PRESTIGE 650H - Modem/Routeur ZYXEL - Notice d'utilisation et mode d'emploi gratuit

MODE D'EMPLOI PRESTIGE 650H ZYXEL

Prestige 650 Series

ADSL Router

User's Guide

Version 3.40

July 2003

ZyXEL Unleash Network

Unleash Networking Power

Copyright

Copyright © 2003 by ZyXEL Communications Corporation.

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Published by ZyXEL Communications Corporation. All rights reserved.

Disclaimer

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Federal Communications Commission (FCC) Interference Statement

This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:

• This device may not cause harmful interference.
- This device must accept any interference received, including interference that may cause undesired operations.

This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.

If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

1. Reorient or relocate the receiving antenna.
2. Increase the separation between the equipment and the receiver.
3. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4. Consult the dealer or an experienced radio/TV technician for help.

Notice 1

Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

Certifications

Refer to the product page at www.zyxel.com.

Tested To Comply With FCC Standards

FOR HOME OR OFFICE USE

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser.

To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.

Safety Warnings

1. To reduce the risk of fire, use only No. 26 AWG or larger telephone wire.
2. Do not use this product near water, for example, in a wet basement or near a swimming pool.
3. Avoid using this product during an electrical storm. There may be a remote risk of electric shock from lightening.

Customer Support

Please have the following information ready when you contact customer support.

• Product model and serial number.
• Warranty Information.
• Date that you received your device.
- Brief description of the problem and the steps you took to solve it.

Table of Contents

Copyright......ii

Federal Communications Commission (FCC) Interference Statement......iii

ZyXEL Limited Warranty ...... iv

Customer Support......v

List of Figures ......xii

List of Tables ...... xvii

List of Charts ...... XX

Preface ....xxi

Introduction to DSL....xxiii

Getting Started....I

Chapter 1 Getting To Know Your Prestige ....1-1

1.1 Introducing the Prestige 650 Series .... 1-1

1.2 Features of the Prestige....1-1

1.3 Applications for the Prestige....1-6

Chapter 2 Introducing the Web Configurator ....2-1

2.1 Web Configurator Overview....2-1

2.2 Accessing the Prestige Web Configurator 2-1

2.3 Navigating the Prestige Web Configurator 2-2

2.4 Configuring Password....2-3

2.5 Resetting the Prestige....2-4

Chapter 3 Wizard Setup....3-1

3.1 Wizard Setup Introduction....3-1

3.2 Encapsulation....3-1

3.3 Multiplexing....3-2

3.4 VPI and VCI 3-2

3.5 Wizard Setup Configuration: First Screen 3-2

3.6 IP Address and Subnet Mask 3-4

3.7 IP Address Assignment....3-4

3.8 Nailed-Up Connection (PPP)....3-6

3.9 NAT 3-6

3.10 Wizard Setup Configuration: Second Screen....3-6

3.11 DHCP Setup....3-12

3.12 Wizard Setup Configuration: Third Screen....3-13

3.13 Wizard Setup Configuration: Connection Tests....3-15

3.14 Test Your Internet Connection....3-16

LAN, Wireless LAN and WAN ....II

Chapter 4 LAN Setup....4-1

4.1 LAN Overview 4-1

4.2 DNS Server Address....4-1

4.3 DNS Server Address Assignment 4-2
4.4 LAN TCP/IP 4-2
4.5 Configuring LAN 4-4

Chapter 5 Wireless LAN Setup....5-1

5.1 Wireless LAN Overview....5-1
5.2 Levels of Security 5-3
5.3 Data Encryption with WEP 5-4
5.4 Inserting a PCMCIA Wireless LAN Card....5-4
5.5 Configuring Wireless LAN 5-4
5.6 Configuring MAC Filter....5-7
5.7 802.1x Overview....5-9
5.8 Introduction to RADIUS 5-9
5.9 Configuring 802.1x 5-11
5.10 Configuring Local User Authentication 5-13
5.11 Configuring RADIUS 5-15

Chapter 6 WAN Setup ....6-1

6.1 WAN Overview 6-1
6.2 PPPoE Encapsulation....6-1
6.3 PPTP Encapsulation....6-1
6.4 Traffic Shaping....6-2
6.5 Configuring WAN Setup....6-2

NAT, Dynamic DNS and Time Zone...... III

Chapter 7 Network Address Translation (NAT)....7-1

7.1 NAT Overview....7-1
7.2 SUA (Single User Account) Versus NAT....7-4
7.3 SUA Server 7-5
7.4 Selecting the NAT Mode....7-7
7.5 Configuring SUA Server 7-8
7.6 Configuring Address Mapping....7-10
7.7 Editing an Address Mapping Rule 7-12

Chapter 8 Dynamic DNS Setup....8-1

8.1 Dynamic DNS 8-1
8.2 Configuring Dynamic DNS....8-1

Chapter 9 Time and Date Setup....9-1

9.1 Configuring Time Zone....9-1

Remote Management and UPnP IV

Chapter 10 Remote Management Configuration....10-1

10.1 Remote Management Overview....10-1
10.2 Telnet 10-2
10.3 FTP....10-2
10.4 Web 10-2

10.5 Configuring Remote Management....10-2

Chapter 11 Universal Plug-and-Play (UPnP)....11-1

11.1 Universal Plug and Play Overview 11-1
11.2 UPnP and ZyXEL 11-2
11.3 Installing UPnP in Windows Example.... 11-3
11.4 Using UPnP in Windows XP Example 11-5

Bandwidth Management......V

Chapter 12 Bandwidth Management....12-1

12.1 Bandwidth Management Overview 12-1
12.2 Bandwidth Classes and Filters 12-1
12.3 Proportional Bandwidth Allocation 12-2
12.4 Bandwidth Management Usage Examples.... 12-2
12.5 Scheduler 12-4
12.6 Maximize Bandwidth Usage.... 12-4
12.7 Bandwidth Borrowing....12-7
12.8 Configuring Summary 12-9
12.9 Configuring Class Setup 12-11
12.10 Configuring Monitor 12-17

Maintenance......VI

Chapter 13 Maintenance....13-1

13.1 Maintenance Overview 13-1
13.2 System Status Screen 13-1
13.3 DHCP Table Screen....13-6
13.4 Wireless Screens 13-7
13.5 Diagnostic Screens....13-9
13.6 Firmware Screen....13-12

SMT General Configuration...... VII

Chapter 14 Introducing the SMT....14-1

14.1 SMT Introduction 14-1
14.2 Navigating the SMT Interface.... 14-4
14.3 Changing the System Password 14-6

Chapter 15 General Setup....15-1

15.1 General Setup....15-1
15.2 Configuring Menu 1....15-1

Chapter 16 LAN Setup....16-1

16.1 LAN Setup 16-1
16.2 Protocol Dependent Ethernet Setup 16-2
16.3 TCP/IP Ethernet Setup and DHCP 16-2

Chapter 17 Wireless LAN Setup....17-1

17.1 Wireless LAN Overview....17-1
17.2 Inserting a PCMCIA Wireless LAN Card 17-1

17.3 Wireless LAN Setup 17-1

Chapter 18 Internet Access ....18-1

18.1 Internet Access Overview 18-1
18.2 IP Policies 18-1
18.3 IP Alias....18-1
18.4 IP Alias Setup....18-2
18.5 Route IP Setup....18-4
18.6 Internet Access Configuration....18-5

Chapter 19 Remote Node Configuration....19-1

19.1 Remote Node Setup Overview....19-1
19.2 Remote Node Setup....19-1
19.3 Metric....19-5
19.4 Remote Node Network Layer Options....19-6
19.5 Remote Node Filter 19-9
19.6 Editing ATM Layer Options 19-13
19.7 Traffic Redirect 19-14

Chapter 20 Static Route Setup....20-1

20.1 IP Static Route Overview....20-1
20.2 Configuring an IP static route 20-2

Chapter 21 Bridging Setup....21-1

21.1 Bridging Overview....21-1
21.2 Bridge Ethernet Setup 21-1

Chapter 22 Network Address Translation (NAT)....22-1

22.1 NAT Overview....22-1
22.2 Applying NAT 22-1
22.3 NAT Setup 22-3
22.4 Configuring a Server behind NAT 22-9
22.5 General NAT Examples 22-11

SMT Advanced Management...... VIII

Chapter 23 Filter Configuration....23-1

23.1 About Filtering....23-1
23.2 Configuring a Filter Set for the Prestige 650H and the Prestige 650HW....23-4
23.3 Configuring a Filter Set for the Prestige 650R and the Prestige 650R-E 23-6
23.4 Configuring a Filter Rule 23-9
23.5 Filter Types and NAT 23-16
23.6 Example Filter 23-16
23.7 Applying Filters and Factory Defaults 23-19

Chapter 24 SNMP Configuration ....24-1

24.1 SNMP Overview 24-1
24.2 Supported MIBs 24-2
24.3 SNMP Configuration 24-2

24.4 SNMP Traps 24-4

Chapter 25 System Security....25-1

25.1 System Security Overview....25-1
25.2 Creating User Accounts on the Prestige....25-5

Chapter 26 System Information and Diagnosis....26-1

26.1 System Maintenance Overview 26-1
26.2 System Status....26-1
26.3 System Information....26-3
26.4 Log and Trace 26-5
26.5 Diagnostic....26-8

Chapter 27 Firmware and Configuration File Maintenance ....27-1

27.1 Filename Conventions 27-1
27.2 Backup Configuration....27-2
27.3 Restore Configuration....27-7
27.4 Uploading Firmware and Configuration Files 27-10

Chapter 28 System Maintenance....28-1

28.1 Command Interpreter Mode Overview 28-1
28.2 Call Control Support....28-2
28.3 Time and Date Setting 28-4

Chapter 29 Remote Management....29-1

29.1 Remote Management Overview....29-1
29.2 Configuring Remote Management....29-1
29.3 Remote Management and NAT 29-3
29.4 System Timeout 29-3

Chapter 30 IP Policy Routing ....30-1

30.1 IP Policy Routing Overview 30-1
30.2 Benefits of IP Policy Routing 30-1
30.3 Routing Policy 30-1
30.4 IP Routing Policy Setup....30-2
30.5 Applying an IP Policy....30-5
30.6 IP Policy Routing Example....30-7

Chapter 31 Call Scheduling ....31-1

31.1 Call Scheduling Overview 31-1

Appendices and Index ......IX

Appendix A Troubleshooting......A-1

A.1 Using LEDs to Diagnose Problems ...... A-1
A.2 Console Port....A-2
A.3 Telnet....A-2
A.4 Web Configurator ...... A-3
A.5 Login Username and Password....A-4
A.6 LAN Interface....A-4

A.7 WAN Interface....A-5
A.8 Internet Access....A-5
A.9 Remote Management ......A-6
A.10 Remote Node Connection ......A-7

Appendix B IP Subnetting......B-1

Appendix C Wireless LAN and IEEE 802.11......C-1

Appendix D PPPoE......D-1

Appendix E Virtual Circuit Topology....E-1

Appendix F Setting up Your Computer's IP Address....F-1

Appendix G Splitters and Microfilters...... G-1

Appendix H Power Adaptor Specifications.... H-1

H.1 Prestige 650R-E1/-E3/-E7 ADSL Router....H-1
H.2 Prestige 650R-11 ADSL Router....H-2
H.3 Prestige 650R-13/-17 ADSL Ethernet Router....H-3
H.4 Prestige 650R-31/-33 ADSL over ISDN Router....H-4
H.5 Prestige 650H-11/-13 ADSL Router with 4-Port Ethernet Switch....H-5
H.6 Prestige 650HW-11/-13 ADSL Router with 4-Port Ethernet Switch/Wireless LAN......H-6
H.7 Prestige 650HW-31/-33/-37; Prestige 650H-31/-33/-37 ADSL Router with 4-port Switch/Wireless....H-7

Appendix I Index......I-1

List of Figures

Figure 1-1 Prestige Internet Access Application....1-7

Figure 1-2 Prestige LAN-to-LAN Application ....1-7

Figure 2-1 Password Screen ....2-1

Figure 2-2 Web Configurator SITE MAP Screen 2-2

Figure 2-3 Password....2-3

Figure 2-4 Example Xmodem Upload....2-5

Figure 3-1 Wizard Screen 1 .... 3-3

Figure 3-2 Internet Connection with PPPoE....3-7

Figure 3-3 Internet Connection with RFC 1483 ....3-8

Figure 3-4 Internet Connection with ENET ENCAP 3-9

Figure 3-5 Internet Connection with PPPoA 3-11

Figure 3-6 Wizard Screen 3 .... 3-13

Figure 3-7 Wizard : LAN Configuration....3-14

Figure 3-8 Wizard Screen 4 .... 3-15

Figure 4-1 LAN and WAN IP Addresses ....4-1

Figure 4-2 LAN 4-4

Figure 5-1 RTS/CTS 5-2

Figure 5-2 Prestige Wireless Security Levels ....5-3

Figure 5-3 Wireless....5-5

Figure 5-4 MAC Address Filter 5-8

Figure 5-5 EAP Authentication....5-11

Figure 5-6 802.1x....5-11

Figure 5-7 Local User Database .... 5-14

Figure 5-8 RADIUS....5-16

Figure 6-1 Example of Traffic Shaping ....6-2

Figure 6-2 Internet Access Setup....6-3

Figure 7-1 How NAT Works....7-2

Figure 7-2 NAT Application With IP Alias 7-3

Figure 7-3 Multiple Servers Behind NAT Example....7-7

Figure 7-4 NAT Mode....7-7

Figure 7-5 Edit SUA/NAT Server Set....7-9

Figure 7-6 Address Mapping Rules .... 7-11

Figure 7-7 Address Mapping Rule Edit ....7-12

Figure 8-1 DDNS....8-2

Figure 9-1 Time/Date....9-1

Figure 10-1 Telnet Configuration on a TCP/IP Network ....10-2

Figure 10-2 Remote Management ....10-3

Figure 11-1 Configuring UPnP .... 11-2

Figure 12-1 Application-based Bandwidth Management Example 12-2

Figure 12-2 Subnet-based Bandwidth Management Example ...... 12-3

Figure 12-3 Application and Subnet-based Bandwidth Management Example.... 12-4

Figure 12-4 Bandwidth Allotment Example 12-5

Figure 12-5 Maximize Bandwidth Usage Example 12-6

Figure 12-6 Bandwidth Borrowing Example 12-8

Figure 12-7 Bandwidth Manager: Summary.... 12-10

Figure 12-8 Bandwidth Manager: Class Setup.... 12-12

Figure 12-9 Bandwidth Manager: Class Configuration 12-13

Figure 12-10 Bandwidth Management Statistics ...... 12-16

Figure 12-11 Bandwidth Manager Monitor .... 12-17

Figure 13-1 System Status 13-2

Figure 13-2 System Status: Show Statistics 13-4

Figure 13-3 DHCP Table.... 13-6

Figure 13-4 Association List.... 13-7

Figure 13-5 Channel Usage Table.... 13-8

Figure 13-6 Diagnostic.... 13-9

Figure 13-7 Diagnostic General 13-10

Figure 13-8 Diagnostic DSL Line....13-11

Figure 13-9 Firmware Upgrade.... 13-13

Figure 13-10 Network Temporarily Disconnected.... 13-14

Figure 13-11 Error Message.... 13-14

Figure 14-1 Login Screen 14-2

Figure 14-2 Prestige 650HW-31 SMT Menu Overview 14-3

Figure 14-3 SMT Main Menu for P650HW.... 14-5

Figure 14-4 Menu 23 System Password.... 14-6

Figure 15-1 Menu 1 General Setup.... 15-2

Figure 15-2 Menu 1.1 Configure Dynamic DNS 15-3

Figure 16-1 Menu 3 LAN Setup 16-1

Figure 16-2 Menu 3.1 LAN Port Filter Setup 16-1

Figure 16-3 Menu 3.2 TCP/IP and DHCP Ethernet Setup 16-2

Figure 17-1 Menu 3.5 - Wireless LAN Setup 17-2

Figure 17-2 Menu 3.5.1 WLAN MAC Address Filtering 17-4

Figure 18-1 Physical Network 18-2

Figure 18-2 Partitioned Logical Networks.... 18-2

Figure 18-3 Menu 3.2 TCP/IP and DHCP Setup.... 18-3

Figure 18-4 Menu 3.2.1 IP Alias Setup 18-3

Figure 18-5 Menu 1 General Setup.... 18-4

Figure 18-6 Menu 4 Internet Access Setup 18-5

Figure 19-1 Menu 11 Remote Node Setup.... 19-2

Figure 19-2 Menu 11.1 Remote Node Profile.... 19-3

Figure 19-3 Menu 11.3 Remote Node Network Layer Options 19-7

Figure 19-4 Sample IP Addresses for a TCP/IP LAN-to-LAN Connection....19-9

Figure 19-5 Menu 11.5 Remote Node Filter (RFC 1483 or ENET Encapsulation)....19-10

Figure 19-6 Menu 11.5 Remote Node Filter (PPPoA or PPPoE Encapsulation)....19-10

Figure 19-7 Internet Security....19-11

Figure 19-8 Menu 21- Filer Set Configuration (P650H/HW)....19-12

Figure 19-9 Menu 21.11- WebSet 11 ...... 19-12

Figure 19-10 Menu 21.12- WebSet 12....19-12

Figure 19-11 Menu 11.6 for VC-based Multiplexing ....19-13

Figure 19-12 Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation....19-14

Figure 19-13 Traffic Redirect Setup Example ....19-14

Figure 19-14 Menu 11.1 – Remote Node Profile....19-15

Figure 19-15 Menu 11.7 Traffic Redirect Setup ....19-16

Figure 20-1 Sample Static Routing Topology....20-1

Figure 20-2 Menu 12 Static Route Setup....20-2

Figure 20-3 Menu 12.1 IP Static Route Setup (P650H/HW)....20-2

Figure 20-4 Menu12.1.1 Edit IP Static Route....20-3

Figure 21-1 Menu 11.1 Remote Node Profile....21-2

Figure 21-2 Menu 11.3 Remote Node Network Layer Options....21-2

Figure 21-3 Menu 12.3 Bridge Static Route Setup....21-3

Figure 21-4 Menu 12.3.1 Edit Bridge Static Route ....21-3

Figure 22-1 Menu 4 Applying NAT for Internet Access....22-2

Figure 22-2 Menu 11.3 Applying NAT to the Remote Node 22-3

Figure 22-3 Menu 15 NAT Setup....22-4

Figure 22-4 Menu 15.1 Address Mapping Sets....22-4

Figure 22-5 Menu 15.1.255 SUA Address Mapping Rules 22-5

Figure 22-6 Menu 15.1.1 First Set....22-6

Figure 22-7 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set....22-8

Figure 22-8 Menu 15.2 NAT Server Setup ....22-9

Figure 22-9 Menu 15.2.1 NAT Server Setup 22-10

Figure 22-10 Multiple Servers Behind NAT Example....22-11

Figure 22-11 NAT Example 1....22-12

Figure 22-12 Menu 4 Internet Access & NAT Example ......22-12

Figure 22-13 NAT Example 2....22-13

Figure 22-14 Menu 15.2.1 Specifying an Inside Server ....22-13

Figure 22-15 NAT Example 3....22-14

Figure 22-16 Example 3: Menu 11.3 .....22-15

Figure 22-17 Example 3: Menu 15.1.1.1 22-16

Figure 22-18 Example 3: Final Menu 15.1.1....22-16

Figure 22-19 NAT Example 4....22-17

Figure 22-20 Example 4: Menu 15.1.1.1 Address Mapping Rule....22-18

Figure 22-21 Example 4: Menu 15.1.1 Address Mapping Rules....22-18

Figure 23-1 Outgoing Packet Filtering Process 23-2

Figure 23-2 Filter Rule Process.... 23-3

Figure 23-3 Menu 21 Filter Set Configuration (P650H/HW) 23-4

Figure 23-4 NetBIOS_WAN Filter Rules Summary 23-5

Figure 23-5 NetBIOS_LAN Filter Rules Summary.... 23-5

Figure 23-6 IGMP Filter Rules Summary....23-5

Figure 23-7 Menu 21 Filter Set Configuration (P650R and P650R-E).... 23-6

Figure 23-8 TELNET_WAN Filter Rules Summary.... 23-7

Figure 23-9 PPPoE Filter Rules Summary.... 23-7

Figure 23-10 FTP_WAN Filter Rules Summary.... 23-7

Figure 23-11 Menu 21.x.1 TCP/IP Filter Rule 23-10

Figure 23-12 Executing an IP Filter 23-13

Figure 23-13 Menu 21.6.1 Generic Filter Rule 23-14

Figure 23-14 Protocol and Device Filter Sets 23-16

Figure 23-15 Sample Telnet Filter.... 23-17

Figure 23-16 Menu 21.6.1 Sample Filter 23-18

Figure 23-17 Menu 21.6 Sample Filter Rules Summary.... 23-19

Figure 23-18 Filtering Ethernet Traffic 23-20

Figure 23-19 Filtering Remote Node Traffic 23-21

Figure 24-1 SNMP Management Model.... 24-1

Figure 24-2 Menu 22 SNMP Configuration.... 24-3

Figure 25-1 Menu 23 System Security.... 25-1

Figure 25-2 Menu 23 System Security.... 25-1

Figure 25-3 Menu 23.2 System Security : RADIUS Server 25-2

Figure 25-4 Menu 23 System Security.... 25-3

Figure 25-5 Menu 23.4 System Security : IEEE802.1x 25-4

Figure 25-6 Menu 14 Dial-in User Setup.... 25-6

Figure 25-7 Menu 14.1 Edit Dial-in User 25-6

Figure 26-1 Menu 24 System Maintenance .... 26-1

Figure 26-2 Menu 24.1 System Maintenance : Status.... 26-2

Figure 26-3 Menu 24.2 System Information and Console Port Speed 26-3

Figure 26-4 Menu 24.2.1 System Maintenance : Information 26-4

Figure 26-5 Menu 24.2.2 System Maintenance : Change Console Port Speed 26-5

Figure 26-6 Menu 24.3 System Maintenance : Log and Trace 26-6

Figure 26-7 Sample Error and Information Messages 26-6

Figure 26-8 Menu 24.3.2 System Maintenance : Syslog and Accounting.... 26-6

Figure 26-9 Menu 24.4 System Maintenance : Diagnostic 26-9

Figure 27-1 Telnet in Menu 24.5....27-3

Figure 27-2 FTP Session Example.... 27-4

Figure 27-3 Menu 24.5 System Maintenance - Backup Configuration.... 27-6

Figure 27-4 Menu 24.5 System Maintenance – Starting Xmodem Download Screen.... 27-6

Figure 27-5 Backup Configuration Example....27-7
Figure 27-6 Successful Backup Confirmation Screen 27-7
Figure 27-7 Telnet into Menu 24.6 ....27-8
Figure 27-8 Restore Using FTP Session Example....27-9
Figure 27-9 System Maintenance – Restore Configuration....27-9
Figure 27-10 System Maintenance – Starting Xmodem Download Screen....27-9
Figure 27-11 Restore Configuration Example ....27-10
Figure 27-12 Successful Restoration Confirmation Screen 27-10
Figure 27-13 Telnet Into Menu 24.7.1 Upload System Firmware ....27-11
Figure 27-14 Telnet Into Menu 24.7.2 System Maintenance....27-11
Figure 27-15 FTP Session Example of Firmware File Upload....27-12
Figure 27-16 Menu 24.7.1 as seen using the Console Port....27-14
Figure 27-17 Example Xmodem Upload....27-14
Figure 27-18 Menu 24.7.2 as seen using the Console Port....27-15
Figure 27-19 Example Xmodem Upload....27-16
Figure 28-1 Command Mode in Menu 24 ....28-1
Figure 28-2 Valid Commands....28-2
Figure 28-3 Menu 24.9 System Maintenance : Call Control ....28-2
Figure 28-4 Menu 24.9.1 Budget Management ....28-3
Figure 28-5 Menu 24 System Maintenance....28-4
Figure 28-6 Menu 24.10 System Maintenance: Time and Date Setting ....28-4
Figure 29-1 Menu 24.11 Remote Management Control ....29-2
Figure 30-1 Menu 25 IP Routing Policy Setup....30-2
Figure 30-2 Menu 25.1 IP Routing Policy Setup....30-3
Figure 30-3 Menu 25.1.1 IP Routing Policy ....30-4
Figure 30-4 Menu 3.2 TCP/IP and DHCP Ethernet Setup....30-6
Figure 30-5 Menu 11.3 Remote Node Network Layer Options....30-6
Figure 30-6 Example of IP Policy Routing....30-7
Figure 30-7 IP Routing Policy Example ....30-8
Figure 30-8 IP Routing Policy Example....30-9
Figure 30-9 Applying IP Policies Example....30-9
Figure 31-1 Menu 26 Schedule Setup....31-1
Figure 31-2 Menu 26.1 Schedule Set Setup....31-2
Figure 31-3 Applying Schedule Set(s) to a Remote Node (PPPoE)....31-4

List of Tables

Table 1-1 Model Specific Features.... 1-2

Table 2-1 Password 2-3

Table 3-1 Wizard Screen 1 3-3

Table 3-2 Internet Connection with PPPoE.... 3-7

Table 3-3 Internet Connection with RFC 1483 3-9

Table 3-4 Internet Connection with ENET ENCAP 3-10

Table 3-5 Internet Connection with PPPoA 3-11

Table 3-6 Wizard : LAN Configuration .... 3-14

Table 4-1 LAN 4-4

Table 5-1 Wireless....5-5

Table 5-2 MAC Address Filter 5-9

Table 5-3 802.1x 5-12

Table 5-4 Local User Database 5-15

Table 5-5 RADIUS.... 5-16

Table 6-1 Internet Access Setup 6-4

Table 7-1 NAT Definitions....7-1

Table 7-2 NAT Mapping Types....7-4

Table 7-3 Services and Port Numbers 7-6

Table 7-4 NAT Mode 7-8

Table 7-5 Edit SUA/NAT Server Set.... 7-9

Table 7-6 Address Mapping Rules 7-11

Table 7-7 Address Mapping Rule Edit 7-13

Table 8-1 DDNS....8-2

Table 9-1 Time/Date....9-2

Table 10-1 Remote Management .... 10-3

Table 11-1 Configuring UPnP....11-3

Table 12-1 Application and Subnet-based Bandwidth Management Example.... 12-3

Table 12-2 Bandwidth Manager: Summary 12-10

Table 12-3 Bandwidth Manager: Class Setup 12-12

Table 12-4 Bandwidth Manager: Class Configuration.... 12-13

Table 12-5Services and Port Numbers.... 12-15

Table 12-6 Bandwidth Management Statistics.... 12-16

Table 12-7 Bandwidth Manager Monitor.... 12-17

Table 13-1 System Status 13-3

Table 13-2 System Status: Show Statistics.... 13-5

Table 13-3 DHCP Table 13-7

Table 13-4 Association List.... 13-8

Table 13-5 Channel Usage Table.... 13-9

Table 13-6 Diagnostic General.... 13-10

Table 13-7 Diagnostic DSL Line .... 13-12

Table 13-8 Firmware Upgrade....13-13

Table 14-1 Main Menu Commands .... 14-4

Table 14-2 Main Menu Summary for P650HW....14-5

Table 15-1 Menu 1 General Setup .... 15-2

Table 15-2 Menu 1.1 Configure Dynamic DNS 15-3

Table 16-1 DHCP Ethernet Setup Menu Fields .... 16-3

Table 16-2 TCP/IP Ethernet Setup Menu Fields....16-3

Table 17-1 Wireless LAN Setup Field Description....17-2

Table 17-2 Menu 3.5.1 WLAN MAC Address Filtering....17-4

Table 18-1 Menu 3.2.1 IP Alias Setup ....18-4

Table 18-2 Menu 4 Internet Access Setup ....18-5

Table 19-1 Menu 11.1 Remote Node Profile ..... 19-3

Table 19-2 Menu 11.3 Remote Node Network Layer Options ....19-7

Table 19-3 Menu 11.1 – Remote Node Profile (Traffic Redirect Field) ...... 19-15

Table 19-4 Menu 11.7 Traffic Redirect Setup....19-16

Table 20-1 Menu12.1.1 Edit IP Static Route ....20-3

Table 21-1 Menu 11.3 Remote Node Network Layer Options : Bridge Fields....21-3

Table 21-2 Menu 12.3.1 Edit Bridge Static Route....21-4

Table 22-1 Applying NAT in Menus 4 & 11.3....22-3

Table 22-2 SUA Address Mapping Rules ....22-5

Table 22-3 Menu 15.1.1 First Set....22-7

Table 22-4 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set ....22-8

Table 23-1 Abbreviations Used in the Filter Rules Summary Menu ....23-8

Table 23-2 Rule Abbreviations Used 23-8

Table 23-3 Menu 21.x.1 TCP/IP Filter Rule 23-10

Table 23-4 Menu 21.6.1 Generic Filter Rule 23-15

Table 23-5 Filter Sets Table 23-20

Table 24-1 Menu 22 SNMP Configuration....24-3

Table 24-2 SNMP Traps....24-4

Table 24-3 Ports and Interface Types....24-4

Table 25-1 Menu 23.2 System Security : RADIUS Server....25-2

Table 25-2 Menu 23.4 System Security : IEEE802.1x 25-4

Table 25-3 Menu 14.1 Edit Dial-in User....25-6

Table 26-1 Menu 24.1 System Maintenance : Status....26-2

Table 26-2 Menu 24.2.1 System Maintenance : Information....26-4

Table 26-3 Menu 24.3.2 System Maintenance : Syslog and Accounting....26-7

Table 26-4 Menu 24.4 System Maintenance Menu : Diagnostic ....26-9

Table 27-1 Filename Conventions ......27-2

Table 27-2 General Commands for GUI-based FTP Clients .....27-4

Table 27-3 General Commands for GUI-based TFTP Clients 27-6

Table 28-1 Menu 24.9.1 Budget Management 28-3
Table 28-2 Menu 24.10 System Maintenance: Time and Date Setting 28-5
Table 29-1 Menu 24.11 Remote Management Control 29-2
Table 30-1 Menu 25.1 IP Routing Policy Setup.... 30-3
Table 30-2 Menu 25.1.1 IP Routing Policy 30-4
Table 31-1 Menu 26.1 Schedule Set Setup.... 31-2

List of Charts

Chart A-1 Troubleshooting Power LED ......A-1

Chart A-2 Troubleshooting LAN LED ......A-1

Chart A-3 Troubleshooting DSL LED ......A-2

Chart A-4 Troubleshooting Console Port....A-2

Chart A-5 Troubleshooting Telnet....A-2

Chart A-6 Troubleshooting Web Configurator.....A-3

Chart A-7 Troubleshooting Internet Browser Display ......A-4

Chart A-8 Troubleshooting Login Username and Password....A-4

Chart A-9 Troubleshooting LAN Interface....A-4

Chart A-10 Troubleshooting ADSL Connection....A-5

Chart A-11 Troubleshooting WAN Interface ......A-5

Chart A-12 Troubleshooting Internet Access....A-5

Chart A-13 Troubleshooting Internet Connection....A-6

Chart A-14 Troubleshooting Remote Management ......A-6

Chart A-15 Troubleshooting Connecting to a Remote Node or ISP ......A-7

Chart B-1 Classes of IP Addresses....B-1

Chart B-2 Allowed IP Address Range By Class ...... B-2

Chart B-3 “Natural” Masks......B-2

Chart B-4 Alternative Subnet Mask Notation......B-3

Chart B-5 Subnet 1 ...... B-4

Chart B-6 Subnet 2 ...... B-4

Chart B-7 Subnet 1 ...... B-5

Chart B-8 Subnet 2 B-5

Chart B-9 Subnet 3 ...... B-5

Chart B-10 Subnet 4 ...... B-6

Chart B-11 Eight Subnets ...... B-6

Chart B-12 Class C Subnet Planning....B-6

Chart B-13 Class B Subnet Planning....B-7

Preface

Congratulations on your purchase from the Prestige 650 ADSL Router series.

Your Prestige is easy to install and configure. Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your Prestige. Not all features can be configured through all interfaces.

Don't forget to register your Prestige online at www.zyxel.com for free future product updates and information.

About This User's Guide

This manual is designed to guide you through the configuration of your Prestige for its various applications. The web configurator parts of this guide contain background information on features configurable by web configurator. The SMT parts of this guide contain background information on features not configurable by web configurator.

Related Documentation

Supporting Disk
Refer to the included CD for support documents.
Compact Guide or Read Me First
The Prestige 650H and Prestige 650HW come with a Compact Guide. The Prestige 650R and the Prestige 650R-E use a Read Me First. Both of them are designed to help you get up and running right away. They contain connection information and instructions on getting started. The Compact Guide contains additional information on the Wizard and key feature configuration.
Web Configurator Online Help
Embedded web help for descriptions of individual screens and supplementary information.
ZyXEL Glossary and Web Site
Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation.

Syntax Conventions

• “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one predefined choices.

• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font. Command and arrow keys are enclosed in square brackets. [ENTER] means the Enter, or carriage return key; [ESC] means the Escape key and [SPACE BAR] means the Space Bar.

• Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.

• For brevity's sake, we will use “e.g.,” as a shorthand for “for instance”, and “i.e.,” for “that is” or “in other words” throughout this manual.
• The Prestige 650 series may be referred to as the Prestige in this user's guide. This refers to both models (ADSL over POTS and ADSL over ISDN) unless specifically identified.
• The Prestige models with wireless features will be referred to as the Prestige 650H/HW.

The following section offers some background information on DSL. Skip to Chapter 1 if you wish to begin working with your router right away.

User Guide Feedback

Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you.

Introduction to DSL

DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices. While the wire itself can handle higher frequencies, the telephone switching equipment is designed to cut off signals above 4,000 Hz to filter noise off the voice line, but now everybody is searching for ways to get more bandwidth to improve access to the Web - hence DSL technologies.

There are actually seven types of DSL service, ranging in speeds from 16 Kbits/sec to 52 Mbits/sec. The services are either symmetrical (traffic flows at the same speed in both directions), or asymmetrical (the downstream capacity is higher than the upstream capacity). Asymmetrical services (ADSL) are suitable for Internet users because more information is usually downloaded than uploaded. For example, a simple button click in a web browser can start an extended download that includes graphics and text.

As data rates increase, the carrying distance decreases. That means that users who are beyond a certain distance from the telephone company's central office may not be able to obtain the higher speeds.

A DSL connection is a point-to-point dedicated circuit, meaning that the link is always up and there is no dialing required.

What is ADSL?

It is an asymmetrical technology, meaning that the downstream data rate is much higher than the upstream data rate. As mentioned, this works well for a typical Internet session in which more information is downloaded, for example, from Web servers, than is uploaded. ADSL operates in a frequency range that is above the frequency range of voice services, so the two systems can operate over the same cable.

Part I:

Getting Started

This part is structured as a step-by-step guide to help you access your Prestige. It covers key features and applications, accessing the web configurator, password setup and configuring the wizard screens for initial setup.

Chapter 1

Getting To Know Your Prestige

This chapter describes the key features and applications of your Prestige.

1.1 Introducing the Prestige 650 Series

Your Prestige integrates high-speed 10/100Mbps auto-negotiating LAN interface(s) and a high-speed ADSL port into a single package. The Prestige is ideal for high-speed Internet browsing and making LAN-to-LAN connections to remote networks. By integrating DSL and NAT, the Prestige provides super-fast Internet access to multiple users at minimum cost.

The Prestige 650R and Prestige 650R-E is a router and includes two models, one for ADSL over POTS (Plain Old Telephone System) and one for ADSL over ISDN (Integrated Synchronous Digital System).

The Prestige 650H and Prestige 650HW have an integrated four-port switch with an embedded PCMCIA wireless card slot. The Prestige 650H/HW provides a wireless LAN connectivity allowing users to enjoy the convenience and mobility of working anywhere within the coverage area. The Prestige 650HW includes a wireless LAN card, but the Prestige 650H doesn't.

Only use firmware for your Prestige's specific model. Refer to the label on the bottom of your Prestige.

The web browser-based Graphical User Interface provides easy management and is totally independent of the operating system platform you use.

1.2 Features of the Prestige

The following sections describe the features of the Prestige series. Features vary by Prestige model. This table only lists the key features of the Prestige series. Please refer to the feature descriptions below for more details.

Some features are not available in every model. Refer to the Model Specific Features table to see what features are specific to your Prestige model.

Table 1-1 Model Specific Features

Four-Port Switch

A combination of switch and router makes your Prestige a cost-effective and viable network solution. You can connect up to four computers to the LAN ports on you Prestige without the cost of a hub.

▶ High Speed Internet Access

Your Prestige ADSL router can support downstream transmission rates of up to 8Mbps and upstream transmission rates of 832 Kbps. Prestige with ADSL over POTS also supports rate management.

IEEE 802.11b 11Mbps Wireless LAN

The 11 Mbps wireless LAN provides mobility and a fast network environment for small and home offices. Computers with wireless LAN Ethernet adapters can connect to the local area network without any wiring efforts and enjoy reliable high-speed connectivity. This feature is not available on all models.

▶ PPPoE Support (RFC2516)

PPPoE (Point-to-Point Protocol over Ethernet) emulates a dial-up connection. It allows your ISP to use their existing network configuration with newer broadband technologies such as ADSL. The PPPoE driver on the Prestige is transparent to the computers on the LAN, which see only Ethernet and are not aware of PPPoE thus saving you from having to manage PPPoE clients on individual computers.

IEEE 802.1x Network Security

The Prestige supports the IEEE 802.1x standard to enhance user authentication. Use the built-in user profile database to authenticate up to 32 users using MD5 encryption. Use an EAP-compatible RADIUS (RFC2138, 2139 - Remote Authentication Dial In User Service) server to authenticate a limitless number of users using EAP (Extensible Authentication Protocol). EAP is an authentication protocol that supports multiple types of authentication.

▶ Network Address Translation (NAT)

Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).

Traffic Redirect

Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the Prestige cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.

Bandwidth Management

Bandwidth management allows you to allocate network resources according to defined policies. This policy-based bandwidth allocation helps your network to better handle real-time applications such as Voice-over-IP (VoIP).

▶ Universal Plug and Play (UPnP)

Using the standard TCP/IP protocol, the Prestige and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network.

10/100M Auto-negotiation Ethernet/Fast Ethernet Interface

This auto-negotiation feature allows the Prestige to detect the speed of incoming transmissions and adjust appropriately without manual intervention. It allows data transfer of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network.

Dynamic DNS Support

With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS client.

Multiple PVC (Permanent Virtual Circuits) Support

Your Prestige supports up to 8 PVC's.

ADSL Standards

Full-Rate (ANSI T1.413, Issue 2; G.dmt (G.992.1) with line rate support of up to 8 Mbps downstream and 832 Kbps upstream.
◆ G.lite (G.992.2) with line rate support of up to 1.5Mbps downstream and 512Kbps upstream.
◆ Supports Multi-Mode standard (ANSI T1.413, Issue 2; G.dmt (G.992.1); G.994.1 and G.996.1 (for ISDN only); G.991.1; G.lite (G992.2)).
◆ Supports OAM F4/F5 loop-back, AIS and RDI OAM cells.
♦ ATM Forum UNI 3.1/4.0 PVC.
◆ Supports up to 8 PVCs (UBR, CBR, VBR).
◆ Multiple Protocols over AAL5 (RFC 1483).
◆ PPP over AAL5 (RFC 2364).
◆ PPP over Ethernet (RFC 2516).

DHCP Support

DHCP (Dynamic Host Configuration Protocol) allows individual clients (computers) to obtain TCP/IP configuration at start-up from a centralized DHCP server. The Prestige has built-in DHCP server capability enabled by default. It can assign IP addresses, an IP default gateway and DNS servers to DHCP clients. The Prestige can now also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual real DHCP server to the clients.

IP Alias

IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network.

IP Policy Routing (IPPR)

Traditionally, routing is based on the destination address only and the router takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.

▶ Protocol Support

◆ PPP (Point-to-Point Protocol) link layer protocol.
o PPP over PAP (RFC 1334).
o PPP over CHAP (RFC 1994).
◆ TCP/IP (Transmission Control Protocol/Internet Protocol) network layer protocol.
◆ Transparently bridging for unsupported network layer protocols.
◆ RIP I/RIP II
IGMP Proxy
ICMP support
◆ MIB II support (RFC 1213)
◆ PPPoE feature

o PPPoE idle time out

o PPPoE dial on demand

▶ Networking Compatibility

Your Prestige is compatible with major ADSL DSLAM (Digital Subscriber Line Access Multiplexer) providers.

Multiplexing

The Prestige Series supports VC-based and LLC-based multiplexing.

Encapsulation

The Prestige series supports PPPoA (RFC 2364 - PPP over ATM Adaptation Layer 5), RFC 1483 encapsulation over ATM, MAC encapsulated routing (ENET Encapsulation) as well as PPP over Ethernet (RFC 2516).

Network Management

◆ Menu driven SMT (System Management Terminal) management
◆ Embedded Web Configurator

◆ CLI (Command Line Interpreter)
◆ Remote SMT session via Telnet
◆ SNMP manageable
◆ Local SMT session via console port
DHCP Server/Client
◆ Built-in Diagnostic Tools
♦ Syslog

◆ TFTP/FTP server, firmware upgrade and configuration backup/support supported

▶ Diagnostics Capabilities

The Prestige can perform self-diagnostic tests. These tests check the integrity of the following circuitry:

• FLASH memory
• ADSL circuitry
  • RAM
  • LAN port

Filters

The Prestige's packet filtering functions allows added network security and management.

Ease of Installation

Your Prestige is designed for quick, intuitive and easy installation.

Housing

Your Prestige's all new compact and ventilated housing minimizes space requirements making it easy to position anywhere in your busy office.

1.3 Applications for the Prestige

Here are some example uses for which the Prestige is well suited.

1.3.1 Internet Access

The Prestige is the ideal high-speed Internet access solution. Your Prestige supports the TCP/IP protocol, which the Internet uses exclusively. It is compatible with all major ADSL DSLAM (Digital Subscriber Line Access Multiplexer) providers. A DSLAM is a rack of ADSL line cards with data multiplexed into a backbone network interface/connection (for example, T1, OC3, DS3, ATM or Frame Relay). Think of it as the equivalent of a modem rack for ADSL. In addition, for Prestige 650H/HW, you can insert an optional wireless PCMICA card into the Prestige and allow wireless stations access to your network resources. A typical Internet access application is shown below.

graph LR
    A["Home/Office LAN"] --> B["10/100M Ethernet"]
    C["Laptop"] --> B
    D["Laptop"] --> B
    E["Computer"] --> B
    F["Computer"] --> B
    B --> G["DSLAM"]
    G --> H["ATM"]
    H --> I["ISP"]
    I --> J["Internet"]

Figure 1-1 Prestige Internet Access Application

1.3.2 LAN to LAN Application

You can use the Prestige to connect two geographically dispersed networks over the ADSL line. A typical LAN-to-LAN application for your Prestige is shown as follows.

graph LR
    A["Home/Office LAN"] --> B["10/100M Ethernet"]
    B --> C["ATM"]
    D["Home/Office LAN"] --> E["10/100M Ethernet"]
    E --> F["ATM"]
    B <--> G["Prestige"]
    E <--> H["Prestige"]
    G <--> I["10/100M Ethernet"]
    H <--> J["10/100M Ethernet"]

Figure 1-2 Prestige LAN-to-LAN Application

Chapter 2

Introducing the Web Configurator

This chapter describes how to access and navigate the web configurator.

2.1 Web Configurator Overview

The embedded web configurator allows you to manage the Prestige from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled. It is recommended that you set your screen resolution to 1024 by 768 pixels

2.2 Accessing the Prestige Web Configurator

Step 1. Make sure your Prestige hardware is properly connected (refer to the Compact Guide or Read Me First).

Step 2. Prepare your computer/computer network to connect to the Prestige (refer to the Compact Guide or Read Me First).

Step 3. Launch your web browser.

Step 4. Type "192.168.1.1" as the URL.

Step 5. An Enter Network Password window displays. Enter the user name (“admin” is the default), password (“1234” is the default) and click OK.

Figure 2-1 Password Screen

Step 6. You should now see the Site Map screen.

The Prestige automatically times out after five minutes of inactivity. Simply log back into the Prestige if this happens to you.

2.3 Navigating the Prestige Web Configurator

The following summarizes how to navigate the web configurator from the Site Map screen. Screens vary slightly for different Prestige models.

Select a language from the Language drop-down list box.
➢ Click Wizard Setup to begin a series of screens to configure your Prestige for the first time.
➢ Click a link under Advanced Setup to configure advanced Prestige features.
➢ Click a link under Maintenance to see Prestige performance statistics, upload firmware and back up, restore or upload a configuration file.
➢ Click SITE MAP to go to the Site Map screen.
➢ Click Logout in the navigation panel when you have finished a Prestige management session.

Figure 2-2 Web Configurator SITE MAP Screen

Click the HELP icon (located in the top right corner of most screens) to view embedded help.

2.4 Configuring Password

It is highly recommended that you change the password for accessing the Prestige.

To change your Prestige's password, click Advanced Setup and then Password. The screen appears as shown.

Figure 2-3 Password

The following table describes the labels in this screen.

Table 2-1 Password

2.5 Resetting the Prestige

If you forget your password or cannot access the Prestige, you will need to reload the factory-default configuration file or use the RESET button the back of the Prestige. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps with 8 data bit, no parity, one stop bit and flow control set to none. The password will be reset to “1234”, also.

2.5.1 Using The Reset Button

Step 1. Make sure the SYS LED is on (not blinking).

Step 2. Press the RESET button for five seconds, and then release it. When the SYS LED begins to blink, the defaults have been restored and the Prestige restarts.

2.5.2 Uploading a Configuration File Via Console Port

Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.

Step 1. Turn off the Prestige, begin a terminal emulation software session and turn on the Prestige again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.

Step 2. Enter "atlc" after "Enter Debug Mode" message.

Step 3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal. This is an example Xmodem configuration upload using HyperTerminal.

Step 4. Click Transfer, then Send File to display the following screen.

Figure 2-4 Example Xmodem Upload

Step 5. After successful firmware upload, enter "atgo" to restart the router.

Chapter 3

Wizard Setup

This chapter provides information on the Wizard Setup screens in the web configurator.

3.1 Wizard Setup Introduction

Use the Wizard Setup screens to configure your system for Internet access settings and fill in the fields with the information in the Internet Account Information table of the Compact Guide or Read Me First. Your ISP may have already configured some of the fields in the wizard screens for you.

3.2 Encapsulation

Be sure to use the encapsulation method required by your ISP. The Prestige supports the following methods.

3.2.1 ENET ENCAP

The MAC Encapsulated Routing Link Protocol (ENET ENCAP) is only implemented with the IP network protocol. IP packets are routed between the Ethernet interface and the WAN interface and then formatted so that they can be understood in a bridged environment. For instance, it encapsulates routed Ethernet frames into bridged ATM cells. ENET ENCAP requires that you specify a gateway IP address in the Ethernet Encapsulation Gateway field in the second wizard screen. You can get this information from your ISP.

3.2.2 PPP over Ethernet

PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP. The Prestige bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to ADSL Access Concentrator where the PPP session terminates. One PVC can support any number of PPP sessions from your LAN. For more information on PPPoE, see the appendix.

3.2.3 PPPoA

PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 (AAL5). It provides access control and billing functionality in a manner similar to dial-up services using PPP. The Prestige encapsulates the PPP session based on RFC1483 and sends it through an ATM PVC (Permanent Virtual Circuit) to the Internet Service Provider's (ISP) DSLAM (digital access multiplexer). Please refer to RFC 2364 for more information on PPPoA. Refer to RFC 1661 for more information on PPP.

3.2.4 RFC 1483

RFC 1483 describes two methods for Multiprotocol Encapsulation over ATM Adaptation Layer 5 (AAL5). The first method allows multiplexing of multiple protocols over a single ATM virtual circuit (LLC-based multiplexing) and the second method assumes that each protocol is carried over a separate ATM virtual circuit (VC-based multiplexing). Please refer to the RFC for more detailed information.

3.3 Multiplexing

There are two conventions to identify what protocols the virtual circuit (VC) is carrying. Be sure to use the multiplexing method required by your ISP.

3.3.1 VC-based Multiplexing

In this case, by prior mutual agreement, each protocol is assigned to a specific virtual circuit; for example, VC1 carries IP, etc. VC-based multiplexing may be dominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical.

3.3.2 LLC-based Multiplexing

In this case one VC carries multiple protocols with protocol identifying information being contained in each packet header. Despite the extra bandwidth and processing overhead, this method may be advantageous if it is not practical to have a separate VC for each carried protocol, for example, if charging heavily depends on the number of simultaneous VCs.

3.4 VPI and VCI

Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you. The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic). Please see the appendix for more information.

3.5 Wizard Setup Configuration: First Screen

In the SITE MAP screen click Wizard Setup to display the first wizard screen.

Figure 3-1 Wizard Screen 1

The following table describes the labels in this screen.

Table 3-1 Wizard Screen 1

Table 3-1 Wizard Screen 1

3.6 IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the Prestige. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number; which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.

Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your Prestige, but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your Prestige will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the Prestige unless you are instructed to do otherwise.

3.7 IP Address Assignment

A static IP is a fixed IP that your ISP gives you. A dynamic IP is not fixed; the ISP assigns you a different one each time. The Single User Account feature can be enabled or disabled if you have either a dynamic or static IP. However the encapsulation method assigned influences your choices for IP address and ENET ENCAP Gateway.

3.7.1 IP Assignment with PPPoA or PPPoE Encapsulation

If you have a dynamic IP, then the IP Address and ENET ENCAP Gateway fields are not applicable (N/A). If you have a static IP, then you only need to fill in the IP Address field and not the ENET ENCAP Gateway field.

3.7.2 IP Assignment with RFC 1483 Encapsulation

In this case the IP Address Assignment must be static with the same requirements for the IP Address and ENET ENCAP Gateway fields as stated above.

3.7.3 IP Assignment with ENET ENCAP Encapsulation

In this case you can have either a static or dynamic IP. For a static IP you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP. However for a dynamic IP, the Prestige acts as a DHCP client on the WAN port and so the IP Address and ENET ENCAP Gateway fields are not applicable (N/A) as the DHCP server assigns them to the Prestige.

3.7.4 Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, for example, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:

10.0.0.0 - 10.255.255.255  
172.16.0.0 - 172.31.255.255  
192.168.0.0 - 192.168.255.255 

You can obtain your IP address from the IANA, from an ISP or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.

3.8 Nailed-Up Connection (PPP)

A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The Prestige does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the Prestige will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.

Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern

3.9 NAT

NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.

3.10 Wizard Setup Configuration: Second Screen

The second wizard screen varies depending on what mode and encapsulation type you use. All screens shown are with routing mode. Configure the fields and click Next to continue.

3.10.1 PPPoE

Select PPPoE from the Encapsulation drop-down list box in the first wizard screen to display the screen as shown.

Figure 3-2 Internet Connection with PPPoE

The following table describes the labels in this screen.

Table 3-2 Internet Connection with PPPoE

Table 3-2 Internet Connection with PPPoE

3.10.2 RFC 1483

Select RFC 1483 from the Encapsulation drop-down list box in the first wizard screen to display the screen as shown.

Figure 3-3 Internet Connection with RFC 1483

The following table describes the labels in this screen.

Table 3-3 Internet Connection with RFC 1483

3.10.3 ENET ENCAP

Select ENET ENCAP from the Encapsulation drop-down list box in the first wizard screen to display the screen as shown.

Figure 3-4 Internet Connection with ENET ENCAP

The following table describes the labels in this screen.

Table 3-4 Internet Connection with ENET ENCAP

3.10.4 PPPoA

Select PPPoA from the Encapsulation drop-down list box in the first wizard screen to display the screen as shown.

Figure 3-5 Internet Connection with PPPoA

The following table describes the labels in this screen.

Table 3-5 Internet Connection with PPPoA

Table 3-5 Internet Connection with PPPoA

3.11 DHCP Setup

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the Prestige as a DHCP server or disable it. When configured as a server, the Prestige provides the TCP/IP configuration for the clients. If you turn DHCP service off, you must have another DHCP server on your LAN, or else the computer must be manually configured.

3.11.1 IP Pool Setup

The Prestige is pre-configured with a pool of 32 IP addresses starting from 192.168.1.33 to 192.168.1.64 for the client machines. This leaves 31 IP addresses, 192.168.1.2 to 192.168.1.32 (excluding the Prestige itself which has a default IP of 192.168.1.1) for other server machines, for example, server for mail, FTP, telnet, web, etc., that you may have.

3.12 Wizard Setup Configuration: Third Screen

Verify the settings in the screen shown next. To change the LAN information on the Prestige, click Change LAN Configurations. Otherwise click Save Settings to save the configuration and skip to section 3.13.

Figure 3-6 Wizard Screen 3

If you want to change your Prestige LAN settings, click Change LAN Configuration to display the screen as shown next.

Figure 3-7 Wizard : LAN Configuration

The following table describes the labels in this screen.

Table 3-6 Wizard : LAN Configuration

Table 3-6 Wizard : LAN Configuration

3.13 Wizard Setup Configuration: Connection Tests

The Prestige automatically tests the connection to the computer(s) connected to the LAN ports. To test the connection from the Prestige to the ISP, click Start Diagnose. Otherwise click Return to Main Menu to go back to the Site Map screen.

Figure 3-8 Wizard Screen 4

3.14 Test Your Internet Connection

Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this User's Guide for more detailed information on the complete range of Prestige features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the Wizard Setup are correct.

Part II:

LAN, Wireless LAN and WAN

This part covers the LAN (Local Area Network), wireless LAN and WAN setup.

Chapter 4

LAN Setup

This chapter describes how to configure LAN settings.

4.1 LAN Overview

A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is a computer network limited to the immediate area, usually the same building or floor of a building. The LAN screens can help you configure a LAN DHCP server and manage IP addresses.

4.1.1 LANs, WANs and the Prestige

The actual physical connection determines whether the Prestige ports are LAN or WAN ports. There are two separate IP networks, one inside, the LAN network; the other outside: the WAN network as shown next:

graph TD
    A["LAN"] --> B["Prestige"]
    B --> C["Internet"]
    D["Computer 1"] --> E["Computer 2"]
    F["Computer 3"] --> G["Computer 4"]
    H["Computer 5"] --> I["Computer 6"]
    J["Computer 7"] --> K["Computer 8"]
    L["Computer 9"] --> M["Computer 10"]
    N["Computer 11"] --> O["Computer 12"]
    P["Computer 13"] --> Q["Computer 14"]
    R["Computer 15"] --> S["Computer 16"]
    T["Computer 17"] --> U["Computer 18"]
    V["Computer 19"] --> W["Computer 20"]
    X["Computer 21"] --> Y["Computer 22"]
    Z["Computer 23"] --> AA["Computer 24"]
    AB["Computer 25"] --> AC["Computer 26"]
    AD["Computer 27"] --> AE["Computer 28"]
    AF["Computer 29"] --> AG["Computer 30"]
    AH["Computer 31"] --> AI["Computer 32"]
    AJ["Computer 33"] --> AK["Computer 34"]
    AL["Computer 35"] --> AM["Computer 36"]
    AN["Computer 37"] --> AO["Computer 38"]
    AP["Computer 39"] --> AQ["Computer 40"]
    AR["Computer 41"] --> AS["Computer 42"]
    AT["Computer 43"] --> AU["Computer 44"]
    AV["Computer 45"] --> AW["Computer 46"]
    AX["Computer 47"] --> AY["Computer 48"]
    AZ["Computer 49"] --> BA["Computer 50"]
    BB["Computer 51"] --> BC["Computer 52"]
    BD["Computer 53"] --> BE["Computer 54"]
    BF["Computer 55"] --> BG["Computer 56"]
    BH["Computer 57"] --> BI["Computer 58"]
    BJ["Computer 59"] --> BK["Computer 60"]
    BL["Computer 61"] --> BM["Computer 62"]
    BN["Computer 63"] --> BO["Computer 64"]
    BP["Computer 65"] --> BQ["Computer 66"]
    BR["Computer 67"] --> BS["Computer 68"]
    BT["Computer 69"] --> BU["Computer 70"]
    BV["Computer 71"] --> BW["Computer 72"]
    BX["Computer 73"] --> BY["Computer 74"]
    BZ["Computer 75"] --> CA["Computer 76"]
    CB["Computer 77"] --> CC["Computer 78"]
    DD["Computer 79"] --> EE["Computer 80"]
    FF["Computer 81"] --> DG["Computer 82"]
    DH["Computer 83"] --> DI["Computer 84"]
    DJ["Computer 84"] --> DK["Computer 85"]
    DL["Computer 85"] --> DV["Computer 86"]
    DW["Computer 87"] --> DX["Computer 88"]
    DXN["WAN"] --> DXN
    DXN --> DXN

Figure 4-1 LAN and WAN IP Addresses

4.2 DNS Server Address

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa, for example, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask.

There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when s/he signs up. If your ISP gives you the DNS server addresses, enter them in the DNS Server fields in DHCP Setup, otherwise, leave them blank.

Some ISP's choose to pass the DNS servers using the DNS server extensions of PPP IPCP (IP Control Protocol) after the connection is up. If your ISP did not give you explicit DNS servers, chances are the DNS servers are conveyed through IPCP negotiation. The Prestige supports the IPCP DNS server extensions through the DNS proxy feature.

If the Primary and Secondary DNS Server fields in DHCP Setup are not specified, for instance, left as 0.0.0.0, the Prestige tells the DHCP clients that it itself is the DNS server. When a computer sends a DNS query to the Prestige, the Prestige forwards the query to the real DNS server learned through IPCP and relays the response back to the computer.

Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions. It does not mean you can leave the DNS servers out of the DHCP setup under all circumstances. If your ISP gives you explicit DNS servers, make sure that you enter their IP addresses in the DHCP Setup menu. This way, the Prestige can pass the DNS servers to the computers and the computers can query the DNS server directly without the Prestige's intervention.

4.3 DNS Server Address Assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.

There are two ways that an ISP disseminates the DNS server addresses.

1. The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in DHCP Setup.
2. Leave the DNS Server fields in DHCP Setup blank (for example 0.0.0.0). The Prestige acts as a DNS proxy when this field is blank.

4.4 LAN TCP/IP

The Prestige has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

4.4.1 Factory LAN Defaults

The LAN parameters of the Prestige are preset in the factory with the following values:

IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
DHCP server enabled with 32 client IP addresses starting from 192.168.1.33.

These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured.

4.4.2 IP Address and Subnet Mask

Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter for this information.

4.4.3 RIP Setup

RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. When set to:

1. Both - the Prestige will broadcast its routing table periodically and incorporate the RIP information that it receives.
2. In Only - the Prestige will not send any RIP packets but will accept all RIP packets received.
3. Out Only - the Prestige will send out RIP packets but will not accept any RIP packets received.
4. None - the Prestige will not send any RIP packets and will ignore any RIP packets received.

The Version field controls the format and the broadcasting method of the RIP packets that the Prestige sends (it recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.

Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting.

4.4.4 Multicast

Traditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1.

IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.

The Prestige supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the Prestige queries all directly connected networks to gather group membership. After that, the Prestige periodically updates this information. IP multicasting can be enabled/disabled on the Prestige LAN and/or WAN interfaces in the web configurator (LAN; WAN). Select None to disable IP multicasting on these interfaces.

4.5 Configuring LAN

Click LAN to open the following screen.

Figure 4-2 LAN

The following table describes the labels in this screen.

Table 4-1 LAN

Table 4-1 LAN

Chapter 5

Wireless LAN Setup

This chapter discusses how to configure Wireless LAN on the Prestige. This chapter is only applicable to the Prestige 650H and Prestige 650HW.

5.1 Wireless LAN Overview

This section introduces the wireless LAN and some basic configurations. Wireless LANs can be as simple as two computers with wireless LAN cards communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN cards communicating through access points which bridge network traffic to the wired LAN.

The WLAN screens are only available when a WLAN card is installed.

5.1.1 Additional Installation Requirements for Using 802.1x

A computer with an IEEE 802.11b wireless LAN card and equipped with a web browser (with JavaScript enabled) and/or Telnet.
A wireless station computer must be running IEEE 802.1x-compliant software. Currently, this is offered in Windows XP.
➢ An optional network RADIUS server for remote user authentication and accounting.

5.1.2 Channel

The range of radio frequencies used by IEEE 802.11b wireless devices is called a “channel”. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance.

Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11.

5.1.3 ESS ID

An Extended Service Set (ESS) is a group of access points or wireless gateways connected to a wired LAN on the same subnet. An ESS ID uniquely identifies each set. All access points or wireless gateways and their associated wireless stations in the same set must have the same ESSID.

5.1.4 RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot “hear” each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.

graph TD
    subgraph_Stations_A["Station A"]
        RTS1["RTS"] --> Prestige1["Prestige"]
        CTS1["CTS"] --> Prestige1
        Data1["Data"] --> Prestige1
        ACK1["ACK"] --> Prestige1
    end
    subgraph_Stations_B["Station B"]
        Prestige2["Prestige"] --> CTS2["CTS Range"]
        CTS2 --> Prestige2
        Prestige2 --> Station3["Station A"]
        Prestige2 --> Station4["Station B"]
        Prestige2 --> CTS3["CTS Range"]
        CTS3 --> Prestige3["Prestige"]
        CTS3 --> CTS4["CTS Range"]
        CTS4 --> Station5["Station A and B"]
        CTS4 --> Station6["Station B"]
    end
    Note: Stations A and B do not hear each other. They can hear the Prestige.

Figure 5-1 RTS/CTS

When station A sends data to the Prestige, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.

When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.

Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.

You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the “cost” of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake.

If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.

5.1.5 Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the Prestige will fragment the packet into smaller data frames.

A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

5.2 Levels of Security

Wireless security is vital to your network to protect wireless communication between wireless stations, access points and the wired network.

The figure below shows the possible wireless security levels on your Prestige. The highest security level relies on EAP (Extensible Authentication Protocol) for authentication and utilizes dynamic WEP key exchange. It requires interaction with a RADIUS (Remote Authentication Dial-In User Service) server either on the WAN or your LAN to provide authentication service for wireless stations.

graph LR
    A["Unique ESS ID (Default)"] --> B["Unique ESS ID with Hide ESS ID Enabled"]
    B --> C["MAC Address Filtering"]
    C --> D["WEP Encryption"]
    D --> E["IEEE802.1x EAP with RADIUS Server Authentication"]
    style A fill:#f9f,stroke:#333
    style B fill:#f9f,stroke:#333
    style C fill:#f9f,stroke:#333
    style D fill:#f9f,stroke:#333
    style E fill:#f9f,stroke:#333

Figure 5-2 Prestige Wireless Security Levels

If you do not enable any wireless security on your Prestige, your network is accessible to any wireless networking device that is within range.

Use the Prestige web configurator to configurator to set up your wireless LAN security settings. Refer to the chapter on using the Prestige web configurator to see how to access the web configurator.

5.3 Data Encryption with WEP

WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key for data encryption and decryption.

Your Prestige allows you to configure up to four 64-bit or 128-bit WEP keys but only one key can be enabled at any one time.

5.4 Inserting a PCMCIA Wireless LAN Card

Use a ZyAIR series wireless LAN PCMCIA card to add wireless LAN capabilities.

Step 1. Turn off the Prestige.

Never insert or remove a wireless LAN card when the Prestige is turned on.

Step 2. Locate the slot labeled Wireless LAN on the Prestige.

Step 3. With its pin connector facing the slot and the LED side facing upwards, slide the ZyAIR wireless LAN card into the slot.

Never force, bend or twist the wireless LAN card into the slot.

Step 4. Turn on the Prestige. The WLAN LED should turn on.

5.5 Configuring Wireless LAN

If you are configuring the Prestige from a computer connected to the wireless LAN and you change the Prestige's ESSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the Prestige's new settings.

Click Wireless LAN, Wireless to open the Wireless screen.

Wireless LAN-Wireless

ESSID

Wireless

Hide ESSID

No

Channel ID

Channel-01 2412MHz

RTS/CTS Threshold

0 (0 \~ 2432)

Fragmentation Threshold

2432 (256 \~ 2432)

WEP Encryption

Disable

64-bit WEP: Enter 5 characters or 10 hexadecimal digits ("0-9", "A-F") preceded by 0x for each Key(1-4). 128-bit WEP: Enter 13 characters or 26 hexadecimal digits ("0-9", "A-F") preceded by 0x for each Key(1-4).

○ Key1

Key2

○ Key3

○ Key4

Back

Apply

Cancel

Figure 5-3 Wireless

The following table describes the labels in this screen.

Table 5-1 Wireless

Table 5-1 Wireless

5.6 Configuring MAC Filter

The MAC filter screen allows you to configure the Prestige to give exclusive access to up to 32 devices (Allow Association) or exclude up to 32 devices from accessing the Prestige (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of the devices to configure this screen.

To change your Prestige's MAC filter settings, click Wireless LAN, MAC Filter to open the MAC Filter screen. The screen appears as shown.

Wireless LAN- MAC Filter

Active

Action

Figure 5-4 MAC Address Filter

The following table describes the labels in this menu.

Table 5-2 MAC Address Filter

5.7 802.1x Overview

The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication can be done using the local user database internal to the Prestige (authenticate up to 32 users) or an external RADIUS server for an unlimited number of users.

5.8 Introduction to RADIUS

RADIUS is based on a client-sever model that supports authentication and accounting, where access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks among others:

• Authentication
  Determines the identity of the users.
• Accounting

Keeps track of the client's network activity.

RADIUS user is a simple package exchange in which your Prestige acts as a message relay between the wireless station and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:

- Access-Request

Sent by an access point requesting authentication.

- Access-Reject

Sent by a RADIUS server rejecting access.

- Access-Accept

Sent by a RADIUS server allowing access.

- Access-Challenge

Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:

• Accounting-Request

Sent by the access point requesting accounting.

• Accounting-Response

Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the wired network from unauthorized access.

5.8.1 EAP Authentication Overview

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server or the AP. The Prestige supports EAP-TLS, EAP-TTLS and DEAP with RADIUS. Refer to the Types of EAP Authentication appendix for descriptions on the four common types.

Your Prestige supports EAP-MD5 (Message-Digest Algorithm 5) with the local user database and RADIUS.

The following figure shows an overview of authentication when you specify a RADIUS server on your access point.

graph LR
    A["Wireless Station"] --> B["The Prestige"]
    B --> C["Ethernet"]
    C --> D["RADIUS Server"]

Figure 5-5 EAP Authentication

The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x appendix.

Step 1. The wireless station sends a “start” message to the Prestige.
Step 2. The Prestige sends a “request identity” message to the wireless station for identity information.
Step 3. The wireless station replies with identity information, including username and password.
Step 4. The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.

5.9 Configuring 802.1x

To change your Prestige's authentication settings, click Wireless LAN, 802.1x. The screen appears as shown.

Wireless LAN - 802.1x

802.1x Authentication

Wireless Port Control

ReAuthentication Timer

Idle Timeout

Authentication Databases

No Authentication Required

1800

(In Seconds)

3600

(In Seconds)

Local User Database Only

Back

Apply

Cancel

Figure 5-6 802.1x

The following table describes the labels in this screen.

Table 5-3 802.1x

Table 5-3 802.1x

5.10 Configuring Local User Authentication

By storing user profiles locally, your Prestige is able to authenticate wireless users without interacting with a network RADIUS server. However, there is a limit on the number of users you may authenticate in this way.

To change your Prestige's local user database, click Wireless LAN, Local User Database. The screen appears as shown.

Wireless LAN · Local User DataBase

Back

Apply

Cancel

Figure 5-7 Local User Database

The following table describes the labels in this screen.

Table 5-4 Local User Database

5.11 Configuring RADIUS

Once you enable the EAP authentication, you need to specify the external sever for remote user authentication and accounting.

To set up your Prestige's RADIUS server settings, click WIRELESS LAN, RADIUS. The screen appears as shown.

Wireless LAN · Radius

Authentication Server

Active

Server IP Address

Port Number

Shared Secret

Accounting Server

Active

Server IP Address

Port Number

Shared Secret

Back

Apply

Cancel

Figure 5-8 RADIUS

The following table describes the labels in this screen.

Table 5-5 RADIUS

Table 5-5 RADIUS

Chapter 6

WAN Setup

This chapter describes how to configure WAN settings.

6.1 WAN Overview

A WAN (Wide Area Network) is an outside connection to another network or the Internet.

See the Wizard Setup chapter for more information on the fields in the WAN screens.

6.2 PPPoE Encapsulation

The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE.

For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example Radius). PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.

One of the benefits of PPPoE is the ability to let you access one of multiple network services, a function known as dynamic service selection. This enables the service provider to easily create and offer new IP services for individuals.

Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site.

By implementing PPPoE directly on the Prestige (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the Prestige does that part of the task. Furthermore, with NAT, all of the LANs' computers will have access.

6.3 PPTP Encapsulation

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.

PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet.

6.4 Traffic Shaping

Traffic Shaping is an agreement between the carrier and the subscriber to regulate the average rate and “burstiness” or fluctuation of data transmission over an ATM network. This agreement helps eliminate congestion, which is important for transmission of real time data such as audio and video connections.

Peak Cell Rate (PCR) is the maximum rate at which the sender can send cells. This parameter may be lower (but not higher) than the maximum line speed. 1 ATM cell is 53 bytes (424 bits), so a maximum speed of 832 Kbps gives a maximum PCR of 1962 cells/sec. This rate is not guaranteed because it is dependent on the line speed.

Sustained Cell Rate (SCR) is the mean cell rate of a bursty, on-off traffic source that can be sent at the peak rate, and a parameter for burst-type traffic. SCR may not be greater than the PCR; the system default is 0 cells/sec.

Maximum Burst Size (MBS) is the maximum number of cells that can be sent at the PCR. After MBS is reached, cell rates fall below SCR until cell rate averages to the SCR again. At this time, more cells (up to the MBS) can be sent at the PCR again.

If the PCR, SCR or MBS is set to the default of “0”, the system will assign a maximum value that correlates to your upstream line rate.

The following figure illustrates the relationship between PCR, SCR and MBS.

Figure 6-1 Example of Traffic Shaping

6.5 Configuring WAN Setup

To change your Prestige's WAN remote node settings, click WAN. The screen differs by the encapsulation.

Internet Access Setup

Name

MyISP

Mode

Routing

Encapsulation

PPPoE

Multiplex

LLC

Virtual Circuit ID

VPI

8

VCI

35

ATM QoS Type

UBR

Cell Rate

Peak Cell Rate

0 cell/sec

Sustain Cell Rate

0 cell/sec

Maximum Burst Size

0

Login Information

Service Name

The image contains no text. The horizontal line is a stylistic or background element and must be ignored according to the rules.

User Name

user@isp.ch

Password

:

IP Address

Obtain an IP Address Automatically

Static IP Address

IP Address

0.0.0.0

Connection

○ Nailed-Up Connection

Connect on Demand

Max Idle Timeout

1500 sec

Figure 6-2 Internet Access Setup

The following table describes the labels in this screen.

Table 6-1 Internet Access Setup

Table 6-1 Internet Access Setup

Table 6-1 Internet Access Setup

Part III:

NAT, Dynamic DNS and Time Zone

This part covers NAT (Network Address Translation), dynamic DNS (Domain Name Sever) and Time Zone setup.

Chapter 7

Network Address Translation (NAT)

This chapter discusses how to configure NAT on the Prestige.

7.1 NAT Overview

NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.

7.1.1 NAT Definitions

Inside/outside denotes where a host is located relative to the Prestige, for example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.

Global/local denotes the IP address of a host in a packet as the packet traverses a router, for example, the local address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side.

Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side. The following table summarizes this information.

Table 7-1 NAT Definitions

NAT never changes the IP address (either local or global) of an outside host.

7.1.2 What NAT Does

In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside

local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed.

The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers, for example, a web server and a telnet server, on your local network and make them accessible to the outside world. With no servers defined, your Prestige filters out all incoming inquiries, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).

7.1.3 How NAT Works

Each packet has two addresses – a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN. NAT maps private (local) IP addresses to globally unique ones required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The Prestige keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.

graph TD
    subgraph LAN
        A["Computer IP = 192.168.1.13"] --> B["SA 192.168..1.10"]
        C["Computer IP = 192.168.1.12"] --> B
        D["Computer IP = 192.168.1.11"] --> B
        E["Computer IP = 192.168.1.10"] --> B
    end
    subgraph WAN
        F["SA IGA 1"] --> G["Internet"]
        H["Inside Global IP Address IGA 1"] --> G
        I["Inside Global IP Address IGA 2"] --> G
        J["Inside Global IP Address IGA 3"] --> G
        K["Inside Global IP Address IGA 4"] --> G
    end
    B --> L["Prestige"]
    B --> L
    L --> G
    style LAN fill:#f9f,stroke:#333
    style WAN fill:#bbf,stroke:#333

Figure 7-1 How NAT Works

7.1.4 NAT Application

The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the Prestige can communicate with three distinct WAN networks. More examples follow at the end of this chapter.

Figure 7-2 NAT Application With IP Alias

7.1.5 NAT Mapping Types

NAT supports five types of IP/port mapping. They are:

1. One to One: In One-to-One mode, the Prestige maps one local IP address to one global IP address.
2. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address. This is equivalent to SUA (for instance, PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported (the SUA Only option in today's routers).

3. Many to Many Overload: In Many-to-Many Overload mode, the Prestige maps the multiple local IP addresses to shared global IP addresses.

4. Many-to-Many No Overload: In Many-to-Many No Overload mode, the Prestige maps each local IP address to a unique global IP address.

5. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.

Port numbers do not change for One-to-One and Many-to-Many No Overload NAT mapping types.

The following table summarizes these types.

Table 7-2 NAT Mapping Types

7.2 SUA (Single User Account) Versus NAT

SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The Prestige also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types as outlined in Table 7-2.

1. Choose SUA Only if you have just one public WAN IP address for your Prestige.
2. Choose Full Feature if you have multiple public WAN IP addresses for your Prestige.

7.3 SUA Server

A SUA server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though SUA makes your whole inside network appear as a single computer to the outside world.

You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers. You can allocate a server IP address that corresponds to a port or a range of ports.

Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP.

Default Server IP Address

In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.

If you do not assign a Default Server IP Address, then all packets received for ports not specified in this screen will be discarded.

7.3.1 Port Forwarding: Services and Port Numbers

A NAT server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make accessible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world.

Use the SUA Server page to forward incoming service requests to the server(s) on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers.

In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default is not defined, the service request is simply discarded.

Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP.

The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers.

Table 7-3 Services and Port Numbers

7.3.2 Configuring Servers Behind SUA (Example)

Let's say you want to assign ports 22-25 to one server, port 80 to another and assign a default server IP address of 192.168.1.35 as shown in the next figure.

The NAT network appears as a single host on the Internet

graph TD
    A["Internet"] -->|IP ADDRESS ASSIGNED BY ISP| B["Prestige"]
    B --> C["LAN"]
    C --> D["Computer IP Address = 192.168.1.34"]
    C --> E["Computer IP Address = 192.168.1.35"]
    C --> F["Computer IP Address = 192.168.1.36"]
    G["FTP/TELNET/SMTP server"] --> H["IP Address = 192.168.1.33"]
    G --> I["192.168.1.1"]
    style G fill:#cce5ff,stroke:#333

Figure 7-3 Multiple Servers Behind NAT Example

7.4 Selecting the NAT Mode

Click NAT to open the following screen.

NAT·Mode

Network Address Translation

○ None

● SUA Only

Edit Details

Full Feature

Edit Details

Apply

Figure 7-4 NAT Mode

The following table describes the labels in this screen.

Table 7-4 NAT Mode

7.5 Configuring SUA Server

If you do not assign an IP Address in Server Set 1 (default server), then all packets received for ports not specified in this screen will be discarded.

Click NAT, Select SUA Only and click Edit Details to open the following screen.

NAT · Edit SUA/NAT Server Set

Cancel
Figure 7-5 Edit SUA/NAT Server Set

The following table describes the labels in this screen.

Table 7-5 Edit SUA/NAT Server Set

Table 7-5 Edit SUA/NAT Server Set

7.6 Configuring Address Mapping

Ordering your rules is important because the Prestige applies the rules in the order that you specify. When a rule matches the current packet, the Prestige takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9. In the set summary screen, the new rule will be rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6.

To change your Prestige's address mapping settings, click NAT, Select Full Feature and click Edit Details to open the following screen.

NAT · Address Mapping Rules

Back

Figure 7-6 Address Mapping Rules

The following table describes the labels in this screen.

Table 7-6 Address Mapping Rules

Table 7-6 Address Mapping Rules

7.7 Editing an Address Mapping Rule

To edit an address mapping rule, click the rule's link in the NAT Address Mapping Rules screen to display the screen shown next.

Figure 7-7 Address Mapping Rule Edit

The following table describes the labels in this screen.

Table 7-7 Address Mapping Rule Edit

Chapter 8

Dynamic DNS Setup

This chapter discusses how to configure your Prestige to use Dynamic DNS.

8.1 Dynamic DNS

Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a DNS-like address (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.

First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a DNS name. The Dynamic DNS service provider will give you a password or key.

8.1.1 DYNDNS Wildcard

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.

If you have a private WAN IP address, then you cannot use Dynamic DNS.

8.2 Configuring Dynamic DNS

To change your Prestige's DDNS, click Dynamic DNS. The screen appears as shown.

Figure 8-1 DDNS

The following table describes the labels in this screen.

Table 8-1 DDNS

Chapter 9

Time and Date Setup

Use this screen to configure the Prestige's time and date settings. This chapter is not available on all models.

9.1 Configuring Time Zone

To change your Prestige's time and date, click Time Zone. The screen appears as shown. Use this screen to configure the Prestige's time based on your local time zone.

Time Zone

Time Server

Use Time Server when Bootup

Time Server IP Address

Time Zone

(GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London

□ Daylight Saving

Start Date

End Date

□ Calibrate system clock with Time Server now.

(Attention! This may take up to 60 seconds if Time Server is unreachable).

Date

Current Date

New Date (yyyy-mm-dd)

Time

Current Time

New Time

Figure 9-1 Time/Date

The following table describes the labels in this screen.

Table 9-1 Time/Date

Table 9-1 Time/Date

Part IV:

Remote Management and UPnP

This part contains information on how to configure the Prestige for remote management and setting up Universal Plug and Play (UPnP).

Chapter 10

Remote Management Configuration

This chapter provides information on configuring remote management. Remote management is not available on all models

10.1 Remote Management Overview

Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers.

You may manage your Prestige from a remote location via:

▶ Internet (WAN only)

▶ ALL (LAN and WAN)

▶ LAN only

Neither (Disable)

To disable remote management of a service, select Disable in the corresponding Server Access field.

10.1.1 Remote Management Limitations

Remote management over LAN or WAN will not work when:

1. A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2. You have disabled that service in one of the remote management screens.
3. The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the Prestige will disconnect the session immediately.
4. There is an SMT console session running.
5. There is already another remote management session of the same type (web, FTP or Telnet) running. You may only have one remote management session of the same type running at one time.
6. There is a web remote management session running with a Telnet session. A Telnet session will be disconnected if you begin a web session; it will not begin if there already is a web session.

10.1.2 Remote Management and NAT

When NAT is enabled:

Use the Prestige's WAN IP address when configuring from the WAN.
Use the Prestige's LAN IP address when configuring from the LAN.

10.1.3 System Timeout

There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your Prestige automatically logs you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.

10.2 Telnet

You can configure your Prestige for remote Telnet access as shown next.

graph LR
    A["LAN"] --> B["Prestige"]
    B --> C["Modem"]
    C --> D["INTERNET"]
    D --> E["Modem"]
    E --> F["User telnets into the LAN via the Prestige"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#cfc,stroke:#333
    style D fill:#fcc,stroke:#333
    style E fill:#cff,stroke:#333
    style F fill:#ffc,stroke:#333
    note1["Incoming Traffic"] -.-> A

Figure 10-1 Telnet Configuration on a TCP/IP Network

10.3 FTP

You can upload and download Prestige firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.

10.4 Web

You can use the Prestige's embedded web configurator for configuration and file management. See the online help for details.

10.5 Configuring Remote Management

Click Remote Management to open the following screen.

Remote Management Control

Figure 10-2 Remote Management

The following table describes the labels in this screen.

Table 10-1 Remote Management

Chapter 11

Universal Plug-and-Play (UPnP)

This chapter introduces the UPnP feature in the web configurator.

11.1 Universal Plug and Play Overview

Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.

11.1.1 How do I know if I'm using UPnP?

UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device.

11.1.2 NAT Traversal

UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:

▶ Dynamic port mapping
▶ Learning public IP addresses
➢ Assigning lease times to mappings

Windows Messenger is an example of an application that supports NAT traversal and UPnP.

See the Network Address Translation (NAT) chapter for further information about NAT.

11.1.3 Cautions with UPnP

The automated nature of NAT traversal applications in establishing their own services may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.

All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.

11.2 UPnP and ZyXEL

ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP ^™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.0 and Xbox are still being tested.

UPnP broadcasts are only allowed on the LAN.

See later sections for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows.

11.2.1 Configuring UPnP

From the Site Map in the main menu, click UPnP under Advanced Setup to display the screen shown next.

UPNP

□ Enable the Universal Plug and Play(UPnP) Service
□ Allow users to make configuration changes through UPnP

Apply

Cancel

Figure 11-1 Configuring UPnP

The following table describes the labels in this screen.

Table 11-1 Configuring UPnP

11.3 Installing UPnP in Windows Example

This section shows how to install UPnP in Windows Me and Windows XP.

11.3.1 Installing UPnP in Windows Me

Follow the steps below to install the UPnP in Windows Me.

Step 1. Click Start and Control Panel. Double-click Add/Remove Programs.

Step 2. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.

Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box.

Step 4. Click OK to go back to the Add/Remove Programs Properties window and click Next.

Step 5. Restart the computer when prompted.

11.3.2 Installing UPnP in Windows XP

Follow the steps below to install the UPnP in Windows XP.

Step 1. Click Start and Control Panel.

Step 2. Double-click Network Connections.

Step 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ....

The Windows Optional Networking Components Wizard window displays.

Step 4. Select Networking Service in the Components selection box and click Details.

Step 5. In the Networking Services window, select the Universal Plug and Play check box.

Step 6. Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.

11.4 Using UPnP in Windows XP Example

This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the Prestige.

Make sure the computer is connected to a LAN port of the Prestige. Turn on your computer and the Prestige.

11.4.1 Auto-discover Your UPnP-enabled Network Device

Step 1. Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.

Step 2. Right-click the icon and select Properties.

Step 3. In the Internet Connection Properties window, click Settings to see the port mappings there were automatically created.

Step 4. You may edit or delete the port mappings or click Add to manually add port mappings.

When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.

Step 5. Select Show icon in notification area when connected option and click OK. An icon displays in the system tray

Step 6. Double-click on the icon to display your current Internet connection status.

11.4.2 Web Configurator Easy Access

With UPnP, you can access the web-based configurator on the Prestige without finding out the IP address of the Prestige first. This comes helpful if you do not know the IP address of the Prestige.

Follow the steps below to access the web configurator.

Step 1. Click Start and then Control Panel.

Step 2. Double-click Network Connections.

Step 3. Select My Network Places under Other Places.

Step 4. An icon with the description for each UPnP-enabled device displays under Local Network.

Step 5. Right-click on the icon for your Prestige and select Invoke. The web configurator login screen displays.

Step 6. Right-click on the icon for your Prestige and select Properties. A properties window displays with basic information about the Prestige.

Part V:

Bandwidth Management

This part provides information on the functions and configuration of Bandwidth Management.

Chapter 12

Bandwidth Management

This chapter describes the functions and configuration of bandwidth management. Bandwidth management is not available on all models.

12.1 Bandwidth Management Overview

Bandwidth management allows you to allocate an interface's outgoing capacity to specific types of traffic. It can also help you make sure that the Prestige forwards certain types of traffic (especially real-time applications) with minimum delay. With the use of real-time applications such as Voice-over-IP (VoIP) increasing, the requirement for bandwidth allocation is also increasing.

Bandwidth management addresses questions such as:

• Who gets how much access to specific applications?
• What priority level should you give to each type of traffic?
• Which traffic must have guaranteed delivery?
• How much bandwidth should be allotted to guarantee delivery?

Bandwidth management also allows you to configure the allowed output for an interface to match what the network can handle. This helps reduce delays and dropped packets at the next routing device. For example, you can set the WAN interface speed to 1000kbps if the broadband device connected to the WAN port has an upstream speed of 1000kbps. All configuration screens display measurements in kbps (kilobits per second), but this User's Guide also uses Mbps (megabits per second) for brevity's sake.

12.2 Bandwidth Classes and Filters

Use bandwidth classes and child-classes to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth class (or child-class) based on a specific application and/or subnet. Use the Class Configuration tab (see section 12.9.1) to set up a bandwidth class's name, bandwidth allotment, and bandwidth filter. You can configure up to one bandwidth filter per bandwidth class. You can also configure bandwidth classes without bandwidth filters. However, it is recommended that you configure child-classes with filters for any classes that you configure without filters. The Prestige leaves the bandwidth budget allocated and unused for a class that does not have a filter itself or child-classes with filters. View your configured bandwidth classes and child-classes in the Class Setup tab (see section 12.9 for details).

The total of the configured bandwidth budgets for child-classes cannot exceed the configured bandwidth budget speed of the parent class.

12.3 Proportional Bandwidth Allocation

Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth.

12.4 Bandwidth Management Usage Examples

These examples show bandwidth management allotments on a WAN interface that is configured for 10Mbps.

12.4.1 Application-based Bandwidth Management Example

The bandwidth classes in the following example are based solely on application. Each bandwidth class (VoIP, Web, FTP, E-mail and Video) is allotted 2 Mbps.

graph LR
    A["Computer"] --> B["LAN"]
    C["Computer"] --> B
    D["Computer"] --> B
    E["Computer"] --> B
    F["Computer"] --> B
    G["Computer"] --> B
    H["Computer"] --> B
    I["Computer"] --> B
    J["Computer"] --> B
    K["Computer"] --> B
    L["Prestige"] --> M["Internet"]
    N["VoIP Class : 2 Mbps\nWeb Class : 2 Mbps\nFTP Class : 2 Mbps\nE-mail Class : 2 Mbps\nVideo Class : 2Mbps"] --> M

Figure 12-1 Application-based Bandwidth Management Example

12.4.2 Subnet-based Bandwidth Management Example

The following example uses bandwidth classes based solely on LAN subnets. Each bandwidth class (Subnet A and Subnet B) is allotted 5 Mbps.

graph LR
    A["Subnet A"] --> C["LAN"]
    B["Subnet B"] --> C
    D["Subnet A"] --> C
    E["Subnet B"] --> C
    C --> F["Prestige"]
    F --> G["Internet"]
    style G fill:#bbdefb,stroke:#333
    note right of F
        Subnet A : 5 Mbps
        Subnet B : 5 Mbps
    end

Figure 12-2 Subnet-based Bandwidth Management Example

12.4.3 Application and Subnet-based Bandwidth Management Example

The following example uses bandwidth classes based on LAN subnets and applications (specific applications in each subnet are allotted bandwidth).

Table 12-1 Application and Subnet-based Bandwidth Management Example

graph LR
    A["LAN"] --> B["Hub/Switch"]
    B --> C["Prestige"]
    C --> D["INTERNET"]
    A --> E["Subnet A"]
    A --> F["Subnet B"]
    A --> G["Subnet A Web Class: 1 Mbps"]
    A --> H["Subnet A FTP Class: 1 Mbps"]
    A --> I["Subnet A E-mail Class: 1 Mbps"]
    A --> J["Subnet A Video Class: 1 Mbps"]
    C --> K["Subnet B VoIP Class: 1 Mbps"]
    C --> L["Subnet B Web Class: 1 Mbps"]
    C --> M["Subnet B FTP Class: 1 Mbps"]
    C --> N["Subnet B E-mail Class: 1 Mbps"]
    C --> O["Subnet B Video Class: 1 Mbps"]

Figure 12-3 Application and Subnet-based Bandwidth Management Example

12.5 Scheduler

The scheduler divides up an interface's bandwidth among the bandwidth classes. The Prestige has two types of scheduler: fairness-based and priority-based.

12.5.1 Priority-based Scheduler

With the priority-based scheduler, the Prestige forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes. The larger a bandwidth class's priority number is, the higher the priority. Assign real-time applications (like those using audio or video) a higher priority number to provide smoother operation.

12.5.2 Fairness-based Scheduler

The Prestige divides bandwidth equally among bandwidth classes when using the fairness-based scheduler; thus preventing one bandwidth class from using all of the interface's bandwidth.

12.6 Maximize Bandwidth Usage

The maximize bandwidth usage option (see Figure 12-7) allows the Prestige to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a class is not using) among the bandwidth classes that require more bandwidth.

When you enable maximize bandwidth usage, the Prestige first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the Prestige divides up an interface's available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth

and on their priority levels. When only one class requires more bandwidth, the Prestige gives extra bandwidth to that class.

When multiple classes require more bandwidth, the Prestige gives the highest priority classes the available bandwidth first (as much as they require, if there is enough available bandwidth), and then to lower priority classes if there is still bandwidth available. The Prestige distributes the available bandwidth equally among classes with the same priority level.

12.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic

Do the following three steps to configure the Prestige to allow bandwidth for traffic that is not defined in a bandwidth filter.

Step 1. Leave some of the interface's bandwidth unbudgeted.

Step 2. Do not enable the interface's Maximize Bandwidth Usage option.

Step 3. Do not enable bandwidth borrowing on the child-classes that have the root class as their parent (see section 12.7).

12.6.2 Maximize Bandwidth Usage Example

Here is an example of a Prestige that has maximized bandwidth usage enabled on an interface. The first figure shows each bandwidth class's bandwidth budget and priority. The classes are set up based on subnets. The interface is set to 10 Mbps. Each subnet is allocated 2 Mbps. The unbudgeted 2 Mbps allows traffic not defined in one of the bandwidth filters to go out when you do not select the maximize bandwidth option.

graph TD
    A["Interface"] --> B["Root Class: 10 Mbps"]
    B --> C["Administration: 2 Mbps"]
    B --> D["Sales: 2 Mbps"]
    B --> E["Marketing: 2 Mbps"]
    B --> F["R&D: 2 Mbps"]

Figure 12-4 Bandwidth Allotment Example

The following figure shows the bandwidth usage with the maximize bandwidth usage option enabled. The Prestige divides up the unbudgeted 2 Mbps among the classes that require more bandwidth. If the administration department only uses 1 Mbps of the budgeted 2 Mbps, the Prestige also divides the remaining 1 Mbps among the classes that require more bandwidth. Therefore, the Prestige divides a total of 3 Mbps total of unbudgeted and unused bandwidth among the classes that require more bandwidth.

In this case, suppose that all of the classes except for the administration class need more bandwidth.

Each class gets up to its budgeted bandwidth. The administration class only uses 1 Mbps of its budgeted 2 Mbps.
Sales and Marketing are first to get extra bandwidth because they have the highest priority (6). If they each require 1.5 Mbps or more of extra bandwidth, the Prestige divides the total 3 Mbps total of unbudgeted and unused bandwidth equally between the sales and marketing departments (1.5 Mbps extra to each for a total of 3.5 Mbps for each) because they both have the highest priority level.
R&D requires more bandwidth but only gets its budgeted 2 Mbps because all of the unbudgeted and unused bandwidth goes to the higher priority sales and marketing classes.
The Prestige does not send any traffic that is not defined in the bandwidth filters because all of the unbudgeted bandwidth goes to the classes that need it.

graph TD
    A["Interface"] --> B["Root Class: 10 Mbps"]
    B --> C["Administration: 1 Mbps, Priority 4"]
    B --> D["Sales: 3.5 Mbps, Priority 6"]
    B --> E["Marketing: 3.5 Mbps, Priority 6"]
    B --> F["R&D: 2 Mbps, Priority 5"]

Figure 12-5 Maximize Bandwidth Usage Example

12.7 Bandwidth Borrowing

Bandwidth borrowing allows a child-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface.

Enable bandwidth borrowing on a child-class to allow the child-class to use its parent class's unused bandwidth. A parent class's unused bandwidth is given to the highest priority child-class first. The child-class can also borrow bandwidth from a higher parent class (grandparent class) if the child-class's parent class is also configured to borrow bandwidth from its parent class. This can go on for as many levels as are configured to borrow bandwidth from their parent class (see section 12.7.1).

The total of the bandwidth allotments for child-classes cannot exceed the bandwidth allotment of their parent class. The Prestige uses the scheduler to divide a parent class's unused bandwidth among the child-classes.

12.7.1 Bandwidth Borrowing Example

Here is an example of bandwidth management with classes configured for bandwidth borrowing. The classes are set up based on departments and individuals within certain departments.

graph TD
    A["Interface"] --> B["Root Class: 100000 kbps"]
    B --> C["Administration: Bandwidth borrowing disabled"]
    B --> D["Sales: Bandwidth borrowing disabled"]
    D --> E["Sales USA: Bandwidth borrowing enabled"]
    D --> F["Sales Asia: Bandwidth borrowing disabled"]
    F --> G["Bill: Bandwidth borrowing enabled"]
    F --> H["Amy: Bandwidth borrowing disabled"]
    F --> I["Tina: Bandwidth borrowing enabled"]
    F --> J["Fred: Bandwidth borrowing disabled"]
    B --> K["R&D: Bandwidth borrowing enabled"]
    K --> L["Software: Bandwidth borrowing enabled"]
    K --> M["Hardware: Bandwidth borrowing enabled"]

Figure 12-6 Bandwidth Borrowing Example

The Bill class can borrow unused bandwidth from the Sales USA class because the Bill class has bandwidth borrowing enabled.
The Bill class can also borrow unused bandwidth from the Sales class because the Sales USA class also has bandwidth borrowing enabled.

The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled.
The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
The R&D Software and Hardware classes can both borrow unused bandwidth from the R&D class because the R&D Software and Hardware classes both have bandwidth borrowing enabled.
The R&D Software and Hardware classes can also borrow unused bandwidth from the Root class because the R&D class also has bandwidth borrowing enabled.

12.7.2 Maximize Bandwidth Usage With Bandwidth Borrowing

If you configure both maximize bandwidth usage (on the interface) and bandwidth borrowing (on individual child-classes), the Prestige functions as follows.

1. The Prestige sends traffic according to each bandwidth class's bandwidth budget.
2. The Prestige assigns a parent class's unused bandwidth to its child-classes that have more traffic than their budgets and have bandwidth borrowing enabled. The Prestige gives priority to bandwidth child-classes of higher priority and treats bandwidth classes of the same priority equally.
3. The Prestige assigns any remaining unused or unbudgeted bandwidth on the interface to any bandwidth class that requires it. The Prestige gives priority to bandwidth classes of higher priority and treats bandwidth classes of the same level equally.
4. The Prestige assigns any remaining unbudgeted bandwidth to traffic that does not match any of the bandwidth classes.

12.8 Configuring Summary

Click BW Manager, Summary to open the Summary screen.

Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface.

BW Manager · Summary

BW Manager manages the bandwidth of traffic flowing out of router on the specific interface. BW Manager can be switched on/off independently for each interface.

Figure 12-7 Bandwidth Manager: Summary

The following table describes the labels in this screen.

Table 12-2 Bandwidth Manager: Summary

Table 12-2 Bandwidth Manager: Summary

12.9 Configuring Class Setup

The class setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click “+” to expand the class tree or click “-” to collapse the class tree. Each interface has a permanent root class. The bandwidth budget of the root class is equal to the speed you configured on the interface (see section 12.8 to configure the speed of the interface). Configure child-class layers for the root class.

To add or delete child classes on an interface, click BW Manager, then Class Setup. The screen appears as shown (with example classes).

The example reserves 15 Mbps of unbudgeted bandwidth for traffic that is not defined in the bandwidth filters (see section 12.6.1). The Administration, Sales USA and Sales Asia bandwidth classes each have bigger bandwidth budgets than the total of the budgets of their child-classes. The child-classes can borrow the extra bandwidth as long as they have bandwidth borrowing enabled (see section 12.7).

Figure 12-8 Bandwidth Manager: Class Setup

The following table describes the labels in this screen.

Table 12-3 Bandwidth Manager: Class Setup

12.9.1 Bandwidth Manager Class Configuration

Configure a bandwidth management class in the Class Configuration screen. You must use the Bandwidth Manager - Summary screen to enable bandwidth management on an interface before you can configure classes for that interface.

To add a child class, click BW Manager, then Class Setup. Click the Add Child-Class button to open the following screen.

Figure 12-9 Bandwidth Manager: Class Configuration

The following table describes the labels in this screen.

Table 12-4 Bandwidth Manager: Class Configuration

Table 12-4 Bandwidth Manager: Class Configuration

Table 12-4 Bandwidth Manager: Class Configuration

Table 12-5Services and Port Numbers

12.9.2 Bandwidth Management Statistics

Use the Bandwidth Management Statistics screen to view network performance information. Click the Statistics button in the Class Setup screen to open the Statistics screen.

Figure 12-10 Bandwidth Management Statistics

The following table describes the labels in this screen.

Table 12-6 Bandwidth Management Statistics

12.10 Configuring Monitor

To view the Prestige's bandwidth usage and allotments, click BW Manager, then Monitor. The screen appears as shown.

Figure 12-11 Bandwidth Manager Monitor

The following table describes the labels in this screen.

Table 12-7 Bandwidth Manager Monitor

Part VI:

Maintenance

This part covers the maintenance screens.

Chapter 13

Maintenance

This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics.

13.1 Maintenance Overview

Use the maintenance screens to view system information, upload new firmware, manage configuration and restart your Prestige.

13.2 System Status Screen

Click System Status to open the following screen, where you can use to monitor your Prestige. Note that these fields are READ-ONLY and are meant to be used for diagnostic purposes.

System Status

System Status

System Name :

ZyNOS FMV Version: V3.40(IS.2) | 6/16/2003

DSL FW Version: Alcatel, Version 3.9.122

Standard: Multi-Mode

WAN Information

IP Address: 0.0.0.0

IP Subnet Mask: 0.0.0.0

Default Gateway: 0.0.0.0

VPI/VCI: 8/35

LAN Information

MAC Address: 00:a0:c5:74:55:8a

IP Address: 192.168.1.1

IP Subnet Mask: 255.255.255.0

DHCP: Server

DHCP Start IP: 192.168.1.33

DHCP Pool Size: 32

Show Statistics

Figure 13-1 System Status

The following table describes the labels in this screen.

Table 13-1 System Status

Table 13-1 System Status

13.2.1 System Statistics

Click Show Statistics in the System Status screen to open the following screen. Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable.

Figure 13-2 System Status: Show Statistics

The following table describes the labels in this screen.

Table 13-2 System Status: Show Statistics

Table 13-2 System Status: Show Statistics

13.3 DHCP Table Screen

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the Prestige as a DHCP server or disable it. When configured as a server, the Prestige provides the TCP/IP configuration for the clients. If set to None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the computer must be manually configured.

Click MAINTENANCE, and then the DHCP Table tab. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the DHCP server.

DHCP Table

Figure 13-3 DHCP Table

The following table describes the labels in this screen.

Table 13-3 DHCP Table

13.4 Wireless Screens

These read-only screens display information about the Prestige's wireless LAN.

13.4.1 Association List

This screen displays the MAC address(es) of the wireless clients that are currently logged in to the network. Click Wireless LAN and then Association List to open the screen shown next.

Figure 13-4 Association List

The following table describes the labels in this screen.

Table 13-4 Association List

13.4.2 Channel Usage Table

This screen displays the state of the channels within the Prestige's transmission range. Click Wireless LAN and then Channel Usage Table to open the screen shown next.

Wireless LAN · Channel Usage Table

Figure 13-5 Channel Usage Table

The following table describes the labels in this screen.

Table 13-5 Channel Usage Table

13.5 Diagnostic Screens

These read-only screens display information to help you identify problems with the Prestige. Click Diagnostic to display the following screen.

Figure 13-6 Diagnostic

13.5.1 Diagnostic General Screen

Click Diagnostic and then General to open the screen shown next.

Figure 13-7 Diagnostic General

The following table describes the labels in this screen.

Table 13-6 Diagnostic General

Table 13-6 Diagnostic General

13.5.2 Diagnostic DSL Line Screen

Click Diagnostic and then DSL Line to open the screen shown next.

Figure 13-8 Diagnostic DSL Line

The following table describes the labels in this screen.

Table 13-7 Diagnostic DSL Line

13.6 Firmware Screen

Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a "*.bin" extension, e.g., "Prestige.bin". The upload process uses FTP (File Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. See the Firmware and Configuration File Maintenance chapter in the parts that document the SMT for upgrading firmware using FTP/TFTP commands.

Only use firmware for your Prestige's specific model. Refer to the label on the bottom of your Prestige.

Click Firmware to open the following screen. Follow the instructions in this screen to upload firmware to your Prestige.

FIRMWARE

Firmware Upgrade

To upgrade the internal router firmware, browse to the location of the binary (.BIN) upgrade file and click UPLOAD.

File Path:

Browse...

Upload

CONFIGURATION FILE

Click Reset to clear all user-defined configurations and return to the factory defaults.

Reset

Figure 13-9 Firmware Upgrade

The following table describes the labels in this screen.

Table 13-8 Firmware Upgrade

Do not turn off the Prestige while firmware upload is in progress!

After you see the Firmware Upload in Process screen, wait two minutes before logging into the Prestige again.

The Prestige automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 13-10 Network Temporarily Disconnected

After two minutes, log in again and check your new firmware version in the System Status screen.

If the upload was not successful, the following screen will appear. Click Back to go back to the Firmware screen.

Error Message:

ERROR: FAIL TO UPDATE DUE TO... The uploaded file was not accepted by the router.

Back

Figure 13-11 Error Message

Part VII:

SMT General Configuration

This part covers System Management Terminal configuration for general setup, LAN setup, wireless LAN setup, Internet access, remote nodes, remote node TCP/IP, static routing and NAT.

See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.

Chapter 14

Introducing the SMT

This chapter explains how to access and navigate the System Management Terminal and gives an overview of its menus.

14.1 SMT Introduction

The Prestige's SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.

14.1.1 Procedure for SMT Configuration via Console Port

Follow the steps below to access your Prestige via the console port.

Configure a terminal emulation communications program as follows: VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, data flow set to none, 9600 bps port speed.

Press [ENTER] to display the SMT password screen. The default password is “1234”.

14.1.2 Procedure for SMT Configuration via Telnet

The following procedure details how to telnet into your Prestige.

Step 1. In Windows, click Start (usually in the bottom left corner), Run and then type “telnet 192.168.1.1” (the default IP address) and click OK.

Step 2. Enter "1234" in the Password field.

Step 3. After entering the password you will see the main menu.

Please note that if there is no activity for longer than five minutes (default timeout period) after you log in, your Prestige will automatically log you out. You will then have to telnet into the Prestige again.

14.1.3 Entering Password

The login screen appears after you press [ENTER], prompting you to enter the password, as shown next.

For your first login, enter the default password “1234”. As you type the password, the screen displays an asterisk “*” for each character you type.

Please note that if there is no activity for longer than five minutes after you log in, your Prestige will automatically log you out.

Enter Password : ****

Figure 14-1 Login Screen

14.1.4 Prestige SMT Menu Overview

We use the Prestige 650HW-31 SMT menus in this guide as an example. The SMT menus vary slightly for different Prestige models.

The following figure gives you an overview of the various SMT menu screens of your Prestige.

graph TD
    A["Prestige 650HW Main Menu"] --> B["Menu 1 General Setup"]
    B --> C["Menu 1.1 Configure Dynamic DNS"]
    C --> D["Menu 3.1 LAN Port Filter Setup"]
    D --> E["Menu 3.2 TCP/IP and DHCP Setup"]
    E --> F["Menu 3.5 Wireless LAN Setup"]
    F --> G["Menu 3.5.1 WLAN MAC Address Filter"]

    A --> H["Menu 3 LAN Setup"]
    H --> I["Menu 4 Internet Access Setup"]
    I --> J["Menu 11 Remote Node Setup"]
    J --> K["Menu 11.1 Remote Node Profile"]
    K --> L["Menu 11.3 Remote Node Network Layer Options"]
    L --> M["Menu 11.5 Remote Node Filter"]
    M --> N["Menu 11.6 Remote Node ATM Layer Options"]
    N --> O["Menu 11.7 Traffic Redirect Setup"]

    A --> P["Menu 12 Static Routing Setup"]
    P --> Q["Menu 12.1 IP Static Route"]
    Q --> R["Menu 12.3 Bridge Static Route"]
    R --> S["Menu 12.3.1 Edit Bridge Static Route"]
    S --> T["Menu 12.1.1 Edit IP Static Route"]
    T --> U["Menu 12.3.1 Edit IP Static Route"]

    A --> V["Menu 14 Dial-in User Setup"]
    V --> W["Menu 14.1 Edit Dial-in User"]
    W --> X["Menu 15.1 Address Mapping Sets"]
    X --> Y["Menu 15.2 NAT Server Sets"]
    Y --> Z["Menu 15.2.x NAT Server Setup"]

    A --> AA["Menu 15 NAT Setup"]
    AA --> AB["Menu 15.1.x Address Mapping Rules"]
    AB --> AC["Menu 15.1.x.x Address Mapping Rule"]

    subgraph System Maintenance
        AD["Menu 26 Schedule Setup"] --> AE["Menu 25 IP Routing Policy Setup"] --> AF["Menu 24 System Maintenance"] --> AG["Menu 23 System Security"] --> AH["Menu 22 SNMP Configuration"] --> AI["Menu 21 Filter Set Configuration"] --> AJ["Menu 21.x.x TCP/IP Filter Rule"] --> AK["Menu 21.x.x Generic Filter Rule"]

    AL["Menu 26.1 Schedule Set Setup"] --> AM["Menu 25.1 IP Routing Policy Setup"] --> AN["Menu 24.1 System Maintenance -- Status"] --> AO["Menu 23.1 Change Password"] --> AP["Menu 23.2 RADIUS Server"] --> AQ["Menu 23.4 IEEE802.1X"] --> AR["Menu 24.1 x Filter Rules Summary"] --> AS["Menu 24.9 x Generic Filter Rule"] --> AT["Menu 24.9.1 Budget Management"] --> AU["Menu 24.8 Command Interpreter Mode"] --> AV["Menu 24.7 System Maintenance -- Upload Firmware"] --> AW["Menu 24.7 System Maintenance -- Upload Firmware"] --> AX["Menu 24.6 System Maintenance -- Restore Configuration"] --> AY["Menu 24.5 System Maintenance -- Backup Configuration"]

    subgraph System Maintenance
        AZ["Menu 24.2 System Maintenance -- Change Console Port Speed"] --> BA["Menu 24.2 System Information and Console port Speed"] --> BB["Menu 24.2.1 System Maintenance -- Information"] --> BC["Menu 24.3 System Maintenance -- Log and Trace"] --> BD["Menu 24.3.1 System Maintenance -- View Error Log"] --> BE["Menu 24.3.2 System Maintenance -- UNIX Syslog"] --> BF["Menu 24.6 System Maintenance -- Restore Configuration"] --> BG["Menu 24.7 System Maintenance -- Upload Firmware"] --> BH["Menu 24.7 System Maintenance -- Upload Firmware"] --> BI["Menu 24.8 Command Interpreter Mode"] --> BJ["Menu 24.8 System Maintenance -- Log and Trace"] --> BK["Menu 24.8 System Maintenance -- Diagnostic"] --> BL["Menu 24.8 System Maintenance -- Diagnostic"]
    end

Figure 14-2 Prestige 650HW-31 SMT Menu Overview

14.2 Navigating the SMT Interface

The SMT (System Management Terminal) is the interface that you use to configure your Prestige.

Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.

Table 14-1 Main Menu Commands

After you enter the password, the SMT displays the main menu, as shown next.

Copyright (c) 1994 - 2003 ZyXEL Communications Corp.

Prestige 650HW-31 Main Menu

Getting Started

1. General Setup
2. LAN Setup
3. Internet Access Setup

Advanced Applications

1. Remote Node Setup
2. Static Routing Setup
3. Dial-in User Setup
4. NAT Setup

Advanced Management

1. Filter Set Configuration
2. SNMP Configuration
3. System Security
4. System Maintenance
5. IP Routing Policy Setup

6. Schedule Setup

7. Exit

Enter Menu Selection Number:

Figure 14-3 SMT Main Menu for P650HW

14.2.1 System Management Terminal Interface Summary

Table 14-2 Main Menu Summary for P650HW

Table 14-2 Main Menu Summary for P650HW

14.3 Changing the System Password

Change the Prestige default password by following the steps shown next.

Step 1. Enter 23 in the main menu to display Menu 23 - System Security.
Step 2. Enter 1 to display Menu 23.1 - System Security - Change Password as shown next.
Step 3. Type your existing system password in the Old Password field, for example “1234”, and press [ENTER].

Menu 23.1 - System Security - Change Password
Old Password= ?
New Password= ?
Retype to confirm= ?
Enter here to CONFIRM or ESC to CANCEL: 

Figure 14-4 Menu 23 System Password

Step 4. Type your new system password in the New Password field (up to 30 characters), and press [ENTER].

Step 5. Re-type your new system password in the Retype to confirm field for confirmation and press [ENTER].

Note that as you type a password, the screen displays an “*” for each character you type.

Chapter 15

General Setup

Menu 1 - General Setup contains administrative and system-related information.

15.1 General Setup

Menu 1 — General Setup contains administrative and system-related information (shown next). The System Name field is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".

• In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer name field and enter it as the Prestige System Name.
• In Windows 2000 click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the Prestige System Name.
• In Windows XP, click start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the Prestige System Name.

The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the Prestige via DHCP.

15.2 Configuring Menu 1

Enter 1 in the Main Menu to open Menu 1 — General Setup (shown next).

Menu 1 - General Setup
System Name= ?
Location=
Contact Person's Name=
Domain Name=
Edit Dynamic DNS= No
Route IP= Yes
Bridge= No
Press ENTER to Confirm or ESC to Cancel: 

Figure 15-1 Menu 1 General Setup

Fill in the required fields. Refer to the table shown next for more information about these fields.

Table 15-1 Menu 1 General Setup

15.2.1 Configuring Dynamic DNS

If you have a private WAN IP address, then you cannot use Dynamic DNS.

To configure Dynamic DNS, go to Menu 1 — General Setup and select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1— Configure Dynamic DNS as shown next.

Menu 1.1 - Configure Dynamic DNS
Service Provider = WWW.DynDNS.ORG
Active= Yes
Host= me.ddns.org
EMAIL= mail@mailserver
USER= username
Password= *********
Enable Wildcard= No
Press ENTER to confirm or ESC to cancel: 

Figure 15-2 Menu 1.1 Configure Dynamic DNS

Follow the instructions in the next table to configure Dynamic DNS parameters.

Table 15-2 Menu 1.1 Configure Dynamic DNS

Chapter 16 LAN Setup

This chapter covers how to configure your wired Local Area Network (LAN) settings.

16.1 LAN Setup

This section describes how to configure the Ethernet using Menu 3 — LAN Setup. From the main menu, enter 3 to display menu 3.

Figure 16-1 Menu 3 LAN Setup

16.1.1 General Ethernet Setup

This menu allows you to specify filter set(s) that you wish to apply to the Ethernet traffic. You seldom need to filter Ethernet traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.

Figure 16-2 Menu 3.1 LAN Port Filter Setup

If you need to define filters, please read the Filter Set Configuration chapter first, then return to this menu to define the filter sets.

16.2 Protocol Dependent Ethernet Setup

Depending on the protocols for your applications, you need to configure the respective Ethernet Setup, as outlined below.

• For TCP/IP Ethernet setup refer to the Internet Access Application chapter.
• For bridging Ethernet setup refer to the Bridging Setup chapter.

16.3 TCP/IP Ethernet Setup and DHCP

Use menu 3.2 to configure your Prestige for TCP/IP.

To edit menu 3.2, enter 3 from the main menu to display Menu 3 — Ethernet Setup. When menu 3 appears, press 2 and press [ENTER] to display Menu 3.2 — TCP/IP and DHCP Ethernet Setup, as shown next:

Figure 16-3 Menu 3.2 TCP/IP and DHCP Ethernet Setup

Follow the instructions in the following table on how to configure the DHCP fields.

Table 16-1 DHCP Ethernet Setup Menu Fields

Follow the instructions in the following table to configure TCP/IP parameters for the Ethernet port.

Table 16-2 TCP/IP Ethernet Setup Menu Fields

Table 16-2 TCP/IP Ethernet Setup Menu Fields

Chapter 17

Wireless LAN Setup

This chapter covers how to configure wireless LAN settings in SMT menu 3.5. This chapter is only applicable to the Prestige 650 and Prestige 650HW.

17.1 Wireless LAN Overview

Refer to the chapter on the wireless LAN screens for wireless LAN background information.

17.2 Inserting a PCMCIA Wireless LAN Card

Use a ZyAIR series wireless LAN PCMCIA card to add optional wireless LAN capabilities.

Step 1. Turn off the Prestige.

Never insert or remove a wireless LAN card when the Prestige is turned on.

Step 2. Locate the slot labeled Wireless LAN on the Prestige.

Step 3. With its pin connector facing the slot and the LED side facing upwards, slide the ZyAIR wireless LAN card into the slot.

Never force, bend or twist the wireless LAN card into the slot.

Step 4. Turn on the Prestige. The WLAN LED should turn on.

17.3 Wireless LAN Setup

Use menu 3.5 to set up your Prestige as the wireless access point. To edit menu 3.5, enter 3 from the main menu to display Menu 3 – LAN Setup. When menu 3 appears, press 5 and then press [ENTER] to display Menu 3.5 – Wireless LAN Setup as shown next.

Menu 3.5- Wireless LAN Setup
ESSID= Wireless
Hide ESSIS = No
Channel ID= CH01 2412MHz
RTS Threshold= 2432
Frag. Threshold= 2432
WEP= Disable
    Default Key= N/A
    Key1= N/A
    Key2= N/A
    Key3= N/A
    Key4= N/A
Edit MAC Address Filter= No
Press ENTER to Confirm or ESC to Cancel: 

Figure 17-1 Menu 3.5 - Wireless LAN Setup

The following table describes the fields in this menu.

Table 17-1 Wireless LAN Setup Field Description

Table 17-1 Wireless LAN Setup Field Description

17.3.1 Wireless LAN MAC Address Filter

The next layer of security is MAC address filter. To allow a wireless station to associate with the Prestige, enter the MAC address of the wireless LAN card on that wireless station in the MAC address table.

Figure 17-2 Menu 3.5.1 WLAN MAC Address Filtering

The following table describes the fields in this menu.

Table 17-2 Menu 3.5.1 WLAN MAC Address Filtering

Chapter 18

Internet Access

This chapter shows you how to configure the LAN and WAN of your Prestige for Internet access.

18.1 Internet Access Overview

Refer to the chapters on the web configurator's wizard, LAN and WAN screens for more background information on fields in the SMT screens covered in this chapter.

18.2 IP Policies

Traditionally, routing is based on the destination address only and the router takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing. Create policies using SMT menu 25 (see IP Policy Routing) and apply them on the Prestige LAN and/or WAN interfaces using menus 3.2 (LAN) and 11.3 (WAN).

18.3 IP Alias

IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network.

graph LR
    A["Ethernet Interface"] --> B["Prestige"]
    B --> C["LAN 1 IP Address (Menu 3.2)"]
    B --> D["LAN 2 IP Alias 1 (Menu 3.2.1)"]
    B --> E["LAN 3 IP alias 2 (Menu 3.2.1)"]
    F["Prestige"] --> G["Output"]

Figure 18-1 Physical Network
Figure 18-2 Partitioned Logical Networks

Use menu 3.2.1 to configure IP Alias on your Prestige.

18.4 IP Alias Setup

Use menu 3.2 to configure the first network. Move the cursor to Edit IP Alias field and press [SPACEBAR] to choose Yes and press [ENTER] to configure the second and third network.

Menu 3.2 - TCP/IP and DHCP Setup
DHCP Setup:
DHCP= Server
Client IP Pool Starting Addres= 192.168.1.33
Size of Client IP Pool= 32
Primary DNS Server= 0.0.0.0
Secondary DNS Server= 0.0.0.0
Remote DHCP Server= N/A
TCP/IP Setup:
IP Address= 192.168.1.1
IP Subnet Mask= 255.255.255.0
RIP Direction= None
Version= N/A
Multicast= None
IP Policies=
Edit IP Alias= Yes

Press ENTER to confirm or ESC to Cancel:
Press Space Bar to Toggle. 

Figure 18-3 Menu 3.2 TCP/IP and DHCP Setup

Pressing [ENTER] displays Menu 3.2.1 — IP Alias Setup, as shown next.

Menu 3.2.1 - IP Alias Setup
IP Alias 1= No
    IP Address= N/A
    IP Subnet Mask= N/A
    RIP Direction= N/A
    Version= N/A
    Incoming protocol filters= N/A
    Outgoing protocol filters= N/A
IP Alias 2= No
    IP Address= N/A
    IP Subnet Mask= N/A
    RIP Direction= N/A
    Version= N/A
    Incoming protocol filters= N/A
    Outgoing protocol filters= N/A

Enter here to CONFIRM or ESC to CANCEL: 

Figure 18-4 Menu 3.2.1 IP Alias Setup

Follow the instructions in the following table to configure IP Alias parameters.

Table 18-1 Menu 3.2.1 IP Alias Setup

18.5 Route IP Setup

The first step is to enable the IP routing in Menu 1 — General Setup.

To edit menu 1, type in 1 in the main menu and press [ENTER]. Set the Route IP field to Yes by pressing [SPACE BAR].

Menu 1 - General Setup
System Name= P650HW
Location= location
Contact Person's Name=
Domain Name=
Edit Dynamic DNS= No
Route IP= Yes
Bridge= No
Press ENTER to Confirm or ESC to Cancel: 

Figure 18-5 Menu 1 General Setup

18.6 Internet Access Configuration

Menu 4 allows you to enter the Internet Access information in one screen. Menu 4 is actually a simplified setup for one of the remote nodes that you can access in menu 11. Before you configure your Prestige for Internet access, you need to collect your Internet account information.

Use the Internet Account Information table in the Compact Guide/Read Me First/Quick Start Guide to record your Internet account information. Note that if you are using PPPoA or PPPoE encapsulation, then the only ISP information you need is a login name and password. You only need to know the Ethernet Encapsulation Gateway IP address if you are using ENET ENCAP encapsulation.

From the main menu, type 4 to display Menu 4 - Internet Access Setup, as shown next.

Menu 4 - Internet Access Setup
ISP's Name= MyISP
Encapsulation= ENET ENCAP
Multiplexing= LLC-based
VPI #= 8
VCI #= 35
ATM QoS Type= UBR
    Peak Cell Rate (PCR)= 0
    Sustain Cell Rate (SCR)= 0
    Maximum Burst Size (MBS)= 0
My Login= N/A
My Password= N/A
ENET ENCAP Gateway= N/A
IP Address Assignment= Dynamic
    IP Address= N/A
Network Address Translation= SUA Only
    Address Mapping Set= N/A

Press ENTER to Confirm or ESC to Cancel: 

Figure 18-6 Menu 4 Internet Access Setup

The following table contains instructions on how to configure your Prestige for Internet access.

Table 18-2 Menu 4 Internet Access Setup

Table 18-2 Menu 4 Internet Access Setup

Table 18-2 Menu 4 Internet Access Setup

If all your settings are correct your Prestige should connect automatically to the Internet. If the connection fails, note the error message that you receive on the screen and take the appropriate troubleshooting steps.

Chapter 19

Remote Node Configuration

This chapter covers remote node configuration.

19.1 Remote Node Setup Overview

This section describes the protocol-independent parameters for a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. When you use menu 4 to set up Internet access, you are configuring one of the remote nodes.

You first choose a remote node in Menu 11- Remote Node Setup. You can then edit that node's profile in menu 11.1, as well as configure specific settings in three submenus: edit IP and bridge options in menu 11.3; edit ATM options in menu 11.6; and edit filter sets in menu 11.5.

19.2 Remote Node Setup

This section describes the protocol-independent parameters for a remote node.

19.2.1 Remote Node Profile

To configure a remote node, follow these steps:

Step 1. From the main menu, enter 11 to display Menu 11 - Remote Node Setup.

Step 2. When menu 11 appears, as shown in the following figure, type the number of the remote node that you want to configure.

Figure 19-1 Menu 11 Remote Node Setup

19.2.2 Encapsulation and Multiplexing Scenarios

For Internet access you should use the encapsulation and multiplexing methods used by your ISP. Consult your ISP for information on encapsulation and multiplexing methods for LAN-to-LAN applications, for example between a branch office and corporate headquarters. There must be prior agreement on encapsulation and multiplexing methods because they cannot be automatically determined. What method(s) you use also depends on how many VCs you have and how many different network protocols you need. The extra overhead that ENET ENCAP encapsulation entails makes it a poor choice in a LAN-to-LAN application. Here are some examples of more suitable combinations in such an application.

Scenario 1. One VC, Multiple Protocols

PPPoA (RFC-2364) encapsulation with VC-based multiplexing is the best combination because no extra protocol identifying headers are needed. The PPP protocol already contains this information.

Scenario 2. One VC, One Protocol (IP)

Selecting RFC-1483 encapsulation with VC-based multiplexing requires the least amount of overhead (0 octets). However, if there is a potential need for multiple protocol support in the future, it may be safer to select PPPoA encapsulation instead of RFC-1483, so you do not need to reconfigure either computer later.

Scenario 3. Multiple VCs

If you have an equal number (or more) of VCs than the number of protocols, then select RFC-1483 encapsulation and VC-based multiplexing.

Figure 19-2 Menu 11.1 Remote Node Profile

In Menu 11.1 – Remote Node Profile, fill in the fields as described in the following table.

Table 19-1 Menu 11.1 Remote Node Profile

Table 19-1 Menu 11.1 Remote Node Profile

Table 19-1 Menu 11.1 Remote Node Profile

19.2.3 Outgoing Authentication Protocol

For obvious reasons, you should employ the strongest authentication protocol possible. However, some vendors' implementation includes specific authentication protocol in the user profile. It will disconnect if the negotiated protocol is different from that in the user profile, even when the negotiated protocol is stronger than specified. If the peer disconnects right after a successful authentication, make sure that you specify the correct authentication protocol when connecting to such an implementation.

19.3 Metric

The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a

minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost".

The metric sets the priority for the Prestige's routes to the Internet. If any two of the default routes have the same metric, the Prestige uses the following pre-defined priorities:

1. Normal route: designated by the ISP
2. Traffic-redirect route

IP Policy Routing overrides the default routing behavior and takes priority over all of the routes mentioned above (see the IP Policy Routing chapter).

For example, if the normal route has a metric of "1" and the traffic-redirect route has a metric of "2", then the normal route acts as the primary default route. If the normal route fails to connect to the Internet, the Prestige tries the traffic-redirect route next.

19.4 Remote Node Network Layer Options

For the TCP/IP parameters, perform the following steps to edit Menu 11.3 – Remote Node Network Layer Options as shown next.

Step 1. In menu 11.1, make sure IP is among the protocols in the Route field.
Step 2. Move the cursor to the Edit IP/Bridge field, press [SPACE BAR] to select Yes, then press [ENTER] to display Menu 11.3 – Remote Node Network Layer Options.

Menu 11.3 - Remote Node Network Layer Options
IP Options: Bridge Options:
IP Address Assignment= Dynamic Ethernet Addr Timeout (min)= N/A
Rem IP Addr: 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.0
NAT= Full Feature
Address Mapping Set= 2
Metric= 2
Private= No
RIP Direction= None
Version= RIP-1
Multicast= None
IP Policies= 3,4,5,6
Press ENTER to Confirm or ESC to Cancel: 

Figure 19-3 Menu 11.3 Remote Node Network Layer Options

The next table explains fields in Menu 11.3 - Remote Node Network Layer Options.

Table 19-2 Menu 11.3 Remote Node Network Layer Options

Table 19-2 Menu 11.3 Remote Node Network Layer Options

19.4.1 My WAN Addr Sample IP Addresses

The following figure uses sample IP addresses to help you understand the field of My Wan Addr in menu 11.3. Refer to the previous LAN and WAN IP Addresses figure in the web configurator chapter on LAN setup for a brief review of what a WAN IP is. My WAN Addr indicates the local Prestige WAN IP (172.16.0.1 in the following figure) while Rem IP Addr indicates the peer WAN IP (172.16.0.2 in the following figure).

graph TD
    A["Remote Network"] -->|192.168.1.0| B["Prestige"]
    A -->|192.168.1.1| B
    A -->|172.16.0.2| B
    C["Local Network"] -->|10.0.0.0| D["Prestige"]
    C -->|10.0.0.1| D
    C -->|172.16.0.1| D
    D --> E["xDSL/ATM"]
    E --> F["xDSL Lines"]
    F --> G["10/100MB"]
    G --> H["Computer"]
    style A fill:#f9f,stroke:#333
    style C fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style D fill:#ccf,stroke:#333
    style E fill:#cfc,stroke:#333
    style F fill:#fcc,stroke:#333
    style G fill:#fcc,stroke:#333

Figure 19-4 Sample IP Addresses for a TCP/IP LAN-to-LAN Connection

19.5 Remote Node Filter

Move the cursor to the Edit Filter Sets field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to display Menu 11.5 – Remote Node Filter.

Use Menu 11.5 – Remote Node Filter to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the Prestige and also to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by comma, for example, 1, 5, 9, 12, in each filter field.

Note that spaces are accepted in this field. The Prestige has a prepackaged filter set, NetBIOS_WAN, that blocks NetBIOS packets (call protocol filter = 1). Include this in the call filter sets if you want to prevent NetBIOS packets from triggering calls to a remote node.

Menu 11.5 - Remote Node Filter
Input Filter Sets:
protocol filters= 11, 12
device filters=
Output Filter Sets:
protocol filters=
device filters=
Enter here to CONFIRM or ESC to CANCEL: 

Figure 19-5 Menu 11.5 Remote Node Filter (RFC 1483 or ENET Encapsulation)

Menu 11.5 - Remote Node Filter
Input Filter Sets:
protocol filters= 11, 12
device filters=
Output Filter Sets:
protocol filters=
device filters=
Call Filter Sets:
Protocol filters=
Device filters=
Enter here to CONFIRM or ESC to CANCEL: 

Figure 19-6 Menu 11.5 Remote Node Filter (PPPoA or PPPoE Encapsulation)

19.5.1 Web Configurator Internet Security Filter Rules

In the web configurator, open the Security screen as shown next. Select the predefined filter rules and click Apply.

Figure 19-7 Internet Security

Once you apply the filter rules in the web configurator, filter sets 11 and 12 are automatically applied in the protocol filters field under Input Filter Sets in SMT menu 11.5.

SMT input protocol filter set numbers that were previously applied are erased after you apply the Internet Security filter rules in the web configurator. To reapply them or apply new filter sets, you need to enter the filter set numbers again along with filter sets 11 and 12. For example, to apply filter sets 1 and 2, you enter “1, 2, 11, 12”.

19.5.2 Web Configurator Filter Sets

When you apply filter rules using the web configurator, filter sets 11 and 12 are automatically generated in SMT menu 21.

Figure 19-8 Menu 21- Filer Set Configuration (P650H/HW)

The following figures display the filter rules in filter sets 11 and 12.

Figure 19-9 Menu 21.11- WebSet 11

Figure 19-10 Menu 21.12- WebSet 12

Do not edit filter sets 11 and 12. They are used exclusively by the web configurator. Any rules you configured in sets 11 and 12 will be erased and replaced when you apply the web configurator-generated filter rules.

19.6 Editing ATM Layer Options

Follow the steps shown next to edit Menu 11.6 – Remote Node ATM Layer Options.

In menu 11.1, move the cursor to the Edit ATM Options field and then press [SPACE BAR] to select Yes. Press [ENTER] to display Menu 11.6 – Remote Node ATM Layer Options.

There are two versions of menu 11.6 for the Prestige, depending on whether you chose VC-based/LLC-based multiplexing and PPP encapsulation in menu 11.1.

19.6.1 VC-based Multiplexing (non-PPP Encapsulation)

For VC-based multiplexing, by prior agreement, a protocol is assigned a specific virtual circuit, for example, VC1 will carry IP. Separate VPI and VCI numbers must be specified for each protocol.

Figure 19-11 Menu 11.6 for VC-based Multiplexing

19.6.2 LLC-based Multiplexing or PPP Encapsulation

For LLC-based multiplexing or PPP encapsulation, one VC carries multiple protocols with protocol identifying information being contained in each packet header.

Menu 11.6 - Remote Node ATM Layer Options
VPI/VCI (LLC-Multiplexing or PPP-Encapsulation) 

VPI #= 8
VCI #= 35
ATM QoS Type= UBR
Peak Cell Rate (PCR)= 0
Sustain Cell Rate (SCR)= 0
Maximum Burst Size (MBS)= 0
ENTER here to CONFIRM or ESC to CANCEL: 

Only one set of VPI and VCI numbers needs to be specified.

Figure 19-12 Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation

In this case, only one set of VPI and VCI numbers need be specified for all protocols. The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (1 to 31 is reserved for local management of ATM traffic).

19.7 Traffic Redirect

Traffic redirect forwards LAN traffic to a backup gateway when the Prestige cannot connect to the Internet. An example is shown in the figure below.

graph TD
    A["Client 1"] --> B["Hub/Switch"]
    C["Client 2"] --> B
    D["Client 3"] --> B
    E["Client 4"] --> B
    B --> F["Prestige"]
    B --> G["Backup Gateway"]
    F --> H["INTERNET"]
    G --> H
    I["LAN"] --> B
    J["WAN"] --> H

Figure 19-13 Traffic Redirect Setup Example

To configure the parameters for traffic redirect, enter 11 from the main menu to display Menu 11.1-Remote Node Profile as shown next.

Menu 11.1 - Remote Node Profile
Rem Node Name= MyISP Route= IP
Active= Yes Bridge= No
Encapsulation= ENET ENCAP Edit IP/Bridge= No
Multiplexing= LLC-based Edit ATM Options= No
Service Name= N/A
Incoming: Telco Option:
Rem Login= N/A Allocated Budget(min)= N/A
Rem Password= N/A Period(hr)= N/A
Outgoing: Schedule Sets= N/A
My Login= N/A Nailed-Up Connection= N/A
My Password= N/A Session Options:
Authen= N/A Edit Filter Sets= No
Idle Timeout(sec)= N/A
Edit Traffic Redirect= Yes
Press ENTER to Confirm or ESC to Cancel: 

Figure 19-14 Menu 11.1 – Remote Node Profile

To configure traffic redirect properties, press [SPACE BAR] to select Yes in the Edit Traffic Redirect field and then press [ENTER].

Table 19-3 Menu 11.1 – Remote Node Profile (Traffic Redirect Field)

19.7.1 Traffic Redirect Setup

Configure parameters that determine when the Prestige will forward WAN traffic to the backup gateway using Menu 11.7 — Traffic Redirect Setup.

Menu 11.7 - Traffic Redirect Setup
Active= No
Configuration:
Backup Gateway IP Address= 0.0.0.0
Metric= 15
Press ENTER to Confirm or ESC to Cancel: 

Figure 19-15 Menu 11.7 Traffic Redirect Setup

The following table describes the fields in this menu.

Table 19-4 Menu 11.7 Traffic Redirect Setup

Chapter 20

Static Route Setup

This chapter shows how to setup IP static routes.

20.1 IP Static Route Overview

Static routes tell the Prestige routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN or a remote network is beyond the one that is directly connected to a remote node.

Each remote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond. For instance, the Prestige knows about network N2 in the following figure through remote node Router 1. However, the Prestige is unable to route a packet to network N3 because it does not know that there is a route through remote node Router 1 (via Router 2). The static routes allow you to tell the Prestige about the networks beyond the remote nodes.

graph LR
    N1["Computer 1"] --> PPESTIGE["Prestige"]
    N2["Computer 2"] --> R1["R1"]
    N3["Computer 3"] --> R2["R2"]
    PPESTIGE --> R1
    R1 --> R2

Figure 20-1 Sample Static Routing Topology

20.2 Configuring an IP static route

Step 1. To configure an IP static route, use Menu 12 – Static Route Setup (shown next).

Menu 12 - Static Route Setup
1. IP Static Route
3. Bridge Static Route
Please enter selection: 

Figure 20-2 Menu 12 Static Route Setup

Step 2. From menu 12, select 1 to open Menu 12.1 — IP Static Route Setup (shown next).

Figure 20-3 Menu 12.1 IP Static Route Setup (P650H/HW)

Step 3. Now, type the route number of a static route you want to configure.

Menu 12.1.1 - Edit IP Static Route
Route #: 1
Route Name = ?
Active = No
Destination IP Address = ?
IP Subnet Mask = ?
Gateway IP Address = ?
Metric = 2
Private = No
Press ENTER to Confirm or ESC to Cancel: 

Figure 20-4 Menu12.1.1 Edit IP Static Route

The following table describes the fields for Menu 12.1.1 – Edit IP Static Route Setup.

Table 20-1 Menu12.1.1 Edit IP Static Route

Table 20-1 Menu12.1.1 Edit IP Static Route

Chapter 21

Bridging Setup

This chapter shows you how to configure the bridging parameters of your Prestige.

21.1 Bridging Overview

Bridging bases the forwarding decision on the MAC (Media Access Control), or hardware address, while routing does it on the network layer (IP) address. Bridging allows the Prestige to transport packets of network layer protocols that it does not route, for example, SNA, from one network to another. The caveat is that, compared to routing, bridging generates more traffic for the same network layer protocol, and it also demands more CPU cycles and memory.

For efficiency reasons, do not turn on bridging unless you need to support protocols other than IP on your network. For IP, enable the routing if you need it; do not bridge what the Prestige can route.

21.2 Bridge Ethernet Setup

Basically, all non-local packets are bridged to the WAN. Your Prestige does not support IPX.

21.2.1 Remote Node Bridging Setup

Follow the procedure in another section to configure the protocol-independent parameters in Menu 11.1 – Remote Node Profile. For bridging-related parameters, you need to configure Menu 11.3 – Remote Node Network Layer Options.

To setup Menu 11.3 – Remote Node Network Layer Options shown in the next figure, follow these steps:

Step 1. In menu 11.1, make sure the Bridge field is set to Yes.

Figure 21-1 Menu 11.1 Remote Node Profile

Step 2. Move the cursor to the Edit IP/Bridge field, then press [SPACE BAR] to set the value to Yes and press [ENTER] to edit Menu 11.3 – Remote Node Network Layer Options.

Figure 21-2 Menu 11.3 Remote Node Network Layer Options

Table 21-1 Menu 11.3 Remote Node Network Layer Options : Bridge Fields

21.2.2 Bridge Static Route Setup

Similar to network layer static routes, a bridging static route tells the Prestige the route to a node before a connection is established. You configure bridge static routes in menu 12.3.1 (go to menu 12, choose option 3, then choose a static route to edit) as shown next.

Menu 12.3 - Bridge Static Route Setup

1. ____
2. ____
3. ____
4. ____ 

Enter selection number:
Figure 21-3 Menu 12.3 Bridge Static Route Setup

Menu 12.3.1 - Edit Bridge Static Route

Route #: 1
Route Name=
Active= No
Ether Address= ?
IP Address=
Gateway Node= 1
Press ENTER to Confirm or ESC to Cancel: 

Figure 21-4 Menu 12.3.1 Edit Bridge Static Route

The following table describes the Edit Bridge Static Route menu.

Table 21-2 Menu 12.3.1 Edit Bridge Static Route

Chapter 22

Network Address Translation (NAT)

This chapter discusses how to configure NAT on the Prestige.

22.1 NAT Overview

22.1.1 SUA (Single User Account) Versus NAT

SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See section 22.3.1 for a detailed description of the NAT set for SUA. The Prestige also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types as outlined in the web configurator part of this guide.

1. Choose SUA Only if you have just one public WAN IP address for your Prestige.
2. Choose Full Feature if you have multiple public WAN IP addresses for your Prestige.

22.2 Applying NAT

You apply NAT via menus 4 or 11.3 as displayed next. The next figure shows you how to apply NAT for Internet access in menu 4. Enter 4 from the main menu to go to Menu 4 - Internet Access Setup.

Figure 22-1 Menu 4 Applying NAT for Internet Access

The following figure shows how you apply NAT to the remote node in menu 11.1.

Step 1. Enter 11 from the main menu.
Step 2. When menu 11 appears, as shown in the following figure, type the number of the remote node that you want to configure.
Step 3. Move the cursor to the Edit IP/Bridge field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options.

Menu 11.3 - Remote Node Network Layer Options
IP Options: Bridge Options:
IP Address Assignment = Dynamic Ethernet Addr Timeout(min)= N/A
Rem IP Addr = 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= N/A
NAT= SUA Only
Address Mapping Set= N/A
Metric= 2
Private= No
RIP Direction= None
Version= RIP-1
Multicast= None
IP Policies= 
Enter here to CONFIRM or ESC to CANCEL: 

Figure 22-2 Menu 11.3 Applying NAT to the Remote Node

The following table describes the options for Network Address Translation.

Table 22-1 Applying NAT in Menus 4 & 11.3

22.3 NAT Setup

Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT address mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.3, the SMT will use Set 1. When you select SUA Only, the SMT will use the pre-configured Set 255 (read only).

The server set is a list of LAN servers mapped to external ports. To use this set, a server rule must be set up inside the NAT address mapping set. Please see the section on port forwarding in the chapter on NAT web configurator screens for further information on these menus. To configure NAT, enter 15 from the main menu to bring up the following screen.

Menu 15 - NAT Setup
1. Address Mapping Sets
2. NAT Server Sets
Enter Menu Selection Number: 

Figure 22-3 Menu 15 NAT Setup

22.3.1 Address Mapping Sets

Enter 1 to bring up Menu 15.1 — Address Mapping Sets.

Menu 15.1 - Address Mapping Sets
1.
2.
3.
4.
5.
6.
7.
8.
255. SUA (read only)
Enter Menu Selection Number:
Enter Menu Selection Number: 

Figure 22-4 Menu 15.1 Address Mapping Sets

SUA Address Mapping Set

Enter 255 to display the next screen (see also section 22.1.1). The fields in this menu cannot be changed.

Figure 22-5 Menu 15.1.255 SUA Address Mapping Rules

The following table explains the fields in this menu.

Menu 15.1.255 is read-only.

Table 22-2 SUA Address Mapping Rules

Table 22-2 SUA Address Mapping Rules

User-Defined Address Mapping Sets

Now let's look at option 1 in menu 15.1. Enter 1 to bring up this menu. We'll just look at the differences from the previous menu. Note the extra Action and Select Rule fields mean you can configure rules in this screen. Note also that the [?] in the Set Name field means that this is a required field and you must enter a name for the set.

Menu 15.1.1 - Address Mapping Rules
Set Name = ?
Idx Local Start IP Local End IP Global Start IP Global End IP Type
1. 0.0.0.0 Serve+
2
3.
4.
5.
6.
7.
8.
9.
10.
Action= Edit Select Rule=
Press ENTER to Confirm or ESC to Cancel: 

Figure 22-6 Menu 15.1.1 First Set

If the Set Name field is left blank, the entire set will be deleted.

The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here.

Ordering Your Rules

Ordering your rules is important because the Prestige applies the rules in the order that you specify. When a rule matches the current packet, the Prestige takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed

up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9. In the set summary screen, the new rule will be rule 7, not 9.

Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so as old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6.

Table 22-3 Menu 15.1.1 First Set

You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule. No changes to the set take place until this action is taken.

Selecting Edit in the Action field and then selecting a rule brings up the following menu, Menu 15.1.1.1 - Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs.

An End IP address must be numerically greater than its corresponding IP Start address.

Menu 15.1.1.1 Address Mapping Rule
Type= One-to-One
Local IP:
    Start=
    End = N/A
Global IP:
    Start= 0.0.0.0
    End = N/A
Server Mapping Set= N/A
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle. 

Figure 22-7 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set

The following table explains the fields in this menu.

Table 22-4 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set

Table 22-4 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set

22.4 Configuring a Server behind NAT

Follow these steps to configure a server behind NAT:

Step 1. Enter 15 in the main menu to go to Menu 15 - NAT Setup.

Step 2. Enter 2 to display Menu 15.2 - NAT Server Sets as shown next.

Figure 22-8 Menu 15.2 NAT Server Setup

Step 3. Enter 1 to go to Menu 15.2.1 NAT Server Setup as follows.

Menu 15.2.1 - NAT Server Setup

Press ENTER to Confirm or ESC to Cancel:

Figure 22-9 Menu 15.2.1 NAT Server Setup

Step 4. Enter a port number in an unused Start Port No field. To forward only one port, enter it again in the End Port No field. To specify a range of ports, enter the last port to be forwarded in the End Port No field.
Step 5. Enter the inside IP address of the server in the IP Address field. In the following figure, you have a computer acting as an FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33.
Step 6. Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel.

The NAT network appears as a single host on the Internet

graph TD
    A["Priavte network"] --> B["IP addresses assigned by user"]
    B --> C["Computer IP Address = 192.168.1.34"]
    B --> D["Computer IP Address = 192.168.1.35"]
    B --> E["Computer IP Address = 192.168.1.36"]
    C --> F["LAN"]
    D --> F
    E --> F
    F --> G["Prestige"]
    G --> H["INTERNET"]
    H --> I["IP ADDRESS ASSIGNED BY ISP"]
    G --> J["FTP/TELNET/SMTP server IP Address = 192.168.1.33"]
    G --> K["192.168.1.1"]

Figure 22-10 Multiple Servers Behind NAT Example

22.5 General NAT Examples

The following are some examples of NAT configuration.

22.5.1 Example 1: Internet Access Only

In the following Internet access example, you only need one rule where your ILAs (Inside Local addresses) all map to one dynamic IGA (Inside Global Address) assigned by your ISP.

graph LR
    PC1["PC 1"] -->|SA 192.168..1.10| Prestige["Prestige"]
    PC2["PC 2"] -->|SA 192.168..1.10| Prestige
    PC3["PC 3"] -->|SA 192.168..1.10| Prestige
    PC4["PC 4"] -->|SA 192.168..1.10| Prestige
    Prestige -->|Inside Local Addresses (ILA)| PC3
    Prestige -->|One Dynamic Inside Global Addresses (IGA) Assigned by ISP| SA["SA IGA 1"]
    SA --> Internet["INTERNET"]

Figure 22-11 NAT Example 1

Menu 4 - Internet Access Setup
ISP's Name= MyISP
Encapsulation= RFC 1483
Multiplexing= LLC-based
VPI #= 8
VCI #= 35
ATM QoS Type= UBR
Peak Cell Rate (PCR)= 0
Sustain Cell Rate (SCR)= 0
Maximum Burst Size (MBS)= 0
My Login= N/A
My Password= N/A
ENET ENCAP Gateway= N/A
IP Address Assignment= Static
IP Address= 0.0.0.0
Network Address Translation= SUA Only
Address Mapping Set= N/A
Press ENTER to Confirm or ESC to Cancel: 

Figure 22-12 Menu 4 Internet Access & NAT Example

From menu 4, choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 22.5. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case.

22.5.2 Example 2: Internet Access with an Inside Server

graph TD
    PC1["PC 1"] -->|SA 192.168..1.10| Central["Central Node"]
    PC2["PC 2"] -->|SA 192.168..1.10| Central
    PC3["PC 3"] -->|SA 192.168..1.10| Central
    Central -->|Inside Local Addresses (ILA)| Prestige["Prestige"]
    Central -->|One Dynamic Inside Global Addresses (IGA) Assigned by ISP| Internet["INTERNET"]
    style Central fill:#f9f,stroke:#333
    style Internet fill:#ccf,stroke:#333

Figure 22-13 NAT Example 2

In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure.

Figure 22-14 Menu 15.2.1 Specifying an Inside Server

22.5.3 Example 3: Multiple Public IP Addresses With Inside Servers

In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for each department with an FTP server and all departments use the other IGA. Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA. Map the third IGA to an inside web server and mail server. Four rules need to be configured, two bi-directional and two uni-directional as follows.

Rule 1. Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).

Rule 2. Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).

Rule 3. Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping).

Rule 4. You also map your third IGA to the web server and mail server on the LAN. Type Server allows you to specify multiple servers, of different types, to other computers behind NAT on the LAN.

The example situation looks somewhat like this:

graph TD
    A["Web Server 192.168.1.21"] --> B["Central Node"]
    C["Mail Server 192.168.1.20"] --> B
    D["FTP Server 1 192.168.1.10"] --> B
    E["FTP Server 2 192.168.1.11"] --> B
    F["Other Computers on the LAN"] --> B
    G["Prestige"] --> H["3 IGAs"]
    H --> I["INTERNET"]
    style I fill:#cce5ff,stroke:#333
    note right of B: Mapping Rules
    note left of B: 3. Other LAN traffic --> IGA1["IGA 1 Type 1:1"]
    note right of B: 4. IGA3["IGA 3"] --> IGA2["IGA 2 Type 1:1"]
    note right of B: 3. Other LAN traffic --> IGA3["IGA 3, Type M-1(Outgoing Traffic)"]
    note right of B: Internal web server and mail server (Incoming Traffic)

Figure 22-15 NAT Example 3

Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 22-16.

Step 2. Then enter 15 from the main menu.

Step 3. Enter 1 to configure the Address Mapping Sets.

Step 4. Enter 1 to begin configuring this new set. Enter a Set Name, choose the Edit Action and then enter 1 for the Select Rule field. Press [ENTER] to confirm.

Step 5. Select Type as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA). (See Figure 22-17).

Step 6. Repeat the previous step for rules 2 to 4 as outlined above.

Step 7. When finished, menu 15.1.1 should look like as shown in.

Menu 11.3 - Remote Node Network Layer Options
IP Options: Bridge Options:
IP Address Assignment= Static Ethernet Addr Timeout (min)= 0
Rem IP Addr: 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.0
NAT= Full Feature
Address Mapping Set= 2
Metric= 2
Private= No
RIP Direction= Both
Version= RIP-2B
Multicast= IGMP-v2
IP Policies=
Press ENTER to Confirm or ESC to Cancel: 

Figure 22-16 Example 3: Menu 11.3

The following figures show how to configure the first rule

Menu 15.1.1.1 Address Mapping Rule
Type= One-to-One
Local IP:
    Start= 192.168.1.10
    End = N/A
Global IP:
    Start= 10.132.50.1
    End = N/A
Server Mapping Set= N/A
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle. 

Figure 22-17 Example 3: Menu 15.1.1.1

Figure 22-18 Example 3: Final Menu 15.1.1

Now configure the IGA3 to map to our web server and mail server on the LAN.

Step 8. Enter 15 from the main menu.

Step 9. Enter 2 in Menu 15 - NAT Setup.

Step 10. Enter 1 in Menu 15.2 - NAT Server Sets to see the following menu. Configure it as shown.

Example 3: Menu 15.2.1

22.5.4 Example 4: NAT Unfriendly Application Programs

Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT mapping types. The following figure illustrates this.

graph LR
    A["Game Player 1\n192.168.1.10"] --> B["Computer"]
    C["Game Player 2\n192.168.1.11"] --> B
    D["Game Player 3\n192.168.1.12"] --> B
    B --> E["Prestige"]
    E --> F["3 IGAs\n10.132.50.1 = IGA 1\n10.132.50.2 = IGA 2\n10.132.50.3 = IGA 3"]
    G["INTERNET"] --> E
    style G fill:#cce5ff,stroke:#333

Figure 22-19 NAT Example 4

Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won't work through NAT even when using One-to-One and Many-to-Many No Overload mapping types.

Follow the steps outlined in example 3 to configure these two menus as follows.

Menu 15.1.1.1 Address Mapping Rule
Type= Many-to-Many No Overload
Local IP:
    Start= 192.168.1.10
    End = 192.168.1.12
Global IP:
    Start= 10.132.50.1
    End = 10.132.50.3
Server Mapping Set= N/A
Press ENTER to Confirm or ESC to Cancel: 

Figure 22-20 Example 4: Menu 15.1.1.1 Address Mapping Rule

After you've configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.

Menu 15.1.1 - Address Mapping Rules
Set Name= Example4
Idx Local Start IP Local End IP Global Start IP Global End IP Type
1. 192.168.1.10 192.168.1.12 10.132.50.1 10.132.50.3 M:M NO OV
2.
3.
4.
5.
6.
7.
8.
9.
10.
Action= Edit Select Rule=
Press ENTER to Confirm or ESC to Cancel: 

Figure 22-21 Example 4: Menu 15.1.1 Address Mapping Rules

Part VIII:

SMT Advanced Management

This part discusses filtering setup, SNMP, system security, system information and diagnosis, firmware and configuration file maintenance, system maintenance, remote management, IP policy routing and call scheduling.

See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.

Chapter 23

Filter Configuration

This chapter shows you how to create and apply filters.

23.1 About Filtering

Your Prestige uses filters to decide whether or not to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.

Data filtering screens data to determine if the packet should be allowed to pass. Data filters are divided into incoming and outgoing filters, depending on the direction of the packet relative to a port. Data filtering can be applied on either the WAN side or the Ethernet side. Call filtering is used to determine if a packet should be allowed to trigger a call.

Outgoing packets must undergo data filtering before they encounter call filtering. Call filters are divided into two groups, the built-in call filters and user-defined call filters. Your Prestige has built-in call filters that prevent administrative, for example, RIP packets from triggering calls. These filters are always enabled and not accessible to you. Your Prestige applies the built-in filters first and then the user-defined call filters, if applicable, as shown next.

graph TD
    A["Outgoing Packet"] --> B["Data"]
    B -->|Match| C["Drop packet"]
    B -->|No match| D["Built-in default Call Filters"]
    D -->|Match| E["Drop packet if line not up"]
    D -->|No match| F["User-defined Call Filters (if applicable)"]
    F -->|Match| G["Drop packet if line not up"]
    F -->|No match| H["Active Data"]
    H --> I["Initiate call if line not up"]
    I --> J["Send packet and reset Idle Timer"]
    D --> K["Send packet but do not reset Idle Timer"]
    F --> L["Send packet but do not reset Idle Timer"]
    style D fill:#f9f,stroke:#333
    style F fill:#f9f,stroke:#333
    style H fill:#ccf,stroke:#333

Figure 23-1 Outgoing Packet Filtering Process

Two sets of factory filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls. A summary of their filter rules is shown in the figures that follow.

The following figure illustrates the logic flow when executing a filter rule.

graph TD
    A["Start"] --> B["Packet intoFilter"]
    B --> C["Fetch First Filter Set"]
    C --> D["Fetch First Filter Rule"]
    D --> E{Active?}
    E -->|Yes| F["Execute Filter Rule"]
    E -->|No| G{Next filter Rule Available?}
    G -->|Yes| H["Fetch Next Filter Set"]
    H --> I{Next Filter Set Available?}
    I -->|No| J["Drop Packet"]
    I -->|Yes| K["Check Next Rule"]
    K --> L["Receive"]
    L --> M["Accept Packet"]
    M --> N["Forward"]
    N --> O["Drop"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#cfc,stroke:#333
    style D fill:#fcc,stroke:#333
    style E fill:#cff,stroke:#333
    style F fill:#ffc,stroke:#333
    style G fill:#cfc,stroke:#333
    style H fill:#fcc,stroke:#333
    style I fill:#ffc,stroke:#333
    style J fill:#fcc,stroke:#333
    style K fill:#ffc,stroke:#333
    style L fill:#fcc,stroke:#333
    style M fill:#ffc,stroke:#333
    style N fill:#fcc,stroke:#333

Figure 23-2 Filter Rule Process

You can apply up to four filter sets to a particular port to block various types of packets. Because each filter set can have up to six rules, you can have a maximum of 24 rules active for a single port.

For incoming packets, your Prestige applies data filters only. Packets are processed depending on whether a match is found. The following sections describe how to configure filter sets.

The Filter Structure of the Prestige

A filter set consists of one or more filter rules. Usually, you would group related rules, for example, all the rules for NetBIOS, into a single set and give it a descriptive name. You can configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.

23.2 Configuring a Filter Set for the Prestige 650H and the Prestige 650HW

To configure a filter set, follow the steps shown next.

Step 1. Enter 21 in the main menu to display Menu 21 – Filter Set Configuration.

Figure 23-3 Menu 21 Filter Set Configuration (P650H/HW)

Step 2. Type the filter set to configure (no. 1 to 12) and press [ENTER].

Step 3. Type a descriptive name or comment in the Edit Comments field and press [ENTER].

Step 4. Press [ENTER] at the message “Press ENTER to confirm…” to display Menu 21.2 – Filter Rules Summary (that is, if you selected filter set 2 in menu 21).

Figure 23-4 NetBIOS_WAN Filter Rules Summary

Figure 23-5 NetBIOS_LAN Filter Rules Summary

Figure 23-6 IGMP Filter Rules Summary

23.3 Configuring a Filter Set for the Prestige 650R and the Prestige 650R-E

To configure a filter set, follow the steps shown next.

Step 1. Enter 21 in the main menu to display Menu 21 – Filter Set Configuration.

Figure 23-7 Menu 21 Filter Set Configuration (P650R and P650R-E)

Step 2. Type the filter set to configure (no. 1 to 12) and press [ENTER].
Step 3. Type a descriptive name or comment in the Edit Comments field and press [ENTER].
Step 4. Press [ENTER] at the message “Press ENTER to confirm…” to display Menu 21.4 – Filter Rules Summary (that is, if you selected filter set 4 in menu 21).

See Figure 23-4 for the summary of the NetBIOS WAN rules and Figure 23-5 for the summary of the NetBIOS LAN rules.

Figure 23-8 TELNET_WAN Filter Rules Summary

Figure 23-9 PPPoE Filter Rules Summary

Figure 23-10 FTP_WAN Filter Rules Summary

23.3.1 Filter Rules Summary Menus

The following tables briefly describe the abbreviations used in menu 21.x.

Table 23-1 Abbreviations Used in the Filter Rules Summary Menu

The protocol dependent filter rules abbreviation are listed as follows:

Table 23-2 Rule Abbreviations Used

Table 23-2 Rule Abbreviations Used

23.4 Configuring a Filter Rule

To configure a filter rule, type its number in Menu 21.x – Filter Rules Summary and press [ENTER] to open menu 21.x.1 for the rule.

There are two types of filter rules: TCP/IP and Generic. Depending on the type of rule, the parameters for each type will be different. Use [SPACE BAR] to select the type of rule that you want to create in the Filter Type field and press [ENTER] to open the respective menu.

To speed up filtering, all rules in a filter set must be of the same class, for instance, protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filters field or vice versa, the Prestige will warn you and will not allow you to save.

23.4.1 TCP/IP Filter Rule

This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers.

To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.x.1 – TCP/IP Filter Rule, as shown next.

Figure 23-11 Menu 21.x.1 TCP/IP Filter Rule

The following table describes how to configure your TCP/IP filter rule.

Table 23-3 Menu 21.x.1 TCP/IP Filter Rule

Table 23-3 Menu 21.x.1 TCP/IP Filter Rule

Table 23-3 Menu 21.x.1 TCP/IP Filter Rule

The following figure illustrates the logic flow of an IP filter.

graph TD
    A["Packet into IP Filter"] --> B{Filter Active?}
    B -->|Yes| C["Apply SrcAddrMask to Src Addr"]
    C --> D{Check Src IP Addr}
    D -->|Matched| E["Apply DestAddrMask to Dest Addr"]
    E --> F{Check Dest IP Addr}
    F -->|Matched| G{Check IP Protocol}
    G -->|Matched| H{Check Src & Dest Port}
    H -->|Matched| I{More?}
    I -->|No| J["Action Matched"]
    I -->|Yes| K["Action Not Matched"]
    J --> L["Drop Packet"]
    J --> M["Check Next Rule"]
    J --> N["Accept Packet"]
    K --> O["Check Next Rule"]
    L --> P["Forward"]
    M --> Q["Forward"]
    N --> R["Drop"]
    N --> S["Accept Packet"]
    style A fill:#f9f,stroke:#333
    style K fill:#f9f,stroke:#333
    style L fill:#ccf,stroke:#333
    style M fill:#ccf,stroke:#333
    style N fill:#ccf,stroke:#333

Figure 23-12 Executing an IP Filter

23.4.2 Generic Filter Rule

This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.

For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The Prestige applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match. The Mask and Value fields are specified in hexadecimal numbers. Note that it takes two hexadecimal digits to represent a byte, so if the length is 4, the value in either field will take 8 digits, for example, FFFFFFFF.

To configure a generic rule select an empty filter set in menu 21, for example 6. Select Generic Filter Rule in the Filter Type field and press [ENTER] to open Menu 21.6.1 – Generic Filter Rule, as shown in the following figure.

Menu 21.6.1 - Generic Filter Rule
Filter #: 6,1
Filter Type= Generic Filter Rule
Active= No
Offset= 0
Length= 0
Mask= N/A
Value= N/A
More= No Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle. 

Figure 23-13 Menu 21.6.1 Generic Filter Rule

The next table describes the fields in the Generic Filter Rule menu.

Table 23-4 Menu 21.6.1 Generic Filter Rule

23.5 Filter Types and NAT

There are two classes of filter rules, Generic Filter Device rules and Protocol Filter (TCP/IP) rules. Generic Filter rules act on the raw data from/to LAN and WAN. Protocol Filter rules act on IP packets.

When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore, the Prestige applies the protocol filters to the “native” IP address and port number before NAT for outgoing packets and after NAT for incoming packets. On the other hand, the generic (or device) filters are applied to the raw packets that appear on the wire. They are applied at the point where the Prestige is receiving and sending the packets; for instance, the interface. The interface can be an Ethernet, or any other hardware port. The following figure illustrates this.

graph LR
    A["Protocol Filters"] --> B["NAT"]
    B --> C["Device Filters"]
    C --> D["Interface"]
    A <-->|Route| A
    B <-->|Incoming| C
    C <-->|Outgoing| D

Figure 23-14 Protocol and Device Filter Sets

23.6 Example Filter

Let's look at an example to block outside users from telnetting into the Prestige.

graph TD
    A["User"] --> B["Your LAN"]
    B --> C["Central Network"]
    C --> D["Prestige"]
    D --> E["Incoming Traffic Filter"]
    E --> F["User trying to telnet into the Prestige"]

Figure 23-15 Sample Telnet Filter

Step 1. Enter 21 in the main menu to display Menu 21 — Filter Set Configuration.
Step 2. Enter the index number of the filter set you want to configure (in this case 6).
Step 3. Type a descriptive name or comment in the Edit Comments field (for example, TELNET_WAN) and press [ENTER].

Step 4. Press [ENTER] at the message “Press [ENTER] to confirm or [ESC] to cancel” to open Menu 21.6 — Filter Rules Summary.

Step 5. Type 1 to configure the first filter rule. Make the entries in this menu as shown next.

When you press [ENTER] to confirm, the following screen appears. Note that there is only one filter rule in this set.

Figure 23-16 Menu 21.6.1 Sample Filter

Figure 23-17 Menu 21.6 Sample Filter Rules Summary

After you have created the filter set, you must apply it.

Step 1. Enter 11 in the main menu to display menu 11 and type the remote node number to edit.

Step 2. Go to the Edit Filter Sets field, press [SPACE BAR] to choose Yes and press [ENTER].

Step 3. This brings you to menu 11.5. Apply the example filter set (for example, filter set 3) in this menu as shown in the next section.

23.7 Applying Filters and Factory Defaults

This section shows you where to apply the filter(s) after you design it (them). Sets of factory default filter rules have been configured in menu 21 (but have not been applied) to filter traffic.

Table 23-5 Filter Sets Table

23.7.1 Ethernet Traffic

You seldom need to filter Ethernet traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and type the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by typing their numbers separated by commas, for example, 2, 4, 6, 11. The factory default filter set, NetBIOS_LAN, is inserted in the protocol filters field under Input Filter Sets in menu 3.1 in order to prevent local NetBIOS messages from triggering calls to the DNS server.

Figure 23-18 Filtering Ethernet Traffic

23.7.2 Remote Node Filters

Go to menu 11.5 (shown next) and type the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by typing their numbers separated by commas. The factory default filter set,

NetBIOS_WAN, is inserted in the protocol filters field under Call Filter Sets in menu 11.5 to block local NetBIOS traffic from triggering calls to the ISP.

Figure 23-19 Filtering Remote Node Traffic

Note that call filter sets are visible when you select PPPoA or PPPoE encapsulation.

Chapter 24

SNMP Configuration

This chapter explains SNMP Configuration menu 22.

24.1 SNMP Overview

Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network. The Prestige supports SNMP version one (SNMPv1) and version two c (SNMPv2c). The next figure illustrates an SNMP management operation. SNMP is only available if TCP/IP is configured.

graph TD
    A["MANAGER"] --> B["AGENT"]
    A --> C["AGENT"]
    A --> D["AGENT"]
    B --> E["MIB"]
    C --> F["MIB"]
    D --> G["MIB"]
    style A fill:#f9f9f9,stroke:#333
    style B fill:#e6f7ff,stroke:#333
    style C fill:#e6f7ff,stroke:#333
    style D fill:#e6f7ff,stroke:#333
    note right of A: SNMP
    note left of B: Managed Device
    note right of C: Managed Device
    note right of D: Managed Device

Figure 24-1 SNMP Management Model

An SNMP managed network consists of two main components: agents and a manager.

An agent is a management software module that resides in a managed device (the Prestige). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

• Get - Allows the manager to retrieve an object variable from the agent.
• GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
• Set - Allows the manager to set values for object variables within an agent.
• Trap - Used by the agent to inform the manager of some events.

24.2 Supported MIBs

The Prestige supports RFC-1215 and MIB II as defined in RFC-1213 as well as ZyXEL private MIBs. The focus of the MIBs is to let administrators collect statistic data and monitor status and performance.

24.3 SNMP Configuration

To configure SNMP, select option 22 from the main menu to open Menu 22 — SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.

Menu 22 - SNMP Configuration
SNMP:
Get Community= public
Set Community= public
Trusted Host= 0.0.0.0
Trap:
Community= public
Destination= 0.0.0.0
Press ENTER to Confirm or ESC to Cancel: 

Figure 24-2 Menu 22 SNMP Configuration

The following table describes the SNMP configuration parameters.

Table 24-1 Menu 22 SNMP Configuration

24.4 SNMP Traps

The Prestige will send traps to the SNMP manager when any one of the following events occurs:

Table 24-2 SNMP Traps

The following table maps the physical port and encapsulation to the interface type.

Table 24-3 Ports and Interface Types

Chapter 25

System Security

This chapter describes how to configure the system security on the Prestige. This chapter is only applicable to the Prestige 650H and the Prestige 650HW.

25.1 System Security Overview

You can configure the system password, an external RADIUS server and IEEE802.1x in menu 23.

25.1.1 System Password

Enter 1 in the main menu to display Menu 23- System Security.

You should change the default password. If you forget your password you have to restore the default configuration file. Refer to the section on changing the system password in the Introducing the SMT chapter and the section on resetting the Prestige in the Introducing the Web Configurator chapter.

Menu 23 - System Security
1. Change Password
2. RADIUS Server
4. IEEE802.1x 

Figure 25-1 Menu 23 System Security

25.1.2 Configuring External RADIUS Server

From Menu 23- System Security, enter 2 to display Menu 23.2 - System Security-RADIUS Server.

Menu 23 - System Security
1. Change Password
2. RADIUS Server
4. IEEE802.1x 

Figure 25-2 Menu 23 System Security

Menu 23.2 - System Security - RADIUS Server
Authentication Server:
Active= No
Server Address= 10.11.12.13
Port #= 1812
Shared Secret= *****
Accounting Server:
Active= No
Server Address= 10.11.12.13
Port #= 1813
Shared Secret= *****
Press ENTER to Confirm or ESC to Cancel: 

Figure 25-3 Menu 23.2 System Security : RADIUS Server

The following table describes the fields in this menu.

Table 25-1 Menu 23.2 System Security : RADIUS Server

Table 25-1 Menu 23.2 System Security : RADIUS Server

25.1.3 IEEE802.1x

The IEEE802.1x standards outline enhanced security methods for both the authentication of wireless stations and encryption key management.

Follow the steps below to enable EAP authentication on your Prestige.

Step 1. From the main menu, enter 23 to display Menu23 – System Security.

Menu 23 - System Security

1. Change Password
2. RADIUS Server
3. IEEE802.1x

Figure 25-4 Menu 23 System Security

Step 2. Enter 4 to display Menu 23.4 – System Security – IEEE802.1x.

Menu 23.4 - System Security - IEEE802.1x
Wireless Port Control= Authentication Required
ReAuthentication Timer (in second)= 1800
Idle Timeout (in second)= 3600
Authentication Databases= Local User Database Only
Press ENTER to Confirm or ESC to Cancel: 

Figure 25-5 Menu 23.4 System Security : IEEE802.1x

The following table describes the fields in this menu.

Table 25-2 Menu 23.4 System Security : IEEE802.1x

Table 25-2 Menu 23.4 System Security : IEEE802.1x

Once you enable user authentication, you need to specify an external RADIUS server or create local user accounts on the Prestige for authentication.

25.2 Creating User Accounts on the Prestige

By storing user profiles locally, your Prestige is able to authenticate wireless users without interacting with a network RADIUS server.

Follow the steps below to set up user profiles on your Prestige.

Step 1. From the main menu, enter 14 to display Menu 14 - Dial-in User Setup.

Figure 25-6 Menu 14 Dial-in User Setup

Step 3. Type a number and press [ENTER] to edit the user profile.

Figure 25-7 Menu 14.1 Edit Dial-in User

The following table describes the fields in this menu.

Table 25-3 Menu 14.1 Edit Dial-in User

Chapter 26

System Information and Diagnosis

This chapter covers the information and diagnostic tools in SMT menus 24.1 to 24.4.

26.1 System Maintenance Overview

These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail.

Type 24 in the main menu to open Menu 24 – System Maintenance, as shown in the following figure.

Menu 24 - System Maintenance

1. System Status  
2. System Information and Console Port Speed  
3. Log and Trace  
4. Diagnostic  
5. Backup Configuration  
6. Restore Configuration  
7. Upload Firmware  
8. Command Interpreter Mode  
9. Call Control  
10. Time and Date Setting  
11. Remote Management 

Enter Menu Selection Number:
Figure 26-1 Menu 24 System Maintenance

26.2 System Status

The first selection, System Status gives you information on the status and statistics of the ports, as shown next. System Status is a tool that can be used to monitor your Prestige. Specifically, it gives you information on your ADSL telephone line status, number of packets sent and received.

To get to System Status, type 24 to go to Menu 24 — System Maintenance. From this menu, type 1. System Status. There are two commands in Menu 24.1 — System Maintenance — Status. Entering 1 resets the counters; [ESC] takes you back to the previous screen.

The following table describes the fields present in Menu 24.1 — System Maintenance — Status which are read-only and meant for diagnostic purposes.

Figure 26-2 Menu 24.1 System Maintenance : Status

The following table describes the fields present in Menu 24.1 — System Maintenance — Status.

Table 26-1 Menu 24.1 System Maintenance : Status

Table 26-1 Menu 24.1 System Maintenance : Status

26.3 System Information

To get to the System Information :

Step 1. Enter 24 in the main menu to display Menu 24 — System Maintenance.

Step 2. Enter 2 to display Menu 24.2 — System Information.

Step 3. From this menu you have two choices as shown in the next figure:

Menu 24.2 - System Information and Console Port Speed
1. System Information
2. Console Port Speed
Please enter selection: 

Figure 26-3 Menu 24.2 System Information and Console Port Speed

26.3.1 System Information

Enter 1 in menu 24.2 to display the screen shown next.

Figure 26-4 Menu 24.2.1 System Maintenance : Information

The following table describes the fields in this menu.

Table 26-2 Menu 24.2.1 System Maintenance : Information

Table 26-2 Menu 24.2.1 System Maintenance : Information

26.3.2 Console Port Speed

You can set up different port speeds for the console port through Menu 24.2.2 – System Maintenance – Console Port Speed. Your Prestige supports 9600 (default), 19200, 38400, 57600 and 115200 bps. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown in the following figure.

Menu 24.2.2 - System Maintenance - Change Console Port Speed
Console Port Speed: 9600
Press ENTER to Confirm or ESC to Cancel: 

Figure 26-5 Menu 24.2.2 System Maintenance : Change Console Port Speed

Once you change the Prestige consol port speed, you must also set the speed parameter for the communication software you are using to connect to the Prestige.

26.4 Log and Trace

There are two logging facilities in the Prestige. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging.

26.4.1 Viewing Error Log

The first place you should look for clues when something goes wrong is the error log. Follow the procedures to view the local error/trace log:

Step 1. Type 24 in the main menu to display Menu 24 – System Maintenance.

Step 2. From menu 24, type 3 to display Menu 24.3 – System Maintenance – Log and Trace.

Menu 24.3 - System Maintenance - Log and Trace
1. View Error Log
2. UNIX Syslog
Please enter selection: 

Figure 26-6 Menu 24.3 System Maintenance : Log and Trace

Step 3. Enter 1 from Menu 24.3 — System Maintenance — Log and Trace to display the error log in the system.

After the Prestige finishes displaying the error log, you will have the option to clear it. Samples of typical error and information messages are presented in the next figure.

59 Thu Jan 01 00:00:03 1970 PP0f INFO LAN promiscuous mode <0>
60 Thu Jan 01 00:00:03 1970 PP00 -WARN SNMP TRAP 0: cold start
61 Thu Jan 01 00:00:03 1970 PP00 INFO main: init completed
62 Thu Jan 01 00:00:19 1970 PP00 INFO SMT Session Begin
63 Thu Jan 01 00:00:24 1970 PP0a WARN MPOA Link Down
Clear Error Log (y/n): 

Figure 26-7 Sample Error and Information Messages

26.4.2 Syslog and Accounting

The Prestige uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 — System Maintenance — UNIX Syslog, as shown next.

Menu 24.3.2 - System Maintenance - UNIX Syslog

UNIX Syslog:
Active= No
Syslog IP Address= ?
Log Facility= Local 1

Types:
CDR= No
Packet triggered= No
Filter Log= No
PPP Log= No

Press ENTER to Confirm or ESC to Cancel:

Press Space Bar to Toggle. 

Figure 26-8 Menu 24.3.2 System Maintenance : Syslog and Accounting

You need to configure the UNIX syslog parameters described in the following table to activate syslog then choose what you want to log.

Table 26-3 Menu 24.3.2 System Maintenance : Syslog and Accounting

The following are examples of the four types of syslog messages sent by the Prestige:

Jul 19 11:28:39 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1,
Data=4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6f70717273
74
Jul 19 11:28:56 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1,
Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e0000000600220008cd40000020405b4
Jul 19 11:29:06 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1,
Data=45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d1430135004000077600000

3 - Filter Log

SdcmdSyslogSend (SYSLOG FILLOG, SYSLOG NOTICE, String);

String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD

IP[...] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m), drop (D).

Src: Source Address

Dst: Destination Address

prot: Protocol ("TCP", "UDP", "ICMP")

spo: Source port

dpo: Destination port

Jul 19 14:43:55 192.168.102.2 ZYXEL: IP [Src=202.132.154.123 Dst=255.255.255.255 UDP spo=0208
dpo=0208]} S03>R01mF

Jul 19 14:44:00 192.168.102.2 ZYXEL: IP [Src=192.168.102.20 Dst=202.132.154.1 UDP spo=05d4
dpo=0035]} S03>R01mF

Jul 19 14:44:04 192.168.102.2 ZYXEL: IP [Src=192.168.102.20 Dst=202.132.154.1 UDP spo=05d4
dpo=0035]} S03>R01mF

4 - PPP Log

SdcmdSyslogSend (SYSLOG PPPLOG, SYSLOG NOTICE, String);

String = ppp:Proto Starting / ppp:Proto Opening / ppp:Proto Closing / ppp:Proto Shutdown

Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP/ PAP / IPCP / IPXCP

Jul 19 11:42:44 192.168.102.2 ZYXEL: ppp:LCP Closing
Jul 19 11:42:49 192.168.102.2 ZYXEL: ppp:IPCP Closing
Jul 19 11:42:54 192.168.102.2 ZYXEL: ppp:CCP Closing 

26.5 Diagnostic

The diagnostic facility allows you to test the different aspects of your Prestige to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evaluate your system, as shown in the following figure.

Follow the procedure next to get to Diagnostic:

Step 1. From the main menu, type 24 to open Menu 24 – System Maintenance.

Step 2. From this menu, type 4. Diagnostic to open Menu 24.4 – System Maintenance – Diagnostic.

Menu 24.4 - System Maintenance - Diagnostic
xDSL System
1. Reset xDSL 21. Reboot System
22. Command Mode
TCP/IP
12. Ping Host
Enter Menu Selection Number:
Host IP Address= N/A 

Figure 26-9 Menu 24.4 System Maintenance : Diagnostic

The following table describes the diagnostic tests available in menu 24.4 for and the connections.

Table 26-4 Menu 24.4 System Maintenance Menu : Diagnostic

Chapter 27

Firmware and Configuration File Maintenance

This chapter tells you how to backup and restore your configuration file as well as upload new firmware and configuration files.

27.1 Filename Conventions

The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a “rom” filename extension. Once you have customized the Prestige's settings, they can be saved back to your computer under a filename of your choosing.

ZyNOS (ZyXEL Network Operating System sometimes referred to as the “ras” file) is the system firmware and has a “bin” filename extension. With many FTP and TFTP clients, the filenames are similar to those seen next.

Only use firmware for your Prestige's specific model. Refer to the label on the bottom of your Prestige.

ftp> put firmware.bin ras

This is a sample FTP session showing the transfer of the computer file " firmware.bin" to the Prestige.

ftp> get rom-0 config.cfg

This is a sample FTP session saving the current configuration to the computer file “config.cfg”.

If your (T)FTP client does not allow you to have a destination filename different than the source, you will need to rename them as the Prestige only recognizes “rom-0” and “ras”. Be sure you keep unaltered copies of both files for later use.

The following table is a summary. Please note that the internal filename refers to the filename on the Prestige and the external filename refers to the filename not on the Prestige, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 – System Maintenance – Information to confirm that you have uploaded the correct firmware version. The AT command is the command you enter after you press “y” when prompted in the SMT menu to go into debug mode.

Table 27-1 Filename Conventions

27.2 Backup Configuration

The Prestige displays different messages explaining different ways to backup, restore and upload files in menus 24.5, 24.6, 24.7.1 and 24.7.2; depending on whether you use the console port or Telnet.

Option 5 from Menu 24 – System Maintenance allows you to backup the current Prestige configuration to your computer. Backup is highly recommended once your Prestige is functioning properly. FTP is the preferred methods for backing up your current configuration to your computer since they are faster. You can also perform backup and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use Xmodem protocol to perform the download/upload and you don’t have to rename the files.

Please note that terms “download” and “upload” are relative to the computer. Download means to transfer from the Prestige to the computer, while upload means from your computer to the Prestige.

27.2.1 Backup Configuration

Follow the instructions as shown in the next screen.

Figure 27-1 Telnet in Menu 24.5

27.2.2 Using the FTP Command from the Command Line

Step 1. Launch the FTP client on your computer.

Step 2. Enter “open”, followed by a space and the IP address of your Prestige.

Step 3. Press [ENTER] when prompted for a username.

Step 4. Enter your password as requested (the default is “1234”).

Step 5. Enter “bin” to set transfer mode to binary.

Step 6. Use “get” to transfer files from the Prestige to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the Prestige to your computer and renames it “config.rom”. See earlier in this chapter for more information on filename conventions.

Step 7. Enter “quit” to exit the ftp prompt.

27.2.3 Example of FTP Commands from the Command Line

331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 zyxel.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ftp> quit 

Figure 27-2 FTP Session Example

27.2.4 GUI-based FTP Clients

The following table describes some of the commands that you may see in GUI-based FTP clients.

Table 27-2 General Commands for GUI-based FTP Clients

27.2.5 TFTP and FTP over WAN Will Not Work When

TFTP, FTP and Telnet over WAN will not work when:

1. You have disable Telnet service in menu 24.11.

2. You have applied a filter in menu 3.1 (LAN) or in menu 11.5 (WAN) to block Telnet service.

3. The IP address in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the Prestige will disconnect the Telnet session immediately.

4. You have an SMT console session running.

27.2.6 Backup Configuration Using TFTP

The Prestige supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended.

To use TFTP, your computer must have both telnet and TFTP clients. To backup the configuration file, follow the procedure shown next.

Step 1. Use telnet from your computer to connect to the Prestige and log in. Because TFTP does not have any security checks, the Prestige records the IP address of the telnet client and accepts TFTP requests only from this address.
Step 2. Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance.
Step 3. Enter command “sys stdio 0” to disable the SMT timeout, so the TFTP transfer will not be interrupted. Enter command “sys stdio 5” to restore the five-minute SMT timeout (default) when the file transfer is complete.
Step 4. Launch the TFTP client on your computer and connect to the Prestige. Set the transfer mode to binary before starting data transfer.
Step 5. Use the TFTP client (see the example below) to transfer files between the Prestige and the computer. The file name for the configuration file is “rom-0” (rom-zero, not capital o).

Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program. For UNIX, use “get” to transfer from the Prestige to the computer and “binary” to set binary transfer mode.

27.2.7 TFTP Command Example

The following is an example TFTP command:

tftp [-i] host get rom-0 config.rom

where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the Prestige IP address, “get” transfers the file source on the Prestige (rom-0, name of the configuration file on the Prestige) to the file destination on the computer and renames it config.rom.

27.2.8 GUI-based TFTP Clients

The following table describes some of the fields that you may see in GUI-based TFTP clients.

Table 27-3 General Commands for GUI-based TFTP Clients

Refer to section 27.2.5 to read about configurations that disallow TFTP and FTP over WAN.

27.2.9 Backup Via Console Port (only for the Prestige 650H/HW)

Back up configuration via console port by following the HyperTerminal procedure shown next. Procedures using other serial communications programs should be similar.

Step 1. Display menu 24.5 and enter "y" at the following screen.

Ready to backup Configuration via Xmodem. Do you want to continue (y/n): 

Figure 27-3 Menu 24.5 System Maintenance - Backup Configuration

Step 2. The following screen indicates that the Xmodem download has started.

You can enter ctrl-x to terminate operation any time. Starting XMODEM download... 

Figure 27-4 Menu 24.5 System Maintenance – Starting Xmodem Download Screen

Step 3. Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen.

Figure 27-5 Backup Configuration Example

Step 4. After a successful backup you will see the following screen. Press any key to return to the SMT menu.

** Backup Configuration completed. OK.
<h3 id="hit-any-key-to-continue">Hit any key to continue.###</h3>

Figure 27-6 Successful Backup Confirmation Screen

27.3 Restore Configuration

This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous back up configuration; please do not attempt to restore unless you have a backup configuration file stored on disk.

FTP is the preferred method for restoring your current computer configuration to your Prestige since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete.

WARNING! DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR PRESTIGE.

27.3.1 Restore Using FTP

For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this chapter.

Menu 24.6 - Restore Configuration

To transfer the firmware and the configuration file, follow the procedure below:

1. Launch the FTP client on your computer.
2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
3. Type "put backupfilename rom-0" where backupfilename is the name of your backup configuration file on your computer and rom-0 is the remote file name on the system. This restores the configuration to your system.
4. The system reboots automatically after a successful file transfer.

For details on FTP commands, please consult the documentation of your FTP client program. For details on restoring using TFTP (note that you must remain on this menu to restore using TFTP), please see your user manual.

Press ENTER to Exit:

Figure 27-7 Telnet into Menu 24.6

Step 1. Launch the FTP client on your computer.

Step 2. Enter “open”, followed by a space and the IP address of your Prestige.

Step 3. Press [ENTER] when prompted for a username.

Step 4. Enter your password as requested (the default is “1234”).

Step 5. Enter "bin" to set transfer mode to binary.

Step 6. Find the “rom” file (on your computer) that you want to restore to your Prestige.

Step 7. Use “put” to transfer files from the Prestige to the computer, for example, “put config.rom rom-0” transfers the configuration file “config.rom” on your computer to the Prestige. See earlier in this chapter for more information on filename conventions.

Step 8. Enter “quit” to exit the ftp prompt. The Prestige will automatically restart after a successful restore process.

27.3.2 Restore Using FTP Session Example

ftp> put config.rom rom-0
200 Port command okay
150 Opening data connection for STOR rom-0
226 File received OK
221 Goodbye for writing flash
ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
ftp>quit 

Figure 27-8 Restore Using FTP Session Example

Refer to section 27.2.5 to read about configurations that disallow TFTP and FTP over WAN.

27.3.3 Restore Via Console Port (only for the Prestige 650H/HW)

Restore configuration via console port by following the HyperTerminal procedure shown next. Procedures using other serial communications programs should be similar.

Step 1. Display menu 24.6 and enter “y” at the following screen.

Ready to restore Configuration via Xmodem. Do you want to continue (y/n): 

Figure 27-9 System Maintenance – Restore Configuration

Step 2. The following screen indicates that the Xmodem download has started.

Starting XMODEM download (CRC mode) ...
CCCCCC 

Figure 27-10 System Maintenance – Starting Xmodem Download Screen

Step 3. Run the HyperTerminal program by clicking Transfer, then Send File as shown in the following screen.

Figure 27-11 Restore Configuration Example

Step 4. After a successful restoration you will see the following screen. Press any key to restart the Prestige and return to the SMT menu.

Save to ROM
Hit any key to start system reboot. 

Figure 27-12 Successful Restoration Confirmation Screen

27.4 Uploading Firmware and Configuration Files

This section shows you how to upload firmware and configuration files. You can upload configuration files by following the procedure in the previous Restore Configuration section or by following the instructions in Menu 24.7.2 – System Maintenance – Upload System Configuration File (for console port).