This section is divided into:
For general information on interfaces, see Network > Interfaces.
Static means that you assign a fixed IP address to the interface.
Step 1: Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
• You can configure X0 through X8, depending on the number of interfaces on your appliance.
Step 3: Select Static from the IP Assignment menu.
To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See “Allowing WAN Primary IP Access from the LAN Zone” for more information.
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab.
The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the ADTRAN. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.
Check Enable Multicast Support to allow multicast reception on this interface.
Transparent Mode enables the firewall to bridge the WAN subnet onto an internal interface. To configure an interface for transparent mode, complete the following steps:
Step 1: Click on the Configure icon in the Configure column for the Unassigned Interface you want to configure. The Edit Interface window is displayed.
Step 3: Select Transparent Mode from the IP Assignment menu.
Step 4: From the Transparent Range menu, select an address object that contains the range of IP addresses you want to have access through this interface. The address range must be within the WAN zone and must not include the WAN interface IP address. If you do not have an address object configured that meets your needs:
    a. In the Transparent Range menu, select Create New Address Object.
    b. In the Add Address Object window, enter a name for the address range.
    c. For Zone Assignment, select WAN.
    d. Click OK to create the address object and return to the Edit Interface window.
See “Network > Address Objects” for more information.
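
The two constraints on the Transparent Range address object can be checked before the object is created. The following is an added example, not part of the original documentation or ADTRAN's own code; it assumes "within the WAN zone" means inside the WAN interface's subnet, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress


def parse_object(spec):
    """Return (first, last) address of 'a.b.c.d', 'a.b.c.d-a.b.c.e' or CIDR."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    elif "/" in spec:
        net = ipaddress.ip_network(spec, strict=True)  # reject host bits set
        lo, hi = net[0], net[-1]
    else:
        lo = hi = ipaddress.ip_address(spec)
    if lo.version != hi.version:
        raise ValueError("range mixes IPv4 and IPv6 addresses")
    if lo > hi:
        raise ValueError(f"range start {lo} is above range end {hi}")
    return lo, hi


def check_transparent_range(spec, wan_cidr):
    """Return a list of rule violations; an empty list means the range is usable.

    wan_cidr is the WAN interface address with prefix, e.g. '192.0.2.1/24'.
    Assumption: "within the WAN zone" is tested as "inside the WAN subnet".
    """
    wan = ipaddress.ip_interface(wan_cidr)
    lo, hi = parse_object(spec)
    if lo.version != wan.version:
        return ["range and WAN interface use different IP versions"]
    problems = []
    # Rule 1: both ends inside the WAN subnet, so every address between is too.
    if lo not in wan.network or hi not in wan.network:
        problems.append(f"range is not fully inside WAN subnet {wan.network}")
    # Rule 2: the range must not include the WAN interface's own address.
    if lo <= wan.ip <= hi:
        problems.append(f"range includes the WAN interface IP {wan.ip}")
    return problems


if __name__ == "__main__":
    WAN = "192.0.2.1/24"  # constructed sample (RFC 5737 documentation range)
    for candidate in ("192.0.2.10-192.0.2.20", "192.0.2.1-192.0.2.20",
                      "192.0.2.0/28", "192.0.2.200-192.0.3.5", "198.51.100.7"):
        print(candidate, "->", check_transparent_range(candidate, WAN) or "OK")
```
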
To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See “Allowing WAN Primary IP Access from the LAN Zone” for more information.
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the ADTRAN. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.
Check Enable Multicast Support to allow multicast reception on this interface.
A Wireless interface is an interface that has been assigned to a Wireless zone.
Step 1: Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
Step 2: In the Zone list, select WLAN or a custom Wireless zone.
Step 4: Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See “Allowing WAN Primary IP Access from the LAN Zone” for more information.
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab.
The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the ADTRAN. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.
Check Enable Multicast Support to allow multicast reception on this interface.
On NetVanta 2830 and 2840 appliances, select the Enable 802.1p tagging checkbox to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see “Firewall Settings > QoS Mapping”.
Configuring the WAN interface enables Internet connectivity. You can configure up to two WAN interfaces on the firewall.
Step 1: Click on the Edit icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
• Static - configures the ADTRAN for a network that uses static IP addresses.
• DHCP - configures the ADTRAN to request IP settings from a DHCP server on the Internet. NAT with DHCP Client is a typical network addressing mode for cable and DSL customers.
• PPPoE - uses Point to Point Protocol over Ethernet (PPPoE) to connect to the Internet. If desktop software and a username and password are required by your ISP, select NAT with PPPoE. This protocol is typically found when using a DSL modem.
• PPTP - uses PPTP (Point to Point Tunneling Protocol) to connect to a remote server. It supports older Microsoft Windows implementations requiring tunneling connectivity.
• L2TP - uses IPsec to connect to an L2TP (Layer 2 Tunneling Protocol) server and encrypts all data transmitted from the client to the server. However, it does not encrypt network traffic to other destinations.
Step 4: If you want to enable remote management of the firewall from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS.
To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See “Allowing WAN Primary IP Access from the LAN Zone” for more information.
Step 6: Check Add rule to enable redirect from HTTP to HTTPS, if you want an HTTP connection automatically redirected to a secure HTTPS connection to the firewall management interface.
The Advanced tab includes settings for forcing an Ethernet speed and duplex, overriding the Default MAC address, setting up bandwidth management, and creating a default NAT policy automatically.
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the ADTRAN. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.
Check Enable Multicast Support to allow multicast reception on this interface.
On NetVanta 2830 and 2840 appliances, check Enable 802.1p tagging to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see “Firewall Settings > QoS Mapping”.
You can also specify any of these additional Ethernet Settings:
• Interface MTU - Specifies the largest packet size that the interface can forward without fragmenting the packet.
SonicOS Enhanced can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the interfaces in the WAN zone. Outbound bandwidth management is done using Class Based Queuing. Inbound bandwidth management is done by implementing an ACK delay algorithm that uses TCP’s intrinsic behavior to control the traffic.
Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the firewall. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth.
Use the Bandwidth Management section of the Edit Interface screen to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds in kilobits per second.
Configuring the Expansion Pack Module Interface (NetVanta 2840)
The NetVanta 2840 security appliances support the following optional Expansion Pack modules:
These interfaces are listed in the Interface Settings table as the Mx interfaces.
Log into the ADTRAN management interface. You can now begin configuring the desired expansion module. The following sections describe how to configure the
ADSL is an acronym for Asymmetric Digital Subscriber Line (or Loop). The line is asymmetric because, when connected to the ISP, the upstream and downstream speeds of transmission are different. The DSL technology allows non-voice services (data) to be provided on regular single copper wire-pair POTS connections (such as your home phone line). It allows voice calls and data to pass through simultaneously by using higher band frequencies for data transmission.
The ADTRAN ADSL module cards support only one subscriber ADSL line (one port). Two types of ADSL module cards are supported:
• 1 Port ADSL (RJ-11) Annex A – ADSL over plain old telephone service (POTS) with a downstream rate of 12.0 Mbit/s and an upstream rate of 1.3 Mbit/s.
• 1 Port ADSL (RJ-45) Annex B – ADSL over an Integrated Services Digital Network (ISDN) with a downstream rate of 12.0 Mbit/s and an upstream rate of 1.8 Mbit/s.
The following ADSL standards are supported
The ADSL module card uses 2 LEDs to indicate connectivity status. The upper green LED is the ADSL link. Its status is as follows:
The lower green LED shows the system and ADSL module activity.
The ADSL module card is detected on boot, and assigned an interface name of M0 or M1. The interface name is assigned to it based on the expansion slot hosting the module card. You will see the assigned entry when you log into the Network Interfaces page.
The ADSL interface is never unassigned. When plugged in, it is always present in the WAN zone, and the zone assignment cannot be modified by the administrator.
Click on the Configure icon to the right of the interface entry. You will see a menu with three tabs: General, Advanced, and DSL Settings. The DSL Settings tab allows you to configure ISP-specific settings for the ADSL connection.
It displays the configurable DSL fields:
Virtual Path Identifier (VPI)
Virtual Channel Identifier (VCI)
Multiplexing Method (LLC or VC)
The values for these parameters should match the settings on the ISP DSLAM, and are provided by the ISP. These values vary from one ISP to another, and from country to country. The SNWL default uses the most common values in the USA. The VPI and VCI settings are used to create the Permanent Virtual Circuit (PVC) from the NetVanta 2840 to the ISP DSLAM.
When finished configuring these ISP settings, click OK.
The Ethernet-specific settings on the Advanced tab, even if set, do not apply to the ADSL module. The Link Speed field in the Advanced tab has a fixed "N/A" selection, since it does not apply to ADSL. The ADSL link speed can't be customized but is predetermined by the DSL Provider.
The standard WAN Ethernet settings are not affected by the presence of the ADSL module.
When the ADSL module is first plugged in, it should be added to the WAN Load Balancing default group so that the ADSL module can be used to handle default route traffic. Go to the Failover and LB screen and click the Configure icon to edit the settings.
On the General menu, add the ADSL interface to the Load Balancing group. If the default primary WAN, X1, is unused or unconfigured, it can be removed for a cleaner interface configuration.
When done, click OK, and the ADSL module will be added to the group.
The 1-port T1/E1 Module provides the connection of a T1 or E1 (digitally multiplexed telecommunications carrier system) circuit to an ADTRAN appliance using an RJ-45 jack.
The ADTRAN T1/E1 module fully supports Point-to-Point Protocol (PPP) and Cisco HDLC encapsulation, and can connect to Cisco routers and HP ProCurve devices.
To configure the T1/E1 Module, perform the following tasks:
Step 1: Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface window is displayed.
The General tab allows you to set up the type of encapsulation: PPP or HDLC, as well as the management interface type and level of user security login. The Zone setting is disabled.
If you want to enable remote management of the firewall from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS. You can also set the level of security (HTTP or HTTPS) at this time.
You will see two radio buttons, one for T1 and one for E1. Only one button should be selected at a time. Different Line Coding, Framing and Encapsulation configuration choices are offered, depending on the button.
If desired, you can specify the Data DS0 range.
For T1, the range is 1 to 24 (default)
For E1, the range is 1 to 31
Each number can be individually set. For example, “5 to 15”, “1 to 1”, “1 to 20” are valid settings.
CRC is configured with an enable/disable check-box. When T1 is selected, the check-box is labeled CRC6; when E1 is selected, the check-box is labeled CRC4.
You can also choose to enable multicast.
The T1/E1 module interface will be added to the pool of available WAN interfaces.
This module allows you to perform a physical bypass of the firewall when the interface is bridged to another interface with LAN bypass capability. This allows network traffic to continue flowing if an unrecoverable firewall error occurs.
Step 1: Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface window is displayed. The Bypass option is only displayed if an interface capable of performing the bridge is present.
Step 2: The window shows the LAN interface, and has a checkbox “Engage Physical ByPass on Malfunction” to enable the physical bypass feature. This is only displayed when the interface is bridged to another interface capable of performing the LAN bypass. Enabling this checkbox means that the packets between the bridged pairs will not fail, even if the firmware or appliance fails.
If the checkbox is not enabled, the ports will behave like normal Ethernet ports.
Click OK to configure the interface.
Step 1: Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface window is displayed.
Select one of the following LAN Network Addressing Modes from the IP Assignment menu.
• Static - configures the interface for a network that uses static IP addresses.
• Transparent - configures the interface to use interfaces as the top level of the management hierarchy and span multiple interfaces.
Depending on the option you choose from the IP Assignment menu, complete the corresponding fields that are displayed after selecting the option.
Step 4: If you want to enable remote management of the firewall from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS. You can also use a checkbox to add a rule to redirect from HTTP to HTTPS to enforce security on the interface.
Step 5: Click OK to configure the interface.
The Advanced tab includes settings for forcing an Ethernet speed and duplex, overriding the Default MAC address, enabling multicast support on the interface, and enabling 802.1p tagging. Packets sent out with 802.1p tagging are tagged VLAN id=0 and carry 802.1p priority information. Devices connected to this interface need to support priority frames.
Step 7: Click on the Edit icon in the Configure column for the Interface you want to configure.
For each interface, on the General tab of the Edit Interface window, select LAN from the Zone menu. Fill in the desired IP assignment. The subnet will be assigned for you. Add the desired management options and click Okay. Then configure the Advanced settings.