REVIEW DRAFT - CISCO CONFIDENTIAL - FOR COMPLIANCE PURPOSES ONLY
ADMINISTRATION GUIDE
Cisco Small Business RV 110W Wireless-N VPN Firewall
Contents

Chapter 1: Introduction
Product Overview
Getting to Know the Cisco RV 110W
Front Panel
Back Panel
Mounting the Cisco RV 110W
Installation Guidelines
Wall Mounting
Connecting the Equipment
Using the Setup Wizard
Starting the Wizard
Connecting Your Hardware
Entering Login and Internet Connection Information
Configuring Security
Manually Connecting Your System
Verifying the Hardware Installation
Connecting to Your Wireless Network

Chapter 2: Configuring Networking
Configuring the Wide Area Network (WAN)
Configuring the WAN for an IPv4 Network
Configuring the Internet Connection Type
Configuring Internet Address Information
Configuring Domain Name System (DNS) Server Information
Configuring Maximum Transmit Unit (MTU)
Configuring the Cisco RV 110W Media Access Control (MAC) Address
Configuring the WAN for an IPv6 Network
Configuring a Static IP Address
Configuring DHCPv6

Configuring Port Management
Configuring Dynamic DNS (DDNS)
Configuring IPv6
Configuring the Routing Mode
Configuring IPv6 Static Routing
Configuring RIP next generation (RIPng)
Configuring IPv6 to IPv4 Tunneling
Configuring 6to4 Tunneling
Configuring Intra-Site Automatic Tunnel Addressing Protocol Tunnels
Viewing IPv6 Tunnel Information
Configuring Router Advertisement

Chapter 3: Configuring the Wireless Network
A Note About Wireless Secu

Chapter 4: Configuring the Firewall
Cisco RV 110W Firewall Features
Configuring Basic Firewall Settings
Protecting from Attacks
Configuring Universal Plug and Play (UPnP)
Viewing UPnP Information
Enabling Session Initiation Protocol Application-Level Gateway (SIP ALG)
Configuring the Default Outbound Policy
Configuring Firewall Rules
Creating a Firewall Rule
Managing Firewall Rules
Creating Custom Services
Creating Firewall Schedules
B

Configuring IP Security Policies
Configuring IKE Policies
Configuring VPN Policies
Configuring VPN Clients
Monitoring VPN Tunnel Status
Configuring IPsec Users
Configuring VPN Passthrough
Configuring Security Using Certificates for Authentication
Uploading CA Certificates
Uploading Self Certificates
Generating a Self Certificate Request
Downloading the Router’s Current Certificate
Using the Cisco RV 110W With a RADIUS Server

Using Diagnostic Tools
Using PING
Using Trace Route
Performing a DNS Lookup
Capturing and Tracing Packets
Configuring Logging
Configuring Local Logging
Configuring Remote Logging
Configuring the Logging Type and Notification
Configuring E-Mailing of Log Events
Configuring Discovery (Bonjour)
Configuring VLAN Associations
Configuring Date and Time Settings
Backing Up and Restoring the System
Upgrading Firmware
R
1 Introduction
This chapter provides information to familiarize you with the product features, guide you through the installation process, and get started using the browser-based Device Manager.
Product Overview
The Cisco RV 110W incorporates a Stateful Packet Inspection (SPI)-based firewall with Denial of Service (DoS) prevention and a Virtual Private Network (VPN) engine for secure communication between mobile or remote workers and branch offices. The Cisco RV 110W supports up to ten gateway-to-gateway IP Security (IPsec) tunnels to facilitate branch office connectivity through encrypted virtual links.
Getting to Know the Cisco RV 110W
Front Panel
POWER—The Power LED lights up green to indicate the device is powered on. It flashes green when the power is coming on or software is being upgraded.
WAN LED—The WAN (Internet) LED lights up green when the device is connected to your cable or DSL modem. The LED flashes green when the device is sending or receiving data over the WAN port.
Back Panel
RESET Button—The Reset button has two functions:
• If the Cisco RV 110W is having problems connecting to the Internet, press the RESET button for less than five seconds with a paper clip or a pencil tip. This is similar to pressing the reset button on your PC to reboot it.
• If you are experiencing extreme problems with the Cisco RV 110W and have tried all other troubleshooting measures, press and hold in the RESET button for 10 seconds.
Mounting the Cisco RV 110W
You can place your Cisco RV 110W on a desktop or mount it on a wall.
Installation Guidelines
• Ambient Temperature—To prevent the device from overheating, do not operate it in an area that exceeds an ambient temperature of 104°F (40°C).
• Air Flow—Be sure that there is adequate air flow around the device.
• Mechanical Loading—Be sure that the device is level and stable to avoid any hazardous conditions.
STEP 3 Place the wall-mount slots over the screws and slide the device down until the screws fit snugly into the wall-mount slots.
Connecting the Equipment
Before you begin the installation, make sure that you have the following equipment and services:
Required
• Functional Internet Connection (Broadband DSL or cable modem).
• Ethernet cable for WAN (Internet) connection.
• PC with functional network adapter (Ethernet connection) to run the Setup Wizard or the Device Manager. The Setup Wizard is supported on Microsoft Windows 2000, Windows XP, Windows Vista, and Windows 7.
Using the Setup Wizard
Follow these steps to use the Cisco RV 110W Setup Wizard. The Setup Wizard displays on-screen instructions that guide you through the installation, but you may find it useful to refer to this document during installation.
NOTE You must connect one PC with an Ethernet cable for the purpose of the initial configuration. After you complete the initial configuration, administrative tasks can be performed using a wireless connection.
Connecting Your Hardware
STEP 1 You should have an Ethernet cable connecting your PC to the cable or DSL modem. Unplug one end of the cable from your PC and plug it into the port marked “WAN” on the device. Click Next.
STEP 2 Connect one end of a different Ethernet cable to one of the LAN (Ethernet) ports on the back of the device. (In this example, the LAN 2 port is used.) Connect the other end to an Ethernet port on the PC that is running the Setup Wizard. Click Next.
STEP 3 Power on the cable or DSL modem and wait until the connection is active.
STEP 4 Connect the power adapter to the Cisco RV 110W power port. Click Next.
CAUTION Use only the power adapter that is supplied with the device. Using a different power adapter could damage the device.
STEP 5 Plug the other end of the adapter into an electrical outlet.
STEP 6 On the Cisco RV 110W, push in the ON/OFF POWER SWITCH button. The Setup Wizard searches for the Cisco RV 110W. The POWER LED on the front panel lights up green when the power adapter is connected properly and the device is turned on.
Next:
• If your hardware connection is successful, but the Setup Wizard needs more information about your Internet connection, the Enter Username and Password window appears.
Entering Login and Internet Connection Information
STEP 1 Enter the username and password for your Cisco RV 110W. The default username and password are both admin. Click Next.
STEP 2 Choose your Internet connection type:
• Telephone (DSL)
• Cable broadband
• I don’t know
Click Next.
STEP 3 The Setup Wizard confirms your Internet connection settings.
• PPTP (Europe)—Provide your account name (for example, john@ISPname.net), password, and server IP address. Click Next after entering the information.
• L2TP (Europe)—Provide your account name (for example, john@ISPname.net), password, and server IP address. Click Next after entering the information.
STEP 5 The Setup Wizard configures your connection, verifies the router settings, and checks the network connection. Click Next.
STEP 3 Select the type of security to use:
Best Security (WPA2)
Strong wireless security that uses a password (security key) to protect your network. Recommended for most networks. The devices you connect to your wireless network must support WPA2; see the support information for your device if you have questions.
a. Enter a security key (must be at least 8 and no more than 63 characters) or use the randomly-generated one provided by the Cisco RV 110W.
STEP 4 The security settings for your network are shown. To save these settings in a text file on your PC, check the box provided. To print, click Print these settings. Click Next to confirm these settings. (If you chose to save these settings to your desktop, then click OK.)
NOTE You must enter this security information on each device that connects to your network.
See the “Getting Started in the Cisco RV 110W Device Manager” section on page 18 for more information.
Verifying the Hardware Installation
To verify the hardware installation, complete the following tasks:
• Check the LED states, as described in Getting to Know the Cisco RV 110W, page 3.
• Connect a PC to an available LAN port and verify that you can connect to a website on the Internet, such as www.cisco.com.
STEP 3 Choose the type of encryption and enter the security key that you chose when setting up the Cisco RV 110W. If you did not enable security (not recommended), leave these fields blank.
STEP 4 Verify your wireless connection and save your settings.
STEP 3 In the Username and Password fields, enter the default user name (which is admin) and password (which is also admin), in lowercase letters. Then click Log In.
Using the Getting Started Page
The Getting Started page displays some of the most common configuration tasks. Click these underlined tasks to view the configuration windows.
Navigating through the Pages
Use the navigation tree in the left pane to open the configuration pages. Click a menu item on the left panel to expand it. Click the menu names displayed underneath to perform an action or view a sub-menu.
Saving Your Changes
When you finish making changes on a configuration page, click Save to save the changes, or click Cancel to undo your changes.
Viewing the Help Files
To view more information about a configuration page, click the Help link near the top right corner of the page.
Viewing Device Statistics
The Cisco RV 110W provides real-time statistics for the device. To access statistics, in the Device Manager, choose Status.
Viewing the System Summary
To view the system summary, choose Status > System Summary. Click Refresh to obtain the latest information.
• Firmware MD5 Checksum—The message-digest algorithm used to verify the integrity of files.
• PID VID—Product ID and vendor ID of the device.
• CPU Usage—Percentage of CPU currently used.
• Memory Usage—Percentage of memory currently used.
LAN Information
• MAC Address—Hardware address.
• IPv4 Address—Address and subnet mask of the device.
• IPv6 Address—Address and subnet mask of the device (shown only if IPv6 is enabled).
• Connection Type—Indicates if the WAN IPv4 address is obtained dynamically through a DHCP server, assigned statically by the user, or obtained through a PPPoE/PPTP/L2TP ISP connection.
• Connection State—Indicates if the WAN port is connected to the Internet Service Provider.
• IP Address—IP address of the WAN port.
• Subnet Mask—Subnet Mask for the WAN port.
• NAT—Indicates if the security appliance is in NAT mode (enabled) or routing mode (disabled).
Available Access Points Table
The table displays the list of Access Points currently enabled in the device. The table also displays information related to the Access Point, such as Security and Encryption methods used by the Access Point.
• SSID—This is the Service Set Identifier (SSID) that clients use to connect to the AP that has this profile. It is referenced in the AP tables and statistics.
• Multicast—The number of multicast packets sent over this radio.
• Collisions—The number of packet collisions reported to the AP.
AP Statistics
This table displays transmit/receive data for a given AP.
• AP Name—The name of the AP.
• Packets—The number of transmitted/received (tx/rx) wireless packets on the AP.
• Bytes—The number of transmitted/received (tx/rx) bytes of information on the AP.
Click Connect to establish an inactive SA (connection) or Drop to terminate an active SA (connection). The page refreshes automatically to display the most current status for an SA. To change the refresh settings, in the Poll Interval field, enter a value in seconds for the poll interval. This causes the page to re-read the statistics from the router and refresh the page automatically.
- System logs are those that are a part of user-space applications (for example, NTP, Session, DHCP).
- IPsec VPN logs are those related to IPsec negotiations. These are related user space logs.
- Local0-Wireless are those related to wireless connection and negotiation.
Click Refresh Logs to view the entries added after the page was opened. Click Clear Logs to delete all entries in the log window.
• Tx Packets—The number of IP packets going out of the port.
• Rx Packets—The number of packets received by the port.
• Collisions—The number of signal collisions that have occurred on this port. A collision occurs when the port tries to send data at the same time as a port on another router or computer that is connected to this port.
• Tx B/s—The number of bytes going out of the port per second.
2 Configuring Networking
The networking page allows you to configure networking settings.
STEP 1 Choose Networking > WAN > IPv4 WAN Configuration.
STEP 2 If you connect to the Internet using one of the following connection types, check the Internet Connection Requires a Login box:
• Point-to-Point Protocol over Ethernet (PPPoE)—used mainly with asymmetric DSL.
• Point-to-Point Tunneling Protocol (used in Europe).
• Layer 2 Tunneling Protocol (used in Europe).
STEP 3 Choose your ISP Connection Type:
PPPoE
a.
L2TP
a. Provide your username and password. These are assigned to you by the ISP to access your account.
b. Enter your secret phrase. This phrase is known to you and your ISP for use in authenticating your logon.
c. Choose the connectivity type:
• Keep connected—The Internet connection is always on.
• Connect on demand—The Internet connection is on only when traffic is present.
Configuring Domain Name System (DNS) Server Information
DNS servers map Internet domain names (for example, www.cisco.com) to IP addresses. Under DNS Server Source, you can choose whether to get DNS server addresses automatically from your ISP or to use ISP-specified DNS server addresses.
STEP 1 If your ISP provides DNS servers, under DNS Server Source, choose Get Dynamically from ISP.
• Use This MAC Address—Choose this option if you want to manually enter a MAC Address that is expected by your ISP.
STEP 2 If you chose not to use the default MAC address, in the MAC Address field, enter a MAC address in the format of XX:XX:XX:XX:XX:XX, where X is a number from 0 through 9 or a letter from A through F.
STEP 3 Click Save.
STEP 5 Enter the primary and secondary DNS server IP addresses on the ISP's IPv6 network. DNS servers map Internet domain names (for example, www.cisco.com) to IP addresses.
STEP 6 Choose the method by which the router obtains an IP address:
STEP 7 Click Save.
Configuring DHCPv6
When the ISP allows you to obtain the WAN IP settings via DHCP, you need to provide details for the DHCPv6 client configuration.
• PAP—The Cisco RV 120W uses Password Authentication Protocol when connecting with the ISP.
• CHAP—The Cisco RV 120W uses Challenge Handshake Authentication Protocol when connecting with the ISP.
• MS-CHAP or MS-CHAPv2—The Cisco RV 120W uses Microsoft Challenge Handshake Authentication Protocol when connecting with the ISP.
STEP 5 Choose the connectivity type:
• Keep connected—The Internet connection is always on.
If machines on your LAN use different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add aliases to the LAN port to give PCs on those networks access to the Internet. This allows the firewall to act as a gateway to additional logical subnets on your LAN. You can assign the firewall an IP address on each additional logical subnet.
NOTE If you have IPv6 configured, see “Configuring IPv6 LAN Properties” on page 43.
STEP 1 Choose Networking > LAN > LAN Configuration.
STEP 2 In the DHCP Section, in the DHCP Mode field, choose one of the following:
• DHCP Server—Choose this to allow the Cisco RV 120W to act as the DHCP server in the network. Enter the following information:
- Domain Name—Enter the domain name for your network (optional).
- Starting and Ending IP Address—Enter the first and last of the contiguous addresses in the IP address pool.
the ISP, excluding the DNS Proxy IP address when it is disabled. The feature is useful for an “auto rollover” configuration. For example, if the DNS servers for each connection are different, then a link failure can render the DNS servers inaccessible. However, when the DNS proxy is enabled, then clients can make requests to the router and the router, in turn, sends those requests to the DNS servers of the active connection.
STEP 5 To enable routing between this and other VLANs, check the Inter VLAN Routing Enable box.
STEP 6 Click Save.
Configuring Port VLANs
You can associate VLANs on the Cisco RV 120W to the LAN ports on the device. By default, all 4 ports belong to VLAN1. You can edit these ports to associate them with other VLANs. To associate a LAN port to a VLAN:
STEP 1 Choose Networking > LAN > Port VLAN.
NOTE If you have changed the port mode, you must save the change and return to the Port VLAN list before configuring the VLAN membership. Check the box next to the port and click Edit.
STEP 6 If you selected General or Trunk mode, you can assign the LAN port to one or more VLANs by checking the box next to the VLAN.
STEP 7 Click Save.
- Starting and Ending IP Address—Enter the first and last of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address in this range. You can save part of the range for PCs with fixed addresses. These addresses should be in the same IP address subnet as the VLAN’s IP address.
- Primary and Secondary DNS Server—DNS servers map Internet domain names (for example, www.cisco.
STEP 4 In the DHCPv6 field, choose to disable or enable the DHCPv6 server. If enabled, the Cisco RV 120W assigns an IP address within the specified range plus additional specified information to any LAN endpoint that requests DHCP-served addresses.
STEP 5 Choose the DHCP mode. If stateless is selected, an external IPv6 DHCP server is not required as the IPv6 LAN hosts are auto-configured by the Cisco RV 120W.
STEP 1 Choose Networking > LAN > IPv6 LAN Configuration.
STEP 2 In the List of Address Pools field, click Add.
STEP 3 Enter the starting IP address and ending IP address of the pool.
STEP 4 Enter the prefix length. The number of common initial bits in the network’s addresses is set by the prefix length field.
STEP 5 Click Save.
STEP 1 Choose Networking > LAN > Static DHCP (LAN).
STEP 2 Click Add.
STEP 3 Enter the IP address of the device.
STEP 4 Enter the MAC address of the device. The format for the MAC Address is XX:XX:XX:XX:XX:XX where X is a number from 0 to 9 (inclusive) or an alphabetical letter between A and F (inclusive).
NOTE The IP Address assigned should be outside the pool of the DHCP addresses configured.
You must configure a fixed (static) IP address for the endpoint that will be designated as the DMZ host. The DMZ host should be given an IP address in the same subnet as the router's LAN IP address but it cannot be identical to the IP address given to the LAN interface of this gateway.
STEP 1 Choose Networking > LAN > DMZ Host.
STEP 2 Check the Enable box to enable DMZ on the network.
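The addressing rules stated in the Static DHCP and DMZ Host procedures above can be checked against a planned configuration before it is entered in the Device Manager. This is an added example, not part of the Cisco guide or any Cisco tool; the function names and the sample LAN address, pool and reservations are constructed for illustration, and the duplicate-entry check goes beyond what the guide states.

```python
import ipaddress
import re

# MAC format given in the guide: XX:XX:XX:XX:XX:XX, X = 0-9 or A-F.
MAC_RE = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2}){5}$")


def valid_mac(mac):
    """True if mac is six colon-separated hex pairs (lower case is accepted)."""
    return bool(MAC_RE.match(mac.strip().upper()))


def check_plan(lan_ip, netmask, pool_start, pool_end, reservations, dmz_host=None):
    """Check an IPv4 LAN address plan; return a list of findings (empty = clean).

    reservations is a list of (ip, mac) static DHCP entries.
    """
    findings = []
    lan = ipaddress.ip_interface(f"{lan_ip}/{netmask}")
    net = lan.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    # The DHCP pool is a contiguous range in the same subnet as the LAN address.
    if start > end:
        findings.append(f"pool: start {start} is above end {end}")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            findings.append(f"pool: {label} {addr} is outside {net}")

    seen_ips, seen_macs = set(), set()
    for ip_text, mac in reservations:
        ip = ipaddress.ip_address(ip_text)
        if not valid_mac(mac):
            findings.append(f"static {ip}: MAC {mac!r} is not in XX:XX:XX:XX:XX:XX form")
        # Guide NOTE: a static DHCP address should be outside the DHCP pool.
        if start <= ip <= end:
            findings.append(f"static {ip}: inside the DHCP pool {start}-{end}")
        # Duplicate checks are an added sanity test, not a rule from the guide.
        key = mac.strip().upper()
        if ip in seen_ips:
            findings.append(f"static {ip}: address reserved more than once")
        if key in seen_macs:
            findings.append(f"static {ip}: MAC {key} reserved more than once")
        seen_ips.add(ip)
        seen_macs.add(key)

    if dmz_host is not None:
        dmz = ipaddress.ip_address(dmz_host)
        # Guide: the DMZ host is in the LAN subnet but is not the LAN interface address.
        if dmz not in net:
            findings.append(f"dmz {dmz}: not in the LAN subnet {net}")
        if dmz == lan.ip:
            findings.append(f"dmz {dmz}: identical to the LAN interface address")
    return findings


# Constructed sample plan (not taken from the guide).
SAMPLE_RESERVATIONS = [
    ("192.168.1.10", "00:1A:2B:3C:4D:5E"),   # outside the pool, valid MAC
    ("192.168.1.120", "00-1A-2B-3C-4D-5F"),  # inside the pool, wrong separator
]

if __name__ == "__main__":
    for line in check_plan("192.168.1.1", "255.255.255.0",
                           "192.168.1.100", "192.168.1.149",
                           SAMPLE_RESERVATIONS, dmz_host="192.168.1.1"):
        print(line)
```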
Configuring Routing
Choosing the Routing Mode
The Cisco RV 120W provides two different routing modes. Network Address Translation (NAT) is a technique that allows several endpoints on a LAN to share an Internet connection. The computers on the LAN use a “private” IP address range while the WAN port on the router is configured with a single “public” IP address.
• Genmask—The netmask for the destination network.
• Flags—For debugging purpose only; possible flags include:
- U—Route is up.
- H—Target is a host.
- G—Use gateway.
- R—Reinstate route for dynamic routing.
- D—Dynamically installed by daemon or redirect.
- M—Modified from routing daemon or redirect.
- A—Installed by addrconf.
- C—Cache entry.
- !—Reject route.
• Metric—The distance to the target (usually counted in hops).
STEP 3 Enter the route name.
STEP 4 If a route is to be immediately active, check the Active box. When a route is added in an inactive state, it will be listed in the routing table, but will not be used by the router. The route can be enabled later. This feature is useful if the network that the route connects to is not available when you add the route. When the network becomes available, the route can be enabled.
NOTE RIP is disabled by default on the Cisco RV 120W.
To configure dynamic routing:
STEP 1 Choose Networking > Routing > Dynamic Routing.
STEP 2 To configure how the router sends and receives RIP packets, choose the RIP direction:
• Both—The router both broadcasts its routing table and also processes RIP information received from other routers.
• MD5 Key ID—Input the unique MD5 key ID used to create the Authentication Data for this RIP v2 message.
• MD5 Auth Key—Input the auth key for this MD5 key, the auth key that is encrypted and sent along with the RIP v2 message.
• Not Valid Before—Enter the start date when the auth key is valid for authentication.
• Not Valid After—Enter the end date when the auth key is valid for authentication.
STEP 5 Click Save.
Configuring Dynamic DNS (DDNS)
DDNS is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.com or TZO.com. The router will notify dynamic DNS servers of changes in the WAN IP address, so that any public services on your network can be accessed by using the domain name.
STEP 4 Click Save.
Configuring IPv6
IPv6 configuration for your router is performed in several sections on your Cisco RV 120W. Make sure you do the following:
• Configure IPv6 WAN properties—See Configuring the WAN for an IPv6 Network, page 34.
• Set the Routing Mode to IPv4/IPv6 mode. See Configuring the Routing Mode, page 54.
To create a static route:
STEP 1 Select Networking > Routing > Static Routing.
STEP 2 In the list of static routes, click Add.
STEP 3 Enter the route name.
STEP 4 If a route is to be immediately active, check the Active box. When a route is added in an inactive state, it will be listed in the routing table, but will not be used by the router. The route can be enabled later.
host is unreachable. By default, the routing update is sent every 30 seconds. If the router receives no routing updates from a neighbor after 180 seconds, the routes learned from the neighbor are considered unreachable. After another 240 seconds, if no routing update is received, the router will remove these routes from the routing table. On the Cisco RV 120W, RIPng is disabled by default.
To configure RIPng:
STEP 1 Select Networking > IPv6 > Routing (RIPng).
To add an ISATAP tunnel:
STEP 1 Choose Networking > IPv6 > ISATAP Tunnels.
STEP 2 Click Add.
STEP 3 Enter the ISATAP subnet prefix. This is the 64-bit subnet prefix that is assigned to the logical ISATAP subnet for this intranet. This can be obtained from your ISP or internet registry, or derived from RFC 4193.
STEP 4 Choose the local endpoint address, or the endpoint address for the tunnel that starts with the Cisco RV 120W.
• Unicast only—Select this option to restrict advertisements to well-known IPv6 addresses only (router advertisements [RAs] are sent to the interface belonging to the known address only).
STEP 4 If you chose Unsolicited Multicast in Step 3, enter the advertise interval. The advertise interval is a random value between the Minimum Router Advertisement Interval and Maximum Router Advertisement Interval. (MinRtrAdvInterval = 0.33 * MaxRtrAdvInterval.
STEP 4 If you chose 6to4 in Step 3, enter the Site-level aggregation identifier (SLA ID). The SLA ID in the 6to4 address prefix is set to the interface ID of the interface on which the advertisements are sent. If you chose Global/Local/ISATAP in Step 3, enter the IPv6 prefix and prefix length. The IPv6 prefix specifies the IPv6 network address.
3 Configuring the Wireless Network
This chapter describes how to configure your wireless network and includes the following sections:
• A Note About Wireless Security, page 60
• Understanding the Cisco RV 120W’s Wireless Networks, page 63
• Configuring Access Points, page 66
• Configuring the Wireless Radio Properties, page 70
• Configuring Wi-Fi Protected Setup, page 72
• Configuring a Wireless Distribution System (WDS), page 73
A Note Abo
• Change the default wireless network name or SSID
Wireless devices have a default wireless network name or Service Set Identifier (SSID) set by the factory. This is the name of your wireless network, and can be up to 32 characters in length.
• Enable encryption
Encryption protects data transmitted over a wireless network. Wi-Fi Protected Access (WPA/WPA2) and Wired Equivalent Privacy (WEP) offer different levels of security for wireless communication. Currently, devices that are Wi-Fi certified are required to support WPA2, but are not required to support WEP.
Understanding the Cisco RV 120W’s Wireless Networks
The Cisco Small Business RV 120W Wireless-N VPN Firewall provides four Wireless Access Points (APs), or virtual wireless networks. These networks can be configured and enabled with individual settings.
STEP 6 In the Security field, select the type of security. All devices on your network must use the same security mode and settings to work correctly. Cisco recommends using the highest level of security that is supported by the devices in your network.
• Disabled—Any device can connect to the network. Not recommended.
• Wired Equivalent Privacy (WEP)—Weak security with a basic encryption method that is not as secure as WPA.
security. In the event of a wireless client disconnecting from an AP, a notification is sent to the AP, which then sends the pre-authentication info to other APs in the network.
WEP
In the WEP Index and Keys section:
a. In the Authentication field, choose Open System or Shared Key. If you choose open system, a wireless client doesn't need to provide a shared key in order to access the wireless network. Any client can associate to the router.
STEP 4 Click Save.
Configuring RADIUS Authentication Parameters
In WPA2 security, Pairwise Master Key Security Association (PMKSA) caching is used to store the master keys derived from successful RADIUS authentication. A client reconnecting within this interval (after successful RADIUS authentication) can skip the RADIUS authentication. This feature prevents a long RADIUS authentication process every time a client connects.
To enable or disable an AP:
STEP 1 Choose Wireless > AP Profiles.
STEP 2 In the Access Points Table, click the check box in the row of the AP and click Enable or Disable. You can enable or disable multiple APs at one time by checking multiple boxes.
Using MAC Filtering
You can use MAC filtering to permit or deny access to the wireless network based on the MAC (hardware) address of the requesting device. For example, you can enter the MAC addresses of a set of PCs and only allow those PCs to access the network. MAC filtering is configured for each AP.
To configure MAC filtering:
STEP 1 Choose Wireless > AP Profiles.
To view the AP status:
STEP 1 Choose Wireless > AP Profiles.
STEP 2 In the List of Available Access Points, check the box in the row of the AP for which you want to view statistics and click Status.
STEP 3 The following statistics are displayed:
• AP Name—Name of the AP whose statistics are being displayed.
• Radio—Wireless radio number on which the AP is configured.
• Packets—Number of wireless packets transmitted and received.
60 seconds. To cause the page to automatically refresh, click Start. To stop the page from refreshing, click Stop.

Configuring the Wireless Radio Properties

You can configure radio card properties, including the wireless standard (for example, 802.11n or 802.11g) on the Cisco RV 120W.

Configuring Basic Wireless Radio Settings

STEP 1 Choose Wireless > Radio Settings > Radio Settings.
Configuring Advanced Wireless Radio Settings

STEP 1 Choose Wireless > Radio Settings > Radio Settings.
STEP 2 In the beacon interval field, enter the time in milliseconds between beacon transmissions. The default interval is 100 milliseconds.
STEP 3 In the DTIM interval field, enter the interval at which the delivery traffic indication message should be sent.
STEP 8 (Optional) Check the U-APSD box to enable the Unscheduled Automatic Power Save Delivery (also referred to as WMM Power Save) feature that allows the radio to conserve power.
STEP 9 The short retry limit and long retry limit fields determine the number of times the AP will reattempt a frame transmission that fails. The limit applies to both long and short frames of a size less than or equal to the RTS threshold.
Configuring a Wireless Distribution System (WDS)

A Wireless Distribution System (WDS) is a system that enables the wireless interconnection of access points in a network. It allows a wireless network to be expanded using multiple access points without the need for a wired backbone to link them. WDS peers are other access points in the network connected in the WDS.
4 Configuring the Firewall

This chapter contains information about configuring the firewall properties of the Cisco RV 110W and includes the following sections:
• Cisco RV 110W Firewall Features
• Configuring Basic Firewall Settings
• Configuring Firewall Rules
• Creating Firewall Schedules
• Blocking and Filtering Content and Applications
• Firewall Rule Examples
• Configuring Port Triggering
• Configuring Port Forwarding
• Schedules as to when the router should apply rules.
• Keywords (in a domain name or on a URL of a web page) that the router should allow or block.
• Rules for allowing or blocking inbound and outbound Internet traffic for specified services on specified schedules.
• MAC addresses of devices whose inbound access to your network the router should block.
Configuring Basic Firewall Settings

To configure basic firewall settings, choose Firewall > Basic Settings. You can configure the following:

Protecting from Attacks

Attacks are malicious security breaches or unintentional network issues that render the Cisco RV 120W unusable. Attack checks allow you to manage WAN security threats such as continual ping requests and discovery via ARP scans.
International Computer Security Association (ICSA) Settings

• Block ICMP Notification—ICSA requires the firewall to silently block without sending an ICMP notification to the sender. Some protocols, such as MTU Path Discovery, require ICMP notifications. Enable this setting to operate in “stealth” mode. Enabled by default.
• Block Fragmented Packets—ICSA requires the firewall to block fragmented packets from ANY to ANY. Enabled by default.
Viewing UPnP Information

To view UPnP information:
STEP 1 Choose Firewall > Basic Settings > UPnP.
STEP 2 The UPnP Portmap Table shows IP addresses and other settings of UPnP devices that have accessed the Cisco RV 120W. It includes the following fields:
• Active—Indicates whether or not the port of the UPnP device that established a connection is currently active: Yes or No.
• Protocol—The network protocol (i.e. HTTP, FTP, etc.
Configuring the Default Outbound Policy

The Firewall Settings page allows the user to configure the default outbound policy for the traffic that is directed from the secure network (LAN) to the non-secure network (dedicated WAN/optional). The default inbound policy for traffic flowing from the non-secure zone to the secure zone is always blocked and cannot be changed.
Creating a Firewall Rule

To create firewall rules:
STEP 1 Choose Firewall > Access Control > IPv4 Rules.
STEP 2 Click Add.
STEP 3 In the From Zone field, choose the source of originating traffic:
• Trusted (LAN)—Choose if traffic will originate from the secure LAN.
• Untrusted (WAN)—Choose this option to create an inbound rule.
STEP 4 Choose the To Zone to configure the destination of traffic covered by this rule.
• News
• PING
• Post Office Protocol (POP3)
• Point-to-Point Tunneling Protocol (PPTP)
• RCMD (command)
• Real Audio
• Remote execution command (REXEC)
• Remote login command (RLOGIN)
• Remote Telnet (RTELNET)
• Real-Time Streaming Protocol (RTSP) TCP or UDP
• Secure Shell File Transfer Protocol (SFTP)
• Simple Mail Transfer Protocol (SMTP)
• Simple Network Management Protocol (SNMP) TCP or UDP
• SNMP Traps (TCP or UDP)
• S
• SSH
• SIP-TCP
STEP 6 Choose the action:
• Always Block—Always block the selected type of traffic.
• Always Allow—Never block the selected type of traffic.
• Block by schedule, otherwise allow—Blocks the selected type of traffic according to a schedule. See Creating Firewall Schedules, page 85.
• Allow by schedule, otherwise block—Allows the selected type of traffic according to a schedule. See Creating Firewall Schedules, page 85.
• Minimize-Cost—Choose this option when data must be transferred over a link that has a lower “cost.” The IP packets for services with this priority are marked with a TOS value of 2.
• Maximize-Reliability—Choose this option when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a TOS value of 4.
This gateway supports multi-NAT, and the Internet Destination IP address does not necessarily have to be the WAN address. On a single WAN interface, multiple public IP addresses are supported. If your ISP assigns you more than one public IP address, one of these can be used as your primary IP address on the WAN port, and the others can be assigned to servers on the LAN or DMZ.
STEP 5 In the Start Port field, enter the first TCP or UDP port of the range that the service uses.
STEP 6 In the Finish Port field, enter the last TCP or UDP port of the range that the service uses.
STEP 7 Click Save.

Creating Firewall Schedules

You can create firewall schedules to apply firewall rules on specific days or at specific times of the day.

To create a schedule:
STEP 1 Choose Firewall > Access Control > Schedules.
You also need to turn on content filtering to set up trusted domains.

Blocking Web Applications and Components

STEP 1 Choose Firewall > Access Control > Content Filtering.
STEP 2 Check the Enable box.
STEP 3 Certain commonly-used web components can be blocked for increased security. Some of these components can be used by malicious websites to infect computers that access them.
• Cookies—Cookies are used to store session information by websites that usually require login. However, several websites use cookies to store tracking information and browsing habits. Enabling this option filters out cookies from being created by a website.

NOTE Many websites require that cookies be accepted in order for the site to be accessed properly. Blocking cookies can cause many websites to not function properly.
STEP 1 Choose Firewall > Access Control > Blocked Keywords.
STEP 2 Click Add.
STEP 3 Enter the keyword to block. Keywords prevent access to websites that contain the specified characters in the URL or the page contents.
STEP 4 Select the group to which to apply the keyword blocking. (These groups are configured in the Networking > LAN > LAN Groups page.)
STEP 5 Click Save.
it to connect. However, host2 is able to connect because its MAC address is not in the list. If the policy is “permit and block the rest,” then host1 is able to connect to a website, but host2 is blocked because its URL is not in the list. The MAC filtering policy does not override a firewall rule that directs incoming traffic to a host.
STEP 3 Click Save.
STEP 4 In the MAC Addresses table, click Add.
Firewall Rule Examples

Example 1: Allow inbound HTTP traffic to the DMZ

In this example, you host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address to the IP address of your web server at any time of day. Create an inbound rule as follows:

Parameter                          Value
From Zone                          Insecure (WAN1/WAN2)
To Zone                            Public (DMZ)
Service                            HTTP
Action                             Allow always
Send to Local Server (DNAT IP)     192.168.5.
Parameter                          Value
Action                             Allow always
Send to Local Server (DNAT IP)     192.168.1.11
Destination Users                  Address Range
From                               132.177.88.2
To                                 134.177.88.254
Enable Port Forwarding             Yes (enabled)

Example 3: Multi-NAT Configuration

In this example, you want to configure multi-NAT to support multiple public IP addresses on one WAN port interface. Create an inbound rule that configures the firewall to host an additional public IP address.
Parameter                          Value
Send to Local Server (DNAT IP)     192.168.1.2 (local IP address of your web server)
Destination Users                  Single Address
From                               10.1.0.
Port triggering opens an incoming port for a specific type of traffic on a defined outgoing port. Port triggering is more flexible than static port forwarding (available when configuring firewall rules) because a rule does not have to reference a specific LAN IP or IP range. Ports are also not left open when not in use, thereby providing a level of security that port forwarding does not offer.
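The behaviour described above, modelled in Python as an added example (not Cisco code or firmware logic): outbound traffic on a trigger port opens the incoming range to the triggering host, and the range closes again after an idle period, while a static forward stays open. The rule values, the 600-second idle timeout and the refresh-on-inbound behaviour are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class TriggerRule:
    name: str
    protocol: str      # "tcp" or "udp"
    outgoing: range    # trigger: destination ports watched on LAN -> WAN traffic
    incoming: range    # ports opened WAN -> LAN while the trigger is live


@dataclass
class PortTriggerTable:
    rules: list
    idle_timeout: int = 600                    # seconds; assumed, not from the guide
    live: dict = field(default_factory=dict)   # rule name -> (lan_ip, expiry)

    def outbound(self, now: int, lan_ip: str, protocol: str, dst_port: int) -> None:
        """LAN host sends traffic; a matching rule opens its incoming range to that host."""
        for rule in self.rules:
            if rule.protocol == protocol and dst_port in rule.outgoing:
                self.live[rule.name] = (lan_ip, now + self.idle_timeout)

    def inbound(self, now: int, protocol: str, dst_port: int) -> Optional[str]:
        """Return the LAN IP a WAN packet is delivered to, or None if it is dropped."""
        for rule in self.rules:
            if rule.protocol != protocol or dst_port not in rule.incoming:
                continue
            entry = self.live.get(rule.name)
            if entry is None:
                continue                        # never triggered: port stays closed
            lan_ip, expiry = entry
            if now >= expiry:
                del self.live[rule.name]        # idle too long: port closes again
                continue
            self.live[rule.name] = (lan_ip, now + self.idle_timeout)  # assumed refresh
            return lan_ip
        return None

    def open_ports(self, now: int) -> set:
        """Incoming ports reachable from the WAN at time `now`."""
        ports = set()
        for rule in self.rules:
            entry = self.live.get(rule.name)
            if entry is not None and now < entry[1]:
                ports.update(rule.incoming)
        return ports


# Constructed rule: outbound TCP 6000 opens inbound TCP 7000-7010.
RULE = TriggerRule("example-app", "tcp", range(6000, 6001), range(7000, 7011))
# Static port forwarding for comparison: bound to one LAN IP and always open.
STATIC_FORWARDS = {("tcp", 7005): "192.168.1.50"}


def static_forward(protocol: str, dst_port: int) -> Optional[str]:
    return STATIC_FORWARDS.get((protocol, dst_port))


def demo() -> list:
    table = PortTriggerTable([RULE])
    seen = [table.inbound(0, "tcp", 7005)]              # nothing triggered yet
    table.outbound(10, "192.168.1.77", "tcp", 6000)     # any LAN host can trigger
    seen.append(table.inbound(20, "tcp", 7005))         # delivered to the triggering host
    seen.append(len(table.open_ports(20)))              # whole incoming range is open
    seen.append(table.inbound(700, "tcp", 7005))        # idle since t=20, timed out
    seen.append(len(table.open_ports(700)))
    seen.append(static_forward("tcp", 7005))            # static rule never closes
    return seen


if __name__ == "__main__":
    print(demo())
```

This model matches inbound packets on protocol and port only, so while a trigger is live the incoming range accepts traffic from any WAN source; the timeout bounds that exposure rather than removing it.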
Configuring Port Forwarding

Port forwarding is used to redirect traffic from the Internet from one port on the WAN to another port on the LAN. The port forwarding rules menu allows selection of a service. Common services are available or you can define a custom service and associated ports to forward. The Port Forwarding Rules table lists all the available port forwarding rules for this device and allows you to configure port forwarding rules.
• BOOT_P Server
• CU-SeeMe (videoconferencing) UDP or TCP
• Domain Name System (DNS), UDP or TCP
• Finger
• File Transfer Protocol (FTP)
• Hypertext Transfer Protocol (HTTP)
• Secure Hypertext Transfer Protocol (HTTPS)
• Internet Control Message Protocol (ICMP) type 3 through 11 or 13
• ICQ (chat)
• Internet Message Access Protocol (IMAP) 2 or 3
• Internet Relay Chat (IRC)
• News
• PING
• Post Office Protocol (POP3)
• Poi
• STRMWORKS
• Terminal Access Controller Access-Control System (TACACS)
• Telnet (command)
• Trivial File Transfer Protocol (TFTP)
• Routing Information Protocol (RIP)
• IKE
• Simple HTTPD web server
• UDP Encapsulation of IPsec packets (IPSEC-UDP-ENCAP)
• IDENT protocol
• VDOLive (web video delivery)
• SSH
• SIP-TCP
• SIP-UDP
STEP 4 Choose the action:
• Always Block—Always block the selected type of traffic.
STEP 7 If you chose Single Address in Step 6, enter the IP address in the field.
STEP 8 If you chose Address Range in Step 6, enter the starting IP address of the range in the From field and the ending IP address of the range in the To field.
STEP 9 Enter the Destination IP address, or the address where traffic meeting the rule should be sent.
STEP 5 In the UDP Session Timeout Duration field, enter the time, in seconds, after which inactive UDP sessions are removed from the session table. This value ranges from 0 through 4,294,967 seconds. The default is 120 seconds (2 minutes).
STEP 6 In the Other Session Timeout Duration (seconds) field, enter the time, in seconds, after which inactive non-TCP/UDP sessions are removed from the session table.
• IP Address Range—Choose to allow any IP address in the configured range to access the Cisco RV 120W. In the From field, enter the starting IP address for the allowed range. In the To field, enter the ending IP address for the allowed range.
• Only this PC—Choose to restrict access to only the PC you are currently using to manage the Cisco RV 120W.
This table displays the following fields:
• LAN Server IP—This column shows the configured LAN Host IP Address.
• Service—This column shows the service to be accepted by the LAN Host.

To add a one-to-one NAT rule:
STEP 1 Choose Firewall > Access Control > One-to-One NAT.
STEP 2 In the One-to-One NAT Rules table, click Add.
5 Configuring Virtual Private Networks (VPNs) and Security

This chapter describes VPN configuration, beginning with the “Configuring VPNs” section on page 102. It also describes how to configure router security, beginning with the “Configuring Security” section on page 115.
Configuring VPNs

A VPN provides a secure communication channel (“tunnel”) between two gateway routers or a remote PC client and a gateway router. The following types of tunnels can be created:
• Gateway-to-gateway VPN—Connects two or more routers to secure traffic between remote sites.
• Remote Client (client-to-gateway VPN tunnel)—A remote client initiates a VPN tunnel.
To quickly set up a VPN tunnel using VPN Wizard:
STEP 1 Choose IPsec > VPN Wizard.
STEP 2 Set the Connection Name and Pre-Shared key. The connection name is used for management, and the pre-shared key will be required on the VPN client or gateway to establish the tunnel.
STEP 3 Choose the Remote Gateway Type (IP Address or Fully-Qualified Domain Name).
STEP 4 Enter the Remote WAN IP Address/Internet Name.
Parameter          Default value from Wizard
Exchange Mode      Aggressive
ID Type            FQDN
Local WAN ID       wan_local.com
Remote WAN ID      wan_remote.
Configuring IP Security Policies

The VPN Wizard is the recommended method to configure corresponding IKE and VPN policies for establishing a VPN tunnel. Once the Wizard creates the matching IKE and VPN policies, you can modify the required fields using the Edit button.
NOTE If either the Local or Remote identifier type is not an IP address, then negotiation is only possible in Aggressive Mode. If FQDN, User FQDN or DER ASN1 DN is selected, the router disables Main mode and sets the default to Aggressive mode.
• AES-192
• AES-256
STEP 2 Specify the authentication algorithm for the VPN header:
• MD5
• SHA-1
• SHA2-256
• SHA2-384
• SHA2-512
NOTE Ensure that the authentication algorithm is configured identically on both sides.
STEP 3 Choose the authentication method:
• Select Pre-Shared Key for a simple password based key that is shared with the IKE peer.
STEP 6 To enable dead peer detection, check the box. Dead Peer Detection is used to detect whether the peer is alive or not. If the peer is detected as dead, the router deletes the IPsec and IKE Security Association.
STEP 7 In the Detection Period field, enter the interval, in seconds, between consecutive DPD R-U-THERE messages. DPD R-U-THERE messages are sent only when the IPsec traffic is idle.
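A pre-deployment check of the IKE policy constraints stated above (a non-IP identifier type requires Aggressive mode; the authentication algorithm must be identical on both sides), written as an added Python example that is not part of the guide or of any Cisco tool. The dictionary field names, the "IP Address" identifier label and the sample policies are constructed for the illustration; the other matching checks and the two hardening findings reflect standard IKE practice rather than statements from this guide.

```python
# Field names are hypothetical; the values are option labels shown in the guide.
MUST_MATCH = ("exchange_mode", "encryption", "authentication", "auth_method")
NON_IP_ID_TYPES = {"FQDN", "User FQDN", "DER ASN1 DN"}
LEGACY_HASHES = {"MD5", "SHA-1"}


def check_policy(name: str, p: dict) -> list:
    """Findings for one gateway's IKE policy."""
    findings = []
    id_types = {p["local_id_type"], p["remote_id_type"]}
    if id_types & NON_IP_ID_TYPES and p["exchange_mode"] != "Aggressive":
        findings.append(f"{name}: non-IP identifier type needs Aggressive mode, "
                        f"policy has {p['exchange_mode']}")
    if p["authentication"] in LEGACY_HASHES:
        findings.append(f"{name}: {p['authentication']} is a legacy digest; "
                        "prefer SHA2-256 or stronger if both peers support it")
    if p["exchange_mode"] == "Aggressive" and p["auth_method"] == "Pre-Shared Key":
        findings.append(f"{name}: Aggressive mode with a pre-shared key lets an observer "
                        "test key guesses offline; use a long random key")
    return findings


def check_pair(a: dict, b: dict) -> list:
    """Findings for both policies plus any setting that differs between the peers."""
    findings = check_policy("site-a", a) + check_policy("site-b", b)
    for key in MUST_MATCH:
        if a[key] != b[key]:
            findings.append(f"mismatch: {key} is {a[key]} on site-a, {b[key]} on site-b")
    # Each side's local identifier must be what the peer expects as remote.
    if a["local_id"] != b["remote_id"] or a["remote_id"] != b["local_id"]:
        findings.append("mismatch: local/remote identifiers are not mirrored")
    return findings


def policy(mode, id_type, local_id, remote_id, auth):
    return {"exchange_mode": mode, "local_id_type": id_type, "remote_id_type": id_type,
            "local_id": local_id, "remote_id": remote_id, "encryption": "AES-256",
            "authentication": auth, "auth_method": "Pre-Shared Key"}


# Constructed sample policies (not from the guide).
SITE_A = policy("Main", "FQDN", "site-a.example", "site-b.example", "SHA2-256")
SITE_B = policy("Aggressive", "FQDN", "site-b.example", "site-a.example", "SHA-1")
FIXED_A = policy("Main", "IP Address", "192.0.2.1", "198.51.100.1", "SHA2-256")
FIXED_B = policy("Main", "IP Address", "198.51.100.1", "192.0.2.1", "SHA2-256")

if __name__ == "__main__":
    for finding in check_pair(SITE_A, SITE_B):
        print(finding)
    print("fixed pair findings:", check_pair(FIXED_A, FIXED_B))
```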
STEP 3 Enter the information in the following sections and press Save.

General Parameters

STEP 1 Enter a unique name to identify the policy.
STEP 2 Choose the Policy Type:
• Manual—All settings (including the keys) for the VPN tunnel are manually input for each end point. No third-party server or organization is involved.
• Auto—Some parameters for the VPN tunnel are generated automatically.
- Subnet—Allows an entire subnet to connect to the VPN. Enter the network address in the Start IP Address field, and enter the Subnet Mask in the Subnet Mask field.
STEP 2 In the Start Address field, enter the first IP address in the range. If you selected Single, enter the single IP address in this field and leave the End IP Address field blank.
STEP 3 In the End Address field, enter the last IP address in the range.
- SHA-1—20 characters
- SHA2-256—32 characters
- SHA2-384—48 characters
- SHA2-512—64 characters
• Key-Out—Enter the integrity key (for ESP with Integrity-mode) for the outbound policy. The length of the key depends on the algorithm chosen, as shown above.

Manual Policy Example:

Creating a VPN tunnel between two routers:
Router 1: WAN1=10.0.0.1 LAN=192.168.1.1 Subnet=255.255.255.
Auto Policy Parameters

STEP 1 SA Lifetime—Enter the duration of the Security Association and choose the unit from the drop-down list:
• Seconds—Choose this option to measure the SA Lifetime in seconds. After the specified number of seconds passes, the Security Association is renegotiated. The default value is 3600 seconds. The minimum value is 300 seconds.
• Kbytes—Choose this option to measure the SA Lifetime in kilobytes.
Configuring VPN Clients

VPN clients must be configured with the same VPN policy parameters used in the VPN tunnel the client wishes to use: encryption, authentication, lifetime, and PFS key-group. Upon establishing these authentication parameters, the VPN Client user database must also be populated with an account to give a user access to the tunnel.
The Active IPsec SAs table displays a list of active IPsec SAs. Table fields are as follows:

Field           Description
Endpoint        IP address of the remote VPN gateway or client.
Policy Name     IKE or VPN policy associated with this SA.
State           Status of the SA for IKE policies: Not Connected or IPsec SA Established.
Tx (KB)         Kilobytes of data transmitted over this SA.
Tx (Packets)    Number of IP packets transmitted over this SA.
Configuring VPN Passthrough

VPN passthrough allows VPN traffic that originates from VPN clients to pass through the router. For example, if you are not using a VPN that is configured on the Cisco RV 110W, but are using a laptop to access a VPN at another site, configuring VPN passthrough allows that connection.

To configure VPN passthrough:
STEP 1 Choose VPN > VPN Passthrough.
The certificates menu allows you to view a list of certificates (both from a CA and self-signed) currently loaded on the gateway. The following certificate data is displayed in the list of Trusted (CA) certificates:
• CA Identity (Subject Name)—The certificate is issued to this person or organization.
• Issuer Name—The name of the Certificate Authority that issued this certificate.
Uploading CA Certificates

To upload CA Certificates:
STEP 1 In the Trusted Certificates (CA Certificate) Table, click Upload.
STEP 2 Browse to select the certificate file and press Upload.

Uploading Self Certificates

To upload Self Certificates:
STEP 1 In the Active Self Certificates Table, click Upload.
STEP 2 Browse to select the certificate file and press Upload.
STEP 8 (Optional) Enter the e-mail address of the company contact that is used when generating the self certificate request.
STEP 9 Click Generate. A new certificate request is created and added to the Self Certificate Requests table. To view a request, click on the View button next to the appropriate request in this table.
STEP 4 In the Secret field, enter the shared key that allows the Cisco RV 110W to authenticate with the RADIUS server. This key must match the key configured on the RADIUS server. The single quote, double quote, and space characters are not allowed in this field.
STEP 5 In the Timeout field, enter the timeout interval after which the Cisco RV 110W re-authenticates with the RADIUS server.
6 Configuring Quality of Service (QoS)

The Cisco RV 110W provides configuration for QoS features, such as bandwidth profiles, traffic selectors, and traffic meters. It contains the following sections:
• Configuring Bandwidth Profiles
• Configuring Traffic Flows
• Configuring Traffic Metering
• Configuring 802.
Add Profiles

STEP 1 In the Bandwidth Profiles Table, click Add.
STEP 2 Enter the Profile Name, or the name used to identify and associate the profile to traffic selection criteria.
STEP 3 Choose the Profile Type: priority (to limit bandwidth by high, medium, or low priority) or rate (to limit bandwidth by the transmission rate).
STEP 4 If you chose priority, enter the priority for this profile (low, medium, or high).
• DSCP—Enter the DSCP value.
• BSSIDs—Choose the Basic Service Set Identifier, or the MAC address of the wireless access point (WAP).
STEP 6 Click Save.

Configuring Traffic Metering

Traffic metering allows you to measure and limit the traffic routed by this router.

To configure traffic metering:
STEP 1 Choose QoS > Traffic Meter.
STEP 2 Check the Enable box to enable traffic metering on the optional WAN port.
STEP 5 In the Increase This Month's Limit By field, if the monthly traffic limit has been reached and you need to temporarily increase the limit, check this option and enter the value by which you want to increase the limit.

NOTE The This Month's Limit field displays the data transfer limit applicable for this month, which is the sum of the value in the Monthly Limit field and the Increase this Month's Limit field.
• Block All Traffic Except E-mail—If selected, then when the traffic limit is reached, all traffic to and from the WAN will be blocked, but e-mail traffic will be allowed. This feature works only if you enable e-mail logs on the Administration > Logging > Remote Logging page. See Configuring Logging, page 131.
STEP 8 Click Save.

You can also view the Internet Traffic Statistics.
STEP 3 Check the Enable box to enable 802.1p CoS to DSCP remarking for IP packets. Class of Service (CoS) or 802.1p specifies a priority value between 0 and 7 that can be used by Quality of Service (QoS) disciplines to differentiate traffic.
7 Administering Your Cisco RV 120W

This chapter describes the administration features of the Cisco RV 110W, including creating users, configuring network management, diagnostics and logging, date and time, and other settings.
Password complexity forces new passwords to conform to the following requirements:
• Passwords must be a minimum number of characters in length. Enter the minimum password length.
• Passwords must contain characters from at least 3 of the following 4 categories:
- Uppercase letters
- Lowercase letters
- Numbers
- Special characters available on a standard keyboard.
STEP 5 Enter the new password. It is recommended that passwords contain no dictionary words from any language, and are a mix of letters (both uppercase and lowercase), numbers, and symbols. The password can be up to 30 characters.
STEP 6 Click Save.

Setting the Timeout Value

The timeout value is the number of minutes of inactivity that are allowed before the Device Manager session is ended.
• NoAuthNoPriv—Doesn't require any Authentication and Privacy.
• AuthNoPriv—Submit only Authentication algorithm and password.
• AuthPriv—Submit Authentication/privacy algorithm and password.
STEP 3 If you chose AuthNoPriv or AuthPriv, choose the type of authentication algorithm (MD5 or SHA) and enter the authentication password.
To configure access control rules:
STEP 1 In the Access Control List Table, click Add.
STEP 2 Enter the IP Address of the specific SNMP manager or trap agent on which to create an access rule.
STEP 3 Enter the subnet mask used to determine the list of allowed SNMP managers.
STEP 4 Enter the community string to which the agent belongs. Most agents are configured to listen for traps in the Public community.
STEP 5 Choose the access type.
Using PING

This utility can be used to test connectivity between this router and another device on the network connected to this router. Enter an IP address and click Ping. A popup window appears, indicating the ICMP echo request status.

Using Trace Route

This utility will display all the routers present between the destination IP address and this router.
Configuring Local Logging

The router can be configured to log and e-mail notifications for denial of service attacks, general attack information, login attempts, dropped packets, etc. to a specified e-mail address or a Syslog server.

Routing Logs

This section is used to configure the logging options for each network segment (for example, LAN-WAN).
Other Event Logs

Select the type of event to be logged. The following events can be recorded:
• Source MAC Filter—Check this box to log packets matched due to source MAC filtering. Uncheck this box to disable source MAC filtering logs.
• Bandwidth Limit—Check this box to log packets dropped due to Bandwidth Limiting.
• Respond to Identd from SMTP Server—Check this radio box to configure the router to respond to an IDENT request from the SMTP server.
• To confirm that the e-mail logs function is configured correctly, press Test.

Send E-mail logs by Schedule

To receive e-mail logs according to a schedule, configure the appropriate schedule settings:
• Unit—Select the period of time that you need to send the log: Hourly, Daily, or Weekly.
Configuring E-Mailing of Log Events

The variety of events that can be captured and logged for review can be e-mailed. To configure e-mailing of log events, choose Administration > Logging > Logs Facility:
STEP 1 Select the type of functionality from which to generate logs: Kernel, System, or Local0-wireless.
STEP 2 Select the events to log: Emergency, Alert, Critical, Error, Warning, Notification, Information, Debugging.
Configuring VLAN Associations

You can select the available VLAN to enable Bonjour service types. Available VLANs are populated for the Bonjour Association VLAN list after the VLANs are configured for the device. (See Configuring Virtual LANs (VLANs), page 39, for more information.) Currently, by default, LAN/Default-VLAN is the broadcasting domain for service.
STEP 5 If you chose a default NTP server, choose the server from the list. If you chose a custom NTP server, enter the server addresses or fully-qualified domain name. If you chose to set the date and time manually, enter the date and time.
STEP 6 Click Save.
Upgrading Firmware

CAUTION During a firmware upgrade, do not try to go online, turn off the device, shut down the PC, or interrupt the process in any way until the operation is complete. This process takes about a minute, including the reboot process. Interrupting the upgrade process at specific points when the flash is being written to may corrupt the flash memory and render the router unusable.
A Using Cisco QuickVPN for Windows 2000, XP, or Vista

Overview

This appendix explains how to install and use the Cisco QuickVPN software that can be downloaded from www.cisco.com. QuickVPN works with computers running Windows 2000, XP, or Vista. (Computers using other operating systems will have to use third-party VPN software.) For Windows Vista, QuickVPN Client version 1.2.5 or later is required.
Installing the Cisco QuickVPN Software

Installing from the CD-ROM

STEP 1 Insert the Cisco RV 110W CD-ROM into your CD-ROM drive. After the Setup Wizard begins, click the Install QuickVPN link.
STEP 2 The License Agreement window appears. Click Yes to accept the agreement and the appropriate files are copied to the computer.
[Screenshots: Copying Files; Finished Installing Files]
STEP 3 Click Finished to complete the installation. Proceed to “Using the Cisco QuickVPN Software,” on page 142.
Downloading and Installing from the Internet

STEP 1 In Appendix B, “Where to Go From Here,” go to the Software Downloads link.
STEP 2 Enter RV 110W in the search box and find the QuickVPN software.
STEP 3 Save the zip file to your PC, and extract the .exe file.
STEP 4 Double-click the .exe file, and follow the on-screen instructions. Proceed to the next section, “Using the Cisco QuickVPN Software,” on page 142.
[Screenshot: QuickVPN Login]
To save this profile, click Save. (If there are multiple sites to which you will need to create a tunnel, you can create multiple profiles, but note that only one tunnel can be active at a time.) To delete this profile, click Delete. For information, click Help.
STEP 3 To begin your QuickVPN connection, click Connect.
[Screenshot: QuickVPN Status]
To terminate the VPN tunnel, click Disconnect. To change your password, click Change Password. For information, click Help.
STEP 5 If you clicked Change Password and have permission to change your own password, you will see the Connect Virtual Private Connection window. Enter your password in the Old Password field. Enter your new password in the New Password field.
NOTE You can change your password only if the Allow User to Change Password box has been checked for that username. See Configuring IPsec Users, page 114.

Federal Communication Commission Interference Statement

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules.
B Where to Go From Here

Cisco provides a wide range of resources to help you obtain the full benefits of the Cisco RV 110W.

Product Resources

Support
Cisco Small Business Support Community                           www.cisco.com/go/smallbizsupport
Online Technical Support and Documentation (Login Required)      www.cisco.com/support
Phone Support Contacts                                           www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Software Downloads (Login Required)                              Go to tools.cisco.