A good user manual
The rules should oblige the seller to give the purchaser the operating instructions for the Allied Telesis AR440S along with the item. A lack of instructions, or false information given to the customer, constitutes grounds for a complaint of nonconformity of the goods with the contract. In accordance with the law, a customer can receive instructions in non-paper form; lately, graphic and electronic manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instructions are unmistakable and legible.
What is an instruction?
The term originates from the Latin word "instructio", which means organizing. Therefore, in the instructions for the Allied Telesis AR440S one can find a process description. The purpose of an instruction is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.
Unfortunately, only a few customers devote time to reading the instructions for the Allied Telesis AR440S. A good user manual introduces us to a number of additional functions of the purchased item, and also helps us avoid most defects.
What should a perfect user manual contain?
First and foremost, a user manual for the Allied Telesis AR440S should contain:
- information concerning the technical data of the Allied Telesis AR440S
- the name of the manufacturer and the year of construction of the Allied Telesis AR440S item
- rules of operation, control and maintenance of the Allied Telesis AR440S item
- safety signs and mark certificates which confirm compatibility with appropriate standards
Why don't we read the manuals?
Usually it results from a lack of time and from certainty about the functions of purchased items. Unfortunately, networking and start-up of the Allied Telesis AR440S alone are not enough. The instructions contain a number of hints concerning the respective functions, safety rules, maintenance methods (what means should be used), possible defects of the Allied Telesis AR440S, and methods of problem resolution. Finally, if one still cannot find the answer to a problem, one is directed to the Allied Telesis service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer becomes familiar with the whole material and does not skip the complicated, technical information about the Allied Telesis AR440S.
Why should one read the manuals?
It is mostly in the manuals that we find the details concerning the construction and capabilities of the Allied Telesis AR440S item and its use with the respective accessories, as well as information concerning all the functions and facilities.
After a successful purchase, one should take a moment to get to know every part of the instructions. Currently, manuals are carefully prepared and translated so that they can be fully understood by their users. The manuals serve as an informational aid.
Table of contents for the manual
-
Page 1
C613-16049-00 REV E www.alliedtelesis.com AlliedWare™ OS How To | Introduction In this How To Note’s example, a headquarters office has VPNs to two branch offices and a number of roaming VPN clients. The example illustrates the following possible components that you could use in a corporate network: • VPNs between a headquarters o[...]
-
Page 2
Page 2 | AlliedWare™ OS How To Note: VPNs for Corporate Networks How to make voice traffic high priority ... 30 How to prioritise outgoing VoIP traffic from the headquarters router ... 31 How to prioritise outgoing VoIP t[...]
-
Page 3
Page 3 | AlliedWare™ OS How To Note: VPNs for Corporate Networks About IPsec modes: tunnel and transport This solution uses two types of VPN: • IPsec tunnel mode, for the headquarters office to branch office VPNs. These are site-to-site (router-to-router) VPNs. • IPsec transport mode with L2TP, for the roaming Windows VPN clients. Th[...]
-
Page 4
Page 4 | AlliedWare™ OS How To Note: VPNs for Corporate Networks Background: NAT-T and policies NAT-T NAT Traversal (NAT-T) can be enabled on any of our IPsec VPN links. It automatically allows IPsec VPNs to traverse any NAT gateways that may be in the VPN path. This is likely to occur with the VPNs from the roaming VPN c[...]
-
Page 5
Page 5 | AlliedWare™ OS How To Note: VPNs for Corporate Networks Policies and interfaces It is useful to keep in mind that you apply firewall rules and IPsec policies to interfaces in the following different ways: • Firewall rules can be applied on either private or public interfaces. The rules are matched against traffic that [...]
-
Page 6
Page 6 | AlliedWare™ OS How To Note: VPNs for Corporate Networks How to configure VPNs in typical corporate networks This section describes a typical corporate network using secure VPN. The network consists of a headquarters (HQ) router and two branch office routers. The headquarters router is acting as a VPN Access Concentrator, and a[...]
-
Page 7
Page 7 | AlliedWare™ OS How To Note: VPNs for Corporate Networks 2. The branch office 1 router, which provides: • an ADSL PPPoA Internet connection. Note that the PPPoA connection requires an ATM DSLAM • VPN access to headquarters using IPsec tunnel mode • incoming VPN client access from roaming users • a fixed Internet address so [...]
-
Page 8
Headquarters Page 8 | AlliedWare™ OS How To Note: VPNs for Corporate Networks How to configure the headquarters VPN access concentrator Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration. set inst=pref rel=<rel-file> pat=<p[...]
-
Page 9
Headquarters Page 9 | AlliedWare™ OS How To Note: VPNs for Corporate Networks Give a fixed public address to the interface eth0, which is the Internet connection interface. You can replace eth0 with ppp0 if you use a leased line. enable ip add ip int=eth0 ip=200.200.200.1 Give a fixed private address to the interface vlan1, which conn[...]
-
Page 10
Headquarters Page 10 | AlliedWare™ OS How To Note: VPNs for Corporate Networks remote security officers (RSOs). RSO definitions specify trusted remote addresses for security officer users. add user rso ip=<ipadd>[-<ipadd>] enable user rso enable telnet server If desired, set the router to send log messages to a syslog s[...]
-
Page 11
Headquarters Page 11 | AlliedWare™ OS How To Note: VPNs for Corporate Networks Check that you have a 3DES feature licence for the ISAKMP policies. show feature You can purchase feature licences from your Allied Telesis distributor. If necessary, install the licence, using the password provided by your distributor. enable featur[...]
-
Page 12
Headquarters Page 12 | AlliedWare™ OS How To Note: VPNs for Corporate Networks Create IPsec policies to bypass IPsec for ISAKMP messages and the “port floated” key exchange that NAT-T uses. create ipsec pol=isakmp int=eth0 ac=permit lp=500 rp=500 create ipsec pol=isakmp_float int=eth0 ac=permit lp=4500 Create an IPsec policy for th[...]
-
Page 13
Headquarters Page 13 | AlliedWare™ OS How To Note: VPNs for Corporate Networks • the branch office policies use a different encryption transform—3des2key—than the roaming policy. When a new incoming ISAKMP message starts, this lets the router identify whether to match it to the roaming policy or one of the branch office policies.[...]
-
Page 14
Headquarters Page 14 | AlliedWare™ OS How To Note: VPNs for Corporate Networks can trust traffic arriving on the dynamic interfaces because—in this example configuration—it can only come from an authenticated and encrypted VPN connection. create firewall policy=hq dynamic=roaming add firewall policy=hq dynamic=roaming user=any ad[...]
-
Page 15
Headquarters Page 15 | AlliedWare™ OS How To Note: VPNs for Corporate Networks The rule for the private interface uses both source and destination addresses to identify outgoing VPN traffic. add firewall policy=hq ru=5 ac=non int=vlan1 prot=all ip=192.168.140.1-192.168.140.254 rem=192.168.141.0-192.168.144.254 If you configured SSH (r[...]
-
Page 16
Page 16 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 How to configure the AR440S router at branch office 1 Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration. set inst=pref rel=<rel-file> pat=<p[...]
-
Page 17
Page 17 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 Create your Asymmetric Digital Subscriber Line (ADSL) connection. Asynchronous Transfer Mode (ATM) is always used over ADSL. enable adsl=0 create atm=0 over=adsl0 add atm=0 channel=1 Create your PPPoA link, and define the username and password need[...]
-
Page 18
Page 18 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 If you need remote management access, we strongly recommend that you use Secure Shell (SSH). You should not telnet to a secure gateway. To configure SSH, define appropriate RSA encryption keys, then enable the SSH server. create enco key=2 type=rsa[...]
-
Page 19
Page 19 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 You need to configure dynamic PPP over L2TP to accept incoming Windows VPN client connections. Create an IP pool to allocate unique internal payload addresses to incoming VPN clients. create ip pool=roaming ip=192.168.144.1-192.168.144.50 Define a PPP t[...]
-
Page 20
Page 20 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 • (for site-to-site VPNs) 3DESOUTER as the encryption algorithm for ESP • (for site-to-site VPNs) SHA as the hashing algorithm for ESP authentication • (for roaming client VPNs) four possible variants of VPN encryption, for added flexibility. We propose t[...]
-
Page 21
Page 21 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 Create your ISAKMP pre-shared key. This key is used when initiating your VPN during phase one ISAKMP exchanges with your VPN peers. Share the value of this pre-shared key with all VPN peers that use it—in this example, the roaming VPN clients and [...]
-
Page 22
Page 22 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 can trust traffic arriving on the dynamic interfaces because—in this example configuration—it can only come from an authenticated and encrypted VPN connection. create firewall policy=branch1 dynamic=roaming add firewall policy=branch1 dynamic=roamin[...]
-
Page 23
Page 23 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 The rule for the private interface uses both source and destination addresses to identify outgoing VPN traffic. add firewall policy=branch1 ru=5 ac=non int=vlan1 prot=all ip=192.168.141.1-192.168.141.254 rem=192.168.140.0-192.168.142.254 If you configured[...]
-
Page 24
Page 24 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 2 How to configure the AR440S router at branch office 2 Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration. set inst=pref rel=<rel-file> pat=<p[...]
-
Page 25
Page 25 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 2 Create your Asymmetric Digital Subscriber Line (ADSL) connection. Asynchronous Transfer Mode (ATM) is always used over ADSL. enable adsl=0 create atm=0 over=adsl0 add atm=0 channel=1 Branch 2 uses PPPoEoA (PPP over virtual ethernet over ATM). Create [...]
-
Page 26
Page 26 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 2 If desired, set up the router as a DHCP server for the branch office 2 LAN. create dhcp policy=branch2 lease=7200 add dhcp policy=branch2 rou=192.168.142.254 add dhcp policy=branch2 subn=255.255.255.0 create dhcp range=branch2_hosts poli=branch2 ip=192.16[...]
-
Page 27
Page 27 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 2 Check that you have a 3DES feature licence for the ISAKMP policy. show feature You can purchase feature licences from your Allied Telesis distributor. If necessary, install the licence, using the password provided by your distributor. enable featu[...]
-
Page 28
Page 28 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 2 Create another IPsec policy for direct Internet traffic from the headquarters LAN to the Internet, such as web browsing. create ipsec pol=internet int=ppp0 ac=permit Note: The order of the IPsec policies is important. The Internet permit policy m[...]
-
Page 29
Page 29 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 2 Branch office 2 does not need rule 3 that the other sites have, because branch office 2 has no roaming VPN client connections. Create a pair of rules to allow office-to-office payload traffic to pass through the firewall without applying NAT. This tr[...]
-
Page 30
Page 30 | AlliedWare™ OS How To Note: VPNs for Corporate Networks How to make voice traffic high priority This is an optional enhancement to the configuration of the routers. It prioritises outgoing voice traffic higher than other outgoing traffic on each VPN, to maximise call quality. Use the configuration in this section if you expe[...]
-
Page 31
Headquarters Page 31 | AlliedWare™ OS How To Note: VPNs for Corporate Networks How to prioritise outgoing VoIP traffic from the headquarters router Add the following steps after step 9 on page 14. First, classify the VoIP traffic. In many deployments of VoIP, the originating VoIP appliance marks VoIP packets with a DSCP val[...]
-
Page 32
Headquarters Page 32 | AlliedWare™ OS How To Note: VPNs for Corporate Networks Apply the policy to the VPN between headquarters and branch office 1. set sqos interface=ipsec-branch1 tunnelpolicy=1 Apply the policy to the VPN between headquarters and branch office 2. set sqos interface=ipsec-branch2 tunnelpolicy=1 This example creates f[...]
-
Page 33
Page 33 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 How to prioritise outgoing VoIP traffic from the branch office 1 router Add the following steps after step 11 on page 22. In this example, the originating VoIP appliance has marked VoIP traffic and VoIP signalling packets with DSCP 48. create [...]
-
Page 34
Page 34 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 This example creates four triggers, which allows for up to four simultaneous roaming client VPNs. You can scale this to the correct number for your network. Create the following scripts as text files on the router. Create triggers to run the appropriat[...]
-
Page 35
Page 35 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 2 How to prioritise outgoing VoIP traffic from the branch office 2 router Add the following steps after step 11 on page 22. In this example, the originating VoIP appliance has marked VoIP traffic and VoIP control packets with DSCP 48. create classi[...]
-
Page 36
Page 36 | AlliedWare™ OS How To Note: VPNs for Corporate Networks How to test your VPN solution If the following tests show that your tunnel is not working, see the How To Note How To Troubleshoot A Virtual Private Network (VPN). Check the LANs are reachable The simplest way to test a tunnel is to ping from one LAN to the o[...]
-
Page 37
Page 37 | AlliedWare™ OS How To Note: VPNs for Corporate Networks Configuration scripts for headquarters and branch offices This section provides script-only versions of the three configurations described earlier in this document. Scripts can provide a quicker way to configure your routers, through pre-editing and downloading using TFT[...]
-
Page 38
Headquarters Page 38 | AlliedWare™ OS How To Note: VPNs for Corporate Networks Headquarters VPN access concentrator's configuration # System configuration set system name=HQ # User configuration set user securedelay=600 # Add your approved roaming VPN client usernames. add user=roaming1 pass=roaming1 lo=no telnet=no add user=roaming2[...]
-
Page 39
Headquarters Page 39 | AlliedWare™ OS How To Note: VPNs for Corporate Networks # DHCP configuration # If desired, use the router as a DHCP server. create dhcp poli=hq lease=7200 add dhcp poli=hq rou=192.168.140.254 add dhcp poli=hq subn=255.255.255.0 create dhcp range=hq_hosts poli=hq ip=192.168.140.16 num=32 ena dhcp # SSH configuration # [...]
-
Page 40
Headquarters Page 40 | AlliedWare™ OS How To Note: VPNs for Corporate Networks # Create a group of SA specifications for the roaming VPN clients. # These SA specifications use IPsec transport mode. create ipsec sas=2 key=isakmp prot=esp enc=3desouter hasha=sha mod=transport create ipsec sas=3 key=isakmp prot=esp enc=3desouter hasha=md5 mod=[...]
-
Page 41
Headquarters Page 41 | AlliedWare™ OS How To Note: VPNs for Corporate Networks # FIREWALL configuration enable firewall create firewall policy=hq enable firewall policy=hq icmp_f=all # Define a firewall dynamic definition to work with dynamic # interfaces. This provides for the dynamic PPP/L2TP interfaces that # incoming Windows VPN connect[...]
-
Page 42
Headquarters Page 42 | AlliedWare™ OS How To Note: VPNs for Corporate Networks # If you configured SSH, create a rule for SSH traffic. add firewall policy=hq ru=6 ac=allo int=eth0 prot=tcp po=22 ip=200.200.200.1 gblip=200.200.200.1 gblp=22 # If you use telnet instead (not recommended), create a rule for it. # add firewall policy=hq ru=7 ac=[...]
-
Page 43
Page 43 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 Branch office 1 AR440S configuration—the PPPoA site with VPN client access and a fixed IP address # SYSTEM configuration set system name=Branch1 # USER configuration set user securedelay=600 # Add your approved roaming VPN client usernames. add user=roamin[...]
-
Page 44
Page 44 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 # allows incoming roaming VPN client connections. The clients can # only target a known, unchanging address. create ppp=0 over=atm0.1 echo=10 lqr=off bap=off idle=off set ppp=0 username="branch office 1" password=branch1 iprequest=off # Note that this[...]
-
Page 45
Page 45 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 # Log configuration # If desired, forward router log entries to a UNIX-style syslog # server. create log output=2 destination=syslog server=<your-local-syslog-server-address> syslogformat=extended add log out=2 filter=1 sev=>3 # IPSEC configuration #[...]
-
Page 46
Page 46 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 # ISAKMP Configuration create isakmp pol=hq pe=200.200.200.1 key=1 sendd=true heart=both set isa pol=hq localid=branch1 encalg=3des2key create isakmp pol=roaming pe=any key=1 set isa pol=roaming sendd=true sendi=true natt=true localid=branch1 enable isakmp # FI[...]
-
Page 47
Page 47 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 1 # Create a pair of rules to allow office-to-office payload traffic to # pass through the firewall without applying NAT. # The rule for the public interface uses encapsulation=ipsec to # identify incoming VPN traffic. add firewall poli=branch1 ru=4 ac=non int=pp[...]
-
Page 48
Page 48 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 2 Branch office 2 AR440S configuration—the PPPoEoA site with a dynamically assigned IP address # SYSTEM configuration set system name=Branch2 # USER configuration set user securedelay=600 # Define a security officer. add user=secoff pass=<your secoff passw[...]
-
Page 49
Page 49 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 2 # DHCP configuration # If desired, use the router as a DHCP server. create dhcp poli=branch2 lease=7200 add dhcp poli=branch2 rou=192.168.142.254 add dhcp poli=branch2 subn=255.255.255.0 create dhcp range=branch2_hosts poli=branch2 ip=192.168.142.16 num=32 ena [...]
-
Page 50
Page 50 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 2 # Create an IPsec policy for branch 2 to headquarters VPN traffic. create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=hq set ipsec pol=hq lad=192.168.142.0 lma=255.255.255.0 rad=192.168.0.0 rma=255.255.0.0 # Create another IPsec poli[...]
-
Page 51
Page 51 | AlliedWare™ OS How To Note: VPNs for Corporate Networks branch office 2 # If you use telnet instead (not recommended), create a rule for it. # add firewall policy=branch2 ru=7 ac=allo int=ppp0 prot=tcp po=23 # ip=192.168.142.254 gblip=0.0.0.0 gblp=23 # INT configuration - if prioritising VoIP set int=ppp0 mtu=256 set int=ppp0 frag=[...]
-
Page 52
Page 52 | AlliedWare™ OS How To Note: VPNs for Corporate Networks Extra configuration scripts for lab testing the VPN solution This section provides additional configuration that you may need if you want to lab test the VPN solution. It has scripts for: • setting up a PPPoE access concentrator for branch office 2 to connect to. In a[...]
-
Page 53
USA Headquarters | 19800 North Creek Parkway | Suite 200 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895 European Headquarters | Via Motta 24 | 6830 Chiasso | Switzerland | T: +41 91 69769.00 | F: +41 91 69769.11 Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | [...]