA CLI manual on the TMA CD or the OneAccess web-
site.
480 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
It is essential for the logging to be succesful, that a real time clock is available on the device. The real
time clock can be made available on a device in two different ways:
• Manually. Configuring the clock manually must be done via the actions Set Date and Set Time. Refer to
12.2 - General status attributes on page 827 for more information.
Depending on the stuffing of the device, some devices are able to remember the real time clock for
a certain time after the device has been switched off (or restarted). Whether or not a device is able
to remember the real time clock, can be seen in the description of the device in the sysDescr status
attribute.
• Via SNTP (Simple Network Time Protocol). This way, the device receives a real time clock over the
network. Refer to the timeServer configuration attribute in 11.12 - Management configuration attributes
on page 799, and the timeServer status attribute in 12.12 - Management status attributes on page 993
for more information.
When a real time clock is not available, no logging can be done.
1424 SHDSL Router Chapter 9 481
User manual Configuring the additional features
Status
• The statistics files that have been logged on the file system can be found in the logStats status
attribute, refer to 12.12 - Management status attributes on page 993 for a detailed description.
• The statistics files contain data that has been retrieved from the performance data of the device,
together with a time stamp.
• The logged files are text files in which the data is seperated by a <tab>. They can easily be imported
in a spreadsheet program for analyzing the data.
482 1424 SHDSL Router Chapter 9
User manual Configuring the additional features
• Configuration
The following figure shows an example of a logStatsToFile table:
- In this example, each half hour, two samples are taken from the 2 hour performance table of the
WAN interface of the device, and logged as a file that starts with the name WanData. It is a week
file, so after one week, the file is stored away, and a new file is created.
- Each half hour, two samples are taken: this means that the period of 30 minutes is divided in two,
so every 15 minutes, one line is added to the log file.
- The logged data is modified: the logged date and time information is converted into seconds, units
are removed, and decimal points are converted into comma’s, via the conversion element.
• Status
The status attribute logStats shows which files are present on the file system of the device. In this exam-
ple, the following file will be present:
The first part of the filename is set in the logStatsToFile table; the second part of the file, in this case indi-
cating year and week number, are added automatically.
1424 SHDSL Router Chapter 9 483
User manual Configuring the additional features
Columns Description
2 and 3 This is the date and time when the data in each line of the table was added. For example,
looking at the first line:
• The date is the 9th of July 2008.
• The time is 22 hours, 15 minutes and 11 seconds.
4 This is the total time that has elapsed since the logging was started, expressed in sec-
onds.
The original format of this data is “xxd yyh zzm qqs”, as retrieved by the CLI command.
It has been converted into seconds by setting the conversion element.
5 This is the time period between each logging event, expressed in seconds. In this case,
a period of 15 minutes or 900 seconds has elapsed each time.
This has also been converted into seconds by setting the conversion element.
6 These columns are the performance data, as can be found in the 2 hour performance
table of the WAN interface. Refer to 13.4 - WAN interface performance attributes on
page 1032 for more information; the order of the columns are exactly the same as
described there.
Columns 1, 2 and 3 have been added to the log file by the file logging functionality of the 1424 SHDSL
Router itself. Columns 4, 5 an 6 are the reply of the CLI command that collects the data.
1424 SHDSL Router Chapter 10 485
User manual Configuration examples
10 Configuration examples
This chapter shows some basic configuration examples for the 1424 SHDSL Router. This allows you to
get acquainted with the way the 1424 SHDSL Router has to be configured. The first example is a step-
by-step example. For the other examples, the CLI code is given.
The following gives an overview of this chapter:
• 10.1 - LAN extension over a PDH/SDH network on page 486
486 1424 SHDSL Router Chapter 10
User manual Configuration examples
In this example, a remote office is connected to a central office over a PDH or SDH network.
A modem link connects the remote office to the PDH or SDH network. At the local office a 1424 SHDSL
Router is installed. The central router is a third party router. The WAN encapsulation is PPP with active
link monitoring.
1424 SHDSL Router Chapter 10 487
User manual Configuration examples
Reference manual
490 1424 SHDSL Router
Reference manual
1424 SHDSL Router Chapter 11 491
User manual Configuration attributes
11 Configuration attributes
Depending on the device, some features may or may not be present. Refer to the detailed features over-
view: 1.3 - Overview of features on page 7
This chapter discusses the configuration attributes of the 1424 SHDSL Router. The following gives an
overview of this chapter:
• 11.1 - Configuration attribute overview on page 492
• 11.2 - General configuration attributes on page 503
• 11.3 - LAN interface configuration attributes on page 509
• 11.4 - WAN interface configuration attributes on page 530
• 11.5 - Encapsulation configuration attributes on page 532
• 11.6 - SHDSL line configuration attributes on page 578
• 11.7 - Profiles configuration attributes on page 591
• 11.8 - Bundle configuration attributes on page 610
• 11.9 - Router configuration attributes on page 616
• 11.10 - Bridge configuration attributes on page 771
• 11.11 - SNMP configuration attributes on page 796
• 11.12 - Management configuration attributes on page 799
492 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Refer to 4.3 - The objects in the 1424 SHDSL Router containment tree on page 42 to find out which
objects are present by default, which ones you can add yourself and which ones are added automati-
cally.
> router1424
sysName
sysContact
sysLocation
bootFromFlash
security
alarmMask
alarmLevel
Action: Activate Configuration
Action: Load Default Configuration
Action: Load Preconfiguration
Action: Load Saved Configuration
Action: Cold Boot
1424 SHDSL Router Chapter 11 493
User manual Configuration attributes
>> lanInterface
name
mode
ip
bridging
priorityPolicy
arp
vlan
adapter1
crossover1
flowControl1
ports2
bcastStormProtection2
switchCacheSize2
staticSwitchCase2
pppoEClient
bandwidth
inboundBandwidth
remark
adminStatus
linkStateTracking
delayOptimisation
oam
switchMode2
portGroups2
nrOfTxBds
alarmMask
alarmLevel
>> dslInterface
name
alarmMask
alarmLevel
>>> channel[ ]
encapsulation
maxFifoQLen
alarmMask
alarmLevel
>>>> atm
pvcTable
vp
ima
>>>>> ima
imaDifferentialDelay
imaVersion
txClockMode
txFrameLength
minActiveLinks
members
>>>> efm
name
ip
mode
arp
bridging
bandwidth
inboundBandwidth
vlan
priorityPolicy
pppoEClient
minActiveLinks
oam
>>> line
channel
region
retrain
management
endAlarmMask
endAlarmLevel
endLinePairAlarmMask
endLinePairAlarmLevel
repeaterAlarmMask
repeaterAlarmLevel
repeaterLinePairAlarmMask
repeaterLinePairAlarmLevel
name
startupMargin
alarmMask
alarmLevel
linkAlarmThresholds
numExpectedRepeaters
eocHandling
minLinePairSpeed
maxLinePairSpeed
modulation
compatibility
remark
autoConfig
1424 SHDSL Router Chapter 11 495
User manual Configuration attributes
>>>> linePair[ ]
alarmMask
alarmLevel
snmpIndexOffset
>> profiles
>>> policy
>>>> traffic
>>>>> ipTrafficPolicy[ ]
snmpIndexOffset
method
vrfRouter
trafficShaping
tos2QueueMapping
queue2QueueMapping
dropLevels
>>>>> bridgingTrafficPolicy[ ]
vlanPriorityMap
dropLevels
snmpIndexOffset
>>>> priority
>>>>> priorityPolicy[ ]
algorithm
countingPolicy
queueConfigurations
lowdelayQuotum
bandwidth
tc
snmpIndexOffset
496 1424 SHDSL Router Chapter 11
User manual Configuration attributes
>> bundle
>>> pppBundle[ ]
snmpIndexOffset
ip
bridging
mode
members
fragmentation
multiclassInterfaces
endpointDiscrClass
priorityPolicy
maxFifoQlen
defaultQueue
inboundBandwidth
alarmMask
alarmLevel
>> ip
>>> router
defaultRoute
routingTable
routingProtocol
alternativeRoutes
ripUpdateInterval
ripHoldDownTime
ripv2SecretTable
sysSecret
pppSecretTable
helperProtocols
sendTtlExceeded
sendPortUnreachable
sendAdminUnreachable
dhcpStatic
dhcpDynamic
dhcpCheckAddress
radius
dns
addrPools
sendHostUnreachable
dnsUpdateClient
qualityMonitor
alarmMask
alarmLevel
1424 SHDSL Router Chapter 11 497
User manual Configuration attributes
>>>> defaultNat
patAddress
portTranslations
servicesAvailable
addresses
gateway
tcpSocketTimeOut
udpSocketTimeOut
tcpSockets
udpSockets
dmzHost
tcpAdjustMss
>>>> nat[ ]
snmpIndexOffset
<All other objects are the same as the defaultNat object.>
>>>> tunnels
name
l2tpTunnels
ipsecL2tpTunnels
greTunnels
ipsecGreTunnels
ipsecTunnels
>>>> manualSA[ ]
espEncryptionAlgorithm
espEncryptionKey
espAuthenticationAlgorithm
espAuthenticationKey
spi
snmpIndexOffset
>>>> ikeSA[ ]
phase1
phase2
snmpIndexOffset
>>>> routingFilter[ ]
filter
snmpIndexOffset
>>>> ospf
routerId
refBandwidth
keyChains
importDefault
importMetrics
importFilter
498 1424 SHDSL Router Chapter 11
User manual Configuration attributes
>>>>> area
areaId
stub
networks
virtualLinks
ranges
snmpIndexOffset
>>>> vrrp[ ]
snmpIndexOffset
vrId
ipAddresses
interfaces
criticals
advertiseInterval
preemptMode
>>>> firewall
inspection
outboundPolicies
inboundPolicies
outboundSelfPolicies
inboundSelfPolicies
attacks
log
alg
tcpAdjustMss
>>>> bgp
asNr
routerId
localPreference
bestPath
networks
aggregates
importMetrics
importFilter
1424 SHDSL Router Chapter 11 499
User manual Configuration attributes
>>>>> ePeer[ ]
localIp
remoteIp
timers
weight
originateDefault
softReconfig
inbouldFilters
outboundFilters
inboundMaps
outboundMaps
alarmMask
alarmLevel
asTranslation
remoteAs
multiHop
snmpIndexOffset
>>>>> iPeer[ ]
localIp
remoteIp
timers
weight
originateDefault
softReconfig
inbouldFilters
outboundFilters
inboundMaps
outboundMaps
alarmMask
alarmLevel
nextHopSelf
snmpIndexOffset
>>>>> routeFilter[ ]
filters
snmpIndexOffset
>>>>> routeMap[ ]
filter
nextHop
weight
localPreference
prependAsPath
origin
med
snmpIndexOffset
500 1424 SHDSL Router Chapter 11
User manual Configuration attributes
>>> vrfRouter[ ]
snmpIndexOffset
defaultRoute
routingTable
sendTtlExceeded
sendPortUnreachable
sendAdminUnreachable
sendHostUnreachable
alternativeRoutes
routingProtocol
ripUpdateInterval
ripHoldDownTime
ripv2SecretTable
dhcpStatic
dhcpDynamic
dhcpCheckAddress
addrPools
dns
helperProtocols
alarmMask
alarmLevel
>>>> routingFilter[ ]
snmpIndexOffset
filter
>>>> ospf
routerId
refBandwidth
keyChains
importDefault
importMetrics
importFilter
1424 SHDSL Router Chapter 11 501
User manual Configuration attributes
>> bridge
>>> bridgeGroup
name
ip
arp
bridgeCache
bridgeCacheSize
bridgeTimeOut
spanningTree
localAccess
macAddress
vlan
vlanSwitching
accessControl
staticBridgeCash
forwardMulticast
alarmMask
alarmLevel
>>> vpnBridgeGroup[ ]
ip
arp
bridgeCache
bridgeCacheSize
bridgeTimeOut
spanningTree
localAccess
macAddress
vlan
vlanSwitching
accessControl
staticBridgeCash
forwardMulticast
snmpIndexOffset
>>> accessList[ ]
macAddress
advancedFilter
snmpIndexOffset
>> snmp
trapDestinations
mib2Traps
502 1424 SHDSL Router Chapter 11
User manual Configuration attributes
>> management
cms2Address
accessList
snmp
telnet
tftp
ftp
timedStatsAvailability
alignStatsToRtc
logStatsToFile
userInfo
consoleNoTrafficTimeOut
alarmFilter
atwinGraphics
accessPolicy
maxPingReplies
https
timeServer
timeZone
syslog
accessControl
ctrlPortProtocol
>>> loopback
ipAddress
ipNetMask
sNet
vrfRouter
>>> usrLoopback
snmpIndexOffset
<All other objects are the same as the loopback object.>
1424 SHDSL Router Chapter 11 503
User manual Configuration attributes
sysName Default:<empty>
Range: 0 … 64 characters
Use this attribute to assign a name to the 1424 SHDSL Router. The sysName
attribute is an SNMP MIB2 parameter.
This attribute is also used in the PPP authentication process. The PPP authenticator uses the sysName
attribute in order to verify the peer its response.
For more information on PPP authentication, refer to …
• 6.7.6 - Configuring PAP on page 170
• 6.7.8 - Configuring CHAP on page 173
sysContact Default:<empty>
Range: 0 … 64 characters
Use this attribute to add contact information. You could, for instance, enter
the name and telephone number of the person to contact in case problem occur.
The sysContact attribute is an SNMP MIB2 parameter.
sysLocation Default:<empty>
Range: 0 … 64 characters
Use this attribute to specify the physical location of the 1424 SHDSL Router.
The sysLocation attribute is an SNMP MIB2 parameter.
bootFromFlash Default:auto
Range: enumerated, see below
Part of the flash memory of the 1424 SHDSL Router is organised as a file
system. In this file system, you can store two complete application software versions. You can use the
bootFromFlash attribute to switch between these softwares.
When you store two application software versions in the file system, they are automatically renamed as
CONTROL1 and CONTROL2, respectively. You can check this with the status attribute router1424/fileSys-
tem/fileList.
The bootFromFlash attribute has the following values:
auto the 1424 SHDSL Router automatically chooses the most recent application soft-
ware. It does this by comparing the application software version numbers.
1424 SHDSL Router Chapter 11 505
User manual Configuration attributes
security Default:<empty>
Range: table, see below
Use this attribute to create a list of passwords with associated access levels
in order to avoid unauthorised access to the 1424 SHDSL Router and the network.
Also use this attribute to set the protocols and passwords for SNMPv3.
The security table contains the following elements:
Element Description
password Use this element to set the password. You can then Default:<empty>
associate this password with a certain access level. Range: 0 … 20 characters
Also see Important remarks on page 506.
accessRights Use this element to set the access level associated Default:1111
with the password. It is a bit string of which each bit Range: bit string, see below
corresponds to an access level. The different access
levels are listed below.
snmpv3 Use this element to set the protocols and passwords for SNMPv3. The snmpv3
structure contains following elements:
• authProtocol. Use this element to set which authentication protocol is used. Pos-
sible values are:
- none. No authentication protocol is set.
- hmac-md5. MD5 authentication will be used.
• authPassword. Use this element to set the key that will be used in the authentica-
tion protocol.
• privProtocol. Use this element to set the encryption protocol. Possible values are:
- none. No encryption will be used.
- des. DES will be used as encryption protocol.
• privPassword. Use this element to set the encryption key.
The following table shows, for each access level, what you can or can not do:
readAccess yes no no no no no
fileSystem- no no no no no yes
Access
The table above indicates that the security attributes are not visible for users with readAccess. There is
however one exception on the standard properties of the security attributes: the sysName attribute.
This is still visible for users with readAccess.
Important remarks
<alarmConfigurationAttributes>
Activate Configuration
If you execute this action, then the editable non-active configuration becomes the active configuration.
Refer to 5.7.1 - What are the different configuration types? on page 90 for more information.
If you execute this action, then the non-active configuration is overwritten by the default configuration.
Refer to 5.7.1 - What are the different configuration types? on page 90 for more information.
If you install the 1424 SHDSL Router for the first time, all configuration attributes have their default val-
ues. If the 1424 SHDSL Router has already been configured but you want to start from scratch, then use
this action to revert to the default configuration.
Load Preconfiguration
If you execute this action, then the non-active configuration is overwritten by the preconfiguration (if
present, else this action does nothing). Refer to 5.7.1 - What are the different configuration types? on
page 90 for more information.
If you install the 1424 SHDSL Router for the first time and if a preconfiguration is present (i.e. a
precfg.cms file is present on the file system), then some configuration attributes will be set to a precon-
figured value. The rest of the attributes will be set to their default values. If the 1424 SHDSL Router has
already been configured but you want to revert to the preconfiguration, then use this action.
508 1424 SHDSL Router Chapter 11
User manual Configuration attributes
If you execute this action, then the non-active configuration is overwritten by the active configuration cur-
rently used by the 1424 SHDSL Router. Refer to 5.7.1 - What are the different configuration types? on
page 90 for more information.
If you are in the progress of modifying the non-active configuration but made some mistakes, then use
this action to revert to the active configuration.
Cold Boot
If you execute this action, then the 1424 SHDSL Router reboots. As a result, the 1424 SHDSL Router …
• performs a self-test.
• checks the software.
• reads the saved configuration and restarts program execution.
router1424/lanInterface
The following elements are only present on the 4 port Ethernet LAN interface:
• switchMode on page 527
• ports on page 528
• bcastStormProtection on page 529
• switchCacheSize on page 529
• staticSwitchCache on page 529
The following attributes are only present on the single port Ethernet LAN interface:
• adapter on page 513
• crossover on page 514
• flowControl on page 514
510 1424 SHDSL Router Chapter 11
User manual Configuration attributes
name Default:lan
Range: 1 … 24 characters
Use this attribute to assign an administrative name to the LAN interface.
mode Default:bridging
Range: enumerated, see below
Use this attribute to determine whether the packets are treated by the rout-
ing process, the bridging process or both.
The mode attribute has the following values:
Value Description
The settings of the IP configuration attributes of the LAN are ignored. If you
want to manage the 1424 SHDSL Router via IP, you have to configure an
IP address in the bridgeGroup object. Refer to ip on page 774.
routing The IP packets are routed. All other protocols are discarded.
ip Default:-
Range: structure, see below
Use this attribute to configure the IP related parameters of the LAN inter-
face.
Refer to …
• 5.2 - Configuring IP addresses on page 53 for general information on configuring IP addresses.
• 5.2.3 - Explaining the ip structure on page 56 for a detailed description of the ip structure.
Important remark
If you set the configuration attribute mode to bridging, then the settings of the configuration attribute ip are
ignored. As a result, if you want to manage the 1424 SHDSL Router via IP, you have to configure an IP
address in the bridgeGroup object instead: ip.
1424 SHDSL Router Chapter 11 511
User manual Configuration attributes
bridging Default:-
Range: structure, see below
Use this attribute to configure the bridging related parameters of the LAN
interface.
Refer to …
• 8 - Configuring bridging and VLANs on page 297 for more information on bridging.
• 8.2.6 - Explaining the bridging structure on page 318 for a detailed description of the bridging structure.
priorityPolicy Default:<empty>
Range: 0 … 24 characters
Use this attribute to apply a priority policy on the LAN interface.
Do this by entering the index name of the priority policy you want to use. You can create the priority policy
itself by adding a priorityPolicy object and by configuring the attributes in this object.
Example
arp Default:-
Range: structure, see below
Use this attribute to configure the Address Resolution Protocol (ARP)
cache.
The arp structure contains the following elements:
Element Description
timeOut Use this element to set the ageing time of the ARP Default:00000d 02h 00m 00s
cache entries. Refer to The ARP cache time-out. Range: 00000d 00h 00m 00s -
24855d 03h 14m 07s
proxyArp Use this element to enable or disable the proxy ARP Default:enabled
mechanism. Refer to What is proxy ARP?. Range: enabled / disabled
Note that when you want to access a proxied device via its IP address that
is configured in the router1424/proxy/nmsGroup/objectTable, then the proxyArp ele-
ment must be set to enabled.
staticArp Use this element to create a fixed link between a MAC address and an IP address.
When set up here, this IP address will always be linked to this MAC address, and
cannot be linked to another one.
The staticArp table contains following elements:
• macAddress. Use this element to fill in the MAC address.
• ipAddress. Use this element to fill in the IP address.
The LAN interface has been allocated a fixed Ethernet address, also called MAC (Medium Access Con-
trol) address. This MAC address is not user configurable. The IP address of the LAN interface, on the
other hand, is user configurable. This means that the user associates an IP address with the predefined
MAC address. The MAC address - IP address pairs are kept in a table, called the ARP cache. Refer to
arpCache on page 834 for an example of such a table.
Before the 1424 SHDSL Router sends an IP packet on the LAN interface, it has to know the MAC
address of the destination device. If the address is not present in the ARP cache table yet, the 1424
SHDSL Router sends an ARP request on the Ethernet to learn the MAC address and associated IP
address of the destination device. This address pair is then written in the ARP cache. Once the address
pair is present, the 1424 SHDSL Router can reference to this pair if it has to send an IP packet to the
same device later on.
Summarised, all the MAC address - IP address pairs from ARP requests and replies received on the
LAN interface are kept in the ARP cache. However, if devices on the network are reconfigured then this
MAC address - IP address relation may change. Therefore, the ARP cache entries are automatically
removed from the cache after a fixed time-out. This time-out period can be set with the timeOut element.
Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for
another machine. By "faking" its identity, the router accepts responsibility for routing packets to the "real"
destination. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing
or a default gateway.
The advantages and disadvantages of proxy ARP are listed below:
advantages The main advantage of using proxy ARP is that it can be added to a single router
on a network without disturbing the routing tables of the other routers on the net-
work.
Proxy ARP should be used on the network where IP hosts are not configured with
default gateway or does not have any routing intelligence.
disadvantages Hosts have no idea of the physical details of their network and assume it to be a
flat network in which they can reach any destination simply by sending an ARP
request. But using ARP for everything has disadvantages, some of which are listed
below:
• It increases the amount of ARP traffic on your segment.
• Hosts need larger ARP tables to handle IP-to-MAC address mappings.
• Security may be undermined. A machine can claim to be another in order to
intercept packets, an act called "spoofing."
• It does not work for networks that do not use ARP for address resolution.
• It does not generalise to all network topologies (for example, more than one
router connecting two physical networks).
adapter Default:autoDetect
Range: enumerated, see below
Only present on the single port LAN interface.
Use this attribute to set the Ethernet mode of the LAN interface.
The adapter attribute has the following values: autoDetect, 10Mb/halfDuplex, 10Mb/fullDuplex, 100Mb/halfDuplex,
100Mb/fullDuplex.
514 1424 SHDSL Router Chapter 11
User manual Configuration attributes
crossover Default:auto
Range: mdi/mdix/auto
Only present on the single port LAN interface.
Use this attribute to adjust the LAN interface, if necessary, to the type of cable that is used (crossed or
straight), and the mode of the LAN connector of the remote device (MDI or MDIX; MDI stands for Medium
Dependant Interface).
By default, the LAN interface adjusts automatically. But, for compatibility reasons, it might be necessary
sometimes to manually adjust the interface.
The crossover structure contains the following element:
Element Description
auto This is the default setting, which means that the LAN interface automatically
adjusts to MDI or MDIX mode, however necessary.
mdi The LAN interface functions as an MDI port. Use this when:
• The remote port is an MDI port, in combination with a crossed cable.
• The remote port is an MDIX port, in combination with a straight cable.
mdix The LAN interface functions as an MDIX port. Use this when:
• The remote port is an MDI port, in combination with a straight cable.
• The remote port is an MDIX port, in combination with a crossed cable.
flowControl
Element Description
rx If the 1424 SHDSL Router receives pause frames on the LAN interface from the
remote device, it stops sending out packets.
tx If the receive buffer of the LAN interface fills up, the 1424 SHDSL Router sends
out pause frames to the remote device.
rxAndTx The packet flow is monitored in both receive and transmit direction. The 1424
SHDSL Router reacts as described for the rx and tx element.
vlan Default:<empty>
Range: table, see below
Use this attribute to create and configure VLANs. Refer to 8.3 - Configuring
VLANs on page 325 for an introduction and a step-by-step procedure.
As long as no VLANs are created in the vlan table, the LAN interface accepts both VLAN untagged and
VLAN tagged frames. The VLAN untagged frames are bridged and/or routed (depending on the setting
of the mode attribute). The VLAN tagged frames are bridged (in case the mode attribute is set to bridging
or bridgingAndRouting, else they are discarded).
As soon as a VLAN is created in the vlan table, the LAN interface still accepts VLAN untagged frames
but only accepts those VLAN tagged frames of which the VLAN ID corresponds with the VLAN ID that
has been configured in the vlan table (refer to the configuration element vid on page 517). Other VLAN
tagged frames are discarded.
Note that in case of the 1424 SHDSL Router 4 port Ethernet switch, the vlan table of the 4 port Ethernet
switch has to be used only if you want that VLAN tagged packets inside the 4 port Ethernet switch are
forwarded to the bridging or routing function of the 1424 SHDSL Router. Refer to for 8.4.2 - Setting up
VLANs on the 4 port Ethernet switch on page 339 more information.
Element Description
remark Use this element to write down any text, message, Default:-
remark, etc. of up to 64 characters. Range: 0 … 64 characters
mode Use this element to determine whether, for the corre- Default:bridging
sponding VLAN, the packets are treated by the rout- Range: enumerated, see below
ing process or the bridging process.
The mode element has the following values:
• bridging. All packets received on the VLAN are bridged.
• routing. All packets received on the VLAN are routed.
516 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
priorityPolicy Use this element to apply a priority policy on the LAN Default:<empty>
interface. Range: 0 … 24 characters
Do this by entering the index name of the priority policy you want to use. You can
create the priority policy itself by adding a priorityPolicy object and by configuring the
attributes in this object.
Example
inboundandwidth Use this element to configure the inbound bandwidth on the VLAN.
This element has already been explained in the context of the LAN interface itself,
refer to 11.3 - LAN interface configuration attributes on page 509 for more informa-
tion.
1424 SHDSL Router Chapter 11 517
User manual Configuration attributes
vlan/vlan Default:-
Range: structure, see below
Use the vlan structure in the vlan table to configure the VLAN related param-
eters of the corresponding VLAN.
Refer to 8.3 - Configuring VLANs on page 325 for an introduction on VLANs.
The vlan structure contains the following elements:
Element Description
Important remark
You can also enter VLAN tag 0 as VLAN ID. This is not really a VLAN, but
a way to reverse the filtering:
- all the untagged data is passed, internally, to VLAN 0.
- all the other, tagged, data for which no VLANs are defined, are handled by
the main LAN interface.
This allows a set-up where a number of VLANs are VLAN switched, while other
VLANs and untagged data are bridged. This is particularly interesting for VLAN
based networks with Ethernet switch discovery protocols like Cisco CDP. Until
now, this was not possible since the VLAN switching mode did not allow flooding
packets over multiple interfaces (bridging), nor did it allow terminating manage-
ment data in the device.
In such set-up, the configuration looks as follows:
- A first bridge group includes all VLANs that need to be switched. This bridge
group is set in VLAN switching mode.
- A second bridge group includes VLAN 0 and possibly also a VLAN for man-
agement of the device.
- The interface VLAN table(s) include(s) entries for all switched VLANs, VLAN
0 and possibly a VLAN for management.
518 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
tpid Use this element to set the Tag Protocol ID of the Default:33024
VLAN header. Range: 0 ... 65535
This is the value to be used as the first 2 bytes of the VLAN tag when adding a
VLAN header.
Remarks
• This value must be filled in here as a decimal number, although TPID is nor-
mally expressed as a hexadecimal number. Make sure to convert the desired
hexadecimal value to decimal, before filling it in.
• This element is only relevant when the tagSignificance element, described next,
is set to sVlan or local.
Element Description
tagSignificance This element is only relevant when you set the mode Default:global
element to bridging. Range: local / global
The tagSignificance element has the following values:
• local. The VLAN tag only has a local significance, i.e. it is only present on the
LAN interface side. This means that when the data is moved …
- from the LAN interface to the bridge group, the VLAN tag is removed.
- from the bridge group to the LAN interface, the VLAN tag is added.
If a VLAN header is already present in the packet, the P bits will be defined by
the cosCosMap. The cosCosMap is described below.
• global. The VLAN tag has a global significance, i.e. it is both present on the LAN
interface and the bridge group side.
This means that when the data is moved from the LAN interface to the bridge
group or vice versa, the VLAN tag is always preserved.
• cVlan. Upon transmission a VLAN tag is added according to the information in
the tunnel field. The P bits in the outer header are defined by the cosCosMap of
this VLAN.
Upon reception, if a matching sVlan is found for the outer header, the inner cVlan
‘s are checked to find the corresponding bridge group. If no matching cVlan is
found, the sVlan header is stripped, and the packet is parsed according to the
rules defined by the sVlan configuration.
The usage of cVlan is only needed if per-vlan rules need to be defined.
• sVlan. Upon transmission a VLAN tag is added to the packet. Upon reception it
behaves the same as the cVlan option. sVlan ’s can use 802.1ad vlan TPID.
Refer to the figure Local or global VLAN tag significance on page 521.
txCos Use this element to set the default user priority Default:0
(802.1P, also called COS) of the transmitted VLAN Range: 0 … 7
frames.
changeTos Use this element to enable or disable the COS to TOS Default:disabled
mapping. Range: enabled / disabled
If you set the changeTos attribute to disabled, then the element cosTosMap is ignored.
Note that the TOS to COS mapping is always enabled, irrespective with the
setting of the changeTos attribute.
520 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
cosTosMap Use this element to determine how the VLAN user pri- Default:-
ority (COS) maps onto the IP TOS byte value. Range: structure, see below
Note that the COS to TOS mapping only occurs in case …
• the mode element is set to routing and the changeTos element is set to enabled.
or
• the mode element is set to bridging, the changeTos element is set to enabled and
the tagSignificance element is set to local.
tosCosMap Use this element to determine how the IP TOS byte Default:-
value maps onto the VLAN user priority (COS). Range: table, see below
Note that the COS to TOS mapping only occurs in case …
• the mode element is set to routing.
or
• the mode element is set to bridging and the tagSignificance element is set to local.
The following figure shows how the tagSignificance element influences the VLAN tagging between the LAN
interface and the bridge group:
522 1424 SHDSL Router Chapter 11
User manual Configuration attributes
bandwidth Default:-
Range: structure, see below
Use this attribute to configure the outbound bandwidth on the LAN interface.
Refer to 9.3 - Tuning the bandwidth on the LAN interface on page 376 for more detailed information.
The bandwidth strucuture contains following elements:
Element Description
maxFifoQlen Use this element to set the maximum length (number Default:200
of packets) of the First In First Out queue. Range: 1 ... 4000
Note that this element is only applicable when the interface is running in FIFO
queueing mode, and only applicable to non-colored packets.
Refer to algorithm on page 606 for more information on this queue.
bandwidth/correction Default:-
Range: structure, see below
Use this element to adjust the bandwidth on the LAN interface.
The correction structure contains following elements:
Element Description
Element Description
bandwidth/correction/predefined
Use this element to have the bandwidth automatically tuned, depending on the encapsulation that is
used further up in the link.
The predefined structure contains the following elements:
Element Description
encapsulation Use this element to set which encapsulation is used further up in the link: frameRe-
lay, ppp, atm, hdlc or efm. Either one of these 5 can selected by clicking the right
mouse button and selecting Set To This Choice Type.
• When chosing atm, the following settings must be refined: higherLayer and multi-
Protocol. Refer to the pvcTable/atm attribute in 11.5.1 - ATM configuration
attributes on page 533 for a detailed explantion of both elements.
• When efm is used further up in the link, the following settings must be refined to
control the bandwidth correction: fragmentSize and idleBytes.
When using EFM, Ethernet packets are broken up into variable length frag-
ments, which are then split up into 64/65 bytes frames (64 bytes of Payload
Data, and 1 SYNC byte).
The following elements must be set:
- The actual length of the fragments can be set with the fragmentsize element.
By default, the fragmentSize is 256 bytes.
- To get a smooth dataflow, a number of idle bytes can be introduced inbe-
tween the different frames; this can be set with the idleBytes element.
By default, the idleBytes is 2.
mode Use this element to set whether the WAN interface Default:routing
further up in the link is set to routing or bridging mode. Range: routing/bridging
524 1424 SHDSL Router Chapter 11
User manual Configuration attributes
bandwidth/correction/manual
Element Description
inboundBandwidth
Use this attribute to configure the inbound bandwidth on the LAN interface.
The inboundBandwidth structure contains the same elements as the bandwidth on page 522 structure described
above, except that inboundBandwidth has one extra element, which is priorityPolicy; this has also already
been described above.
Also refer to 9.3 - Tuning the bandwidth on the LAN interface on page 376 for more detailed information.
pppoEClient Default:-
Range: table, see below
Use this attribute to establish a PPPoE link over the LAN interface. The
1424 SHDSL Router can only act as a client.
If you use PPPoE on your computer, then the IP MTU size has to be limited to 1492 bytes. This is a gen-
eral rule defined in the PPPoE protocol.
The pppoEClient table contains following elements:
Element Description
name Use this element to set the administrative name of the Default:<empty>
PPPoE link. Range: 0 … 24 characters
adminStatus Use this element to set the administrative state of the Default:up
PPPoE link: up or down. Range: up / down
ppp Use this element to configure the PPP related param- Default:-
eters of the PPPoE link. Range: structure, see below
The ppp element contains the following elements: linkMonitoring, authentication, authen-
Period, sessionName and sessionSecret. Refer to 11.5.4 - PPP configuration attributes
on page 566 for a detailed description of these elements.
526 1424 SHDSL Router Chapter 11
User manual Configuration attributes
remark Default:-
Range: 0 … 64 characters
Use this attribute to write down any text, message, remark, etc. of up to 64
characters.
adminStatus Default:up
Range: down/up
Use this attribute to activate (up) or deactivate (down) the LAN interface.
Sometimes, there might be a need to put the LAN interface admininstratively down, for instance when a
network administrator wants to reconfigure a few settings on the 1424 SHDSL Router from a distance.
When set to down, this attribute can bring the LAN interface and its VLAN subinterfaces down, including
shutting of the power on the Ethernet chips, so that connected devices also see this link as down.
linkStateTracking Default:-
Range: structure, see below
Use this attribute to track the link state of the interface.
The linkStatetracking structure contains the following elements:
Element Description
trackedInterface Use this element to fill in the name of an interface of which the link state will be
tracked:
• As long as this interface is up, nothing is done.
• When the tracked interface goes down, the LAN is brought physically down; no
power is put on the output port so that the device which is connected to this LAN
interface does no longer get any power on its own LAN interface.
ports
Note that this element is only present on the 4 port Ethernet LAN interface.
This is a mask which can be configured, to indicate on which of the 4 ports the link-
StateTracking must be applied: port1, port2, port3 and port4 can each be enabled or dis-
abled.
delayOptimisation Default:disabled
Range: enabled/disabled
Use this attribute to minimize delay over the LAN interface when using a pri-
orityPolicy.
Whenever a priority policy is applied on the interface, a delay optimisation mechanism is activated auto-
matically in order to guarantee a minimum delay for high priority packets.
1424 SHDSL Router Chapter 11 527
User manual Configuration attributes
oam Default:-
Range: structure, see below
Use this attribute to set the LAN interface OAM mode.
Refer to 6.5.2 - OAM or Operation, Administration and Maintenance on page 143 for more information
on OAM; there, OAM has been explained in the context of EFM.
Note that OAM is to be used in point-to-point connections: within the same broadcast domain, only 2
devices may be present with OAM enabled.
Element Description
<alarmConfigurationAttributes>
switchMode Default:portSwitching
Range: enumerated, see below
Only present on the 4 port Ethernet LAN interface.
Use this attribute to select the switching mode of the 4 port Ethernet interface.
The switchMode attribute has the following values:
Value Description
The switchMode attribute is a bootable attribute: it is necessary to reboot the 1424 SHDSL Router or dis-
connect and reconnect the ethernet devices from the 1424 SHDSL Router before the newly selected
option becomes active.
528 1424 SHDSL Router Chapter 11
User manual Configuration attributes
ports Default:-
Range: table, see below
Only present on the 4 port Ethernet LAN interface.
Use this attribute to set the Ethernet mode for each port of the 4 port Ethernet interface.
The ports table contains 4 entries. Each entry corresponds with a port of the 4 port Ethernet interface. So
you can configure the Ethernet and VLAN tagging mode for each port separately. The ports table contains
the following elements:
Element Description
adapter Use this element to set the Ethernet mode for each Default:autoNegotiate
port of the 4 port Ethernet interface. Range: choice, see below
The first part of the adapter element has the following values:
• autoNegotiate. The port automatically negotiates Default:all enabled
with its link partner which Ethernet mode they are Range: structure, see below
going to use.
Using the second part of the adapter element, you can determine which capabil-
ities the port may advertise in this negotiation process. Do this by setting the
corresponding element in this structure to enabled. The structure contains the
following elements: 10Mb/halfDuplex, 10Mb/fullDuplex, 100Mb/halfDuplex, 100Mb/fullDu-
plex, flowControl. By default, all these elements are set to enabled.
• fixed. The port is set to a fixed Ethernet mode. Default:10Mb/halfDuplex
Using the second part of the adapter element, you Range: enumerated, see below
can select the Ethernet mode. Possible values are:
10Mb/halfDuplex, 10Mb/fullDuplex, 100Mb/halfDuplex, 100Mb/fullDuplex.
crossover Use this element to adjust the LAN port, if necessary, Default:auto
to the type of cable that is used (crossed or straight), Range: enumerated, see below
and the mode of the LAN connector of the remote
device (MDI or MDIX; MDI stands for Medium Dependant Interface).
Refer to crossover on page 514 for more information.
1424 SHDSL Router Chapter 11 529
User manual Configuration attributes
bcastStormProtection Default:-
Range: structure, see below
Only present on the 4 port Ethernet LAN interface.
Use this attribute to protect the 4 port Ethernet interface against broadcast/multicast storms. Note that
this configuration is done for all ports at once (including the local port).
The bcastStormProtection structure contains the following elements:
Element Description
switchCacheSize Default:1024
Range: 256/512/1024
Only present on the 4 port Ethernet LAN interface.
Use this attribute to set the size of the MAC address cache: 256, 512 or 1024. This is the maximum number
of entries in the MAC address cache.
staticSwitchCache Default:<empty>
Range: table, see below
Only present on the 4 port Ethernet LAN interface.
Use this attribute to set the static MAC address cache. This is a fixed mapping between a MAC address
and a port.
The staticSwitchCache table contains the following elements: port and macAddress.
530 1424 SHDSL Router Chapter 11
User manual Configuration attributes
router1424/wanInterface
router1424/wanInterface/channel[ ]
name Default:wan
Range: 1 … 24 characters
Use this attribute to assign an administrative name to the WAN interface.
<alarmConfigurationAttributes>
encapsulation Default:atm
Range: enumerated, see below
Use this attribute to select the encapsulation protocol on the WAN interface.
The encapsulation attribute may have the following values: atm, efm, frameRelay, ppp and/or hdlc.
Note that not all encapsulation protocols are present on all 1424 SHDSL Router versions. Refer to 1 -
Introducing the 1424 SHDSL Router on page 3.
priorityPolicy Default:<empty>
Range: 0 … 24 characters
Use this attribute to apply a priority policy on the WAN interface.
Do this by entering the index name of the priority policy you want to use. You can create the priority policy
itself by adding a priorityPolicy object and by configuring the attributes in this object.
Example
maxFifoQLen Default:200
Range: 1 … 4000
Use this attribute to set the maximum length (number of packets) of the First
In First Out queue.
Note that this attribute is only applicable when the interface is running in FIFO queueing mode, and only
applicable to non-colored packets.
Refer to algorithm on page 606 for more information on this queue.
532 1424 SHDSL Router Chapter 11
User manual Configuration attributes
This section discusses the configuration attributes of the encapsulation protocols that can be used on
the 1424 SHDSL Router.
The following gives an overview of this section:
• 11.5.1 - ATM configuration attributes on page 533
• 11.5.2 - ATM IMA configuration attributes on page 551
• 11.5.3 - Frame Relay configuration attributes on page 554
• 11.5.4 - PPP configuration attributes on page 566
• 11.5.5 - EFM configuration attributes on page 571
1424 SHDSL Router Chapter 11 533
User manual Configuration attributes
router1424/dslInterface/channel[wan_1]/atm
pvcTable Default:<empty>
Range: table, see below
Use this attribute to configure the ATM Permanent Virtual Circuits (PVCs) .
Refer to 6.2.2 - Configuring ATM PVCs on page 110 for more information on PVCs.
The pvcTable contains the following elements:
Element Description
remark Use this attribute to write down any text, message, Default:-
remark, etc. of up to 64 characters. Range: 0 … 64 characters
mode Use this element to determine whether, for the corre- Default:routing
sponding PVC, the packets are treated by the routing Range: enumerated, see below
process, the bridging process or both.
The mode element has the following values:
• bridging. All packets received on the PVC are bridged.
• routing. All packets received on the PVC are routed.
• routingAndBridging. The SNAP header is checked to determine whether the pack-
ets have to be bridged or routed.
priorityPolicy Use this element to set a priority policy per PVC. Default:<empty>
Do this by entering the index name of the priority pol- Range: 0 … 24 characters
icy you want to use. You can create the priority policy itself by adding a priorityPolicy
object and by configuring the attributes in this object.
Refer to 7.11 - Applying QoS on routed traffic on page 259 for more information on
priority policies.
delayOptimisation Use this attribute to minimize delay over the PVC Default:disabled
when using a priorityPolicy. Range: enabled/disabled
Whenever a priority policy is applied on the PVC, a delay optimisation mechanism
is activated automatically in order to guarantee a minimum delay for high priority
packets.
Element Description
atm Use this element to configure the specific PVC param- Default:-
eters. Range: structure, see below
Refer to pvcTable/atm on page 536 for a detailed description of the atm structure.
ppp Use this element to configure the PPP related param- Default:-
eters of the PVC in case you choose to map PPP onto Range: structure, see below
AAL5 (refer to the elements higherLayerProtocol and mul-
tiProtocolMech on page 536).
Refer to 11.5.4 - PPP configuration attributes on page 566 for a detailed descrip-
tion of the elements in the ppp structure.
frameRelay Use this element to configure the Frame Relay related Default:-
parameters of the PVC. Range: structure, see below
Refer to pvcTable/frameRelay on page 546 for a detailed description of the frameRelay
structure.
pvcTable/atm Default:-
Range: structure, see below
Use the atm structure in the pvcTable to configure the ATM related parame-
ters of the corresponding PVC.
Refer to 6.2.2 - Configuring ATM PVCs on page 110 for more information on PVCs.
The atm structure contains the following elements:
Element Description
vpi Use this element to set the Virtual Path Identifier Default:0
(VPI). Range: 0 … 255
vci Use this element to set the Virtual Channel Identifier Default:32
(VCI). Range: 32 … 65535
You can configure multiple virtual channels per virtual path. Refer to What is VPI
and VCI? on page 98.
higherLayerProtocol Use this attribute to select the protocol you want to run Default:rfc2684
over ATM. Range: enumerated, see below
The higherLayerProtocol element has the following values:
• rfc2684. Select this value in case you want to run bridged/routed Ethernet/IP
over ATM (RFC 2684).
• ppp. Select this value in case you want to run PPP over ATM (PPPoA, RFC
2364).
• pppOverEthernet. Select this value in case you want to run PPP over Ethernet
(PPPoE, RFC 2516).
-In the PPPoE context, the 1424 SHDSL Router can only act as a cli-
ent.
- If you use PPPoE on your computer, then the IP MTU size has to be limited
to 1492 bytes. This is a general rule defined in the PPPoE protocol.
multiProtocolMech Use this element to define how you want to encapsu- Default:llcEncapsulation
late the higher layer protocol data in ATM. Range: enumerated, see below
The multiProtocolMech element has the following values:
• llcEncapsulation. Logical Link Control (LLC) encapsulation multiplexes multiple
protocols over a single virtual connection. The protocol type of each protocol
data unit (PDU) is identified by a prefixed IEEE 802.2 Logical Link Control (LLC)
header.
In general, LLC encapsulation tends to require fewer VCs in a multi-protocol
environment but has more fragmentation overhead.
• vcMultiplexing. Virtual Circuit (VC) multiplexing uses one virtual connection to
carry the PDUs of exactly one protocol type. When multiple protocols need to
be transported, there is a separate VC for each.
VC multiplexing tends to reduce fragmentation overhead (e.g. an IPV4 data-
gram containing a TCP control packet with neither IP nor TCP options exactly
fits into a single cell) but needs more VCs.
1424 SHDSL Router Chapter 11 537
User manual Configuration attributes
Element Description
serviceCategory Use this element to specify the ATM service category. Default:ubr
The serviceCategory element has the following values: Range: enumerated, see below
cbr, vbr-rt, vbr-nrt, ubr.
For more information on ATM service categories, refer to 6.2.1 - Introducing ATM
on page 98.
peakCellRate Use this element to set the Peak Cell Rate (PCR) of Default:auto
the PVC. Range: auto, 64000…
The peakCellRate is expressed in bps. Enter a multiple of 64000 bps as peakCellRate
value (e.g. 2048000). The maximum value is the physical connection towards the
ATM network.
Note that:
• when selecting the PCR form the drop down list, the values are expressed in
kbps, instead of bps.
In auto mode, the PVC will try to get the maximum bandwidth, i.e. the speed of the
physical connection towards the ATM network. This is the line speed on which the
1424 SHDSL Router is trained.
For more information on PCR and how to configure it, refer to …
• 6.2.1 - Introducing ATM on page 98
• 6.2.6 - Configuring UBR on page 115
• 6.2.7 - Configuring VBR-nrt on page 116
• 6.2.8 - Configuring VBR-rt on page 117
• 6.2.9 - Configuring CBR on page 118
sustCellRate Use this element to set the Sustainable Cell Rate Default:<opt>
(SCR) of the PVC. Range: 0 …
The sustCellRate is expressed in bps. Enter a multiple of 64000 bps as sustCellRate
value (e.g. 2048000). The maximum value is the physical connection towards the
ATM network.
For more information on SCR and how to configure it, refer to …
• 6.2.1 - Introducing ATM on page 98
• 6.2.7 - Configuring VBR-nrt on page 116
• 6.2.8 - Configuring VBR-rt on page 117
538 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
maxBurstSize Use this element to set the Maximum Burst Size Default:<opt>
(MBS) of the PVC. This is the maximum number of Range: 0 … 2147483647
cells that are allowed to be sent above the SCR, with
an upper limit which is PCR.
The maxBurstSize is expressed as a number of cells (or cell times). Since each ATM
cell has a certain length of time, this number of cells corresponds to a number of
cell time slots.
So, cell times is a unit expressed as a number of cells, which represent the amount
of time that it takes the ATM cells to pass an interface.
For more information on MBS and how to configure it, and a definition of cell times,
refer to …
• 6.2.1 - Introducing ATM on page 98
• 6.2.7 - Configuring VBR-nrt on page 116
• 6.2.8 - Configuring VBR-rt on page 117
inArpTimeOut Use this element to set the time between the trans- Default:00000d 00h 00m 30s
mission of two consecutive Inverse ARP frames. Range: 00000d 00h 00m 01s -
00000d 01h 00m 00s
pvcTable/atm/oamF5Loopback Default:-
Range: structure, see below
Use the oamF5Loopback structure to configure the transmission of OAM F5
loopback cells.
The oamF5Loopback structure contains the following elements:
Element Description
The 1424 SHDSL Router always responds to OAM LB cells received from
the peer ATM device (both segment and end-to-end cells). However, when
OAM LB is activated, the 1424 SHDSL Router only sends end-to-end OAM
LB request cells.
interval Use this element to set the time interval between the Default:00000d 00h 00m 10s
sending of two consecutive loopback cells. Range: 00000d 00h 00m 00s -
24855d 03h 14m 07s
Example
Suppose failsPermitted is set to 10. If 10 consecutive loopback cells are not returned
by the remote side, then the 1424 SHDSL Router declares the PVC down.
pvcTable/atm/oamF5CC Default:-
Range: structure, see below
Use the oamF5CC structure to configure the transmission of OAM F5 conti-
nuity check cells.
The oamF5CC structure contains the following elements:
Element Description
direction Use this element to indicate whether this side of the Default:sink
PVC is the originator, the receiver or both of the CC Range: enumerated, see below
cells.
The direction element has the following values:
• source. This side of the PVC is the originator of the CC cells.
• sink. This side of the PVC is the receiver of the CC cells.
• both. This side of the PVC is both the originator and the receiver of the CC cells.
The source transmits CC cells as configured in the tx structure. The sink acts as
configured in the rx structure.
The direction elements of both sides have to be configured correspondingly, i.e. sink/
source, source/sink or both/both. Refer to Common activation/deactivation configura-
tions on page 542 for some examples.
target Use this element to indicate whether the CC cells are Default:endToEnd
defined for the current segment (segment) or end-to- Range: enumerated, see below
end (endToEnd), ot for both (both).
The segment cells only work for the segment to which the device itself belongs (i.e.
no specific coding is used for location identifiers).
The target elements of both sides have to be configured correspondingly, i.e. either
both segment, or both endToEnd, or both both.
Element Description
rx Use this structure to configure how the sink acts. This Default:-
structure only applies in case you set the direction ele- Range: structure, see below
ment to the value sink or both.
The rx structure contains the following elements:
• timeOut. Use this element to determine the time-out Default:00m 03s 500ms
period after which the sink declares the AIS (Alarm Range: 00m 00s 500ms -
Indication Signal) state. 10m 00s 000ms
If the sink with CC activated does not receive any
user cell or CC cell within a time interval as configured in the timeOut element,
then it declares the AIS state due to a LOC (Loss of Continuity) defect.
source / initActivation sink / passive The local side transmits the CC cells and is the
“master” in the (de)activation of the CC mecha-
nism. The remote side receives the CC cells and
is the “slave” in the (de)activation of the CC mech-
anism.
both / initActivation both / passive Both local and remote side transmit and receive
CC cells. The local side is the “master” in the
(de)activation of the CC mechanism and the
remote the “slave”.
source / activated sink / activated The local side transmits the CC cells and the
remote side receives the CC cells. The CC mech-
anism is activated manually on both sides.
both / activated both / activated Both local and remote side transmit and receive
CC cells. The CC mechanism is activated manu-
ally on both sides.
pvcTable/atm/oamF5PM Default:-
Range: structure, see below
Use the oamF5PM structure to configure the transmission of OAM F5 Per-
formance Monitoring cells.
The oamF5PM structure contains the following elements:
Element Description
direction Use this element to indicate whether this side of the Default:sink
PVC is the originator, the receiver or both of the PM Range: enumerated, see below
cells.
The direction element has the following values:
• source. This side of the PVC is the originator of the PM cells.
• sink. This side of the PVC is the receiver of the PM cells.
• both. This side of the PVC is both the originator and the receiver of the PM cells.
The direction elements of both sides have to be configured correspondingly, i.e. sink/
source, source/sink or both/both.
target Use this element to indicate whether the PM cells are Default:endToEnd
defined for the current segment (segment) or end-to- Range: segment/endToEnd
end (endToEnd).
The segment cells only work for the segment to which the device itself belongs (i.e.
no specific coding is used for location identifiers).
The target elements of both sides have to be configured correspondingly, i.e. both
segment or both endToEnd.
type Use this element to set the type of performance mon- Default:fpmWithBr
itoring. Range: fpmWithBr/fpm
The type element has the following values:
• fpmWithBr. Forward performance monitoring (FPM) together with backward
reporting (BR) are applied.
• fpm. Only forward performance monitoring is applied.
Refer to 6.3.7 - OAM Performance Monitoring (PM) on page 136 for more informa-
tion about FPM and BR.
policy Use this element to set how PM cells are switched. Default:inband
The policy element has the following values: Range: inband/outband
• outband: the PM cells will be switched 'out of band', i.e. the switching of regular
pvc ATM cells is not in sync with the switching of PM cells for this pvc.
• inband: the PM cells will be switched in sync with the switching of PM cells.
blockSizeAB Use this element to set the size of the block of cells, Default:128
after which an activation/deactivation cell is inserted Range: enumerated, see below
in the cell flow, in the direction away from the activa-
tor/deactivator.
Possible values are: 128 cells, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768.
544 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
blockSizeBA Use this element to set the size of the block of cells, Default:128
after which an activation/deactivation cell is inserted Range: enumerated, see below
in the cell flow, in the direction towards the activator/
deactivator.
Possible values are: 128 cells, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768.
source / initActivation sink / passive The local side transmits the PM cells and is the
“master” in the (de)activation of the PM mecha-
nism. The remote side receives the PM cells and
is the “slave” in the (de)activation of the PM mech-
anism.
both / initActivation both / passive Both local and remote side transmit and receive
PM cells. The local side is the “master” in the
(de)activation of the PM mechanism and the
remote the “slave”.
source / activated sink / activated The local side transmits the PM cells and the
remote side receives the PM cells. The PM mech-
anism is activated manually on both sides.
both / activated both / activated Both local and remote side transmit and receive
PM cells. The PM mechanism is activated manu-
ally on both sides.
pvcTable/frameRelay Default:-
Range: structure, see below
Use the frameRelay structure in the pvcTable to configure the Frame Relay
related parameters of the corresponding PVC.
Refer to 6.2 - Configuring ATM encapsulation on page 97 for more information on PVCs.
The frameRelay structure contains the following elements:
Element Description
pvcTable/frameRelay/common/lmi Default:-
Range: structure, see below
Use this attribute to select the Local Management Interface (LMI) protocol
and to fine-tune the LMI operation.
Refer to 6.6.5 - Configuring LMI on page 156 for more information on LMI.
The lmi structure contains the following elements:
Element Description
mode Use this element to set the Frame Relay mode. Default:auto
The mode element has the following values: Range: enumerated, see below
If you use the 1424 SHDSL Router in combination with equipment from
another vendor and you set the LMI mode to auto, then the LMI mode on the
other equipment may only be set to user or network to insure valid operation.
• nni. In the LMI context, the 1424 SHDSL Router is both Frame Relay user and
Frame Relay network. This means it can both send and receive Status Enquir-
ies and Status Responses.
In a Network-to-Network Interface (NNI) it is important for the connected Frame
Relay devices that they know which DLCIs are configured on each side. There-
fore, in comparison with the auto setting, one extra step is required before LMI
is declared to be up.
So at initialisation, the 1424 SHDSL Router sends the first Full Status Enquiry
and receives a Full Status Response. Then it waits until it receives a Full Status
Enquiry from the remote before it declares that LMI is up.
Refer to Interaction between the LMI modes on page 563 for an overview of how
the different LMI modes work together.
548 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
type Use this element to set the LMI variant. There are sev- Default:q933-Annex-A
eral standards for the LMI protocol with small varia- Range: enumerated, see below
tions between them. Therefore you should configure
the 1424 SHDSL Router according to the standard that is used by your service pro-
vider.
The type element has the following values:
• lmiRev1. Set this value only for compatibility with older equipment.
• ansiT1-617-d. Set this value for ANSI LMI compliance.
• q933-Annex-A. Set this value for ITU-T LMI compliance.
• frf1-2. Set this value for FRF.1-2 compliance.
pollingInterval Use this element to set the time between consecutive Default:00000d 00h 00m 10s
Status Enquiry messages. Range: 00000d 00h 00m 05s -
00000d 00h 00m 30s
errorTreshold Use this element to set the maximum number of unan- Default:3
swered Status Enquiry messages that the 1424 Range: 1 … 10
SHDSL Router will accept before declaring the DLCI
down. Also see the monitoredEvents element below.
monitoredEvents Use this element to set the number of status polling Default:3
intervals over which the error threshold is counted. Range: 1 … 10
In other words, if the station receives an errorThreshold number of unanswered Sta-
tus Enquiry messages within a monitoredEvents number of pollingInterval intervals, then
the interface is declared down.
Example
expectedPollInterval Use this element to set the maximum time between Default:00000d 00h 00m 15s
two consecutive incoming Status Enquiry messages. Range: 00000d 00h 00m 00s -
Select the value 0 in order to disable verification. 00000d 00h 00m 30s
This element is only relevant when using Frame Relay over a point-to-point link (no
Frame Relay network). In Frame Relay language, a router is normally considered
as a Frame Relay user or DTE. However, if two routers are connected to each
other in Frame Relay but without a real Frame Relay network in between, then the
routers also have to take the role of a Frame Relay network or DCE (refer to the
mode element above). In that case the Status Enquiry messages are sent in both
directions.
fullEnquieryInterval Use this element to set the number of Status Enquiry Default:6
intervals that have to pass before sending a Full Sta- Range: 1 … 255
tus Enquiry message.
1424 SHDSL Router Chapter 11 549
User manual Configuration attributes
vp Default:<empty>
Range: table, see below
Use this attribute to configure the transmission of OAM F4 loopback cells.
The vp table contains the following elements:
Element Description
vpi Use this element to enter the Virtual Path Identifier Default:0
(VPI) of the Virtual Path for which you want to send Range: 0 … 255
the OAM F4 loopback cells.
oamF4PM Use this element to configure the transmission of OAM F4 Performance Monitoring
cells. Refer to OAM Performance Management on page 132.
Refer to pvcTable/atm/oamF5PM on page 543 for a detailed description of the oamF4PM
structure.
All entries in the vp configuration table are considered, even if for a certain VPI number no corresponding
PVC has been configured. In the vp status and performance tables only the information about VPs that
are configured in the vp configuration table is shown. However, the 1424 SHDSL Router does respond
to loopback requests for VPs that are not configured in the vp configuration table but for which a PVC
has been configured.
550 1424 SHDSL Router Chapter 11
User manual Configuration attributes
ima
router1424/dslInterface/channel[wan_1]/atm/ima
imaDifferentialDelay Default:100ms
Range: enumerated, see below
Use this attribute to set the maximum amount of delay that is allowed
between the different DSL line pairs of an IMA group (i.e. the link differential delay tolerance).
The imaDifferentialDelay attribute has the following values: 50ms, 75ms, 100ms, 125ms, 150ms.
imaVersion Default:1.0
Range: 1.0/1.1
Use this attribute to select the IMA version.
There are two IMA versions: 1.0 and 1.1. The IMA version 1.1 is a revision of the IMA version 1.0. The
purpose of this revision is to introduce the IMA PICS proforma and a new version of the IMA MIBs as
well as several minor corrections and clarifications to the content of IMA version 1.0. It is recognized that
interoperability problems were generated by different interpretations of some IMA version 1.0 require-
ments.
For this reason, the ATM Forum encourages the migration to IMA version 1.1. The IMA version 1.1 spec-
ification increments the OAM Label value used in the IMA OAM cells in order to differentiate version 1.1
from version 1.0 IMA units.
txClockMode Default:common
Range: common/independent
This attribute displays the transmit clock mode that is currently being used
by the trasmitter. Possible values are:
Value Description
common This is Common Transmit Clock configuration (CTC). This is a configuration where
the transmit clocks of all the physical links within the IMA group are derived from
the same clock source.
txFrameLength Default:128
Range: enumerated, see below
Use this attribute to set the IMA frame length, in cells, of the transmitter.
The txFrameLength attribute has the following values: 32, 64, 128, 256.
minActiveLinks Default:1
Range: 1 ... 4
Use this attribute to set the minimum amount of DSL line pairs that have to
be up before the IMA group becomes active.
554 1424 SHDSL Router Chapter 11
User manual Configuration attributes
router1424/dslInterface/channel[wan_1]/frameRelay
ip Default:<empty>
Range: structure, see below
Use this attribute to globally configure the IP parameters of the DLCIs. More
specifically, use this attribute to configure the IP related parameters of all the DLCIs for which …
• in the dlciTable no IP address is defined for that specific DLCI,
• and the mode element is set to routing or routingAndBridgning.
If you want to configure the IP related parameters for one specific DLCI, then configure for that DLCI the
ip structure in the dlciTable.
Refer to …
• 5.2 - Configuring IP addresses on page 53 for general information on configuring IP addresses.
• 5.2.3 - Explaining the ip structure on page 56 for a detailed description of the ip structure.
• 6.6.4 - Configuring IP addresses in Frame Relay on page 153 for more specific information on con-
figuring IP addresses in Frame Relay.
556 1424 SHDSL Router Chapter 11
User manual Configuration attributes
dlciTable Default:<empty>
Range: table, see below
Use this attribute to configure the Frame Relay Data Link Connection Iden-
tifiers (DLCIs).
Refer to 6.6.2 - Configuring Frame Relay DLCIs on page 150 for more information on DLCIs.
The dlciTable contains the following elements:
Element Description
mode Use this element to determine whether, for the corre- Default:routing
sponding DLCI, the packets are treated by the routing Range: enumerated, see below
process, the bridging process or both.
The mode element has the following values:
• bridging. All packets received on the DLCI are bridged.
• routing. All packets received on the DLCI are routed.
• routingAndBridging. The SNAP header is checked to determine whether the pack-
ets have to be bridged or routed.
frameRelay Default:-
Range: structure, see below
Use the frameRelay structure to configure the Frame Relay related parame-
ters of the corresponding DLCI.
Refer to …
• 6.6.2 - Configuring Frame Relay DLCIs on page 150 for more information on DLCIs.
• 6.6.6 - Configuring CIR and EIR on page 157 for more information on CIR and EIR.
The frameRelay structure contains the following elements:
Element Description
dlci Use this element to set the Data Link Connection Default:16
Identifier (DLCI). Range: 16 … 1022
The DLCI number may have any value between 16 and 1022. However, if you set
the type element of the lmi structure to q933-Annex-A, you should only use DLCIs up
to 1007.
eir Use this element to set the Excess Information Rate Default:0
for the DLCI. Range: 0 …
The eir is expressed in bps. Enter a multiple of 64000 bps as eir value (e.g. 2048000).
The maximum value is the physical connection towards the Frame Relay network.
If the eir value is set to 0 (default), it means no excess burst is allowed.
The bursts of data that are allowed are the CIR value + EIR value. I.e. If you want
a CIR of 1 Mbps and you want to allow bursts up to 1.5 Mbps, then set the CIR to
1024000 bps and the EIR to 512000 bps.
overhead Use this element to set the amount of overhead you Default:0
want to add to the configured CIR value. The overhead Range: 0 … 50
element is expressed in bytes.
Normally when you specify CIR, you have to make sure that the CIR value you
enter includes the user data (i.e. the payload) and the Frame Relay headers (i.e.
the overhead). However, you could choose to only specify the amount of payload
as CIR value. In that case use the overhead element to specify the amount of over-
head.
Element Description
rxCir Use this element to set the receive Committed Infor- Default:0
mation Rate for the DLCI. Range: 0 …
Whereas the cir element is the Committed Information Rate for the outgoing traffic
on a DLCI, the rxCir element is the Committed Information Rate for the incoming
traffic on a DLCI. So using the latter you can also limit the incoming data stream
on a DLCI.
Also see rxCir, rxEir and rxExcess relationship on page 560.
rxEir Use this element to set the receive Excess Informa- Default:0
tion Rate for the DLCI. Range: 0 …
Whereas the eir element is the Excess Information Rate for the outgoing traffic on
a DLCI, the rxEir element is the Excess Information Rate for the incoming traffic on
a DLCI. So using the latter you can also limit the incoming data stream on a DLCI.
Also see rxCir, rxEir and rxExcess relationship on page 560.
1424 SHDSL Router Chapter 11 559
User manual Configuration attributes
Element Description
Value All data above the rxCir rate but below the rxCir+rxEir
rate is …
discard dropped.
ignore passed.
The following table shows the rxCir, rxEir and rxExcess relationship:
0 any value any value This is the default situation. In this case the
incoming bandwidth is not checked.
different from 0 any value discard All data above the rxCir rate is discarded
(and counted as ifOutDiscards).
different from 0 any value setDeBit All data between the rxCir and rxCir+rxEir rate
is marked Discard Eligible. All data above
the rxCir+rxEir rate is discarded (and
counted as ifOutDiscards).
different from 0 any value ignore All data between the rxCir and rxCir+rxEir rate
is passed. All data above the rxCir+rxEir rate
is discarded (and counted as ifOutDiscards).
1424 SHDSL Router Chapter 11 561
User manual Configuration attributes
lmi Default:-
Range: structure, see below
Use this attribute to select the Local Management Interface (LMI) protocol
and to fine-tune the LMI operation.
Refer to 6.6.5 - Configuring LMI on page 156 for more information on LMI.
The lmi structure contains the following elements:
Element Description
mode Use this element to set the Frame Relay mode. Default:auto
The mode element has the following values: Range: enumerated, see below
If you use the 1424 SHDSL Router in combination with equipment from
another vendor and you set the LMI mode to auto, then the LMI mode on the
other equipment may only be set to user or network to insure valid operation.
• nni. In the LMI context, the 1424 SHDSL Router is both Frame Relay user and
Frame Relay network. This means it can both send and receive Status Enquir-
ies and Status Responses.
In a Network-to-Network Interface (NNI) it is important for the connected Frame
Relay devices that they know which DLCIs are configured on each side. There-
fore, in comparison with the auto setting, one extra step is required before LMI
is declared to be up.
So at initialisation, the 1424 SHDSL Router sends the first Full Status Enquiry
and receives a Full Status Response. Then it waits until it receives a Full Status
Enquiry from the remote before it declares that LMI is up.
Refer to Interaction between the LMI modes on page 563 for an overview of how
the different LMI modes work together.
562 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
type Use this element to set the LMI variant. There are sev- Default:q933-Annex-A
eral standards for the LMI protocol with small varia- Range: enumerated, see below
tions between them. Therefore you should configure
the 1424 SHDSL Router according to the standard that is used by your service pro-
vider.
The type element has the following values:
• lmiRev1. Set this value only for compatibility with older equipment.
• ansiT1-617-d. Set this value for ANSI LMI compliance.
• q933-Annex-A. Set this value for ITU-T LMI compliance.
• frf1-2. Set this value for FRF.1-2 compliance.
pollingInterval Use this element to set the time between consecutive Default:00000d 00h 00m 10s
Status Enquiry messages. Range: 00000d 00h 00m 05s -
00000d 00h 00m 30s
errorThreshold Use this element to set the maximum number of unan- Default:3
swered Status Enquiry messages that the 1424 Range: 1 … 10
SHDSL Router will accept before declaring the DLCI
down. Also see the monitoredEvents element.
monitoredEvents Use this element to set the number of status polling Default:4
intervals over which the error threshold is counted. Range: 1 … 10
In other words, if the station receives an errorThreshold number of unanswered Sta-
tus Enquiry messages within a monitoredEvents number of pollingInterval intervals, then
the interface is declared down.
Example
expectedPollInterval Use this element to set the maximum time between Default:00000d 00h 00m 15s
two consecutive incoming Status Enquiry messages. Range: 00000d 00h 00m 00s -
Select the value 0 in order to disable verification. 00000d 00h 00m 30s
This element is only relevant when using Frame Relay over a point-to-point link (no
Frame Relay network). In Frame Relay language, a router is normally considered
as a Frame Relay user or DTE. However, if two routers are connected to each
other in Frame Relay but without a real Frame Relay network in between, then the
routers also have to take the role of a Frame Relay network or DCE (refer to the
mode element). In that case the Status Enquiry messages are sent in both direc-
tions.
fullEnquiryInterval Use this element to set the number of Status Enquiry Default:6
intervals that have to pass before sending a Full Sta- Range: 1 … 255
tus Enquiry message.
1424 SHDSL Router Chapter 11 563
User manual Configuration attributes
The following table shows how the different LMI modes work together when two routers are connected
to each other over a Frame Relay network:
noLmi noLmi up up up up no no
modeLearnedDlci Default:routing
Range: enumerated, see below
If the Frame Relay network supports LMI, then the 1424 SHDSL Router can
learn its active and inactive DLCIs. Use this attribute to determine whether, for learned DLCIs, the pack-
ets are treated by the routing process, the bridging process or both.
The modeLearnedDlci attribute has the following values:
Value Description
routingAndBridging The SNAP header is checked to determine whether the packets have to be bridged
or routed.
delayOptimisation Default:none
Range: none / lowSpeedLinks
Use this attribute to reduce the delay on low speed links. Especially if these
links have to transport delay sensitive data (e.g. voice over IP).
fragmentation Default:-
Range: structure, see below
Use this attribute to enable or disable Frame Relay fragmentation on (phys-
ical) interface level. Refer to What is interface Frame Relay fragmentation? on page 148.
The fragmentation structure contains the following elements:
Element Description
mru Default:1560
Range: 500 … 1650
Use this attribute to set the Maximum Receive Unit (MRU) of the interface.
What is MRU?
The Maximum Receive Unit (MRU) is the largest size packet or frame, specified in octets (eight-bit
bytes), that can be received in a packet- or frame-based network (e.g. the Internet).
566 1424 SHDSL Router Chapter 11
User manual Configuration attributes
router1424/dslInterface/channel[wan_1]/atm/pvcTable/ppp
router1424/lanInterface/pppoEClient/ppp
router1424/wanEfm/efm/pppoEClient/ppp
compression Default:disabled
Range: enumerated, see below
Use this attribute to enable or disable the compression of PPP encapsu-
lated packets.
The compression attribute has the following values:
Value Description
predictor1 PPP compression is done using the Predictor type 1 compression algorithm (RFC
1978). Using compression you can increase the throughput on PPP links.
568 1424 SHDSL Router Chapter 11
User manual Configuration attributes
linkMonitoring Default:-
Range: structure, see below
Use this attribute to enable or disable link monitoring and to fine-tune it.
Refer to 6.7.5 - Configuring link monitoring on page 169 for more information on link monitoring.
The linkMonitoring structure contains the following elements:
Element Description
interval Use this element to set the time interval between two Default:00000d 00h 00m 10s
consecutive echo requests. Range: 00000d 00h 00m 00s -
24855d 03h 14m 07s
replyTimeOut Use this element to set the time the 1424 SHDSL Default:00000d 00h 00m 02s
Router waits for a reply on the echo request. Range: 00000d 00h 00m 00s -
00000d 00h 04m 15s
If no reply has been received within this time-out, then
the 1424 SHDSL Router considers this as a failed echo request.
failsPermitted Use this element to set the number of failed echo Default:4
requests after which the 1424 SHDSL Router Range: 1 … 30
declares the PPP link down.
Example
authentication Default:disabled
Range: enumerated, see below
Use this attribute to enable or disable authentication on the PPP link.
For more information on PPP authentication, refer to …
• 6.7.6 - Configuring PAP on page 170.
• 6.7.8 - Configuring CHAP on page 173.
Value Description
disabled Authentication is disabled. However, the 1424 SHDSL Router will answer to
authentication requests received from the remote side.
pap This side of the link requests a PAP authentication from the remote router.
chap This side of the link requests a CHAP authentication from the remote router.
chapOrPap This side of the link requests a CHAP or PAP authentication from the remote
router.
If the remote router supports …
• only PAP, then PAP is used.
• only CHAP, then CHAP is used.
• both CHAP and PAP, then CHAP is used.
msChap This side of the link requests an MS CHAP version 1 authentication from the
remote router.
msChapV2 This side of the link requests an MS CHAP version 2 authentication from the
remote router.
sessionName Default:<empty>
Range: 0 … 64 characters
Use this attribute to set the PPP authentication name of the 1424 SHDSL
Router.
For more information on PPP authentication, refer to …
• 6.7.6 - Configuring PAP on page 170
• 6.7.8 - Configuring CHAP on page 173
sessionSecret Default:<empty>
Range: 0 … 64 characters
Use this element to set the PPP authentication secret of the 1424 SHDSL
Router.
For more information on PPP authentication, refer to …
• 6.7.6 - Configuring PAP on page 170
• 6.7.8 - Configuring CHAP on page 173
1424 SHDSL Router Chapter 11 571
User manual Configuration attributes
router1424/wanEfm/efm
name Default:efm
Range: 1 ... 24 characters
Use this attribute to assign an administrative name to the EFM link.
ip Default:-
Range: structure, see below
Use this attribute to configure the IP related parameters of the EFM link.
Refer to …
• 5.2 - Configuring IP addresses on page 53 for general information on configuring IP addresses.
• 5.2.3 - Explaining the ip structure on page 56 for a detailed description of the ip structure.
Important remark
If you set the configuration attribute mode to bridging, then the settings of the configuration attribute ip are
ignored. As a result, if you want to manage the 1424 SHDSL Router via IP, you have to configure an IP
address using the ip attribute in the bridgeGroup object instead: 11.10.1 - Bridge group configuration
attributes on page 772.
mode Default:bridging
Range: enumerated, see below
Use this attribute to determine whether the packets are treated by the rout-
ing process, the bridging process or both.
The mode attribute has the following values:
Value Description
routing The IP packets are routed. All other protocols are discarded.
arp Default:-
Range: structure, see below
Use this attribute to configure the Address Resolution Protocol (ARP)
cache.
The arp structure contains the following elements:
Element Description
timeOut Use this element to set the ageing time of the ARP Default:00000d 02h 00m 00s
cache entries. Refer to The ARP cache time-out. Range: 00000d 00h 00m 00s -
24855d 03h 14m 07s
proxyArp Use this element to enable or disable the proxy ARP Default:enabled
mechanism. Refer to What is proxy ARP?. Range: enabled / disabled
staticArp Use this element to create a fixed link between a MAC address and an IP address.
When set up here, this IP address will always be linked to this MAC address, and
cannot be linked to another one.
The staticArp table contains following elements:
• macAddress. Use this element to fill in the MAC address.
• ipAddress. Use this element to fill in the IP address.
574 1424 SHDSL Router Chapter 11
User manual Configuration attributes
The line interface has been allocated a fixed Ethernet address, also called MAC (Medium Access Con-
trol) address. This MAC address is not user configurable. The IP address of the line interface, on the
other hand, is user configurable. This means that the user associates an IP address with the predefined
MAC address. The MAC address - IP address pairs are kept in a table, called the ARP cache. Refer to
the arpCache status attribute in 12.5.5 - EFM status attributes on page 877 for an example of such a table.
Before the 1424 SHDSL Router sends an IP packet on the line interface, it has to know the MAC address
of the destination device. If the address is not present in the ARP cache table yet, the 1424 SHDSL
Router sends an ARP request on the line to learn the MAC address and associated IP address of the
destination device. This address pair is then written in the ARP cache. Once the address pair is present,
the 1424 SHDSL Router can reference to this pair if it has to send an IP packet to the same device later
on.
Summarised, all the MAC address - IP address pairs from ARP requests and replies received on the line
interface are kept in the ARP cache. However, if devices on the network are reconfigured then this MAC
address - IP address relation may change. Therefore, the ARP cache entries are automatically removed
from the cache after a fixed time-out. This time-out period can be set with the timeOut element.
Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for
another machine. By "faking" its identity, the router accepts responsibility for routing packets to the "real"
destination. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing
or a default gateway.
The advantages and disadvantages of proxy ARP are listed below:
advantages The main advantage of using proxy ARP is that it can be added to a single router
on a network without disturbing the routing tables of the other routers on the net-
work.
Proxy ARP should be used on the network where IP hosts are not configured with
default gateway or does not have any routing intelligence.
disadvantages Hosts have no idea of the physical details of their network and assume it to be a
flat network in which they can reach any destination simply by sending an ARP
request. But using ARP for everything has disadvantages, some of which are listed
below:
• It increases the amount of ARP traffic on your segment.
• Hosts need larger ARP tables to handle IP-to-MAC address mappings.
• Security may be undermined. A machine can claim to be another in order to
intercept packets, an act called "spoofing."
• It does not work for networks that do not use ARP for address resolution.
• It does not generalise to all network topologies (for example, more than one
router connecting two physical networks).
1424 SHDSL Router Chapter 11 575
User manual Configuration attributes
bridging Default:-
Range: structure, see below
Use this attribute to configure the bridging related parameters of the EFM
link.
Refer to …
• 8 - Configuring bridging and VLANs on page 297 for more information on bridging.
• 8.2.6 - Explaining the bridging structure on page 318 for a detailed description of the bridging structure.
bandwidth Default:-
Range: structure, see below
Use this attribute to configure the outbound bandwidth of the EFM link.
This attribute has already been explained in the context of the LAN interface; refer to bandwidth on page 522
for a detailed description.
inboundBandwidth Default:-
Range: structure, see below
Use this attribute to configure the inbound bandwidth of the EFM link.
The inboundBandwidth structure contains the following elements:
• cir.
• correction.
• maxFifoQLen.
• priorityPolicy.
For a detailed description of these elements, refer to inboundBandwidth on page 525; they have already been
explained there in the context of the LAN interface.
vlan Default:<empty>
Range: table, see below
Use this attribute to create and configure VLANs. Refer to 8.3 - Configuring
VLANs on page 325 for an introduction and a step-by-step procedure.
Refer to the vlan configuration attribute of the LAN interface for a detailed description.
priorityPolicy Default:-
Range: 0 ... 24 characters
Use this attribute to apply a priority policy on the EFM link.
Do this by entering the index name of the priority policy you want to use. You can create the priority policy
itself by adding a priorityPolicy object and by configuring the attributes in this object.
Refer to 7.11 - Applying QoS on routed traffic on page 259 for more information on priority policies.
Example
pppoEClient Default:<empty>
Range: table, see below
Use this attribute to establish a PPPoE link over the EFM link. The 1424
SHDSL Router can only act as a client.
If you use PPPoE on your computer, then the IP MTU size has to be limited to 1492 bytes. This is a gen-
eral rule defined in the PPPoE protocol.
The pppoEClient table contains following elements:
Element Description
name Use this element to set the administrative name of the Default:<empty>
PPPoE link. Range: 0 … 24 characters
adminStatus Use this element to set the administrative state of the Default:up
PPPoE link: up or down. Range: up / down
ppp Use this element to configure the PPP related param- Default:-
eters of the PPPoE link. Range: structure, see below
The ppp element contains the following elements: linkMonitoring, authentication, authen-
Period, sessionName and sessionSecret. Refer to 11.5.4 - PPP configuration attributes
on page 566 for a detailed description of these elements.
minActiveLinks Default:1
Range: 1 ... 4
Use this attribute to set the minimum amount of DSL line pairs that have to
be up before the EFM link becomes active.
1424 SHDSL Router Chapter 11 577
User manual Configuration attributes
oam Default:-
Range: structure, see below
Use this attribute to set the EFM OAM mode.
Refer to 6.5.2 - OAM or Operation, Administration and Maintenance on page 143 for more information
on OAM.
The oam structure contains the following element:
Element Description
delayOptimisation Default:disabled
Range: enabled/disabled
Use this attribute to minimize delay over the EFM link when using a priority-
Policy.
Whenever a priority policy is applied on the EFM link, a delay optimisation mechanism is activated auto-
matically in order to guarantee a minimum delay for high priority packets.
578 1424 SHDSL Router Chapter 11
User manual Configuration attributes
router1424/dslInterface/line
router1424/dslInterface/line/linePair[ ]
Note that the linePair[ ] object is not present in the containment tree by default. It must be added manually;
refer to 4.4 - Adding an object to the containment tree on page 45 , this section explains how to. Up to 4
line pairs (1, 2, 3 and 4) can be added.
1424 SHDSL Router Chapter 11 579
User manual Configuration attributes
Important remarks
• When using ATM as encapsulation on the SHDSL line, the following line pair speeds are supported:
- Single pair: all speeds are supported.
- Dual pair: all speeds are supported.
- Three pair: up to 5312Mbits/s per line pair is supported.
- Four pair: up to 3840Mbits/s per line pair supported.
This basically means that, in all cases, a maximum total line speed of up to 16 Mbit/s is supported
when using ATM.
Refer to 6.2 - Configuring ATM encapsulation on page 97 for more information about ATM.
• When using EFM as encapsulation on the SHDSL line, linePair1 must be configured on the central
device. As long as this is not the case, the EFM datapath can never be up.
Refer to 6.5 - Configuring EFM encapsulation on page 141 for more information about EFM.
580 1424 SHDSL Router Chapter 11
User manual Configuration attributes
channel Default:remote
Range: central / remote
Use this attribute to determine which unit is the central unit and which the
remote unit. I.e. it determines which unit acts as master and which as slave during the synchronisation
procedure. Therefore set one device to central and its remote counterpart to remote.
On the 1424 SHDSL Router, the clocking follows the channel attribute:
central internal.
remote slave-receive.
1424 SHDSL Router Chapter 11 581
User manual Configuration attributes
region Default:auto
Range: enumerated, see below
Use this attribute to determine which SHDSL standard is used.
The region attribute has the following values:
Value Description
auto The 1424 SHDSL Router itself determines which standard it has to use.
retrain Default:-
Range: structure, see below
Use this attribute to determine when the 1424 SHDSL Router should retrain.
Criterion Description
no SHDSL frame synchro- When the 1424 SHDSL Router cannot synchronise on the SHDSL fram-
nisation ing, it retrains.
SHDSL frame CRC error SHDSL framing sends 166 blocks per second over the line, independ-
threshold exceeded ently of the speed. Each block has a CRC check. When a certain per-
centage of frames has a CRC error, the 1424 SHDSL Router retrains.
signal to noise ratio too low When the signal to noise ratio becomes too low during a certain period
of time, the 1424 SHDSL Router retrains.
layer 2 protocol not yet up When you connect the 1424 SHDSL Router with a remote SHDSL
device, the 1424 SHDSL Router trains and establishes a layer 1 link with
the remote SHDSL device. Then the 1424 SHDSL Router tries to estab-
lish a layer 2 link (e.g. PPP, FR, ATM). If the layer 2 handshake does not
succeed within 1 minute, then the 1424 SHDSL Router retrains and the
whole process restarts. Also the following message is dumped in the
message table: Retrain due to framer-out-of-sync. However, once
the layer 2 handshake succeeds (layer 2 is up), then a drop of the layer
2 link will not cause a retrain.
1424 SHDSL Router Chapter 11 583
User manual Configuration attributes
Element Description
errorPersistence- Use this element to set the period, in seconds, during Default:10
Time which each retrain criterion is measured. If within this Range: 1 … 30
period the predefined criterion value is equalled or
exceeded, the 1424 SHDSL Router retrains.
errorThreshold Use this element to set the amount of CRC errors, in Default:10
promille, at which the 1424 SHDSL Router should Range: 1 … 1000
retrain. If the amount of CRC errors exceeds this
value, then the 1424 SHDSL Router retrains.
noiseMarginThresh- Use this element to set the noise margin ratio, in dB, Default:0
old which has to be maintained. If the measured noise Range: -2… 15
margin ratio drops below this value, then the 1424
SHDSL Router retrains. It will retrain at a lower speed (because of the deteriorated
line conditions).
The noiseMarginThreshold can be set between -2 and 15dB. When the noiseMargin-
Threshold is 0, this matches an error ratio of 10-6 for the given speed according to
the SHDSL standard. This means that a positive value gives a lower error ratio,
and a negative value gives a higher error ratio.
stepupMargin In case the 1424 SHDSL Router retrains because the Default:disabled
measured signal to noise ratio drops below the Range: 3 … 15
snrThreshold value, then it will retrain at a lower speed
(because of the deteriorated line conditions).
If after this retrain the measured signal to noise value increases again with a value
as configured in the stepupMargin element, then the 1424 SHDSL Router retrains
again in order to achieve a higher speed.
584 1424 SHDSL Router Chapter 11
User manual Configuration attributes
startupMargin Default:2dB
Range: enumerated, see below
Use this attribute to set the target margin in function of which a line speed
has to be selected during the ITU-T G.994.1 auto speed negotiation.
The startupMargin attribute is only relevant in case on both the central and remote 1424 SHDSL Router (or
any other compatible SHDSL device) a speed range is selected. In other words, the startupMargin attribute
has no function in case a fixed speed is selected (i.e. minLinePairSpeed = maxLinePairSpeed); in all other
cases, it will be used to decide which line speed to use.
The higher the startupMargin, the lower the selected line speed but the more stable the line will be. The
startupMargin attribute has the following values: disabled, 0dB, 1dB, 2dB, 3dB, 4dB, 5dB, 6dB, 7dB, 8dB, 9dB, 10dB.
When you set the startupMargin to disabled, the target margin is not considered during the ITU-T G.994.1
auto speed negotiation. I.e. all the speeds in the range as set with the attributes minLinePairSpeed and max-
LinePairSpeed are available.
The target margin is the amount of received signal power in excess of that required to achieve the DSL
target bit error rate of 10-7.
1424 SHDSL Router Chapter 11 585
User manual Configuration attributes
minLinePairSpeed Default:192kbps
Range: enumerated, see below
Use this attribute to set the lowest linepair speed the 1424 SHDSL Router
may select. The minLinePairSpeed attribute has the following values: 192kbps up to 5696kbps in steps of
64kbps.
Refer to 5.4.2 - Selecting an SHDSL line speed (range) on page 77 for more information.
maxLinePairSpeed Default:5696kbps
Range: enumerated, see below
Use this attribute to set the highest linepair speed the 1424 SHDSL Router
may select. The maxLinePairSpeed attribute has the following values: 192kbps up to 5696kbps in steps of
64kbps.
Refer to 5.4.2 - Selecting an SHDSL line speed (range) on page 77 for more information.
586 1424 SHDSL Router Chapter 11
User manual Configuration attributes
name Default:o10-PathManagement
Range: enumerated, see below
Use this attribute to assign an administrative name to the line.
modulation Default:auto
Range: enumerated, see below
Use this attribute to set the modulation that will be used on the line.
The modulation attribute has the following values:
Value Description
auto When using this value, the modulation will be determined automatically.
This is the default value, and will suffice in practically all cases.
tc-pam16 When using tc-pam16, the line rate is limited from 192kbps to 3840kbps. Use this
when the remote device is a G.SHDSL device.
tc-pam32 When using tc-pam32, the line rate is limited from 768kbps to 5696kbps. Use this
when the remote device is a G.SHDSL.bis device.
compatibility Default:-
Range: structure
This attribute has been added for inter vendor compatibility.
For detailed information about this structure, contact OneAccess Support.
remark Default:-
Range: 0 … 64 characters
Use this attribute to write down any text, message, remark, etc. of up to 64
characters.
1424 SHDSL Router Chapter 11 587
User manual Configuration attributes
autoConfig Default:-
Range: structure, see below
Use this attribute to enable the automatic configuration of the line pairs of
the 1424 SHDSL Router, based on the remote device: the 1424 SHDSL Router detects the DSLAM con-
figuration and then sets the appropriate parameters for the G.SHDSL lines.
This automatic configuration will only occur when the 1424 SHDSL Router is configured as CPE device,
and running in ATM.
The autoconfig structure contains the following elements:
Element Description
initialWireMode Use this element to set the preferred initial startup Default:multiPair
mode, single pair or multi-pair mode. Range: singlePair/multiPair
When a connection is set up, the handshake can be done using a single line pair,
or multiple line pairs.
The 1424 SHDSL Router retrieves the line parameters from the DSLAM and ini-
tializes the G.SHDSL line according to the retrieved parameters.
Remark:
When the SHDSL parameters have been retrieved from the remote device via the autoConfig functionality,
the configuration remains as it has been set, even when a line pair is disconnected or interrupted.
For example:
• When a 1424 SHDSL Router is connected to a 4 wire DSLAM, the autoConfig mechanism will also con-
figure it for 4 wires.
• If the second line pair is interrupted or breaks down, the SHDSL configuration of the 1424 SHDSL
Router remains for 4 wires; there is no automatic fallback mechanism.
Conclusion: the autoConfig mechanism sets the SHDSL parameters according to the configuration of the
remote device, not according to the actual lines that are connected to the device.
588 1424 SHDSL Router Chapter 11
User manual Configuration attributes
linkAlarmThresholds Default:-
Range: structure, see below
Use this attribute to set the alarm threshold values of the most important line
parameters. If this predefined threshold value is exceeded, then a corresponding alarm is generated.
The linkAlarmThresholds structure contains the following elements:
Element Description
lineAttenuationOn Use this element to set the alarm threshold value of Default:0.0
the line attenuation in dB. If the line attenuation … Range: 0.0 … 63.5
• exceeds this value during at least 10 seconds, then the lineAttenuation alarm is
raised.
• drops below this value during at least 10 seconds, then the lineAttenuation alarm
is cleared.
signalNoiseOn Use this element to set the alarm threshold value of Default:0.0
the signal noise in dB. If the signal noise … Range: 0.0 … 58.4
• drops below this value during at least 10 seconds, then the signalNoise alarm is
raised.
• exceeds this value during at least 10 seconds, then the signalNoise alarm is
cleared.
errSecOn Use this element to set the alarm threshold value of Default:00000d 00h 00m 36s
the erroneous seconds in days, hours, minutes and Range: 00000d 00h 00m 00s -
seconds. If the amount of erroneous seconds … 00000d 18h 12m 15s
• exceeds this value within a 15 minutes period1, then the errSecExceeded alarm is
raised.
• drops below this value within a 15 minutes period, then the errSecExceeded alarm
is cleared.
sevErrSecOn Use this element to set the alarm threshold value of Default:00000d 00h 00m 02s
the severely erroneous seconds in days, hours, min- Range: 00000d 00h 00m 00s -
utes and seconds. If the amount of severely errone- 00000d 18h 12m 15s
ous seconds …
• exceeds this value within a 15 minutes period1, then the sevErrSecExceeded
alarm is raised.
• drops below this value within a 15 minutes period, then the sevErrSecExceeded
alarm is cleared.
1. The 15 minutes periods run synchronous with the 15 minutes periods of the router1424/wanInter-
face/line/h2Line performance attribute.
Because alarms are raised or cleared within 15 minutes periods, there is a delay in the alarm
status. For example, suppose that in the first minute of a 15 minutes period the errSecOn value
is exceeded, then the errSecRatioExceeded alarm is raised. The alarm stays on for the remainder
of the 15 minutes period. The alarm is only cleared if also in the next 15 minutes period the
errSecOn value is not exceeded.
1424 SHDSL Router Chapter 11 589
User manual Configuration attributes
numExpectedRepeaters Default:0
Range: 0 … 8
Use this attribute to set the number of Crocus SHDSL Repeaters that the
1424 SHDSL Router can expect to find on the SHDSL line. If the actual number of repeaters does not
match the number you entered in the numExpectedRepeaters attribute, then the invalidNumRepeaters alarm is
raised.
eocHandling Default:none
Range: enumerated, see below
SHDSL devices can communicate with each other through the Embedded
Operations Channel (EOC). Use the eocHandling attribute to define the handling of the EOC messages.
Refer to 5.5.3 - Controlling the standard EOC message exchange on page 81 for more information.
management Default:o10-PathManagement
Range: enumerated, see below
Use this attribute to determine whether and which management data is for-
warded over the SHDSL line.
Refer to 5.5.2 - Controlling the proprietary EOC message exchange on page 80 for more information.
590 1424 SHDSL Router Chapter 11
User manual Configuration attributes
snmpIndexOffset
Use this attribute to correct the snmpIndex, in order to let it keep the same value as before, after a manually
added object has been removed from the containment tree. Refer to 5.3.7 - Introducing attributes snmpIn-
dex and snmpIndexOffset on page 74 for more information.
<alarmConfigurationAttributes>
This section lists the configuration attributes that are present in the different profiles.
The following gives an overview of this section:
• 11.7.1 - IP traffic policy configuration attributes on page 592
• 11.7.2 - Bridging traffic policy configuration attributes on page 603
• 11.7.3 - Priority policy configuration attributes on page 605
592 1424 SHDSL Router Chapter 11
User manual Configuration attributes
router1424/profiles/policy/traffic/ipTrafficPolicy[ ]
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
1424 SHDSL Router Chapter 11 593
User manual Configuration attributes
method Default:trafficShaping
Range: enumerated, see below
Use this attribute to choose an IP traffic policy method. This IP traffic policy
is then used to …
• determine, on traffic overload conditions, how and which queues are filled with the “excess” data.
Refer to 7.11 - Applying QoS on routed traffic on page 259.
• do policy based routing. Refer to 7.4 - Configuring policy based routing on page 197.
• filter data on an interface. Refer to 9.2 - Configuring the access restrictions on page 370.
Value Description
tosDiffServ The data is redirected to the queues based on DiffServ (refer to RFC 2597) regard-
ing class and drop precedence. Refer to What is AF PHB? on page 264.
This means that, depending on their DSCP field in the TOS byte, some packets
are moved to other queues and/or dropped sooner than other packets in case the
queue is full.
The highest 3 bits of the DSCP field are mapped as follows:
The next 2 bits of the DSCP field define the drop levels:
00 and 01 dropLevel1
10 dropLevel2
11 dropLevel3
Refer to the attribute dropLevels on page 598 for more information on drop levels.
594 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Value Description
Refer to the attribute tos2QueueMapping on page 600 for more information on TOS to
queue mapping.
Refer to the attribute queue2QueueMapping on page 601 for more information on queue
to queue mapping.
1424 SHDSL Router Chapter 11 595
User manual Configuration attributes
trafficShaping Default:<empty>
Range: table, see below
The function of this attribute is threefold:
• Traffic and priority policing
In case you have set the method attribute to trafficShaping, then use the trafficShaping table to specify
which data has to be redirected to which queue. If an overload condition occurs, then a packet is redi-
rected to the specified queue when the criteria as specified in the trafficShaping table are met.
Refer to 7.11 - Applying QoS on routed traffic on page 259.
• Policy based routing
In case you have set the method attribute to trafficShaping, then use the trafficShaping table to specify
which data has to be redirected to which interface or gateway. Packets are redirected to the specified
interface or gateway when the criteria as specified in the trafficShaping table are met.
Refer to 7.4 - Configuring policy based routing on page 197.
• Extended access list
In case you have set the method attribute to trafficShaping, then use the trafficShaping table to specify
which data is forwarded. Packets are forwarded when the criteria as specified in the trafficShaping table
are met. If more than one entry applies to the same packet, then the entry which has the narrowest
filter range (when looking at the filter criteria from left to right) is chosen.
Refer to 9.2 - Configuring the access restrictions on page 370.
Important remarks
• By default, the entries in the trafficShaping table are “allow” rules. I.e. only the traffic defined in the table
is permitted, all other traffic is discarded (independent whether the traffic shaping table is used as an
access list, for priority policing or policy based routing). However, you can inverse an entry making it
a “deny” rule by entering “discard” as value of the interface element.
• If more than one entry applies to the same packet, then the entry which has the narrowest filter range
(when looking at the filter criteria from left to right) is chosen. For example: two rows in the trafficShaping
table apply to the same packet, but row 1 wants to forward packets to queue 3 and row 2 wants to
forward packets to the low delay queue. In that case, first the IP source address is considered. The
row with the smallest range wins. If the ranges are exactly the same, then the IP destination address
is considered. And so on. Should the two rows be completely identical except for the queue, then one
of the rows is chosen at random.
• You do not necessarily have to fill in IP addresses in the trafficShaping table. It is perfectly valid to filter
on IP protocol, IP protocol/port combination or TOS values only.
• If the IP protocol is set to any, and one of the sourcePortStart, destinationPortStart, sourcePortEnd, or destina-
tionPortEnd parameters is non-default, then this entry is internally split into 2 seperate entries : one with
protocol TCP and one with protocol UDP.
• If the IP protocol is set to a different value than any, UDP or TCP, the sourcePortStart, destinationPortStart,
sourcePortEnd, and destinationPortEnd parameterss are ignored.
596 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
name Use this element to assign a useful name for each Default:<empty>
entry in the trafficShaping table, for example allow http. Range: 0 … 24 characters
tosStartValue Use these elements to set the TOS byte value. Default:any(start)/optional(end)
Packets that fall within the specified range are for- Range: 0 … 256
tosEndValue
warded and queued if applicable.
ipProtocol Use this element to set the protocol field from the IP Default:any
header. Range: 0 … 255
Packets that have the specified protocol field are forwarded and queued if applica-
ble.
You can specify the protocol by typing the protocol number. For ease of use, some
common protocols can be selected from a drop-down box: any (0), ICMP (1), IGMP
(2), IPinIP (4), TCP (6), EGP (8), IGP (9), UDP (17), RSVP (46), IGRP (88), OSPFIGP (89),
TCPestablished (255).
sourcePortStart Use these elements to set the source port as specified Default:any(start)/optional(end)
in the UDP / TCP headers. Range: 0 … 65535
sourcePortEnd
Packets that fall within the specified range are forwarded and queued if applicable.
You can specify the port by typing the protocol number. For ease of use, some
common port numbers can be selected from a drop-down box: any or optional (0),
echo (7), discard (9), ftp-data (20), ftp (21), telnet (23), smtp (25), domain (53), www-http
(80), pop3 (110), nntp (119), snmp (161), snmptrap (162), z39.50 (210), syslog (514),
router (520), socks (1080), I2tp (1701), OneAccess (1728).
Note that the predefined “echo” value is a UDP port. It has nothing to do with
ICMP echo.
Element Description
newTosValue Use this element to set the new TOS byte value. Default:unchanged
When you select a new TOS byte value, then a packet Range: 0 … 256
that matches an entry in the trafficShaping table its TOS byte value is changed.
Selecting unchanged, leaves the TOS byte value as it is.
priority Use this element to set the destination queue for a Default:queue1
packet matching an entry in the trafficShaping table. Range: enumerated, see below
In case an overload condition occurs, then a packet that matches an entry in the
trafficShaping table is sent to the specified queue.
The priority element has the following values: queue1, queue2, queue3, queue4, queue5,
lowDelayQueue.
interface Use this element to set the destination interface for a Default:<empty>
packet matching an entry in the trafficShaping table. Range: 0 … 24 characters
This is policy based routing.
Type the name of the interface in the interface element, e.g. lan.
Note that by default, the entries in the trafficShaping table are “allow” rules. I.e. only
the traffic defined in the table is permitted, all other traffic is discarded (independ-
ent whether the traffic shaping table is used as an access list, for priority policing
or policy based routing). However, you can inverse an entry making it a “deny” rule
by entering “discard” as value of the interface element.
gateway Use this element to set the gateway for a packet Default:<opt>
matching an entry in the trafficShaping table. This is pol- Range: up to 255.255.255.255
icy based routing.
Except for the ipProtocol, newTosValue and priority elements, it is possible to specify ranges using the start
and end values. There are two special cases:
• A start value is entered, but no end value ⇒ an exact match is needed for the start value.
• Neither a start nor an end value is entered ⇒ the field is not checked.
598 1424 SHDSL Router Chapter 11
User manual Configuration attributes
dropLevels Default:-
Range: table, see below
Use this attribute to define for each user configurable queue, how many
packets may be queued before they are dropped.
The dropLevels table contains the following elements:
Element Description
dropLevel1 Use this element to set the maximum length (drop Default:100
level 1), in packets, of each user configurable queue. Range: 1 … 3000
In case you set the attribute method to …
• trafficShaping or tosMapped, then only this drop level is relevant.
• tosDiffServ, then this drop level corresponds with the drop level bits value 00 and
01.
dropLevel2 Use this element to set the maximum length (drop Default:100
level 2), in packets, of each user configurable queue. Range: 1 … 3000
In case you set the attribute method to …
• trafficShaping or tosMapped, then this drop level is not relevant.
• tosDiffServ, then this drop level corresponds with the drop level bits value 10.
dropLevel3 Use this element to set the maximum length (drop Default:100
level 3), in packets, of each user configurable queue. Range: 1 … 3000
In case you set the attribute method to …
• trafficShaping or tosMapped, then this drop level is not relevant.
• tosDiffServ, then this drop level corresponds with the drop level bits value 11.
Examples
Suppose …
• method is set to trafficShaping or tosMapped.
• for queue 1 you set maxLength1 = 1000, for queue 2 to 500, for queue 3 to 3000, for queue 4 to 1000
and for queue 5 to 200.
In this case, packets are dropped when the amount of packets in the queue exceeds the amount as
specified with the maxLength1 element.
1424 SHDSL Router Chapter 11 599
User manual Configuration attributes
Suppose …
• method is set to tosDiffServ.
• for queue 1 you set maxLength1 = 100, maxLength2 = 200 and maxLength3 = 50.
tos2QueueMapping Default:<empty>
Range: table, see below
• Traffic and priority policing
In case you have set the method attribute to tosMapped, then use the tos2QueueMapping table to specify
which data has to be redirected to which queue. If an overload condition occurs, then a packet is redi-
rected to the specified queue when the criteria as specified in the tos2QueueMapping table are met.
Refer to 7.11 - Applying QoS on routed traffic on page 259.
• Policy based routing
In case you have set the method attribute to tosMapped, then use the tos2QueueMapping table to specify
which data has to be redirected to which interface or gateway. Packets are redirected to the specified
interface or gateway when the criteria as specified in the tos2QueueMapping table are met.
Refer to 7.4 - Configuring policy based routing on page 197.
Element Description
startTos Use these elements to set the TOS byte value. Default:0 (start) / 255 (end)
endTos Packets that have a TOS byte value within the speci- Range: 0 … 255
fied range are redirected to the targetQueue.
interface Use this element to set the destination interface for a Default:<empty>
packet matching an entry in the tos2QueueMapping Range: 0 … 24 characters
table. This is policy based routing.
Type the name of the interface in the interface element, e.g. lan.
gateway Use this element to set the gateway for a packet Default:<opt>
matching an entry in the tos2QueueMapping table. This Range: up to 255.255.255.255
is policy based routing.
1424 SHDSL Router Chapter 11 601
User manual Configuration attributes
queue2QueueMapping Default:<empty>
Range: table, see below
• Traffic and priority policing
In case you have set the method attribute to queueMapped, then use the queue2QueueMapping table to
specify which data has to be redirected to which queue. If an overload condition occurs, then a packet
is redirected to the specified queue when the criteria as specified in the queue2QueueMapping table are
met.
Refer to 7.11 - Applying QoS on routed traffic on page 259.
• Policy based routing
In case you have set the method attribute to queueMapped, then use the queue2QueueMapping table to
specify which data has to be redirected to which interface or gateway. Packets are redirected to the
specified interface or gateway when the criteria as specified in the queue2QueueMapping table are met.
Refer to 7.4 - Configuring policy based routing on page 197.
Element Description
queue Use this element to set the current colouring of the Default:any
packets. Range: enumerated, see below
Packets that have a certain colouring are redirected to the targetQueue.
The queue element has the following values: queue1, queue2, queue3, queue4, queue5,
lowDelayQueue, any.
interface Use this element to set the destination interface for a Default:<empty>
packet matching an entry in the queue2QueueMapping Range: 0 … 24 characters
table. This is policy based routing.
Type the name of the interface in the interface element, e.g. lan.
gateway Use this element to set the gateway for a packet Default:<opt>
matching an entry in the queue2QueueMapping table. Range: up to 255.255.255.255
This is policy based routing.
602 1424 SHDSL Router Chapter 11
User manual Configuration attributes
snmpIndexOffset Default:0
Range: 0 ... 65535
Use this attribute to correct the snmpIndex, in order to let it keep the same
value as before, after a manually added object has been removed from the containment tree. Refer to
5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more information.
vrfRouter Default:<empty>
Range: 0 … 24 characters
Use this attribute to apply the traffic policy on a VRF router.
Do this by entering the index name of the VRF Router you want the traffic policy to apply on. To create
a VRF Router, a vrfRouter[ ] object must be added and configured; refer to:
• 4.4 - Adding an object to the containment tree on page 45
• 7.10 - Configuring Virtual Routing and Forwarding or VRF on page 254
• 11.9.13 - Virtual Routing and Forwarding (VRF) configuration attirbutes on page 769
1424 SHDSL Router Chapter 11 603
User manual Configuration attributes
Although a bridging traffic policy can still be configured, the preferred way to manipulate bridged traffic,
is to make use of access lists. These allow for extra configuration possiblities compared to bridge traffic
policies.
Refer to ...
• 8.5 - Bridge traffic classification by filtering on page 344,
• 8.6 - Bridge traffic classification by applying QoS on bridged traffic on page 352and
• 11.10.2 - Bridge access list configuration attributes on page 786
... for more information.
router1424/profiles/policy/traffic/bridgingTrafficPolicy[ ]
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
604 1424 SHDSL Router Chapter 11
User manual Configuration attributes
vlanPriorityMap Default:-
Range: structure, see below
Use this attribute to impose a bridging traffic policy on the bridged VLAN
frames received by the 1424 SHDSL Router.
Each VLAN frame has a certain priority (this is specified in the 802.1P part of the 802.1Q header of the
VLAN frame). In case a traffic overload condition occurs and in case you imposed this traffic policy on a
certain interface, then the VLAN frames are sent to a queue. Using the vlanPriorityMap attribute, you can
specify which VLAN frame is sent to which queue based on the priority of the VLAN frame.
The vlanPriorityMap structure contains the following elements:
Element Description
priority0 Use these elements to define which priority corresponds with which queue. The
… possible queues are: queue1 up to queue5 and lowDelayQueue. To empty these
queues, specify a priority policy.
priority7
Frames that are not tagged are all considered to have priority 0.
$
Refer to 8 - Configuring bridging and VLANs on page 297 for more information on
traffic policy, priority policy and priority queuing.
dropLevels Default:-
Range: table, see below
Use this attribute to define for each user configurable queue, how many
packets may be queued before they are dropped.
The dropLevels table contains the following element:
Element Description
dropLevel1 Use this element to set the maximum length, in pack- Default:100
ets, of each user configurable queue. Range: 1 … 3000
snmpIndexOffset Default:0
Range: 0 ... 65535
Use this attribute to correct the snmpIndex, in order to let it keep the same
value as before, after a manually added object has been removed from the containment tree. Refer to
5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more information.
1424 SHDSL Router Chapter 11 605
User manual Configuration attributes
router1424/profiles/policy/priority/priorityPolicy[ ]
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
606 1424 SHDSL Router Chapter 11
User manual Configuration attributes
algorithm Default:fifo
Range: enumerated, see below
Use this attribute to determine how and which queues are emptied.
Whenever a priority policy is applied on an interface, a delay optimisation mechanism is activated auto-
matically in order to guarantee a minimum delay for high priority packets.
This applies to all types of priority policies, except fifo.
Value Description
fifo This is a First In First Out queue. The data that enters the queue first, also leaves
the queue first. This is the fastest but most superficial queuing mechanism.
You can change the maximum length of the FIFO queue on an interface using the
configuration attribute maxFifoQLen.
roundRobin This is a priority queuing mechanism. In this case, all user configurable queues
containing data have an equal weight. In other words, if all the user configurable
queues contain data, they are addressed in turns. The low delay has a higher pri-
ority, it is addressed between every user configurable queue. The system queue
has absolute priority, it is emptied as soon as it contains data.
• Queues 1 up to 5: user configurable queues. These queues are addressed in
turns.
• Queue 6: low delay queue. This queue is addressed between every user con-
figurable queue.
• Queue 7: system queue. This queue has absolute priority over all other queues.
As soon as it contains data, it is emptied.
absolutePriority This is a priority queuing mechanism. In this case, queues with a high priority have
absolute priority over queues with a low priority. In other words, no lower priority
queue is emptied as long as a higher priority queue contains data.
The priority of the queues runs parallel to the queue number. I.e. the user config-
urable queue number 1 has the lowest priority, whereas the system queue
(number 7) has the highest priority.
• Queues 1 up to 5: user configurable queues. Queue 1 has the lowest priority
whereas queue 5 has the highest priority. A lower priority queue is only emptied
in case no higher priority queue contains data.
• Queue 6: low delay queue. This queue is only emptied in case the system
queue contains no data.
• Queue 7: system queue. This queue has absolute priority over all other queues.
As soon as it contains data, it is emptied.
Note that there is a risk of starvation. This means that it is possible that the
lower priority queues are never emptied because a higher priority queue
continuously receives data.
1424 SHDSL Router Chapter 11 607
User manual Configuration attributes
Value Description
weightedFair- This is a priority queuing mechanism. In this case, the user configurable queues
Queueing are addressed based on their weight. The low delay has a higher priority, it is
addressed between every user configurable queue. The system queue has abso-
lute priority, it is emptied as soon as it contains data.
• Queues 1 up to 5: user configurable queues. These queues are addressed
based on their weight. The weight can be configured in the queueConfigurations
attribute.
• Queue 6: low delay queue. This queue is addressed between every user con-
figurable queue.
• Queue 7: system queue. This queue has absolute priority over all other queues.
As soon as it contains data, it is emptied.
countingPolicy Default:bytes
Range: enumerated, see below
Use this attribute to define whether the quotum of the queues is expressed
in bytes or packets.
queueConfigurations Default:<empty>
Range: table, see below
Use this attribute to …
• set the number of bytes/packets that is dequeued from the user configurable queue when the queue
is addressed.
• set the relative importance of the user configurable queues.
Element Description
weight Use this element to set the relative importance of the Default:1
user configurable queues. Range: 1 … 10
The weight element is only relevant in case the algorithm attribute is set to weighted-
FairQueueing.
Example
Suppose queue 1 has weight 2, queue 2 has weight 1 and both queues contain
data. In that case the queues are emptied in the following order: queue 1 → queue
1 → queue 2 → queue 1 → queue 1 → queue 2 → etc.
Refer to 7.11.2 - Introducing traffic and priority policy on page 262 for more information on queues.
lowdelayQuotum Default:1500
Range: 1 … 25000
Use this attribute to set the number of bytes/packets that is dequeued from
the low delay queue when the queue is addressed. The unit of the quotum (bytes or packets) can be set
with the countingPolicy attribute.
Refer to 7.11.2 - Introducing traffic and priority policy on page 262 for more information on queues.
1424 SHDSL Router Chapter 11 609
User manual Configuration attributes
bandwidth Default:-
Range: table, see below
Use this attribute to set the bandwidth per queue.
The bandwidth table contains the following elements:
Element Description
eir Use this element to set the Excess Information Rate Default:0
(EIR), in bits per second, of the different queues. Range: 0 … 2147483647
Traffic above the cir value is accepted up to a maximum rate of cir + eir if there is
sufficient bandwidth available, e.g. because there is currently no higher priority
traffic on the outbound interface.
unit Use this element to set how the cir and eir values are Default:bits/sec
expressed: either in bits/sec or percent. Range: enumerated, see below
tc Default:50
Range: 50 ... 1000
Use this attribute to set the time interval with which the CIR/EIR quota on
the queues is updated.
The default value is 50 ms; the user can change this interval to any multiple of 50 ms ranging from 50
ms up to 1 sec.
snmpIndexOffset Default:0
Range: 0 ... 65535
Use this attribute to correct the snmpIndex, in order to let it keep the same
value as before, after a manually added object has been removed from the containment tree. Refer to
5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more information.
610 1424 SHDSL Router Chapter 11
User manual Configuration attributes
This section describes the configuration attributes of the different bundles that you can set up on the
1424 SHDSL Router.
The following gives an overview of this section:
• 11.8.1 - PPP bundle configuration attributes on page 611
1424 SHDSL Router Chapter 11 611
User manual Configuration attributes
router1424/bundle/pppBundle[ ]
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
612 1424 SHDSL Router Chapter 11
User manual Configuration attributes
members Default:<empty>
Range: table, see below
Use this attribute to make the WAN interface a part of the PPP bundle. Do
this by adding one entry to the members table and by typing “wan” as value of the interface element.
Note that in case you run PPP over ATM (PPPoA) you can also create PPP bundles. In that case, just
type the name of the ATM PVC as value of the interface element in the members table.
Refer to 6.7.11 - Setting up multilink PPP on page 177 for more information on how to set up a PPP bun-
dle.
mode Default:bridging
Range: enumerated, see below
Use this attribute to determine whether the packets are treated by the rout-
ing process, the bridging process or both.
The mode attribute has the following values:
Value Description
bridging All packets received on the PPP bundle are bridged. BCP is set up.
routing All packets received on the PPP bundle are routed. IPCP is set up.
routingAndBridging The SNAP header is checked to determine whether the packets have to be bridged
or routed. IPCP and BCP are set up.
ip Default:<empty>
Range: structure, see below
Use this attribute to configure the IP related parameters of the PPP bundle.
Refer to …
• 5.2 - Configuring IP addresses on page 53 for general information on configuring IP addresses.
• 5.2.3 - Explaining the ip structure on page 56 for a detailed description of the ip structure.
bridging Default:-
Range: structure, see below
Use this attribute to configure the bridging related parameters of the PPP
bundle.
Refer to …
• 8 - Configuring bridging and VLANs on page 297 for more information on bridging.
• 8.2.6 - Explaining the bridging structure on page 318 for a detailed description of the bridging structure.
1424 SHDSL Router Chapter 11 613
User manual Configuration attributes
fragmentation Default:enabled
Range: enabled / disabled
Use this attribute to enable or disable PPP fragmentation. Refer to What is
PPP fragmentation? on page 164.
When PPP fragmentation is enabled, long frames are fragmented into a sequence of shorter frames. At
the remote side they are reassembled into the original frame.
multiclassInterfaces Default:<empty>
Range: table, see below
Use this attribute to set up multiclass PPP links. So you have to add an entry
to the multiclassInterfaces table for every multiclass PPP link that you want to create.
Refer to 6.7.13 - Setting up multiclass PPP on page 183 for more information.
The multiclassInterfaces table contains the following elements:
Element Description
mode Use this element to determine whether, for the corre- Default:routing
sponding multiclass PPP link, the packets are treated Range: enumerated, see below
by the routing process, the bridging process or both.
The mode element has the following values:
• bridging. All packets received on the multiclass PPP link are bridged.
• routing. All packets received on the multiclass PPP link are routed.
• routingAndBridging. The SNAP header is checked to determine whether the pack-
ets have to be bridged or routed.
Element Description
multiclassInterfaces/multiclass Default:-
Range: structure, see below
Use this structure to configure the multiclass specific parameters of the mul-
ticlass PPP link.
The multiclass structure contains the following elements:
Element Description
multiclass Use this element to set a multiclass identifier for the Default:1
multiclass PPP link. Range: 1 … 7
snmpIndexOffset Default:0
Range: 0 ... 65535
Use this attribute to correct the snmpIndex, in order to let it keep the same
value as before, after a manually added object has been removed from the containment tree. Refer to
5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more information.
priorityPolicy Default:<empty>
Range: 0 ... 24 characters
Use this attribute to apply a priority policy on the bundle.
Do this by entering the index name of the priority policy you want to use. You can create the priority policy
itself by adding a priorityPolicy object and by configuring the attributes in this object.
Example
maxFifoQlen Default:200
Range: 1 ... 4000
Use this attribute to set the maximum length (number of packets) of the First
In First Out queue.
Note that this attribute is only applicable when the interface is running in FIFO queueing mode, and only
applicable to non-colored packets.
Refer to algorithm on page 606 for more information on this queue.
1424 SHDSL Router Chapter 11 615
User manual Configuration attributes
defaultQueue Default:queue1
Range: enumerated, see below
Use this element to select a default queue.
This allows you to easily set up a traffic policy without having to create and apply traffic policy profiles.
However, you still have to create and apply a priority policy profile to empty the queues.
Refer to 7.11.11 - The default queue attribute versus a traffic policy profile on page 286 for more infor-
mation.
delayOptimisation Default:disabled
Range: enabled/disabled
Use this attribute to minimize delay over the PPP bundle when using a prior-
ityPolicy.
Whenever a priority policy is applied on the PPP link, a delay optimisation mechanism is activated auto-
matically in order to guarantee a minimum delay for high priority packets.
inboundBandwidth Default:-
Range: structure, see below
Use this attribute to configure the inbound bandwidth of the PPP bundle.
The inboundBandwidth structure contains the following elements:
• cir.
• correction.
• maxFifoQLen.
• priorityPolicy.
For a detailed description of these elements, refer to inboundBandwidth on page 525; they have already been
explained there in the context of the LAN interface.
<alarmConfigurationAttributes>
This section discusses the configuration attributes concerned with routing. First it describes the general
routing configuration attributes. Then it explains the configuration attributes of the extra features as there
are NAT, L2TP tunnelling, GRE tunnelling, filtering, traffic and priority policy, etc…
Depending on the device, it is possible that not all of these features are present. Refer to the detailed
features overview.
router1424/ip/router/
defaultRoute Default:-
Range: structure, see below
Use this attribute to set the default route, also called gateway address.
Refer to 7.3 - Configuring static routes on page 188 for more information on static routes.
The defaultRoute structure contains the following elements:
Element Description
gateway Use this element to specify the IP address of the next Default:0.0.0.0
router that will route all packets for which no specific Range: up to 255.255.255.255
(static or dynamic) route exists in the routing table.
Whether you can omit the gateway element or not, is linked to the following condi-
tions:
the LAN interface, you can not omit the gateway element.
the WAN interface, you can omit the gateway element only when using
PPP encapsulation.
preference Use this element to set the level of importance of the Default:10
default route with respect to routes learnt via RIP. Range: 1 … 200
RIP routes always have a preference of 60. Routes with a lower preference value
are chosen over routes with higher preference value.
1424 SHDSL Router Chapter 11 619
User manual Configuration attributes
Element Description
metric Use this element to set with how much the metric Default:1
parameter of a route has to be incremented. Range: 1 … 15
If two routes exist with the same preference, then the route with the lowest metric
value is chosen. This element is only important when combining static routes and
RIP routes.
Refer to 7.5.3 - Explaining the rip structure on page 208 for more information on
the metric parameter.
620 1424 SHDSL Router Chapter 11
User manual Configuration attributes
routingTable Default:<empty>
Range: table, see below
Use this attribute to configure the static IP routes.
Refer to 7.3 - Configuring static routes on page 188 for more information on static routes.
The routingTable table contains the following elements:
Element Description
network Use this element to specify the IP address of the des- Default:0.0.0.0
tination network. Range: up to 255.255.255.255
mask Use this element to specify the network mask of the Default:255.255.255.0
destination network. Range: up to 255.255.255.255
gateway Use this element to specify the IP address of the next Default:0.0.0.0
router on the path to the destination network. Range: up to 255.255.255.255
Whether you can omit the gateway element or not, is linked to the following condi-
tions:
the LAN interface, you can not omit the gateway element.
the WAN interface, you can omit the gateway element only when using
PPP encapsulation.
preference Use this element to set the level of importance of the Default:10
route. Range: 1 … 200
Routes with a lower preference value are chosen over routes with higher prefer-
ence value. Note that routes learned through RIP always have a preference of 60.
1424 SHDSL Router Chapter 11 621
User manual Configuration attributes
Element Description
metric Use this element to set with how much the metric Default:1
parameter of a route has to be incremented. Range: 1 … 15
If two routes exist with the same preference, then the route with the lowest metric
value is chosen. Refer to 7.5.3 - Explaining the rip structure on page 208 for more
information on the metric parameter.
622 1424 SHDSL Router Chapter 11
User manual Configuration attributes
routingProtocol Default:none
Range: enumerated, see below
Use this attribute to activate or deactivate the Routing Information Protocol
(RIP).
Refer to 7.5 - Configuring RIP on page 204 for more information on RIP.
The routingProtocol attribute has the following values:
Value Description
rip The RIP routing protocol is active. You can set the RIP version per interface. Refer
to the elements txVersion and rxVersion in the rip structure (refer to 7.5.3 - Explaining
the rip structure on page 208).
alternativeRoutes Default:backup
Range: enumerated, see below
Use this attribute to determine how the 1424 SHDSL Router deals with iden-
tical routes.
If more than one route to a (sub-)network is defined in the routing table, and these routes have …
• identical destination addresses, masks, preferences and metrics,
• a different gateway,
… then you can use the alternativeRoutes attribute to determine which route the 1424 SHDSL Router uses
to reach the (sub-)network.
The alternativeRoutes attribute has the following values:
Value Description
backup The 1424 SHDSL Router always uses the same route to reach the (sub-)network.
Only when this route goes down, it uses the alternative route.
roundRobin The 1424 SHDSL Router alternately uses the two possible routes to reach the
(sub-)network. However, once a certain route is used to reach a specific address,
this same route is always used to reach this specific address.
The ripHoldDownTime attribute tries to avoid situations as described above. Suppose router B has a
ripHoldDownTime attribute. In that case, the situation is as follows:
1. Route X goes down.
⇒Router A sends a RIP update message to router B declaring route X down. Router B starts the RIP
hold-down timer.
2. The status of route X starts toggling between up and down.
⇒Router A sends several RIP update messages concerning route X to router B. Router B holds the
status of route X down, as longs as the RIP hold-down timer has not expired.
ripv2SecretTable Default:<empty>
Range: table, see below
Use this attribute to define the secrets used for the RIP authentication.
Refer to 7.5.4 - Enabling RIP authentication on an interface on page 211 for more information on RIP
authentication.
The ripv2SecretTable table contains the following elements:
Element Description
keyId Use this element to set a unique identifier for each Default:0
secret. Range: 0 … 255
Remarks
• If authentication is enabled (either text or md5), then only updates using that authentication are proc-
essed. All other updates on that interface are discarded.
• If you use md5 and if for a certain interface multiple secrets are present in the ripv2SecretTable, then the
first entry in the ripv2SecretTable is used to transmit RIP updates. Authentication of the received RIP
updates is done by looking for the first secret with a matching key.
• If you use text and if for a certain interface multiple secrets are present in the ripv2SecretTable, then only
the first entry in the ripv2SecretTable is used to transmit and receive RIP updates.
1424 SHDSL Router Chapter 11 625
User manual Configuration attributes
sysSecret Default:<empty>
Range: 0 … 64 characters
Use this attribute for the PPP authentication process. The PPP authentica-
tor uses the sysSecret attribute in order to verify the peer its response.
For more information on PPP authentication, refer to …
• 6.7.6 - Configuring PAP on page 170
• 6.7.8 - Configuring CHAP on page 173
pppSecretTable Default:<empty>
Range: table, see below
Use this attribute for the PPP authentication process. Enter the authentica-
tion name and secret of the remote router in this table.
For more information on PPP authentication, refer to …
• 6.7.6 - Configuring PAP on page 170
• 6.7.8 - Configuring CHAP on page 173
The pppSecretTable contains the following elements:
Element Description
name Use this element to set the PPP authentication name Default:<empty>
of the remote router. Range: 0 … 64 characters
If the remote router is a 1424 SHDSL Router, then the name element should corre-
spond with the remote 1424 SHDSL Router its sysName or sessionName attribute.
Refer to 6.7.10 - Use which name and secret attributes for PPP authentication? on
page 176.
secret Use this element to set the PPP authentication secret Default:<empty>
of the remote router. Range: 0 … 64 characters
If the remote router is a 1424 SHDSL Router, then the secret element should cor-
respond with the remote 1424 SHDSL Router its sysSecret or sessionSecret attribute.
Refer to 6.7.10 - Use which name and secret attributes for PPP authentication? on
page 176.
626 1424 SHDSL Router Chapter 11
User manual Configuration attributes
helperProtocols Default:<empty>
Range: table, see below
Use this attribute to define the TCP and UDP port numbers for which broad-
cast forwarding is required. Use this attribute if you specified helper IP addresses using the helpers ele-
ment in the ip structure of the LAN interface. Refer to 5.2.3 - Explaining the ip structure on page 56.
If the helperProtocols table is empty (default), then address substitution is applied for the following proto-
cols:
Time Server 37
Important remark
Specifying at least one value in the helperProtocols table clears the default helper list automatically. In that
case, if you want that for instance NetBios Datagram Server broadcast is forwarded, you have to specify
port number 138 again.
For BootP / DHCP broadcast packets, the 1424 SHDSL Router is also a BootP / DHCP Relay Agent. If
the protocol is selected, then the 1424 SHDSL Router will write the IP address of its Ethernet interface
in the BootP or DHCP gateway field and increment the hops field in addition to the address substitution.
1424 SHDSL Router Chapter 11 627
User manual Configuration attributes
sendTtlExceeded Default:enabled
Range: enabled / disabled
Use this attribute to enable or disable the sending of ICMP “TTL exceeded“
messages.
The sendTtlExceeded attribute has the following values:
Value Description
enabled The 1424 SHDSL Router sends ICMP “TTL exceeded" messages.
disabled The 1424 SHDSL Router does not send ICMP “TTL exceeded” messages.
This also implies that the router is not recognised by the UNIX or Windows trace-
route feature.
Each IP packet has a Time To Live (TTL) value in its header. Each device that sends an IP packet sets
this parameter at some fixed or predefined value. When the packet enters a router, the router decre-
ments the TTL value. If a router finds a value 0 after decrementing the TTL, it discards the packet. This
because a value 0 means the packet has passed too many routers. Probably the packet is looping
between a number of routers. This mechanism avoids that routers with configuration errors bring down
a complete network.
If a router discards a packet because its TTL is exceeded, it normally sends an ICMP “TTL exceeded“
message to the originator of the packet. With the sendTtlExceeded attribute you can define whether you
want the 1424 SHDSL Router to send such ICMP messages or not.
It has been chosen to allow TTL exceeded messages in case of PPP. However, this has the effect that
TTL exceeded is also transmitted on some Ethernet broadcasts.
628 1424 SHDSL Router Chapter 11
User manual Configuration attributes
sendPortUnreachable Default:enabled
Range: enabled / disabled
Use this attribute to enable or disable the sending of ICMP “Destination
unreachable: Port unreachable“ messages.
The sendPortUnreachable attribute has the following values:
Value Description
enabled The 1424 SHDSL Router sends ICMP “port unreachable" messages.
disabled The 1424 SHDSL Router does not send ICMP “port unreachable” messages.
This also implies that the router is not recognised by the UNIX or Windows trace-
route feature.
The 1424 SHDSL Router supports a number of higher-layer IP protocols (Telnet, SNMP and TMA) for
management purposes. If an IP packet is sent to the 1424 SHDSL Router for a higher-layer protocol that
it does not support, it normally sends an ICMP “Destination unreachable: Port unreachable“ message to
the originator of the packet. With the sendPortUnreachable attribute you can define whether you want the
1424 SHDSL Router to send such an ICMP message or not.
sendAdminUnreachable Default:enabled
Range: enabled / disabled
Use this attribute to enable or disable the sending of ICMP "Destination
unreachable: Communication with destination is administratively prohibited” messages.
The sendAdminUnreachable attribute has the following values:
Value Description
enabled The 1424 SHDSL Router sends ICMP “communication prohibited“ messages.
disabled The 1424 SHDSL Router does not send ICMP “communication prohibited“ mes-
sages.
If the 1424 SHDSL Router receives an IP packet that is destined for a prohibited destination (because
this destination is defined in an access list), then it sends an ICMP "Destination unreachable: Commu-
nication with destination is administratively prohibited” message to the originator of the packet. With the
sendAdminUnreachable attribute you can define whether you want the 1424 SHDSL Router to send such
an ICMP message or not.
1424 SHDSL Router Chapter 11 629
User manual Configuration attributes
dhcpStatic Default:<empty>
Range: table, see below
This attribute activates the DHCP server on the 1424 SHDSL Router. Use
this attribute to assign a fixed IP address to a client its MAC address and this for an infinite time.
The dhcpStatic table contains the following elements:
Element Description
mask Use this element to set the client its subnet mask. Default:255.255.255.0
Range: up to 255.255.255.255
gateway Use this element to set the default gateway for the cli- Default:0.0.0.0
ent its subnet. Range: up to 255.255.255.255
If the interface element is left empty (default), then it is the gateway element that
determines on which interface the 1424 SHDSL Router will act as DHCP server.
Namely the interface through which the IP address as entered in the gateway ele-
ment can be reached.
If no gateway is specified, then the 1424 SHDSL Router gives its own address.
This address lies in the subnet of the interface through which the 1424 SHDSL
Router sends out the DHCP reply.
interface Use this element to specify the name of the interface Default:<empty>
on which you want the 1424 SHDSL Router to act as Range: 0 … 36 characters
DHCP server.
dnsSetting Use this element to determine which DNS servers are Default:learned
used for handling the DNS requests. Range: enumerated, see below
The dnsSetting element has the following values:
• configured. The 1424 SHDSL Router sends all DNS requests to the DNS servers
that have been configured in the attribute dns on page 636.
• learned. If DNS servers have been configured in the attribute dns, then all DNS
requests are sent to these servers. However, if no DNS servers have been con-
figured, then the 1424 SHDSL Router tries to learn the DNS servers from the
network. During the time the 1424 SHDSL Router has not learned the DNS
servers yet, DNS relay is active allowing DNS between the clients that already
have been given an IP address.
• relay. The 1424 SHDSL Router acts as a DNS server for its clients, caching all
DNS requests. It answers to DNS requests if possible. However, if an entry is
not present in its cache, then it relays this request to the DNS servers that have
been configured in the attribute dns.
nameServer Use this element to set the IP address of the name Default:0.0.0.0
server that is available to the client. Range: up to 255.255.255.255
630 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
nameServer2 Use this element to set the IP address of the second Default:0.0.0.0
name server that is available to the client. Range: up to 255.255.255.255
tftpServer Use this element to set the IP address of the TFTP Default:0.0.0.0
server that is available to the client. It is the next Range: up to 255.255.255.255
server to use in boottrap.
macAddress Use this element to enter the client its MAC address. Default:0.0.0.0.0.0
If no MAC address is specified, then there is no con- Range: up to ff.ff.ff.ff.ff.ff
nection to the client. Therefore, all other attributes in the table are ignored for this
client.
bootFile Use this element to set the location of the boot file. Default:<empty>
Range: 0 … 128 characters
hostName Use this element to set the name of the client. Default:<empty>
Range: 0 … 20 characters
domainName Use this element to set the name the client should use Default:<empty>
when resolving hostnames via the Domain Name Range: 0 … 20 characters
System (DNS).
netbiosNameServer Use this element to set the IP address of the NetBios Default:0.0.0.0
server. Range: up to 255.255.255.255
netbiosNameServer Use this element to set the IP address of the second Default:0.0.0.0
2 NetBios server. Range: up to 255.255.255.255
dhcpDynamic Default:<empty>
Range: table, see below
This attribute activates the DHCP server on the 1424 SHDSL Router. Use
this attribute to specify the IP address range from which an IP address may be dynamically assigned to
a client its MAC address.
The dhcpDynamic table contains the following elements:
Element Description
ipStartAddress Use this element to define the start address of the IP Default:192.168.1.100
address range. It is from this range that an IP address Range: up to 255.255.255.255
will be dynamically assigned to a client.
If no IP start address is specified, all other attributes on the same line in the table
are ignored.
ipEndAddress Use this element to define the end address of the IP Default:192.168.1.254
address range. It is from this range that an IP address Range: up to 255.255.255.255
will be dynamically assigned to a client.
The IP address range will only contain the ipStartAddress in case …
• no ipEndAddress is specified,
• the specified ipEndAddress is the same as the ipStartAddress,
• the specified ipEndAddress is smaller than the ipStartAddress,
• the specified ipEndAddress belongs to another subnet than the ipStartAddress.
Do not include the 1424 SHDSL Router its own IP address in this range!
mask Use this element to set the client its subnet mask for Default:255.255.255.0
the specified IP address range. Range: up to 255.255.255.255
gateway Use this element to set the default gateway for the cli- Default:0.0.0.0
ent its subnet. Range: up to 255.255.255.255
If the interface element is left empty (default), then it is the gateway element that
determines on which interface the 1424 SHDSL Router will act as DHCP server.
Namely the interface through which the IP address as entered in the gateway ele-
ment can be reached.
If no gateway is specified, then the 1424 SHDSL Router gives its own address.
This address lies in the subnet of the interface through which the 1424 SHDSL
Router sends out the DHCP reply.
interface Use this element to specify the name of the interface Default:<empty>
on which you want the 1424 SHDSL Router to act as Range: 0 … 36 characters
DHCP server.
632 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
dnsSetting Use this element to determine which DNS servers are Default:learned
used for handling the DNS requests. Range: enumerated, see below
The dnsSetting element has the following values:
• configured. The 1424 SHDSL Router sends all DNS requests to the DNS servers
that have been configured in the attribute dns on page 636.
• learned. If DNS servers have been configured in the attribute dns, then all DNS
requests are sent to these servers. However, if no DNS servers have been con-
figured, then the 1424 SHDSL Router tries to learn the DNS servers from the
network. During the time the 1424 SHDSL Router has not learned the DNS
servers yet, DNS relay is active allowing DNS between the clients that already
have been given an IP address.
• relay. The 1424 SHDSL Router acts as a DNS server for its clients, caching all
DNS requests. It answers to DNS requests if possible. However, if an entry is
not present in its cache, then it relays this request to the DNS servers that have
been configured in the attribute dns.
Important remark:
• If the dnsSetting element is set to learned and no DNS server is discovered, the
lease time of an IP address (set with the leaseTime element described below) will
always be 60 seconds. This is done because the DHCP client needs to update
its DNS settings when they become available on the DHCP server. If the lease
time of the IP address would be infinit, the client would never receive the DNS
settings.
• When the DHCP server has a valid DNS server or the dnsSetting element is set
to configured, the actual configured leased time will be used.
nameServer Use this element to set the IP address of the name Default:0.0.0.0
server that is available to the client. Range: up to 255.255.255.255
nameServer2 Use this element to set the IP address of the second Default:0.0.0.0
name server that is available to the client. Range: up to 255.255.255.255
tftpServer Use this element to set the IP address of the TFTP Default:0.0.0.0
server that is available to the client. It is the next Range: up to 255.255.255.255
server to use in boottrap.
leaseTime Use this element to set the maximum time a client can Default:00000d 00h 00m 00s
lease an IP address from the specified IP address Range: 00000d 00h 00m 00s -
range. 24855d 03h 14m 07s
If 00000d 00h 00m 00s (default) is specified, then the lease time is infinite.
holdTime Use this element to set the time between two consec- Default:00000d 00h 00m 00s
utive leases of an IP address. I.e. if a client has just let Range: 00000d 00h 00m 00s -
go of its dynamically assigned IP address, then this 24855d 03h 14m 07s
same IP address can not be reassigned before the
holdTime has elapsed.
1424 SHDSL Router Chapter 11 633
User manual Configuration attributes
Element Description
bootFile Use this element to set the location of the boot file. Default:<empty>
Range: 0 … 128 characters
hostName Use this element to set the name of the client. Default:<empty>
Because the DHCP server can not give the same Range: 0 … 20 characters
name to all clients of this IP address range, a number is added to the hostname
from the second IP address onwards. The number goes up to 99.
Example
Suppose the hostname is OneAccess. In that case the name for the start IP address
is OneAccess, for the second IP address OneAccess1, and so on.
domainName Use this element to set the name the client should use Default:<empty>
when resolving hostnames via the Domain Name Range: 0 … 20 characters
System (DNS).
netbiosNameServer Use this element to set the IP address of the NetBios Default:0.0.0.0
server. Range: up to 255.255.255.255
netbiosNameServer Use this element to set the IP address of the second Default:0.0.0.0
2 NetBios server. Range: up to 255.255.255.255
dhcpCheckAddress Default:disabled
Range: enumerated, see below
Use this attribute to allow that the IP address assigned by the DHCP server
is probed with an ARP request (Ethernet) or ICMP Echo Request (IP). This checks and prevents the dou-
ble use of IP addresses.
The dhcpCheckAddress attribute has the following values:
Value Description
arpOnly Probing is done when an IP address is leased by a client. However, the probing is
only done by means of an ARP request (Ethernet).
634 1424 SHDSL Router Chapter 11
User manual Configuration attributes
radius Default:-
Range: structure, see below
Use this attribute to configure the 1424 SHDSL Router for RADIUS. Also
see 9.7 - Configuring RADIUS on page 440.
To enable the use of RADIUS in PPP, PAP or CHAP should be enabled on the 1424 SHDSL Router.
The local configuration of the username and password is ignored if a table of RADIUS servers exist. Fur-
thermore, remote IP address and remote netmask are ignored if a RADIUS server imposes these
attributes.
The radius structure contains the following elements:
Element Description
acctUpdate Use this element to specify the time at which an Default:00000d 00h 00m 00s
update of the accounting data should be send to the Range: 00000d 00h 00m 00s -
server. 00000d 00h 01m 00s
Set this element to 0 (default) if no update is required. Note that this is not always
supported by the accounting server.
1424 SHDSL Router Chapter 11 635
User manual Configuration attributes
Element Description
dns Default:-
Range: structure, see below
Use this attribute to enter the DNS server addresses. Also see What is
DNS? on page 1148.
The dns structure contains the following elements:
Element Description
primaryDns Use this element to specify the IP address of the pri- Default:0.0.0.0
mary DNS server. Range: up to 255.255.255.255
secondaryDns Use this element to specify the IP address of the sec- Default:0.0.0.0
ondary DNS server. Range: up to 255.255.255.255
domainName Use this element to enter the domain name to which Default:<empty>
the 1424 SHDSL Router belongs. Range: 0 … 32 characters
What is DNS?
The Domain Name Service (DNS) is an Internet service that translates domain names into IP addresses.
Because domain names are alphabetic, they are easier to remember. The Internet however, is really
based on IP addresses. Therefore, every time you use a domain name, a DNS service must translate
the name into the corresponding IP address. For example, the domain name www.mywebsite.com might
translate to 198.105.232.4.
The DNS system is, in fact, its own network. If one DNS server doesn't know how to translate a particular
domain name, it asks another one, and so on, until the correct IP address is returned.
The 1424 SHDSL Router is a DNS proxy. This means that if the 1424 SHDSL Router has not received
a DNS address (as DHCP client), then it gives its own address in DHCP requests (as DHCP server). The
1424 SHDSL Router relays DNS requests it receives to configured or learned DNS servers.
1424 SHDSL Router Chapter 11 637
User manual Configuration attributes
addrPools Default:<empty>
Range: table, see below
Use this attribute to create a list or an interval of IP addresses from which
the 1424 SHDSL Router can pick IP addresses and use them on a PPP link.
The addrPool table contains the following elements:
Element Description
addrPools/pool/list Default:<empty>
Range: table, see below
Use this element to create one or more lists of IP addresses from which the
1424 SHDSL Router can pick IP addresses and use them as local and remote IP address for a PPP link.
Use the addrPool element in the ip structure to determine from which IP list pool the 1424 SHDSL Router
has to pick IP addresses. Refer to 5.2.3 - Explaining the ip structure on page 56 for more information.
The list table contains the following elements:
Element Description
name Use this element to assign a name to the IP list pool. Default:<empty>
Range: 0 … 24 characters
Important remark
Note again that an IP list pool is for both local and remote IP addresses.
1424 SHDSL Router Chapter 11 639
User manual Configuration attributes
Example
Suppose …
• you want to create two IP list pools: myList1 and myList2.
• you want that the 1424 SHDSL Router picks local and remote IP addresses from myList2.
Step Action
1 Create two entries in the router/addrPools table and specify a name for each entry.
3 Expand the pool element by clicking on the black triangle of the pool element.
Step Action
5 Create entries in the pool/list tables and enter a local IP address, remote IP address and
a netmask for each entry.
6 In the addrPool element of the ip structure, select the value “list” and enter the name of the
IP list pool from which you want to pick IP addresses. In our example, this is myList2.
1424 SHDSL Router Chapter 11 641
User manual Configuration attributes
addrPool/pool/interval Default:<empty>
Range: structure, see below
Use this element to create one or more ranges of IP addresses from which
the 1424 SHDSL Router can pick IP addresses and use them as remote IP address for a PPP link. Use
the addrPool element in the ip structure to determine from which IP interval pool the 1424 SHDSL Router
has to pick IP addresses. Refer to 5.2.3 - Explaining the ip structure on page 56 for more information.
The interval structure contains the following elements:
Element Description
Important remark
Example
Suppose …
• you want to create two IP interval pools: myInterval1 and myInterval2.
• you want that the 1424 SHDSL Router picks a remote IP addresses from myInterval2.
Step Action
1 Create two entries in the router/addrPools table and specify a name for each entry.
3 Expand the pool element by clicking on the black triangle of the pool element.
Step Action
5 Configure the pool/interval structures. I.e. create an IP address range using the elements
from and to.
6 In the addrPool element of the ip structure, select the value “interval” and enter the name of
the IP interval pool from which you want to pick IP addresses. In our example, this is
myInterval2.
sendHostUnreachable Default:enabled
Range: enabled/disabled
Use this attribute to enable or disable the sending of ICMP destination
unreachable messages.
The sendHostUnreachable attribute has the following values:
Value Description
enabled The 1424 SHDSL Router sends ICMP destination unreachable messages.
disabled The 1424 SHDSL Router does not send ICMP destination unreachable messages.
644 1424 SHDSL Router Chapter 11
User manual Configuration attributes
dnsUpdateClient Default:-
Range: table, see below
Use this attribute to let the 1424 SHDSL Router act as a DNS update client.
When enabled, it automatically updates the hostname, managed on the servers of the DNS provider,
with the new IP address.
This update sequence is triggered by a change of the IP address of the coupled interface in the 1424
SHDSL Router.
The dnsUpdateClient table contains the following elements:
Element Description
name Use this element to assign a name to each entry in the Default:<empty>
table. This name must be filled in as argument value Range: 0 ... 24 characters
in the forceDnsUpdate action, refer to router1424/ip/router/
forceDnsUpdate on page 923 for more information.
dnsUpdateClient/dnsProvider/dynDns
Use the dynDns structure to set the configuration parameters of the dynDns DNS provider.
The dynDns structure contains following elements:
Element Description
mode Use this element to select a working mode. The mode Default:disabled
element has the following values: Range: enumerated, see below
• disabled. This is the default setting when adding a new row to this table. It is rec-
ommended by DynDNS that updates only be done from the moment that all
configuration settings are properly done.
So until that is the case, it is recommended to leave the mode element to this
default setting.
• offline. This sets the hostname to offline mode.
This feature is only available to credited users of DynDNS. The return code
Option only for Credited Users will be returned by the server when the account is not
credited. This feature is only effective when the parameter system, described
below, is set to dynamic or custom.
• online. This sets the hostname to online mode.
The update state-machine will change its state to enabledIdle, and will start to
send updates, when appropriate, i.e. when the IP address of the interface
changes.
system Use this element to select the way the updates are Default:dynamic
done. The system element has the following values: Range: enumerated, see below
• dynamic. Updates will be done in the Dynamic DNS system of DynDNS.
• static. Updates are done in the Static DNS system of DynDNS. The Static DNS
system is meant for users whose IP address will not change over time. Unlike
a Dynamic DNS host, a Static DNS host does not expire after 35 days without
updates, but updates take longer to propagate through the DNS system.
• custom. Custom DNS service provides a full DNS solution, giving complete con-
trol over an entire domain name. This service is not free however.
hostNameFqdn Use this element to set the name that will be used Default:<empty>
when updating with the update servers of DynDNS. Range: 0 … 128 characters
An example is: 1424 SHDSL Router.dyndns.org.
A wildcard * is allowed in front of this parameter, for example: *.myhost . The wild-
card aliases *.myhost.dyndns.org to the same address as myhost.dyndns.org.
Note that wildcard aliasing is only effective when the system element is set to
dynamic or static.
interface Use this element to set the name of the interface to Default:<empty>
which the DynDNS hostname update client is to be Range: 0 … 24 characters
coupled. This can be any interface that is configured
to run in routing mode.
646 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
userName Use this element to set the username to log in to the Default:<empty>
website of DynDNS; it is the same username as the Range: 0 … 24 characters
one the user utilises to log in into the website of
DynDNS as registered account.
password Use this element to set the password to log in to the Default:<empty>
website of DynDNS; It is the same password as the Range: 0 … 24 characters
one the user utilises to log in into the website of
DynDNS as registered account.
tcpPort Use this element to set the TCP port used to commu- Default:http
nicate with the update server of DynDNS. The tcpPort Range: enumerated, see below
element has the following values:
• http. Port 80 will be used.
• httpProxyBypass. Port 8245 will be used. This allows the update client to bypass
transparent HTTP proxies.
qualityMonitor
Use this attribute to verify the quality of an entire network link between this device and the end device.
Refer to 9.9 - IP SLA or traffic quality monitoring on page 474 for more information.
The qualityMonitor structure contains the following elements:
Element Description
monitor Use this element to start or stop the quality monitor by Default:disabled
setting this element to enabled or disabled respectively. Range: enabled/disabled
The quality monitor is disabled by default.
This element makes it possible to enable the qualityMonitor during a certain period
of time, during which quality data is logged. It can be disabled again, while the data
is being kept, so that the user can analyze it at any time at a later stage.
It basically means that the qualityMonitor does not have to run all the time, in order
to be able to analyze quality data.
type Use this element to set the way in which the destinations Default:sequantial
table is executed: each line in the table is an action, Range: concurrent/sequantial
they can be executed one after the other, or all at the
same time, i.e. sequential or concurrent respectively.
qualityMonitor/destinations Default:<empty>
Range: table, see below
Use this element to configure the actual monitoring. The destinations element
is a table: every line in the table is a link that is being monitored.
The destinations table contains the following elements:
Element Description
ipAddress Use this element to set the IP address of the end Default:0.0.0.0
device of the link. Range: up to 255.255.255.255
Either use this element, or the hostName element, to identify the end device.
hostName Use this element to set the name of the end device of Default:<empty>
the link. Range: 0 … 132 characters
Either use this element, or the ipAddress element, to identify the end device.
source Use this element to set the IP source address from Default:0.0.0.0
which the quality monitoring is initiated. Range: up to 255.255.255.255
This must be one of the 1424 SHDSL Router inter-
faces; if this IP address is not one of the 1424 SHDSL Router interface addresses,
then nothing is sent.
When using the default, 0.0.0.0, this means that the IP address of the exit port is
used.
tos Use this element to set the TOS byte of the IP pack- Default:0
ets that are sent out. Range: 0 ... 255
With this, a certain priority can be given to the pack-
ets, in order to get reliable statistics about the link.
It is important that the quality monitoring packets are treated with the same priority
in the link, as actual data that is being sent over the link. This will give a reliable
image of the quality of the link.
interval Use this element to set the time interval with which IP Default:10
packets are sent out. Range: 1 ... 36000
This element is expressed in multiples of 100 milliseconds (msec).
timeOut Use this element to set the time out value after which Default:10
the sent out packets have to be considered as lost. Range: 1 ... 100
This element is expressed in multiples of 100 milliseconds (msec).
icmpLength Use this element to set the length, in bytes, of the Default:64
ICMP packets that are sent out. Range: 32 ... 1300
1424 SHDSL Router Chapter 11 649
User manual Configuration attributes
Element Description
lossAlarm Use this element to set when a loss alarm is gener- Default:<empty>
ated, and when it is cleared again. Range: structure, see below
The lossAlarm structure contains following elements:
• samples. This is the number of samples that are Default:10
taken to calculate the loss alarm. Range: 1 ... 2000
Together with the interval element, explained
above, these elements define the loss window.
For example, when set to 10, and interval is set to 10, a time window of 10 sec-
onds is monitored.
• alarmOn. This is the threshold that activates the loss Default:1
alarm: when more than this number of packets are Range: 1 ... 256
lost, the lossAlarm is activated.
• alarmOff. This is the threshold that deactivates the Default:0
loss alarm: the lossAlarm remains on until this Range: 0 ... 256
number of packets, or less, are lost.
delayAlarm Use this element to set when a delay alarm is gener- Default:<empty>
ated, and when it is cleared again. Range: structure, see below
Refer to qualityMonitor/destinations/delayAlarm on page 650 for a detailed description.
For the logging to work correctly and reliably, the logging interval should be
lower or equal to the duration of the loss and the delay window.
To view the quality data that is being logged by the quality monitor, refer to the log-
ging element in the qualityMonitor performance table: refer to 13.9.1 - General router
performance attributes on page 1055.
650 1424 SHDSL Router Chapter 11
User manual Configuration attributes
qualityMonitor/destinations/delayAlarm Default:-
Range: structure, see below
Use this element to set when a delay alarm is generated, and when it is
cleared again.
2 factors are taken into consideration for generating alarms: roundtrip delay and jitter. For the delay,
three values are calculated: a minimum, a maximum and an average. For jitter, a positive deviation, a
negative deviation and an average value are calculated. Based on these values, alarms are generated.
The delayAlarm structure contains the following elements:
Element Description
samples This is the number of samples that are taken to calcu- Default:10
late the delay alarm. Range: 1 ... 2000
Together with the interval element, explained in previ-
ous table, these elements define the delay window.
For example, when set to 10, and interval is set to 10, a time window of 10 seconds
is monitored.
alarmAvgOn This is the threshold that activates the delay alarm Default:500
when the average delay is bigger than this value. Range: 1 ... 64000
This element is expressed in milliseconds (msec).
alarmAvgOff This is the threshold that deactivates the delay alarm Default:500
when the average delay drops below this value. Range: 1 ... 64000
This element is expressed in milliseconds (msec).
alarmMaxOn This is the threshold that activates the delay alarm Default:500
when the maximum delay is bigger than this value. Range: 1 ... 64000
This element is expressed in milliseconds (msec).
alarmMaxOff This is the threshold that deactivates the delay alarm Default:500
when the maximum delay drops below this value. Range: 1 ... 64000
This element is expressed in milliseconds (msec).
alarmMinMaxOn This is the threshold that activates the delay alarm Default:500
when the difference between the minimum and maxi- Range: 1 ... 64000
mum delay is bigger than this value.
This element is expressed in milliseconds (msec).
alarmMinMaxOff This is the threshold that deactivates the delay alarm Default:500
when the difference between the minimum and maxi- Range: 1 ... 64000
mum delay drops below this value.
This element is expressed in milliseconds (msec).
alarmAvgJitterOn This is the threshold that activates the jitter alarm Default:500
when the average jitter is bigger than this value. Range: 1 ... 64000
This element is expressed in milliseconds (msec).
alarmAvgJitterOff This is the threshold that deactivates the jitter alarm Default:500
when the average jitter drops below this value. Range: 1 ... 64000
This element is expressed in milliseconds (msec).
1424 SHDSL Router Chapter 11 651
User manual Configuration attributes
Element Description
alarmMaxJitterOn This is the threshold that activates the jitter alarm Default:500
when the maximum jitter is bigger than this value. Range: 1 ... 64000
This element is expressed in milliseconds (msec).
alarmMaxJitterOff This is the threshold that deactivates the jitter alarm Default:500
when the maximum jitter drops below this value. Range: 1 ... 64000
This element is expressed in milliseconds (msec).
<alarmConfigurationAttributes>
router1424/ip/router/defaultNat
router1424/ip/router/nat[ ]
Note that the nat [ ] object is not present in the containment tree by default. It must be added manually;
refer to 4.4 - Adding an object to the containment tree on page 45 , this section explains how to do so.
1424 SHDSL Router Chapter 11 653
User manual Configuration attributes
patAddress Default:0.0.0.0
Range: up to 255.255.255.255
Use this attribute to enter the official IP address that has to be used for the
Port Address Translation. Entering an address different from the default value 0.0.0.0 automatically ena-
bles PAT.
Refer to 7.8 - Configuring address translation on page 225 for more information on PAT.
portTranslations Default:<empty>
Range: table, see below
Use this attribute to define specific port number ranges that should not be
translated.
Some TCP or UDP applications do not allow port translations: these applications require a dedicated
source port number. In the portTranslations table you can define UDP and TCP port ranges that should not
be translated. If a packet with a source port number in such a range is received, PAT replaces only the
source IP address provided it is the first device using this port number. When other devices using the
same application (hence the same port number) try to send traffic to the same Internet destination
address, PAT discards this traffic.
It is also possible to define port ranges that PAT should always discard. The port translation range PAT
uses goes from 60928 up to 65535.
The portTranslations table contains the following elements:
Element Description
protocol Use this element to select the protocol: tcp or udp. Default:tcp
Range: tcp / udp
startPort Use this element to set the lowest value of the TCP or Default:0
UDP port range. Range: 0 … 65535
endPort Use this element to set the highest value of the TCP Default:<opt>
or UDP port range. Range: 0 … 65535
If no endPort value is defined (<opt>), then the port range is limited to the startPort
value only.
action Use this element to set the action in case a packet is Default:noTranslation
received with a source port number that falls within Range: enumerated, see below
the specified port range.
The action element has the following values:
• noTranslation. The port numbers that fall within the specified port range are not
translated.
• deny. Packets with port numbers that fall within the specified port range are dis-
carded.
654 1424 SHDSL Router Chapter 11
User manual Configuration attributes
servicesAvailable Default:<empty>
Range: table, see below
Use this attribute to define specific port number ranges for incoming Internet
traffic that should not be translated. Instead it is sent to the corresponding private IP address.
The servicesAvailable table makes it possible to have a server on the local network that can be accessed
from the Internet, although it has no official IP address.
The servicesAvailable table contains the following elements:
Element Description
protocol Use this element to select the protocol: tcp or udp. Default:tcp
Range: tcp / udp
startPort Use this element to set the lowest value of the TCP or Default:0
UDP port range. Range: 0 … 65535
endPort Use this element to set the highest value of the TCP Default:<opt>
or UDP port range. Range: 0 … 65535
If no endPort value is defined (<opt>), then the port range is limited to the startPort
value only.
serverAddress Use this element to set the private server address. Default:0.0.0.0
If a packet is received with a source port number that Range: up to 255.255.255.255
falls within the specified port range, then it is sent to the private server address.
serverPort Use this element to realize port translations for incom- Default:<OPT>
ing connections; refer to the example below. Range: 0 ... 65535
Example:
• protocol=tcp, startport=1024, serverAddress=192.168.1.1, serverport=23 (or telnet), endport will be ignored when
using serverPort:
⇒when starting a telnet session to the PAT address port 1024, you actually start a telnet session to
192.168.1.1
• protocol=tcp, startport=1025, serverAddress=192.168.1.2, serverport=23 (or telnet), endport will be ignored when
using serverPort:
⇒when starting a telnet session to the PAT address port 1025, you actually start a telnet session to
192.168.1.2
• protocol=tcp, startport=1026, serverAddress=192.168.1.3, serverport=23 (or telnet), endport will be ignored when
using serverPort:
⇒when starting a telnet session to the PAT address port 1026, you actually start a telnet session to
192.168.1.3
1424 SHDSL Router Chapter 11 655
User manual Configuration attributes
addresses Default:<empty>
Range: table, see below
Use this attribute to enter all the official IP addresses that have to be used
for Network Address Translation. Entering an address in the addresses table automatically enables the
general NAT process. Now you can activate or deactivate NAT per IP interface. Note that by default NAT
is deactivated on all IP interfaces.
Refer to 7.8 - Configuring address translation on page 225 for more information on NAT.
The addresses table contains the following elements:
Element Description
privateAddress Use this element to set the private IP address, i.e. to Default:<opt>
permanently assign an official IP address to a private Range: up to 255.255.255.255
address.
If you do not specify a private IP address, then NAT is applied dynamically. I.e. the
official IP address is used for any private source IP address.
gateway Default:0.0.0.0
Range: up to 255.255.255.255
Use this attribute to define the gateway addresses of routes on which NAT
or PAT should be applied. If you do not configure the gateway attribute, then NAT or PAT is applied on all
routes through this interface.
tcpSockets Default:1024
Range: 500 … 4500
Use this attribute to set the maximum number of TCP sessions that may be
used simultaneously for address translation.
udpSockets Default:1024
Range: 500 … 4500
Use this attribute to set the maximum number of UDP session that may be
used simultaneously for address translation.
Remark
As long as the total sum of configured sockets, using the udpSockets and tcpSockets attributes, is higher
then the actually used sockets, new sockets can be allocated.
Both pools must be added together because not only TCP and UDP are supported, but also ESP and
GRE sockets/sessions are counted (and ICMP, but these used to be allocated from the number of UDP
sockets). Both configuration parameters are still present to remain backwards compatible.
In other words, the total amount of usable sockets is the sum of the values of the udpSockets and tcpSockets
attributes.
dmzHost Default:0.0.0.0
Range: up to 255.255.255.255
Use this attribute to set the address of the DMZ (demilitarised zone) host.
What is a DMZ?
In computer networks, a DMZ (demilitarised zone) is a computer host or small network inserted as a
"neutral zone" between a company's private network and the outside public network. It prevents outside
users from getting direct access to a server that has company data. A DMZ is an optional and more
secure approach to a firewall and effectively acts as a proxy server as well.
In a typical DMZ configuration for a small company, a separate computer receives requests from users
within the private network for access to Web sites or other companies accessible on the public network.
The DMZ host then initiates sessions for these requests on the public network. However, the DMZ host
is not able to initiate a session back into the private network. It can only forward packets that have
already been requested.
Users of the public network outside the company can access only the DMZ host. The DMZ may typically
also have the company's Web pages so these could be served to the outside world. However, the DMZ
provides access to no other company data. In the event that an outside user penetrated the DMZ host's
security, the Web pages might be corrupted but no other company information would be exposed.
1424 SHDSL Router Chapter 11 657
User manual Configuration attributes
tcpAdjustMss Default:0/disabled
Range: 200...2000
Use this attribute to configure the Maximum Segment Size (MSS) for tran-
sient packets that traverse the 1424 SHDSL Router.
When a TCP session is established the MSS value in the setup is adapted to the value configured here,
in order to reduce the maximum size of TCP segments.
What is MSS?
MTU or Maximum Transfer Unit is the maximum number of bytes that one packet can contain. Typical,
for Ethernet, this is 1500 bytes. The maximum amount of actual data that can be transported in such a
data packet is 1460 bytes; this is the Maximum Segment Size or MSS.
Reducing MSS
Reducing the maximum size of TCP segments may prevent the communication from slowing down or
even failing.
For instance, when PPP over Ethernet (PPPoE) is being used in the network, PPPoE truncates the
Ethernet Maximum Transfer Unit (MTU) to 1492 bytes, which could result in loss of communication.
Similarly, when a tunnelling protocol such as GRE, L2TP or IPSEC is being used in the network, frag-
mentation may be required if the MSS is not adjusted, which slows down the communication.
snmpIndexOffset Default:0
Range: 0 ... 65535
Use this attribute to correct the snmpIndex, in order to let it keep the same
value as before, after a manually added object has been removed from the containment tree. Refer to
5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more information.
658 1424 SHDSL Router Chapter 11
User manual Configuration attributes
router1424/ip/router/tunnels/
l2tpTunnels Default:<empty>
Range: table, see below
Use this attribute to configure the Layer 2 Tunnelling Protocol tunnels you
want to set up. Add a row to the l2tpTunnels table for each L2TP tunnel you want to set up.
The l2tpTunnels table contains the following elements:
Element Description
remark Use this element to write down any text, message, Default:-
remark, etc. of up to 64 characters. Range: 0 … 64 characters
adminStatus Use this element to activate (up) or deactivate the tun- Default:down
nel (down). Range: up / down
mode Use this element to determine whether for the corre- Default:routing
sponding tunnel, IP packets are treated by the routing Range: enumerated, see below
process, the bridging process or both.
The mode element has the following values:
• bridging. All packets received on the tunnel are bridged.
• routing. All packets received on the tunnel are routed.
• routingAndBridging. The SNAP header is checked to determine whether the pack-
ets have to be bridged or routed.
priorityPolicy Use this element to apply a priority policy on the L2TP Default:<empty>
tunnel. Range: 0 … 24 characters
Do this by entering the index name of the priority policy you want to use. You can
create the priority policy itself by adding a priorityPolicy object and by configuring the
attributes in this object.
Refer to 7.11 - Applying QoS on routed traffic on page 259 for more information
about priority policy.
Element Description
inboundBandwidth Use this element to configure the inbound bandwidth of the L2TP tunnel.
The inboundBandwidth structure contains the following elements:
• cir.
• correction.
• maxFifoQLen.
• priorityPolicy.
For a detailed description of these elements, refer to 11.3 - LAN interface configu-
ration attributes on page 509; they have already been explained there in the con-
text of the LAN interface.
1424 SHDSL Router Chapter 11 661
User manual Configuration attributes
l2tpTunnels/l2tp Default:-
Range: structure, see below
Use the l2tp structure in the l2tpTunnels table to configure the L2TP related
parameters of the tunnel.
The l2tp structure contains the following elements:
Element Description
localIpAddress Use this element to set the official IP address that Default:<opt>
serves as start point of the L2TP connection. Range: up to 255.255.255.255
remoteIpAddress Use this element to set the official IP address that Default:<opt>
serves as end point of the L2TP connection. Range: up to 255.255.255.255
Both localIpAddress and remoteIpAddress together with the well-known port number for
L2TP (i.e. 1701), make up the socket used for the L2TP session. At the moment,
only one L2TP session can exist between one localIpAddress and remoteIpAddress
combination.
pppSesionName Use this element to set the PPP authentication name Default:<empty>
of the PPP link in the tunnel. Range: 0 … 64 characters
pppSesionSecret Use this element to set the PPP authentication secret Default:<empty>
of the PPP link in the tunnel. Range: 0 … 64 characters
Element Description
Important remark
keepAliveTimeOut Use this element to set the amount of time (in sec- Default:30
onds) the tunnel waits before it sends a keep alive Range: 1 … 3600
message in case it receives no data.
If the tunnel does not receive incoming data during a certain time, it sends a keep
alive message to the other side and waits for an acknowledgement.
noTrafficTimeOut This element applies on dial tunnels only (i.e. for Default:120
which the type element is set to outgoingDial). Range: 1 … 3600
Use this element to set the amount of time (in seconds) the tunnel waits before it
closes in case it receives no data.
l2tpMode Use this element to set the L2TP function of the 1424 SHDSL Router.
The l2tpMode element has the following values:
• lac. The 1424 SHDSL Router acts as an L2TP Access Concentrator.
• lns. The 1424 SHDSL Router acts as an L2TP Network Server.
• auto. If both local and remote 1424 SHDSL Router are set to auto, they mutually
decide who will be the LAC and who the LNS.
Important remark
Only select auto if you use a OneAccess router at both sides of the tunnel.
In conjunction with routers from other vendors (e.g. Cisco), specifically select an
L2TP mode (lac or lns).
1424 SHDSL Router Chapter 11 663
User manual Configuration attributes
Element Description
tunnelAuthentication Use this element to enable (on) or disable (off) tunnel Default:off
authentication. Range: on / off
L2TP incorporates a simple, optional, CHAP-like tunnel authentication system dur-
ing control connection establishment.
If the LAC or LNS wishes to authenticate the identity of the peer it is contacting or
being contacted by, it sends a challenge packet. If the expected response and
response received from a peer does not match, the tunnel is not opened.
To participate in tunnel authentication, a single shared secret has to exist between
the LAC and LNS.
tunnelSecret Use this element to set the tunnel secret. This secret Default:<empty>
is used in the tunnel authentication in order to verify Range: 0 … 64 characters
the peer its response.
copyTos Use this element to enable (on) or disable (off) the cop- Default:on
ying of the TOS byte value from the payload its IP Range: on / off
header to the L2TP header.
maxNrOfRetrans- Use this element to set the number of times a control Default:4
missions message has to be retransmitted in case no acknowl- Range: 0 … 10
edgement follows, before the tunnel is closed.
transmitWindowSize Use this element to set the window size for transmit- Default:4
ting control messages. Range: 1 … 30
receiveWindowSize Use this element to set the window size for receiving Default:4
control messages. Range: 1 … 30
udpChecksum Use this element to enable (on) or disable (off) the Default:off
UDP checksum. Range: on / off
It is recommended to enable the UDP checksum on lower quality links.
calledNr Use this element to set the called number. This ele- Default:<empty>
ment is present for compatibility with other vendors Range: 0 … 48 characters
that support this feature. If you set up a tunnel
between two OneAccess devices, then you can leave this element empty.
The called number is an indication to the receiver of a call as to what (telephone)
number the caller used to reach it. It encodes the (telephone) number to be called
for an outgoing call request (OCRQ) and the called number for an incoming call
request (ICRQ).
The called number is an ASCII string. Contact between the administrator of the
LAC and the LNS may be necessary to coordinate interpretation of the value
needed in this element.
Element Description
What is MTU?
The Maximum Transmission Unit (MTU) is the largest size packet or frame, spec-
ified in octets (eight-bit bytes), that can be sent in a packet- or frame-based net-
work (e.g. the Internet). The Ethernet standard MTU is 1500.
An MTU that is too large may result in retransmissions if the packet encounters a
router that cannot handle that large a packet. An MTU that is too small results in
relatively more header overhead and more acknowledgements that have to be
sent and handled.
The Internet de facto standard MTU is 576, but ISPs often suggest using 1500. For
protocols other than TCP, different MTU sizes may apply.
IP packets with a size larger than the MTU and with the DF (Don’t Fragment)
bit set are dropped and an ICMP destination unreachable (type 3, code 4)
message is sent.
1424 SHDSL Router Chapter 11 665
User manual Configuration attributes
l2tpTunnels/backup Default:-
Range: structure, see below
Use the backup structure in the l2tpTunnels table to configure the back-up
related parameters of the tunnel.
In a main/back-up tunnel mechanism, configuring the backup element allows you to quickly set up a back-
up tunnel as soon as the main tunnel goes down, instead of waiting on several time-outs before the back-
up tunnel is set up. Refer to 9.4.4 - Setting up a main and back-up tunnel on page 386.
The backup structure contains the following elements:
Element Description
interface Use this element to enter the name of the tunnel that Default:<empty>
will act as back-up in a main/back-up mechanism. Range: 0 … 24 characters
Alternatively, if the string "discard" is entered as a backup interface, then the
backup functionality is executed for the main tunnel even if no backup tunnel is
present. So the main tunnel is reset and the route to the main tunnel is closed (so
the route status goes “down” instead of “spoofing”). In that case, if an alternative
route is present, then this route will be taken.
timeOut Use this element to set the set-up time-out in sec- Default:30
onds. If the tunnel is not set up within the specified Range: 1 … 3600
time-out, then the back-up tunnel is set up.
autoRetry This element is only relevant in case the type element Default:no
of the tunnel is set to outgoingLeasedLine. Range: yes / no
Use this element to determine, if a leased line tunnel does not come up, whether
it has to keep trying to come up (yes) or quit after one try (no).
666 1424 SHDSL Router Chapter 11
User manual Configuration attributes
ipsecL2tpTunnels Default:<empty>
Range: table, see below
Use this attribute to configure the IP secured Layer 2 Tunnelling Protocol
tunnels you want to set up. Add a row to the IpsecL2tpTunnels table for each IPSEC L2TP tunnel you want
to set up.
The elements of the ipsecL2tpTunnel are basically the same as the elements of the l2tpTunnel (refer to
l2tpTunnels on page 659). The only difference is the presence of the ipsec element within the l2tp structure.
Refer to ipsecL2tpTunnels/l2tp/ipsec on page 667 for more information on the ipsec element.
1424 SHDSL Router Chapter 11 667
User manual Configuration attributes
ipsecL2tpTunnels/l2tp/ipsec Default:-
Range: choice, see below
Use this element to apply a security association on the IPSEC L2TP tunnel.
Do this by typing the index name of the security association you want to use. You can create the security
association itself by adding a manualSA or ikeSA object and by configuring the attributes in this object.
Refer to 9.6 - Configuring IP security on page 407 for more information on IP security.
The ipsec element offers you the following choice:
Choice Description
fdxManualSA Select this value if you want to apply a manual secu- Default:<empty>
rity association on both the inbound and outbound Range: 0 … 24 characters
traffic of the IPSEC L2TP tunnel.
If you select this value, then a field appears behind the value. Type the manualSA
object its index name in this field.
Example
hdxManualSA Select this value if you want to apply a manual secu- Default:-
rity association on the inbound traffic and another Range: structure, see below
manual security association on the outbound traffic of
the IPSEC L2TP tunnel.
If you select this value, then a structure appears behind the value. This structure
contains the following elements:
• inbound. To apply a security association on the Default:<empty>
inbound traffic, type the manualSA object its index Range: 0 … 24 characters
name in this field.
• outbound. To apply a security association on the Default:<empty>
outbound traffic, type the manualSA object its index Range: 0 … 24 characters
name in this field.
Example
If you created a manualSA object with index name my_SA_in (i.e. manualSA[my_SA_in])
and one with index name my_SA_out (i.e. manualSA[my_SA_out]) and you want to apply
the first on the inbound and the latter on the outbound traffic, then enter the index
names of the manualSA objects as follows:
668 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Choice Description
ikePresharedSA Select this value if you want to apply an IKE pre- Default:-
shared key security association on both the inbound Range: structure, see below
and outbound traffic of the IPSEC L2TP tunnel.
If you select this value, then a structure appears behind the value. Refer to
ipsecL2tpTunnels/l2tp/ipsec/ikePresharedSA on page 669 for a detailed description of the
ikePresharedSA structure.
ikeCertificateSA Select this value if you want to apply an IKE certificate Default:-
security association on both the inbound and out- Range: structure, see below
bound traffic of the IPSEC L2TP tunnel.
If you select this value, then a structure appears behind the value. Refer to
ipsecL2tpTunnels/l2tp/ipsec/ikeCertificateSA on page 671 for a detailed description of the
ikeCertificateSA structure.
1424 SHDSL Router Chapter 11 669
User manual Configuration attributes
ipsecL2tpTunnels/l2tp/ipsec/ikePresharedSA Default:-
Range: structure, see below
Use the ikePresharedSA structure in the ipsec structure to apply an IKE pre-
shared key security association on both the inbound and outbound traffic of the IPSEC L2TP tunnel.
The ikePresharedSA structure contains the following elements:
Element Description
ikeSA Use this element to apply a certain IKE preshared key Default:<empty>
security association on the IPSEC L2TP tunnel. Range: 0 … 24 characters
Do this by typing the ikeSA object its index name in this field.
Example
If you created an ikeSA object with index name mySA (i.e. ikeSA[mySA])
and you want to apply this security association on an IPSEC L2TP tun-
nel, then enter the index name as value of the ikeSA element.
localId Use this element to set the local identifier for use in Default:<ipAddress> 0.0.0.0
IKE phase 1 negotiation. Range: choice, see below
The localId element has the following values:
• ipAddress. Set the IP address that will be used as local ID. If you leave the ipAd-
dress element at its default value (0.0.0.0), then the local IP address of the L2TP
tunnel is used as local ID.
• hostname. Set the hostname that will be used as local ID. The hostname has to
be of the form “host.domain.com”.
• user. Set the username that will be used as local ID. The username has to be of
the form “my.name@company.com”.
remoteId Use this element to set the remote identifier for use in Default:<ipAddress> 0.0.0.0
IKE phase 1 negotiation. Range: choice, see below
The remoteId element has the following values:
• ipAddress. Sets the IP address that will be used as remote ID. If you leave the
ipAddress element at its default value (0.0.0.0), then the remote IP address of the
L2TP tunnel is used as remote ID.
• hostname. Sets the hostname that will be used as remote ID. The hostname has
to be of the form “host.domain.com”.
• user. Sets the username that will be used as remote ID. The username has to
be of the form “my.name@company.com”.
preSharedKey Use this element to set the pre-shared key string. Default:presharedkey
This key string in combination with the selected IKE Range: 12 … 49 characters
DH group is used to calculate the key during the key exchange in phase 1 of the
IKE negotiation. Refer to diffieHelmanGroup on page 699.
670 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
proxyId Use this element to set up a tunnel with other vendors. Default:-
This element must match with the access list of the Range: structure, see below
remote tunnel. The following values define the type of
payload carried by the IPsec frame:
• ipProtocol: Specify an IP protocol using the ipProtocol element. Select one of the
common IP protocols from the drop-down box.
• localIpAddress: Specify the IP address that serves as start point of the IPsec tun-
nel.
• localIpMask: Specify the subnet mask of the local IP address.
• localIpPort: Specify the local port number.
• remoteIpAddress: Specify the IP address that serves as end point of the IPsec tun-
nel.
• remoteIpMask: Specify the subnet mask of the remote IP address.
• remoteIpPort: Specify the remote port number.
1424 SHDSL Router Chapter 11 671
User manual Configuration attributes
ipsecL2tpTunnels/l2tp/ipsec/ikeCertificateSA Default:-
Range: structure, see below
Use the ikeCertificateSA structure in the ipsec structure to apply an IKE certifi-
cate security association on both the inbound and outbound traffic of the IPSEC L2TP tunnel.
The ikeCertificateSA structure contains the following elements:
Element Description
Example
If you created an ikeSA object with index name mySA (i.e. ikeSA[mySA])
and you want to apply this security association on an IPSEC L2TP tun-
nel, then enter the index name as value of the ikeSA element.
localId Use this element to set the local identifier for use in Default:<ipAddress> 0.0.0.0
IKE phase 1 negotiation. Range: choice, see below
The localId element has the following values:
• ipAddress. Set the IP address that will be used as local ID. If you leave the ipAd-
dress element at its default value (0.0.0.0), then the local IP address of the L2TP
tunnel is used as local ID.
• hostname. Set the hostname that will be used as local ID. The hostname has to
be of the form “host.domain.com”.
• user. Set the username that will be used as local ID. The username has to be of
the form “my.name@company.com”.
The ipAddress, hostName, user element has to be the same as the IP address / host-
name / username in the certificate of the local device (at least one of these three
values has to be filled in); refer to router1424/fileSystem/generateSelfCertificateRequest on
page 1004 and router1424/fileSystem/getSelfCertificateScep on page 1008.
672 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
remoteId Use this element to set the remote identifier for use in Default:<ipAddress> 0.0.0.0
IKE phase 1 negotiation. Range: choice, see below
The remoteId element has the following values:
• ipAddress. Sets the IP address that will be used as remote ID. If you leave the
ipAddress element at its default value (0.0.0.0), then the remote IP address of the
L2TP tunnel is used as remote ID.
• hostName. Sets the hostname that will be used as remote ID. The hostname has
to be of the form “host.domain.com”.
• user. Sets the username that will be used as remote ID. The username has to
be of the form “my.name@company.com”.
• derAsn1Dn. This allows a part of the certificate subject field to be used for remote
identification, for example O=company, L=Heverlee.
Certain elements can be used here to fill in in this field. For more information
on these elements, refer to the subject field in router1424/fileSystem/generateSelfCer-
tificateRequest on page 1004.
Pay attention to the order in which the elements are written. Also, spaces
between the characters are taken into account; the field is also case sensitive.
In other words, the information typed in here must be identical to how it is writ-
ten in the certificate subject field.
The remoteId element has to be the same as the ipAddress / hostName / user / derAsn1Dn
in the certificate of the remote device (the remoteId element is actually the localId ele-
ment of the remote device).
proxyId Use this element to set up a tunnel with other vendors. Default:-
This element must match with the access list of the Range: structure, see below
remote tunnel. The following values define the type of
payload carried by the ipsec frame:
• ipProtocol: Specify an IP protocol using the ipProtocol element. Select one of the
common IP protocols from the drop-down box.
• localIpAddress: Specify the IP address that serves as start point of the IPsec tun-
nel.
• localIpMask: Specify the subnet mask of the local IP address.
• localIpPort: Specify the local port number.
• remoteIpAddress: Specify the IP address that serves as end point of the IPsec tun-
nel.
• remoteIpMask: Specify the subnet mask of the remote IP address.
• remoteIpPort: Specify the remote port number.
1424 SHDSL Router Chapter 11 673
User manual Configuration attributes
router1424/ip/router/tunnels/
ipsecTunnels Default:<empty>
Range: table, see below
Use this attribute to configure the IP secured tunnels you want to set up.
Add a row to the IpsecTunnels table for each IPSEC tunnel you want to set up.
The ipsecTunnels table contains the following elements:
Element Description
remark Use this element to write down any text, message, Default:-
remark, etc. of up to 64 characters. Range: 0 … 64 characters
localIpAddress Use this element to set the official IP address that Default:<opt>
serves as start point of the IPSEC tunnel. Range: up to 255.255.255.255
localInterface Use this element to set the startpoint of the tunnel to Default:<empty>
the address of the interface referenced by localInterface. Range: 0 … 24 characters
Use this element when the start point of the tunnel can
not be determined in advance.
remoteIpAddress Use this element to set the official IP address that Default:<opt>
serves as end point of the IPSEC tunnel. Range: up to 255.255.255.255
remoteDnsName Use this element to set the DNS name of the end point Default:<empty>
of the IPSEC connection. In this case, the DNS name Range: 0 … 64 characters
will be resolved to an IP address.
• incoming: The incoming tunnel does not initiate the tunnel but waits for a request
from the remote party.
• outgoingLeasedLine: An outgoingLeasedLine tunnel is opened as soon as the 1424
SHDSL Router is up, and it stays open. No traffic timeouts are started.
• outgoingDial: The outgoingDial tunnel is not continuously open. It is opened when-
ever data has to be sent through the tunnel, and closed when no data is
detected for a certain time.
1424 SHDSL Router Chapter 11 675
User manual Configuration attributes
Element Description
noTrafficTimeOut This element only applies to dial tunnels, i.e. for which Default:00000d 00h 02m 00s
the type element is set to outgoingDial. Range: 00000d 00h 00m 30s -
00000d 01h 00m 00s
Use this element to set the amount of time (in sec-
onds) the tunnel waits before it closes in case it receives no data.
noTrafficDirection Use this element to set the direction in which traffic is Default:both
monitored. Range: enumerated, see below
The noTrafficDirection element has the following values:
• both: traffic is monitored in both direction.
• inbound: only incoming traffic is monitored.
• outbound: only outgoing traffic is monitored.
remoteRoute Use this element to allow or forbid the use of the Default:-
default route to reach the tunnel end point. Range: structure, see below
When you select this element, a structure appears behind the element. This struc-
ture contains the following elements:
• useDefaultRoute: This element has the following val- Default:enabled
ues: Range: enumerated, see below
- enabled: It is allowed the reach the tunnel end-
point by using the default route.
- disabled: It is not allowed the reach the tunnel endpoint by using the default
route. The user has to wait for an alternative route to come up.
tos Use this element to copy the TOS byte value from the Default:copy
IP header of the payload, or to force the TOS byte to Range: enumerated, see below
a fixed value of 0...255.
The tos element has the following values:
• copy: the TOS byte value is copied from the IP header of the payload.
• 0...255: the TOS byte value is forced to a value between 0 and 255.
dontFragmentBit Use this element to copy the dontFragment bit value Default:copy
from the IP header of the payload to the new IPSEC Range: enumerated, see below
IP header.
The dontFragmentBit element has the following values:
• copy: copies the dontFragment bit value from the IP header of the payload to the
new IPSEC IP header.
• clear: clears the dontFragment bit in the new IPSEC IP header.
• set: sets the dontFragment bit in the new IPSEC IP header.
676 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
What is MTU?
The Maximum Transmission Unit (MTU) is the largest size packet or frame, spec-
ified in octets (eight-bit bytes), that can be sent in a packet- or frame-based net-
work (e.g. the Internet). The Ethernet standard MTU is 1500.
An MTU that is too large may result in retransmissions if the packet encounters a
router that cannot handle that large a packet. An MTU that is too small results in
relatively more header overhead and more acknowledgements that have to be
sent and handled.
The Internet de facto standard MTU is 576, but ISPs often suggest using 1500. For
protocols other than TCP, different MTU sizes may apply.
IP packets with a size larger than the MTU and with the DF (Don’t Fragment)
bit set are dropped and an ICMP destination unreachable (type 3, code 4)
message is sent.
1424 SHDSL Router Chapter 11 677
User manual Configuration attributes
ipsecTunnels/ipsec Default:<empty>
Range: table, see below
Use this element to apply a security association on the IPSEC tunnel.
Do this by typing the index name of the security association you want to use. You can create the security
association itself by adding a manualSA or ikeSA object and by configuring the attributes in this object.
Refer to 9.6 - Configuring IP security on page 407 for more information on IP security.
The ipsec element offers you the following choice:
Choice Description
fdxManualSA Select this value if you want to apply a manual secu- Default:<empty>
rity association on both the inbound and outbound Range: 0 … 24 characters
traffic of the IPSEC tunnel.
If you select this value, then a field appears behind the value. Type the manualSA
object its index name in this field.
Example
If you created a manualSA object with index name my_SA (i.e. manualSA[my_SA]) and
you want to apply this security association on an IPSEC tunnel, then enter the
index name as value of the fdxManualSA element.
hdxManualSA Select this value if you want to apply a manual secu- Default:-
rity association on the inbound traffic and another Range: structure, see below
manual security association on the outbound traffic of
the IPSEC tunnel.
If you select this value, then a structure appears behind the value. This structure
contains the following elements:
• inbound. To apply a security association on the Default:<empty>
inbound traffic, type the manualSA object its index Range: 0 … 24 characters
name in this field.
• outbound. To apply a security association on the Default:<empty>
outbound traffic, type the manualSA object its index Range: 0 … 24 characters
name in this field.
Example
If you created a manualSA object with index name my_SA_in (i.e. manualSA[my_SA_in])
and one with index name my_SA_out (i.e. manualSA[my_SA_out]) and you want to apply
the first on the inbound and the latter on the outbound traffic, then enter the index
names of the manualSA objects as follows.
ikePresharedSA Select this value if you want to apply an IKE pre- Default:-
shared key security association on both the inbound Range: structure, see below
and outbound traffic of the IPSEC tunnel.
If you select this value, then a structure appears behind the value. Refer to ipsec-
Tunnels/ipsec/ikePresharedSA on page 679 for a detailed description of the ikePresharedSA
structure.
678 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Choice Description
ikeCertificateSA Select this value if you want to apply an IKE certificate Default:-
security association on both the inbound and out- Range: structure, see below
bound traffic of the IPSEC tunnel.
If you select this value, then a structure appears behind the value. Refer to ipsec-
Tunnels/ipsec/ikeCertificateSA on page 681 for a detailed description of the ikeCertificateSA
structure.
1424 SHDSL Router Chapter 11 679
User manual Configuration attributes
ipsecTunnels/ipsec/ikePresharedSA Default:-
Range: structure, see below
Use the ikePresharedSA structure in the ipsec structure to apply an IKE pre-
shared key security association on both the inbound and outbound traffic of the IPSEC tunnel.
The ikePresharedSA structure contains the following elements:
Element Description
ikeSA Use this element to apply a certain IKE preshared key Default:<empty>
security association on the IPSEC tunnel. Range: 0 … 24 characters
Do this by typing the ikeSA object its index name in this field.
Example
If you created an ikeSA object with index name mySA (i.e. ikeSA[mySA])
and you want to apply this security association on an IPSEC tunnel,
then enter the index name as value of the ikeSA element.
localId Use this element to set the local identifier for use in Default:<ipAddress> 0.0.0.0
IKE phase 1 negotiation. Range: choice, see below
The localId element has the following values:
• ipAddress. Set the IP address that will be used as local ID. If you leave the ipAd-
dress element at its default value (0.0.0.0), then the local IP address of the L2TP
tunnel is used as local ID.
• hostname. Set the hostname that will be used as local ID. The hostname has to
be of the form “host.domain.com”.
• user. Set the username that will be used as local ID. The username has to be of
the form “my.name@company.com”.
remoteId Use this element to set the remote identifier for use in Default:<ipAddress> 0.0.0.0
IKE phase 1 negotiation. Range: choice, see below
The remoteId element has the following values:
• ipAddress. Sets the IP address that will be used as remote ID. If you leave the
ipAddress element at its default value (0.0.0.0), then the remote IP address of the
L2TP tunnel is used as remote ID.
• hostname. Sets the hostname that will be used as remote ID. The hostname has
to be of the form “host.domain.com”.
• user. Sets the username that will be used as remote ID. The username has to
be of the form “my.name@company.com”.
preSharedKey Use this element to set the pre-shared key string. Default:presharedkey
This key string in combination with the selected IKE Range: 12 … 49 characters
DH group is used to calculate the key during the key exchange in phase 1 of the
IKE negotiation. Refer to diffieHelmanGroup on page 699.
680 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
proxyId Use this element to set up a tunnel with other vendors. Default:-
This element must match with the access list of the Range: structure, see below
remote tunnel. The following values define the type of
payload carried by the ipsec frame:
• ipProtocol: Specify an IP protocol using the ipProtocol element. Select one of the
common IP protocols from the drop-down box.
• localIpAddress: Specify the IP address that serves as start point of the IPSEC tun-
nel.
• localIpMask: Specify the subnet mask of the local IP address.
• localIpPort: Specify the local port number.
• remoteIpAddress: Specify the IP address that serves as end point of the IPSEC
tunnel.
• remoteIpMask: Specify the subnet mask of the remote IP address.
• remoteIpPort: Specify the remote port number.
1424 SHDSL Router Chapter 11 681
User manual Configuration attributes
ipsecTunnels/ipsec/ikeCertificateSA Default:-
Range: structure, see below
Use the ikeCertificateSA structure in the ipsec structure to apply an IKE certifi-
cate security association on both the inbound and outbound traffic of the IPSEC tunnel.
The ikeCertificateSA structure contains the following elements:
Element Description
Example
If you created an ikeSA object with index name mySA (i.e. ikeSA[mySA])
and you want to apply this security association on an IPSEC tunnel,
then enter the index name as value of the ikeSA element.
localId Use this element to set the local identifier for use in Default:<ipAddress> 0.0.0.0
IKE phase 1 negotiation. Range: choice, see below
The localId element has the following values:
• ipAddress. Set the IP address that will be used as local ID. If you leave the ipAd-
dress element at its default value (0.0.0.0), then the local IP address of the L2TP
tunnel is used as local ID.
• hostname. Set the hostname that will be used as local ID. The hostname has to
be of the form “host.domain.com”.
• user. Set the username that will be used as local ID. The username has to be of
the form “my.name@company.com”.
The ipAddress, hostName, user element has to be the same as the IP address / host-
name / username in the certificate of the local device (at least one of these three
values has to be filled in); refer to router1424/fileSystem/generateSelfCertificateRequest on
page 1004 and router1424/fileSystem/getSelfCertificateScep on page 1008.
682 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
remoteId Use this element to set the remote identifier for use in Default:<ipAddress> 0.0.0.0
IKE phase 1 negotiation. Range: choice, see below
The remoteId element has the following values:
• ipAddress. Sets the IP address that will be used as remote ID. If you leave the
ipAddress element at its default value (0.0.0.0), then the remote IP address of the
L2TP tunnel is used as remote ID.
• hostname. Sets the hostname that will be used as remote ID. The hostname has
to be of the form “host.domain.com”.
• user. Sets the username that will be used as remote ID. The username has to
be of the form “my.name@company.com”.
• derAsn1Dn. This allows a part of the certificate subject field to be used for remote
identification, for example O=company, L=Heverlee.
Certain elements can be used here to fill in in this field. For more information
on these elements, refer to the subject field in router1424/fileSystem/generateSelfCer-
tificateRequest on page 1004.
Pay attention to the order in which the elements are written. Also, spaces
between the characters are taken into account; the field is also case sensitive.
In other words, the information typed in here must be identical to how it is writ-
ten in the certificate subject field.
The remoteId element has to be the same as the IP address / hostname / username
in the certificate of the remote device (the remoteId element is actually the localId ele-
ment of the remote device).
proxyId The following values define the type of payload car- Default:-
ried by the ipsec frame: Range: structure, see below
• ipProtocol: Specify an IP protocol using the ipProtocol element. Select one of the
common IP protocols from the drop-down box.
• localIpAddress: Specify the IP address that will be used as local ID.
• localIpMask: Specify the subnet mask of the local IP address.
• localIpPort: Specify the local port number.
• remoteIpAddress: Specify the IP address that will be used as remote ID.
• remoteIpMask: Specify the subnet mask of the remote IP address.
• remoteIpPort: Specify the remote port number.
1424 SHDSL Router Chapter 11 683
User manual Configuration attributes
router1424/ip/router/tunnels/
greTunnels Default:<empty>
Range: table, see below
Use this attribute to configure the GRE tunnels you want to set up. Add a
row to the greTunnels table for each GRE tunnel you want to set up.
The greTunnels table contains the following elements:
Element Description
remark Use this element to write down any text, message, Default:-
remark, etc. of up to 64 characters. Range: 0 … 64 characters
adminStatus Use this element to set the administrative state of the Default:up
GRE tunnel: up or down. Range: enumerated, see below
priorityPolicy Use this element to apply a priority policy on the GRE Default:<empty>
tunnel. Range: 0 … 24 characters
Do this by entering the index name of the priority policy you want to use. You can
create the priority policy itself by adding a priorityPolicy object and by configuring the
attributes in this object.
Refer to 7.11 - Applying QoS on routed traffic on page 259 for more information
about priority policy.
gre Use the gre structure to configure the GRE related Default:-
parameters of the tunnel. Refer to greTunnels/gre on Range: structure, see below
page 685 for a detailed explanation of the gre structure.
inboundBandwidth Use this element to configure the inbound bandwidth of the GRE tunnel.
The inboundBandwidth structure contains the following elements:
• cir.
• correction.
• maxFifoQLen.
• priorityPolicy.
For a detailed description of these elements, refer to the inboundBandwidth attribute
in 11.3 - LAN interface configuration attributes on page 509; they have already
been explained there in the context of the LAN interface.
1424 SHDSL Router Chapter 11 685
User manual Configuration attributes
greTunnels/gre Default:-
Range: structure, see below
Use the gre structure to configure the GRE related parameters of the tunnel.
The gre structure contains the following elements:
Element Description
localIpAddress Use this element to set the official IP address that Default:<opt>
serves as start point of the GRE tunnel. Range: up to 255.255.255.255
localInterface Use this element to set the startpoint of the tunnel to Default:<empty>
the address of the interface referenced by localInterface. Range: 0 … 24 characters
remoteIpAddress Use this element to set the official IP address that Default:<opt>
serves as end point of the GRE tunnel. Range: up to 255.255.255.255
tos Use this element to copy the TOS byte value from the Default:copy
IP header of the payload, or to force the TOS byte to Range: enumerated, see below
a fixed value of 0...255.
The tos element has the following values:
• copy. The TOS byte value is copied from the IP header of the payload.
• 0...255. The TOS byte value is forced to a value between 0 and 255.
dontFragmentBit Use this element to copy the dontFragment bit value Default:copy
from the IP header of the payload to the new GRE IP Range: enumerated, see below
header.
The dontFragmentBit element has the following values:
• copy. Copies the dontFragment bit value from the IP header of the payload to the
new GRE IP header.
• clear. Clears the dontFragment bit in the new GRE IP header.
• set. Sets the dontFragment bit in the new GRE IP header.
ttl Use this element to copy the ttl byte value from the IP Default:copy
header of the payload, or to force the ttl byte to a fixed Range: enumerated, see below
value of 0...255.
The ttl element has the following values:
• copy. The ttl byte value is copied from the IP header of the payload.
• 0...255. The ttl byte value is forced to a value between 0 and 255.
686 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
What is MTU?
The Maximum Transmission Unit (MTU) is the largest size packet or frame, spec-
ified in octets (eight-bit bytes), that can be sent in a packet- or frame-based net-
work (e.g. the Internet). The Ethernet standard MTU is 1500.
An MTU that is too large may result in retransmissions if the packet encounters a
router that cannot handle that large a packet. An MTU that is too small results in
relatively more header overhead and more acknowledgements that have to be
sent and handled.
The Internet de facto standard MTU is 576, but ISPs often suggest using 1500. For
protocols other than TCP, different MTU sizes may apply.
IP packets with a size larger than the MTU and with the DF (Don’t Fragment)
bit set are dropped and an ICMP destination unreachable (type 3, code 4)
message is sent.
1424 SHDSL Router Chapter 11 687
User manual Configuration attributes
ipsecGreTunnels Default:<empty>
Range: table, see below
Use this attribute to configure the IPSEC GRE tunnels you want to set up.
Add a row to the ipsecGreTunnels table for each IPSEC GRE tunnel you want to set up.
The ipsecGreTunnels table contains the following elements:
Element Description
name Use this element to assign a unique interface name for the IPSEC GRE Tunnel.
adminStatus Use this element to set the administrative state of the IPSEC GRE tunnel: up or
down.
priorityPolicy Use this element to apply a priority policy on the IPSEC GRE tunnel. Refer to 7.11
- Applying QoS on routed traffic on page 259 for more information about priority
policy.
ip Use the ip structure for IP configuration inside the IPSEC GRE tunnel. Refer to
5.2.3 - Explaining the ip structure on page 56 for a detailed description of the ip
structure.
gre Use the gre structure to set the specific IPSEC GRE parameters. Refer to ipsecGre-
Tunnels/gre on page 688 for a detailed explanation of the gre structure.
inboundBandwidth Use this element to configure the inbound bandwidth of the IPsec GRE tunnel.
The inboundBandwidth structure contains the following elements:
• cir.
• correction.
• maxFifoQLen.
• priorityPolicy.
For a detailed description of these elements, refer to the inboundBandwidth attribute
in 11.3 - LAN interface configuration attributes on page 509; they have already
been explained there in the context of the LAN interface.
688 1424 SHDSL Router Chapter 11
User manual Configuration attributes
ipsecGreTunnels/gre Default:-
Range: structure, see below
Use the gre structure to set the specific IPSEC GRE parameters.The gre
structure contains the following elements:
Element Description
localIpAddress Use this element to set the official IP address that Default:<opt>
serves as start point of the GRE tunnel. Range: up to 255.255.255.255
localInterface Use this element to set the startpoint of the tunnel to Default:<empty>
the address of the interface referenced by localInterface. Range: 0 … 24 characters
remoteIpAddress Use this element to set the official IP address that Default:<opt>
serves as end point of the GRE tunnel. Range: up to 255.255.255.255
noTrafficTimeout This element only applies to dial tunnels, i.e. for which Default:00000d 00h 02m 00s
the type element is set to outgoingDial. Range: 00000d 00h 00m 30s -
00000d 01h 00m 00s
Use this element to set the amount of time (in sec-
onds) the tunnel waits before it closes in case it receives no data.
noTrafficDirection Use this element to set the direction in which traffic is Default:both
monitored. Range: enumerated, see below
The noTrafficDirection element has the following values:
• both: traffic is monitored in both direction.
• inbound: only incoming traffic is monitored.
• outbound: only outgoing traffic is monitored.
1424 SHDSL Router Chapter 11 689
User manual Configuration attributes
Element Description
• incoming: The incoming tunnel does not initiate the tunnel but waits for a request
from the remote party.
• outgoingLeasedLine: An outgoingLeasedLine tunnel is opened as soon as the 1424
SHDSL Router is up, and it stays open. No traffic timeouts are started.
• outgoingDial: The outgoingDial tunnel is not continuously open. It is opened when-
ever data has to be sent through the tunnel, and closed when no data is
detected for a certain time.
tos Use this element to copy the TOS byte value from the Default:copy
IP header of the payload, or to force the TOS byte to Range: enumerated, see below
a fixed value of 0...255.
The tos element has the following values:
• copy. The TOS byte value is copied from the IP header of the payload.
• 0...255. The TOS byte value is forced to a value between 0 and 255.
dontFragmentBit Use this element to copy the dontFragment bit value Default:copy
from the IP header of the payload to the new GRE IP Range: enumerated, see below
header.
The dontFragmentBit element has the following values:
• copy. Copies the dontFragment bit value from the IP header of the payload to the
new GRE IP header.
• clear. Clears the dontFragment bit in the new GRE IP header.
• set. Sets the dontFragment bit in the new GRE IP header.
ttl Use this element to copy the ttl byte value from the IP Default:copy
header of the payload, or to force the ttl byte to a fixed Range: enumerated, see below
value of 0...255.
The ttl element has the following values:
• copy. The ttl byte value is copied from the IP header of the payload.
• 0...255. The ttl byte value is forced to a value between 0 and 255.
690 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
What is MTU?
The Maximum Transmission Unit (MTU) is the largest size packet or frame, spec-
ified in octets (eight-bit bytes), that can be sent in a packet- or frame-based net-
work (e.g. the Internet). The Ethernet standard MTU is 1500.
An MTU that is too large may result in retransmissions if the packet encounters a
router that cannot handle that large a packet. An MTU that is too small results in
relatively more header overhead and more acknowledgements that have to be
sent and handled.
The Internet de facto standard MTU is 576, but ISPs often suggest using 1500. For
protocols other than TCP, different MTU sizes may apply.
IP packets with a size larger than the MTU and with the DF (Don’t Fragment)
bit set are dropped and an ICMP destination unreachable (type 3, code 4)
message is sent.
1424 SHDSL Router Chapter 11 691
User manual Configuration attributes
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
692 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Value Description
des DES is used to encrypt / decrypt the data. The DES key has to be entered in the
espEncryptionKey attribute.
3des Triple DES is used to encrypt / decrypt the data. The 3DES key has to be entered
in the espEncryptionKey attribute.
Make sure that for the same security association on both the local and remote router the same ESP
encryption algorithm is selected.
1424 SHDSL Router Chapter 11 693
User manual Configuration attributes
DES encryption only the first 8 octets of the key are used. All other octets are ignored.
11 11 11 11 11 11 11 11 22 22 22 22 22 22 22 22 33 33 33 33 33 33 33 33
3DES encryption at the transmitter side, the first set of 8 octets of the key are used to encrypt the
data, the second set of 8 octets to decrypt the data and the third set of 8 octets to
encrypt the data again.
11 11 11 11 11 11 11 11 22 22 22 22 22 22 22 22 33 33 33 33 33 33 33 33
encryption encryption
decryption
Make sure that for the same security association on both the local and remote router the same ESP
encryption key is used.
694 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Value Description
hmac_md5 The MD5 hash function is used to authenticate the data. The MD5 key has to be
entered in the espAuthenticationKey attribute.
hmac_sha-1 The SHA-1 hash function is used to authenticate the data. The SHA-1 key has to
be entered in the espAuthenticationKey attribute.
Make sure that for the same security association on both the local and remote router the same ESP
authentication algorithm is selected.
MD5 authentication only the first 16 octets of the key are used. All other octets are ignored.
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20
Make sure that on both the local and remote router the same ESP authentication key is used.
Make sure that for the same security association on both the local and remote router the same SPI value
is used.
1424 SHDSL Router Chapter 11 695
User manual Configuration attributes
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
1424 SHDSL Router Chapter 11 697
User manual Configuration attributes
Element Description
mode Use this element to set the IKE mode. The choice Default:aggressive
between these modes is a matter of trade-offs. Range: enumerated, see below
The mode element has the following values:
• main: Main mode is selected. Some characteristics of main mode are:
- Protects the identities of the peers during negotiations and is therefore more
secure.
- Allows greater proposal flexibility than aggressive mode.
- Is more time consuming than aggressive mode because more messages
are exchanged between peers. (Six messages are exchanged in main
mode.)
• aggressive: Aggressive mode is selected. Some characteristics of aggressive
mode are:
- Exposes identities of the peers to eavesdropping, making it less secure than
main mode.
- Takes half the number of messages of main mode, has less negotiation
power, and does not provide identity protection.
- Is faster than main mode because fewer messages are exchanged between
peers. (Three messages are exchanged in aggressive mode.)
698 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
encryptionAlgorithm Use this element to select the IKE encryption algo- Default:des
rithm. Range: enumerated, see below
The encryption key is calculated using the selected diffieHelmanGroup algorithm in
combination with the value of the preSharedKey element.
The encryptionAlgorithm element has the following values:
• des: DES (56 bits) is used to encrypt / decrypt the data.
• 3des: Triple DES (168 bits) is used to encrypt / decrypt the data.
• aes128: AES128 (128 bits) is used to encrypt / decrypt the data.
• aes192: AES192 (192 bits) is used to encrypt / decrypt the data.
• aes256: AES256 (256 bits) is used to encrypt / decrypt the data.
Make sure that for the same security association on both the local and
remote router the same encryption algorithm is selected.
authenticationAlgo- Use this element to select the IKE authentication algo- Default:hmac_sha-1
rithm rithm. Range: enumerated, see below
The authentication key is calculated using the selected diffieHelmanGroup algorithm
in combination with the value of the preSharedKey element.
The authenticationAlgorithm element has the following values:
• hmac_md5: The MD5 hash function is used to authenticate the data.
• hmac_sha-1: The SHA-1 hash function is used to authenticate the data.
Make sure that for the same security association on both the local and
remote router the same authentication algorithm is selected.
1424 SHDSL Router Chapter 11 699
User manual Configuration attributes
Element Description
diffieHelmanGroup Use this element to select the algorithm that will be Default:1_modp768
used to calculate the phase 1 IKE key. This key is Range: enumerated, see below
then used to encrypt and authenticate the data. The
calculation of the IKE key is based on the value of the preSharedKey element (refer
to preSharedKey on page 669).
The diffieHelmanGroup element has the following values:
• 1_modp768: The Diffie-Hellman group 1 (768 bits) is used to calculate the IKE
key.
• 2_modp1024: The Diffie-Hellman group 2 (1024 bits) is used to calculate the IKE
key.
• 5_modp1536: The Diffie-Hellman group 5 (1536 bits) is used to calculate the IKE
key.
Important remarks
• Note that the heavier the algorithm, the more processing power is required. E.g.
when selecting the Diffie-Hellman group 5, up to 30 seconds may be needed to
generate a key.
• Make sure that for the same security association on both the local and remote
router the same Diffie-Hellman algorithm is selected.
lifeTime Use this element to set the life time, in seconds, of the Default:28800
IKE SA. Range: 120 … 86400
When the life time expires, it is replaced by a new SA (and SPI) or terminated.
keepAlive Use this element to configure the IKE keep alive mes- Default:-
sages. Keep alive messages are sent to check and Range: structure, see below
maintain, or keep alive, the connection between local
and remote.
Refer to router1424/ip/router/ikeSA[ ]/phase1/keepAlive on page 700 for a detailed descrip-
tion of the keepAlive structure.
700 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
mode Use this element to set the keep alive mode. Default:onDemand
The mode element has the following values: Range: enumerated, see below
• disabled: Keep alive is disabled, i.e. no keep alive messages are sent.
• onDemand: Keep alive messages are sent on the basis of traffic patterns. For
example, if a router has to send outbound traffic and the liveliness of the peer
is questionable, the router sends a keep alive message to query the status of
the peer. If a router has no traffic to send, it never sends a keep alive message.
• periodic: Keep alive messages are sent at the interval specified by the delay ele-
ment.
delay Use this element to set the interval at which keep alive Default:00000d 00h 00m 30s
messages are sent in case the mode element is set to Range: 00000d 00h 00m 00s -
periodic. 24855d 03h 14m 07s
failsPermitted Use this element to set the number of times a keep Default:3
alive message is resent in case no answer was Range: 0 …
received on the original keep alive message.
interval Use this element to set the delay between the retries. Default:00000d 00h 00m 10s
For example, considering the default values, if no Range: 00000d 00h 00m 00s -
24855d 03h 14m 07s
answer is received on a keep alive message, then the
router retries 3 times to resent the keep alive message with an interval of 10 sec-
onds.
1424 SHDSL Router Chapter 11 701
User manual Configuration attributes
Element Description
Important remarks
• Note that the heavier the algorithm, the more processing power is required. E.g.
when selecting the Diffie-Hellman group 5, up to 30 seconds may be needed to
generate a key.
• Make sure that for the same security association on both the local and remote
router the same PFS algorithm is selected.
proposal Use this element to configure the IKE proposal. A pro- Default:-
posal is a list of IKE attributes to protect the IKE con- Range: structure, see below
nection between the IKE host and its peer.
Refer to router1424/ip/router/ikeSA[ ]/phase2/proposal on page 702 for a detailed description
of the proposal structure.
702 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
espEncryptionAlgo- Use this element to select the IPSEC encryption algo- Default:des
rithm rithm (in case of ESP). Range: enumerated, see below
The espEncryptionAlgorithm element has the following values:
• null: No encryption is done.
The null encryption algorithm is simply a convenient way to represent the
optional use of applying encryption within ESP. ESP can then be used to pro-
vide authentication and integrity without confidentiality.
• des: DES (56 bits) is used to encrypt / decrypt the data.
• 3des: Triple DES (168 bits) is used to encrypt / decrypt the data.
• disabled: No encryption is done.
Make sure that for the same security association on both the local and
remote router the same encryption algorithm is selected.
Make sure that for the same security association on both the local and
remote router the same authentication algorithm is selected.
Make sure that for the same security association on both the local and
remote router the same authentication algorithm is selected.
1424 SHDSL Router Chapter 11 703
User manual Configuration attributes
Element Description
lifeTime Use this element to set the life time of the IPSEC SA. Default:-
When the life time expires, it is replaced by a new SA Range: structure, see below
(and SPI) or terminated.
The lifeTime structure contains the following elements:
• time. Use this element to set the life time, in sec- Default:3600
onds, of the IPSEC SA. Range: 120 … 86400
• kBytes. Use this element to set the life time, in kilo- Default:4250000
bytes, of the IPSEC SA. Range: 2500 … 4250000
As soon as one of the two criteria is exceeded (i.e. either the time or the number
of kilobytes), the IPSEC SA is timed out.
This section discusses the configuration attributes concerned with OSPF. First it describes the general
OSPF configuration attributes. Then it explains the OSPF area configuration attributes.
The following gives an overview of this section:
• General OSPF configuration attributes on page 705
• Area configuration attributes on page 710
1424 SHDSL Router Chapter 11 705
User manual Configuration attributes
²v
router1424/ip/router/ospf/routerId Default:0.0.0.0
Range: up to 255.255.255.255
Use this attribute to set the unique sequence number for the router in the
OSPF network.
router1424/ip/router/ospf/keyChains Default:<empty>
Range: table, see below
Use this attribute to set the key chains that will be used in the MD-5 authen-
tication process. For more information on authentication, refer to …
• 7.6.3 - Enabling OSPF authentication on page 219
• router1424/ip/router/ospf/area[ ]/networks/authentication on page 714
• router1424/ip/router/ospf/area[ ]/virtualLinks/authentication on page 716
Element Description
chain Use this element to set the properties of each key Default:<empty>
chain. Range: table, see below
Refer to router1424/ip/router/ospf/keyChains/chain on page 707 for a detailed description of
this element.
1424 SHDSL Router Chapter 11 707
User manual Configuration attributes
router1424/ip/router/ospf/keyChains/chain Default:<empty>
Range: table, see below
The chain table contains the following elements:
Element Description
keyId Use this element to set a unique identifier for each Default:0
secret. Range: 0 … 255
sendDate Use this element to set the start date from which the Default:01/01/01
secret is allowed to be sent. Enter the date as argu- Range: 01/01/01 … 31/12/99
ment value in the format dd/mm/yy (e.g. 01/01/05)
sendTime Use this element to set the time from which the secret Default:00:00:00
is allowed to be sent. Enter the time as argument Range: 00:00:00 … 23:59:59
value in the format hh:mm:ss (e.g. 12:30:45).
sendDuration Use this element to set the period of time during which Default:00000d 00h 00m 00s
the secret is allowed to be sent. Range: 00000d 00h 00m 00s -
24855d 03h 14m 07s
acceptDate Use this element to set the start date from which the Default:01/01/01
secret is allowed to be accepted by the other routers Range: 01/01/01 … 31/12/99
in the OSPF network. Enter the date as argument
value in the format dd/mm/yy (e.g. 01/01/05)
acceptTime Use this element to set the time from which the secret Default:00:00:00
is allowed to be accepted by the other routers in the Range: 00:00:00 … 23:59:59
OSPF network. Enter the time as argument value in
the format hh:mm:ss (e.g. 12:30:45).
acceptDuration Use this element to set the period of time during which Default:00000d 00h 00m 00s
the secret is allowed to be accepted by the other rout- Range: 00000d 00h 00m 00s -
ers in the OSPF network. Enter this value in seconds. 24855d 03h 14m 07s
router1424/ip/router/ospf/importMetrics Default:-
Range: structure, see below
Use this attribute to configure the default cost for importing RIP and static
routes into OSPF.
The importMetrics structure contains following elements:
Element Description
static Use this element to set the default cost of a static Default:20
route which will be imported into OSPF. Range: 0 … 2147483647
rip Use this element to set the default cost of a RIP route Default:20
which will be imported into OSPF. Range: 0 … 2147483647
708 1424 SHDSL Router Chapter 11
User manual Configuration attributes
router1424/ip/router/ospf/importFilter Default:<empty>
Range: table, see below
Use this attribute to configure the import filter which allows or denies the
import of external routes into OSPF.
The importFilter table contains following elements:
Element Description
type Use this element to select the type of routes which will Default:all
be allowed or denied into OSPF. Range: static / rip / all
Whether a route is allowed into OSPF or denied access to OSPF, is set by the ele-
ment mode which is described further on in this table.
The type element has the following values:
• all. All routes are allowed into OSPF / denied access to OSPF.
• static. Static routes are allowed into OSPF / denied access to OSPF.
• rip. Rip routes are allowed into OSPF / denied access to OSPF.
address Use this element to set the IP address the external Default:0.0.0.0
route has to comply to. Range: up to 255.255.255.255
mask Use this element to set the netmask the external route Default:0.0.0.0
has to comply to. Range: up to 255.255.255.255
Address and mask define the address range the external route has to comply
to.
mode Use this element to allow or deny the import of exter- Default:allow
nal routes into OSPF. Range: deny / allow
costType Use this element to set the type of cost of the external Default:type2
route. Range: type1 / type2
The costType element has the following values:
• type1. The external cost is expressed in the same units as OSPF interface cost
(i.e. in terms of the link state metric).
• type2. The external cost is an order of magnitude larger; any type 2 cost is con-
sidered greater than the cost of any path internal to the OSPF routing domain.
Use of type 2 external cost assumes that routing outside the OSPF domain is
the major cost of routing a packet, and eliminates the need for conversion of
external costs to internal link state costs.
cost Use this element to set the cost of the external route. Default:0
Range: 0 … 65535
router1424/ip/router/ospf/importDefault Default:disabled
Range: enabled/disabled
Use this attribute to enable or disable the import of a default route into
OSPF. When OSPF receives an external route from any other protocol (static, bgp, rip, radius), it is
checked whether this is a default route or not. When this attribute is enabled, the route will be imported.
710 1424 SHDSL Router Chapter 11
User manual Configuration attributes
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
1424 SHDSL Router Chapter 11 711
User manual Configuration attributes
Element Description
defaultCost Use this element to assign a default cost to the area. Default:0
This is the cost of the default route of the area. Range: 0 … 2147483647
translatorRole Use this element to specify whether or not the 1424 Default:candidate
SHDSL Router will unconditionally translate Type-7 Range: candidate / always
LSAs into Type-5 LSAs.
The translatorRole element has the following values:
• always. The 1424 SHDSL Router always translates Type-7 LSAs into Type-5
LSAs regardless of the translator state of other NSSA border routers.
• candidate. The 1424 SHDSL Router participates in the translator election proc-
ess. I.e. only one NSSA border router is elected as Type-7 translator among all
the NSSA border routers that were set as candidate.
translatorInterval Use this element to define the length of time the 1424 Default:00000d 00h 00m 40s
SHDSL Router, if it is an elected Type-7 translator, Range: 00000d 00h 00m 00s -
will continue to perform its translator duties once it has 00000d 18h 12m 15s
determined that its translator status has been
deposed by another NSSA border router translator.
If an NSSA border router is elected as Type-7 translator among all the NSSA bor-
der routers that were set as candidate, then it will continue to perform translation
duties until supplanted by a reachable NSSA border router whose Nt bit is set or
whose router ID is greater. Such an event may happen when an NSSA router with
translatorRole set to always regains border router status, or when a partitioned NSSA
becomes whole. If an elected translator determines its services are no longer
required, it continues to perform its translation duties for the additional time interval
defined by the translatorInterval. This minimizes excessive flushing of translated
Type-7 LSAs and provides for a more stable translator transition.
712 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
address Use this element to specify the IP address of the net- Default:0.0.0.0
work. Range: up to 255.255.255.255
mask Use this element to specify the IP address mask of the Default:255.255.255.0
attached network (Network Mask). Range: up to 255.255.255.255
Address and mask define the network address to select the interfaces that will
be part of the OSPF network (with the OSPF parameters defined in this net-
work).
cost Use this element to specify the cost of the link. When Default:0
the cost is set to 0, the actual cost is calculated auto- Range: 0 … 65535
matically.
Refer to 7.6.1 - Introducing OSPF on page 213 for more information about cost.
priority Use this element to set the priority of the link. On the Default:0
basis of this element, the designated router in the net- Range: 0 … 255
work is elected.
Refer to 7.6.1 - Introducing OSPF on page 213 for more information about desig-
nated routers.
This element is only important for broadcast networks. It must not be set for
P2P links.
helloInterval Use this element to specify the length of time, in sec- Default:00000d 00h 00m 30s
onds, between the hello packets that a router sends Range: 00000d 00h 00m 00s -
on an OSPF interface. 00000d 18h 12m 15s
OSPF requires the hello interval and dead interval to be exactly the same
for all routers attached to a common network.
1424 SHDSL Router Chapter 11 713
User manual Configuration attributes
Element Description
deadInterval Use this element to specify the maximum length of Default:00000d 00h 02m 00s
time, in seconds, before the neighbours declare the Range: 00000d 00h 00m 00s -
OSPF router down when they stop hearing the 24855d 3h 14m 07s
router's Hello Packets.
retransmitInterval Use this element to specify the length of time, in sec- Default:00000d 00h 00m 05s
onds, after which an hello packet is retransmitted. Range: 00000d 00h 00m 00s -
00000d 00h 4m 15s
authentication Use this element to authenticate OSPF packets. Default:-
OSPF packets can be authenticated so that routers Range: structure, see below
can be part of routing domains based on predefined passwords. By default, a
router uses a Null authentication which means that routing exchanges over a net-
work are not authenticated. There are two other authentication methods: Simple
Password authentication and Message Digest authentication (MD-5).
Refer to router1424/ip/router/ospf/area[ ]/networks/authentication on page 714 for a detailed
description of this element.
Element Description
text Use this element to set the password when using text Default:-
authentication. Range: 0 … 8 characters
keyChain Use this element to set the key chain which will be Default:chain
used in this network when using md5 authentication. Range: 0 … 24 characters
1424 SHDSL Router Chapter 11 715
User manual Configuration attributes
Element Description
remoteId Use this element to set the IP address of the remote Default:0.0.0.0
router with which the virtual link is established. Range: up to 255.255.255.255
helloInterval Use this element to specify the length of time, in sec- Default:00000d 00h 00m 30s
onds, between the hello packets that a router sends Range: 00000d 00h 00m 00s -
on an OSPF interface. 00000d 18h 12m 15s
deadInterval Use this element to specify the maximum length of Default:00000d 00h 02m 00s
time, in seconds, between the sent hello packets after Range: 00000d 00h 00m 00s -
which the neighbours declare the virtual link down. 24855d 3h 14m 07s
retransmitInterval Use this element to specify the length of time, in sec- Default:00000d 00h 00m 05s
onds, after which an hello packet is retransmitted. Range: 00000d 00h 00m 00s -
00000d 00h 4m 15s
authentication Use this element to authenticate OSPF packets. Default:-
OSPF packets can be authenticated so that routers Range: structure, see below
can be part of routing domains based on predefined passwords. By default, a
router uses a Null authentication which means that routing exchanges over a net-
work are not authenticated. There are two other authentication methods: Simple
Password authentication and Message Digest authentication (MD-5).
Refer to router1424/ip/router/ospf/area[ ]/virtualLinks/authentication on page 716 for more infor-
mation.
716 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
text Use this element to set the password when using text Default:--
authentication. Range: 0 … 8 characters
keyChain Use this element to set the key chain which will be Default:chain
used in the virtual link when using md5 authentication. Range: 0 … 24 characters
1424 SHDSL Router Chapter 11 717
User manual Configuration attributes
Element Description
type Use this element to set the type of Summary-LSA that Default:all
has to be created. Range: enumerated, see below
The type element has the following values:
• summary. The area's routing information is condensed.
• nssa. In case of an NNSA, multiple Type-7 LSAs are aggregated into a single
Type-5 LSA.
• all. Both tasks are performed.
network Use this element to set the IP address of the network. Default:0.0.0.0
Range: up to 255.255.255.255
mask Use this element to set the subnet mask of the net- Default:255.255.255.0
work. Range: up to 255.255.255.255
This section discusses the configuration attributes concerned with BGP. First it describes the general
BGP configuration attributes, followed by the ePeer, iPeer, routeFilter and routeMap configuration attributes.
Refer to 7.7 - Configuring BGP on page 221 for more information about BGP.
The following gives an overview of this section:
• General BGP configuration attributes
• ePeer and iPeer configuration attributes
• routeFilter configuration attributes
• routeMap configuration attributes
1424 SHDSL Router Chapter 11 719
User manual Configuration attributes
router1424/ip/router/bgp/asNr Default:0
Range: 0 ... 65535
Use this attribute to set the number of the Autonomous System (AS) the
1424 SHDSL Router belongs to.
router1424/ip/router/bgp/routerId Default:0.0.0.0
Range: up to 255.255.255.255
Use this attribute to set the router ID which identifies the sender within the
BGP network.
router1424/ip/router/bgp/localPreference Default:100
Range: 0 ... max
Use this attribute to set the advertising speaker's degree of preference for
an advertised route. A BGP speaker uses this atribute to inform its internal peers of this preference.
router1424/ip/router/bgp/bestPath Default:-
Range: structure, see below
Use this attribute to influence the routing decision process. The bestPath
structure contains the following elements:
Element Description
ignoreAsPath Use this element to enable or disable the use of the Default:disabled
asPath attribute in the decision process. Range: enabled/disabled
deterministicMed Use this element to change the BGP route selection Default:disabled
procedure to a deterministic but slower one. The 1424 Range: enabled/disabled
SHDSL Router will compare the med values first
before applying other selection criteria.
missingMedWorst By default, routes that are missing the med attribute, Default:disabled
will be assigned a value of zero. With this element Range: enabled/disabled
enabled, a value of infinity will be assigned to the
missing med attribute, making routes without a med value the least desirable path.
compareRouterId When identical routes are received from different external Default:disabled
peers, the oldest path is normally selected. Range: enabled/disabled
However, when this element is enabled, the route received from the peer with the lowest
router ID is selected.
1424 SHDSL Router Chapter 11 721
User manual Configuration attributes
router1424/ip/router/bgp/networks Default:<empty>
Range: table, see below
Use this attribute to assemble a list of networks that will be advertised by the
BGP protocol. The networks table contains following elements:
Element Description
address Use this element to set the IP address of the network Default:0.0.0.0
that BGP will advertise. Range: up to 255.255.255.255
mask Use this element to set the subnet mask of the net- Default:255.255.255.0
work that BGP will advertise. Range: up to 255.255.255.255
routeMap Use this element to set the name of a BGP routeMap, Default:-
used to change the attribute values of the advertised Range: 0 … 24 characters
network. For more information about the routeMap
attribute, refer to routeMap configuration attributes on page 734.
router1424/ip/router/bgp/aggregates Default:<empty>
Range: table, see below
Use this attribute to create an aggregate entry in the BGP database if any
more-specific BGP routes are available that fall into the specified range. The aggregates attribute contains
the following elements:
Element Description
mask Use this element to set the aggregate subnet mask of Default:255.255.255.0
the network that BGP will advertise. Range: up to 255.255.255.255
asSet Use this element to distribute the aggregate route with Default:disabled
the atomic aggregate attribute present. Range: enabled/disabled
If this element is enabled, the path advertised for this
route will consist of all elements contained in all paths that are being summarized.
routeMap Use this element to set the name of a BGP routeMap, Default:-
used to change the attribute values of the aggregate. Range: 0 … 24 characters
For more information about the routeMap attribute,
refer to routeMap configuration attributes on page 734.
722 1424 SHDSL Router Chapter 11
User manual Configuration attributes
router1424/ip/router/bgp/importMetrics Default:-
Range: structure, see below
Use this attribute to define the value of the med attribute for routes imported
from the system routing table.
The importMetrics table contains following elements:
Element Description
local Use this element to define the value of routes con- Default:noImport
nected to local interfaces. Range: enumerated, see below
The local element has the following values:
• noImport. The route will not be imported into the BGP domain.
• useIGP. The metric value of the route in the system routing table will be used.
• 0 ... 2147483647. The metric value can be entered manually.
static Use this element to define the value of statically con- Default:noImport
figured routes. Range: enumerated, see below
The static element has the same values as the local element: noImport, useIGP and 0
... 2147483647. For the explanation of these values, refer to the local element above.
rip Use this element to define the value of RIP routes. Default:noImport
The rip element has the same values as the local ele- Range: enumerated, see below
ment: noImport, useIGP and 0 ... 2147483647. For the explanation of these values, refer
to the local element above.
ospf Use this element to define the value of OSPF routes. Default:noImport
The ospf element has the same values as the local ele- Range: enumerated, see below
ment: noImport, useIGP and 0 ... 2147483647. For the explanation of these values, refer
to the local element above.
radius Use this element to define the value of routes con- Default:noImport
nected via RADIUS. Range: enumerated, see below
The radius element has the same values as the local element: noImport, useIGP and 0
... 2147483647. For the explanation of these values, refer to the local element above.
1424 SHDSL Router Chapter 11 723
User manual Configuration attributes
router1424/ip/router/bgp/importFilter Default:<empty>
Range: table, see below
Use this attribute to allow a finer granularity in filtering the import of routes
from the system routing table after the importMetrics settings are applied. The entries in the table are
searched one-by-one in the order they are configured, until the first match is found and applied.
The importFilter table contains following elements:
Element Description
type Use this element to select which routes will be filtered. Default:all
The type element has the following values: all, local, Range: enumerated, see below
static, rip, ospf, radius.
address Use this element to set the IP address of the network Default:0.0.0.0
that will be filtered. Range: up to 255.255.255.255
mask Use this element to set the subnet mask of the net- Default:0.0.0.0
work that will be filtered. Range: up to 255.255.255.255
mode Use this element to deny or allow the import of the Default:allow
chosen route. Range: deny/allow
routeMap Use this element to set the name of a BGP routeMap. Default:-
When the route is allowed, using the mode element, Range: 0 … 24 characters
this routeMap is used to change the attribute values of
the imported network.
724 1424 SHDSL Router Chapter 11
User manual Configuration attributes
This section describes the following common ePeer and iPeer configuration attributes:
• router1424/ip/router/bgp/ePeer[ ]/localIp on page 725
• router1424/ip/router/bgp/ePeer[ ]/remoteIp on page 725
• router1424/ip/router/bgp/ePeer[ ]/timers on page 725
• router1424/ip/router/bgp/ePeer[ ]/weight on page 726
• router1424/ip/router/bgp/ePeer[ ]/originateDefault on page 726
• router1424/ip/router/bgp/ePeer[ ]/softReconfig on page 726
• router1424/ip/router/bgp/ePeer[ ]/inboundFilters on page 727
• router1424/ip/router/bgp/ePeer[ ]/outboundFilters on page 727
• router1424/ip/router/bgp/ePeer[ ]/inboundMaps on page 728
• router1424/ip/router/bgp/ePeer[ ]/outboundMaps on page 728
• router1424/ip/router/bgp/ePeer[ ]/snmpIndexOffset on page 728
• router1424/ip/router/bgp/ePeer[ ]/<alarmConfigurationAttributes> on page 728
This section describes the following ePeer configuration attributes:
• router1424/ip/router/bgp/ePeer[ ]/astranslation on page 729
• router1424/ip/router/bgp/ePeer[ ]/remoteAs on page 729
• router1424/ip/router/bgp/ePeer[ ]/multiHop on page 730
This section describes the following iPeer configuration attributes:
• router1424/ip/router/bgp/iPeer[ ]/nextHopSelf on page 730
The objects ePeer and iPeer are not present in the containment tree by default. If you want to use the fea-
ture associated with this object, then add the objects first. Refer to 4.4 - Adding an object to the contain-
ment tree on page 45.
1424 SHDSL Router Chapter 11 725
User manual Configuration attributes
Element Description
keepAlive Use this element to set the interval by which keep Default:00000d 00h 00m 30s
alive messages are sent to the peer. Range: 00000d 00h 00m 00s -
00000d 18h 12m 15s
A reasonable maximum value of the keepAlive interval is one third of the
negotiated holdTime interval.
holdTime Use this element to set the period after which the peer Default:00000d 00h 01m 30s
is declared dead, when no keep alive messages are Range: 00000d 00h 00m 00s -
received. 00000d 18h 12m 15s
726 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
routeMap Use this element to set the name of a BGP routeMap, Default:<OPT>
used to change the atribute values of the default Range: 0 … 24 characters
route.
Element Description
name Use this element to set the name of a BGP routeFilter. Default:-
Refer to routeFilter configuration attributes on Range: 0 … 24 characters
page 731 for more information about the attribute
routeFilter.
Element Description
name Use this element to set the name of a BGP routeFilter. Default:-
Refer to routeFilter configuration attributes on Range: 0 … 24 characters
page 731 for more information about the attribute
routeFilter.
728 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
name Use this element to set the name of a BGP routeMap. Default:-
Refer to routeMap configuration attributes on Range: 0 … 24 characters
page 734 for more information about the attribute
routeMap.
Element Description
name Use this element to set the name of a BGP routeFilter. Default:-
Refer to routeMap configuration attributes on Range: 0 … 24 characters
page 734 for more information about the attribute
routeMap.
Use this attribute to manipulate the AS numbers. The asTranslation structure contains the following ele-
ments:
Element Description
localAsNr Use this element to set the AS number that will be Default:<OPT>, 0
used to set up the connection with the external peer, Range: 0 … 65535
instead of the common AS number of the BGP router
When different from zero, the external peer neighbor must announce itself to belong to this Atonomous
System. If not, the connection is refused.
730 1424 SHDSL Router Chapter 11
User manual Configuration attributes
By default, for external peers, only directly connected neighbors are allowed. This means the number of
hops is 1.
Use this attribute to set the maximum number of hops needed to reach the neighbor of an external peer.
The multiHop structure contains the following elements:
Element Description
nrHops Use this element to set the maximum number of hops Default:1
needed to reach the neighbor of an external peer. Range: 0 … 255
securityCheck Use this element to set a security check on the BGP Default:enabled
packets. The securityCheck element has the following Range: enabled/disabled
values:
• enabled. If securityCheck is enabled, BGP packets are transmitted on this peer with
TTL value 255; on the receiving side, packets are checked to have a minimum
TTL value of (255 - nrHops).
• disabled. When securityCheck is disabled, no check on the minimum TTL value of
an incoming packet is executed, but BGP packets are transmitted with a TTL
value of only nrHops, thus ensuring that the packets will not reach the remote
neighbor if more hops are needed.
When enabled, the local IP address will be used as the next hop for all updates sent to the BGP neighbor.
1424 SHDSL Router Chapter 11 731
User manual Configuration attributes
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
732 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
network Use this element to set the network IP address. After Default:0.0.0.0
applying the prefixLength to both this network configura- Range: up to 255.255.255.255
tion and the prefix to be filtered, a match is successful
if both results are equal.
prefixLength Use this element to set the prefix length. The prefix- Default:-
Length element contains the following values: Range: structure, see below
• mask. Use this value to set the mask length to apply Default:255
to the configured network and the prefix to filter. Range: 0 ... 255
The value 255 actually means any.
• minLength. Use this value to set the minimum net- Default:<OPT>, 0
Mask length required. Range:
• maxLength. Use this value to set the maximum net- Default:0
Mask length allowed. The value 255 actually Range: 0 ... 32|255
means any.
nextHop Use this element to find a match for the nextHop Default:<OPT>,0.0.0.0
attribute value. Range: up to 255.255.255.255
asPath Use this element to filter the AS path. The asPath ele- Default:<OPT>, any
ment contains the following values: Range: choice, see below
• any. No filtering will be done. Default:<empty>
Range: 0 ... 0 characters
origin Use this element to find a match for the origin attribute Default:<OPT>
value. The origin element contains the following val- Range: enumerated, see below
ues: any, igp, egp, incomplete.
1424 SHDSL Router Chapter 11 733
User manual Configuration attributes
Element Description
med Use this element to find a match for the med attribute Default:<OPT>, 0
value. Range: 0 … 24 characters
mode Use this element to set the action to take if all config- Default:allow
ured attribute values match. Range: allow/deny
734 1424 SHDSL Router Chapter 11
User manual Configuration attributes
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
1424 SHDSL Router Chapter 11 735
User manual Configuration attributes
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
1424 SHDSL Router Chapter 11 737
User manual Configuration attributes
Element Description
Currently, the 1424 SHDSL Router supports up to 5 routing update filters. Although you can add more
than 5 routingFilter[ ] objects to the containment tree, no more than 5 will be active.
Example
This example shows a filter that only forwards the route to subnet 192.168.48.0.
router1424/ip/router/vrrp[ ]/
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
1424 SHDSL Router Chapter 11 739
User manual Configuration attributes
vrId Default:0
Range: 0 … 255
Use this attribute to set the identification of the virtual router. Specify a
number between 1 and 255. The VRID has to be set the same on all participating routers.
Setting the vrId to 0 (default) disables this virtual router instance.
ipAddresses Default:<empty>
Range: table, see below
Use this attribute to configure one or more IP addresses on the virtual
router.
The ipAddresses table contains the following element:
Element Description
address Use this element to configure the IP address of the vir- Default:0.0.0.0
tual router. This address must be the same on all rout- Range: up to 255.255.255.255
ers participating in this virtual router.
By adding several IP addresses, several IP addresses can be configured on a sin-
gle virtual router. This can be used to ensure redundancy while migrating from one
address scheme to another. It cannot be used for load balancing purposes, in this
case multiple virtual routers must be used.
If no IP address is configured, this virtual router instance is not active.
It is important that all VRRP routers have a physical interface configured with an IP address in the same
subnet as the virtual router. The VRRP protocol sends only IP addresses and not subnet information.
Without the corresponding subnet information, the VRRP router will add the virtual router address as a
single IP address with a host (255.255.255.255) netmask. This will prevent routing from working prop-
erly, as the virtual router will not listen to broadcasts from the local network.
740 1424 SHDSL Router Chapter 11
User manual Configuration attributes
interfaces Default:<empty>
Range: table, see below
Use this attribute to add Ethernet-alike interfaces3 to the virtual router and
assign a priority to them. This priority is used in the master virtual router election process.
The interfaces table contains the following element:
Element Description
name Use this element to specify the name of the interface Default:<empty>
that you want to add to the virtual router. Range: 0 … 36 characters
priority Use this element to specify the priority of the interface. Default:100
Specify a number between 1 and 254. The higher the Range: 1 … 254
number, the higher the priority.
The numbers 0 and 255 are reserved numbers and cannot be set by the user:
• 0 specifies that the master has stopped working and that the backup router
needs to transition to master state.
• 255 specifies that the VRRP router is the IP address owner and therefore is
master, independently from the priority settings.
Refer to 7.9.1 - Introducing VRRP on page 248 for more information on how the
priority plays a role in the election of a master virtual router.
criticals Default:<empty>
Range: table, see below
Use this attribute to specify which interfaces must be up in order for the
VRRP router to start.
The criticals table contains the following element:
Element Description
name Use this element to specify the name of the interface Default:<empty>
that must be up before the router may be elected as Range: 0 … 36 characters
master.
So as soon as an interface that is defined in the criticals table goes down, the com-
plete router is considered to be down (on VRRP level that is). In that case, a new
master has to be elected. So this adds an extra condition to the election process
as shown in How is a master virtual router elected? on page 249.
preemptMode Default:enabled
Range: enabled / disabled
Use this attribute to allow a backup virtual router to take over from the mas-
ter virtual router in case the backup virtual router has a higher priority on the enclosing virtual router.
The preemptMode attribute has the following values:
Value Description
enabled If after a router is elected as master a backup appears which has a higher priority
than the master, then the backup begins to send its own advertisements. The cur-
rent master will see that the backup has higher priority and stop functioning as the
master. The backup will then see that the master has stopped sending advertise-
ments and assume the role of master.
disabled Once a router is elected as master, it stays master until it goes down. So the
appearance of a backup with a higher priority after the master has been elected
does not cause a new election process.
While preemption can ensure that a primary router will return to master status once it returns to service,
preemption also causes a brief outage while the election process takes place. Disabling preemption will
ensure maximum up-time on the network, but will not always result in the primary or highest priority
router acting as master.
Note that, regardless of the setting of the preemptMode attribute, the VRRP IP address owner will always
preempt.
1424 SHDSL Router Chapter 11 743
User manual Configuration attributes
pingReply Default:any
Range: enumerated, see below
Use this attribute to set how the virtual router responds to ICMP requests.
The pingReply attribute has the following values:
Value Description
ownerOnly This is the default behaviour, and means that the VRRP address will not reply to
ICMP echo packets when the VRRP address is virtual (i.e. not attached to an inter-
face).
snmpIndexOffset Default:0
Range: 0 ... 65535
Use this attribute to correct the snmpIndex, in order to let it keep the same
value as before, after a manually added object has been removed from the containment tree. Refer to
5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more information.
744 1424 SHDSL Router Chapter 11
User manual Configuration attributes
router1424/ip/router/firewall
inspection Default:disabled
Range: enabled / disabled
Use this attribute to enable or disable the firewall.
outboundPolicies Default:<empty>
Range: table, see below
Use this attribute to define outbound SNet policies. Refer to 9.8.4 - Defining
an outbound SNet policy on page 460 for more information.
The outboundPolicies table contains the following elements:
Element Description
sNet Use this element to specify the name of the source Default:<name> corp
SNet for which you want to create an outbound SNet Range: choice, see below
policy.
The sNet element is a choice element. The first part of the sNet element has the fol-
lowing values:
• name. Select this value if the source SNet is one of Default:corp
the standard SNets. In the second part of the sNet Range: corp / dmz
element, use the drop-down box to select one of
the standard SNets:
- corp. The source SNet is “corporate”. If you select this
value, then you create a policy for the traffic from the
corporate SNet to any SNet except the self SNet.
- dmz. The source SNet is “DMZ”. If you select this value,
then you create a policy for the traffic from the DMZ
SNet to any SNet except the self SNet.
Note that you only have to set the source SNet. The destination SNet is
always any SNet except the self SNet.
746 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
Note that if you leave the sourceIp element at its default value (<opt>), then no
source IP address(es) is/are specified.
1424 SHDSL Router Chapter 11 747
User manual Configuration attributes
Element Description
Note that if you leave the destIp element at its default value (<opt>), then no
destination IP address(es) is/are specified.
748 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
application Use this element to specify the application for which Default:<opt>
you want to create an outbound SNet policy. Range: choice, see below
The application element is a choice element. Currently, the first part of the application
element is always custom. The custom structure contains the following elements:
• protocol. Use this element to specify the protocol. Default:any
The protocol element has the following values: any, Range: enumerated, see below
icmp, tcp, udp, ah, esp.
Note that if you leave the protocol element at its default value (any), then no pro-
tocol is specified.
• startPort. Use this element to specify the start of the Default:0 (any)
port range. Specify the port by typing the port Range: 0 … 65535
number. For ease of use, some common port num-
bers can be selected from a drop-down box.
Note that if you leave the port element at its default value (any), then no port is
specified.
• endPort. Use this element to specify the end of the Default:<opt>
port range. Specify the port by typing the port Range: 0 … 65535
number. For ease of use, some common port num-
bers can be selected from a drop-down box.
Note that you can specify one single port by filling in the startPort element and
leaving the endPort element at its default value (<opt>).
Note that if you leave the application element at its default value (<opt>), then
no application is specified.
Element Description
Note that if you leave the nat element at its default value (<opt>), then no
address translation is done.
Important remark
If you want to enable NAT on an interface but you also want that the inter-
face is inspected by the firewall, then enable NAT in the policies of the firewall and
not in the ip structure of the interface.
inboundPolicies Default:<empty>
Range: table, see below
Use this attribute to define inbound SNet policies. Refer to 9.8.5 - Defining
an inbound SNet policy on page 462 for more information.
The inboundPolicies table contains the following elements:
Element Description
sNet Use this element to specify the name of the destina- Default:<name> corp
tion SNet for which you want to create an inbound Range: choice, see below
SNet policy.
The sNet element is a choice element. The first part of the sNet element has the fol-
lowing values:
• name. Select this value if the destination SNet is Default:corp
one of the standard SNets. In the second part of Range: corp / dmz
the sNet element, use the drop-down box to select
one of the standard SNets:
- corp. The destination SNet is “corporate”. If you select
this value, then you create a policy for the traffic from
any SNet except the self SNet to the corporate SNet.
- dmz. The destination SNet is “DMZ”. If you select this
value, then you create a policy for the traffic from any
SNet except the self SNet to the DMZ SNet.
Note that you only have to set the destination SNet. The source SNet is
always any SNet except the self SNet.
1424 SHDSL Router Chapter 11 751
User manual Configuration attributes
Element Description
Note that if you leave the sourceIp element at its default value (<opt>), then no
source IP address(es) is/are specified.
752 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
Note that if you leave the destIp element at its default value (<opt>), then no
destination IP address(es) is/are specified.
1424 SHDSL Router Chapter 11 753
User manual Configuration attributes
Element Description
application Use this element to specify the application for which Default:<opt>
you want to create an inbound SNet policy. Range: choice, see below
The application element is a choice element. Currently, the first part of the application
element is always custom. The custom structure contains the following elements:
• protocol. Use this element to specify the protocol. Default:any
The protocol element has the following values: any, Range: enumerated, see below
icmp, tcp, udp, ah, esp.
Note that if you leave the protocol element at its default value (any), then no pro-
tocol is specified.
• startPort. Use this element to specify the start of the Default:0 (any)
port range. Specify the port by typing the port Range: 0 … 65535
number. For ease of use, some common port num-
bers can be selected from a drop-down box.
Note that if you leave the port element at its default value (any), then no port is
specified.
• endPort. Use this element to specify the end of the Default:<opt>
port range. Specify the port by typing the port Range: 0 … 65535
number. For ease of use, some common port num-
bers can be selected from a drop-down box.
Note that you can specify one single port by filling in the startPort element and
leaving the endPort element at its default value (<opt>).
Note that if you leave the application element at its default value (<opt>), then
no application is specified.
Element Description
Note that if you leave the nat element at its default value (<opt>), then no
address translation is done.
Important remark
If you want to enable NAT on an interface but you also want that the inter-
face is inspected by the firewall, then enable NAT in the policies of the firewall and
not in the ip structure of the interface.
outboundSelfPolicies Default:<empty>
Range: table, see below
Use this attribute to define outbound self policies. Refer to 9.8.6 - Defining
an outbound self policy on page 464 for more information.
The outboundSelfPolicies table contains the following elements:
Element Description
sNet Use this element to specify the name of the destina- Default:<name> corp
tion SNet for which you want to create an outbound Range: choice, see below
self policy.
The sNet element is a choice element. The first part of the sNet element has the fol-
lowing values:
• name. Select this value if the destination SNet is Default:corp
one of the standard SNets. In the second part of Range: corp / dmz
the sNet element, use the drop-down box to select
one of the standard SNets:
- corp. The destination SNet is “corporate”. If you select
this value, then you create a policy for the traffic from
the device itself (self SNet) to the corporate SNet.
- dmz. The destination SNet is “DMZ”. If you select this
value, then you create a policy for the traffic from the
device itself (self SNet) to the DMZ SNet.
- internet. The destination SNet is “internet”. If you select this value, then you
create a policy for the traffic from the device itself (self SNet) to the internet
SNet.
Note that you only have to set the destination SNet. The source SNet is
always the self SNet.
756 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
Note that if you leave the sourceIp element at its default value (<opt>), then no
source IP address(es) is/are specified.
1424 SHDSL Router Chapter 11 757
User manual Configuration attributes
Element Description
Note that if you leave the destIp element at its default value (<opt>), then no
destination IP address(es) is/are specified.
758 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
application Use this element to specify the application for which Default:<opt>
you want to create an outbound self policy. Range: choice, see below
The application element is a choice element. Currently, the first part of the application
element is always custom. The custom structure contains the following elements:
• protocol. Use this element to specify the protocol. Default:any
The protocol element has the following values: any, Range: enumerated, see below
icmp, tcp, udp, ah, esp.
Note that if you leave the protocol element at its default value (any), then no pro-
tocol is specified.
• startPort. Use this element to specify the start of the Default:0 (any)
port range. Specify the port by typing the port Range: 0 … 65535
number. For ease of use, some common port num-
bers can be selected from a drop-down box.
Note that if you leave the port element at its default value (any), then no port is
specified.
• endPort. Use this element to specify the end of the Default:<opt>
port range. Specify the port by typing the port Range: 0 … 65535
number. For ease of use, some common port num-
bers can be selected from a drop-down box.
Note that you can specify one single port by filling in the startPort element and
leaving the endPort element at its default value (<opt>).
Note that if you leave the application element at its default value (<opt>), then
no application is specified.
inboundSelfPolicies Default:<empty>
Range: table, see below
Use this attribute to define inbound self policies. Refer to 9.8.4 - Defining an
outbound SNet policy on page 460 for more information.
The inboundSelfPolicies table contains the following elements:
Element Description
sNet Use this element to specify the name of the source Default:<name> corp
SNet for which you want to create an inbound self pol- Range: choice, see below
icy.
The sNet element is a choice element. The first part of the sNet element has the fol-
lowing values:
• name. Select this value if the source SNet is one of Default:corp
the standard SNets. In the second part of the sNet Range: corp / dmz
element, use the drop-down box to select one of
the standard SNets:
- corp. The source SNet is “corporate”. If you select this
value, then you create a policy for the traffic from the
corporate SNet to the device itself (self SNet).
- dmz. The source SNet is “DMZ”. If you select this value,
then you create a policy for the traffic from the DMZ
SNet to the device itself (self SNet).
- internet. The source SNet is “internet”. If you select this value, then you create
a policy for the traffic from the internet SNet to the device itself (self SNet).
Note that you only have to set the source SNet. The destination SNet is
always the self SNet.
760 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
Note that if you leave the sourceIp element at its default value (<opt>), then no
source IP address(es) is/are specified.
1424 SHDSL Router Chapter 11 761
User manual Configuration attributes
Element Description
Note that if you leave the destIp element at its default value (<opt>), then no
destination IP address(es) is/are specified.
762 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
application Use this element to specify the application for which Default:<opt>
you want to create an inbound self policy. Range: choice, see below
The application element is a choice element. Currently, the first part of the application
element is always custom. The custom structure contains the following elements:
• protocol. Use this element to specify the protocol. Default:any
The protocol element has the following values: any, Range: enumerated, see below
icmp, tcp, udp, ah, esp.
Note that if you leave the protocol element at its default value (any), then no pro-
tocol is specified.
• startPort. Use this element to specify the start of the Default:0 (any)
port range. Specify the port by typing the port Range: 0 … 65535
number. For ease of use, some common port num-
bers can be selected from a drop-down box.
Note that if you leave the port element at its default value (any), then no port is
specified.
• endPort. Use this element to specify the end of the Default:<opt>
port range. Specify the port by typing the port Range: 0 … 65535
number. For ease of use, some common port num-
bers can be selected from a drop-down box.
Note that you can specify one single port by filling in the startPort element and
leaving the endPort element at its default value (<opt>).
Note that if you leave the application element at its default value (<opt>), then
no application is specified.
attacks Default:-
Range: structure, see below
Use this attribute to determine, per type of attack, whether the firewall has
to check for this type of attack and neutralise it.
The attacks structure contains the following elements:
Element Description
Element Description
log Default:-
Range: structure, see below
Use this attribute to enable or disable logging and to determine what is
logged.
The log structure contains the following elements:
Element Description
Element Description
Element Description
thresholds Use this element to set the threshold to trigger the log- Default:-
ging. The threshold is set per log entry type, except for Range: structure, see below
denyPolicies and allowPolicies. In that case the threshold
is set per policy.
Logging thresholds are provided so that the logging system does not get flooded
with a huge number of duplicate logs in case the firewall or the corporate network
connected to it is under attack.
The thresholds structure contains the following elements:
• attack. Use this element to determine the number of Default:50
attacks that should occur before they are logged. Range: 1 … 300
• general. Use this element to determine the number Default:20
of general events that should occur before they are Range: 1 … 300
logged.
tableLength Use this element to set the length of the log table. Default:200
Note that changing this value clears the table. Range: 10 … 500
alg Default:-
Range: structure, see below
Use this attribute to enable or disable the ALG, the Application Level Gate-
way.
The alg structure contains following elements:
Element Description
tcpAdjustMss Default:0/disabled
Range: 0, 200 ... 2000
Use this attribute to configure the Maximum Segment Size (MSS) for tran-
sient packets that traverse the 1424 SHDSL Router.
When a TCP session is established the MSS value in the setup is adapted to the value configured here,
in order to reduce the maximum size of TCP segments.
What is MSS?
MTU or Maximum Transfer Unit is the maximum number of bytes that one packet can contain. Typical,
for Ethernet, this is 1500 bytes. The maximum amount of actual data that can be transported in such a
data packet is 1460 bytes; this is the Maximum Segment Size or MSS.
Reducing MSS
Reducing the maximum size of TCP segments may prevent the communication from slowing down or
even failing.
For instance, when PPP over Ethernet (PPPoE) is being used in the network, PPPoE truncates the
Ethernet Maximum Transfer Unit (MTU) to 1492 bytes, which could result in loss of communication.
Similarly, when a tunnelling protocol such as GRE, L2TP or IPSEC is being used in the network, frag-
mentation may be required if the MSS is not adjusted, which slows down the communication.
1424 SHDSL Router Chapter 11 769
User manual Configuration attributes
router1424/ip/vrfRouter[ ]
• This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
• These attributes have already been described in 11.9.1 - General router configuration attributes on
page 617. Refer to this section for more information.
• For more information on VRF, refer to 7.10 - Configuring Virtual Routing and Forwarding or VRF on
page 254.
770 1424 SHDSL Router Chapter 11
User manual Configuration attributes
This section also describes the configuration attributes of the following object:
router1424/ip/vrfRouter[ ]/ospf
These attributes have already been described in 11.9.8 - OSPF configuration attributes on page 704.
Refer to this section for more information.
Finally, this section also describes the configuration attributes of the following object:
router1424/ip/vrfRouter[ ]/routingFilter[ ]
These attributes have already been described in 11.9.10 - Routing filter configuration attributes on
page 736. Refer to this section for more information.
1424 SHDSL Router Chapter 11 771
User manual Configuration attributes
This section discusses the configuration attributes concerned with bridging. First it describes the general
bridging configuration attributes. Then it explains the configuration attributes of the extra features as
there are access listing, user priority mapping, etc…
The following gives an overview of this section:
• 11.10.1 - Bridge group configuration attributes on page 772
• 11.10.2 - Bridge access list configuration attributes on page 786
• 11.10.3 - VLAN group configuration attributes on page 793
772 1424 SHDSL Router Chapter 11
User manual Configuration attributes
router1424/bridge/bridgeGroup/
staticBridgeCache Default:<empty>
Range: table, see below
Use this attribute to set the static bridge cache. This is a fixed mapping
between a MAC address and an interface.
The staticBridgeCache table contains the following elements: interface and macAddress.
If a packet with the same MAC address is received on another interface, that packet will be dropped.
forwardMulticast Default:0
Range: 0, 1, 2
Use this attribute to define the multicast forwarding behavior.
The forwardMulticast attribute has the following values:
Value Description
0 or noSpan- Spanning tree packets (mac address 01:80:c2:00:00:00) are not forwarded, all
ningTree. other multicast addresses are flooded to all other members of the bridgegroup.
1 or all. All multicast packets are forwarded to all other members of the bridgegroup.
name Default:bridge
Range: 1 … 24 characters
Use this attribute to assign an administrative name to the bridge.
This attribute is only present on the default bridge group (bridgeGroup), not on the user instantiatable
bridge groups (vpnBridgeGroup[ ]). The user instantiatable bridge groups their name is the index name that
you have to specify when you add the bridge group object to the containment tree (refer to 8.2.3 - Adding
a bridge group on page 314).
774 1424 SHDSL Router Chapter 11
User manual Configuration attributes
ip Default:<empty>
Range: structure, see below
Use this attribute to configure the IP related parameters of the bridge.
Refer to …
• 5.2 - Configuring IP addresses on page 53 for general information on configuring IP addresses.
• 5.2.3 - Explaining the ip structure on page 56 for a detailed description of the ip structure.
Important remark
If you set the configuration attribute mode to bridging, then the settings of the configuration attribute ip are
ignored. As a result, if you want to manage the 1424 SHDSL Router via IP, you have to configure an IP
address in the bridgeGroup object instead: ip.
arp Default:-
Range: structure, see below
Use this attribute to configure the Address Resolution Protocol (ARP) cache
of the bridge.
Refer to arp on page 512 for a detailed description of the arp structure.
1424 SHDSL Router Chapter 11 775
User manual Configuration attributes
bridgeCache Default:learning
Range: enumerated, see below
Use this attribute to determine how the bridge group should act: as a
repeater, a filter or a switch.
The bridgeCache attribute has the following values:
Value Description
Whereas the ARP cache keeps MAC address - IP address pairs, the bridge cache (also called address
database) keeps MAC address - interface pairs. This allows the bridge to know which device is reacha-
ble through which interface. Refer to bridgeCache on page 980 for an example of such a table.
776 1424 SHDSL Router Chapter 11
User manual Configuration attributes
If devices on the network are (re)moved then the MAC address - interface relation changes (refer to
What is the bridge cache?). Therefore, the bridge cache entries are automatically removed from the
cache after a fixed time-out. This time-out period can be set with the bridgeTimeOut attribute. This in case
no topology change is detected, otherwise the time-out is equal to the value of the bridgeForwardDelay ele-
ment of the spanningTree attribute.
When checking the bridgeCache it may appear that some entries are present for a longer time than is con-
figured with the bridgeTimeOut attribute. This because the entries in the bridgeCache are not monitored con-
tinuously, but once per minute. As a result, some entries may appear to be “overtime”. However, this
should be no more than ± 75 seconds.
1424 SHDSL Router Chapter 11 777
User manual Configuration attributes
spanningTree Default:-
Range: structure, see below
Use this attribute to configure the bridging related parameters.
Whereas the bridging attribute groups the bridging related parameters per interface, the spanningTree
attribute groups the bridging related parameters of the bridge as a whole.
The spanningTree structure contains the following elements:
Element Description
bridgePriority Use this element to set the priority of the bridge. Default:32768
The bridge its MAC address together with the Range: 0 … 65535
bridgePriority element form a unique bridge identifier. This identifier is used to deter-
mine which bridge becomes the root bridge.
The bridge with the lowest bridgePriority value becomes the root bridge. If two
bridges have the same bridgePriority value, then the bridge with the lowest MAC
address becomes the root bridge.
bridgeMaxAge Use this element to set the time the bridge retains Default:00000d 00h 00m 20s
bridging information before discarding it. Range: 00000d 00h 00m 06s -
00000d 00h 00m 40s
bridgeHelloTime Use this element to set the interval by which the root Default:00000d 00h 00m 02s
bridge sends Configuration BPDUs, also called Hello Range: 00000d 00h 00m 01s -
messages. 00000d 00h 00m 10s
778 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
transmitHoldCount Use this element to limit the transmission rate, i.e. the Default:6
rate with which configuration messages are transmit- Range: 1 ... 10
ted.
Spanning tree configuration messages are transmitted if the information they con-
vey changes. This is subject to the maximum transmission rate configured here.
The transmitHoldCount is expressed in seconds, and can vary between 1 and 10 sec-
onds, with a default of 6.
maxHops Use this element to set the maximum number of hops Default:20
that the MSTconfiguration information may traverse Range: 6 ... 40
before being discarded.
The use of a separate hop count, on top of the age of stored configuration infor-
mation, provides superior reconfiguration performance.
For more information about the elements messageAge, maxAge, and bridgeTimes, refer
to the spanningTree status attribute in 12.10.1 - Bridge group status attributes on
page 977.
1424 SHDSL Router Chapter 11 779
User manual Configuration attributes
localAccess Default:permitted
Range: enumerated, see below
Use this attribute to allow or deny access to the bridge group itself.
The localAccess attribute has the following values:
Value Description
restricted No bridged packets can be delivered to the bridge group itself. This adds some
security, because the 1424 SHDSL Router can not be accessed through the bridge
group.
You could for instance create one bridge group specifically for …
• management purposes. In this bridge group, set the localAccess attribute to peri-
mitted.
• the actual data coming from the customers. In this bridge group, set the localAc-
cess attribute to restricted. In this way, the customer can never access the 1424
SHDSL Router itself.
Value Description
deviceMac A MAC address from the 1424 SHDSL Router itself is associated with the bridge
group.
Use the second part of the macAddress attribute to define which MAC address has
to be selected:
• lan. The LAN interface its MAC address is associated with the bridge group.
• random. The 1424 SHDSL Router generates a random MAC address and this is
associated with the bridge group.
userMac A user defined MAC address is associated with the bridge group.
Use the second part of the macAddress attribute to enter the MAC address.
vlan Default:<empty>
Range: table, see below
Use this attribute to set up (a) VLAN(s) on the bridge group in case you want
to manage the 1424 SHDSL Router over (a) VLAN(s).
Although the 1424 SHDSL Router bridges VLAN tagged frames when connected to a VLAN aware
switch, the 1424 SHDSL Router itself can only be managed via IP if a VLAN is configured on the bridge
group. In other words, if you want that the data carried by a VLAN can be delivered to the protocol stack
of the 1424 SHDSL Router (e.g. so that it can be routed), then you have to configure the VLAN on the
bridge group.
780 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Element Description
vlan/vlan Default:-
Range: structure, see below
Use this structure to configure the specific VLAN related parameters of a
VLAN.
The vlan structure contains the following elements:
Element Description
txCos Use this element to set the default user priority Default:0
(802.1P, also called COS) of the transmitted VLAN Range: 0 … 7
frames.
changeTos Use this element to enable or disable the COS to TOS Default:disabled
mapping. Range: enabled / disabled
If you set the changeTos attribute to disabled, then the element cosTosMap is ignored.
Note that the TOS to COS mapping is always enabled, irrespective with the
setting of the changeTos attribute.
cosTosMap Use this element to determine how the VLAN user pri- Default:-
ority (COS) maps onto the IP TOS byte value. Range: structure, see below
The cosTosMap structure contains the following elements:
• p0 … p7. Use these elements to define which VLAN Default:0
user priority (0 up to 7) maps onto which IP TOS Range: 0 … 7
byte value (0 up to 255).
1424 SHDSL Router Chapter 11 781
User manual Configuration attributes
Element Description
tosCosMap Use this element to determine how the IP TOS byte Default:-
value maps onto the VLAN user priority (COS). Range: table, see below
The tosCosMap table contains the following elements:
• startTos and endTos. Use these elements to set the Default:0
TOS byte value range that has to be mapped. Range: 0 … 255
• cos. Use this element to set the VLAN user priority Default:0
(COS) value on which the specified TOS byte Range: 0 … 7
value range has to be mapped.
vlanSwitching Default:<empty>
Range: table, see below
Use this attribute specify which VLANs you want to switch in case the bridge
group is used as a VLAN switch. Note that you have to enable VLAN switching on the bridge group by
setting the bridgeCache attribute to switching. Refer to …
• bridgeCache on page 775
• 8.3.4 - Configuring VLAN switching on page 332
Element Description
sourceIntf Use this element to enter the name of the (physical) Default:<empty>
source interface which carries the VLAN that has to Range: 0 … 24 characters
be switched.
sourceVlan Use this element to enter the VLAN ID of the VLAN Default:1
that has to be switched. Range: 0 … 4094
sourcePFilter Use this element to apply a filter on the priority bits of Default:<OPT>
the source VLAN packets. Selecting value -1 leaves Range: -1 ... 7
the sourcePFilter element as optional, so no filtering is
done.
sourcePMap Use this element to, if desired, remap the VLAN prior- Default:-
ities. The priorities defined in the sourcePMap are Range: structure, see below
applied when the VLAN is switched from sourceVlan to
destinationVlan.
The structure contains the elements p0 up to p7, which represent priority
0 up to priority 7. If you want to remap priorities, then enter the new priority
value under one of these priority elements.
Example: suppose you want to remap priority 5 to priority 7, then enter 7
as value of the p5 element.
destinationIntf Use this element to enter the name of the (physical) Default:<empty>
destination interface which carries the VLAN when it Range: 0 … 24 characters
has been switched.
The destination interface can also be a bridge group, in that case just enter the
name of the bridge group.
1424 SHDSL Router Chapter 11 783
User manual Configuration attributes
Element Description
destinationVlan Use this element to enter the VLAN ID of the VLAN Default:1
when it has been switched. Range: 0 … 4094
Entering 0 as VLAN ID strips the VLAN tag of the Ethernet frame. Refer to Strip-
ping the VLAN tag for more information.
destinationPFilter Use this element to apply a filter on the priority bits of Default:<OPT>
the destination VLAN packets. Selecting value -1 Range: -1 ... 7
leaves the destinationPFilter element as optional, so no
filtering is done.
destinationPMap Use this element to, if desired, remap the VLAN prior- Default:-
ities. The priorities defined in the destinationPMap are Range: structure, see below
applied when the VLAN is switched from destinationVlan
to sourceVlan.
Refer to the sourcePMap element for more information on this structure.
tunnel Enabling this element inserts an extra VLAN tag, the Default:disabled
IEEE 802.1Q-in-Q VLAN Tag, to the tagged packets; Range: enabled/disabled
this results in double-tagged frames.
This allows for extra services on specific VLANs. QinQ was originally designed to
expand the number of VLANs by adding a tag to an 802.1Q tagged packet. With
this extra tag, the number of VLANs is increased to 4K×4K.
Note that, when this element is set to enabled:
• the setting of the sourcePMap element is applied to the outer VLAN header.
• the setting of the destinationPMap element is ignored.
bidirectional Use this element to set in which direction the switch- Default:yes
ing will take place. Possible values are: Range: no / yes
• yes. The switching happens in both directions, i.e. from source to destination
and vice versa.
• no. The switching happens from source to destination.
784 1424 SHDSL Router Chapter 11
User manual Configuration attributes
accessControl Default:-
Range: structure, see below
Use this attribute to control the incoming datapackets that are delivered to
the bridge group.
The accessControl structure contains following elements:
Element Description
Example
vlanLearningMode Default:shared
Range: enumerated, see below
Use this attribute to set how learned MAC addresses are treated; this
attribute allows for VLAN aware bridge caching.
The vlanLearningMode attribute has the following values:
Value Description
shared This value means that the bridge cache (i.e. the learned MAC addresses) is shared
between all VLAN ‘s.
This means that the filterid element in the bridgeCache status attribute of the VLAN
group is 0; refer to 12.10.3 - VLAN group status attributes on page 988 for more
information.
independent This value means that the bridge cache (i.e. the learned MAC addresses) is not
shared over all VLAN ‘s; each VLAN individually keeps track of its bridge cache.
This means that the filterid element in the bridgeCache status attribute of the VLAN
group is equal to the VLAN ID; refer to 12.10.3 - VLAN group status attributes on
page 988 for more information.
grouped This value means that each VLAN group has its own bridge cache, i.e. the learned
MAC addresses within one VLAN group are shared among the members of that
VLAN group. Refer to 8.3 - Configuring VLANs on page 325 for more information
about VLAN groups.
This means that the filterid element in the bridgeCache status attribute of the VLAN
group is as configured in the VLAN group; refer to 12.10.3 - VLAN group status
attributes on page 988 and 11.10.3 - VLAN group configuration attributes on
page 793 for more information.
<alarmConfigurationAttributes>
router1424/bridge/accessList[ ]/
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
1424 SHDSL Router Chapter 11 787
User manual Configuration attributes
macAddress Default:<empty>
Range: table, see below
Use this attribute to filter bridged frames based on the source MAC address.
This is an outbound access list. Packets coming from MAC addresses that are specified in the access
list are not sent out on the interface on which the access list is applied.
To apply the access list on a bridge interface, type the index name of the accessList[ ] object as value of
the accessList element in the bridging structure.
Example
If you created an accessList object with index name my_access_list (i.e. access-
List[my_access_list]) and you want to apply this access list on a bridge interface, then
enter the index name as value for the accessList element in the bridging structure.
snmpIndexOffset Default:0
Range: 0 ... 65535
Use this attribute to correct the snmpIndex, in order to let it keep the same
value as before, after a manually added object has been removed from the containment tree. Refer to
5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more information.
788 1424 SHDSL Router Chapter 11
User manual Configuration attributes
advancedFilter Default:<empty>
Range: table, see below
Use this attribute to create (an) advanced filter(s) in order to filter bridged
frames, taking into account source and destination MAC address ranges, the layer 3 protocol field, the
number of TCP SYN packets per minute and VLAN tag and priority bits.
Important remarks
• The advanced filters specified here can be applied in inbound and outbound direction.
• The advanced filters always have priority above the filters defined using the macAddress attribute, refer
to macAddress on page 787, i.e. the advanced filters will overrule the filters defined using the macAddress
attribute.
Element Description
name Use this element to set a name for the advanced filter. Default:<empty>
Range: 0 … 24 characters
sourceMacStart Use this element to set the start address of the source Default:<OPT>
MAC address range that will be filtered. Range: up to ff:ff:ff:ff:ff:ff
When you want to filter just one MAC address, fill it in here.
When you only fill in this field and leave the sourceMacEnd element blank, then all
addresses, starting with this one, up to ff:ff:ff:ff:ff:ff will be filtered.
sourceMacEnd Use this element to set the end address of the source Default:<OPT>
MAC address range that will be filtered. Range: up to ff:ff:ff:ff:ff:ff
When you only fill in this field and leave the sourceMacStart element blank, then all
addresses starting from 0:0:0:0:0:0 up to this address, will be filtered.
destinationMacStart Use this element to set the start address of the desti- Default:<OPT>
nation MAC address range that will be filtered. Range: up to ff:ff:ff:ff:ff:ff
When you want to filter just one MAC address, fill it in here.
When you only fill in this field and leave the destinationMacEnd element blank, then
all addresses, starting with this one, up to ff:ff:ff:ff:ff:ff will be filtered.
destinationMacEnd Use this element to set the end address of the desti- Default:<OPT>
nation MAC address range that will be filtered. Range: up to ff:ff:ff:ff:ff:ff
When you only fill in this field and leave the destiantionMacStart element blank, then
all addresses starting from 0:0:0:0:0:0 up to this address, will be filtered.
vlan Use this element to filter out specific VLAN ‘s. Default:<OPT>,4097
Any value between 0 and 4098 can be filled in here. Range: choice, see below
There are however a few special cases:
• 0 = priorityTagged. This filters out VLAN ‘s with VLAN tag equal to 0.
• 4096 = untagged. This filters out VLAN ‘s with no VLAN header.
• 4097= any (<OPT>). This leaves the vlan element as optional, so no filtering is
done.
• 4098 = anyVlan. This filters out VLAN ‘s with a VLAN header.
1424 SHDSL Router Chapter 11 789
User manual Configuration attributes
Element Description
priority Use this element to filter bridged frames based on the Default:<OPT>,8
priority bits in the VLAN header. Possible values are Range: 0 ... 8
between 0 and 7; filling in 8 leaves the priority element
as optional (<OPT>), so no filtering is done.
protocol Use this element to filter bridged frames based on the Default:<OPT>,65536
used protocol. Possible values are: any, ip, arp, rarp, Range: choice, see below
vlanTagged, ipv6, mplsUnicast, mplsMulticast, llcsnap.
action Use this element to set the action that has to be exe- Default:deny, 0
cuted on the filtered frames. Possible actions are: Range: 0,1,2
• deny (or 0). Packets matching this line are dropped.
• permit (or 1). Packets matching this line are passed to the advanced action (if
present) or permitted (refer to advancedFilter/advanced on page 790 for more infor-
mation about the advanced action). No further lines are checked.
• continue (or 2). Packets matching this line are passed to the advanced action (if
present) and processing of the ACL continues (refer to advancedFilter/advanced on
page 790 for more information about the advanced action).
advanced Use this element to set the advanced features of the Default:none
advancedFilter attribute. Refer to advancedFilter/advanced Range: structure, see below
on page 790 for a detailed description of the advanced
element.
790 1424 SHDSL Router Chapter 11
User manual Configuration attributes
advancedFilter/advanced
Use this element to set the advanced features of the advancedFilter attribute.
The advanced element contains following elements:
Element Description
limitTcpSyn Use this element to limit the number of TCP SYN packets. The limitTcpSyn structure
contains following elements:
• mode. Use this element to set the way how the Default:perMac
number of TCP SYN packets are limited. Possible Range: global/perMac
values are:
- global. The total number of TCP SYN packets is taken into account.
- perMac. The number of TCP SYN packets per MAC address is taken into
account.
• rate(SynPerMinute). Use this element to set the Default:5
number of TCP SYN packets that are allowed per Range: 0 ... 2147483647
minute.
jumpOver Use this element to set the number of lines that have Default:1
to be skipped when jumping to the next filter, i.e. the Range: 1 ... 100
number of filters that have to be skipped.
The jumpOver action is only useful when the continue action has been chosen in the
advancedFilter on page 788 attribute, described above.
jumpTo Use this element to enter the name of the advanced Default:<empty>
filter to jump to. A name filled in here, must match a Range: 0 ... 24 characters
name entered in the name element of the advancedFilter
element, refer to advancedFilter on page 788.
The jumpTo action is only useful when the continue action has been chosen in the
advancedFilter on page 788 attribute, describe above.
mark
This element only applies to outbound access lists.
Use this element to color bridged packets, i.e. make certain changes to the bridged
packets; refer to advancedFilter/advanced/mark on page 791.
advancedFilter/advanced/mark
Use this element to color bridged packets, i.e. make certain changes to the bridged packets.
The mark element contains following elements:
Element Description
setQueue Use this element to set a destination queue for the filtered packets.
The setQueue structure contains following elements:
• queue. Use this element to assign the data packets Default:queue1
to a certain queue. Possible values are: queue1, Range: enumerated, see below
queue2, queue3, queue4, queue5, lowDelayQueue.
• dropLevel. Use this element to define how many Default:100
packets may be queued before they are dropped. Range: 0 ... 1000
Selecting 0 (or dropOnQueue) means that packets
may not be dropped.
setTosAndCos Use this element to set the TOS and COS value of the filtered packets.
• tos. Use this elements to set the TOS byte value. Default:0
Enter 256 to leave the TOS value unchanged. Range: 0 ... 256
• cos. Use this element to set the default user priority Default:0
value(COS). Enter 8 to leave the COS value Range: 0 ... 8
unchanged.
Element Description
mapTosToCos Use this element to determine how the IP TOS byte value maps onto the VLAN
user priority (COS). The mapTosToCos table contains following elements:
• startTos. Use this element to set the start of the TOS Default:0
byte value range that has to be mapped. Enter 256 Range: 0 ... 256
for nonIP data.
• endTos. Use this element to set the end of the TOS Default:255
byte value range that has to be mapped. Enter 256 Range: 0 ... 256
for nonIP data.
• cos. Use this element to set the VLAN user prior- Default:0
ity(COS) value on which the specified TOS byte- Range: 0 ... 8
value range has to be mapped. Enter 8 to leave the
COS value unchanged.
• queue. Use this element to assign the data packets Default:queue1
to a certain queue. Possible values are: queue1, Range: enumerated, see below
queue2, queue3, queue4, queue5, lowDelayQueue.
• dropLevel. Use this element to define how many Default:100
packets may be queued before they are dropped. Range: 0 ... 1000
Selecting 0 (or dropOnQueue) means that packets
may not be dropped.
1424 SHDSL Router Chapter 11 793
User manual Configuration attributes
router1424/bridge/bridgeGroup/vlanGroup[ ]
This object is not present in the containment tree by default. If you want to use the feature associated
with this object, then add the object first. Refer to 4.4 - Adding an object to the containment tree on
page 45.
794 1424 SHDSL Router Chapter 11
User manual Configuration attributes
filteringId Default:1
Range: 1 ... 4094
Use this attribute to set a unique identifier for the VLAN group.
vlanMembers Default:<empty>
Range: table, see below
Use this attribute to add VLAN ‘s to the VLAN group by means of their VLAN
ID. VLAN ‘s can be added individually, or by entering a range.
The vlanMembers attribute has the following values:
Value Description
range Use this element to add a range of VLAN ID’s, by set- Default:none
ting the from and to elements. Range: structure, see below
In both elements, a range of 1 up to 4095 can be set.
1424 SHDSL Router Chapter 11 795
User manual Configuration attributes
importBridgePorts Default:disabled
Range: enabled/disabled
Use this attribute to automatically import all bridging interfaces, which are
members of this bridge group, into the VLAN group. Do this by setting this attribute to enabled.
ports Default:<empty>
Range: table, see below
Use this attribute to:
• manually add interfaces to the VLAN group, or:
• to overrule the configuration values of the interfaces, which have been imported using the importBridge-
Ports attribute, for this VLAN group.
The ports table has the following elements:
Value Description
mst Default:32768
Range: 0 ... 61440
Use this attribute to set the priority of the VLAN group for Multiple Spanning
Tree or MST.
snmpIndexOffset Default:0
Range: 0 ... 65535
Use this attribute to correct the snmpIndex, in order to let it keep the same
value as before, after a manually added object has been removed from the containment tree. Refer to
5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more information.
796 1424 SHDSL Router Chapter 11
User manual Configuration attributes
router1424/snmp
trapDestinations Default:<empty>
Range: table, see below
Use this attribute to define to which IP address the SNMP traps have to be
sent.
The 1424 SHDSL Router translates all alarm status changes into SNMP traps. These traps can then be
sent to a management system. To enable this, configure in the trapDestinations table the IP addresses to
which the traps have to be sent. If the trapDestinations table is empty then no traps are sent.
The trapDestinations table contains the following elements:
Element Description
sourceIp Use this element to set the IP address that will be the Default:<opt>
source of the SNMP traps. Range: up to 255.255.255.255
When this element is not filled in, the default value will
be used, which is the IP address of the LAN interface.
address Use this element to set the IP address of the manage- Default:0.0.0.0
ment station to which the SNMP trap messages have Range: up to 255.255.255.255
to be sent.
community Use this element to set the community string which is Default:public
included in the SNMP traps that are sent to the man- Range: 0 … 20 characters
agement station. It is used as a password in the
SNMP communication. Give it the same value as on your SNMP management sta-
tion.
type Use this element to set which kind of SNMP trap will Default:v1Trap
be sent. Range: enumerated, see below
The type element has the following values:
• v1Trap. An SNMPv1 trap will be sent.
• v2Trap. An SNMPv2 trap will be sent.
• v2Inform. An SNMPv2 inform will be sent.
• v3Trap. An SNMPv3 trap will be sent.
• v3Inform. An SNMPv3 inform will be sent.
Refer to 5.3 - Managing devices using SNMP on page 65 for more information
about the different SNMP versions.
timeOut This element is only relevant for SNMPv2. Default:<opt>, 00000d 00h
Use this element to set the time out period, after which 00m 05s
Range: 00000d 00h 00m 00s-
a trap is sent again.
24855d 03h 14m 07s
Element Description
mib2Traps Default:off
Range: on / off
Use this attribute to enable (on) or disable (off) the sending of SNMP traps
as MIB2 traps.
If you want to send the SNMP traps as MIB2 traps, proceed as follows:
Step Action
1 Select the snmp/trapDestinations attribute. Add an entry to this table for each network man-
agement station that should receive SNMP traps. Refer to trapDestinations on page 797.
router1424/management/
router1424/management/loopback
router1424/management/usrLoopback[ ]
The management/usrLoopback[ ] object must be added manually, and contains the same configuration
attributes as the management/loopback object, except for:
• snmpIndexOffset on page 816
The router1424/management/usrLoopback[ ] object must be added manually. All other attributes under this
object are the same as the ones under the router1424/management/loopback object.
1424 SHDSL Router Chapter 11 801
User manual Configuration attributes
sysLog Default:-
Range: structure, see below
Use this attribute to configure the sending of syslog messages.
The sysLog structure contains the following elements:
Element Description
What is syslog?
The syslog protocol (RFC 3164) is used for the transmission of event notification messages across net-
works.
A syslog message is sent on UDP port 514. It has the following format:
"<facility*8+severity> date hostname message"
where …
• the priority value is the number contained within the angle brackets, i.e. <facility*8+severity>.
• facility is a part of the priority value: facility = 23 * 8 = 184
In this case no facility has been explicitly assigned and therefore a "local use" facility is used (numer-
ical code value 23).
• severity is a part of the priority value: severity = 6 - <alarmLevel of the alarm>
The severity only ranges from 0 up to 6. So in case the alarm level of an alarm is bigger than 6, the
severity is limited to 0.
• date is the date the syslog message was generated: Mmm dd hh:mm:ss (e.g. Jan 01 12:45:55).
• hostname is the IP address of the interface through which the syslog message was sent (e.g.
10.0.28.3).
• message is the alarm message. It has the following format:
"alarm:<sysName>;<realTimeClock>;<sysUpTime>;<devSeverityLevel>;<severit-
yLevel>;<alarmMessage>"
where …
- <sysName> is the sysName configured in the 1424 SHDSL Router.
- <realTimeClock> is the value of the real time clock at the moment the alarm was generated: dd/
mm/yy hh:mm:ss (e.g. 25/12/02 22:45:55).
- <sysUpTime> is the system up-time of the 1424 SHDSL Router at the moment the alarm was gen-
erated: xxxxxd xxh xxm xxs (e.g. 00025d 08h 45m 55s).
802 1424 SHDSL Router Chapter 11
User manual Configuration attributes
Example:
The following gives an example of a complete syslog message. In this case, the separator is the ^ char-
acter.
"<189>Feb 28 16:56:15 10.0.28.2 alarm:router1424^28/02/03 16:56:15^130^3^5^
router1424.configChanged on"
Note that, when the 1424 SHDSL Router has been switched off for more than 15 days, the <realTime-
Clock> is not stable anymore.
1424 SHDSL Router Chapter 11 803
User manual Configuration attributes
timeServer Default:0.0.0.0
Range: up to 255.255.255.255
Use this attribute to enter the IP address of the SNTP time server with which
the 1424 SHDSL Router can synchronise its clock. Date and time are displayed in the status attributes
router1424/date and router1424/time.
You can also set the time zone and the daylight saving time using the configuration attribute timeZone on
page 803.
What is SNTP?
Short for Simple Network Time Protocol, a simplified version of NTP. SNTP is used when the ultimate
performance of the full NTP implementation described in RFC 1305 is not needed or justified.
The 1424 SHDSL Router can only act as an SNTP client, not as an SNTP server.
timeZone Default:-
Range: structure, see below
Use this attribute to set the time zone when using an SNTP time server.
Refer to timeServer on page 803.
The timeZone structure contains the following elements:
Element Description
What is UTC?
UTC is the coordinated universal time, formerly known as Greenwich mean time
(GMT). It is the international time standard.
daylightSaving Use this element to set the daylight saving time. Default:europeanUnion
The daylightSaving element has the following values: Range: europeanUnion / none
europeanUnion and none.
804 1424 SHDSL Router Chapter 11
User manual Configuration attributes
cms2Address Default:0
Range: 0 … 65535
Use this attribute to assign an absolute address to the 1424 SHDSL Router.
If you want to connect with TMA to a OneAccess device, you have to specify the address of the device
in the Connect… window. Refer to 4 - Maintaining the 1424 SHDSL Router on page 31.
There are two different address types: relative and absolute. The following table explains the difference
between these address types:
Type Description
relative This type of addressing is meant for a network topology where the OneAccess
devices are connected in-line on management level. I.e. with extended manage-
ment connections between two OneAccess devices. An extended management
connection is realised with a crossed cable between the control connectors of two
OneAccess devices.
absolute This type of addressing is meant for a network topology where the OneAccess
devices are not connected in-line on management level. I.e. when there is a digital
multipoint device present (e.g. an Orchid DM).
accessList Default:<empty>
Range: table, see below
Use this attribute to set up an inbound simple access list on the protocol
stack. Refer to 9.2 - Configuring the access restrictions on page 370 for more information on inbound
access lists.
The access list filters incoming traffic, based on the source IP address. You can specify multiple entries
within the access list. When more than one entry applies to the same packet, then only the most specific
one is taken in consideration. I.e. the entry covering the smallest range. If not one entry matches, then
the packet is dropped. If the access list is empty, then all packets are forwarded.
The accessList table contains the following elements:
Element Description
sourceAddress Use this element to set the IP source address of the Default:0.0.0.0
packet. The address may be a (sub)network address. Range: up to 255.255.255.255
mask Use this element to set the IP subnet mask for the Default:255.255.255.255
sourceAddress. By combining an IP address with a Range: up to 255.255.255.255
mask you can uniquely identify a range of addresses.
action Use this element to set the action when a packet Default:deny
arrives with a source IP address that falls within the Range: enumerated, see below
specified address range.
The possible actions are:
• deny. The packet is dropped.
• allow. The packet is forwarded.
If you specify one entry or multiple entries for which the action is set to deny, then also specify at least
one entry for which the action is set to allow. Else all packets are dropped!
Example 1
Example 2
accessPolicy Default:<empty>
Range: 0 … 24 characters
Use this attribute to apply an inbound extended access list on the protocol
stack.
Do this by entering the index name of the traffic policy you want to apply. You can create the traffic policy
itself by adding a trafficPolicy object and by configuring the attributes in this object.
Important remark
It is possible that the 1424 SHDSL Router has to answer to DHCP requests or terminate L2TP and IPSec
tunnels. In that case, if you set up an access list on the protocol stack, then make sure that these proto-
cols are allowed access to the protocol stack.
Refer to 9.2 - Configuring the access restrictions on page 370 for more information on inbound access
lists.
Example
snmp Default:enabled
Range: enabled / disabled
Use this attribute to accept (enabled) or discard (disabled) SNMP requests.
telnet Default:enabled
Range: enabled / disabled
Use this attribute to accept (enabled) or discard (disabled) Telnet sessions.
Use this attribute also to accept (enabled) or discard (disabled) HTTP (Web Interface) sessions.
tftp Default:enabled
Range: enabled / disabled
Use this attribute to accept (enabled) or discard (disabled) TFTP sessions.
ftp Default:enabled
Range: enabled / disabled
Use this attribute to accept (enabled) or discard (disabled) FTP sessions.
1424 SHDSL Router Chapter 11 807
User manual Configuration attributes
It does not apply on TMA or TMA CLI sessions (nor through the control port, nor over IP). They have a
fixed time-out of 15 minutes.
alarmFilter Default:0
Range: 0 … 50000
Use this attribute to selectively ignore / drop alarms in TMA for HP Open-
View if these alarms are below a certain level.
The filter number that you define using the alarmFilter attribute, has to correspond with a filter that you
have to define in the Alarm Manager of TMA for HP OpenView. In the Alarm Manager, it is possible to
specify a minimum alarm level that is needed before alarms are logged in HP OpenView. This can be
specified for each filter number.
timedStatsAvailability Default:basic
Range: enumerated, see below
Use this attribute to determine whether the nested tables in the timed per-
formance statistics (i.e. 2 hour, 24 hour and 7 days performance statistics) are visible or not.
The timedStatsAvailability attribute has the following values:
Value Description
none Only the “first level” timed performance statistics are available. In other words, the
nested tables (i.e. a table in a table) in the timed performance statistics are not dis-
played.
basic The full performance statistics are available on the physical interfaces only (e.g.
the LAN interface, etc.). Not on the logical interfaces (e.g. a PVC, a VLAN, etc.).
full The full performance statistics are available on both the physical (e.g. the LAN
interface, etc.) and logical (e.g. a PVC, a VLAN, etc.) interfaces
If you have a lot of PVCs this may require quite some memory space and
processing power.
808 1424 SHDSL Router Chapter 11
User manual Configuration attributes
atwinGraphics Default:enabled
Range: enabled / disabled
Use this attribute to enable or disable the graphical symbols in the ATWIN
user interface.
One of the tools that allows you to manage the 1424 SHDSL Router is ATWIN (refer to 1.4 - Maintenance
and management tools on page 8). ATWIN is a basic, menu-driven user interface. You can start it using
a terminal (emulation program) on the control port or using Telnet on an IP interface (e.g. the LAN inter-
face) and by typing atwin at the command prompt (refer to the Maintenance tools manual (PDF) for
more information).
By default, ATWIN uses graphical symbols to draw the borders of the “windows”. In some cases how-
ever, these graphical symbols are displayed incorrectly. In that case you can choose to disable the
graphical symbols. By doing so, the window borders are drawn using + and - signs.
The atwinGraphics attribute has the following values:
Value Description
enabled The ATWIN window borders are drawn using graphical symbols.
disabled The ATWIN window borders are drawn using + and - signs.
1424 SHDSL Router Chapter 11 809
User manual Configuration attributes
accessControl Default:-
Range: structure, see below
Use this attribute to configure the monitoring of management access to the
device.
The loginControl structure contains the following elements:
Element Description
alarm Use this element to determine when the access failure Default:-
alarm should be logged in the accessLog table and a Range: structure, see below
syslog message is sent.
The alarm structure contains the following elements:
• maxFailCnt. Use this element to set the access fail- Default:3
ure alarm threshold. If this value is exceeded Range: 0 … 100
within the access failure alarm period, then the
access failure alarm is raised.
• period. Use this element to set the access failure Default:00000d 00h 15m 00s
alarm period. If within this period the access failure Range: 00000d 00h 00m 00s -
alarm threshold is exceeded, then the access fail- 00001d 00h 00m 00s
ure alarm is raised.
Example
By default, if within a period of 15 minutes 3 access attempts fail, then the access
failure alarm is logged in the accessLog table as follows:
Jul 13 11:00:00 00000d 00h 15m 58s accessFailureOn
maxPingReplies Default:-disabled
Range: disabled/0...65535
Use this attribute to set the number of times the 1424 SHDSL Router will
reply to received pings. When disabled, the 1424 SHDSL Router will always answer to pings.
810 1424 SHDSL Router Chapter 11
User manual Configuration attributes
ctrlPortProtocol Default:console
Range: enumerated, see below
Use this attribute to set the function of the control connector.
The ctrlPortProtocol attribute has the following values:
Value Description
management Select this value if you want to connect the control connector of the 1424 SHDSL
Router to …
• a management concentrator for management purposes.
• the control connector of another OneAccess device using a crossed cable (i.e.
they are connected back-to-back) in order to create an extended management
link. Refer to What is relative and absolute addressing? on page 804 for more
information on extended management links.
When connecting the control connector of the 1424 SHDSL Router to a COM port
of your computer, you can still open a TMA session on the 1424 SHDSL Router.
You can however not open a CLI or ATWIN session.
console Select this value if you want to connect the control connector of the 1424 SHDSL
Router to a COM port of your computer in order to manage the 1424 SHDSL
Router using TMA, CLI, ATWIN, etc.
alignStatsToRtc Default:disabled
Range: enabled / disabled
Use this attribute to synchronize the statistics to the real time clock. This
means that:
• for the 7 days statistics, each day interval starts at exactly midnight.
• for the 24 hours statistics, every 2 hour interval starts at exactly an even hour of the day.
• for the 2 hours statistics, each 15 minutes interval starts at exactly an hour or 15, 30 or 45 minutes
after the hour.
These statistics, more specifically h2Performance, h24Performance and d7Performance, are present in many
objects in the containment tree, and described in 13 - Performance attributes on page 1013.
logStatsToFile Default:<empty>
Range: table, see below
Use this attribute to log statistics to a file that is stored on the file system of
the device, so that they can be retrieved and processed by the user, for instance in a spreadsheet pro-
gram.
The system will clean the file system automatically: day files will be kept on the system for 15 days; week
files will be kept on the system for 5 weeks; month files will be kept on the system for 2 months. This
mechanism will make sure that the file system of the device can never get full.
Refer to 9.10 - Logging of performance statistics on page 479 for more information.
1424 SHDSL Router Chapter 11 811
User manual Configuration attributes
Element Description
interval Use this element to set the time interval in which the Default:2h
file will be updated. Possible values are 30 minutes, 1 Range: enumerated, see below
hour, 2 hours or 1 day: 30min, 1h, 2h, 1d.
type Use this element to set the type of data that will actu- Default:-
ally be logged in the file. The type element contains a Range: structure, see below
table structure; refer to logStatsToFile/type/table on page 812
for more information.
fileType Use this element to set the type of file, with regard to Default:day
time, that is stored: whether dayly statistics, weekly Range: enumerated, see below
statistics or monthly statistics are logged in the file. So
possible values are: day, week or month.
A day file will contain the statistics of one day (starting at 0h and ending at 23.59h).
A week file will contain the data of one week; the week starts on Monday and ends
on Sunday.
A month file will contain the data of exactly one month.
fileName Use this element to set the first part of the name of the Default:<empty>
file that will be stored on the file system of the device. Range: 0 … 10 characters
The second part of the file name depends on the fileType and the date when the file
is logged. For a full description of the fileName, refer to the logStats status attribute in
12.12 - Management status attributes on page 993.
812 1424 SHDSL Router Chapter 11
User manual Configuration attributes
logStatsToFile/type/table Default:-
Range: structure, see below
The table structure contains the following elements:
Element Description
element Use this element to set for which object of the contain- Default:<empty>
ment tree, and for which attribute, the statistics have Range: 0 … 90 characters
to be logged.
Enter the full path of the object, as you would when using CLI; this means:
• the path of the object, including the attribute itself,
• followed by the group that the attribute belongs to.
In the example below, looking at the first line of the table:
• the h24Line table of the WAN line interface is retrieved: wanInterface/line/h24Line.
• this is followed by :Performance since the h24Line table belongs to the Performance
group.
So the full path that must be entered is: wanInterface/line/h24Line:Performance.
Refer to the TMA CLI manual for more detailed information about the CLI code if
necessary.
samples Use this element to set the number of samples that Default:1
have to be taken from the statistics of the containment Range: 0 … 48
tree object.
For example, when interval is set to 30min, and samples to 2, this means that every 15
minutes a sample is taken.
The following figure shows an example of a logStatsToFile table, with seven containment tree objects for
which data is logged:
814 1424 SHDSL Router Chapter 11
User manual Configuration attributes
userInfo Default:<empty>
Range: table, see below
Use this attribute to type in any information you want. Each line in the userInfo
table can contain up to 128 characters.
The main purpose of this attribute is to copy values of certain attributes that have a SNMP OID that is
higher than 231-1. Some SNMP platforms cannot handle such high OID 's.
https Default:disabled
Range: enabled / disabled
ssh Default:disabled
Range: enabled / disabled
1424 SHDSL Router Chapter 11 815
User manual Configuration attributes
ipAddress Default:<OPT>
Range: up to 255.255.255.255
Use this attribute to assign an IP address to the loopback interface.
The loopback interface is a software interface which can be used for management purposes. This inter-
face is always up, regardless of the state of the physical interfaces. This means the router will always
respond to ICMP echo requests sent to this address. In every other respect the loopback address
behaves the same as an IP address of a physical interface.
If the loopback address is used and RIP is active, then a host route to the loopback address is included
in the RIP updates.
816 1424 SHDSL Router Chapter 11
User manual Configuration attributes
ipNetMask Default:<OPT>
Range: up to 255.255.255.255
Use this attribute to assign an IP netmask to the loopback interface.
Also see ipAddress on page 815.
sNet Default:<OPT>
Range: enumerated, see below
Use this attribute to add the loopback interface to a secure network (SNet)
so that it can be controlled by a (virtual) firewall.
The sNet element is a choice element. The first part of the sNet element has the following values:
Value Description
name Select this value to add the interface to the standard secure network. In the second
part of the sNet element, use the drop-down box to select the standard SNet: self.
Note that if you select the value <OPT> (default), then the interface is not added
to the secure network.
vrfRouter Default:0
Range: 0 ... 65535
Use this attribute to add the loopback interface to a VRF router. Do this by
entering the index name of the VRF router here.
snmpIndexOffset Default:0
Range: 0 ... 65535
Use this attribute to correct the snmpIndex, in order to let it keep the same
value as before, after a manually added object has been removed from the containment tree. Refer to
5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more information.
1424 SHDSL Router Chapter 12 817
User manual Status attributes
12 Status attributes
Depending on the device, some features may or may not be present. Refer to the detailed features over-
view: 1.3 - Overview of features on page 7
This chapter discusses the status attributes of the 1424 SHDSL Router. The following gives an overview
of this chapter:
• 12.1 - Status attribute overview on page 818
• 12.2 - General status attributes on page 827
• 12.3 - LAN interface status attributes on page 831
• 12.4 - WAN interface status attributes on page 843
• 12.5 - Encapsulation status attributes on page 846
• 12.6 - SHDSL line status attributes on page 887
• 12.7 - End and repeater status attributes on page 896
• 12.8 - Bundle status attributes on page 900
• 12.9 - Router status attributes on page 911
• 12.10 - Bridge status attributes on page 976
• 12.11 - SNMP status attributes on page 991
• 12.12 - Management status attributes on page 993
• 12.13 - File system status attributes on page 1000
• 12.14 - Operating system status attributes on page 1011
818 1424 SHDSL Router Chapter 12
User manual Status attributes
Refer to 4.3 - The objects in the 1424 SHDSL Router containment tree on page 42 to find out which
objects are present by default, which ones you can add yourself and which ones are added automati-
cally.
> router1424
sysDescr
sysObjectID
sysUpTime
sysServices
flash1Version
flash2Version
activeFlash
flashVersions
bootVersion
tdreVersion
messages
deviceId
configurationSaving
date
time
Action: Set Date
Action: Set Time
1424 SHDSL Router Chapter 12 819
User manual Status attributes
>> lanInterface
ifDescr
ifType
ifOperStatus
ifLastChange
ifSpeed
ifMtu
ip
macAddress
arpCache
bridging
adapter1
vlan
ports2
ipAdEntBcastAddr
ipAdEntReasmMaxSize
pppOEClient
snmpIndex
oam
switchCache
Action: clearArpCache
Action: oamRemoteLoopback
Action: clearSwitchCache
>> dslInterface
ifDescr
ifType
ifOperStatus
ifLastChange
ifSpeed
snmpIndex
>>> channel[wan_1 ]
ifDescr
ifType
ifOperStatus
ifLastChange
ifSpeed
ifMtu
snmpIndex
>>>> atm
atmSync
pvcTable
vp
>>>> efm
ip
arpCache
bridging
macAddress
ifDescr
ifType
ifMtu
ifOperStatus
ifLastChange
ifSpeed
ipAdEntBcastAddr
ipAdEntReasmMaxSize
vlan
pppoEClient
oamDiscovery
oamRemoteLoopback
oamRemoteInfo
>>> line
ifDescr
ifType
ifOperStatus
ifSpeed
region
minLinePairSpeed
maxLinePairSpeed
framerType
testType
testOriginator
testStatus
eocAlarmThresholds
numDiscoveredRepeaters
spanStatus
snmpIndex
Action: testActivation
Action: stopAllTests
psdMeasurement
1424 SHDSL Router Chapter 12 821
User manual Status attributes
>>>> linePair[ ]
ifSpeed
ifOperStatus
status
timeSinceLastRetrain
lineAttenuation
noiseMargin
actualBitRate
stepupThreshold
transmitPower
snmpIndex
adminStatus
>>> repeater[ ]
vendorId
vendorModel
vendorSerial
vendorSoftVersion
eocSoftVersion
shdslVersion
eocState
eocAlarmThresholds
testType
snmpIndex
Action: testActivation
>>>> networkLinePair[ ]
lineAttenuation
noiseMargin
snmpIndex
>>>> customerLinePair[ ]
lineAttenuation
noiseMargin
snmpIndex
>>> end
vendorId
vendorModel
vendorSerial
vendorSoftVersion
eocSoftVersion
shdslVersion
eocState
eocAlarmThresholds
testType
822 1424 SHDSL Router Chapter 12
User manual Status attributes
>>>> linePair[ ]
lineAttenuation
noiseMargin
snmpIndex
>> profiles
>>> policy
>>>> priority
>>>>> priorityPolicy[ ]
snmpIndex
>>>> traffic
>>>>> ipTrafficPolicy[ ]
snmpIndex
>>>>> bridgingTrafficPolicy[ ]
snmpIndex
>> ip
>>> router
routingTable
igmpTable
dhcpBinding
dhcpStatistics
dhcpBlackList
dhcpRelayInfo
radius
dns
dnsServers
addrPools
poolReservations
dnsUpdateClient
Action: unBlacklist
Action: forceDnsUpdate
>>>> defaultNat
addresses
natSockets
>>>> nat[ ]
addresses
natSockets
snmpIndex
1424 SHDSL Router Chapter 12 823
User manual Status attributes
>>>> tunnels
ifDescr
ifType
ifOperStatus
snmpIndex
l2tpTunnels
ipsecL2tpTunnels
ipsecTunnels
greTunnels
ipsecGreTunnels
>>>> routingFilter[ ]
snmpIndex
>>>> ikeSA[ ]
phase1
phase2.
snmpIndex
>>>> manualSA[ ]
snmpIndex
>>>> ospf
type
routers
externalRoutes
asExtLsas
snmpIndex
>>>>> area
interfaces
hosts
neighbors
routers
stub
routerLsas
networkLsas
summLsas
asbrLsas
nssaLsas
snmpIndex
>>>> bgp
networks
aggregates
rib
peers
824 1424 SHDSL Router Chapter 12
User manual Status attributes
>>>>> ePeer
status
upTime
remote
timers
adjSoftIn
adjRibIn
adjRibOut
warning
snmpIndex
Action:shutDown
Action:restart
Action:softReset
>>>>> iPeer
<contains the same attributes as the ePeer object>
>>>>> routeFilter
users
snmpIndex
>>>>> routeMap
users
snmpIndex
>>>> vrrp[ ]
macAddress
interfaces
criticals
snmpIndex
>>>> firewall
sessions
reverseSessions
log
sNet
>>> vrfRouter[ ]
snmpIndex
routingTable
dhcpBinding
dhcpStatistics
dhcpRelayInfo
dhcpBlacklist
addrPools
poolReservations
dns
dnsServers
igmpTable
1424 SHDSL Router Chapter 12 825
User manual Status attributes
>>>> ospf
type
routes
externalRoutes
asExtLsas
snmpIndex
>>>> routingFilter[ ]
snmpIndex
>> bridge
>>> bridgeGroup
ifDescr
ifType
ifOperStatus
ifMtu
ip
arpCache
bridgeCache
bridging
spanningTree
snmpIndex
macAddress
vlan
Action: clearArpCache
Action: clearBridgeCache
>>> vpnBridgeGroup[ ]
<contains the same attributes as the bridgeGroup object>
>>> accessList[ ]
snmpIndex
>> snmp
trapDestinations
engineId
>> management
cms2Address
logStats
timeServer
alarmLog
accessLog
syslog
826 1424 SHDSL Router Chapter 12
User manual Status attributes
>>> loopback
ifDescr
ifType
ifOperStatus
ifMtu
ipAddress
mask
snmpIndex
>>> usrLoopback[ ]
<contains the same attributes as the loopback object>
>> fileSystem
fileList
freeSpace
status
corruptBlocks
trustedCertificates
selfCertificates
Action: Delete File
Action: Rename File
Action: loadTrustedCertificate
Action: generateSelfCertificateRequest
Action: loadSelfCertificate
Action: getTrustedCertificateScep
Action: getSelfCertificateScep
Action: getCrlScep
Action: saveCertificates
>> operatingSystem
taskInfo
coreDump
1424 SHDSL Router Chapter 12 827
User manual Status attributes
router1424/sysDescr
router1424/sysObjectID
router1424/sysUpTime
This attribute displays the elapsed time since the last power-on or cold boot of the 1424 SHDSL Router.
router1424/sysServices
router1424/flash1Version
This attribute displays the code and version of the application software stored as CONTROL1.
Example: Txxxx/xxxxx 01/01/00 12:00
In this example the following parameters are visible:
• Txxxx is the application software code for this device.
• /xxxxx is the application software version.
• 01/01/00 is the application software release date.
• 12:00 is the application software release time.
router1424/flash2Version
This attribute displays the code and version of the application software stored as CONTROL2.
Example: Txxxx/xxxxx 01/01/00 12:00
In this example the following parameters are visible:
• Txxxx is the application software code for this device.
• /xxxxx is the application software version.
• 01/01/00 is the application software release date.
• 12:00 is the application software release time.
1424 SHDSL Router Chapter 12 829
User manual Status attributes
router1424/activeFlash
This attribute displays which application software is currently active. Possible values are:
Value Description
router1424/flashVersions
This attribute displays how many application software versions can be stored in the file system.
router1424/bootVersion
This attribute displays the code, version, release date and time of the boot software currently used in the
1424 SHDSL Router.
router1424/tdreVersion
This attribute displays the version of the TDRE (Total Dynamic Routing Engine) currently used in the
1424 SHDSL Router.
Example: xxx.yyy.zzz
In this example the following parameters are visible:
• xxx is the major TDRE version. This number is incremented only when a complete new version of the
TDRE is released.
• yyy is the minor TDRE version. This number is incremented every time new features are added to the
TDRE.
• zzz is the build version. This number is incremented every time a new TDRE version is built (also in
case of bug fixes etc.).
router1424/messages
This attribute displays informative and error messages, e.g. Reconfigured, Cold Boot, … The messages table
displays maximum 20 messages.
If you open a TMA session on the 1424 SHDSL Router over IP, i.e. not through the control port, then the
messages are also sent to the control port. This means that if you open a terminal emulation session on
the control port, you can monitor these messages. If you hit the ENTER key, the messages stop and you
get the (CLI) password prompt.
830 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/deviceId
This attribute displays a unique code. This code is programmed into the 1424 SHDSL Router before it
leaves the factory. You can use this code for inventory purposes.
router1424/configurationSaving
This attribute indicates when the 1424 SHDSL Router is writing its (new) configuration to the flash mem-
ory. Possible values are:
Value Description
busy The 1424 SHDSL Router is busy writing its configuration to the flash memory. Dur-
ing this state, do not power-down or reboot the 1424 SHDSL Router else the new
configuration will be lost.
done The 1424 SHDSL Router has finished writing its configuration to the flash memory.
router1424/date
This attribute displays the current date in the format dd/mm/yy (e.g. 01/01/00).
router1424/time
This attribute displays the current time in the format hh:mm:ss (e.g. 12:30:45).
router1424/Set Date
Use this action to set the current date. Enter the date as argument value in the format dd/mm/yy (e.g. 01/
01/00). Then execute the action.
router1424/Set Time
Use this action to set the current time. Enter the time as argument value in the format hh:mm:ss (e.g.
12:30:45). Then execute the action.
1424 SHDSL Router Chapter 12 831
User manual Status attributes
router1424/lanInterface/
The following attributes are only present on the 4 port Ethernet LAN interface:
• ports on page 838
• switchCache on page 839
The following attribute is only present on the single port Ethernet LAN interface:
• adapter on page 837
ifDescr
ifType
ifOperStatus
ifLastChange
This attribute shows the system-up time on the moment the interface entered its current operational
state. I.e. the moment the value of the ifOperStatus status attribute changes (from up to down or vice versa),
the system-up time value is written into the ifLastChange status attribute.
ifSpeed
This attribute displays the interface speed in bits per second (bps).
ifMtu
This attribute displays the interface its Maximum Transfer Unit, i.e. the maximum number of bytes that
one packet can contain on this interface.
Important remark
ip
Element Description
status This is the current operational status of the IP layer (layer 3).
address This is the IP address of the interface. It is either configured or retrieved automat-
ically.
netMask This is the IP subnet mask of the interface. It is either configured or retrieved auto-
matically.
secondaryIp This is the secondary IP address that has been configured on the LAN interface.
The secondaryIp table contains following elements:
• address. This is the secondary IP address.
• netMask. This is the secondary IP subnet mask.
macAddress
This attribute displays the MAC address of the 1424 SHDSL Router its LAN interface.
The LAN interface has been allocated a fixed Ethernet address, also called MAC (Medium Access Con-
trol) address. The MAC address is globally unique and can not be modified. It is a 6 byte code, repre-
sented in hexadecimal format. Each byte in the code is separated by a colon.
Refer to What is the ARP cache? on page 512 for more information on the MAC addresses.
834 1424 SHDSL Router Chapter 12
User manual Status attributes
arpCache
This attribute displays all the MAC address - IP address pairs from ARP requests and replies received
on the LAN interface. Refer to What is the ARP cache? on page 512 for more information.
The arpCache table contains the following elements:
Element Description
type This is the ARP cache entry type. Possible values are:
• dynamic. The MAC - IP address pair is retrieved from an ARP request or reply
message.
• static. The MAC - IP address pair is configured.
There is only one static entry, i.e. the 1424 SHDSL Router its own IP and MAC
address.
timeOut This is the time the entry will remain in the ARP cache. For the static entry, this
value is 0.
Example
bridging
Element Description
status This displays the current state of the port. Possible values are:
• discarding1. The port does not participate in frame forwarding.
• learning. The port prepares to participate in frame forwarding, and it learns the
present MAC addresses.
• forwarding1. The port participates in frame forwarding.
Refer to 8.1.6 - The Spanning Tree bridge port states on page 306 for more infor-
mation on port states2.
836 1424 SHDSL Router Chapter 12
User manual Status attributes
Element Description
spanningTree This displays the current spanning tree state. The spanningTree element contains
the following elements:
• portRole. This the role of the port in the STP. Refer to 8.1.5 - The Spanning Tree
topology on page 304 for more information.
• portId. This the unique port identifier. It is a combination of MAC address and
priority of the port. This assures the uniqueness of the unique port identifier
among the ports of a single bridge.
• portPathCosts. This element contains:
- extPathCost. This is the pathCost as configured in the bridging structure, refer
to 8.2.6 - Explaining the bridging structure on page 318 for more information.
- intPathCost. This is the internalPathCost as configured in the bridging structure.
• extRootPathCost. This is the path cost from this port to the root bridge.
• inRootPathCost. This is the path cost to the root bridge within this MST region.
• designatedBridgeId. This element itself consists of 2 elements: priority and macAd-
dress. Together, these two elements form a unique bridge identifier. Depending
whether the current port is a designated port or not, these two elements display
the unique bridge identifier of …
- the bridge to which this port belongs, in case of a designated port.
- the bridge believed to be the designated bridge for the LAN that is currently
connected to this port, in all other cases.
This bridge identifier is used …
- together with the designatedPortId element, to determine whether this port
should be the designated port for the LAN that is currently connected to this
port.
- to test the value of the bridge identifier parameter conveyed in received
Configuration BPDUs.
• designatedPortId. This displays the unique port identifier of the bridge port through
which the designated bridge transmits the configuration message information
stored by this port. This port identifier is used …
- together with the designatedBridgeId element to determine whether this port
should be the designated port for the LAN that is currently connected to this
port.
- by the management system to determine the topology of the bridged LAN.
• designatedOrInternal. This element indicates if the status of a port is designated
whithin the global spanning tree, or if the MSTP packet is received from the
same region.
• edgeDetection. This element indicates whether or not a port is an edge port.
However, if a port is defined as an edge port, and it receives an incoming STP
packet, the edge status is automatically lost.
1. These are the only possible port states for a bridge that is not running the Spanning Tree pro-
tocol (IEEE p802.1D).
2. Only relevant when the bridge uses the Spanning Tree Protocol.
1424 SHDSL Router Chapter 12 837
User manual Status attributes
adapter
Element Description
speed This is the Ethernet speed in Mbps. Possible values are: 10 and 100.
duplex This is the Ethernet duplex mode. Possible values are: halfDuplex and fullDuplex.
vlan
Element Description
name This is the name of the VLAN as you configured it. If you did not configure a name,
then this element displays: <LAN interface name> “vlan” <VLAN ID>.
E.g. lan vlan 2
mode This element displays the VLAN mode, possible values are: ces, routing, bridging, rout-
ingAndBridging, switching, frf5, frf8, multilink.
ifLastChange This is the system-up time on the moment the VLAN entered its current operational
state. I.e. the moment the value of the ifOperStatus element changes (from up to down
or vice versa), the system-up time value is written into the ifLastChange element.
ports
Element Description
portName This element displays the port name. Possible values are port1, port2, port3, port4 or
localPort. Refer to What is the 4 port Ethernet switch? on page 337 for more infor-
mation on what the local port is.
ifOperStatus This element displays the current operational status of the port.
speed This element displays the port speed in megabits per second (Mbps).
duplex This element displays the duplex mode of the port. Possible values are: fullDuplex
or halfDuplex.
autoNegotiate This element displays the status of the Ethernet mode auto negotiation process.
Possible values are:
• disabled. The adapter element in ports configuration attribute is set to fixed. I.e. the
auto negotiation process is disabled.
• done. The adapter element in ports configuration attribute is set to autoNegotiate and
the auto negotiation process is finished.
• notDone. The adapter element in ports configuration attribute is set to autoNegotiate
but the auto negotiation process is not finished (yet).
linkPartnerCaps This element displays the Ethernet mode capabilities of the port its link partner. So
this structure contains the following elements: 10Mb/halfDuplex, 10Mb/fullDuplex, 100Mb/
halfDuplex, 100Mb/fullDuplex, flowControl. Each element can have the value capable or
notCapable.
vlanMembership This element displays the VLAN membership of the port. The vlanMembership table
contains the following elements:
• vid. This element displays the VLAN ID.
• portMembership. This element displays which port is a member (yes) or no mem-
ber (no) of the corresponding VLAN.
1424 SHDSL Router Chapter 12 839
User manual Status attributes
switchCache
Element Description
port This element displays the port that is linked to the MAC address: port1, port2, port3,
port4 or localPort.
type This element displays the type of entry in the MAC address cache, static or dynamic.
ipAdEntBcastAddr
This attribute displays the value of the least-significant bit in the IP broadcast address. This address is
used for sending packets on the interface which is associated with the IP address of this entry. The value
applies to the general broadcast, the subnet and network broadcasts.
ipAdEntReasmMaxSize
This attribute displays the size of the largest IP packet which this entity can re-assemble from incoming
IP fragmented packets received on this interface.
pppoEClient
Element Description
name This element displays the administrative name of the PPPoE link.
mode This element displays by which process the packets are treated. Possible values
are:
• bridging. All packets are bridged.
• routing. The IP packets are routed. All other protocols are discarded.
• routingAndBridging. IP packets are routed. Non-IP packets are bridged.
ifOperState This element displays the current operational status of the PPPoE link.
ifLastChange This element shows the system-up time on the moment the PPPoE link entered its
current operational state. I.e. the moment the value of the ifOperStatus element
changes (from up to down or vice versa), the system-up time value is written into the
ifLastChange element.
840 1424 SHDSL Router Chapter 12
User manual Status attributes
Element Description
pppOverEth When the 1424 SHDSL Router wants to initiate a PPP over Ethernet (PPPoE) ses-
sion, it must first perform a discovery to identify the Ethernet MAC address of the
host and to establish a PPPoE session ID. The pppOverEth structure displays infor-
mation on the PPPoE discovery.
The pppOverEth structure contains the following elements:
• discState. This is the state of the discovery. The discovery goes as follows:
- The 1424 SHDSL Router sends a PADI packet (PPPoE Active Discovery
Initiation).
- When the host receives a PADI that it can serve, it replies by sending a
PADO packet (PPPoE Active Discovery Offer).
- The 1424 SHDSL Router then sends one PADR packet (PPPoE Active Dis-
covery Request) to the host that it has chosen.
- When the host receives a PADR packet, it prepares to begin a PPP session.
It generates a unique session ID for the PPPoE session and replies to the
1424 SHDSL Router with a PADS packet (PPPoE Active Discovery Ses-
sion-confirmation).
So possible discState values are: idle, waitForPADO, waitForPADS, established.
• remoteMacAddress. This is the MAC address of the remote system as learned dur-
ing the discovery.
ppp This element displays PPP related parameters of the PPPoE link.
The ppp structure contains the following elements:
• lcpState. This element reflects the status of the LCP (Link Control Protocol) pro-
tocol. Possible values are:
- Initial. LCP handshake has not started yet.
- Starting, Closed, Stopped, Closing, Stopping. These values correspond with the
transient states in the LCP state diagram.
- Req-Sent. The local side of the PPP link has sent an LCP request. The remote
side did not answer yet.
- Ack-Rcvd. The local side of the PPP link has received an LCP acknowledge
from the remote side. This is a transient state.
- Ack-Sent. The local side of the PPP link has acknowledged the LCP request
from the remote side.
- Opened. The LCP handshake succeeded.
1424 SHDSL Router Chapter 12 841
User manual Status attributes
Element Description
• ipcpState. This attribute reflects the status of the IPCP (Internet Protocol Control
Protocol) protocol. The possible values are the same as those of the lcpState
attribute above.
• myAuthenState. This element displays the authentication state of the router at this
side (local side) of the link. i.e. the state of the authenticator. Possible values
are:
- No-Authentication. The local side does not request PPP authentication or still
has to start the CHAP authentication (LCP handshake is busy).
- Wait-On-Response. The local side has sent a challenge packet and is waiting
for an answer.
- Authen-Successful. The response packet is found to be correct. This is the
state when authentication succeeded.
- Authen-Failure. The response packet is found to be incorrect. This is a tran-
sient state since the router starts the LCP handshake again after a failing
authentication.
• hisAuthenState. This attribute displays the authentication state of the router at the
other side (remote side) of the link. i.e. the state of the peer. Possible values
are:
- No-Authentication. This is the start-up state.
- Wait-On-Challenge. During the LCP handshake the authenticator already indi-
cates it wants to authenticate. From that moment on, the peer awaits a chal-
lenge packet.
- Wait-On-Success. Once the peer has sent a response, it awaits a success or
failure message.
- Authen-Successful. The peer has received a success packet. It remains in this
state during data transfer.
- Authen-Failure. The peer has received a failure packet. This is a transient state
since the router starts the LCP handshake again after a failing authentica-
tion.
- Authen-Not-Allowed. This state only occurs when the peer does not accept the
authentication request during the LCP handshake. A possible reason might
be that the peer router does not support CHAP.
snmpIndex
This attribute displays the SNMP index, which is a unique number, assigned to each object in the con-
tainment tree. Refer to 5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more
information.
The snmpIndex attribute appears in many objects of the 1424 SHDSL Router containment tree.
oam
This attribute has already been explained in 12.5.5 - EFM status attributes on page 877, refer to the oam
attribute there.
842 1424 SHDSL Router Chapter 12
User manual Status attributes
clearArpCache
oamRemoteLoopback
Use this action to set up an OAM loop at the network side. Select start as argument value, and execute
the action.
To stop the OAM loop, select stop as argument value, and execute the action.
clearSwitchCache
router1424/wanInterface/ifDescr
router1424/wanInterface/ifType
router1424/wanInterface/ifSpeed
This attribute displays the interface speed in bits per second (bps).
router1424/wanInterface/ifMtu
This attribute displays the interface its Maximum Transfer Unit, i.e. the maximum number of bytes that
one packet can contain on this interface.
router1424/wanInterface/ifLastChange
This attribute shows the system-up time on the moment the interface entered its current operational
state. I.e. the moment the value of the ifOperStatus status attribute changes (from up to down or vice versa),
the system-up time value is written into the ifLastChange status attribute.
router1424/wanInterface/ifOperStatus
This attribute displays the current operational status of the interface. Possible values are:
Value Description
• PPP(oA), when …
- LCP is not open.
- the bit pump is not synchronised.
1424 SHDSL Router Chapter 12 845
User manual Status attributes
Important remarks
• Whether the 1424 SHDSL Router is configured in bridging or routing has no effect on the value of the
attributes wanInterface/ifOperStatus:Status and wanInterface/alarmInfo/linkDown:Alarms.
• In case of ATM, if the configuration element pvcTable/atm/oamF5Loopback is set to disabled, then the ifOp-
erStatus of the PVC becomes up when the ATM is synchronised globally. However, this does not guar-
antee that the PVC is configured (correctly) on the remote side. However, the other conditions as
stated in the table above remain.
• In case of PPP(oA), if the configuration element linkMonitoring/operation is set to disabled, then it is pos-
sible that the wanInterface/ifOperStatus value does not go down even if the link quality is too bad for a
proper data link. This because the link monitoring mechanism is the only PPP mechanism that will
start a renegotiation of the LCP layer.
• In case of Frame Relay, if the configuration element lmi/auto is set to noLmi, then the value of the status
element lmi/status:Status is always up. However, the other conditions as stated in the table above
remain.
846 1424 SHDSL Router Chapter 12
User manual Status attributes
This section discusses the status attributes of the encapsulation protocols that can be used on the 1424
SHDSL Router.
The following gives an overview of this section:
• 12.5.1 - ATM status attributes on page 847
• 12.5.2 - ATM IMA status attributes on page 859
• 12.5.3 - Frame Relay status attributes on page 864
• 12.5.4 - PPP status attributes on page 870
• 12.5.5 - EFM status attributes on page 877
1424 SHDSL Router Chapter 12 847
User manual Status attributes
router1424/dslInterface/channel[wan_1]/atm
atmSync
This attribute displays the ATM synchronisation status. Possible values are: synced, notSynced.
pvcTable
This attribute gives the complete status information of all known PVCs.
The pvcTable table contains the following elements:
Element Description
name This is the name of the PVC as you configured it. If you did not configure a name,
then this element displays: <interface name> “vpi” <vpi number> “vci” <vci number>.
E.g. wan vpi 102 vci 102
mode This displays by which process the packets are treated. Possible values are:
• bridging. All packets received on the PVC are bridged.
• routing. All packets received on the PVC are routed.
• routingAndBridging. The SNAP header is checked to determine whether the pack-
ets have to be bridged or routed.
ifLastChange This is the system-up time on the moment the PVC entered its current operational
state. I.e. the moment the value of the ifOperStatus element changes (from up to down
or vice versa), the system-up time value is written into the ifLastChange element.
atm This displays the specific ATM related status information of the PVC.
Refer to pvcTable/atm on page 851 for a detailed description of the atm structure.
1424 SHDSL Router Chapter 12 849
User manual Status attributes
Element Description
frameRelay This displays the specific Frame Relay related status information of the PVC.
The frameRelay structure contains following elements:
• lmi. This attribute gives a complete LMI status information overview for each
PVC. Refer to lmi on page 867 for a detailed description.
• dlciTable. This attribute gives the complete status information of all known DLCIs
for this PVC. Refer to pvcTable/frameRelay/dlciTable on page 856 for a detailed
description.
850 1424 SHDSL Router Chapter 12
User manual Status attributes
pvcTable/ip
Element Description
address This is the IP address of the PVC. It is either configured or retrieved automatically.
netMask This is the IP subnet mask of the PVC. It is either configured or retrieved automat-
ically.
remote This is the IP address of the remote end of the PVC. It is either configured or
retrieved automatically.
1424 SHDSL Router Chapter 12 851
User manual Status attributes
pvcTable/atm
The atm structure in the pvcTable displays the specific ATM related status information of the PVC.
The atm structure contains the following elements:
Element Description
peakCellRate This displays the Peak Cell Rate (PCR) of the PVC in bps.
sustCellRate This displays the Sustainable Cell Rate (SCR) of the PVC in bps.
maxBurstSize This displays the Maximum Burst Size (MBS) of the PVC in cell times.
pppOverEth When the 1424 SHDSL Router wants to initiate a PPP over Ethernet (PPPoE) ses-
sion, it must first perform a discovery to identify the Ethernet MAC address of the
host and to establish a PPPoE session ID. The pppOverEth structure displays infor-
mation on the PPPoE discovery.
The pppOverEth structure contains the following elements:
• discState. This is the state of the discovery. The discovery goes as follows:
- The 1424 SHDSL Router sends a PADI packet (PPPoE Active Discovery
Initiation).
- When the host receives a PADI that it can serve, it replies by sending a
PADO packet (PPPoE Active Discovery Offer).
- The 1424 SHDSL Router then sends one PADR packet (PPPoE Active Dis-
covery Request) to the host that it has chosen.
- When the host receives a PADR packet, it prepares to begin a PPP session.
It generates a unique session ID for the PPPoE session and replies to the
1424 SHDSL Router with a PADS packet (PPPoE Active Discovery Ses-
sion-confirmation).
So possible discState values are: idle, waitForPADO, waitForPADS, established.
• remoteMacAddress. This is the MAC address of the remote system as learned dur-
ing the discovery.
Element Description
pvcTable/atm/oamF5/segment
Element Description
oamLB This element displays whether or not the OAM loopback mechanism is active or
not.
oamCC This element displays the status of the the OAM continuity check mechanism. Pos-
sible values are:
• Deactivated: this mode will not start CC in any case.
• Activated: CC is started, no negotiation is done with the remote endpoint.
• Passive: the 1424 SHDSL Router is willing to accept activation/deactivation
messages and responds to it.
• InitActivation: this mode initiates the activation of the CC process by sending acti-
vation messages.
oamPM This element displays whether or not the OAM performance monitoring mecha-
nism is active or not.
The oamPM structure contains the following elements:
• status. This element shows the status of the OAM performance monitoring
mechanism. Possible values are:
- Deactivated: this mode will not start PM in any case.
- Activated: PM is started, no negotiation is done with the remote endpoint.
- Passive: the 1424 SHDSL Router is willing to accept activation/deactivation
messages and responds to it.
- InitActivation: this mode initiates the activation of the PM process by sending
activation messages.
• blocksizeAB. This element displays the size of the block of cells, after which an
activation/deactivation cell is inserted in the cell flow, in the direction away from
the activator/deactivator.
• blocksizeBA. This element displays the size of the block of cells, after which an
activation/deactivation cell is inserted in the cell flow, in the direction towards
the activator/deactivator.
aisState This element displays whether or not the AIS state is active or not.
rdiState This element displays whether or not the RDI state is active or not.
854 1424 SHDSL Router Chapter 12
User manual Status attributes
pvcTable/atm/oamF5/endToEnd
The endToEnd structure contains the same elements as the segment structure. Refer to pvcTable/atm on
page 851.
pvcTable/frameRelay/lmi
Element Description
mode This displays the Frame Relay mode. Possible values are: noLmi, user, network, auto.
Refer to pvcTable/frameRelay/common/lmi on page 547 for more information on these val-
ues.
type This displays the LMI variant. Possible values are: lmiRev1, ansiT1-617-d, q933-Annex-
A, frf1-2.
Refer to pvcTable/frameRelay/common/lmi on page 547 for more information on these val-
ues.
status This displays the current state of LMI. Possible values are:
• up. LMI messages can and are exchanged.
• down. No LMI messages can be exchanged.
lastStatusChange This is the system-up time when the LMI status entered its current state. I.e. the
moment the value of the status element changes (from up to down or vice versa), the
system-up time value is written into the lastStatusChange element.
lastError This displays the last error condition reported by LMI. Possible values are: none,
protocol error, unknown information element, sequence error, unknown report, timer expired,
invalid report type, unsolicited status.
netTxSeqNum This is the sequence number of the last LMI Status Response frame that was sent.
Since only a Frame Relay network or DCE can transmit Status Responses, the
value of this element only changes in case the 1424 SHDSL Router is defined as
a Frame Relay network or both user and network. I.e. in case the mode element is
set to network, auto or nni.
netRxSeqNum This is the sequence number of the last LMI Status Enquiry frame that was
received.
Since only a Frame Relay network or DCE can receive Status Enquiries, the value
of this element only changes in case the 1424 SHDSL Router is defined as a
Frame Relay network or both user and network. I.e. in case the mode element is
set to network, auto or nni.
netErrors This is the number of errors on LMI commands issued by the Frame Relay network
or DCE during the last monitoredEvents period.
1424 SHDSL Router Chapter 12 855
User manual Status attributes
Element Description
userTxSeqNum This is the sequence number of the last LMI Status Enquiry frame that was sent.
Since only a Frame Relay user or DTE can transmit Status Enquiries, the value of
this element only changes in case the 1424 SHDSL Router is defined as a Frame
Relay user or both user and network. I.e. in case the mode element is set to user,
auto or nni.
userRxSeqNum This is the sequence number of the last LMI Status Response frame that was
received.
Since only a Frame Relay user or DTE can receive Status Responses, the value
of this element only changes in case the 1424 SHDSL Router is defined as a
Frame Relay user or both user and network. I.e. in case the mode element is set to
user, auto or nni.
userErrors This is the number of errors on LMI commands issued by the Frame Relay user or
DTE during the last monitoredEvents period.
userWaitFullEnquiry This is the number of LMI frames still to be sent before a Full Status Enquiry will
be requested.
userLastReport- This displays the type of the most recent report that was sent. Possible values are:
TypeSent
• full status. The last report contained the full status.
• link integrity. The last report only contained the link integrity information.
856 1424 SHDSL Router Chapter 12
User manual Status attributes
pvcTable/frameRelay/dlciTable
This attribute gives the complete status information of all known DLCIs.
The dlciTable table contains the following elements:
Element Description
name This is the name of the DLCI as you configured it. If you did not configure a name,
then this element displays: <interface name> “dlci” <dlci number>.
E.g. wan dlci 16
mode This element displays the mode of the DLCI. Possible modes are: ces, routing, bridg-
ing, routingAndBridging, switching, frf5, frf8, multilink.
ifLastChange This is the system-up time on the moment the DLCI entered its current operational
state. I.e. the moment the value of the ifOperStatus element changes (from up to down
or vice versa), the system-up time value is written into the ifLastChange element.
frameRelay This displays the specific Frame Relay related status information of the DLCI.
Refer to pvcTable/frameRelay/dlciTable/frameRelay for a detailed description of the
frameRelay structure.
1424 SHDSL Router Chapter 12 857
User manual Status attributes
pvcTable/frameRelay/dlciTable/frameRelay
The frameRelay structure in the dlciTable displays the specific Frame Relay related status information of the
DLCI.
The frameRelay structure contains the following elements:
Element Description
active This indicates whether the corresponding DLCI is active (on) or not (off).
new This is set to on if the DLCI has just been created, else it is off.
deleted This is set to on if the DLCI has been deleted, else it is off.
rr This element is only relevant for LMI revision 1. It is the flow control flag. If it is on,
then no traffic can be sent on this DLCI. Else it is off.
bandwidth This element is only relevant for LMI revision 1 (in all other cases this value is 0).
It is the CIR value, in bps, as it is configured on the remote.
cllmLastCongestion- CLLM (Consolidated Link Layer Management) is a Frame Relay protocol used for
Cause traffic management. The cllmLastCongestionCause element indicates the last reason,
which was received from the network, for congestion on the corresponding DLCI.
Possible values are:
• none
• short term, excessive traffic
• long term, excessive traffic
• short term, equipment failure
• long term, equipment failure
• short term, maintenance action
• long term, maintenance action
• short term, unknown cause
• long term, unknown cause
• unknown cause
858 1424 SHDSL Router Chapter 12
User manual Status attributes
vp
Whereas the pvcTable gives the current operational status for each Virtual Channel, the vp table gives the
current operational status of a complete Virtual Path.
The vp table contains the following elements:
Element Description
router1424/dslInterface/channel[wan_1]/atm/ima
neState
This attribute displays the current operational status of the near-end of the IMA group. Possible values
are:
Element Description
notConfigured This is a group state indicating that the group does not exist yet.
startUp This is a group state indicating that the group is waiting to see the far-end in star-
tup.
startUpAck This is a group transitional state, when both groups are in startup and the far-end
group parameters have been accepted.
configAbortUnsup- This is a group state indicating that the group has rejected the group parameters
portedM proposed by the far-end IMA group. The reason in this case is “unsupported IMA
frame size”.
configAbortIncom- This is a group state indicating that the group has rejected the group parameters
patibleSymmetry proposed by the far-end IMA group. The reason in this case is “incompatible group
symmetry”.
configAbortInvalid This is a group state indicating that the group has rejected the group parameters
ImaVersion proposed by the far-end IMA group. The reason in this case is “unsupported IMA
version”.
configAbortOther This is a group state indicating that the group has rejected the group parameters
proposed by the far-end IMA group. The reason in this case is any other reason
than configAbortUnsupportedM, configAbortIncompatibleSymmetry or configA-
bortInvalidImaVersion.
insufficientLinks Group state indicating that the group does not have sufficient links in the active
state to be in the operational state.
blocked This is a group state indicating that the group has been inhibited.
operational Group state indicating than the group has sufficient links in both transmit and
receive directions to carry ATM layer cells.
feState
This attribute displays the current operational status of the far-end of the IMA group. The possible values
are the same as those of the neState attribute above.
1424 SHDSL Router Chapter 12 861
User manual Status attributes
neTxClockMode
This attribute displays the transmit clock mode that is currently being used by the near-end. Possible
values are: common or independent.
feTxClockMode
This attribute displays the transmit clock mode that is currently being used by the far-end. Possible val-
ues are: common or independent.
nrActRxLinks
nrActTxLinks
memebers
This attribute gives the complete status information of all the members of the IMA group.
The members table contains the following elements:
Element Description
inteface This element displays the name of the interface that is a member of the IMA group.
id This element displays the logical ID of the link on the interface that makes up the
IMA bundle.
neRxState This element displays the current status of the near-end receive side of the link.
Possible values are:
• notInGroup. This is a state indicating that the link is no longer configured within
an IMA group.
• unusableNoGivenReason. This is a state indicating that the link is not in use. No
reason can be given why the link is not in use.
• unusableFault. This is a state indicating that the link is not in use. The reason is
fault. This means a fault has been detected either on the link or in the link pro-
tocol.
• unusableMisconnected. This is a state indicating that the link is not in use because
of a connection problem.
• unusableInhibited. This is a state indicating that the link is not in use. The reason
is inhibited. This means that operation of the link is blocked for some locally
defined application or implementation dependent reason.
• unusableFailed. This is a state indicating the link is not in use. The reason in this
case is failed. This means that the link fails due to the persistence of a defined
defect.
• usable. This is a state indicating that the link is ready to be used.
• active. This is a state indicating that the link is capable of passing cells from the
ATM layer.
• deleted. This is a state indicating that the link has been removed from the IMA
group.
neTxState This element displays the current status of the near-end transmit side of the link.
The possible values are the same as those of the neRxState element, explained
above.
feRxState This element displays the current status of the far-end receive side of the link. The
possible values are the same as those of the neRxState element, explained above.
feTxState This element displays the current status of the far-end transmit side of the link. The
possible values are the same as those of the neRxState element, explained above.
1424 SHDSL Router Chapter 12 863
User manual Status attributes
Element Description
neRxFailure This element displays the current failure status of the near-end receive side of the
link. Possible values are:
• noFailure. There is no failure. The near-end side of the link is up.
• imaLinkFailure. The complete link is down.
• lifFailure. A LIF (Loss of IMA Frame) defect is detected. The LIF defect is the
occurrence of persistent OIF (Out of IMA Frame) anomalies for at least 2 IMA
frames.
• lodsFailure. A LODS (Link Out of Delay Synchronization) defect is detected. The
LODS is a link event indicating that the link is not synchronized with the other
links within the IMA group.
• misConnected. This is reported when the IMA unit has determined that the receive
link is not connected to the same far-end IMA unit as the other receive links in
the group.
• blocked. The link is blocked.
• fault. A fault is detected either on the link or in the link protocol.
• farEndTxLinkUnusable. The far-end transmit side of the link is unusable.
• farEndRxLinkUnusable. The far-end receive side of the link is unusable.
trl This element displays whether or not this link is selected as the reference to derive
the IDCR. Possible values are: yes or no.
TRL stands for Timing Reference Link, and is used to pass synchronization from
the transmit to the receive end.
IDCR stands for IMA Data Cell Rate, and represents the rate at which IMA data
cells should be exchanged between the IMA sublayer and the ATM layer.
864 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/dslInterface/channel[wan_1]/frameRelay/
ip
dlciTable
This attribute gives the complete status information of all known DLCIs.
The dlciTable table contains the following elements:
Element Description
name This is the name of the DLCI as you configured it. If you did not configure a name,
then this element displays: <interface name> “dlci” <dlci number>.
E.g. wan dlci 16
ifLastChange This is the system-up time on the moment the DLCI entered its current operational
state. I.e. the moment the value of the ifOperStatus element changes (from up to down
or vice versa), the system-up time value is written into the ifLastChange element.
frameRelay This displays the specific Frame Relay related status information of the DLCI.
Refer to dlciTable/frameRelay on page 866 for a detailed description of the frameRelay
structure.
866 1424 SHDSL Router Chapter 12
User manual Status attributes
dlciTable/frameRelay
The frameRelay structure in the dlciTable displays the specific Frame Relay related status information of the
DLCI.
The frameRelay structure contains the following elements:
Element Description
active This indicates whether the corresponding DLCI is active (on) or not (off).
new This is set to on if the DLCI has just been created, else it is off.
deleted This is set to on if the DLCI has been deleted, else it is off.
rr This element is only relevant for LMI revision 1. It is the flow control flag. If it is on,
then no traffic can be sent on this DLCI. Else it is off.
bandwidth This element is only relevant for LMI revision 1 (in all other cases this value is 0).
It is the CIR value, in bps, as it is configured on the remote.
cllmLastCongestion- CLLM (Consolidated Link Layer Management) is a Frame Relay protocol used for
Cause traffic management. The cllmLastCongestionCause element indicates the last reason,
which was received from the network, for congestion on the corresponding DLCI.
Refer to cllmLastCongestionCause on page 869 for the possible values of the cllmLastCon-
gestionCause element.
1424 SHDSL Router Chapter 12 867
User manual Status attributes
lmi
Element Description
mode This displays the Frame Relay mode. Possible values are: noLmi, user, network, auto.
Refer to lmi on page 561 for more information on these values.
type This displays the LMI variant. Possible values are: lmiRev1, ansiT1-617-d, q933-Annex-
A, frf1-2.
Refer to lmi on page 561 for more information on these values.
status This displays the current state of LMI. Possible values are:
• up. LMI messages can and are exchanged.
• down. No LMI messages can be exchanged.
lastStatusChange This is the system-up time when the LMI status entered its current state. I.e. the
moment the value of the status element changes (from up to down or vice versa), the
system-up time value is written into the lastStatusChange element.
lastError This displays the last error condition reported by LMI. Possible values are: none,
protocol error, unknown information element, sequence error, unknown report, timer expired,
invalid report type, unsolicited status.
netTxSeqNum This is the sequence number of the last LMI Status Response frame that was sent.
Since only a Frame Relay network or DCE can transmit Status Responses, the
value of this element only changes in case the 1424 SHDSL Router is defined as
a Frame Relay network or both user and network. I.e. in case the mode element is
set to network, auto or nni.
netRxSeqNum This is the sequence number of the last LMI Status Enquiry frame that was
received.
Since only a Frame Relay network or DCE can receive Status Enquiries, the value
of this element only changes in case the 1424 SHDSL Router is defined as a
Frame Relay network or both user and network. I.e. in case the mode element is
set to network, auto or nni.
netErrors This is the number of errors on LMI commands issued by the Frame Relay network
or DCE during the last monitoredEvents period.
userTxSeqNum This is the sequence number of the last LMI Status Enquiry frame that was sent.
Since only a Frame Relay user or DTE can transmit Status Enquiries, the value of
this element only changes in case the 1424 SHDSL Router is defined as a Frame
Relay user or both user and network. I.e. in case the mode element is set to user,
auto or nni.
868 1424 SHDSL Router Chapter 12
User manual Status attributes
Element Description
userRxSeqNum This is the sequence number of the last LMI Status Response frame that was
received.
Since only a Frame Relay user or DTE can receive Status Responses, the value
of this element only changes in case the 1424 SHDSL Router is defined as a
Frame Relay user or both user and network. I.e. in case the mode element is set to
user, auto or nni.
userErrors This is the number of errors on LMI commands issued by the Frame Relay user or
DTE during the last monitoredEvents period.
userWaitFullEnquiry This is the number of LMI frames still to be sent before a Full Status Enquiry will
be requested.
userLastReport- This displays the type of the most recent report that was sent. Possible values are:
TypeSent
• full status. The last report contained the full status.
• link integrity. The last report only contained the link integrity information.
1424 SHDSL Router Chapter 12 869
User manual Status attributes
cllmLastCongestionCause
This attribute indicates the last reason, which was received from the network, for congestion on any of
the DLCIs. Possible values are:
• none
• short term, excessive traffic
• long term, excessive traffic
• short term, equipment failure
• long term, equipment failure
• short term, maintenance action
• long term, maintenance action
• short term, unknown cause
• long term, unknown cause
• unknown cause
870 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/lanInterface/pppoEClient/ppp
router1424/dslInterface/channel[wan_1]/atm/pvcTable/atm/ppp/
router1424/wanEfm/efm/pppoEClient/ppp
ip
Element Description
status This is the current operational status of the IP layer (layer 3) of the PPP link.
address This is the IP address of the PPP link. It is either configured or retrieved automat-
ically.
netMask This is the IP subnet mask of the PPP link. It is either configured or retrieved auto-
matically.
remote This is the IP address of the remote end of the PPP link. It is either configured or
retrieved automatically.
bridging
lcpState
This attribute reflects the status of the LCP (Link Control Protocol) protocol. Possible values are:
Value Description
Starting, Closed, These values correspond with the transient states in the LCP state diagram.
Stopped, Closing,
Stopping
Req-Sent The local side of the PPP link has sent an LCP request. The remote side did not
answer yet.
Ack-Rcvd The local side of the PPP link has received an LCP acknowledge from the remote
side. This is a transient state.
Ack-Sent The local side of the PPP link has acknowledged the LCP request from the remote
side.
ipcpState
This attribute reflects the status of the IPCP (Internet Protocol Control Protocol) protocol. The possible
values are the same as those of the lcpState attribute.
Refer to lcpState on page 871.
bcpState
This attribute reflects the status of the BCP (Bridging Control Protocol) protocol. The possible values are
the same as those of the lcpState attribute.
Refer to lcpState on page 871.
ccpState
This attribute reflects the status of the CCP (Compression Control Protocol) protocol. The possible val-
ues are the same as those of the lcpState attribute.
Refer to lcpState on page 871.
lcpMyOptions
During the LCP handshake, a number of options can be exchanged between the local and remote side
of the link. This attribute lists the LCP options for the router at this side (local side) of the link.
The lcpMyOptions table contains the following elements:
Element Description
option The 1424 SHDSL Router supports the following LCP options:
• 3: the Authentication-Protocol option.
• 5: the Magic-Number option.
For more information on the LCP configuration options, refer to RFC 1661.
value This is the option value represented as an octet string (hexadecimal ASCII repre-
sentation).
1424 SHDSL Router Chapter 12 873
User manual Status attributes
lcpHisOptions
This attribute lists the LCP options for the router at the other side (remote side) of the link. The
lcpHisOptions table contains the same elements as the lcpMyOptions table. Refer to lcpMyOptions on page 872.
Other option values than the ones supported by the 1424 SHDSL Router may be present.
ipcpMyOptions
During the IPCP handshake, a number of options can be exchanged between the local and remote side
of the link. This attribute lists the IPCP options for the router at this side (local side) of the link.
The ipcpMyOptions table contains the following elements:
Element Description
option The 1424 SHDSL Router supports the following IPCP option:
• 3: the IP-Address option.
• ip-vso: the IP-Vendor Specific option. This is used to negotiate the netmask.
For more information on the IPCP configuration options, refer to RFC 1332.
value This is the option value represented as an octet string (hexadecimal ASCII repre-
sentation).
ipcpHisOptions
This attribute lists the IPCP options for the router at the other side (remote side) of the link. The
ipcpHisOptions table contains the same elements as the ipcpMyOptions table. Refer to ipcpMyOptions on
page 873.
Other option values than the ones supported by the 1424 SHDSL Router may be present.
874 1424 SHDSL Router Chapter 12
User manual Status attributes
bcpMyOptions
During the BCP handshake, a number of options can be exchanged between the local and remote side
of the link. This attribute lists the BCP options for the router at this side (local side) of the link.
The bcpMyOptions table contains the following elements:
Element Description
option The 1424 SHDSL Router supports the following BCP options:
• 1: the Bridge-Identification option.
• 2: the Line-Identification option.
• 3: the MAC-Support option.
• 4: the Tinygram-Compression option.
• 5: the LAN-Identification option.
• 6: the MAC-Address option.
• 7: the Spanning-Tree-Protocol option.
For more information on the BCP configuration options, refer to RFC 2878.
value This is the option value represented as an octet string (hexadecimal ASCII repre-
sentation).
bcpHisOptions
This attribute lists the BCP options for the router at the other side (remote side) of the link. The
bcpHisOptions table contains the same elements as the bcpMyOptions table. Refer to bcpMyOptions on page 874.
Other option values than the ones supported by the 1424 SHDSL Router may be present.
1424 SHDSL Router Chapter 12 875
User manual Status attributes
ccpMyOptions
During the CCP handshake, a number of options can be exchanged between the local and remote side
of the link. This attribute lists the CCP options for the router at this side (local side) of the link.
The ccpMyOptions table contains the following elements:
Element Description
option The 1424 SHDSL Router supports the following CCP option:
• 1: the Predictor1 option.
For more information on the CCP configuration options, refer to RFC 1962.
value This is the option value represented as an octet string (hexadecimal ASCII repre-
sentation).
ccpHisOptions
This attribute lists the CCP options for the router at the other side (remote side) of the link. The
ccpHisOptions table contains the same elements as the ccpMyOptions table. Refer to ccpMyOptions on page 875.
Other option values than the ones supported by the 1424 SHDSL Router may be present.
myCompressionRatio
When PPP compression is enabled, this attribute displays the compression ratio achieved by the router
at this side (local side) of the link.
hisCompressionRatio
When PPP compression is enabled, this attribute displays the compression ratio achieved by the router
at the other side (remote side) of the link.
876 1424 SHDSL Router Chapter 12
User manual Status attributes
myAuthenState
This attribute displays the authentication state of the router at this side (local side) of the link. I.e. the
state of the authenticator. Possible values are:
Value Description
No-Authentication The local side does not request PPP authentication or still has to start the CHAP
authentication (LCP handshake is busy).
Wait-On-Response The local side has sent a challenge packet and is waiting for an answer.
Authen-Successful The response packet is found to be correct. This is the state when authentication
succeeded.
Authen-Failure The response packet is found to be incorrect. This is a transient state since the
router starts the LCP handshake again after a failing authentication.
hisAuthenState
This attribute displays the authentication state of the router at the other side (remote side) of the link. I.e.
the state of the peer. Possible values are:
Value Description
Wait-On-Challenge During the LCP handshake the authenticator already indicates it wants to authen-
ticate. From that moment on, the peer awaits a challenge packet.
Wait-On-Success Once the peer has sent a response, it awaits a success or failure message.
Authen-Successful The peer has received a success packet. It remains in this state during data trans-
fer.
Authen-Failure The peer has received a failure packet. This is a transient state since the router
starts the LCP handshake again after a failing authentication.
Authen-Not-Allowed This state only occurs when the peer does not accept the authentication request
during the LCP handshake. A possible reason might be that the peer router does
not support CHAP.
1424 SHDSL Router Chapter 12 877
User manual Status attributes
router1424/wanEfm/efm
ip
Element Description
status This is the current operational status of the IP layer (layer 3).
address This is the IP address of the interface. It is either configured or retrieved automat-
ically.
netMask This is the IP subnet mask of the interface. It is either configured or retrieved auto-
matically.
secondaryIp This is the secondary IP address that has been configured on the EFM interface.
The secondaryIp table contains following elements:
• address. This is the secondary IP address itself.
• netMask. This is the secondary IP subnet mask.
arpCache
This attribute displays all the MAC address - IP address pairs from ARP requests and replies received
on the EFM link. Refer to What is the ARP cache? on page 512 for more information.
The arpCache table contains the following elements:
Element Description
type This is the ARP cache entry type. Possible values are:
• dynamic. The MAC - IP address pair is retrieved from an ARP request or reply
message.
• static. The MAC - IP address pair is configured.
There is only one static entry, i.e. the 1424 SHDSL Router its own IP and MAC
address.
timeOut This is the time the entry will remain in the ARP cache. For the static entry, this
value is 0.
1424 SHDSL Router Chapter 12 879
User manual Status attributes
bridging
macAddress
This attribute displays the MAC address of the 1424 SHDSL Router its EFM interface.
The EFM interface has been allocated a fixed Ethernet address, also called MAC (Medium Access Con-
trol) address. The MAC address is globally unique and can not be modified. It is a 6 byte code, repre-
sented in hexadecimal format. Each byte in the code is separated by a colon.
Refer to What is the ARP cache? on page 512 for more information on the MAC addresses.
880 1424 SHDSL Router Chapter 12
User manual Status attributes
ifDescr
ifType
ifMtu
This attribute displays the interface its Maximum Transfer Unit, i.e. the maximum number of bytes that
one packet can contain on this interface.
Important remark
ifOperStatus
ifLastChange
This attribute shows the system-up time on the moment the interface entered its current operational
state. I.e. the moment the value of the ifOperStatus status attribute changes (from up to down or vice versa),
the system-up time value is written into the ifLastChange status attribute.
1424 SHDSL Router Chapter 12 881
User manual Status attributes
ifSpeed
This attribute displays the interface speed in bits per second (bps).
ipAdEntBcastAddr
This attribute displays the value of the least-significant bit in the IP broadcast address. This address is
used for sending packets on the interface which is associated with the IP address of this entry. The value
applies to the general broadcast, the subnet and network broadcasts.
ipAdEntReasmMaxSize
This attribute displays the size of the largest IP packet which this entity can re-assemble from incoming
IP fragmented packets received on this interface.
vlan
This attribute displays the status of the VLAN(s) on the EFM link.
The vlan table contains the following elements:
Element Description
name This is the name of the VLAN as you configured it. If you did not configure a name,
then this element displays: <LAN interface name> “vlan” <VLAN ID>.
E.g. lan vlan 2
mode This element displays the VLAN mode, possible values are: ces, routing, bridging, rout-
ingAndBridging, switching, frf5, frf8, multilink.
ifLastChange This is the system-up time on the moment the VLAN entered its current operational
state. I.e. the moment the value of the ifOperStatus element changes (from up to down
or vice versa), the system-up time value is written into the ifLastChange element.
pppoEClient
Element Description
name This element displays the administrative name of the PPPoE link.
mode This element displays by which process the packets are treated. Possible values
are:
• bridging. All packets are bridged.
• routing. The IP packets are routed. All other protocols are discarded.
• routingAndBridging. IP packets are routed. Non-IP packets are bridged.
ifOperState This element displays the current operational status of the PPPoE link.
ifLastChange This element shows the system-up time on the moment the PPPoE link entered its
current operational state. I.e. the moment the value of the ifOperStatus element
changes (from up to down or vice versa), the system-up time value is written into the
ifLastChange element.
pppOverEth When the 1424 SHDSL Router wants to initiate a PPP over Ethernet (PPPoE) ses-
sion, it must first perform a discovery to identify the Ethernet MAC address of the
host and to establish a PPPoE session ID. The pppOverEth structure displays infor-
mation on the PPPoE discovery.
The pppOverEth structure contains the following elements:
• discState. This is the state of the discovery. The discovery goes as follows:
- The 1424 SHDSL Router sends a PADI packet (PPPoE Active Discovery
Initiation).
- When the host receives a PADI that it can serve, it replies by sending a
PADO packet (PPPoE Active Discovery Offer).
- The 1424 SHDSL Router then sends one PADR packet (PPPoE Active Dis-
covery Request) to the host that it has chosen.
- When the host receives a PADR packet, it prepares to begin a PPP session.
It generates a unique session ID for the PPPoE session and replies to the
1424 SHDSL Router with a PADS packet (PPPoE Active Discovery Ses-
sion-confirmation).
So possible discState values are: idle, waitForPADO, waitForPADS, established.
• remoteMacAddress. This is the MAC address of the remote system as learned dur-
ing the discovery.
1424 SHDSL Router Chapter 12 883
User manual Status attributes
Element Description
ppp This element displays PPP related parameters of the PPPoE link.
The ppp structure contains the following elements:
• lcpState. This element reflects the status of the LCP (Link Control Protocol) pro-
tocol. Possible values are:
- Initial. LCP handshake has not started yet.
- Starting, Closed, Stopped, Closing, Stopping. These values correspond with the
transient states in the LCP state diagram.
- Req-Sent. The local side of the PPP link has sent an LCP request. The remote
side did not answer yet.
- Ack-Rcvd. The local side of the PPP link has received an LCP acknowledge
from the remote side. This is a transient state.
- Ack-Sent. The local side of the PPP link has acknowledged the LCP request
from the remote side.
- Opened. The LCP handshake succeeded.
• ipcpState. This attribute reflects the status of the IPCP (Internet Protocol Control
Protocol) protocol. The possible values are the same as those of the lcpState
attribute above.
• myAuthenState. This element displays the authentication state of the router at this
side (local side) of the link. i.e. the state of the authenticator. Possible values
are:
- No-Authentication. The local side does not request PPP authentication or still
has to start the CHAP authentication (LCP handshake is busy).
- Wait-On-Response. The local side has sent a challenge packet and is waiting
for an answer.
- Authen-Successful. The response packet is found to be correct. This is the
state when authentication succeeded.
- Authen-Failure. The response packet is found to be incorrect. This is a tran-
sient state since the router starts the LCP handshake again after a failing
authentication.
884 1424 SHDSL Router Chapter 12
User manual Status attributes
Element Description
• hisAuthenState. This attribute displays the authentication state of the router at the
other side (remote side) of the link. i.e. the state of the peer. Possible values
are:
- No-Authentication. This is the start-up state.
- Wait-On-Challenge. During the LCP handshake the authenticator already indi-
cates it wants to authenticate. From that moment on, the peer awaits a chal-
lenge packet.
- Wait-On-Success. Once the peer has sent a response, it awaits a success or
failure message.
- Authen-Successful. The peer has received a success packet. It remains in this
state during data transfer.
- Authen-Failure. The peer has received a failure packet. This is a transient state
since the router starts the LCP handshake again after a failing authentica-
tion.
- Authen-Not-Allowed. This state only occurs when the peer does not accept the
authentication request during the LCP handshake. A possible reason might
be that the peer router does not support CHAP.
1424 SHDSL Router Chapter 12 885
User manual Status attributes
oam
For detailed information, refer to section 5 of IEEE Std. 802.3-2005, more specifically section 57. Oper-
ations, Administration, and Maintenance (OAM).
The oam structure contains the following elements:
Element Description
discovery This element displays the status of the OAM discovery process. Possible values
are:
• fault. This state indicates to the remote device that there is a link fault. This is
also the initial condition.
• sendLocal. While in this state, the 1424 SHDSL Router waits for Information
OAMPDUs received from the remote device.
• passiveWait. This state indicates that the 1424 SHDSL Router is in passive mode,
waiting to receive Information OAMPDUs with Local Information TLVs (Type
Length Value) from the remote.
• sendLocalRemote. While in this state, the 1424 SHDSL Router is sending Local
and Remote Information TLVs. Once the 1424 SHDSL Router has received an
Information OAMPDU with the Local Information TLV from the remote device,
the 1424 SHDSL Router begins sending Information OAMPDUs that contain
both the Local and Remote Information TLVs.
• sendLocalRemoteOk. If the OAM settings of both the local and remote devices are
acceptable, the 1424 SHDSL Router enters the sendLocalRemoteOk state.
• sendAny. Finally, once an OAMPDU has been received indicating that the
remote device is satisfied with the respective settings, the 1424 SHDSL Router
enters the sendAny state. This is the normal operating state for OAM on fully
operational links.
loopback This element displays the status of the OAM remote loopback mechanism. Possi-
ble values are:
• idle. The loopback mechanism is not active.
• waiting. The 1424 SHDSL Router is waiting for the remote device to reply. Note
that switching from idle to active state goes so quickly, that the waiting state will
hardly be noticable.
• active. The 1424 SHDSL Router has received an answer from the remote
device, and the loopback mechanism is active.
886 1424 SHDSL Router Chapter 12
User manual Status attributes
Element Description
localinfo These elements display specific information about the local and remote device
remoteInfo with regard to EFM OAM.
The localInfo and remoteInfo structures contain following elements:
• version. This field indicates the OAM version supported by the remote device.
• revision. This field indicates the current revision of the Information TLV (Type
Length Value). The value of this field starts at zero and will be incremented
each time something in the Information TLV changes.
• state. This field indicates indicates state information of the remote device.
• oui. This field indicates the Organizationally Unique Identifier of the vendor.
• vendorInfo. This field indicates the identifier that can be used to differentiate a
vendor’s product models and versions. This field contains the Vendor Specific
Information field.
• varRetrieval, linkEvents, loopback, unidirectional, mode, maxPduSize. For more informa-
tion about these elements, refer to IEEE Std. 802.3-2005, section 57.5.2.1
Local Information TLV, Table 57–8—OAM Configuration field and Table 57–
9—OAMPDU Configuration field.
clearArpCache
oamRemoteLoopback
Use this action to set up an OAM loop at the network side. Select start as argument value, and execute
the action.
To stop the OAM loop, select stop as argument value, and execute the action.
1424 SHDSL Router Chapter 12 887
User manual Status attributes
router1424/dslInterface/line
ifDescr
ifType
ifOperStatus
This attribute displays the current operational status of the line. Possible values are:
Value Description
ifSpeed
This attribute displays the current line speed in bits per second (bps).
In case of a 1424 SHDSL Router 2 pair version, the line/ifSpeed attribute displays the sum of the speed of
line pair 1 and 2.
region
This attribute displays the SHDSL standard currently used. Possible values are: auto, annexA, annexB.
Refer to region on page 581 for more information on these values.
890 1424 SHDSL Router Chapter 12
User manual Status attributes
numDiscoveredRepeaters
This attribute displays the number of Crocus SHDSL repeaters that the 1424 SHDSL Router discovered
on the SHDSL line.
1424 SHDSL Router Chapter 12 891
User manual Status attributes
minLinePairSpeed
This attribute displays the selected lowest linepair speed of the 1424 SHDSL Router.
maxLinePairSpeed
This attribute displays the selected highest linepair speed of the 1424 SHDSL Router.
framerType
This attribute displays the encapsulation that is currently being used, atm or efm.
spanStatus
The spanStatus table displays EOC related information of the local and remote device (and is linked to the
eocHandling line configuration attribute).
The spanStatus table displays eocState as Online or Offline. Online means that the EOC channel between local
and remote device has been synchronised; Offline means that there is no connection with the remote
device.
snmpIndex
This attribute displays the snmpIndex, which is a unique number, assigned to each object in the contain-
ment tree. Refer to 5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more infor-
mation.
wireMode
This attribute displays the current wire mode settings. Possible values are singlePair or multiPair.
nrOfActivePairs
This attribute displays the number of line pairs that are currently activated:
• If wireMode is multPair, than this attibute indicates how many line pairs are currently bundled.
• If EFM or IMA is used as encapsulation, this attribute indicates how many line pairs are currently used
by EFM or IMA (wireMode is singlePair in this situation).
pairOrder
This attribute indicates in what order the lines are present in the bundle when ATM in multi-pair mode is
used. This attribute is used as an extension of the linePairsSwapped attribute for modems that support max-
imum 2 pairs.
892 1424 SHDSL Router Chapter 12
User manual Status attributes
eocAlarmThresholds
What this attribute displays depends on the setting of the eocHandling attribute:
If eocHandling is then …
set to …
none the eocAlarmThresholds attribute does not display relevant information. It always dis-
plays 0.0.
discovery • on the central1 device, the eocAlarmThresholds attribute displays the values as set
in the linkAlarmThresholds attribute.
inventory
• on the remote2 device, the eocAlarmThresholds attribute does not display relevant
info information. It always displays 0.0.
alarmConfiguration the eocAlarmThresholds attribute displays the values as set in the linkAlarmThresholds
attribute on the central device.
1. The central device is the device on which the channel attribute is set to central.
2. The remote device is the device on which the channel attribute is set to remote.
psdMeasurement
Use this action to measure the frequency spectrum of the line signal of the 1424 SHDSL Router. Once
this action is started, the frequency and amplitude of the line signal can be measured. The 1424 SHDSL
Router will not start the handshaking process after this action has been executed.
1424 SHDSL Router Chapter 12 893
User manual Status attributes
ifOperStatus
This attribute displays the current operational status of the line pair. Possible values are:
Value Description
up The line pair is up, data transfer is possible. This is the case when the value of the
linePair[ ]/status attribute is dataState.
ifSpeed
This attribute displays the line pair speed, in bits per second (bps), when the line pair is in data state.
status
This attribute displays the current status of the line pair. Possible values are:
Value Description
timeSinceLastRetrain
This attribute displays the elapsed time since the last retrain cycle.
lineAttenuation
The lineAttenuation attribute does not display meaningful information when the line is not trained. It is only
relevant for a line that is in data state for at least 5 minutes.
894 1424 SHDSL Router Chapter 12
User manual Status attributes
noiseMargin
This attribute displays the current signal to noise ratio on the line pair in dB.
The signalNoise attribute does not display meaningful information when the line is not trained. It is only
relevant for a line that is in data state for at least 5 minutes.
transmitPower
This attribute displays the transmit power on the line pair in dB.
actualBitRate
This attribute displays the maximum speed, in bits per second (bps), that could be negotiated on the line
pair during the training sequence.
snmpIndex
This attribute displays the SNMP index, which is a unique number, assigned to each object in the con-
tainment tree. Refer to 5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more
information.
stepupTreshold
modulation
This attribute displays the modulation mode that is used on the line pair: tc-pam16, tc-pam32 or auto.
adminStatus
This attribute displays the current condition of the line pair. Possible values are:
Value Description
down This means that the linePair is currently not activated or used.
896 1424 SHDSL Router Chapter 12
User manual Status attributes
• Exactly which information is retrieved from the remote SHDSL device(s) through the EOC channel
depends on the setting of the eocHandling attribute. Refer to 5.5.4 - Which standard EOC information
is retrieved? on page 83 for an overview.
• The repeater[ ] and end objects contain the same attributes, therefore only the attributes of the end
object are listed here.
1424 SHDSL Router Chapter 12 897
User manual Status attributes
router1424/wanInterface/end/vendorId
This attribute is only retrieved in case the eocHandling attribute is set to discovery, inventory, info or alarmCon-
figuration.
This attribute displays information about the vendor of the repeater or end device. The vendorId structure
contains the following elements:
• countryCode E.g. 65295 for Belgium.
• providerCode E.g. TLS_ for OneAccess.
• vendorSpecific
router1424/wanInterface/end/vendorModel
This attribute is only retrieved in case the eocHandling attribute is set to inventory, info or alarmConfiguration.
This attribute displays the model of the repeater or end device. E.g. SHDSL TT 2P for a Crocus SHDSL
Table Top 2 pair version.
router1424/wanInterface/end/vendorSerial
This attribute is only retrieved in case the eocHandling attribute is set to inventory, info or alarmConfiguration.
This attribute displays the serial number of the repeater or end device. For a OneAccess devices this is
the deviceId attribute (refer to router1424/deviceId on page 830).
router1424/wanInterface/end/vendorSoftVersion
This attribute is only retrieved in case the eocHandling attribute is set to inventory, info or alarmConfiguration.
This attribute displays the version of the firmware used on the repeater or end device. For a OneAccess
device this is the part after “/” of the T-code string displayed in the flashVersion attribute (refer to router1424/
flash1Version on page 828).
router1424/wanInterface/end/eocSoftVersion
This attribute is only retrieved in case the eocHandling attribute is set to discovery, inventory, info or alarmCon-
figuration.
This attribute displays the EOC software version used on the repeater or end device.
898 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/wanInterface/end/shdslVersion
This attribute is only retrieved in case the eocHandling attribute is set to discovery, inventory, info or alarmCon-
figuration.
This attribute displays the SHDSL version used on the repeater or end device.
router1424/wanInterface/end/eocState
This attribute is only retrieved in case the eocHandling attribute is set to discovery, inventory, info or alarmCon-
figuration.
This attribute displays the state of the EOC channel.
router1424/wanInterface/end/eocAlarmThresholds
This attribute is only retrieved in case the eocHandling attribute is set to info or alarmConfiguration.
What this attribute displays depends on the setting of the eocHandling attribute:
If eocHandling is then …
set to …
info the eocAlarmThresholds attribute displays the values as set in the linkAlarmThresholds
attribute on the remote1 device.
alarmConfiguration the eocAlarmThresholds attribute displays the values as set in the linkAlarmThresholds
attribute on the central2 device.
1. The remote device is the device on which the channel attribute is set to remote.
2. The central device is the device on which the channel attribute is set to central.
router1424/wanInterface/end/linePair[ ]/lineAttenuation
This attribute is only retrieved in case the eocHandling attribute is set to info or alarmConfiguration.
This attribute displays the line attenuation, in dB, as it is measured on the line pair of the repeater or end
device.
router1424/wanInterface/end/linePair[ ]/signalNoise
This attribute is only retrieved in case the eocHandling attribute is set to info or alarmConfiguration.
This attribute displays the noise margin, in dB, as it is measured on the line pair of the repeater or end
device.
router1424/wanInterface/repeater/loopbackActivation
Set the loop by selecting the action argument value initiateNetworkLoopback and executing the action (in
TMA, double-click the loopbackActivation string). Stop the loop by selecting the action argument value
clearAllMaintenanceStates and executing the action (in TMA, double-click the loopbackActivation string).
Important remarks
• You can only set up a loop at the network side of the Crocus SHDSL Repeater. Not at the customer
side.
• You can only start the loopbackActivation action on the central device. Not on the remote device.
• You can only start the loopbackActivation action in case the eocHandling attribute is set to alarmConfiguration.
900 1424 SHDSL Router Chapter 12
User manual Status attributes
This section describes the status attributes of the different bundles that can be set up on the 1424
SHDSL Router. The following gives an overview of this section:
• 12.8.1 - PPP bundle status attributes on page 901
1424 SHDSL Router Chapter 12 901
User manual Status attributes
router1424/bundle/pppBundle[ ]/ifDescr
router1424/bundle/pppBundle[ ]/ifType
router1424/bundle/pppBundle[ ]/ifOperStatus
This attribute displays the current operational status of the PPP bundle.
router1424/bundle/pppBundle[ ]/ifSpeed
This attribute displays the current speed of the PPP bundle in bits per second (bps). It is the sum of the
speeds of all the bundle links in the bundle.
1424 SHDSL Router Chapter 12 903
User manual Status attributes
router1424/bundle/pppBundle[ ]/members
This attribute displays the status of the different bundle links in the PPP bundle.
The members table contains the following elements:
Element Description
ifDescr This element displays the name of the bundle link as you entered it in the members
configuration attribute.
Refer to 6.7.11 - Setting up multilink PPP on page 177 for more information.
memberStatus This element displays the member status of the bundle link in the bundle. Possible
values are:
• notJoined. The bundle link is currently not an active member of the bundle. E.g.
because the bundle link is down.
• joined. The bundle link is currently an active member of the bundle.
• notFound. The bundle link that you specified in the members configuration attribute
could not be found. E.g. because you entered a wrong channel index name or
because you did not create a channel yet.
Refer to 6.7.11 - Setting up multilink PPP on page 177 for more information for
more information on the channels and channel index names.
ifLastChange This element displays the system-up time on the moment the bundle link entered
its current operational state. I.e. the moment the value of the memberStatus status
element changes (from notJoined to joined or vice versa), the system-up time value
is written into the ifLastChange status element.
ifSpeed This element displays the current speed of the bundle link in bits per second (bps).
904 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/bundle/pppBundle[ ]/ip
Element Description
status This is the current operational status of the IP layer (layer 3) of the PPP bundle.
address This is the IP address of the PPP bundle. It is either configured or retrieved auto-
matically.
netMask This is the IP subnet mask of the PPP bundle. It is either configured or retrieved
automatically.
remote This is the IP address of the remote end of the PPP bundle. It is either configured
or retrieved automatically.
router1424/bundle/pppBundle[ ]/ipcpState
This attribute reflects the status of the IPCP (Internet Protocol Control Protocol) protocol. Possible val-
ues are:
Value Description
Starting, Closed, These values correspond with the transient states in the IPCP state diagram.
Stopped, Closing,
Stopping
Req-Sent The local side of the PPP link has sent an IPCP request. The remote side did not
answer yet.
Ack-Rcvd The local side of the PPP link has received an IPCP acknowledge from the remote
side. This is a transient state.
Ack-Sent The local side of the PPP link has acknowledged the IPCP request from the remote
side.
router1424/bundle/pppBundle[ ]/ipcpMyOptions
During the IPCP handshake, a number of options can be exchanged between the local and remote side
of the link. This attribute lists the IPCP options for the router at this side (local side) of the link.
The ipcpMyOptions table contains the following elements:
Element Description
option The 1424 SHDSL Router supports the following IPCP option:
• 3: the IP-Address option.
• ip-vso: the IP-Vendor Specific Option. This is used to negotiate the netmask.
For more information on the IPCP configuration options, refer to RFC 1332.
value This is the option value represented as an octet string (hexadecimal ASCII repre-
sentation).
router1424/bundle/pppBundle[ ]/ipcpHisOptions
This attribute lists the IPCP options for the router at the other side (remote side) of the link. The
ipcpHisOptions table contains the same elements as the ipcpMyOptions table. Refer to router1424/bundle/ppp-
Bundle[ ]/ipcpMyOptions on page 905.
Other option values than the ones supported by the 1424 SHDSL Router may be present.
906 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/bundle/pppBundle[ ]/bridging
router1424/bundle/pppBundle[ ]/bcpState
This attribute reflects the status of the BCP (Bridging Control Protocol) protocol. The possible values are
the same as those of ipcpState attribute. Refer to router1424/bundle/pppBundle[ ]/ipcpState on page 904.
router1424/bundle/pppBundle[ ]/bcpMyOptions
During the BCP handshake, a number of options can be exchanged between the local and remote side
of the link. This attribute lists the BCP options for the router at this side (local side) of the link.
The bcpMyOptions table contains the following elements:
Element Description
option The 1424 SHDSL Router supports the following BCP options:
• 1: the Bridge-Identification option.
• 2: the Line-Identification option.
• 3: the MAC-Support option.
• 4: the Tinygram-Compression option.
• 5: the LAN-Identification option.
• 6: the MAC-Address option.
• 7: the Spanning-Tree-Protocol option.
For more information on the BCP configuration options, refer to RFC 2878.
value This is the option value represented as an octet string (hexadecimal ASCII repre-
sentation).
1424 SHDSL Router Chapter 12 907
User manual Status attributes
router1424/bundle/pppBundle[ ]/bcpHisOptions
This attribute lists the BCP options for the router at the other side (remote side) of the link. The
bcpHisOptions table contains the same elements as the bcpMyOptions table. Refer to router1424/bundle/pppBun-
dle[ ]/bcpMyOptions on page 906.
Other option values than the ones supported by the 1424 SHDSL Router may be present.
router1424/bundle/isdnBundle[ ]/bacpState
This attribute reflects the status of the BACP (Bandwidth Allocation Control Protocol) protocol. The pos-
sible values are the same as those of ipcpState attribute. Refer to router1424/bundle/pppBundle[ ]/ipcpState on
page 904.
router1424/bundle/isdnBundle[ ]/bacpMyOptions
During the BACP handshake, a number of options can be exchanged between the local and remote side
of the link. This attribute lists the BACP options for the router at this side (local side) of the link.
The bacpMyOptions table contains the following elements:
Element Description
option The 1424 SHDSL Router supports the following BACP options:
• 1: the Favored-Peer option.
For more information on the BACP configuration options, refer to RFC 2125.
value This is the option value represented as an octet string (hexadecimal ASCII repre-
sentation).
908 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/bundle/isdnBundle[ ]/bacpHisOptions
This attribute lists the BACP options for the router at the other side (remote side) of the link. The
bacpHisOptions table contains the same elements as the bacpMyOptions table. Refer to router1424/bundle/isdn-
Bundle[ ]/bacpMyOptions on page 907.
Other option values than the ones supported by the 1424 SHDSL Router may be present.
1424 SHDSL Router Chapter 12 909
User manual Status attributes
router1424/bundle/pppBundle[ ]/multiclassInterfaces
This attribute displays the status of the different multiclass PPP links in the PPP bundle.
The multiclassInterfaces table contains the following elements:
Element Description
name This element displays the name of the multiclass PPP link as you defined it in the
multiclassInterfaces configuration attribute.
ifOperStatus This element displays the current operational status of the multiclass PPP link.
ifLastChange This element shows the system-up time on the moment the multiclass PPP link
entered its current operational state. I.e. the moment the value of the ifOperStatus
status attribute changes (from up to down or vice versa), the system-up time value
is written into the ifLastChange status attribute.
bridging This element displays the bridging information of the multiclass PPP link.
Refer to bridging on page 835 for a detailed description of the bridging structure.
ppp This element displays the PPP information of the multiclass PPP link.
Refer to 12.5.4 - PPP status attributes on page 870 for a detailed description of the
elements in the ppp structure.
multiclass This element displays the multiclass identifier of the multiclass PPP link.
910 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/bundle/pppBundle[ ]/snmpIndex
This attribute displays the SNMP index, which is a unique number, assigned to each object in the con-
tainment tree. Refer to 5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more
information.
1424 SHDSL Router Chapter 12 911
User manual Status attributes
This section discusses the status attributes concerned with routing. First it describes the general routing
status attributes. Then it explains the status attributes of the extra features as there are NAT, L2TP tun-
nelling, etc…
The following gives an overview of this section:
• 12.9.1 - General router status attributes on page 912
• 12.9.2 - NAT status attributes on page 924
• 12.9.3 - L2TP tunnel status attributes on page 926
• 12.9.4 - GRE tunnel status attributes on page 931
• 12.9.5 - Native IPSEC tunnel status attributes on page 934
• 12.9.6 - IKE SA status attributes on page 936
• 12.9.7 - OSPF status attributes on page 938
• 12.9.8 - BGP status attributes on page 956
• 12.9.9 - VRRP status attributes on page 970
• 12.9.10 - Firewall status attributes on page 972
• 12.9.11 - Virtual Routing and Forwarding (VRF) status attirbutes on page 975
912 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/routingTable
This attribute lists all known routes (both static and learned routes) with their operating status.
The routingTable contains the following elements:
Element Description
gateway This is the IP address of the next router on the path to the destination network.
interface This is the interface through which the destination network can be reached. Pos-
sible values are:
• internal. The own protocol stack is used.
• <name>. The destination network can be reached through this particular inter-
face. The <name> of the interface is the name as you configured it.
Note that the “interface” can also be a DLCI, an ATM PVC, a tunnel, etc.
• discard. Packets for this destination are discarded.
encapsulation This is the used encapsulation. It is related to the interface for this route. Possible
values are:
• none. The IP packets are not encapsulated.
• ethernet. The IP packets are encapsulated with the ARPA MAC header.
• frameRelay. The IP packets are encapsulated in Frame Relay.
• ppp. The IP packets are encapsulated in PPP.
• atm. The IP packets are encapsulated in ATM.
914 1424 SHDSL Router Chapter 12
User manual Status attributes
Element Description
preference This displays the route preference. If more than one route matches the IP destina-
tion address, this attribute determines which route is used. The route with the low-
est preference value will be used.
Element Description
metric If two routes exist with the same preference, then the route with the lowest metric
value is chosen. The metric attribute serves as a cost for using the route. In most
cases it indicates the number of hops (= routers) required to reach a destination.
timeOut In case of a RIP route, the timeOut attribute displays the time the route will remain
in the routing table if no RIP updates are received anymore. For other routes this
attribute always displays 00000d 00h 00m 00s.
Example
The lines in the routing table depicted above represent the following:
• Line 1 represents the default gateway, which is not defined.
• Lines 2 and 5 represent the subnets on the LAN and WAN interface respectively.
• Lines 3 and 6 represent the interface its IP addresses.
• Line 7 represents the static route to the remote LAN.
• Finally, line 4 represents the multicast address for RIP version 2.
Remark
If the LAN is not connected to the 1424 SHDSL Router, it is still possible to contact the 1424 SHDSL
Router with e.g. TMA or Telnet over the WAN link by using the IP address of the LAN interface. This
means that the status attribute router1424/lanInterface/ip/status still indicates up, although in the routingTable
the corresponding route to the network is down. This implementation seems not logical but is necessary
to insure correct operation with HP OpenView.
916 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/igmpTable
This attribute shows the multicast address, reported by one or more clients. The igmpTable is always
updated, even if no proxy is configured.
The igmpTable contains the following elements:
Element Description
interface This is the interface name of the client(s). In case of multiple interface names, they
are separated from each other by a comma.
What is IGMP?
Internet Group Management Protocol (IGMP) is defined in RFC 1112 as the standard for IP multicasting
in the Internet.
It is used to establish host memberships in particular multicast groups on a single network. The mecha-
nisms of the protocol allow a host to inform its local router, using Host Membership Reports, that it wants
to receive messages addressed to a specific multicast group.
All hosts conforming to level 2 of the IP multicasting specification require IGMP.
IGMP topology
In this topology …
• Client 1 and Client 2 are multicast clients.
• Router 1, 2 and 3 are multicast enabled routers.
• Server 1 is a multicast server.
1424 SHDSL Router Chapter 12 917
User manual Status attributes
The multicasting IGMP protocol can be configured on every IP interface. Refer to the igmp element in
5.2.3 - Explaining the ip structure on page 56.
A client can leave or join a multicast group by erasing or adding a multicast address from a table, defined
in the client application. A list of multicast group addresses is maintained in the routers. The reported
multicast addresses can be seen in the igmpTable. Refer to router1424/ip/router/igmpTable on page 916.
On a router interface, IGMP join and leave messages are interpreted and the multicast member list is
adapted accordingly. Multicast frames are forwarded if they are present in the multicast member list. On
a proxy interface, IGMP join and leave messages are transmitted according to the multicast member list.
Multicast frames are always forwarded.
Since IGMP is send in UDP (join/leave can be lost), the clients (proxies) are polled every 125 seconds:
• A general query is send to 224.0.0.1 (poll all systems).
• A leave group message is send to 224.0.0.2 (all routers).
918 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/dhcpBinding
Element Description
interface This is the name of the interface on which the client has been bound.
state This is the state of the lease. Possible values are leased and onHold.
router1424/ip/router/dhcpStatistics
This attribute contains the statistics of all IP address ranges that have been specified in the configuration
attribute dhcpDynamic.
The dhcpStatistics table contains the following elements:
Element Description
interface For the corresponding IP address range, this is the name of the interface on which
the clients have been bound.
free For the corresponding IP address range, this displays the number of IP addresses
that are still free.
leased For the corresponding IP address range, this displays the number of IP addresses
that are leased.
hold For the corresponding IP address range, this displays the number of IP addresses
that are on hold.
During power-down of the DHCP server, some leased IP addresses can still be active. Because the
duration of the power-down can not be known, all timer information about lease and hold time becomes
meaningless. Therefore, the DHCP server incorporated in the 1424 SHDSL Router sends a ping to all
leased addresses after a warm boot. When the client responds to this ping, the DHCP server resets all
timers to their default value and keeps the lease with this client.
1424 SHDSL Router Chapter 12 919
User manual Status attributes
router1424/ip/router/dhcpRelayInfo
This attribute displays the status information of the DHCP relay process in case the 1424 SHDSL Router
is configured to act as DHCP relay agent.
The dhcpRelayInfo table contains the following elements:
Element Description
sourceIntf This is the name of the interface on which the DHCP request has been received.
assignedIp This is the IP address that has been dynamically assigned to the client by the
remote DHCP server.
dhcpStatus This is the status of the DHCP process. Possible values are: discover, offer, request,
decline, ack, nack, release, inform, idle.
router1424/ip/router/dhcpBlackList
This attribute displays the MAC and IP address of blacklisted clients and the reason why they are on the
black list.
The dhcpBlackList table contains the following elements:
Element Description
reason This is the reason why the client is on the black list. Possible values are:
• arp. The ARP request probing indicated that the IP address is already in use by
a client on the network. Refer to dhcpCheckAddress on page 633.
• ping. The ICMP Echo Request (ping) probing indicated that the IP address is
already in use by a client on the network. Refer to dhcpCheckAddress on page 633.
• alienAck. Another DHCP server assigned an IP address to the client.
• declined. The client explicitly declined the IP address that was assigned.
• networkOrBroadcast. The DHCP server tried to assign a network or broadcast
address to a client. This indicates that the IP address ranges in the DHCP
server have been misconfigured.
920 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/radius
This attribute shows some RADIUS status information. Refer to What is RADIUS? on page 441 for more
information.
The radius structure contains the following elements:
Element Description
authServer This is the IP address of the authentication server the 1424 SHDSL Router is con-
nected to.
acctServer This is the IP address of the accounting server the 1424 SHDSL Router is con-
nected to.
router1424/ip/router/dns
This attribute shows some DNS status information. Refer to What is DNS? on page 1148 for more infor-
mation.
The dns table contains the following elements:
Element Description
infiniteTimeOut This indicates that the DNS record has an infinite TTL or at least longer than 24
days.
router1424/ip/router/dnsServers
This attribute displays the IP address(es) of the DNS server(s) that have been configured or learned.
The dns table contains the following elements:
Element Description
router1424/ip/router/addrPools
This attribute shows which IP address pools have been configured. Refer to What is an IP address pool?
on page 60 for more information.
The addrPools table contains the following elements:
Element Description
name This is the name of the IP address pools that have been configured.
type This is the type of IP address pools that have been configured.
nrOfAddresses This is the number of IP addresses that have been configured in each address
pool.
availAddresses This is the number of IP addresses that are available in each address pool.
router1424/ip/router/poolReservations
This attribute shows which IP addresses have already been picked out of the IP address pool. Refer to
What is an IP address pool? on page 60 for more information.
The addrPools table contains the following elements:
Element Description
name This is the name of the IP address pool, as you configured it, from which the IP
addresses have been picked.
type This is the type of IP address pool from which the IP addresses have been picked.
Possible values are: list or interval.
local This is the local IP address that has been picked out of the IP address pool.
remote This is the remote IP address that has been picked out of the IP address pool.
netMask This is the subnet mask that has been picked out of the IP address pool.
interface This is the name of the interface on which the IP addresses are used.
922 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/dnsUpdateClient
Element Description
router1424/ip/router/unBlacklist
Element Description
startIp Use this element to specify an IP address (range) that has to be removed from the
blacklist.
If you want to specify …
• a single IP address, then just enter the IP address in the startIp element and
leave the stopIp element at its default value (<opt>).
• an IP address range, then enter the first IP address of the range in the startIp
element and the last IP address of the range in the stopIp element.
stopIp Use this element to specify the last IP address of an IP address range that has to
be removed from the blacklist.
mac Use this element to specify a MAC address of an entry that has to be removed from
the blacklist.
router1424/ip/router/forceDnsUpdate
This action can unblock the Dynamic DNS status-machine from stopped to enabledIdle so that automatic
DNS update can recover from an errored situation.
This action is accompanied with an argument dnsUpdateName, to indicate which of the entries in the dnsUp-
dateClient table is subject to the action.
When a reconfiguration of the dnsUpdateClient table is done after an errored situation, the update state-
machine will resume operation automatically, i.e. its state will change from stopped to enabledIdle.
924 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/defaultNat/addresses
This attribute displays the status of each official IP address that is configured in the configuration
attribute addresses.
The addresses table contains the following elements:
Element Description
officialAddress This is the official IP address as you entered it in the addresses configuration
attribute.
privateAddress This is the private IP address that is currently linked with the official IP address.
status This is the status of the official IP address. Possible values are:
• free. This official IP address is currently not in use.
• fixed. This address has a pre-configured mapping between the official and pri-
vate IP address.
• allocated. This official IP address is currently assigned to a private IP address,
but it is not fixed.
uses This indicates how many sessions are currently used by this official IP address.
If the attribute value becomes zero, the assigned official IP address becomes free
again and can be assigned to another private IP address.
926 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/tunnels/l2tpTunnels
Element Description
name This is the name of the tunnel as you configured it. If you did not configure a name,
then this element displays: “tunnel” <local IP address of the tunnel>.
E.g. tunnel 192.168.5.1
ifOperStatus This displays the operational status of the tunnel. Possible values are:
• up. The tunnel is up, data transfer is possible.
• down. The tunnel is down, data transfer is not possible.
• dormant. The tunnel is "stand-by". As soon as data has to be sent over the tun-
nel, control connect messages are exchanged and the operational status of the
tunnel becomes up.
ifLastChange This is the system-up time on the moment the tunnel entered its current opera-
tional state. I.e. the moment the value of the ifOperStatus status element changes
(from up to down or vice versa), the system-up time value is written into the
ifLastChange status element.
l2tp This displays the specific L2TP related status information of the tunnel.
Refer to the router1424/ip/router/tunnels/l2tpTunnels/l2tp on page 928 for a detailed descrip-
tion of the l2tp structure.
router1424/ip/router/tunnels/l2tpTunnels/l2tp
The l2tp structure in the l2tpTunnels table displays the specific L2TP related status information of the tun-
nel.
The l2tp structure contains the following elements:
Element Description
localIpAddress This displays the official IP address that serves as start point of the L2TP connec-
tion.
remoteIpAddress This displays the official IP address that serves as end point of the L2TP connec-
tion.
l2tpType This displays which L2TP server type the 1424 SHDSL Router currently is: LAC or
LNS.
If you set the configuration attribute l2tpMode to auto, then the status attribute l2tpType
displays the auto value until the 1424 SHDSL Routers have mutually decided who
will be the LAC and who the LNS.
controlState This displays the states associated with the LNS or LAC control connection estab-
lishment. Refer to L2TP status - control states on page 929 for more information.
callState This displays the states associated with the LNS or LAC incoming or outgoing
calls. Refer to L2TP status - call states on page 929 for more information.
deliveryState This displays the states associated with the LNS or LAC packet delivery. Refer to
L2TP status - delivery states on page 930 for more information.
authenState This displays the states associated with the LNS or LAC authentication. Refer to
L2TP status - authentication states on page 930 for more information.
router1424/ip/router/tunnels/ipsecL2tpTunnels
The states associated with the LNS or LAC for control connection establishment are:
Value Description
waitCtlReply This is the state where a Start Control Connection Reply is awaited.
waitCtlConn This is the state where a Start Control Connection Connected is awaited. Upon
receipt, the challenge response is checked. The tunnel either is established, or is
torn down if an authorisation failure is detected.
The states associated with the LNS or LAC incoming or outgoing calls are:
Value Description
waitReply This is the state where an Incoming or Outgoing Call Reply message is awaited. If
an Incoming or Outgoing Call Reply message is received, an incoming or Outgoing
Call Connected message is sent and the session moves to the established state.
waitConnect This is the state where an Incoming or Outgoing Call Connected message is
awaited. If an Incoming or Outgoing Call Connected message is received, the call
was successful and the session moves to the established state.
Value Description
operating The 1424 SHDSL Router has sent a packet, but has not received an acknowledge-
ment on this packet yet.
Value Description
noAuthentication Authentication is not enabled. This is also the start-up state for the authentication
process.
authenSuccessful Authentication was successful. The 1424 SHDSL Router remains in this state dur-
ing data transfer.
authenFailure Authentication failed. This is a transient state since the 1424 SHDSL Router starts
the handshake again after a failing authentication.
1424 SHDSL Router Chapter 12 931
User manual Status attributes
router1424/ip/router/tunnels/greTunnels
Element Description
name This element displays the unique interface name of the GRE Tunnel.
ifOperStatus This element displays the status of the GRE tunnel. Possible values are:
• down. The tunnel is not operational.
• up. The tunnel is operational.
• dormant. The tunnel is dormant.
ifLastChange This is the system-up time on the moment the tunnel entered its current opera-
tional state. I.e. the moment the value of the ifOperStatus status element changes
(from up to down or vice versa), the system-up time value is written into the ifLastCh-
ange status element.
gre The gre structure displays the GRE related parameters of the tunnel. The gre struc-
ture contains following elements:
• localIpAddress. This is the local IP address of tunnel endpoint.
• remoteIpAddress. This is the remote IP address of tunnel endpoint.
• state. This element displays the current state of the GRE tunnel. Possible values
are:
- setup. The proces of bringing up the tunnel has started.
- resolvingRemote. The remote address will be resolved through DNS resolving.
- resolvingLocal. The local address will be resolved by finding a valid (up) route
for the remote address.
- open. The GRE tunnel is waiting for a tunnel endpoint to connect.
- spoofing. The GRE tunnel is configured as on-data, waiting for user data to
be operational.
- down. The GRE tunnel is not operational (no route found).
- up. The GRE tunnel is operational.
1424 SHDSL Router Chapter 12 933
User manual Status attributes
router1424/ip/router/tunnels/ipsecGreTunnels
Element Description
name This element displays the unique interface name of the IPSEC GRE Tunnel.
ifOperStatus This element displays the status of the IPSEC GRE tunnel. Possible values are:
• down. The tunnel is not operational.
• up. The tunnel is operational.
• dormant. The tunnel is dormant.
ifLastChange This is the system-up time on the moment the tunnel entered its current opera-
tional state. I.e. the moment the value of the ifOperStatus status element changes
(from up to down or vice versa), the system-up time value is written into the ifLastCh-
ange status element.
gre The gre structure displays the IPSEC GRE related parameters of the tunnel. The
gre structure contains following elements:
• localIpAddress. This is the local IP address of tunnel endpoint.
• remoteIpAddress. This is the remote IP address of tunnel endpoint.
• ike. This element displays the IKE state for this tunnel. Possible values are:
- idle. IKE is not configured.
- down. IKE is down.
- setup. IKE is being set up.
- up. IKE is up.
- rollover. The re-keying process is busy.
• state. This element displays the current state of the IPSEC GRE tunnel. Possi-
ble values are:
- setup. The proces of bringing up the tunnel has started.
- resolvingRemote. The remote address will be resolved through DNS resolving.
- resolvingLocal. The local address will be resolved by finding a valid (up) route
for the remote address.
- open. The IPSEC GRE tunnel is waiting for a tunnel endpoint to connect.
- spoofing. The IPSEC GRE tunnel is configured as on-data, waiting for user
data to be operational.
- down. The IPSEC GRE tunnel is not operational (no route found).
- up. The IPSEC GRE tunnel is operational.
934 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/tunnels/ipsecTunnels
Element Description
localIpAddress This is the official IP address that serves as start point of the IPSEC tunnel.
remoteIpAddress This is the IP address that serves as end point of the IPSEC tunnel.
This could be the result after the DNS resolving of the configuration attribute remot-
eDnsName.
operStatus This element displays the status of the IPSEC tunnel. Possible values are:
• down. The tunnel is not operational, probably IKE is down.
• up. The tunnel is operational.
• resolvingRemote. The endpoint of the tunnel remoteDnsName will be resolved by
means of a DNS request.
• resolvingLocal. The local address should be resolved by finding a valid route for
the remote address. This route should be up.
• setup. The tunnel is being configured.
• delete. The tunnel will be deleted soon.
• new. A new tunnel has been added and has not yet been configured.
• waitDnsReply. Waiting for a DNS reply, which means the tunnel endpoint is being
resolved.
• spoofing. The tunnel is in spoofing state. Outgoing dial tunnels will stay in spoof-
ing state as long as no data is present to send through the tunnel.
• initSA. The SA will be configured next, this could either be an IKE SA or a Manual
SA.
• waitUp. The tunnel is putting routes up and will change its state to up after 1s.
lastChange This element displays the system up time on the moment the tunnel entered its
current operational state.
ike This element displays the IKE state for this tunnel. Possible values are:
• idle. IKE is not configured.
• down. IKE is down.
• setup. IKE is being set up.
• up. IKE is up.
• rollover. The re-keying process is busy.
936 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/ikeSA[ ]/phase1
This attribute displays status information of phase 1 in the IKE negotiation process.
The phase1 table contains the following elements:
Element Description
remainingSecs This element displays the time the IKE SA will remain active for.
router1424/ip/router/ikeSA[ ]/phase2
This attribute displays status information of phase 2 in the IKE negotiation process.
The phase2 table contains the following elements:
Element Description
direction This element displays the direction of the IPSEC SA. Possible values are: inbound
or outbound.
spi This element displays the Security Parameter Index of the IPSEC SA.
protocol This element displays which protocol is used in the IPSEC SA. Possible values
are: esp or ah.
encapsulation This element displays which encapsulation is used in the IPSEC SA. Possible val-
ues are: transport l2tp, transport gre and tunnel.
natTraversel This element displays whether natTraversel is active or not. Possible values are:
active and inactive.
encryptionAlgorithm This element displays which encryption algorithm is used on the IPSEC SA. Pos-
sible values are: null, des, 3des or disabled.
authenticationAlgo- This element displays which authentication algorithm is used on the IPSEC SA.
rithm Possible values are: hmac_md5, hmac_sha-1 or disabled.
softLifeTime This element displays the soft life time of the IPSEC SA.
When the soft life time expires, the IKE peers know that the hard lifetime is about
to expire. This gives them the time to rekey the SA without disrupting communica-
tion before the hard lifetime expires.
hardLifeTime This element displays the hard life time of the IPSEC SA.
When the hard life time expires, the IPSEC SA is actually disconnected.
router1424/ip/router/ikeSA[ ]/clearSAs
This section discusses the status attributes concerned with OSPF. First it describes the general OSPF
status attributes. Then it explains the OSPF area status attributes.
The following gives an overview of this section:
• General OSPF status attributes on page 939
• Area status attributes on page 944
1424 SHDSL Router Chapter 12 939
User manual Status attributes
router1424/ip/router/ospf/type
Element Description
areaBorder This element indicates whether the router is an Area Border Router.
asbr This element indicates whether the router is an Autonomous System Border
Router.
Refer to 7.6.1 - Introducing OSPF on page 213 for more information.
virtualLink This element indicates whether a virtual link is present on the router.
wildCardMulticast This element indicates whether multicast extensions are supported by the router.
Note that wildcard multicast is not yet supported by the 1424 SHDSL
Router.
nssaTranslator This element indicates whether the router is an NSSA border router translator.
1424 SHDSL Router Chapter 12 941
User manual Status attributes
router1424/ip/router/ospf/routes
This attribute displays all detected routes in the OSPF network. All detected routes are transferred to the
routing table of this router as type OSPF.
The routes table contains the following elements:
Element Description
type This element displays the type of the network. Possible values are:
• direct. This value indicates a direct route. This is a route to a host connected
directly to the router.
• intra. This value indicates an intra-area route. This is a route with destinations
belonging to one of the router's attached areas.
• inter. This value indicates an inter-area route.This is a route with destinations in
other OSPF areas.
• extType1. This value indicates an external route of type 1.
• extType2. This value indicates an external route of type 2.
• reject. This value indicates a rejected route.
• static. This value indicates a static route.
• none. This value indicates a non-existing route.
gateway This element displays the IP address of the next interface on the path to the des-
tination network.
outgoingIp This element displays the IP address of the outgoing router interface.
router1424/ip/router/ospf/externalRoutes
This attribute displays all external routes which are injected into the OSPF network by this router.
The externalRoutes table contains following elements:
Element Description
gateway This element displays the IP address of the next interface on the path to the des-
tination network.
costType This element displays the type of cost of the external route. Possible values are:
• type1. The type of cost of the external route is type 1.
• type2. The type of cost of the external route is type 2.
tag This element displays the 32-bit field attached to each external route. This is not
used by the OSPF protocol itself. It is used to communicate information between
AS boundary routers.
advertise This element displays whether the router advertises the external route to the rest
of the OPSF network. Possible values are:
• yes. The router advertises the external route to the rest of the OPSF network.
• no. The router does not advertise the external route to the rest of the OPSF net-
work.
routeType This element displays how the external route is injected into OSPF. Possible val-
ues are:
• static. Static route configured by the user.
• rip. This route was learned through the rip protocol.
1424 SHDSL Router Chapter 12 943
User manual Status attributes
router1424/ip/router/ospf/asExtLsas
This attribute displays the database entries for all external routes in the OSPF network.
The asExtLsas table contains following elements:
Element Description
linkStateId This element displays the portion of the network that is being described by the
LSA. The contents of this field depend on the type of LSA.
advRouterId This element displays the router ID of the router that originated the LSA.
age This element displays the time in seconds since the LSA was originated.
sequenceNr This element displays the LS sequence number (successive instances of an LSA
are given successive LS sequence numbers).
options This element indicates if the advertising router supports optional OSPF capabili-
ties. Routers of differing capabilities can be mixed within an OSPF routing domain.
The options structure contains the following elements:
• floodExternal. Entire OSPF areas can be configured as "stubs". AS-external-
LSAs will not be flooded into stub areas. This capability is represented by the
element floodExternal.
• multicast. This element indicates whether IP multicast datagrams are forwarded.
• nssa. This element indicates whether the router supports nssa area‘s.
• externalAttributes. This element indicates the router's willingness to receive and
forward external LSAs.
• demandCircuit. This element indicates the router's handling of demand circuits.
• opaque. This element indicates if the router can handle opaque-LSAs.
netMask This element displays the IP address mask for the advertised destination.
costType This element displays the type of cost of the external route. Possible values are:
• type1. The type of cost of the external route is type 1.
• type2. The type of cost of the external route is type 2.
tag This element displays a 32-bit field attached to each external route. This is not
used by the OSPF protocol itself. It is used to communicate information between
AS boundary routers.
forwardAddress This element displays the address to which data traffic for the advertised destina-
tion is forwarded to.
944 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/ospf/area[ ]/interfaces
This attribute displays all interfaces available in the area. If an interface is part of more than one network,
the interface belongs to the network with the most significant subnet mask.
The interfaces table contains following elements:
Element Description
network This element displays the name of the sub network the interface is part of.
type This element displays the interface type. Possible values are:
• pointToPoint: The interface is a point-to-point interface.
• broadcast: The interface is a broadcast interface.
• virtualLink: The interface is a virtual link interface.
• loopback: The interface is a loopback interface.
dr This element displays the IP address of the Designated Router of the sub network.
backupDr This element displays the IP address of the Backup Designated Router.
adjNeighbors This element displays the amount of adjacent neighbors of the router.
router1424/ip/router/ospf/area[ ]/interfaces/status
The states are listed in order of progressing functionality. For example, the inoperative state is listed
first, followed by a list of intermediate states before the final, fully functional state is achieved.
Possible values are:
Value Description
down This is the initial interface state. No protocol traffic at all will be sent or received.
loopback The router's interface to the network is looped back. The interface will be unavail-
able for regular data traffic.
waiting The router is trying to determine the identity of the (Backup) Designated Router for
the network. To do this, the router monitors the Hello Packets it receives. The
router is not allowed to elect a Backup Designated Router nor a Designated Router
until it transitions out of Waiting state. This prevents unnecessary changes of
(Backup) Designated Router.
pointToPoint The interface is operational, and connects either to a physical point-to-point net-
work or to a virtual link. Upon entering this state, the router attempts to form an
adjacency with the neighbouring router. Hello Packets are sent to the neighbour
every helloInterval seconds.
backupDr The router itself is the Backup Designated Router on the attached network. It will
be promoted to Designated Router when the present Designated Router fails. The
router establishes adjacencies to all other routers attached to the network.
dr In this state, this router itself is the Designated Router on the attached network.
Adjacencies are established to all other routers attached to the network. The router
must also originate a network-LSA for the network node.
1424 SHDSL Router Chapter 12 947
User manual Status attributes
router1424/ip/router/ospf/area[ ]/hosts
Element Description
intfName This element displays the administrative name of the loop-back interface.
netMask This element displays the subnet mask of the loop-back interface.
network This element displays the administrative name of the network that the loop-back
interface is part of.
cost This element displays the cost of the loop-back interface link.
router1424/ip/router/ospf/area[ ]/neighbors
Element Description
interface This element displays the administrative name of the neighbouring interface.
routerId This element displays the unique sequence number for the router in the OSPF net-
work.
router1424/ip/router/ospf/area[ ]/neighbors/status
The states are listed in order of progressing functionality. For example, the inoperative state is listed
first, followed by a list of intermediate states before the final, fully functional state is achieved.
Possible values are:
Value Description
down This is the initial state of a neighbour conversation. It indicates that there has been
no recent information received from the neighbour.
attempt This state is only valid for neighbors attached to NBMA networks. It indicates that
no recent information has been received from the neighbour, but that a more con-
certed effort should be made to contact the neighbour. This is done by sending
the neighbour Hello packets at intervals of helloInterval
init An Hello packet has recently been seen from the neighbour. However, bidirec-
tional communication has not yet been established with the neighbour (i.e., the
router itself did not appear in the neighbour’s Hello packet). All neighbors in this
state (or higher) are listed in the Hello packets sent from the associated interface.
2way Communication between the two routers is bidirectional. This has been assured
by the operation of the Hello Protocol.
exchangeStart This is the first step in creating an adjacency between the two neighbouring rout-
ers. The goal of this step is to decide which router is the master. Neighbour con-
versations in this state or greater are called adjacencies.
exchange The router is describing its entire link state database by sending Database
Description packets to the neighbour. Link State Request Packets may also be
sent asking for the neighbour’s more recent LSAs.
loading Link State Request packets are sent to the neighbour asking for the more recent
LSAs that have been discovered (but not yet received) in the Exchange state.
fullAdjacency The neighbouring routers are fully adjacent. These adjacencies will now appear in
router-LSAs and network-LSAs.
1424 SHDSL Router Chapter 12 949
User manual Status attributes
router1424/ip/router/ospf/area[ ]/routers
Element Description
routerId This element displays the unique sequence number for the router in this OSPF
autonomous system.
gateway This element displays the IP address of the next interface on the path to reach this
router.
router1424/ip/router/ospf/area[ ]/routerLsas
Element Description
advRouterId This element displays the router ID of the router that originated the LSA.
age This element displays the time in seconds since the LSA was originated.
sequenceNr This element displays the LS sequence number (successive instances of an LSA
are given successive LS sequence numbers).
options This element indicates if the advertising router supports optional OSPF capabili-
ties. Routers of differing capabilities can be mixed within an OSPF routing domain.
The options structure contains following elements:
• floodExternal. Entire OSPF areas can be configured as "stubs". AS-external-
LSAs will not be flooded into stub areas. This capability is represented by the
element floodExternal.
• multicast. This element indicates whether IP multicast datagrams are forwarded.
• nssa. This element indicates whether the router supports nssa area‘s.
• externalAttributes. This element indicates the router's willingness to receive and
forward external LSAs.
• demandCircuit. This element indicates the router's handling of demand circuits.
• opaque. This element indicates if the router can handle opaque-LSAs.
routerType This element indicates the kind of router link being described. The routerType struc-
ture contains following elements:
• areaBorder. This element indicates a link to an ABR.
• asbr. This element indicates a link to an ASBR.
• virtualLink. This element indicates a virtual link.
• wildCardMulticast. This element indicates a multicast link.
linkNr This element displays the number of router links described in this LSA.
linkId This element identifies the object that this router link connects to. When connecting
to an object that also originates an LSA (i.e., another router or a transit network)
the Link ID is equal to the neighbouring LSAs Link State ID. This provides the key
for looking up the neighbouring LSA in the link state database during the routing
table calculation.
1424 SHDSL Router Chapter 12 951
User manual Status attributes
Element Description
linkType This element displays the type of the link. Possible values are:
• pointToPoint. The link is a point-to-point connection.
• transit. The link is a transit connection.
• stub. The link is a connection within a stub area.
• virtualLink. The link is a virtual link.
router1424/ip/router/ospf/area[ ]/networkLsas
Element Description
linkStateId This element displays the IP interface address of the Designated Router.
It displays the portion of the network that is being described by the LSA. The con-
tents of this field depend on the type of LSA.
AdvRouterId This element displays the router ID of the router that originated the LSA.
age This element displays the time in seconds since the LSA was originated.
sequenceNr This element displays the LS sequence number (successive instances of an LSA
are given successive LS sequence numbers).
options This element indicates if the advertising router supports optional OSPF capabili-
ties. Routers of differing capabilities can be mixed within an OSPF routing domain.
The options structure contains the following elements:
• floodExternal. Entire OSPF areas can be configured as "stubs". AS-external-
LSAs will not be flooded into stub areas. This capability is represented by the
element floodExternal.
• multicast. This element indicates whether IP multicast datagrams are forwarded.
• nssa. This element indicates whether the router supports nssa area‘s.
• externalAttributes. This element indicates the router's willingness to receive and
forward external LSAs.
• demandCircuit. This element indicates the router's handling of demand circuits.
• opaque. This element indicates if the router can handle opaque-LSAs.
netMask This element displays the IP address mask for the network.
linkNr This element displays the number of router links described in this LSA.
routerId This element displays the router IDs of each of the routers attached to the network.
Only those routers that are fully adjacent to the Designated Router are listed. The
Designated Router itself is included in this list.
1424 SHDSL Router Chapter 12 953
User manual Status attributes
router1424/ip/router/ospf/area[ ]/summLsas
This attribute displays the Summary-LSAs. Summary-LSAs are originated by area border routers and
describe inter-area destinations.
The summLsas table contains following elements:
Element Description
AdvRouterId This element displays the router ID of the router that originated the LSA.
age This element displays the time in seconds since the LSA was originated.
sequenceNr This element displays the LS sequence number (successive instances of an LSA
are given successive LS sequence numbers).
options This element indicates if the advertising router supports optional OSPF capabili-
ties. Routers of differing capabilities can be mixed within an OSPF routing domain.
The options structure contains the following elements:
• floodExternal. Entire OSPF areas can be configured as "stubs". AS-external-
LSAs will not be flooded into stub areas. This capability is represented by the
element floodExternal.
• multicast. This element indicates whether IP multicast datagrams are forwarded.
• nssa. This element indicates whether the router supports nssa area‘s.
• externalAttributes. This element indicates the router's willingness to receive and
forward external LSAs.
• demandCircuit. This element indicates the router's handling of demand circuits.
• opaque. This element indicates if the router can handle opaque-LSAs.
netMask This element displays the IP address mask for the destination network.
router1424/ip/router/ospf/area[ ]/asbrLsas
Element Description
linkStateId This element displays the portion of the network that is being described by the
LSA. The contents of this field depend on the type of LSA.
AdvRouterId This element displays the router ID of the router that originated the LSA.
age This element displays the time in seconds since the LSA was originated.
sequenceNr This element displays the LS sequence number (successive instances of an LSA
are given successive LS sequence numbers).
options This element indicates if the advertising router supports optional OSPF capabili-
ties. Routers of differing capabilities can be mixed within an OSPF routing domain.
The options structure contains the following elements:
• floodExternal. Entire OSPF areas can be configured as "stubs". AS-external-
LSAs will not be flooded into stub areas. This capability is represented by the
element floodExternal.
• multicast. This element indicates whether IP multicast datagrams are forwarded.
• nssa. This element indicates whether the router supports nssa area‘s.
• externalAttributes. This element indicates the router's willingness to receive and
forward external LSAs.
• demandCircuit. This element indicates the router's handling of demand circuits.
• opaque. This element indicates if the router can handle opaque-LSAs.
router1424/ip/router/ospf/area[ ]/nssaLsas
Element Description
linkStateId This element displays the portion of the network that is being described by the
LSA. The contents of this field depend on the type of LSA.
AdvRouterId This element displays the router ID of the router that originated the LSA.
age This element displays the time in seconds since the LSA was originated.
sequenceNr This element displays the LS sequence number (successive instances of an LSA
are given successive LS sequence numbers).
options This element indicates if the advertising router supports optional OSPF capabili-
ties. Routers of differing capabilities can be mixed within an OSPF routing domain.
The options structure contains the following elements:
• floodExternal. Entire OSPF areas can be configured as "stubs". AS-external-
LSAs will not be flooded into stub areas. This capability is represented by the
element floodExternal.
• multicast. This element indicates whether IP multicast datagrams are forwarded.
• nssa. This element indicates whether the router supports nssa area‘s.
• externalAttributes. This element indicates the router's willingness to receive and
forward external LSAs.
• demandCircuit. This element indicates the router's handling of demand circuits.
• opaque. This element indicates if the router can handle opaque-LSAs.
netMask This element displays the IP address mask for the advertised destination.
costType This element displays the type of cost of the external route. Possible values are:
• type1. The type of cost of the external route is type 1.
• type2. The type of cost of the external route is type 2.
tag This element displays a 32-bit field attached to each external route. This is not
used by the OSPF protocol itself. It is used to communicate information between
AS boundary routers.
forwardAddress This element displays the address to which data traffic for the advertised destina-
tion is forwarded to.
956 1424 SHDSL Router Chapter 12
User manual Status attributes
This section discusses the status attributes concerned with BGP. First it describes the general BGP sta-
tus attributes, followed by the ePeer, iPeer, routeFilter and routeMap status attributes.
As the BGP protocol encodes route networks in [prefix, length] format, all status information is displayed
in this internal BGP format:
• prefix: This is the IP address prefix.
• length: This is the length in bits of the IP address prefix. A length of zero indicates a prefix that
matches all IP addresses.
router1424/ip/router/bgp/networks
This attribute displays displays the configured networks in the internal BGP format.
The networks table contains the following elements:
Element Description
length This element displays the length in bits of the IP address prefix. A length of zero
indicates a prefix that matches all IP addresses.
router1424/ip/router/bgp/aggregates
This attribute displays displays the configured aggregates in the internal BGP format.
The aggregates table contains the following elements:
Element Description
prefix This element displays the IP address prefix of the configured aggregates.
length This element displays the length in bits of the IP address prefix of the configured
aggregates. A length of zero indicates a prefix that matches all IP addresses.
summaryOnly This element displays whether or not all advertisements of more-specific routes
from the updates are suppressed. Possible values are:
• enabled: Only the aggregate will be distributed.
• disabled: All advertisements of more-specific routes will be distributed.
asSet This element displays whether or not the aggregate route with the atomic aggre-
gate attribute present, is distributed. Possible values are:
• enabled: The path advertised for this route will consist of all elements contained
in all paths that are being summarized.
• disabled: The atomic aggregate attribute is not present in the distributed aggre-
gate route.
1424 SHDSL Router Chapter 12 959
User manual Status attributes
router1424/ip/router/bgp/rib
This attribute displays the routing information base, which shows the entries in the BGP routing table.
The rib table contains the following elements:
Element Description
length This element displays the length in bits of the IP address prefix. A length of zero
indicates a prefix that matches all IP addresses.
status This element displays the status of the BGP route. Possible values are:
• invalid. The route is not valid.
• valid. The route is a valid BGP route but another route for same the destination
is preferred.
• selected. The route is selected by the BGP route selection process.
• suppressed. The route falls into an aggregate range with flag summaryOnly ena-
bled and will not be forwarded.
type This element displays the properties of the BGP route. Possible values are:
• ibgp. The route is received through an iPeer.
• ebgp. The route is received through an ePeer.
• network. The route is imported locally through a network definition.
• aggregate. The route is distributed through an aggregate definition.
• local. The route is imported locally from the system routing table.
• static. The route is imported locally from the system routing table.
• rip. The route is imported locally from the system routing table.
• ospf. The route is imported locally from the system routing table.
• radius. The route is imported locally from the system routing table.
960 1424 SHDSL Router Chapter 12
User manual Status attributes
Element Description
attributes This element displays the values of the different attributes as defined in the BGP
protocol. There is however one exception: weight, which is a parameter local to
each router. The attributes structure contains following elements:
• nextHop. This is the IP address of the router that should be used as the next hop
of the prefix destination.
• weight. This is the local weight of the route as set on the incoming peer or
through routeMaps. Routes learned through another BGP peer have a default
weight of zero, and routes sourced by the local router have a default weight of
32768.
• localPref. This is the degree of preference when advertising a route to its internal
peers.
• asPath. This element identifies the autonomous systems through which the rout-
ing information in this update message has passed.
• origin. This element is generated by the BGP speaker that originates the asso-
ciated routing information. Possible values are: igp, egp, incomplete.
• med. This is the metric used by the BGP decision process.
• atomicAggr. This element indicates whether or not the atomicAggregate attribute is
included in the aggregated route. Possible values are: yes or no.
If an aggregate is configured with the asSet flag disabled, dropping the asSet
path which is normally formed by combining the different paths of the aggre-
gated routes, the atomicAggregate attribute should be included in the aggregated
route.
• aggregator. The aggregator structure contains the AS number and IP address of
the BGP speaker that formed the aggregate route.
• unknownTrans. This element is a binary representation of transitive attributes
which are not recognized by this BGP speaker, but which should be passed
along to other BGP peers.
1424 SHDSL Router Chapter 12 961
User manual Status attributes
router1424/ip/router/bgp/peers
This attribute gives an overview of the created iPeers and ePeers. The peers table contains following ele-
ments:
Element Description
type This element displays the type of peer. Possible values are:
• ibgp. The peer is an internal peer.
• ebgp.The peer is an external peer.
remote This structure displays BGP information about the remote speaker. The remote
structure contains following elements:
• address. This is the IP address of the remote speaker.
• asNr. This is the number of the Autonomous System the remote speaker is part
of.
• id. This is the router ID that identifies the remote speaker within the BGP sys-
tem.
status This element displays the status of the peer. Possible values are:
• shutdown. The peer is shut down by a user action and will not try to make a con-
nection again.
• idle, connect, active, openSent, openConfirm, established. These are states of the BGP
peer state machine when trying to make a connection.
upTime This element displays the period during which this peer has reached the estab-
lished state.
warning This element displays messages informing the user if a restart or softReset action is
required to have a consistent RIB (routing information base) table due to certain
reconfigurations, e.g. routeFilter or routeMap reconfigurations.
962 1424 SHDSL Router Chapter 12
User manual Status attributes
The attributes above all refer to the ePeer object. The attributes of the iPeer object are identical.
1424 SHDSL Router Chapter 12 963
User manual Status attributes
router1424/ip/router/bgp/ePeer[ ]/status
This attribute displays the status of the external peer. Possible values are: shutDown, idle, connect, active,
openSent, openConfirm, established.
router1424/ip/router/bgp/ePeer[ ]/upTime
This attribute displays the period during which this peer has reached the established state.
router1424/ip/router/bgp/ePeer[ ]/remote
This attribute displays BGP information of the remote speaker. The remote structure contains following
elements:
• asNr. This element shows the number of the Autonomous System the remote speaker is part of.
• id. This element shows the router ID that identifies the remote speaker withing the BGP system.
router1424/ip/router/bgp/ePeer[ ]/timers
This attribute displays timer values, resulting from the negotiation between the peer neighbors. The timers
structure contains following elements:
• keepAlive: This element displays the value of the keepAlive interval.
• holdTime: the holdTime is the smallest of its configured holdTime and the holdTime received in the open
message from the neighbor. The holdTime must be either zero or at least three seconds. If the nego-
tiated holdTime interval is zero, periodic keep alive messages must not be sent.
964 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/bgp/ePeer[ ]/adjSoftIn
This attribute displays the unfiltered, unmodified incoming updates from this neighbor when softReconfig
is enabled. They are stored separately and displayed in this table.
This attribute contains the elements prefix, length and attributes. For a detailed explanation, refer to
router1424/ip/router/bgp/rib on page 959.
router1424/ip/router/bgp/ePeer[ ]/adjRibIn
This attribute displays the entries in the rib table of the BGP router object which are received through
this peer after filtering and routeMapping.
This attribute contains the elements prefix, length, status, type and attributes. For a detailed explanation, refer
to router1424/ip/router/bgp/rib on page 959.
router1424/ip/router/bgp/ePeer[ ]/adjRibOut
This attribute displays the entries in the rib table of the BGP router object which are sent out through this
peer in update packets, after applying the outbound routeFilters and routeMaps on this peer.
This attribute contains the elements prefix, length and attributes. For a detailed explanation, refer to
router1424/ip/router/bgp/rib on page 959.
1424 SHDSL Router Chapter 12 965
User manual Status attributes
router1424/ip/router/bgp/ePeer[ ]/warning
This attribute displays a message informing the user if a restart or softReset action is required to have a
consistent RIB table due to certain reconfigurations, e.g. routeFilter or routeMap reconfigurations
router1424/ip/router/bgp/ePeers[ ]/shutDown
router1424/ip/router/bgp/ePeer[ ]/restart
Use this action to execute a full restart of the peer, bringing down the TCP connection, and start from
zero.
router1424/ip/router/bgp/ePeer[ ]/softReset
Value Description
both Use this value to execute both an inbound and outbound softReset.
966 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/bgp/routeFilter[ ]/users
This attribute displays a list of all BGP entities which refer to and use this routeFilter object.
The users table contains following elements:
Element Description
type This element shows the object type which is refering to this routeFilter object. Pos-
sible values are:
• iPeer. An internal peer is refering to this routeFilter object.
• ePeer. An external peer is refering to this routeFilter object.
• routeMap. A route map is refering to this routeFilter object.
name This element shows the instance name of the iPeer, ePeer or routeMap object which
is refering to this routeFilter object.
mode In case of an internal or external peer, this element shows whether the route filter
is applied as an inbound or outbound filter. Possible values are: inBound and out-
Bound.
968 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/bgp/routeMap[ ]/users
This attribute displays a list of all BGP entities which refer to and use this routeMap object.
The users table contains following elements:
Element Description
type This element shows the object type which is refering to this routeMap object. Possi-
ble values are:
• iPeer. An internal peer is refering to this routeMap object.
• ePeer. An external peer is refering to this routeMap object.
• bgp. The bgp router object is refering to this routeMap object.
name This element shows the instance name of the iPeer or ePeer object which is refering
to this routeMap object.
router1424/ip/router/vrrp[ ]/macAddress
This attribute displays the for VRRP reserved MAC address. The first 5 bytes are fixed (00:00:5e:00:01).
The last byte is the virtual router ID.
router1424/ip/router/vrrp[ ]/interfaces
This attribute displays the status of the virtual router its interfaces.
The interfaces table contains the following elements:
Element Description
status This element displays the interface status. Possible values are:
• initial: The virtual router interface is in an initial state (e.g. during the master/
backup election process).
• master: The virtual router interface is elected master after the master/backup
election process.
• backup: The virtual router interface is elected backup after the master/backup
election process.
• inactive: The virtual router interface is inactive (e.g. because VRRP is not active).
router1424/ip/router/vrrp[ ]/criticals
This attribute displays the status of the virtual router interfaces that you defined as critical (refer to criticals
on page 741).
The criticals table contains the following elements:
Element Description
status This element displays the operational status (e.g. up, down, etc.) of the critical
interface.
972 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/firewall/sessions
This attribute displays the status of the sessions that are currently going through the firewall.
The sessions table contains the following elements:
Element Description
sNet This element displays the name of the source SNet. I.e. the SNet in which the orig-
inator of the session is located.
policyDirection This element displays the direction of the policy that applies on the session. Pos-
sible values are: inbound or outbound.
protocol This element displays the protocol that is used. Possible values are: icmp, tcp, udp,
esp, ah, other.
bytesTransferred This element displays the number of bytes transferred in this session.
natIp This element displays the IP address of the NAT gateway (if NAT is enabled for
this session).
name This element displays the name of the policy that applies on the session.
router1424/ip/router/firewall/reverseSessions
This attribute displays the status of the reverse sessions that are currently going through the firewall.
You do not have to set up policies to allow the reverse session (i.e. the return path) of a session that was
initiated. These reverse sessions are set up and allowed automatically.
For example, if you define an outbound policy from the corporate network to the Internet to allow web
browsing (HTTP) and if a HTTP session from the corporate network to the Internet is set up, then a
reverse session from the Internet to the corporate network is set up and allowed automatically.
The reverseSessions table contains the same elements as the sessions table. Refer to router1424/ip/router/fire-
wall/sessions on page 973.
974 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/ip/router/firewall/log
Element Description
date This element displays the date and time the event was logged.
sysUpTime This element displays the system-up time at the moment the event was logged.
priority This element displays the priority of the event. Possible values are: debug, info,
notice, warning, error, critical, alert, emergency.
protocol This element displays the protocol that is used. Possible values are: icmp, tcp, udp,
esp, ah, other.
router1424/ip/router/firewall/sNet
This attribute displays the SNets that are available (standard and custom). However, it says nothing
about which SNets are actually in use (i.e. assigned to an interface).
router1424/ip/router/firewall/clearLog
router1424/ip/vrfRouter[ ]
These attributes have already been described in 12.9.11 - Virtual Routing and Forwarding (VRF) status
attirbutes on page 975. Refer to this section for more information.
router1424/ip/vrfRouter[ ]/ospf
• type
• routes
• externalRoutes
• asExtLsas
• snmpIndex
These attributes have already been described in 12.9.7 - OSPF status attributes on page 938. Refer to
this section for more information.
router1424/ip/vrfRouter[ ]/routingFilter[ ]
• snmpIndex
976 1424 SHDSL Router Chapter 12
User manual Status attributes
This section discusses the status attributes concerned with bridging. First it describes the general bridg-
ing status attributes. Then it explains the status attributes of the extra feature, access listing.
The following gives an overview of this section:
• 12.10.1 - Bridge group status attributes on page 977
• 12.10.2 - Bridge access list status attributes on page 986
• 12.10.3 - VLAN group status attributes on page 988
1424 SHDSL Router Chapter 12 977
User manual Status attributes
router1424/bridge/bridgeGroup/
ifDescr
ifType
ifOperStatus
This attribute displays the current operational status of the bridge group.
ifMtu
This attribute displays the interface its Maximum Transfer Unit, i.e. the maximum number of bytes that
one packet can contain on this interface.
Refer to ifMtu on page 832 for more information.
ip
Element Description
address This is the IP address of the bridge. It is either configured or retrieved automati-
cally.
netMask This is the IP subnet mask of the interface. It is either configured or retrieved auto-
matically.
secondaryIp This is the secondary IP address that has been configured on the bridge group.
The secondaryIp table contains following elements:
• address. This is the secondary IP address.
• netMask. This is the secondary IP subnet mask.
macAddress
arpCache
This attribute displays all the MAC address - IP address pairs from ARP requests and replies received
on the LAN interface. Refer to What is the ARP cache? on page 512 for more information.
The arpCache table contains the following elements:
Element Description
type This is the ARP cache entry type. Possible values are:
• dynamic. The MAC - IP address pair is retrieved from an ARP request or reply
message.
• static. The MAC - IP address pair is configured.
There is only one static entry, i.e. the 1424 SHDSL Router its own IP and MAC
address.
timeOut This is the time the entry will remain in the ARP cache. For the static entry, this
value is 0.
980 1424 SHDSL Router Chapter 12
User manual Status attributes
bridgeCache
When a port of the bridge enters the learning state, it stores the MAC addresses of the stations situated
on the network that is connected to this port. The MAC addresses are stored in a MAC address database
or bridge cache. The bridgeCache attribute visualises this address database. Refer to What is the bridge
cache? on page 775 for more information.
The bridgeCache table contains the following elements:
Element Description
interface This is the interface through which the station can be reached.
macAddress This is the MAC address of the station situated on the network connected to the
interface.
vlanId If the station belongs to a VLAN, then this element displays the VLAN ID.
filterId This is the ID that identifies the VLAN group the VLAN belongs to.
type This displays whether the MAC address entry is static or dynamic:
• dynamic. The corresponding MAC address is learned on one of the interfaces.
• static. There are only two static entries:
- the 1424 SHDSL Router its own MAC address.
- a MAC address used for Spanning Tree.
age This is the elapsed time since a frame was received from the station.
Example
bridging
The bridging attributes or elements in the individual interface objects display the bridging information for
that particular interface. This bridging attribute, however, displays the bridging information of all the
(bridged) interfaces of the 1424 SHDSL Router.
The bridging structure contains the following elements:
Element Description
state This element displays the current state of the port. Possible values are:
• discarding1. The port does not participate in frame forwarding.
• learning. The port prepares to participate in frame forwarding, and it learns the
present MAC addresses.
• forwarding1. The port participates in frame forwarding.
Refer to 8.1.6 - The Spanning Tree bridge port states on page 306 for more infor-
mation on port states2.
cacheSize This attribute displays the actual number of dynamically learned MAC addresses
in the bridge cache, i.e. the current size of the bridge cache.
maxCacheSize This element displays the maximum allowed number of dynamically learned MAC
addresses in the bridge cache. If it is 0, this means this number is unlimited.
vlanMembership This element displays to which VLAN ‘s a bridging interface belongs to. Possible
values are:
• all. The bridging interface belongs to all VLAN ‘s.
• none. The bridging interface does not belong to any VLAN.
• grouped. The membership is based on the defined VLAN groups.
spanningTree This element has already been described in the context of the LAN interface. Refer
to the spanningTree element in bridging on page 835 for detailed information.
1. These are the only possible port states for a bridge that is not running the Spanning Tree pro-
tocol (IEEE p802.1D).
2. Only relevant when the bridge uses the Spanning Tree Protocol.
982 1424 SHDSL Router Chapter 12
User manual Status attributes
vlan
Element Description
name This is the name of the VLAN as you configured it. If you did not configure a name,
then this element displays: <LAN interface name> “vlan” <VLAN ID>.
E.g. lan vlan 2
ifLastChange This is the system-up time on the moment the VLAN entered its current operational
state. I.e. the moment the value of the ifOperStatus element changes (from up to down
or vice versa), the system-up time value is written into the ifLastChange element.
spanningTree
This attribute gives you the Spanning Tree status information of the bridge group.
The spanningTree structure contains the following elements:
Element Description
bridgePriority Together, these two attributes form the unique bridge identifier of this bridge.
bridgeMacAddress
bridgeTimes The bridgeTimes element displays some timing information with regard to spanning
tree.
The bridgeTimes structure contains the following elements:
• messageAge. This is the actual age of stored configuration information.
• maxAge. This is the time-out value to be used by all bridges in the bridged LAN
for discarding bridging information. The maxAge element displays the value as it
is set by the root bridge. This information is conveyed by the root bridge to
ensure that each bridge in the bridged LAN has a consistent value against
which to test the age of stored configuration information.
• forwardDelay. This is the time-out value to be used by all bridges in the bridged
LAN …
- before a bridge port moves from listening state to learning state or from
learning state to forwarding state.
- for purging MAC addresses from the bridge cache in case a topology
change is detected (time-out or ageing).
The forwardDelay element displays the value as it is set by the root bridge. This
information is conveyed by the root bridge to ensure that each bridge in the
bridged LAN has a consistent value for the forward delay timer.
• nrHops. This is the number of hops the configuration information has traversed.
rootPortId This is the port identifier of the port that offers the lowest cost path to the root.
If two or more ports offer equal least cost paths to the root bridge, then the root port
is selected to be that with the highest designatedPriority (i.e. the lowest numerical
value).
If two or more ports offer equal least cost paths to the root bridge and the same
designatedPriority, then the root port is selected to be that with the highest
designatedPortPriority (i.e. the lowest numerical value).
984 1424 SHDSL Router Chapter 12
User manual Status attributes
Element Description
extRootPathCost This is the cost of the path from this bridge to the root bridge.
If this bridge is the root bridge, the rootPathCost value equals 0. Else, the extRootPath-
Cost value equals the sum of …
• the path cost as it is up to the designated bridge for the LAN that is currently
connected to this port (this cost is transmitted in Configuration BPDUs by the
designated bridge)
and
The total cost of the path to the root bridge should not exceed 65500.
intRootPathCost This is the cost of the path from this bridge to the regional root in MSTP.
bridgeCacheSize
Element Description
size This attribute displays the actual number of dynamically learned MAC addresses
in the bridge cache, i.e. the current size of the bridge cache.
maxSize This attribute displays the maximum allowed number of dynamically learned MAC
addresses in the bridge cache.
clearArpCache
clearBridgeCache
restart
router1424/bridge/accessList[ ]/snmpIndex
This attribute displays the snmpIndex, which is a unique number, assigned to each object in the contain-
ment tree. Refer to 5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more infor-
mation.
988 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/bridge/bridgeGroup/vlanGroup[ ]
snmpIndex
This attribute displays the snmpIndex, which is a unique number, assigned to each object in the contain-
ment tree. Refer to 5.3.7 - Introducing attributes snmpIndex and snmpIndexOffset on page 74 for more infor-
mation.
vlanMembers
This attribute displays the VLAN’s which are part of the VLAN group, by means of their vlanId.
bridgeCache
When a port of the bridge enters the learning state, it stores the MAC addresses of the stations situated
on the network that is connected to this port. The MAC addresses are stored in a MAC address database
or bridge cache. The bridgeCache attribute visualises this address database. Refer to What is the bridge
cache? on page 775 for more information.
Here, in the context of a VLAN group, this means that each VLAN group has its own bridge cache, i.e.
the learned MAC addresses within one VLAN group are shared among the members of that VLAN group.
Refer to 8.3 - Configuring VLANs on page 325 for more information about VLAN groups.
The bridgeCache table contains the following elements:
Element Description
interface This is the interface through which the station can be reached.
macAddress This is the MAC address of the station situated on the network connected to the
interface.
vlanId If the station belongs to a VLAN, then this element displays the VLAN ID.
type This displays whether the MAC address entry is static or dynamic:
• dynamic. The corresponding MAC address is learned on one of the interfaces.
• static. There are only two static entries:
- the 1424 SHDSL Router its own MAC address.
- a MAC address used for Spanning Tree.
age This is the elapsed time since a frame was received from the station.
990 1424 SHDSL Router Chapter 12
User manual Status attributes
ports
This attribute displays the ports that are part of the VLAN group.
The ports table contains the following elements:
Element Description
portRole This is the role of the interface within the Spanning Tree domain.
portId This the unique port identifier. It is a combination of MAC address and priority of
the port. This assures the uniqueness of the unique port identifier among the ports
of a single bridge.
priority This is the priority of the interface, as configured in the bridging interface, or as
configured using the ports configuration attribute of the VLAN group. Refer to 8.2.6
- Explaining the bridging structure on page 318 and 11.10.3 - VLAN group configu-
ration attributes on page 793 respectively.
internalPathCost This is the path cost of the interface for MSTP as configured in the bridging inter-
face, or as configured using the ports configuration attribute of the VLAN group.
Refer to 8.2.6 - Explaining the bridging structure on page 318 and 11.10.3 - VLAN
group configuration attributes on page 793 respectively.
intRootPathCost This is the cost to the MST Regional Root Bridge for this region.
designatedBridgeId This is the ID of the designated bridge. It consists of the priority and macAddress.
mst
This attribute displays specific MSTP (Multiple Spanning Tree Protocol) information.
The mst structure contains the following elements:
Element Description
bridgePriority This is the priority of the VLAN group for Multiple Spanning Tree or MST, as con-
figured.
bridgeMacAddress This is the MAC address associated with the bridge group.
maxHops This is the maximum number of hops that the MSTconfiguration information may
traverse before being discarded.
regionalRootId This is the ID of the MST Regional Root Bridge for this region. It consists of the
priority and macAddress.
intRootPathCost This is the cost to the MST Regional Root Bridge for this region.
1424 SHDSL Router Chapter 12 991
User manual Status attributes
router1424/snmp/trapDestinations
This attribute displays status information about the management system the SNMP traps are sent to.
The trapDestinations table contains the following elements:
Element Description
address This element displays the IP address of the management station to which the
SNMP traps are sent.
state This element displays the state of the traps that are sent. Possible values are:
• ok. The traps are sent succesfully.
• badSource. A bad source IP address is being used.
• duplicateIpAddress. A duplicate destination IP address is being used.
router1424/snmp/engineId
router1424/management/
router1424/management/loopback
router1424/management/usrLoopback[ ]
The management/usrLoopback[ ] object must be added manually, and contains the same status attributes as
the management/loopback object.
994 1424 SHDSL Router Chapter 12
User manual Status attributes
cms2Address
This attribute displays the absolute device address as you configured it.
logStats
This attribute displays the statistics files that have been logged on the file system of the device.
The logStats table contains the following elements:
Element Description
fileName This is the full name of the file as it it stored on the file system of the device. The
following figure explains the composition of the file name by means of an example:
• The first part of the file name is the fileName as configured in the logStatsToFile
configuration attribute.
• The second part of the file name is added automatically, depending on the set-
ting of the fileType configuration attribute.
In the example above:
- the first 4 files are month files, showing the data of exactly one month: the
year and month are mentioned in the file name.
- the last three are week files, showing the data of exactly one week: the year
and week number are mentioned in the file name.
error This element displays a message relating to the actual logging of the files. If there
are no problems, the message NOERROR is displayed.
1424 SHDSL Router Chapter 12 995
User manual Status attributes
timeServer
Element Description
state This is the state of the 1424 SHDSL Router its clock. Possible values are:
• notConfigured. The 1424 SHDSL Router is not configured for SNTP.
• notSynchronised. The 1424 SHDSL Router its clock is not synchronised with the
time server.
• synchronised. The 1424 SHDSL Router its clock is synchronised with the time
server.
connection This is the state of the connection with the time server. Possible values are:
• notConfigured. The 1424 SHDSL Router is not configured for SNTP.
• notSynchronised. The connection with the time server is not synchronised.
• synchronised. The connection with the time server is synchronised.
• noContact. The connection with the time server is lost.
stratum This is the stratum level of the time server its reference clock. Possible values are:
• 0: unspecified or unavailable
• 1: primary reference (e.g. radio clock)
• 2 - 15: secondary reference (via SNTP)
delay This is the total roundtrip delay of the time server with its reference clock.
996 1424 SHDSL Router Chapter 12
User manual Status attributes
alarmLog
This attribute displays the alarm log. It displays the 32 most recent alarms that occurred on the 1424
SHDSL Router.
The alarmLog table contains the following elements:
Element Description
timeStamp This is the value of the real time clock at the moment the alarm was generated.
sysUpTime This is the system up-time of the 1424 SHDSL Router at the moment the alarm
was generated.
totalAlarmLevel This is the total alarm level of the 1424 SHDSL Router.
alarm This is the alarm itself in the format path.alarmName on|off (e.g. router1424/lanInter-
face.linkDown on).
1424 SHDSL Router Chapter 12 997
User manual Status attributes
accessLog
This attribute displays the access log. It displays the 32 most recent login events that occurred on the
1424 SHDSL Router.
The accessLog table contains the following elements:
Element Description
timeStamp This element displays the value of the real time clock at the moment the access
event occurred.
sysUpTime This element displays the system up-time of the 1424 SHDSL Router at the
moment the access event occurred.
type This element displays the type of access event. Possible values are:
• login. A successful login was detected.
• loginFailure. A failed login was detected.
• accessFailureOn. The number of failed logins exceeded the access failure thresh-
old within the access failure period. Refer to accessControl on page 809.
• accessFailureOff. After an accessFailureOn event was logged, the number of failed
logins dropped below the access failure threshold within the access failure
period. Refer to accessControl on page 809.
user This element displays the name of the user who caused the access event. If you
entered a …
• password string only in the password element of the security table, then the user
element displays nothing.
• user/password string in the password element of the security table (of the type
"username:password"), then the user element displays the username part of
the user/password string. Also see security on page 505.
application This element displays the type of application that caused the access event. Possi-
ble values are:
• cms2. The access event is caused by any maintenance application. For exam-
ple, TMA, TMA CLI, CLI or ATWIN (via a Telnet or terminal session), WebInter-
face, etc.
• ftp. The access event is caused by FTP.
• fileSystem. The access event is caused by any maintenance application access-
ing the file system. For example, FTP, TFTP, TML, etc. when downloading
firmware.
• snmp. The access event is caused by SNMP. Note that since SNMP is not ses-
sion oriented, each successful SNMP request would result in an access event.
So an SNMP walk would result in thousands of access events being logged.
Therefore, in case of SNMP, only the failed requests are logged.
• proxy. The access event is caused by any maintenance application accessing a
CMS device through the 1424 SHDSL Router (i.e. the 1424 SHDSL Router acts
as proxy). This since the password of the 1424 SHDSL Router is used to control
the access to the CMS devices.
accessRights This element displays the access rights that are associated with the access event.
998 1424 SHDSL Router Chapter 12
User manual Status attributes
Note that some applications may cause more than one access event. For example, suppose you access
the 1424 SHDSL Router with FTP and download a file to the file system. In that case two events are
logged in the accessLog table:
1. One event logging the access of the FTP application to the 1424 SHDSL Router.
2. One event logging the access of the FTP application to the file system when downloading the file.
1424 SHDSL Router Chapter 12 999
User manual Status attributes
ifDescr
ifType
ifOperStatus
This attribute displays the current operational status of the loopback interface.
ifMtu
This attribute displays the interface its Maximum Transfer Unit, i.e. the maximum number of bytes that
one packet can contain on this interface.
Refer to ifMtu on page 832 for more information.
ipAddress
This attribute displays the IP address of the loopback interface as you configured it.
mask
This attribute displays the subnet mask of the loopback interface as you configured it.
1000 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/fileSystem/fileList
Part of the flash memory of the 1424 SHDSL Router is organised as a file system and a number of files
are stored in it. The fileList attribute shows all the files that are present on the file system. Usually, the
following files are present:
• The configuration file of the 1424 SHDSL Router (file config1.db).
• Up to two application software files of the 1424 SHDSL Router (files CONTROL1 and CONTROL 2).
Element Description
name This is the filename. Maximum length of the filename is 24 characters. All charac-
ters are allowed (including spaces). The filename is case sensitive.
router1424/fileSystem/freeSpace
This attribute displays the number of free bytes on the file system.
router1424/fileSystem/status
This attribute displays the status of the file system. Possible values are:
Value Description
formatting The file system is being formatted. This can be triggered when the file system is
found to be corrupt at boot.
corrupt The file system is in a state were no guarantee can be given about the correct
operation of the file system. The file system will be formatted at the following boot.
router1424/fileSystem/corruptBlocks
The file system of the 1424 SHDSL Router consists of several blocks. When a block can not be erased,
the corruptBlocks count is incremented. This block can no longer be used to store data.
1002 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/fileSystem/trustedCertificates
This attribute displays the trusted certificates that are currently loaded.
The trustedCertificates table contains the following elements:
Element Description
name This element displays the certificate name. Possible values are: ca-0, ca-1, ca-2.
subject This element displays the subject information of the certificate. In case of a trusted
certificate this is information of the CA.
router1424/fileSystem/selfCertificates
This attribute displays the signed self-certificates that are currently loaded.
The selfCertificates table contains the following elements:
Element Description
name This element displays the certificate name. In this case, this is the same string as
entered in the privateKeyName element of the loadSelfCert action.
subject This element displays subject information of the certificate. In case of a self-certif-
icate this is information of the device (e.g. the IP address).
1424 SHDSL Router Chapter 12 1003
User manual Status attributes
router1424/fileSystem/Delete File
Use this action to remove obsolete files from the file system. You have to enter the filename you want to
delete as argument value.
router1424/fileSystem/Rename File
Use this action to rename a file on the file system. You have to enter the old and new filename in a struc-
ture.
router1424/fileSystem/loadTrustedCertificate
This action is used in the procedure where security certificates are obtained and loaded manually in
order to set up an L2TP tunnel secured with IPSEC using an IKE certificate SA. Refer to 9.6.7 - Setting
up an IPSEC secured L2TP tunnel using a manual SA on page 421.
Use this action to load the trusted certificate you obtained from your Certificate Authority (CA) into the
memory of the 1424 SHDSL Router. Enter the filename of the trusted certificate as argument value and
execute the action.
• The trusted certificate file has to be present on the file system of the 1424 SHDSL Router.
• The filename is case sensitive.
• The saveCertificats action has to be executed after the loadTrustedCertificate action so that the trusted cer-
tificate is also loaded every time the 1424 SHDSL Router reboots.
1004 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/fileSystem/generateSelfCertificateRequest
This action is used in the procedure where security certificates are obtained and loaded manually in
order to set up an L2TP tunnel secured with IPSEC using an IKE certificate SA. Refer to 9.6.7 - Setting
up an IPSEC secured L2TP tunnel using a manual SA on page 421.
Use this action to create a request for a signed self-certificate. Then this request has to be submitted to
your Certificate Authority (CA) which signs it and returns a signed self-certificate. Fill in the elements in
the argument value structure and execute the action.
The argument value structure of the generateCertReq action contains the following elements:
Element Description
fileName Use this element to specify the name of the self-certif- Default:<empty>
icate request file. Range: 0 … 24 characters
After you filled in all the elements and executed the generateCertReq action, a file is
written to the file system of the 1424 SHDSL Router. The name of this file is the
name you specified using the fileName element.
subject Use this element to specify the subject. It can contain Default:<empty>
following elements: Range: 0 … 24 characters
• CN. This is the subject name.
• OU. This is the department name.
• O. This is the name of the organisation or company.
• L. This is the city where you are located.
• S. This is the state or province where you are located.
• C. This is the country where you are located.
These elements are official abbreviations, and can also be found in the certificate
itself. They can be verified by the remote device.
privateKeyName Use this element to specify the name of the private Default:<empty>
key. Range: 0 … 8 characters
Remember the private key name. You need it to load the associated signed self-
certificate into the memory of the 1424 SHDSL Router. Refer to router1424/fileSystem/
loadSelfCertificate on page 1006.
ipAddress Use this element to specify the IP address that will be Default:0.0.0.0
used in the self-certificate. This is then used for Range: up to 255.255.255.255
authentication purposes.
hostname Use this element to specify the hostname that will be Default:<empty>
used in the self-certificate. This is then used for Range: 0 … 32 characters
authentication purposes.
The hostname has to be of the form “host.domain.com”.
1424 SHDSL Router Chapter 12 1005
User manual Status attributes
Element Description
user Use this element to specify the username that will be Default:<empty>
used in the self-certificate. This is then used for Range: 0 … 32 characters
authentication purposes.
The username has to be of the form “my.name@company.com”.
keyLength Use this element to specify the length of the public/pri- Default:512
vate keys. Note that the longer the key length, the Range: 512 / 1024 / 2048
longer it takes to generate the keys.
It is important to note that at least one of the three following elements may not be left empty: ipAddress,
hostname and/or username. This information is written in the Subject Alternative Name field of the certificate
itself.
1006 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/fileSystem/loadSelfCertificate
This action is used in the procedure where security certificates are obtained and loaded manually in
order to set up an L2TP tunnel secured with IPSEC using an IKE certificate SA. Refer to 9.6.7 - Setting
up an IPSEC secured L2TP tunnel using a manual SA on page 421.
Use this action to load the signed self-certificate you first submitted and then retrieved from your Certif-
icate Authority (CA) into the memory of the 1424 SHDSL Router. Fill in the elements in the argument
value structure and execute the action.
The argument value structure of the loadSelfCert action contains the following elements:
Element Description
fileName Use this element to specify the name of the signed Default:<empty>
self-certificate file. Range: 0 … 24 characters
privateKeyName Use this element to specify the name of the private Default:<empty>
key. Range: 0 … 8 characters
This has to be exact the same name as you specified in the privateKeyName element
of the generateCertReq action. Refer to router1424/fileSystem/generateSelfCertificateRequest
on page 1004.
• The signed self-certificate file has to be present on the file system of the 1424 SHDSL Router.
• The filename is case sensitive.
• The saveCerts action has to be executed after the loadSelfCert action so that the signed self-certificate
is also loaded every time the 1424 SHDSL Router reboots.
1424 SHDSL Router Chapter 12 1007
User manual Status attributes
router1424/fileSystem/getTrustedCertificateScep
This action is used in the procedure where security certificates are obtained and loaded through SCEP
in order to set up an L2TP tunnel secured with IPSEC using an IKE certificate SA. Refer to 9.6.7 - Setting
up an IPSEC secured L2TP tunnel using a manual SA on page 421.
Use this action to obtain and load the trusted certificate from a SCEP server. Fill in the elements in the
argument value structure and execute the action.
The argument value structure of the getTrustedCertScep action contains the following elements:
Element Description
url Use this element to specify the URL to which the Default:<empty>
SCEP requests have to be submitted. Range: 0 … 40 characters
Together with the server element this makes up the complete path to which the
SCEP requests are submitted. Consult the manual of your SCEP server to find out
which URL you have to specify.
Example
Suppose you set the server element to 172.31.127.6 and the url element to certsrv/
mscep/mscep.dll, then the SCEP requests are submitted to http://172.31.127.6/certsrv/
mscep/mscep.dll.
caName Use this element to set the name of the CA. Default:<empty>
This element is more for information purposes. It may Range: 0 … 20 characters
be omitted.
port Use this element to set the port on which the SCEP Default:<opt>
requests are sent. By default, this is port 80. Range: 1 … 65535
The saveCerts action has to be executed after the getTrustedCertScep action so that the trusted certificate is
also loaded every time the 1424 SHDSL Router reboots.
1008 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/fileSystem/getSelfCertificateScep
This action is used in the procedure where security certificates are obtained and loaded through SCEP
in order to set up an L2TP tunnel secured with IPSEC using an IKE certificate SA. Refer to 9.6.7 - Setting
up an IPSEC secured L2TP tunnel using a manual SA on page 421.
Use this action to obtain and load the self-certificate from a SCEP server. Fill in the elements in the argu-
ment value structure and execute the action.
The argument value structure of the getSelfCertScep action contains the following elements:
Element Description
url Use this element to specify the URL to which the Default:<empty>
SCEP requests have to be submitted. Range: 0 … 40 characters
Together with the server element this makes up the complete path to which the
SCEP requests are submitted.
Example
Suppose you set the server element to 172.31.127.6 and the url element to certsrv/
mscep/mscep.dll, then the SCEP requests are submitted to http://172.31.127.6/certsrv/
mscep/mscep.dll.
subject Use this element to specify the subject. Refer to the Default:<empty>
explanation of the subject field in router1424/fileSystem/ Range: 0 … 20 characters
generateSelfCertificateRequest on page 1004 for more infor-
mation.
privateKeyName Use this element to specify the name of the private Default:<empty>
key. Range: 0 … 8 characters
ipAddress Use this element to specify the IP address that will be Default:0.0.0.0
used in the self-certificate. This is then used for Range: up to 255.255.255.255
authentication purposes.
1424 SHDSL Router Chapter 12 1009
User manual Status attributes
Element Description
hostname Use this element to specify the hostname that will be Default:<empty>
used in the self-certificate. This is then used for Range: 0 … 32 characters
authentication purposes.
The hostname has to be of the form “host.domain.com”.
user Use this element to specify the username that will be Default:<empty>
used in the self-certificate. This is then used for Range: 0 … 32 characters
authentication purposes.
The username has to be of the form “my.name@company.com”.
port Use this element to set the port on which the SCEP Default:<opt>
requests are sent. By default, this is port 80. Range: 1 … 65535
keyLength Use this element to specify the length of the public/pri- Default:512
vate keys. Note that the longer the key length, the Range: 512 / 1024 / 2048
longer it takes to generate the keys.
• The saveCertificates action has to be executed after the getSelfCertificateScep action so that the signed
self-certificate is also loaded every time the 1424 SHDSL Router reboots.
• It is important to note that at least one of the three following elements may not be left empty: ipAddress,
hostname and/or username. This information is written in the Subject Alternative Name field of the cer-
tificate itself.
1010 1424 SHDSL Router Chapter 12
User manual Status attributes
router1424/fileSystem/getCrlScep
Use this action to get the Certificate Revocation List (CRL). A CRL is a list of certificates that have been
revoked before their scheduled expiration date. Fill in the elements in the argument value structure and
execute the action.
The argument value structure of the getCertRevListScep action contains the following elements:
Element Description
url Use this element to specify the URL to which the Default:<empty>
SCEP requests have to be submitted. Range: 0 … 40 characters
Together with the server element this makes up the complete path to which the
SCEP requests are submitted.
Example
Suppose you set the server element to 172.31.127.6 and the url element to certsrv/
mscep/mscep.dll, then the SCEP requests are submitted to http://172.31.127.6/certsrv/
mscep/mscep.dll.
port Use this element to set the port on which the SCEP Default:<opt>
requests are sent. By default, this is port 80. Range: 1 … 65535
router1424/fileSystem/saveCertificates
This action is used in the procedure where security certificates are obtained and loaded in order to set
up an L2TP tunnel secured with IPSEC using an IKE certificate SA. Refer to 9.6.7 - Setting up an IPSEC
secured L2TP tunnel using a manual SA on page 421.
Use this action to save the trusted certificate and the signed self-certificate that were either obtained and
loaded manually or by using SCEP. Saving the certificates ensures that they are loaded every time the
1424 SHDSL Router reboots.
1424 SHDSL Router Chapter 12 1011
User manual Status attributes
router1424/operatingSystem/taskInfo
Element Description
taskStatus This is the current status of the task. Possible values are:
• awake. This task is actually running.
• asleep. This task is waiting on an event.
• inactive. This task slot is not active, i.e. no task has been assigned to this slot.
load30s This is the load on the processor, in percent, during the last 30 seconds.
load5m This is the load on the processor, in percent, during the last 5 minutes.
runningInMedium Each task can be running with a low, medium or high priority. This element gives
the percentage of time this task has been running with medium priority during the
last 30 seconds.
runningInHigh Each task can be running with a low, medium or high priority. This element gives
the percentage of time this task has been running with high priority during the last
30 seconds.
The percentage of time this task has been running with low priority can be calcu-
lated using the following formula:
running in low priority = 100% - runningInMedium - runningInHigh
programCounter This is the current value of the program counter. The program counter is the mem-
ory address for the current instruction of this task.
router1424/operatingSystem/coreDump
This structure is empty under normal conditions. If the device software however would ever crash, it will
reboot. After this reboot this attribute contains operating system information at the time of the crash. If a
crash has occurred the user can export this information to a file together with other information of the
set-up including configuration(s). He can send all this information to his technical contact who should
forward it to OneAccess Support for further analysis.
For more information on how to export the information, refer to the TMA manual.
1424 SHDSL Router Chapter 13 1013
User manual Performance attributes
13 Performance attributes
Depending on the device, some features may or may not be present. Refer to the detailed features over-
view: 1.3 - Overview of features on page 7
This chapter discusses the performance attributes of the 1424 SHDSL Router. The following gives an
overview of this chapter:
• 13.1 - Performance attributes overview on page 1014
• 13.2 - General performance attributes on page 1022
• 13.3 - LAN interface performance attributes on page 1024
• 13.4 - WAN interface performance attributes on page 1032
• 13.5 - Encapsulation performance attributes on page 1033
• 13.6 - SHDSL line performance attributes on page 1046
• 13.7 - End and repeater performance attributes on page 1050
• 13.8 - Bundle performance attributes on page 1051
• 13.9 - Router performance attributes on page 1054
• 13.10 - IP traffic policy performance attributes on page 1097
• 13.11 - Bridge performance attributes on page 1099
• 13.12 - SNMP performance attributes on page 1109
• 13.13 - Management performance attributes on page 1112
• 13.14 - Operating system performance attributes on page 1115
1014 1424 SHDSL Router Chapter 13
User manual Performance attributes
> router1424
Action: clearAllCounters
>> lanInterface
ifInOctets
ifInUcastPkts
ifInNUcastPkts
ifInDiscards
ifInErrors
ifInUnknownProtos
ifOutOctets
ifOutUcastPkts
ifOutNUcastPkts
ifOutDiscards
ifOutErrors
ifOutQLen
ifInQLen
h2Performance
h24Performance
d7Performance
ifInDropLevelExceeded
ifOutDropLevelExceeded
ifInPriorityQueues
ifOutPriorityQueues
vlan
mibCounters1
pppoEClient
Action: clearCounters
>> dslInterface
ifInOctets
ifInUcastPkts
ifInNUcastPkts
ifInDiscards
ifInErrors
ifInUnknownProtos
ifInQLen
ifInDropLevelExceeded
ifInPriorityQueues
ifOutOctets
ifOutUcastPkts
ifOutNUcastPkts
ifOutDiscards
ifOutErrors
ifOutQLen
ifOutDropLevelExceeded
ifOutPriorityQueues
h2Performance
h24Performance
d7Performance
Action: clearCounters
>>> channel[wan_1]
<contains the same attributes as the dslInterface object>
>>>> atm
pvcTable
unknownCells
vp
Action: clearCounters
1016 1424 SHDSL Router Chapter 13
User manual Performance attributes
>>>> efm
ifInOctets
ifInUcastPkts
ifInNUcastPkts
ifInDiscards
ifInErrors
ifInUnknownProtos
ifInQLen
ifOutOctets
ifOutUcastPkts
ifOutNUcastPkts
ifOutDiscards
ifOutErrors
ifOutQLen
h2Performance
h24Performance
d7Performance
ifDropLevelExceeded
ifOutPriorityQueues
vlan
pppOEClient
oam
Action: clearCounters
>>> line
h2Line
h24Line
d7Line
line
Action: retrain
Action: clearCounters
Action: testActivation
Action: psdMeasurement
>>>> linePair[ ]
h2LineParameters
h2Performance
h24LineParameters
h24Performance
d7LineParameters
d7Performance
lineParameters
performance
Action: clearCounters
Action: retrain
1424 SHDSL Router Chapter 13 1017
User manual Performance attributes
>>> repeater[ ]
h2Line
h24Line
d7Line
line
Action: clearCounters
Action: testActivation
>>>> networkLinePair[ ]
h2LineParameters
h2Performance
h24LineParameters
h24Performance
d7LineParameters
d7Performance
lineParameters
performance
Action: clearCounters
>>>> customerLinePair[ ]
h2LineParameters
h2Performance
h24LineParameters
h24Performance
d7LineParameters
d7Performance
lineParameters
performance
Action: clearCounters
>>> end
h2Line
h24Line
d7Line
line
Action: clearCounters
Action: testActivation
>>>> linePair[ ]
h2LineParameters
h2Performance
h24LineParameters
h24Performance
d7LineParameters
d7Performance
lineParameters
performance
Action: clearCounters
1018 1424 SHDSL Router Chapter 13
User manual Performance attributes
>> profiles
>>> policy
>>>> traffic
>>>>> ipTrafficPolicy[ ]
discards
trafficShaping
Action: clearCounters
>> ip
>>> router
routingTable
radiusAuth
radiusAcct
pingResults
tracertResults
qualityMonitor
igmpProxy
Action: startPing
Action: stopPing
Action: startTracert
Action: stopTracert
Action: clearTracert
Action: clearCounters
1424 SHDSL Router Chapter 13 1019
User manual Performance attributes
>>>> defaultNat
socketsFree
allocFails
discards
addressesAvailable
tcpSocketsUsed
udpSocketsUsed
icmpSocketsUsed
tcpAllocs
udpAllocs
icmpAllocs
espAllocs
greAllocs
espSocketsUsed
greSocketsUsed
packetsToPublic
octetsToPublic
packetsToPrivate
octetsToPrivate
h2Nat
h24Nat
d7Nat
Action: reset
Action: clearCounters
>>>> tunnels
l2tpTunnels
ipsecL2tpTunnels
greTunnels
ipsecGreTunnels
ipsecTunnels
Action: clearCounters
>>>> manualSA[ ]
inPackets
outPackets
espAuthenticationFailure
espDecryptionFailure
espSequenceNrReplay
espDroppedFrames
Action: clearCounters
>>>> ikeSA[ ]
negotiations
phase1Errors
phase2Sessions
Action: clearCounters
1020 1424 SHDSL Router Chapter 13
User manual Performance attributes
>>>> bgp
>>>>> ePeer[ ]
sessions
messagesSent
messagesRcvd
prefixesSent
prefixesRcvd
inboundFilters
outboundFilters
inboundMaps
outboundMaps
>>>>> iPeer[ ]
<contains the same attributes as the ePeer object>
>>>>> routeFilter[ ]
uses
filters
>>>>> routeMap[ ]
uses
>>>> firewall
h24General
d7General
h24Attack
d7Attack
>>> vrfRouter[ ]
routingTable
pingResults
tracerResults
igmpProxy
>>>> routingFilter[ ]
filter
>> bridge
>>> bridgeGroup
bridgeCache
bridgeDiscards
bridgeFloods
bridgeBroadcasts
bridgeMulticasts
vlan
vlanSwitching
Action: clearCounters
1424 SHDSL Router Chapter 13 1021
User manual Performance attributes
>>> vpnBridgeGroup[ ]
<contains the same attributes as the bridgeGroup object>
>>> accessList[ ]
bridgeAccessList
advancedFilter
Action: clearCounters
>> snmp
mib2Counters
mpdStats
usmStats
Action: clearCounters
>> management
cms2SessionCount
tftpSessionCount
cliSessionCount
tcpSessionCount
tcpSession
ipStackEvents
Action: clearCounters
>> operatingSystem
currUsedProcPower
usedProcPower
freeDataBuffers
totalDataBuffers
freeMemory
totalMemory
taskInfo
memAllocations
memOutstanding
memOverview
freeShortBuffers
totalShortuffers
1022 1424 SHDSL Router Chapter 13
User manual Performance attributes
There are no general performance attributes. However, there is one general performance action:
• router1424/clearAllCounters on page 1023
1424 SHDSL Router Chapter 13 1023
User manual Performance attributes
router1424/clearAllCounters
Use this action to clear all counters in all objects in the containment tree of the 1424 SHDSL Router.
You can also clear the counters per object. To do so, use the clearCounters action located in the corre-
sponding object.
1024 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/lanInterface
ifInOctets
This attribute displays the number of octets (bytes) received on this interface.
ifInUcastPkts
This attribute displays the number of unicast packets received on this interface and delivered to a higher-
layer protocol. Unicast packets are all non-multicast and non-broadcast packets.
ifInNUcastPkts
This attribute displays the number of non-unicast packets received on this interface and delivered to a
higher-layer protocol. Non-unicast packets are all the multicast and broadcast packets.
ifInDiscards
This attribute displays the number of incoming packets that were discarded, to prevent their deliverance
to a higher-layer protocol. This even though no errors were detected in these packets.
ifInErrors
This attribute displays the number of incoming packets that could not be delivered to a higher-layer pro-
tocol because they contained errors.
ifInUnknownProtos
This attribute displays the number of incoming packets that were discarded because they contained an
unknown or unsupported protocol.
1026 1424 SHDSL Router Chapter 13
User manual Performance attributes
ifOutOctets
This attribute displays the total number of octets (bytes) transmitted by the interface, including framing
characters.
ifOutUcastPkts
This attribute displays the total number of packets that higher-level protocols requested to be transmitted
to a unicast address, including those that were discarded or not sent.
ifOutNUcastPkts
This attribute displays the number of non-unicast packets that higher-level protocols requested to be
transmitted to a non-unicast (i.e. a broadcast or multicast) address, including those that were discarded
or not sent.
ifOutDiscards
This attribute displays the number of outgoing packets that were discarded, to prevent they are transmit-
ted by the interface. This could be due to, for instance, the presence of an access list.
ifOutErrors
This attribute displays the number of outgoing packets that could not be transmitted by the interface
because they contained errors. On the LAN interface ifOutErrors are also generated in case of extensive
collisions.
ifOutQLen
This attribute displays the length, expressed in packets, of the output packet queue on the interface.
As of TDRE 12.0, with improved buffer management, it is important that this value is not too big. Other-
wise all Mbuf ‘s will be used up at some point, especially when small packets are used.
ifInQLen
This attribute displays the length, expressed in packets, of the input packet queue on the interface.
1424 SHDSL Router Chapter 13 1027
User manual Performance attributes
h2Performance
This attribute displays the 2 hours performance summary of the LAN interface.
The h2Performance table contains the following elements:
ifStatusChanges the number of times the ifOperStatus value of the interface changed (from up to down
or vice versa).
ifInErrors the number of packets received on this interface that could not be delivered to a
higher-layer protocol because they contained errors.
ifOutOctets the number of octets (bytes) transmitted by the interface, including framing char-
acters.
ifOutDiscards the number of outgoing packets that were discarded, to prevent they were trans-
mitted by the interface. This could be due to, for instance, the presence of an
access list.
ifOutErrors the number of packets that could not be transmitted by the interface because they
contained errors.
1028 1424 SHDSL Router Chapter 13
User manual Performance attributes
h24Performance
This attribute displays the 24 hours performance summary of the LAN interface. The h24Performance table
contains the same elements as the h2Performance table.
d7Performance
This attribute displays the 7 days performance summary of the LAN interface. The d7Performance table
contains the same elements as the h2Performance table.
ifOutPQLen
In case an overload condition occurs and priority queuing is activated, then this attribute displays how
many packets the different queues contain.
Refer to 7.11.2 - Introducing traffic and priority policy on page 262 for more information on the priority
queues.
ifOutDropLevelExceeded
This attribute displays how many times the drop levels of the outbound user configurable queues have
been exceeded (and hence packets have been dropped).
Refer to dropLevels on page 598 for more information on the drop levels.
ifInDropLevelExceeded
This attribute displays how many times the drop levels of the inbound user configurable queues have
been exceeded (and hence packets have been dropped).
Refer to dropLevels on page 598 for more information on the drop levels.
1424 SHDSL Router Chapter 13 1029
User manual Performance attributes
vlan
This attribute displays the SNMP MIB2 performance parameters of the VLANs that are present on the
LAN interface.
The vlan table contains the following elements:
Element Description
name This element displays the name of the VLAN as you configured it.
mibCounters This element displays the SNMP MIB2 performance parameters of the VLAN.
Refer to 13.3 - LAN interface performance attributes on page 1024 for an explana-
tion of the individual SNMP MIB2 performance parameters.
pppoEClient
This attribute displays the PPPoE performance parameters that are present on the LAN interface.
The pppoEClient table contains the following elements:
Element Description
name This element displays the administrative name of the PPPoE link as you config-
ured it.
mibCounters This element displays the SNMP MIB2 performance parameters of the PPPoE link.
Refer to 13.3 - LAN interface performance attributes on page 1024 for an explana-
tion of the individual SNMP MIB2 performance parameters.
ifOutPriorityQueues
This attribute displays the performance summary of the outbound priority queues on the LAN interface.
The ifOutPriorityQueues table contains the following elements:
Element Description
length This element displays the length, expressed in packets, of the output priority
queues.
Element Description
octets This element displays the same information as the packets element above, except
that it is expressed in octets (or bytes).
h2Performance This element displays the 2 hours performance summary with regards to the out-
pur priority queues; refer to ifOutPriorityQueues/h2Performance on page 1030 for a
detailed explantion.
h24Performance This element displays the 24 hours performance summary with regards to the out-
pur priority queues. The h24Performance table contains the same elements as the
ifOutPriorityQueues/h2Performance on page 1030 table.
d7Performance This element displays the 7 days performance summary with regards to the outpur
priority queues. The h24Performance table contains the same elements as the ifOut-
PriorityQueues/h2Performance on page 1030 table.
ifOutPriorityQueues/h2Performance
This element displays the 2 hours performance summary with regards to the output priority queues.
The h2Performance table contains the following elements:
QueuedPkts the number of packets that were first queued before they were sent.
cirTxPkts the total number of packets sent conform the CIR value.
eirTxPkts the total number of packets sent conform the EIR value.
QueuedOctets the number of bytes that were first queued before they were sent.
cirTxOctets the total number of bytes sent conform the CIR value.
eirTxOctets the total number of bytes sent conform the EIR value.
ifInPriorityQueues
This attribute displays the performance summary of the inbound priority queues of the LAN interface.
The ifInPriorityQueues table contains the same elements as the ifOutPriorityQueues table described above.
mibCounters
Element Description
ifInPkts This element displays the number of packets received on each port.
ifOutPkts This element displays the number of packets transmitted on each port.
h2Performance This element displays the 2 hours performance summary of each port.
This h2Performance table contains the following elements: sysUpTime, ifUpTime, ifSta-
tusChanges, ifInPkts, ifOutPkts. These have already been described in the h2Performance
table of the LAN interface itself:
h24Performance This element displays the 24 hours performance summary of each port. It contains
the same elements as the h2Performance tabel.
d7Performance This element displays the 7 days performance summary of each port. It contains
the same elements as the h2Performance tabel above.
oam
This attribute lists the performance information with regard to received and sent OAM data.
Note that:
• PduDiscardRx (the number of OAMPDU discards) is linked to the discovery process.
• dataDiscardTx and dataDiscardTx (the number of data discards) are linked to the loopback process.
Refer to IEEE Std. 802.3-2005, section 57.4.2 Structure and section 57.4.3 OAMPDU descriptions for
more detailed information.
1032 1424 SHDSL Router Chapter 13
User manual Performance attributes
All performance attributes of the WAN interface are the same as on the LAN interface. Therefore, they
are not explained here again. Refer to 13.3 - LAN interface performance attributes on page 1024 for a
complete description of these attributes.
1424 SHDSL Router Chapter 13 1033
User manual Performance attributes
This section discusses the performance attributes of the encapsulation protocols that can be used on
the 1424 SHDSL Router.
The following gives an overview of this section:
• 13.5.1 - ATM performance attributes on page 1034
• 13.5.2 - Frame Relay performance attributes on page 1042
1034 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/dslInterface/channel[wan_1]/atm/pvcTable
This attribute lists the complete performance information of all known PVCs.
The pvcTable table contains the following elements:
Element Description
priorityQLengths In case an overload condition occurs and priority queuing is activated, then this
elements displays how many packets the different queues contain.
Refer to 7.11.2 - Introducing traffic and priority policy on page 262 for more infor-
mation on the priority queues.
atm This displays the specific ATM related performance information of the PVC.
Refer to router1424/dslInterface/channel[wan_1]/atm/pvcTable/atm on page 1036 for a detailed
description of the atm structure
frameRelay This displays the specific Frame Relay related performance information of the
PVC.
The frameRelay structure contains following elements:
• lmi. This attribute gives a complete LMI performance information overview for
each PVC. Refer to router1424/dslInterface/channel[wan_1]/atm/pvcTable/frameRelay/lmi
on page 1039 for a detailed description.
• dlciTable. This attribute gives the complete performance information of all known
DLCIs for this PVC. Refer to router1424/dslInterface/channel[wan_1]/atm/pvcTable/
frameRelay/dlciTable on page 1039 for a detailed description.
1036 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/dslInterface/channel[wan_1]/atm/pvcTable/atm
The atm structure in the pvcTable displays the specific ATM related performance information of the PVC.
The atm structure contains the following elements:
Element Description
oamF5 This element displays the performance information of the OAM F5 loopback cells.
The oamF5 structure contains the following elements:
• segment: this element displays performance information with regard to the seg-
ment the 1424 SHDSL Router is part of. Refer to router1424/dslInterface/chan-
nel[wan_1]/atm/pvcTable/atm/oamF5/segment on page 1037 for a detailed description of
the elements of the segment structure.
• endToEnd: this element displays performance information with regard to the
entire end-to-end conenction the 1424 SHDSL Router is part of. Refer to
router1424/dslInterface/channel[wan_1]/atm/pvcTable/atm/oamF5/endToEnd on page 1038 for
a detailed description of the elements of the endToEnd structure.
OAM VP/VC AIS (Alarm Indication Signal) and RDI (Remote Defect Indication) are
cells that are used for identifying and reporting VP/VC defects on a segment/end-
to-end level. When a physical link error, interface failure or loss of continuity (LOC)
occurs, segment endpoints insert AIS cells into all the downstream VP/VCs
affected by the failure. Upon receiving an AIS cell on a VP/VC, the router marks
the logical interface down and sends an RDI cell on the same VP/VC to let the
remote end know the error status. When an RDI cell is received on a VP/VC, the
router sets the logical interface status to down. Also refer to 6.3 - Configuring OAM
on ATM interfaces on page 125 for more information.
1424 SHDSL Router Chapter 13 1037
User manual Performance attributes
router1424/dslInterface/channel[wan_1]/atm/pvcTable/atm/oamF5/segment
This element displays performance information of the OAM F5 loopback cells with regard to the segment
the 1424 SHDSL Router is part of.
The segment structure contains the following elements:
Element Description
fpmRx This displays the number of received FPM (Forward Performance Managenent)
cells.
fpmTx This displays the number of transmitted FPM (Forward Performance Managenent)
cells.
actDeactRx This displays the number of received continuity check activator/deactivator cells.
pmRxStats This displays the performance monitoring statistics with regard to the received
ATM cells.
Refer to router1424/dslInterface/channel[wan_1]/atm/pvcTable/atm/oamF5/segment/pmRxStats
on page 1038 for a detailed description of the elements of the pmRxStats structure
pmTxStats This displays the performance monitoring statistics with regard to the transmitted
ATM cells.
The pmTxStats structure contains the same elements as the pmRxStats structure
above, refer to router1424/dslInterface/channel[wan_1]/atm/pvcTable/atm/oamF5/segment/
pmRxStats on page 1038.
1038 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/dslInterface/channel[wan_1]/atm/pvcTable/atm/oamF5/endToEnd
This element displays performance information of the OAM F5 loopback cells with regard to the end-to-
end connection the 1424 SHDSL Router is part of.
The endToEnd structure contains the same elements as the segment structure. Refer to router1424/dslInter-
face/channel[wan_1]/atm/pvcTable/atm/oamF5/segment on page 1037.
router1424/dslInterface/channel[wan_1]/atm/pvcTable/atm/oamF5/segment/pmRxStats
This element displays the performance monitoring statistics with regard to the received ATM cells.
The pmRxStats structure contains the following elements:
Element Description
lostOamCells This displays the number of transferred OAM cells that were lost.
lostUserCells This displays the number of transferred user cells that were lost.
misInsertUserCells This displays the number of transferred user cells that were misinserted.
cellErrRatio This displays the ratio of total errored cells to the total of successfully transferred
cells, plus tagged cells, plus errored cells.
cellLosRatio This displays the ratio of total lost cells to total transmitted cells.
cellMisinsertRatio This displays the total number of misinserted cells observed during a specified
time interval divided by the time interval duration (equivalently, the number of
misinserted cells per connection second).
sevErrCellBlckRatio This displays the ratio of total severely errored cell blocks to total cell blocks.
1424 SHDSL Router Chapter 13 1039
User manual Performance attributes
router1424/dslInterface/channel[wan_1]/atm/pvcTable/frameRelay/lmi
Element Description
inStatusEnquiry This is the number of Status Enquiries received from the network.
inStatus This is the number of Status Reports received from the network.
inStatusUpdate This is the number of unsolicited Status Updates received from the network.
outStatusUpdate This is the number of unsolicited Status Updates sent to the network.
netPollNotRcvd This is the number of times the expectedPollInterval expired without an incoming sta-
tus enquiry.
router1424/dslInterface/channel[wan_1]/atm/pvcTable/frameRelay/dlciTable
This attribute lists the complete performance information of all known DLCIs.
The dlciTable table contains the following elements:
Element Description
priorityQLengths In case an overload condition occurs and priority queuing is activated, then this
elements displays how many packets the different queues contain.
Refer to 7.11.2 - Introducing traffic and priority policy on page 262 for more infor-
mation on the priority queues.
frameRelay This displays the specific Frame Relay related performance information of the
DLCI.
Refer to router1424/dslInterface/channel[wan_1]/atm/pvcTable/frameRelay/dlciTable/frameRelay
on page 1040 for a detailed description of the frameRelay structure.
1040 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/dslInterface/channel[wan_1]/atm/pvcTable/frameRelay/dlciTable/frameRelay
The frameRelay structure in the dlciTable displays the specific Frame Relay related performance information
of the DLCI.
The frameRelay structure contains the following elements:
Element Description
inFecn This is the number of frames received from the network indicating forward conges-
tion and this since the virtual circuit was created.
inBecn This is the number of frames received from the network indicating backward con-
gestion and this since the virtual circuit was created.
inDe This is the number of frames received with the Discard Eligibility bit set.
inOctets This is the number of octets received over this virtual circuit since it was created.
inFrames This is the number of frames received over this virtual circuit since it was created.
outFecn This is the number of frames sent to the network indicating forward congestion and
this since the virtual circuit was created.
outBecn This is the number of frames sent to the network indicating backward congestion
and this since the virtual circuit was created.
outDe This is the number of frames sent to the network with the Discard Eligibility bit set.
outOctets This is the number of octets sent over this virtual circuit since it was created.
outFrames This is the number of frames sent over this virtual circuit since it was created.
1424 SHDSL Router Chapter 13 1041
User manual Performance attributes
router1424/dslInterface/channel[wan_1]/atm/unknownCells
This attribute displays the number of received cells that are not in-band for a certain PVC.
Example
Suppose router A sends OAM F4 loopback cells on VPI 5. On router B no VPI 5 is configured or no OAM
F4 loopback cells are configured for VPI 5. In that case, the unknownCells value on router B will increase.
router1424/dslInterface/channel[wan_1]/atm/vp
Whereas the atm structure in the pvcTable displays the OAM F5 loopback cell performance information for
each Virtual Channel, the vp table displays the OAM F4 loopback cell performance information of a com-
plete Virtual Path.
The vp table contains the following elements:
Element Description
oamF4 This displays the performance information of the OAM F4 loopback cells.
The oamF4 structure contains the following elements:
• segment: this element displays performance information with regard to the seg-
ment the 1424 SHDSL Router is part of. Refer to router1424/dslInterface/chan-
nel[wan_1]/atm/vp on page 1041 for a detailed description of the elements of the
segment structure.
• endToEnd: this element displays performance information with regard to the
entire end-to-end conenction the 1424 SHDSL Router is part of. Refer to
router1424/dslInterface/channel[wan_1]/atm/vp/endToEnd on page 1041 for a detailed
description of the elements of the endToEnd structure.
router1424/dslInterface/channel[wan_1]/atm/vp/segment
This element displays performance information of the OAM F4 loopback cells with regard to the segment
the 1424 SHDSL Router is part of.
The segment structure for OAM F4 loopback cells contains the same elements as the segment structure for
OAM F5 loopback cells; refer to router1424/dslInterface/channel[wan_1]/atm/pvcTable/atm on page 1036 for more
information.
router1424/dslInterface/channel[wan_1]/atm/vp/endToEnd
This element displays performance information of the OAM F4 loopback cells with regard to the end-to-
end connection the 1424 SHDSL Router is part of.
The segment structure for OAM F4 loopback cells contains the same elements as the segment structure for
OAM F5 loopback cells; refer to router1424/dslInterface/channel[wan_1]/atm/pvcTable/atm/oamF5/endToEnd on
page 1038 for more information.
1042 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/dslInterface/channel[wan_1]/frameRelay/
dlciTable
This attribute lists the complete performance information of all known DLCIs.
The dlciTable table contains the following elements:
Element Description
priorityQLengths In case an overload condition occurs and priority queuing is activated, then this
elements displays how many packets the different queues contain.
Refer to 7.11.2 - Introducing traffic and priority policy on page 262 for more infor-
mation on the priority queues.
frameRelay This displays the specific Frame Relay related performance information of the
DLCI.
Refer to dlciTable/frameRelay on page 1044 for a detailed description of the frameRelay
structure.
1044 1424 SHDSL Router Chapter 13
User manual Performance attributes
dlciTable/frameRelay
The frameRelay structure in the dlciTable displays the specific Frame Relay related performance information
of the DLCI.
The frameRelay structure contains the following elements:
Element Description
inFecn This is the number of frames received from the network indicating forward conges-
tion and this since the virtual circuit was created.
inBecn This is the number of frames received from the network indicating backward con-
gestion and this since the virtual circuit was created.
inDe This is the number of frames received with the Discard Eligibility bit set.
inOctets This is the number of octets received over this virtual circuit since it was created.
inFrames This is the number of frames received over this virtual circuit since it was created.
outFecn This is the number of frames sent to the network indicating forward congestion and
this since the virtual circuit was created.
outBecn This is the number of frames sent to the network indicating backward congestion
and this since the virtual circuit was created.
outDe This is the number of frames sent to the network with the Discard Eligibility bit set.
outOctets This is the number of octets sent over this virtual circuit since it was created.
outFrames This is the number of frames sent over this virtual circuit since it was created.
1424 SHDSL Router Chapter 13 1045
User manual Performance attributes
lmi
Element Description
inStatusEnquiry This is the number of Status Enquiries received from the network.
inStatus This is the number of Status Reports received from the network.
inStatusUpdate This is the number of unsolicited Status Updates received from the network.
outStatusUpdate This is the number of unsolicited Status Updates sent to the network.
netPollNotRcvd This is the number of times the expectedPollInterval expired without an incoming sta-
tus enquiry.
cllmInFrames
This attribute displays the total number of received CLLM (Consolidated Link Layer Management)
frames.
1046 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/wanInterface/line/h2Line
This attribute displays the 2 hours performance information summary of the line.
The h2Line table contains the following elements:
router1424/wanInterface/line/h24Line
This attribute displays the 24 hours performance information summary of the line. The h24Line table con-
tains the same elements as the router1424/wanInterface/line/h2Line table.
router1424/wanInterface/line/d7Line
This attribute displays the 7 days performance information summary of the line. The d7Line table contains
the same elements as the router1424/wanInterface/line/h2Line table.
router1424/wanInterface/line/line
This attribute displays the performance information summary of the line since the last cold boot. Except
for the sysUpTime, the line structure contains the same elements as the router1424/wanInterface/line/h2Line
table.
router1424/wanInterface/line/retrain
router1424/wanInterface/line/linePair[ ]/h2LineParameters
router1424/wanInterface/line/linePair[ ]/h24LineParameters
This attribute displays the 24 hours line parameter summary. The h24LineParameters table contains the
same elements as the router1424/wanInterface/line/linePair[ ]/h2LineParameters table.
router1424/wanInterface/line/linePair[ ]/d7LineParameters
This attribute displays the 7 days line parameter summary. The d7LineParameters table contains the same
elements as the router1424/wanInterface/line/linePair[ ]/h2LineParameters table.
router1424/wanInterface/line/linePair[ ]/lineParameters
This attribute displays the line parameter summary since the last cold boot. Except for the sysUpTime, the
lineParameters table contains the same elements as the router1424/wanInterface/line/linePair[ ]/h2LineParameters
table.
1424 SHDSL Router Chapter 13 1049
User manual Performance attributes
router1424/wanInterface/line/linePair[ ]/h2Performance
loswSec the number of lost synchronisation words seconds that was counted.
router1424/wanInterface/line/linePair[ ]/h24Performance
This attribute displays the 24 hours performance summary of the line. The h24Performance table contains
the same elements as the router1424/wanInterface/line/linePair[ ]/h2Performance table.
router1424/wanInterface/line/linePair[ ]/d7Performance
This attribute displays the 7 days performance summary of the line. The d7Performance table contains the
same elements as the router1424/wanInterface/line/linePair[ ]/h2Performance table.
router1424/wanInterface/line/linePair[ ]/performance
This attribute displays the performance summary of the line since the last cold boot. Except for the sysUp-
Time, the performance table contains the same elements as the router1424/wanInterface/line/linePair[ ]/
h2Performance table.
1050 1424 SHDSL Router Chapter 13
User manual Performance attributes
Exactly which information is retrieved from the remote SHDSL device(s) through the EOC channel
depends on the setting of the eocHandling attribute. Refer to 5.5.4 - Which standard EOC information is
retrieved? on page 83 for an overview.
The performance information of the line pairs of the repeater and end device is only retrieved in case the
eocHandling attribute is set to info or alarmConfiguration. Other than that, the repeater[ ]/linePair[ ] and end/linePair[
] objects contain the same performance attributes as the line/linePair[ ] object. Refer to 13.6 - SHDSL line
performance attributes on page 1046 for more information on these attributes.
Note that the sysUpTime in the performance attributes of the repeater[ ]/linePair[ ] and end/linePair[ ] objects is
not the elapsed time since the last cold boot, but the elapsed time since the creation of the repeater[ ] or
end object.
1424 SHDSL Router Chapter 13 1051
User manual Performance attributes
This section describes the performance attributes of the different bundles that can be set up on the 1424
SHDSL Router. The following gives an overview of this section:
• 13.8.1 - PPP bundle performance attributes on page 1052
1052 1424 SHDSL Router Chapter 13
User manual Performance attributes
All performance attributes, except one, of the PPP bundle are the same as those of the LAN interface.
Therefore, they are not explained here again. Refer to 13.3 - LAN interface performance attributes on
page 1024 for a complete description of these attributes.
However, the following attribute is only present in the PPP bundle object and therefore explained in this
section:
• router1424/bundle/pppBundle[ ]/multiclassinterfaces on page 1053
1424 SHDSL Router Chapter 13 1053
User manual Performance attributes
router1424/bundle/pppBundle[ ]/multiclassinterfaces
This attribute displays the performance of the different multiclass PPP links in the PPP bundle.
The multiclassinterfaces table contains following elements:
Element Description
name This element displays the name of the multiclass PPP link as you defined it in the
multiclassInterfaces configuration attribute.
mibCounters This element displays the SNMP MIB2 parameters of the multiclass PPP link.
These are the same as the SNMP MIB2 parameters of the LAN interface. Refer to
13.3 - LAN interface performance attributes on page 1024.
1054 1424 SHDSL Router Chapter 13
User manual Performance attributes
This section discusses the performance attributes concerned with routing. First it describes the general
routing performance attributes. Then it explains the performance attributes of the extra features as there
are NAT, filtering, L2TP tunnelling, etc…
The following gives an overview of this section:
• 13.9.1 - General router performance attributes on page 1055
• 13.9.2 - NAT performance attributes on page 1064
• 13.9.3 - L2TP tunnel performance attributes on page 1069
• 13.9.4 - Native IPSEC tunnel performance attributes on page 1072
• 13.9.5 - GRE tunnel performance attributes on page 1074
• 13.9.6 - Manual SA performance attributes on page 1076
• 13.9.7 - IKE SA performance attributes on page 1078
• 13.9.8 - BGP performance attributes on page 1081
• 13.9.9 - Routing filter performance attributes on page 1090
• 13.9.10 - Firewall performance attributes on page 1092
• 13.9.11 - Virtual Routing and Forwarding (VRF) performance attirbutes on page 1096
1424 SHDSL Router Chapter 13 1055
User manual Performance attributes
router1424/ip/router/routingTable
This attribute lists all known routes and how many times they are used.
The routingTable contains the following elements:
Element Description
mask This element displays the network mask of the destination network.
gateway This element displays the IP address of the next router on the path to the destina-
tion network.
interface This element displays the interface through which the destination network can be
reached. Possible values are:
• internal. The own protocol stack is used.
• <name>. The destination network can be reached through this particular inter-
face. The <name> of the interface is the name as you configured it.
Note that the “interface” can also be a DLCI, an ATM PVC, a tunnel, etc.
• discard. Packets for this destination are discarded.
uses This element displays how many times the route has been used since it is listed in
the routing table.
For each IP packet that matches this route, the attribute value is incremented by
one. RIP routes may disappear from the routing table, and re-appear afterwards.
The attribute value is reset when a RIP route disappears from the routing table.
1424 SHDSL Router Chapter 13 1057
User manual Performance attributes
router1424/ip/router/radiusAuth
Element Description
requests This element displays the number of access requests that is sent to the authenti-
cation server.
accepts This element displays the number of access accepts that is received from the
authentication server.
rejects This element displays the number of access rejects that is received from the
authentication server.
challenges This element displays the number of access challenges that is received from the
authentication server.
badAuthenticators This element displays the total number of packets that contained invalid Message-
Authenticator attributes.
droppedPackets This element displays the number of incoming packets dropped for reasons other
than being malformed, bad authenticators, or unknown types.
router1424/ip/router/radiusAcct
Element Description
requests This element displays the number of accounting requests that is sent to the
accounting server.
responses This element displays the number of accounting responses that is received from
the accounting server.
badAuthenticators This element displays the number of packets that contained invalid Signature
attributes.
droppedPackets This element displays the number of incoming packets dropped for reasons other
than being malformed, bad authenticators, or unknown types.
1058 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/ip/router/pingResults
This attribute displays the results of a ping to an IP address started with the startPing action.
The pingResults structure contains the following elements:
Element Description
ipAddress This element displays the IP address of the host that is being pinged.
numOfRxPackets This element displays the number of correct answers on the transmitted pings.
minReplyTime This element displays the lowest reply time of all correct answers.
maxReplyTime This element displays the highest reply time of all correct answers.
avrgReplyTime This element displays the average reply time of all correct answers.
router1424/ip/router/tracertResults
This attribute displays the results of a traceroute to an IP address/host started with the startTracert action.
The tracertResults table contains the following elements:
Element Description
ipAddress This element displays the IP address of the hop that has been passed.
hostName This element displays the hostname of the hop that has been passed. Note that
this only displays
nrTx This element displays the number of traceroute queries that have been transmitted
to the hop.
nrRx This element displays the number of correct answers on the transmitted traceroute
queries that have been received from the hop.
minRtt This element displays the minimum Round-Trip Time that has been measured.
maxRtt This element displays the maximum Round-Trip Time that has been measured.
avrgRtt This element displays the average Round-Trip Time that has been calculated.
successRate This element displays the success rate. It is the ratio of nrRx/nrTx expressed in per-
cents.
comment This element displays some comments. E.g. Destination reached, Maximum number of
hops reached, etc.
1424 SHDSL Router Chapter 13 1059
User manual Performance attributes
router1424/ip/router/qualityMonitor
This attribute displays the performance statistics of the network links that are being monitored by the
quality monitor.
The qualityMonitor table contains the following elements:
Element Description
ipAddress This element displays the IP address of the end device of the link.
hostName This element displays the name of the end device of the link.
sourceIp This element displays the IP source address from which the quality monitoring is
initiated.
nbrOfTxPackets This element displays the total number of transmitted packets since the qualityMon-
itor was activated.
nbrOfRxPackets This element displays the total number of received packets since the qualityMonitor
was activated.
error This element displays the total number of received erroneous packets since the
qualityMonitor was activated.
loss This element displays the current loss of the link within the defined loss window.
lossDelay This element displays the current loss of the link within the defined delay window.
When the loss window and delay window are equal, loss and lossDelay will have the
same value.
minDelay This element displays the minimum delay that was measured in the link.
This element is expressed in seconds (sec).
avgDelay This element displays the average delay that was measured in the link.
This element is expressed in seconds (sec).
maxDelay This element displays the maximum delay that was measured in the link.
This element is expressed in seconds (sec).
maxJitterMin This element displays the maximum negative jitter deviation that was measured.
This element is expressed in seconds (sec).
avgJitter This element displays the average jitter that was measured in the link.
This element is expressed in seconds (sec).
maxJitterPlus This element displays the maximum positive jitter deviation that was measured.
This element is expressed in seconds (sec).
1060 1424 SHDSL Router Chapter 13
User manual Performance attributes
Element Description
logging The logging table contains the data that is effectively logged to a file that is saved
on the file system of the device. It contains the following elements: sysUpTime,
nbrOfTxPackets, nbrOfRxPackets, error, loss, lossDelay, minDelay, avgDelay, maxDelay, maxJitter-
Min, avgJitter, maxJitterPlus.
The sysUpTime is the elapsed time since the quality monitor was activated.
The other elements have already been described in this table.
alarm This element provides more information about alarms that have been raised by the
quality monitor.
It is a bit string of which each bit corresponds to an alarm condition. The following
alarm conditions can be seen:
• loss.
• avgDelay.
• maxDelay.
• minMaxDelay.
• avgJitter.
• maxJitterPlus.
• maxJitterMin.
Of each alarm, it is indicated whether it is on or off.
1424 SHDSL Router Chapter 13 1061
User manual Performance attributes
router1424/ip/router/startPing
Use this action to start transmitting pings to an IP address or host. The result of the ping can be seen in
the pingResults attribute. Refer to router1424/ip/router/pingResults on page 1058.
The argument value structure of the startPing action contains the following elements:
Argument Description
ipAddress Use this element to specify the IP address of the host Default:0.0.0.0
you want to ping. Range: up to 255.255.255.255
If you fill in the ipAddress element you may omit the hostName element.
hostName Use this element to specify the hostname of the host Default:<empty>
you want to ping. Range: 0 … 255 characters
If you fill in the hostName element you may omit the ipAddress element.
dataLength Use this element to specify the length, in bytes, of the Default:31
data transmitted in a ping. Range: 0 … 1300
timeOut Use this element to specify the time-out period. Default:00000d 00h 00m 05s
If a ping is sent, the 1424 SHDSL Router waits during Range: 00000d 00h 00m 00s -
24855d 03h 14m 07s
this time-out period on the answer. If the answer is
received …
• within this time-out period, then ping is considered successful.
• outside this time-out period, then the ping is considered unsuccessful.
router1424/ip/router/stopPing
router1424/ip/router/startTracert
Use this action to start a traceroute to an IP address or host. The result of the traceroute can be seen in
the tracertResults attribute. Refer to router1424/ip/router/tracertResults on page 1058.
The argument value structure of the startTracert action contains the following elements:
Argument Description
ipAddress Use this element to specify the IP address of the host Default:0.0.0.0
you want to trace. Range: up to 255.255.255.255
If you fill in the ipAddress element you may omit the hostName element.
hostName Use this element to specify the hostname of the host Default:<empty>
you want to trace. Range: 0 … 255 characters
If you fill in the hostName element you may omit the ipAddress element.
startTtl Use this element to specify from which TTL onwards Default:1
you want to see the traceroute results. Range: 1 … 255
For example, if you set the startTtl element to 5, then the traceroute result displayed
in the tracertResult attribute starts from TTL number 5. 1 up to 4 is not displayed.
queriesPerHop Use this element to specify how many traceroute que- Default:3
ries have to be sent to each hop. Range: 1 … 65536
dnsTimeOut Use this element to set the DNS time-out. Default:00000d 00h 00m 03s
When hop IP addresses are resolved to hostnames, Range: 00000d 00h 00m 00s -
24855d 03h 14m 07s
then the DNS replies are expected within this time-out
period. Else they are no longer accepted.
1424 SHDSL Router Chapter 13 1063
User manual Performance attributes
Argument Description
icmpTimeOut Use this element to set the ICMP time-out. Default:00000d 00h 00m 03s
When a hop is queried, then the ICMP replies are Range: 00000d 00h 00m 00s -
24855d 03h 14m 07s
expected within this time-out period. Else they are no
longer accepted.
tos Use this element to set the Type Of Service in the Default:0
traceroute query. Range: 0 … 255
This can be used to investigate whether different service types result in different
paths. Useful values are 16 (low delay) and 8 (high throughput).
packetLength Use this element to set the traceroute query datagram Default:32
length in bytes. Range: 32 … 1300
router1424/ip/router/stopTracert
router1424/ip/router/clearTracert
ip/router/defaultNat
socketsFree
This attribute shows the remaining number of new connections (i.e. sockets) that can be initiated. A
socket is a set of source and destination IP addresses and port numbers.
Initially, 2048 simultaneous sockets can be initiated. Sockets are freed using a garbage mechanism.
This means that every five minutes all sockets are checked. If a socket has been released by PAT or
NAT, then this socket is returned to the pool of free sockets.
ICMP and UDP sockets are released when they have no data traffic during five minutes. TCP sockets
are released after the TCP session has been closed or when the session has been idle for 24 hours.
allocFails
If no sockets are available anymore but an attempt to set up a new connection is being made, then the
natAllocFails attribute value is incremented by 1.
Because the sockets are distributed using a hashing function, it is possible that natAllocFails increases
even though natSocketsFree still indicates free sockets.
Before TDRE12, ICMP required a new socket for each transmitted packet; this implied that, for instance,
a permanent ping or trace-route command could eventually use all free sockets.
As of TDRE12 however, this is not the case anymore: different ping sessions from the same source
address are reusing the same sockets.
discards
This attribute indicates how many times a packet has been discarded for reasons other than a lack of
free sockets. This could be, for instance, because an attempt was made to connect from the Internet to
a service that was not present in the servicesAvailable table.
1066 1424 SHDSL Router Chapter 13
User manual Performance attributes
addressesAvailable
This attribute displays the number of NAT addresses that are currently free.
tcpSocketsUsed
This attribute displays the number of sockets currently in use by PAT and NAT for TCP applications.
udpSocketsUsed
This attribute displays the number of sockets currently in use by PAT and NAT for UDP applications.
icmpSocketsUsed
This attribute displays the number of sockets currently in use by PAT and NAT for ICMP applications.
1424 SHDSL Router Chapter 13 1067
User manual Performance attributes
tcpAllocs
This attribute indicates how many TCP sockets have been allocated since cold boot. Together with the
performance attributes udpAllocs, icmpAllocs, espAllocs and greAllocs, it gives an indication of the type of traffic
that is being routed.
udpAllocs
This attribute indicates how many UDP sockets have been allocated since cold boot. Together with the
performance attributes tcpAllocs, icmpAllocs, espAllocs and greAllocs, it gives an indication of the type of traffic
that is being routed.
icmpAllocs
This attribute indicates how many ICMP sockets have been allocated since cold boot. Together with the
performance attributes udpAllocs, tcpAllocs, espAllocs and greAllocs, it gives an indication of the type of traffic
that is being routed.
espSocketsUsed
This attribute displays the number of sockets currently in use by PAT and NAT for ESP applications.
greSocketsUsed
This attribute displays the number of sockets currently in use by PAT and NAT for GRE applications.
espAllocs
This attribute indicates how many ESP sockets have been allocated since cold boot. Together with the
performance attributes udpAllocs, icmpAllocs, greAllocs and tcpAllocs, it gives an indication of the type of traffic
that is being routed.
greAllocs
This attribute indicates how many GRE sockets have been allocated since cold boot. Together with the
performance attributes udpAllocs, tcpAllocs, icmpAllocs and espAllocs, it gives an indication of the type of traffic
that is being routed.
packetsToPublic
This attribute indicates how many packets have been sent to the public network since cold boot.
octetsToPublic
This attribute indicates how many bytes have been sent to the public network since cold boot.
packetsToPrivate
This attribute indicates how many packets have been sent to the private network since cold boot.
octetsToPrivate
This attribute indicates how many packets have been sent to the private network since cold boot.
1068 1424 SHDSL Router Chapter 13
User manual Performance attributes
h2Nat
This attibute displays the 2 hours performance summary with regard to the connections on the 1424
SHDSL Router, showing the number of socket allocations and transferred data over a given interval.
The elements of the h2Nat table have already been described in this section.
h24Nat
This attibute displays the 24 hours performance summary with regard to the connections on the 1424
SHDSL Router, showing the number of socket allocations and transferred data over a given interval.
The elements of the h24Nat table have already been described in this section.
d7Nat
This attibute displays the 7 days performance summary with regard to the connections on the 1424
SHDSL Router, showing the number of socket allocations and transferred data over a given interval.
The elements of the d7Nat table have already been described in this section.
reset
Use this action to release all sockets currently in use and return them to the free socket pool.
In other words, executing this action resets all NAT/PAT sessions that are currently established. It also
releases all official IP addresses that are dynamically assigned to a private IP address. If any TCP ses-
sions are still active, these sessions will be aborted.
Take care when using this action! All TCP information is lost when the sockets are released with this
action. Any TCP sessions in use at the time of the reset will go into a hang-up state. These applications
will need to restart.
1424 SHDSL Router Chapter 13 1069
User manual Performance attributes
router1424/ip/router/tunnels/l2tpTunnels
Element Description
inPriorityQueues This element displays the performance summary of the input priority queues on the
L2TP tunnel. In case an overload condition occurs and priority queuing is acti-
vated, then this elements displays how many packets the different queues contain.
The elements of the inPriorityQueues table have already been described in the ifOut-
PriorityQueues attribute of the LAN interface; refer to 13.3 - LAN interface perform-
ance attributes on page 1024 for a detailed description. Note that, here, they apply
on the input priority queues of the L2TP tunnel.
Refer to 7.11 - Applying QoS on routed traffic on page 259 for more information on
the priority queues.
outPriorityQueues This element displays the performance summary of the output priority queues on
the L2TP tunnel. In case an overload condition occurs and priority queuing is acti-
vated, then this elements displays how many packets the different queues contain.
The elements of the outPriorityQueues table have already been described in the ifOut-
PriorityQueues attribute of the LAN interface; refer to 13.3 - LAN interface perform-
ance attributes on page 1024 for a detailed description.
Refer to 7.11 - Applying QoS on routed traffic on page 259 for more information on
the priority queues.
ppp This element displays PPP related performance information of the L2TP tunnel.
The PPP structure contains the following elements:
• port. This is the interface index of the L2TP tunnel.
• lcp. This element displays LCP events of the L2TP tunnel.
• auth. This element displays authentication events of the L2TP tunnel.
• ipcp. This element displays IPCP events of the L2TP tunnel.
1424 SHDSL Router Chapter 13 1071
User manual Performance attributes
router1424/ip/router/tunnels/ipsecL2tpTunnels
router1424/ip/router/tunnels/ipsecTunnels
Element Description
router1424/ip/router/tunnels/greTunnels
Element Description
inPriorityQueues This element displays the performance summary of the input priority queues of the
GRE tunnel. In case an overload condition occurs and priority queuing is activated,
then this elements displays how many packets the different queues contain.
The elements of the inPriorityQueues table have already been described in the ifOut-
PriorityQueues attribute of the LAN interface; refer to 13.3 - LAN interface perform-
ance attributes on page 1024 for a detailed description. Note that, here, they apply
on the input priority queues of the GRE tunnel.
Refer to 7.11 - Applying QoS on routed traffic on page 259 for more information on
the priority queues.
outPriorityQueues This element displays the performance summary of the output priority queues of
the GRE tunnel. In case an overload condition occurs and priority queuing is acti-
vated, then this elements displays how many packets the different queues contain.
The elements of the outPriorityQueues table have already been described in the ifOut-
PriorityQueues attribute of the LAN interface; refer to 13.3 - LAN interface perform-
ance attributes on page 1024 for a detailed description.
Refer to 7.11 - Applying QoS on routed traffic on page 259 for more information on
the priority queues.
router1424/ip/router/tunnels/ipsecGreTunnels
This attribute displays the performance information of the IPSEC GRE tunnels.
The ipsecGreTunnels table contains the same elements as the greTunnels table. Refer to router1424/ip/router/
tunnels/greTunnels on page 1075.
1076 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/ip/router/manualSA[ ]/inPackets
Upon receipt of a (reassembled) packet containing an ESP Header, the receiver determines the appro-
priate SA, based on the destination IP address, security protocol (ESP), and the SPI. Once the appro-
priate SA is determined, the inPackets attribute is incremented for this SA.
router1424/ip/router/manualSA[ ]/outPackets
ESP is applied to an outbound packet only after it is determined that the packet is associated with an SA
that calls for ESP processing. Once the appropriate SA is determined, the outPackets attribute is incre-
mented for this SA.
router1424/ip/router/manualSA[ ]/espDecryptionFailure
This attribute displays the number of times the decryption of an incoming ESP packet failed.
router1424/ip/router/manualSA[ ]/espAuthenticationFailure
This attribute displays the number of times the authentication of an incoming ESP packet failed.
router1424/ip/router/manualSA[ ]/espSequenceNrReplay
For each incoming ESP packet, the receiver verifies that the packet contains a sequence number that
does not duplicate the sequence number of any other packets received during the life of this SA. Should
this be the case, then these packets are dropped and the espSequenceNrReplay attribute is incremented for
this SA.
router1424/ip/router/manualSA[ ]/espDroppedFrames
This attribute displays the number of ESP packets that were successfully decrypted and authenticated,
but that could not be delivered to the L2TP tunnel (e.g. because the tunnel was down) and had to be
dropped.
1078 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/ip/router/ikeSA[ ]/phase2Negotiations
This attribute displays performance information of the IKE phase 2 negotiation process.
The phase2Negotiations table contains the following elements:
Element Description
initStarted This element displays the number of IKE phase 2 negotiation initiations that were
started.
respStarted This element displays the number of IKE phase 2 negotiation responses that were
started.
succeeded This element displays the number of IKE phase 2 negotiations that succeeded.
failed This element displays the number of IKE phase 2 negotiations that failed.
expiredSA This element displays the number of IKE SAs that expired.
router1424/ip/router/ikeSA[ ]/phase2Sessions
Element Description
direction This element displays the direction of the IPSEC SA. Possible values are: inbound
or outbound.
spi This element displays the Security Parameter Index of the IPSEC SA.
protocol This element displays which protocol is used in the IPSEC SA. Possible values
are: esp or ah.
outPackets This element displays the number of outbound packets for which an appropriate
SA could be determined.
Only after an appropriate SA could be determined, the security protocol (ESP or
AH) is applied to the outbound packet.
outOctets This element displays the number of outbound octets (bytes) for which an appro-
priate SA could be determined.
inPackets This element displays the number of inbound packets for which an appropriate SA
could be determined.
Only after an appropriate SA could be determined, the inbound packet is accepted.
inOctets This element displays the number of inbound octets (bytes) for which an appropri-
ate SA could be determined.
authenticationFail- This element displays the number of times the authentication of an incoming
ure packet failed.
1080 1424 SHDSL Router Chapter 13
User manual Performance attributes
Element Description
decryptionFailure This element displays the number of times the decryption of an incoming packet
failed.
sequenceNrReplay For each incoming packet, the receiver verifies that the packet contains a
sequence number that does not duplicate the sequence number of any other pack-
ets received during the life of this SA. Should this be the case, then these packets
are dropped and the sequenceNrReplay attribute is incremented for this SA.
droppedFrames This element displays the number of packets that were successfully decrypted and
authenticated, but that could not be delivered to the L2TP tunnel (e.g. because the
tunnel was down) and had to be dropped.
1424 SHDSL Router Chapter 13 1081
User manual Performance attributes
This section discusses the performance attributes concerned with BGP. First, the ePeer and iPeer BGP
performance attributes are discussed, followed by the routeFilter and routeMap performance attributes.
The following gives an overview of this section:
• ePeer and iPeer performance attributes on page 1082
• routeFilter performance attributes on page 1086
• routeMap performance attributes on page 1088
1082 1424 SHDSL Router Chapter 13
User manual Performance attributes
The attributes above all refer to the ePeer object. The attributes of the iPeer object are identical.
1424 SHDSL Router Chapter 13 1083
User manual Performance attributes
router1424/router/bgp/ePeer[ ]/sessions
This attribute displays counters which are useful to check the stability of a BGP peer session.
The sessions structure contains the following elements:
Element Description
established This element displays the number of times the peer has reached the established
state.
dropped This element displays the number of times the peer has dropped out of the estab-
lished state.
router1424/router/bgp/ePeer[ ]/messagesSent
This attribute displays counters keeping track of the number of different BGP messages sent.
The messagesSent structure contains the following elements:
Element Description
keepAlive This element displays the number of keep alive messages sent.
router1424/router/bgp/ePeer[ ]/messagesRcvd
This attribute displays counters keeping track of the number of different BGP messages received.
The messagesSent structure contains the following elements:
Element Description
keepAlive This element displays the number of keep alive messages received.
router1424/router/bgp/ePeer[ ]/prefixesSent
This attribute displays the number of prefixes in the update messages sent over a peer.
The prefixesSent structure contains the following elements:
Element Description
announced This element displays the number of announced prefixes, which are new or have
changed in the routing table.
withdrawn This element displays the number of prefixes, withdrawn from the routing table.
router1424/router/bgp/ePeer[ ]/prefixesRcvd
This attribute displays the number of prefixes in the update messages received over a peer.
The prefixesSent structure contains the following elements:
Element Description
announced This element displays the number of announced prefixes, which are new or have
to be changed in the routing table.
withdrawn This element displays the number of prefixes, which must be withdrawn from the
routing table.
router1424/router/bgp/ePeer[ ]/inboundFilters
This attribute displays a list of the BGP routeFilter objects which will be applied on all announced prefixes
in incoming update packets.
The inboundFilters table contains the following elements:
Element Description
uses This element displays the number of matching prefixes received on this peer, on
which this inbound filter is applied.
1424 SHDSL Router Chapter 13 1085
User manual Performance attributes
router1424/router/bgp/ePeer[ ]/outboundfilters
This attribute displays a list of the BGP routeFilter objects which will be applied on all announced prefixes
in outgoing update packets.
The outboundFilters table contains the following elements:
Element Description
uses This element displays the number of matching prefixes scheduled to be sent out
on this peer, on which this outbound filter is applied.
router1424/router/bgp/ePeer[ ]/inboundMaps
This attribute displays a list of the BGP routeMap objects which will be applied on all announced prefixes
in incoming update packets.
The inboundMaps table contains the following elements:
Element Description
uses This element displays the number of matching prefixes received on this peer, on
which this inbound map is applied.
router1424/router/bgp/ePeer[ ]/outboundMaps
This attribute displays a list of the BGP routeMap objects which will be applied on all announced prefixes
in outgoing update packets.
The outboundMaps table contains the following elements:
Element Description
uses This element displays the number of matching prefixes scheduled to be sent out
on this peer, on which this outbound map is applied.
1086 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/router/bgp/routeFilter[ ]/uses
This attribute displays the number of times a match has been found within the filter table.
router1424/router/bgp/routeFilter[ ]/filters
This attribute displays a more detailed overview of the filter rows and the matches per row.
The filters table contains the following elements:
Element Description
network This element displays the configured network after applying the prefixLength.
prefixLength This element displays the prefixLength configuration, displayed in maskLength [min-
Len .. maxLen] format.
asPath This element displays the asPath filtering configuration, displayed as a regular
expression.
uses This element displays the number of times a match has been found for this filter
row.
1088 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/router/bgp/routeMap[ ]/uses
This attribute displays the number of times this routeMap has been applied.
1090 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/ip/router/routingFilter[ ]
filter
Element Description
uses This is the number of times the network has been forwarded.
1092 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/ip/router/firewall/h24General
maxConn the number of times that the maximum number of connections was reached.
maxResource the number of times that the used resources exceeded 80%. This could indicate
flooding.
noSrcRoute the number of times that no route to the source could be found.
connLimit the number of times that the maximum number of connections was reached.
srcRouteOpt the number of times that the source routing option was set for an IP packet.
policyDeleted the number of times that the policy was already deleted.
noDestRoute the number of times that no route to the destination could be found.
router1424/ip/router/firewall/d7General
router1424/ip/router/firewall/h24Attack
unexpUdpE- the number of received UDP echo responses for uninitiated requests.
choResp
unexpIcmpE- the number of received ICMP echo responses for uninitiated requests.
choResp
minIpHdrLen the number of packets with an IP header length less than the minimum length.
badTcpLen the number of times the TCP packet length was invalid.
badUdpLen the number of times the UDP packet length was invalid.
zeroBytes the number of times zero bytes were transferred for a connection.
unexpData the number of times unexpected data was received for uninitiated traffic.
unexpIcmpErr the number of received ICMP error messages for uninitiated requests.
router1424/ip/router/firewall/d7Attack
router1424/ip/vrfRouter[ ]
router1424/ip/vrfRouter[ ]/routingFilter[ ]
router1424/profiles/policy/traffic/ipTrafficPolicy[ ]/discards
This attribute indicates how many packets have been discarded based on the criteria that are defined by
the IP traffic policy.
router1424/profiles/policy/traffic/ipTrafficPolicy[ ]/trafficShaping
This attribute shows the usage of each line in the traffic shaping table.
The trafficShaping table contains the following elements:
Element Description
name This is the name of the line in the traffic shaping table as you configured it.
uses This is the number of times this line in the traffic shaping table is used.
tosEndValue Packets that fall within the specified range are forwarded and queued if applicable.
ipProtocolEnd Packets that have the specified protocol field are forwarded and queued if applica-
ble.
sourcePortEnd Packets that fall within the specified range are forwarded and queued if applicable.
destinationPortEnd Packets that fall within the specified range are forwarded and queued if applicable.
octets This is the number of octets that were treated by the line in the traffic shaping table.
destination This is the destination interface. It could also be discard, meaning that these packets
were denied.
1424 SHDSL Router Chapter 13 1099
User manual Performance attributes
This section discusses the performance attributes concerned with bridging. First it describes the general
bridging performance attributes. Then it explains the performance attributes of the extra features as
there are access listing, etc…
The following gives an overview of this section:
• 13.11.1 - Bridge group performance attributes on page 1100
• 13.11.2 - Bridge access list performance attributes on page 1107
1100 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/bridge/bridgeGroup/
bridgeCache
When a port of the bridge enters the learning state, it stores the MAC addresses of the stations situated
on the network that is connected to this port. The MAC addresses are stored in a MAC address database
or bridge cache. The bridgeCache attribute visualises this address database. Refer to What is the bridge
cache? on page 775 for more information.
The bridgeCache table contains the following elements:
Element Description
interface This is the interface through which the station can be reached.
macAddress This is the MAC address of the station situated on the network connected to the
interface.
vlanId This element displays the VLAN ID of the VLAN the interface is part of.
filterId This is the ID that identifies the VLAN group the VLAN belongs to.
rxPkts This is the number of packets received from the corresponding MAC address.
txPkts This is the number of packets forwarded to the corresponding MAC address.
staticViolations This is the number of packets that have been counted as static violation, for the
respective interface and macAddress.
When a packet arrives on an interface with a source address which is not known
in the bridge cache, the packet is discarded and counted as a static violation. This
normally only occurs when learning is disabled on the bridging interface.
Also note that, when learning is disabled and there is no entry in the staticBridgeCache,
staticViolations are still counted when packets are received (eventhough the static-
BridgeCache is empty).
When this kind of staticViolations occurs, there is no possibility for searching which
MAC address is the cause of the static violation, since there is no entry of this MAC
address in the bridgeCache.
Refer to 8.2.6 - Explaining the bridging structure on page 318 for more information
about the learning element.
relearns This is the number of packets that have been relearned via the respective interface
and macAddress. This indicates that some inconsistency is present in the network.
relearnDrops This is the number of relearned packets on the interface that have been dropped.
1102 1424 SHDSL Router Chapter 13
User manual Performance attributes
bridgeDiscards
This attribute displays the number of times a frame was discarded because …
• it was received on the same interface as the one through which the destination address can be
reached.
• it was received on an interface that is not in the forwarding state.
bridgeFloods
This attribute displays the number of times a frame was flooded on all interfaces because the position of
the station with the destination MAC address was not known (yet).
bridgeBroadcasts
This attribute displays the number of times a frame was flooded on all interfaces because it was a broad-
cast.
bridgeMulticasts
This attribute displays the number of times a frame was flooded on all interfaces because it was a mul-
ticast.
1424 SHDSL Router Chapter 13 1103
User manual Performance attributes
vlan
This attribute displays the SNMP MIB2 performance parameters of the VLANs that are present on the
bridge group.
The vlan table contains the following elements:
Element Description
name This element displays the name of the VLAN as you configured it.
mibCounters This element displays the SNMP MIB2 performance parameters of the VLAN.
Refer to 13.3 - LAN interface performance attributes on page 1024 for an explana-
tion of the individual SNMP MIB2 performance parameters.
vlanSwitching
This attribute displays the performance information of the VLAN switching process.
The vlanSwitching table contains the following elements:
Element Description
sourceIntf This element displays the name of the source interface which carries the VLAN
that is being switched.
sourcePFilter This element displays the filter that is applied on the priority bits of the source
VLAN packets.
tunnelMode This element displays wheather or not tunnel mode has been enabled or disabled
between source and destination.
uses This element displays the number of packets that have been switched.
1104 1424 SHDSL Router Chapter 13
User manual Performance attributes
cacheEvents
This attribute displays some unusual events with regard to the bridge cache.
The cacheEvents table contains the following elements:
Element Description
sizeOverflows This element displays the number of times the maximum allowed bridge cache
size has been exceeded.
staticViolations This is the total number of packets that have been counted as static violation.
When a packet arrives on an interface with a source address which is not known
in the bridge cache, the packet is discarded and counted as a static violation. This
normally only occurs when learning is disabled on the bridging interface.
Also note that, when learning is disabled and there is no entry in the staticBridgeCache,
staticViolations are still counted when packets are received (eventhough the static-
BridgeCache is empty).
When this kind of staticViolations occurs, there is no possibility for searching which
MAC address is the cause of the static violation, since there is no entry of this MAC
address in the bridgeCache.
Refer to 8.2.6 - Explaining the bridging structure on page 318 for more information
about the learning element.
relearns This is the total number of packets that have been relearned within the bridge
group on the different interfaces. This indicates that some inconsistency is present
in the network.
relearnDrops This is the total number of relearned packets that have been dropped within the
bridge group on the different interfaces.
bridgeRxPkts
bridgeTxPkts
bridging
This attribute displays bridging performance information per individual bridging interface.
The bridging table contains the following elements:
Element Description
rxDiscards This is the number of times a frame was discarded on the interface.
rxFloods This is the number of times a frame was received that was flooded on all interfaces.
rxBroadcasts This is the number of times a broadcast frame was received on the interface.
rxMulticasts This is the number of times a multicast frame was received on the interface.
cache The cache structure contains the following elements: sizeOverflows, staticViolations,
relearns and relearnDrops.
Refer to cacheEvents on page 1104 for a detailed explanation; here, they apply to the
specific interface.
h2Performance This attribute displays the 2 hours bridging performance summary of the interface.
h24Performance This attribute displays the 24 hours performance summary of the bridge group.
d7Performance This attribute displays the 7 days performance summary of the bridge group.
1106 1424 SHDSL Router Chapter 13
User manual Performance attributes
h2Performance
This attribute displays the 2 hours performance summary of the bridge group.
The h2Performance table contains the following elements:
floods the number of received frames that were flooded on all interfaces.
cacheSizeOverflows the number of times the maximum allowed bridge cache size has been
exceeded.
staticCacheViolations the number of packets that have been counted as static violations.
h24Performance
This attribute displays the 24 hours performance summary of the bridge group. The h24Performance table
contains the same elements as the h2Performance.
d7Performance
This attribute displays the 7 days performance summary of the bridge group. The d7Performance table con-
tains the same elements as the h2Performance.
1424 SHDSL Router Chapter 13 1107
User manual Performance attributes
router1424/bridge/accessList[ ]/bridgeAccessList
This attribute shows information on the use of the bridge access list.
The bridgeAccessList table contains the following elements:
Element Description
macAddress This is the MAC address as configured in the configuration attribute router1424/
bridge/accessList[ ]/bridgeAccessList.
uses This indicates the number of times a packet has been discarded for the corre-
sponding MAC address.
router1424/bridge/accessList[ ]/advancedFilter
This attribute shows information on the advanced filters as configured in advancedFilter on page 788.
For every advanced filter that was defined, one line appears here in the advancedFilter table. This table
gives an indication of the efficiency of the defined filter(s).
Ideally, the filter with the highest number of matches, should be at the top of the table. When this is not
the case, it is recommendable the redefine the advancedFilter table (refer to advancedFilter on page 788).
The advancedFilter table contains the following elements:
Element Description
matched This is a counter that displays the number of packets that matched the defined fil-
ter.
checked This is a counter that displays the total number of packets that were checked by
the defined filter.
sourceMacStart This is the start address of the source MAC address range that was filtered.
sourceMacEnd This is the end address of the source MAC address range that was filtered.
destinationMacStart This is the start address of the destination MAC address range that was filtered.
destinationMacEnd This is the end address of the destination MAC address range that was filtered.
vlan This is the VLAN that was defined in the advanced filter.
priority This is the value of the priority bits, in the VLAN header of the filtered frames, that
was defined in the advanced filter.
protocol This is the protocol that was defined in the advanced filter.
action This is the action that was executed on the filtered frames.
advanced This is the advanced action that was executed on the filtered frames.
1424 SHDSL Router Chapter 13 1109
User manual Performance attributes
router1424/snmp/mib2Counters
Element Description
outPkts This is the total number of SNMP Messages that were sent.
inBadVersions This is the total number of received SNMP Messages that were for an
unsupported SNMP version.
inBadCommunityNames This is the total number of SNMP Messages delivered to the 1424 SHDSL
Router which used an unknown SNMP community name.
inAsnParseErrs This is the total number of ASN.1 or BER errors encountered by the 1424
SHDSL Router when decoding received SNMP Messages.
inTotalReqVars This is the total number of MIB objects which have been retrieved success-
fully by the 1424 SHDSL Router as the result of receiving valid SNMP Get-
Request and Get-Next PDUs.
inTotalSetVars This is the total number of MIB objects which have been altered successfully
by the 1424 SHDSL Router as the result of receiving valid SNMP Set-
Request PDUs.
inGetRequests This is the total number of SNMP Get-Request PDUs which have been
accepted and processed by the 1424 SHDSL Router.
inGetNexts This is the total number of SNMP Get-Next PDUs which have been
accepted and processed by the 1424 SHDSL Router.
inSetRequests This is the total number of SNMP Set-Request PDUs which have been
accepted and processed by the 1424 SHDSL Router.
inGetResponses This is the total number of SNMP Get-Response PDUs which have been
accepted and processed by the 1424 SHDSL Router.
inTraps This is the total number of SNMP Trap PDUs which have been accepted
and processed by the 1424 SHDSL Router.
outTooBigs This is the total number of SNMP PDUs which were generated by the 1424
SHDSL Router and for which the value of the error status field is tooBig.
outNoSuchNames This is the total number of SNMP PDUs which were generated by the 1424
SHDSL Router and for which the value of the error status field is
noSuchName.
outBadValues This is the total number of SNMP PDUs which were generated by the 1424
SHDSL Router and for which the value of the error status field is badValue.
outGenErrs This is the total number of SNMP PDUs which were generated by the 1424
SHDSL Router and for which the value of the error status field is genErr.
outGetResponses This is the total number of SNMP Get-Response PDUs which have been
generated by the 1424 SHDSL Router.
1424 SHDSL Router Chapter 13 1111
User manual Performance attributes
Element Description
outTraps This is the total number of SNMP Trap PDUs which have been generated
by the 1424 SHDSL Router.
router1424/snmp/mpdStats
This attribute displays the SNMP Message Processing and Dispatching parameters.
The mpdStats structure contains the following elements:
Element Description
unknownsecurityModels This is the total number of packets received by the SNMP engine which
were dropped because they referenced a security model that was not known
to or supported by the SNMP engine.
invalidMsgs This is the total number of packets received by the SNMP engine which
were dropped because there were invalid or inconsistent components in the
SNMP message.
unknownPduHandlers This is the total number of packets received by the SNMP engine which
were dropped because the PDU contained in the packet could not be
passed to an application responsible for handling the PDU type.
router1424/snmp/usmStats
Element Description
unsupportedSecLevels This is the total number of packets received by the SNMP engine which
were dropped because they requested a security level that was unknown to
the SNMP engine or otherwise unavailable.
notInTimeWindows This is the total number of packets received by the SNMP engine which
were dropped because they appeared outside of the authoritative SNMP
engine's window.
unknownUserNames This is the total number of packets received by the SNMP engine which
were dropped because they referenced a user that was not known to the
SNMP engine.
unknownEngineIds This is the total number of packets received by the SNMP engine which
were dropped because they referenced an snmpEngineId that was not known
to the SNMP engine.
wrongDigests This is the total number of packets received by the SNMP engine which
were dropped because they did not contain the expected digest value.
decryptionErrors This is the total number of packets received by the SNMP engine which
were dropped because they could not be decrypted.
1112 1424 SHDSL Router Chapter 13
User manual Performance attributes
router1424/management/cms2SessionCount
This attribute displays the number of CMS2 sessions that are currently active on the 1424 SHDSL
Router.
There are always minimum two fixed sessions active. Connecting with TMA, TMA CLI, Telnet, etc. opens
additional sessions. This is explained in the following table:
+ 1 session When connecting with TMA for HP OpenView or the Alarm Manager.
router1424/management/cliSessionCount
This attribute displays the number of CLI sessions that are currently active on the 1424 SHDSL Router.
There are always minimum two fixed sessions active. Connecting with TMA CLI, the Web Interface, etc.
opens additional sessions. This is explained in the following table:
router1424/management/tftpSessionCount
This attribute displays the number of TFTP sessions that are currently active on the 1424 SHDSL Router.
router1424/management/tcpSessionCount
This attribute displays the number of TCP sessions that are currently active on the 1424 SHDSL Router.
The following table shows when a TCP session opens:
router1424/management/ipStackEvents
This attribute gives an indication of the internal load of the protocol stack.
1424 SHDSL Router Chapter 13 1115
User manual Performance attributes
router1424/operatingSystem/currUsedProcPower
This attribute displays the amount of processing power used during the last 650 milliseconds, expressed
as a percentage of the total available processing power.
router1424/operatingSystem/usedProcPower
This attribute lists the used processing power for the 11 most recent 30 seconds intervals. The process-
ing power is expressed as a percentage of the total processing power.
The usedProcPower table contains the following elements:
Element Description
sysUpTime This is the elapsed time since the last cold boot. The next values are for the 30
seconds period before this relative time stamp.
min This is the minimum percentage of processing power in use during the last 30 sec-
onds.
average This is the average percentage of processing power in use during the last 30 sec-
onds.
max This is the maximum percentage of processing power in use during the last 30 sec-
onds.
router1424/operatingSystem/freeDataBuffers
The processor uses buffers for storing the packets during processing and/or queuing. Each buffer has a
256 byte size, headers included. This attribute is the number of data buffers currently not in use and
available for e.g. incoming data.
router1424/operatingSystem/totalDataBuffers
router1424/operatingSystem/largestFreeBlockSize
The processor uses RAM memory for storing internal information and buffering. The different tasks allo-
cate RAM memory on request. Tasks may also free memory again. In this way the total RAM memory
becomes fragmented. This attribute gives the size of the largest contiguous free memory block
expressed in bytes.
router1424/operatingSystem/freeBlockCount
router1424/operatingSystem/freeMemory
router1424/operatingSystem/totalMemory
router1424/operatingSystem/taskInfo
This attribute contains status information concerning the different tasks running on the processor. It is a
table grouping up to 31 task slots, which is the maximum number of parallel tasks running on the proc-
essor's operating system.
This attribute contains the same elements as the status attribute router1424/operatingSystem/taskInfo on
page 1012.
1118 1424 SHDSL Router Chapter 13
User manual Performance attributes
1424 SHDSL Router Chapter 14 1119
User manual Alarm attributes
14 Alarm attributes
Depending on the device, some features may or may not be present. Refer to the detailed features over-
view: 1.3 - Overview of features on page 7
This chapter discusses the alarm attributes of the 1424 SHDSL Router. The following gives an overview
of this chapter:
• 14.1 - Alarm attributes overview on page 1120
• 14.2 - Introducing the alarm attributes on page 1123
• 14.3 - General alarms on page 1126
• 14.4 - LAN interface alarms on page 1128
• 14.5 - WAN interface alarms on page 1129
• 14.6 - EFM alarms on page 1131
• 14.7 - SHDSL line alarms on page 1132
• 14.8 - SHDSL line pair alarms on page 1133
• 14.9 - End and repeater alarms on page 1135
• 14.10 - Bundle alarms on page 1139
• 14.11 - Router and vrfRouter[ ] alarms on page 1140
• 14.12 - Bridge group alarms on page 1141
• 14.13 - BGP ePeer and iPeer alarms on page 1142
1120 1424 SHDSL Router Chapter 14
User manual Alarm attributes
> router1424
totalAlarmLevel
alarmInfo
notResponding
alarmSyncLoss
configChanged
access
unknownStatus
coldBoot
warmBoot
codeConsistencyFail
configConsistencyFail
>> lanInterface
alarmInfo
linkDown
>> dslInterface
alarmInfo
linkDown
>>> channel[ ]
linkDown
>>>> efm
linkDown
>>> line
alarmInfo
linkDown
invalidNumRepeaters
testActive
>>>> linePair[ ]
alarmInfo
linkDown
lineAttenuation
noiseMargin
errSecRatioExceeded
sevErrSecRatioExceeded
bbErrRatioExceeded
1424 SHDSL Router Chapter 14 1121
User manual Alarm attributes
>>> repeater[ ]
alarmInfo
linkDown
remoteAlarmHigh
remoteAlarmLow
unknownState
>>>> networkLinePair[ ]
alarmInfo
lineAttenuation
noiseMargin
errSecRatioExceeded
sevErrSecRatioExceeded
bbErrRatioExceeded
>>>> customerLinePair[ ]
alarmInfo
lineAttenuation
noiseMargin
errSecRatioExceeded
sevErrSecRatioExceeded
bbErrRatioExceeded
>>> end
alarmInfo
linkDown
remoteAlarmHigh
remoteAlarmLow
unknownState
>>>> linePair[ ]
alarmInfo
lineAttenuation
noiseMargin
errSecRatioExceeded
sevErrSecRatioExceeded
bbErrRatioExceeded
>> router
alarmInfo
pingActive
qMonLoss
qMonDelay
qMonJitter
1122 1424 SHDSL Router Chapter 14
User manual Alarm attributes
>>> bgp
>>>> ePeer
alarmInfo
sessionDown
>>>> iPeer
alarmInfo
sessionDown
>> bridge
>>> bridgeGroup
alarmInfo
linkDown
linkShutdown
>> vrfRouter[ ]
alarmInfo
pingActive
qMonLoss
qMonDelay
qMonJitter
1424 SHDSL Router Chapter 14 1123
User manual Alarm attributes
Before discussing the alarm attributes of the 1424 SHDSL Router in detail, some general information on
the alarm attributes of the 1424 SHDSL Router is given.
The following gives an overview of this chapter:
• 14.2.1 - Configuration alarm attributes on page 1124
• 14.2.2 - General alarm attributes on page 1125
1124 1424 SHDSL Router Chapter 14
User manual Alarm attributes
router1424/…/alarmMask
Use this attribute to mask or unmask the alarms of an object. This determines whether an active alarm
is forwarded to the central management system (e.g. HP OpenView) or not.
The alarms in the alarmMask attribute have the following values:
Value Is the active alarm being forwarded to the central management system?
Alarms are always seen in the alarmInfo alarm attribute of an object, regardless of the masking of the
alarm. I.e. even if an alarm is set to disabled in the alarmMask of an object, if the alarm condition is fulfilled
then the alarm will be set to on in the alarmInfo of that object. However, because this alarm is disabled it
will not be sent to the central management system (e.g. HP OpenView).
Only the most important alarms are unmasked (i.e. enabled) by default. All other alarms are masked (i.e.
disabled).
router1424/…/alarmLevel
Use this attribute to assign a priority level to each alarm of the corresponding object. The alarm level
range goes from 0 to 254, where 0 is the lowest and 254 is the highest priority level.
The alarmLevel of an unmasked, active alarm is sent to the totalAlarmLevel alarm attribute of the top object
router1424.
1424 SHDSL Router Chapter 14 1125
User manual Alarm attributes
router1424/totalAlarmLevel
This attribute is only present in the top object of the containment tree of the 1424 SHDSL Router, being
router1424.
It displays the priority level of an unmasked, active alarm. When several alarms are generated at the
same time, the highest priority level is shown. If the alarm levels are set in a structured manner, one look
at the totalAlarmLevel attribute enables the operator to make a quick estimation of the problem.
The value of the totalAlarmLevel attribute is also communicated to the central management system (e.g.
HP OpenView) where it determines the colour of the icon. This colour is an indication of the severity of
the alarm.
router1424/…/alarmInfo
This attribute contains the actual alarm information of the corresponding object.
The alarmInfo structure contains the following elements:
discriminator the total alarm count since the last cold boot.
Refer to 14.2 - Introducing the alarm attributes on page 1123 for general information on the alarm
attributes.
router1424/alarmInfo
The different alarms related to the router1424 object together with their explanation and default alarmMask
and alarmLevel value are given in the following table:
alarmMask alarmLevel
Example
unknownState each time a new 1424 SHDSL Router is added to the disabled 0
network and before the management concentrator has
completed a first successful polling session.
coldBoot each time the 1424 SHDSL Router performs a cold boot. disabled 1
warmBoot each time the 1424 SHDSL Router performs a warm disabled 1
boot.
1424 SHDSL Router Chapter 14 1127
User manual Alarm attributes
alarmMask alarmLevel
Refer to 14.2 - Introducing the alarm attributes on page 1123 for general information on the alarm
attributes.
router1424/lanInterface/alarmInfo
The alarm related to the lanInterface object together with its explanation and default alarmMask and
alarmLevel value is given in the following table:
alarmMask alarmLevel
linkDown when no valid LAN data is detected. I.e. when the con- enabled 3
nection between the interface and the LAN is down.
1424 SHDSL Router Chapter 14 1129
User manual Alarm attributes
router1424/dslInterface/
router1424/dslInterface/channel[ ]/
alarmInfo
The alarm related to the wanInterface object together with its explanation and default alarmMask and
alarmLevel value is given in the following table:
alarmMask alarmLevel
router1424/wanEfm/efm/alarmInfo
The alarm related to the efm object together with its explanation and default alarmMask and alarmLevel value
is given in the following table:
alarmMask alarmLevel
linkDown when no valid EFM data is detected. I.e. when the EFM enabled 3
connection is down.
1132 1424 SHDSL Router Chapter 14
User manual Alarm attributes
Refer to 14.2 - Introducing the alarm attributes on page 1123 for general information on the alarm
attributes.
router1424/wanInterface/line/alarmInfo
The alarms related to the line object together with their explanation and default alarmMask and alarmLevel
value are given in the following table:
alarmMask alarmLevel
linkDown when the line is down. I.e. no data can be transmitted enabled 3
over the line.
This section describes the alarms of the alarm attribute router1424/wanInterface/line/linePair[ ]/alarmInfo.
Refer to 14.2 - Introducing the alarm attributes on page 1123 for general information on the alarm
attributes.
router1424/wanInterface/line/linePair[ ]/alarmInfo
The alarms related to the linePair[ ] object together with their explanation and default alarmMask and
alarmLevel value are given in the following table:
alarmMask alarmLevel
linkDown when the line pair is down. I.e. no data can be transmit- disabled 3
ted over the line pair.
lineAttenuation when the line attenuation exceeds the value configured disabled 1
in the linkAlarmThresholds for at least 10 seconds. The
alarm is cleared when the line attenuation drops below
this value for at least 10 seconds.
Note that in case the eocHandling attribute is set to alarm-
Configuration, the central SHDSL device forces the remote
SHDSL device to use the linkAlarmThresholds/lineAttenuation
as configured on the central device.
For more information, refer to …
• 5.5.3 - Controlling the standard EOC message
exchange on page 81
• 5.5.4 - Which standard EOC information is retrieved?
on page 83
1134 1424 SHDSL Router Chapter 14
User manual Alarm attributes
alarmMask alarmLevel
noiseMargin when the signal noise exceeds the value configured in disabled 1
the linkAlarmThresholds for at least 10 seconds. The alarm
is cleared when the signal noise drops below this value
for at least 10 seconds.
Note that in case the eocHandling attribute is set to alarm-
Configuration, the central SHDSL device forces the remote
SHDSL device to use the linkAlarmThresholds/signalNoise as
configured on the central device.
For more information, refer to …
• 5.5.3 - Controlling the standard EOC message
exchange on page 81
• 5.5.4 - Which standard EOC information is retrieved?
on page 83
bbErrRatioEx- when the background block error ratio exceeds the disabled 1
ceeded value configured in the linkAlarmThresholds configuration
attribute within a 15 minute period1. The alarm is cleared
when the background block error ratio drops below this
value within a 15 minute period.
1. The 15 minutes periods run synchronous with the 15 minutes periods of the router1424/wanInter-
face/line/h2Line performance attribute.
Because alarms are raised or cleared within 15 minutes periods, there is a delay in the alarm
status. For example, suppose that in the first minute of a 15 minutes period the errSecOn value
is exceeded, then the errSecExceeded alarm is raised. The alarm stays on for the remainder of
the 15 minutes period. The alarm is only cleared if also in the next 15 minutes period the
errSecOn value is not exceeded.
1424 SHDSL Router Chapter 14 1135
User manual Alarm attributes
router1424/dslInterface/end/
router1424/dslInterface/end/linePair[ ]
The repeater[ ] and end objects contain the same attributes, therefore only the alarms of the end object are
described.
1136 1424 SHDSL Router Chapter 14
User manual Alarm attributes
alarmInfo
The alarm related to the end object together with its explanation and default alarmMask and alarmLevel value
is given in the following table:
alarmMask alarmLevel
unknownState each time a new 1424 SHDSL Router is added to the disabled 4
network and before the management concentrator has
completed a first successful polling session.
1424 SHDSL Router Chapter 14 1137
User manual Alarm attributes
alarmInfo
The alarm related to the end/linePair[ ] object together with its explanation and default alarmMask and
alarmLevel value is given in the following table:
alarmMask alarmLevel
alarmMask alarmLevel
bbErrRatioEx- when the background block error ratio exceeds the disabled 1
ceeded value configured in the linkAlarmThresholds configuration
attribute within a 15 minute period1. The alarm is cleared
when the background block error ratio drops below this
value within a 15 minute period.
1. The 15 minutes periods run synchronous with the 15 minutes periods of the router1424/wanInter-
face/line/h2Line performance attribute.
Because alarms are raised or cleared within 15 minutes periods, there is a delay in the alarm
status. For example, suppose that in the first minute of a 15 minutes period the errSecOn value
is exceeded, then the errSecExceeded alarm is raised. The alarm stays on for the remainder of
the 15 minutes period. The alarm is only cleared if also in the next 15 minutes period the
errSecOn value is not exceeded.
1424 SHDSL Router Chapter 14 1139
User manual Alarm attributes
This section describes the alarms of the alarm attribute router1424/bundle/pppBundle[ ]/alarmInfo.
router1424/bundle/pppBundle[ ]/alarmInfo
The alarm related to the xxxBundle[ ] object together with its explanation and default alarmMask and
alarmLevel value is given in the following table:
alarmMask alarmLevel
linkDown when all the bundle links in the bundle are down. enabled 3
1140 1424 SHDSL Router Chapter 14
User manual Alarm attributes
router1424/ip/router/
router1424/ip/router/vrfRouter[ ]
Refer to 14.2 - Introducing the alarm attributes on page 1123 for general information on the alarm
attributes.
router1424/ip/router/alarmInfo
The alarm related to the router object together with its explanation and default alarmMask and alarmLevel
value is given in the following table:
alarmMask alarmLevel
qMonLoss is generated when more packets have been lost than disabled 3
allowed in the configuration of the qualityMonitor.
Refer to the qualityMonitor attribute in 11.9.1 - General
router configuration attributes on page 617 for more
information about configuring the quality monitor.
qMonDelay is generated when the delay is bigger than allowed in the disabled 3
configuration of the qualityMonitor.
Refer to the qualityMonitor attribute in 11.9.1 - General
router configuration attributes on page 617 for more
information about configuring the quality monitor.
qMonJitter is generated when the jitter is bigger than allowed in the disabled 3
configuration of the qualityMonitor.
Refer to the qualityMonitor attribute in 11.9.1 - General
router configuration attributes on page 617 for more
information about configuring the quality monitor.
1424 SHDSL Router Chapter 14 1141
User manual Alarm attributes
router1424/bridge/bridgeGroup
alarmInfo
The alarm related to the bridgeGroup object together with its explanation and default alarmMask and
alarmLevel value is given in the following table:
alarmMask alarmLevel
Refer to 14.2 - Introducing the alarm attributes on page 1123 for general information on the alarm
attributes.
The attribute below refers to the ePeer object. The attribute of the iPeer object is identical.
router1424/ip/router/bgp/ePeer/alarmInfo
The alarm related to the ePeer object together with its explanation and default alarmMask and alarmLevel
value is given in the following table:
alarmMask alarmLevel
To display the sub-system picture of the 1424 SHDSL Router, click on the sub-system picture button
located in the TMA toolbar: .
This paragraph displays and labels the different elements of the sub-system picture. It also explains how
the visual indications should be interpreted.
1144 1424 SHDSL Router Chapter 15
User manual TMA sub-system picture
The following table gives an overview of the sub-system picture elements and what they indicate:
Element Description
LAN This reflects the status of the LAN interface. The possible indications are:
• green. There is no alarm active in the corresponding lanInterface object.
• red. An alarm is active in the corresponding lanInterface object.
The colour of the LAN interface only changes if the alarms related to the
lanInterface object are set to enabled in the alarmMask.
LINE This reflects the status of the WAN interface and of the line pair(s). The possible
indications are:
• green outside. There is no alarm active in the corresponding
wanInterface object.
• red outside. An alarm is active in the corresponding wanInterface
object.
• green inside, left. There is no alarm active in the corresponding linePair[1] object.
• red inside, left. An alarm is active in the corresponding linePair[1] object.
• green inside, right. There is no alarm active in the corresponding linePair[2]
object.
• red inside, right. An alarm is active in the corresponding linePair[2] object.
The colours of the WAN interface / line pair(s) only change if the alarms
related to the wanInterface / linePair[ ] objects are set to enabled in the alarm-
Mask.
1146 1424 SHDSL Router Chapter 15
User manual TMA sub-system picture
1424 SHDSL Router Chapter 16 1147
User manual Auto installing the 1424 SHDSL Router
The 1424 SHDSL Router uses several protocols during its auto-install sequence. These are introduced
below.
What is BootP?
BootP (RFC 951) is used by IP devices that have no IP address to obtain one.
The client IP device sends a limited broadcast request on its interfaces requesting an IP address. The
request contains the client its MAC address, which is a unique identifier (refer to What is the ARP cache?
on page 512 for more information).
A workstation with a BootP server interprets incoming BootP requests. You can configure a file on the
server with MAC address and IP address/subnet mask pairs for all devices in the network you want to
service. If the MAC address in the BootP request matches a MAC address in this file, the BootP server
replies with the corresponding IP address and subnet mask.
Assigning an IP address in this way is done through a simple request - response handshake.
The 1424 SHDSL Router, being a router, always requests a static IP address.
What is DHCP?
DHCP (RFC 2131 and RFC 2132) is used by IP devices that have no IP address to obtain one.
The client IP device sends a limited broadcast request on its interfaces requesting an IP address. The
request contains the client its MAC address, which is a unique identifier (refer to What is the ARP cache?
on page 512 for more information).
A workstation with a DHCP server works in a similar way as with a BootP server. The difference with
BootP is that you can additionally configure a list of IP addresses on the server. These IP addresses are
dynamically assigned to the IP devices requesting an IP address, independently of their MAC address.
Those address assignments are limited in time.
Assigning an IP address in this way is done through a 4-way handshake and with regular renewals.
The 1424 SHDSL Router, being a router, always requests a static IP address.
What is DNS?
The Domain Name Service (DNS) is an Internet service that translates domain names into IP addresses.
Because domain names are alphabetic, they are easier to remember. The Internet however, is really
based on IP addresses. Therefore, every time you use a domain name, a DNS service must translate
the name into the corresponding IP address. For example, the domain name www.mywebsite.com might
translate to 198.105.232.4.
The DNS system is, in fact, its own network. If one DNS server doesn't know how to translate a particular
domain name, it asks another one, and so on, until the correct IP address is returned.
1424 SHDSL Router Chapter 16 1149
User manual Auto installing the 1424 SHDSL Router
What is TFTP?
Trivial File Transfer Protocol (TFTP) is an Internet software utility for transferring files that is simpler to
use than the File Transfer Protocol (FTP) but less capable. It is used where user authentication and
directory visibility are not required. TFTP uses the User Datagram Protocol (UDP) rather than the Trans-
mission Control Protocol (TCP). TFTP is described formally in Request for Comments (RFC) 1350.
TFTP is typically used in combination with BootP or DHCP to obtain the configuration of a device from
a TFTP server. The configuration file on this TFTP can be in a binary or an ASCII (CLI) format. How to
build such files is explained in 16.4 - Creating a configuration file on page 1162.
Being broadcast packets, BootP, DHCP, DNS and TFTP requests can cross a router using IP helper
addresses. The 1424 SHDSL Router is a relay agent for these protocols. This means it adds additional
information to the request packets allowing servers on distant networks to send back the answer.
1150 1424 SHDSL Router Chapter 16
User manual Auto installing the 1424 SHDSL Router
This section shows the auto-install sequence on the 1424 SHDSL Router its LAN interface.
The following gives an overview of this section:
• 16.2.1 - Set-up for auto-install on the LAN interface on page 1151
• 16.2.2 - Auto-install in case of Ethernet on page 1152
• 16.2.3 - Example of auto-install on the LAN interface on page 1153
1424 SHDSL Router Chapter 16 1151
User manual Auto installing the 1424 SHDSL Router
The following figure shows the set-up for auto-install on the LAN interface:
1152 1424 SHDSL Router Chapter 16
User manual Auto installing the 1424 SHDSL Router
The following shows how the 1424 SHDSL Router obtains an IP address and its configuration file:
Note again that the obtained IP address is assigned to the bridge group, not to the LAN interface itself
(since it is in bridging mode)! So if you check the status of the bridge group, you will see the IP address
there:
1424 SHDSL Router Chapter 16 1155
User manual Auto installing the 1424 SHDSL Router
This section shows the auto-install sequence on the 1424 SHDSL Router its WAN interface.
The following gives an overview of this section:
• 16.3.1 - Set-up for auto-install on the WAN interface on page 1156
• 16.3.2 - Auto-install in case of ATM on page 1157
• 16.3.3 - Auto-install in case of Frame-Relay on page 1158
• 16.3.4 - Example of auto-install on the WAN interface running ATM on page 1159
1156 1424 SHDSL Router Chapter 16
User manual Auto installing the 1424 SHDSL Router
The following figure shows the set-up for auto-install on the WAN interface:
1424 SHDSL Router Chapter 16 1157
User manual Auto installing the 1424 SHDSL Router
In order for the auto-install of the local OneAccess Router to be successful, the following must be con-
figured on the central OneAccess Router:
1424 SHDSL Router Chapter 16 1161
User manual Auto installing the 1424 SHDSL Router
The following shows how the local OneAccess Router obtains an IP address and its configuration file:
1162 1424 SHDSL Router Chapter 16
User manual Auto installing the 1424 SHDSL Router
In 16.2 - Auto-install on the LAN interface on page 1150 , you can see how the configuration file is
retrieved using TFTP during the auto-install sequence. The two possible configuration file formats used
for this purpose are:
binary .cms Use the TMA export utility and choose the CMS file type. This
is the most compact format.
Refer to 16.4.2 - Creating a binary file using TMA on
page 1164.
ASCII CLI .cli • Use the TMA export utility and choose the CLI file type.
• Use the TFTP get command.
• Use the CLI get command.
Refer to …
• 16.4.3 - Creating an ASCII CLI file using TMA on page 1165
• 16.4.4 - Creating an ASCII CLI file using TFTP on
page 1167
• 16.4.5 - Creating an ASCII CLI file using Telnet on
page 1168
To create a configuration file in binary (*.cms) format using TMA, proceed as follows:
Step Action
2 Make changes to its configuration (if necessary) in order to obtain the desired configura-
tion.
To create a configuration file in ASCII CLI (*.cli) format using TMA, proceed as follows:
Step Action
2 Make changes to its configuration (if necessary) in order to obtain the desired configura-
tion.
Do not select the file extension for ASCII text (*.txt)! This is for documentation pur-
poses only, not for configuration purposes.
1166 1424 SHDSL Router Chapter 16
User manual Auto installing the 1424 SHDSL Router
Step Action
To create a configuration file in ASCII CLI (*.cli) format using TFTP, proceed as follows:
Step Action
Example
Note that the procedure described above does not work with FTP.
1168 1424 SHDSL Router Chapter 16
User manual Auto installing the 1424 SHDSL Router
To create a configuration file in ASCII CLI (*.cli) format using Telnet logging and the CLI get command,
proceed as follows:
Step Action
1 Start a Telnet session on the 1424 SHDSL Router. You are automatically in CLI mode.
2 You are automatically located in the top object (router1424) and in the "Edit Configuration"
group. Check to make sure (just press the Enter key).
3 Log the CLI output to a file. Refer to the documentation of your Telnet software how to
do so.
In 16.2 - Auto-install on the LAN interface on page 1150 , you can see how the configuration file is
retrieved using TFTP during the auto-install sequence. It is, however, also possible to restore previously
saved configuration files by downloading them yourself to the 1424 SHDSL Router. You can do this by
using various applications. This is explained in this section.
The following gives an overview of this section:
• 16.5.1 - Downloading a configuration file using TMA on page 1170
• 16.5.2 - Downloading a configuration file using (T)FTP on page 1171
• 16.5.3 - Downloading a configuration file using Telnet on page 1172
1170 1424 SHDSL Router Chapter 16
User manual Auto installing the 1424 SHDSL Router
Step Action
Step Action
2 Set the transfer mode to binary (octet) format. The syntax to do this is typically binary or
octet.
1. However, make sure that source and destination file format are both the same!
1172 1424 SHDSL Router Chapter 16
User manual Auto installing the 1424 SHDSL Router
Step Action
1 Start a Telnet session on the 1424 SHDSL Router. You are automatically in CLI mode.
2 You are automatically located in the top object (router1424) and in the "Edit Configuration"
group. Check to make sure (just press the Enter key).
3 Use the “send” feature of your Telnet software to send the ASCII CLI configuration file to
the 1424 SHDSL Router. Refer to the documentation of your Telnet software how to do
so.
1424 SHDSL Router Chapter 17 1173
User manual Downloading software
17 Downloading software
This chapter explains how to download application software to the 1424 SHDSL Router. It also shows
how to download any other file to the file system of the 1424 SHDSL Router. But first it explains the dif-
ference between boot and application software.
The following gives an overview of this chapter:
• 17.1 - What is boot and application software? on page 1174
• 17.2 - Downloading application software using TMA on page 1175
• 17.3 - Downloading application software using TFTP on page 1176
• 17.4 - Downloading application software using TML on page 1177
• 17.5 - Downloading application software using FTP on page 1178
• 17.6 - Downloading files to the file system on page 1179
1174 1424 SHDSL Router Chapter 17
User manual Downloading software
The boot software takes care of the initial phase in the start-up sequence of the 1424 SHDSL Router. It
is located on the lowest software level. If the 1424 SHDSL Router only loads its boot software, then we
say that the 1424 SHDSL Router runs in boot mode.
The 1424 SHDSL Router …
• runs in boot mode if no application software is present.
• can temporarily be forced to run in boot mode by using the -b option of the TML command. Refer to
17.4 - Downloading application software using TML on page 1177.
In boot mode …
• you can download application software (using TML).
• you cannot establish a TMA session. You can only use TML to download application software.
The application software, also called control software or firmware, completely controls the 1424 SHDSL
Router. It is located on the highest software level. If the 1424 SHDSL Router loads its boot, loader and
application software, then we say that the 1424 SHDSL Router runs in application mode.
In application mode …
• you can download application software (using TMA, TFTP or TML).
• you can establish a TMA session.
1424 SHDSL Router Chapter 17 1175
User manual Downloading software
To download application software to the 1424 SHDSL Router using TMA, proceed as follows:
Step Action
1 Establish a link between TMA and the 1424 SHDSL Router either over a serial or an IP
connection. Refer to 4 - Maintaining the 1424 SHDSL Router on page 31.
4 In the TMA - Download window, select the Configuration tab and click on Add…
6 If you are currently connected to the 1424 SHDSL Router without write access, then you
can enter a password in the Password tab which gives you write access. Else leave the
Password tab blank.
When downloading with TMA over an IP connection, you actually evoke TFTP (Trivial File Transfer Pro-
tocol) through TMA. You can also use TFTP without opening TMA.
To download application software to the 1424 SHDSL Router using TFTP, proceed as follows:
Step Action
When downloading with TMA over a serial connection, you actually evoke TML (Total Memory Loader)
through TMA. You can also use TML without opening TMA.
To download application software to the 1424 SHDSL Router using TML, proceed as follows:
Step Action
where …
• tml is the executable (Total Memory Loader) to download files to the OneAccess
devices through their control port.
• -c1 specifies the COM port of the computer connected to the 1424 SHDSL Router (in
this example COM1).
• -v returns graphical information on the download status.
• -fTxxxxxxx.00 is the software file you want to download (e.g. T1234001.00).
• CONTROL (in capitals!) specifies that the file being downloaded is an application or
loader software file.
• ?my_pwd is the write access password as configured in the 1424 SHDSL Router. If no
password has been configured, you may omit the ? and the password.
To see a list of all the possible TML options: type TML in your DOS windows and press
the ENTER key.
To download application software to the 1424 SHDSL Router using FTP, proceed as follows:
Step Action
2 Make sure the transfer mode is set to binary (octet) format. The syntax to do this is typi-
cally binary.
You might want to download other files than the firmware files only. In fact, any file can be downloaded
to the file system of the 1424 SHDSL Router. You can do this using the same tools you use to download
application software. These tools are:
• TMA (refer to 17.2 - Downloading application software using TMA on page 1175).
• TFTP (refer to 17.3 - Downloading application software using TFTP on page 1176).
• TML (refer to 17.4 - Downloading application software using TML on page 1177).
• FTP (refer to 17.5 - Downloading application software using FTP on page 1178).
The major difference is that instead of specifying CONTROL as target filename for the application software,
you now can specify any filename as target filename.
Tool Example
Example:
• tftp> put models.nms models.nms?pwd123
• tml -c1 -v -fmodels.nms@models.nms?pwd123
1180 1424 SHDSL Router Chapter 17
User manual Downloading software
1424 SHDSL Router Chapter 18 1181
User manual Technical specifications
18 Technical specifications
This chapter gives the technical specifications of the 1424 SHDSL Router. The following gives an over-
view of this chapter:
• 18.1 - SHDSL line specifications on page 1182
• 18.2 - LAN interface specifications on page 1183
• 18.3 - 4 port Ethernet switch specifications on page 1184
• 18.4 - Console port specifications on page 1185
• 18.5 - IP address assignment and auto-provisioning on page 1186
• 18.6 - ATM encapsulation specifications on page 1187
• 18.7 - Frame Relay encapsulation specifications on page 1188
• 18.8 - PPP encapsulation specifications on page 1189
• 18.9 - EFM encapsulation specifications on page 1190
• 18.10 - IP routing specifications on page 1191
• 18.11 - Bridging specifications on page 1193
• 18.12 - Network address translation specifications on page 1194
• 18.13 - Tunnelling and VPN specifications on page 1195
• 18.14 - Priority and traffic policy specifications on page 1196
• 18.15 - Firewall specifications on page 1199
• 18.16 - Access security specifications on page 1200
• 18.17 - Maintenance and management specifications on page 1200
• 18.18 - Memory specifications on page 1201
• 18.19 - Power requirements on page 1202
• 18.20 - Dimensions on page 1203
• 18.21 - Safety compliance on page 1204
• 18.22 - Over-voltage and over-current protection compliance on page 1204
• 18.23 - EMC compliance on page 1204
• 18.24 - Environmental compliance on page 1204
1182 1424 SHDSL Router Chapter 18
User manual Technical specifications
The following table shows the connector layout of the RJ45 line connector:
4 line 1
5 line 1
Colour Description
The following table shows the connector layout of the RJ45 Ethernet LAN interface connector:
3 receive (+) In
4 not used -
5 not used -
7 not used -
8 not used -
1184 1424 SHDSL Router Chapter 18
User manual Technical specifications
• Number of ports: 4
• Connectors: RJ45 (EIA/TIA 568B)
• Applicable standards: IEEE 802.3 (10Mbps Ethernet), IEEE 802.3u (100Mbps Ethernet)
• Characteristics:
- 10 / 100 Mbps auto-sense
- Half or full duplex
- Auto-negotiation
- Auto cross-over MDI/MDI-X for automatic connection to a terminal or switch
• Meaning of LED colours:
- Lit green LED: link active
- Blinking yellow LED: traffic in progress
• The layout of the connectors is identical to the LAN interface: transmission pairs 1-2, receive pairs 3-6
• Cable to be used: shielded crossover/straight cables with 4 twisted pairs
1424 SHDSL Router Chapter 18 1185
User manual Technical specifications
The following table shows the connector layout of the RJ45 Console connector:
2 TD Transmitted data In
3 GND Ground -
4 NC Not connected -
5 NC Not connected -
6 Cable type -
7 - - -
8 - - -
• A console cable for router configuration and maintenance only requires TX, RX and GND to be con-
nected; refer to Annex C: - Console cable on page 1211 for more information about the cable.
1186 1424 SHDSL Router Chapter 18
User manual Technical specifications
• BOOTP/DHCP server (RFC 2131, RFC 2132) with static or dynamic address assignment
• DHCP server major features:
- IP address ranges are configurable per interface
- If no gateway is configured in the DHCP server, the router gives its own address
- The DHCP server collects the DNS names of all DHCP clients and acts as a local DNS server for
these names
• DHCP relay agent (RFC 2131, RFC 2132)
• DNS proxy
• Static IP address assignment
• Possible assignment of secondary IP address on the LAN interface
• Numbered or unnumbered mode on WAN interfaces
• Automatic IP address assignment through:
- BootP client (RFC 951)
- DHCP client (RFC 2131, RFC 2132)
- IPCP
• Automatic IP gateway assignment through Inverse ARP (RFC 2390, in Frame-Relay and ATM)
• Automatic default route assignment on remotely learned IP address in PPP
• Automatic configuration file upload through DHCP client
• DHCP client requests are transmitted if an interface is in routing mode and has no IP address yet
• DHCP client requests can be blocked from being transmitted on the LAN interface and bridge groups
1424 SHDSL Router Chapter 18 1187
User manual Technical specifications
The 1424 SHDSL Router complies to the router requirements as stated in RFC 1812 and supports the
routing of standard IP packets (RFC 791) between the different interfaces of the 1424 SHDSL Router
according to the routing protocols listed below.
Static routing
RIP
OSPF
ICMP
The 1424 SHDSL Router supports the handling of broadcasts and multicasts and includes the following
related functionalities:
• IGMPv2 (Internet Group Management protocol, RFC 2236), as the standard for IP multicasting
• IGMP proxy function
• Forwarding of directed broadcasts can be enabled or disabled per interface
• Helper address can be configured for broadcasts
Filtering
IP MTU
• The IP MTU can be configured on the WAN and LAN interfaces (between 500 and 1650 bytes)
VRRP
Bridging protocols
Bridge groups
VLANs
VLAN switching
Filtering
L2TP tunnelling
IPSEC security
This section gives the specifications of the priority and traffic policies that are available on the 1424
SHDSL Router. The following gives an overview of this section:
• 18.14.1 - Priority policy on page 1197
• 18.14.2 - IP traffic policy on page 1197
• 18.14.3 - Bridge traffic policy on page 1198
1424 SHDSL Router Chapter 18 1197
User manual Technical specifications
Traffic shaping
TosDiffServ
• Traffic is forwarded to a certain priority queue based on DiffServ (RFCs 2474, 2475) regarding class
and drop precedence
TosMapped
• Traffic is forwarded to a certain priority queue based on a user-defined range of the TOS field
• Configurable maximum queue length
QueueMapped
• Traffic is forwarded to a certain priority queue based on the 802.1P tag of VLAN tagged Ethernet traf-
fic
1424 SHDSL Router Chapter 18 1199
User manual Technical specifications
• Firewall with 3 zones (Internet, Corporate, DMZ) and IP protocol stack (Self)
• Outbound and inbound policies based on …
- Source and destination IP address range
- Application (IP protocol and port range)
• PAT can be applied per outbound / inbound policy
• Outbound and inbound policies for the IP protocol stack (Self)
• Protection again attacks: SYN flooding, Source Routing, WinNuke, FTP Bounce, IP Unaligned
Timestamp, MIME Flood, Sequence Number Prediction, Sequence Number Out Of Range, ICMP
Error Messages
• Firewall logging with different priorities
1200 1424 SHDSL Router Chapter 18
User manual Technical specifications
• Password protected
• Several access levels possible:
- Read access
- Write access
- Security access
- File system access
• Radius client (RFC 2865)
• Management access can be enabled or disabled per interface
• Overall management access can be prohibited (Telnet, HTTP, SNMP, FTP, TFP)
• Local console (Command Line Interface or ATWIN) via serial control port
• TELNET (Command Line Interface or ATWIN) (RFC 854)
• HTTP web interface1 (RFC 2616)
• Easy Configurator (customisable JAVA based web interface)
• TMA (Total Maintenance Application) via serial control port or IP connection (UDP port 1728)
• TMA CLI2
• TMA Element Management2
• TMA for HP OpenView2
• TML (Total Memory Loader) for configuration and software download via serial control port
• FTP configuration and software download (RFC 414)
• TFTP configuration and software download (RFC 1350)
• PING (RFC 792)
• SNMP (RFC 1157)
• SNMP MIB2 (RFC 1213), private MIB
• SNMP traps (RFC 1215)
• SYSLOG event logging (RFC 3164)
• SNTP (RFC 2030)
• IP loopback address
1. HTTP interfaces are available on both port 80 and port 8080. This allows connecting to the
HTTP interfaces in case a NAT service is defined on port 80.
2. Not included.
1424 SHDSL Router Chapter 18 1201
User manual Technical specifications
• Flash memory: 32 MB
• RAM: 64 MB
1202 1424 SHDSL Router Chapter 18
User manual Technical specifications
Power adapter to be used: Switched Power Module 100-240 VAC, 20W, Vout=12 Vdc, Iout=1A. Note
that a 24/48VDC power adapter can also be delivered.
Do not use another type of power supply than the one recommended by OneAccess.
1424 SHDSL Router Chapter 18 1203
User manual Technical specifications
18.20 Dimensions
The standard version of the 1424 SHDSL Router has a metal housing with the following characteristics:
• Width: 275 mm
• Height: 55 mm
• Depth: 146 mm
• Weight: 1,26 kg
• EN60950-1 - 1st edition: Safety of information technology equipment, including electrical business
equipment.
• Class 2 equipment.
The over-voltage and over-current protection complies with ITU-T K.44 and ETSI ETS 300 386-2 recom-
mendations.
• EN55022 B Emissions
• EN55024 Immunity
• EN61000-3-2 Harmonics
• EN61000-3-3 Voltage fluctuations and flicker
• EN61000-4-2 ESD
• EN61000-4-3 Radiated immunity
• EN61000-4-4 EFT/burst
• EN61000-4-5 Surge
• EN61000-4-6 Conducted immunity
• EN61000-4-8 Power magnetic field immunity
• EN61000-4-11 Voltage dips & drops
• ENV50204 Radiated immunity against digital radio telephone
• EN300386 V.1.3.3 Ems Requirements
• Storage conditions: ETSI ETS 300 019-1-1 Class 1.1. In addition, the storage temperature has to be
between -25 to +70°C, with a relative humidity between 0 and 95% non-condensing.
• Transport conditions: ETSI ETS 300 019-1-2 Class 2.3
• Stationary use conditions: ETSI ETS 300 019-1-3 Class 3.2. In addition, a relative humidity between
0 and 95% non-condensing and an ambient operational temperature between -10 to 50°C is sup-
ported.
• Maximum altitude: 3000m
• International protection (IP) class of protection against solid and liquids: IP40
• In use: Temperature Controlled.
- Test specification (Part1 Classification of environmental conditions):
› Class T3.1 (normal)
› Class T3.1 (exceptional)
1424 SHDSL Router 1205
Annex
Annex
1206 1424 SHDSL Router
Annex
1424 SHDSL Router Annex A: 1207
Annex common TCP and UDP numbers
208595 1424 SHDSL 1P ROUTER NPWR IP router and bridge with SHDSLbis 1 pair line interface. 4
port 10/100Mbit/s Ethernet switch and a second 10/
100Mbit/s Ethernet interface. Supports ATM and EFM
over the line. Delivered without power adapter.
208597 1424 SHDSL 2P ROUTER 230VAC IP router and bridge with SHDSLbis 2 pair line interface. 4
port 10/100Mbit/s Ethernet switch and a second 10/
100Mbit/s Ethernet interface. Supports ATM and EFM
over the line. Delivered with European AC power adapter.
501426 1424 SHDSL 2P ROUTER NPWR IP router and bridge with SHDSLbis 2 pair line interface. 4
port 10/100Mbit/s Ethernet switch and a second 10/
100Mbit/s Ethernet interface. Supports ATM and EFM
over the line. Delivered without power adapter.
208601 1424 SHDSL 4P ROUTER 230VAC IP router and bridge with SHDSLbis 4 pair line interface. 4
port 10/100Mbit/s Ethernet switch and a second 10/
100Mbit/s Ethernet interface. Supports ATM and EFM
over the line. Delivered with European AC power adapter.
208602 1424 SHDSL 4P ROUTER NPWR IP router and bridge with SHDSLbis 4 pair line interface. 4
port 10/100Mbit/s Ethernet switch and a second 10/
100Mbit/s Ethernet interface. Supports ATM and EFM
over the line. Delivered without power adapter.
202752 PWR-PLUG (EUR VERSION) 230VAC- Wallplug Switched Power Module EUR type, 230Vac ->
>12VDC 12Vdc for Desktop units delivered without power adapter.
(xxx NPWR). See doc OneAccess Product Quick
Reference for compatibility with xxx NPWR item
202753 PWR-PLUG (UK VERSION) 230VAC- Wallplug Switched Power Module UK type, 230Vac ->
>12VDC 12Vdc for Desktop units delivered without power adapter.
(xxx NPWR). See doc OneAccess Product Quick
Reference for compatibility with xxx NPWR item
202754 PWR-PLUG (US VERSION) 110VAC- Wallplug Switched Power Module US type, 110Vac ->
>12VDC 12Vdc for Desktop units delivered without power adapter.
(xxx NPWR). See doc OneAccess Product Quick
Reference for compatibility with xxx NPWR item
191706 PWR-PLUG +/-48/24VDC FOR 7,5 /12VDC Wallplug power module with input range: 18 to 72Vdc and
CPE DEVICES output: 7,5 / 12Vdc for Desktop units delivered without
power adapter. (xxx NPWR). Fully isolated input. Suitable
for + & - DC input voltages.
1210 1424 SHDSL Router Annex B:
Annex product information
1424 SHDSL Router Annex C: 1211
Annex Console cable
D graphical vii
typographical vi
DE
copyright notice ii
what is 148
documentation set v
default queue environmental information iv
configuring 286 intended audience ix
versus traffic policy profile 286 organisation v
what is 286 properties ii
default route statements iii
configuring 190 TDRE version described in this ix
what is 189 your feedback ix
MLFR O
what is 149
OAM
MLPPP activation/deactivation mechanism 137
alarms 1139 basic configuration 125
configuration attributes 610 concepts 129
setting up 177 continuity check (CC) 134
on a BRI interface in leased line mode 181 fault and performance management 131
motherboard, position of the DIP switches 28 functional overview 128
loopback(LB) 133
MPoA performance management (PM) 136
what is 106 what is 126
MRU OAM AIS, what is 1036
what is 565
OAM RDI, what is 1036
MS-CHAP
version 1, what is 162 object, what is 40
version 2, what is 163 operating system
MS-CHAP, what is 162 performance attributes 1115
status attributes 1011
MTU
what is 59, 664, 676, 686, 690 organisation of this manual v
multicasting OSPF
specifications 1192 activating 218
authentication, enabling 219
multiclass PPP basic configuration 212
setting up 183 configuration attributes 704
what is 164 configuration attributes, general 705
multi-protocol over ATM introducing 213
encapsulation mechanisms, which are 107 specifications 1191
what is 106 status attributes 938
status attributes, general 939
N what is 213
NAT adjacency 216
adding multiple NAT objects 236 area 0 214
combining with PAT 240 areas 214
configuration attributes 652 authentication 217
easy NAT 240 backbone area 214
enabling on an interface 234 border routers 214
how works 238 cost 216
performance attributes 1064 link states 213
1226 1424 SHDSL Router Index
Annex