ARRIS NVG599 DSL User Manual 3341 User Guide

ARRIS® NVG599 VDSL2 Gateway
Embedded Software Version 9.1.0
Administrator’s Handbook
Copyright
©ARRIS Enterprises, Inc. 2013 All rights reserved. No part of this publication may be reproduced in any form or by any means or
used to make any derivative work (such as translation, transformation, or adaptation) without written permission from ARRIS
Enterprises, Inc. (“ARRIS”). ARRIS reserves the right to revise this publication and to make changes in content from time to time
without obligation on the part of ARRIS to provide notification of such revision or change.
ARRIS and the ARRIS logo are all trademarks of ARRIS Enterprises, Inc. Other trademarks and trade names may be used in this
document to refer to either the entities claiming the marks and the names of their products. ARRIS disclaims proprietary interest in
the marks and names of others. MOTOROLA and the Stylized M logo are trademarks or registered trademarks of Motorola
Trademark Holdings, LLC. and are used by ARRIS under license. All other product or service names are the property of their
respective owners.
ARRIS provides this guide without warranty of any kind, implied or expressed, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. ARRIS may make improvements or changes in the product(s) described in this
manual at any time.
The capabilities, system requirements and/or compatibility with third-party products described herein are subject to change without
notice.
EXCEPT AS INDICATED IN THE APPLICABLE SYSTEM PURCHASE AGREEMENT, THE SYSTEM, DOCUMENTATION AND
SERVICES ARE PROVIDED "AS IS", AS AVAILABLE, WITHOUT WARRANTY OF ANY KIND. ARRIS GROUP, INC. (“ARRIS”)
DOES NOT WARRANT THAT THE SYSTEM WILL MEET CUSTOMER'S REQUIREMENTS, OR THAT THEIR OPERATION WILL
BE UNINTERRUPTED OR ERROR-FREE, OR THAT ANY ERRORS CAN OR WILL BE FIXED. ARRIS HEREBY DISCLAIMS ALL
OTHER WARRANTIES, EXPRESS OR IMPLIED, ORAL OR WRITTEN, WITH RESPECT TO THE SYSTEM AND SERVICES
INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, INTEGRATION,
MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE AND ALL WARRANTIES ARISING FROM ANY COURSE
OF DEALING OR PERFORMANCE OR USAGE OF TRADE.
EXCEPT AS INDICATED IN THE APPLICABLE SYSTEM PURCHASE AGREEMENT, ARRIS SHALL NOT BE LIABLE
CONCERNING THE SYSTEM OR SUBJECT MATTER OF THIS DOCUMENTATION, REGARDLESS OF THE FORM OF ANY
CLAIM OR ACTION (WHETHER IN CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE), FOR ANY (A) MATTER
BEYOND ITS REASONABLE CONTROL, (B) LOSS OR INACCURACY OF DATA, LOSS OR INTERRUPTION OF USE, OR
COST OF PROCURING SUBSTITUTE TECHNOLOGY, GOODS OR SERVICES, (C) INDIRECT, PUNITIVE, INCIDENTAL,
RELIANCE, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING, BUT NOT LIMITED TO, LOSS OF
BUSINESS, REVENUES, PROFITS OR GOODWILL, OR (D) DIRECT DAMAGES, IN THE AGGREGATE, IN EXCESS OF THE
FEES PAID TO IT HEREUNDER FOR THE SYSTEM OR SERVICE GIVING RISE TO SUCH DAMAGES DURING THE 12-
MONTH PERIOD PRIOR TO THE DATE THE CAUSE OF ACTION AROSE, EVEN IF COMPANY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS ARE INDEPENDENT FROM ALL OTHER PROVISIONS OF THIS
AGREEMENT AND SHALL APPLY NOTWITHSTANDING THE FAILURE OF ANY REMEDY PROVIDED HEREIN.
All ARRIS products are furnished under a license agreement included with the product. If you are unable to locate a copy of the
license agreement, please contact ARRIS.
Part Number: 591861-001-00
V9.1.0
TABLE 1. Document Change Log
Draft version | Firmware version | Changes this draft
1 | tbd | First release
Table of Contents
CHAPTER 1 - Introduction
  About ARRIS Documentation
  Related Documentation
  Documentation Conventions
    General
    Internal Web Interface
    Command Line Interface
  Organization
  A Word About Example Screens
CHAPTER 2 - Device Configuration
  Important Safety Instructions
    POWER SUPPLY INSTALLATION
    TELECOMMUNICATION INSTALLATION
    COAX INSTALLATION
    PRODUCT VENTILATION
  Status Indicator Lights
  Battery Installation (optional)
  Battery Door Instructions
  Set up the ARRIS Gateway
    Microsoft Windows:
    Macintosh MacOS 8 or higher or Mac OS X:
  Accessing the Web Management Interface
    Broadband Network Redirect Pages
    IP Diagnostics Page Redirect
    Offline Troubleshooting
  Device Status Page
    Device Access Code
  Tab Bar
  Help
  Links Bar
    Device List
    System Information
    Access Code
    Remote Access
    Battery
    Restart Device
  Broadband Tab
    Broadband Status
    Configure
    IGMP Stats
  Home Network Tab
    Configure
    HPNA Configure
    WiFi
      Wireless Security
    MAC Filtering
    Wireless Scan
    Subnets & DHCP
    IP Allocation
    HPNA
  Voice
    Line Details
    Call Statistics
  Firewall
    Packet Filter
      Working with Packet Filters
    NAT/Gaming
      Custom Services
    IP Passthrough
    Firewall Advanced
  Diagnostics
    Logs
    Update
    Resets
    Syslog
    Event Notifications
    NAT Table
CHAPTER 3 - Basic Troubleshooting
  Status Indicator Lights
    LED Function Summary Matrix
  Factory Reset Switch
  Log Event Messages
CHAPTER 4 - Command Line Interface
  Overview
  Starting and Ending a CLI Session
    Logging In
    Ending a CLI Session
  Using the CLI Help Facility
  About SHELL Commands
    SHELL Prompt
    SHELL Command Shortcuts
  SHELL Commands
    Common Commands
    WPS Commands
    WAN Commands
  About CONFIG Commands
    CONFIG Mode Prompt
    Navigating the CONFIG Hierarchy
    Entering Commands in CONFIG Mode
    Guidelines: CONFIG Commands
    Displaying Current Gateway Settings
    Step Mode: A CLI Configuration Technique
    Validating Your Configuration
  CONFIG Commands
    Connection Commands
    Filter Set Commands
    Global Filter Set (“IPv6 Firewall”) Commands
    Queue Commands
    IP Gateway Commands
    IPv6 Commands
    IP DNS Commands
    IP IGMP Commands
    NTP Commands
    Application Layer Gateway (ALG) Commands
    Dynamic DNS Commands
    Link Commands
    Management Commands
    Remote Access Commands
    Physical Interfaces Commands
    PPPoE Relay Commands
    NAT Pinhole Commands
    Security Stateful Packet Inspection (SPI) Commands
    VoIP Commands
    Targeted Ad Insertion Commands
    System Commands
  Debug Commands
    Disclaimer and Warning Text
    Commands
    TR-069 CLI CShell Commands (debug mode)
CHAPTER 5 - Technical Specifications and Safety Information
  Description
    Power Supply
    Environment
    Software and protocols
  Agency approvals
  Manufacturers Declaration of Conformance
  Important Safety Instructions
  47 CFR Part 68 Information
    FCC Requirements
    FCC Statements
  RF Exposure Statement:
  Electrical Safety Advisory
  Caring for the Environment by Recycling
    Beskyttelse af miljøet med genbrug
    Umweltschutz durch Recycling
    Cuidar el medio ambiente mediante el reciclaje
    Recyclage pour le respect de l'environnement
    Milieubewust recycleren
    Dbałość o środowisko - recykling
    Cuidando do meio ambiente através da reciclagem
    Var rädd om miljön genom återvinning
  Copyright Acknowledgments
    Open Source Software Information
Appendix A - ARRIS Gateway Captive Portal Implementation
  Overview
  Captive Portal RPC
    X_00D09E_GetCaptivePortalParams RPC:
    X_00D09E_SetCaptivePortalParams RPC:
Appendix B - Quality of Service (QoS) Examples
  Overview
  Upstream QoS: Priority and Shaping
  Downstream QoS: Ethernet Switch
  Downstream QoS: Egress queues
Index
CHAPTER 1 Introduction
About ARRIS Documentation
This guide describes the wide variety of features and functionality of the ARRIS NVG599 Gateway, when used in Router
mode. The NVG599 device can also be delivered in Bridge mode. In Bridge mode, the NVG599 acts as a pass-through device
and allows the workstations on your LAN to have public addresses directly on the Internet. Documentation for the NVG599
in Bridge mode is available for download.
Related Documentation
ARRIS provides a suite of technical documents for its family of intelligent enterprise and consumer gateways.
This documentation consists of:
• Administrator’s Handbook (this document)
• Dedicated user manuals
• Specific white papers covering related technology
The documents are available in electronic form as Portable Document Format (PDF) files. They can be viewed
(and printed) from Adobe Acrobat Reader, Exchange, or any other application that supports PDF files.
NOTE:
For the purposes of this manual, the “ARRIS NVG599 Gateway” will be referred to as the “NVG599.”
Documentation Conventions
This manual uses the following conventions to present information.
General
The following typographic conventions are used in this guide.
Convention | Description
bold sans serif | Menu commands and button names
underlined sans serif | Web GUI page links
terminal | Computer display text
bold terminal | User-entered text
Italic | The complete titles of manuals
Internal Web Interface
The following graphic conventions are used when describing elements of the Web interface in this guide.
Convention (Graphics) | Description
blue border | An excerpt from a Web page or the visual truncation of a Web page
solid rounded rectangle with an arrow | An area of emphasis on a Web page
Command Line Interface
Syntax conventions for the command line interface are as follows.
Convention | Description
[ ] | Optional command arguments are shown with straight brackets
{ } | Alternative values for an argument are presented in curly ({ }) brackets, with values separated by vertical bars (|).
bold | User-entered text
italic | Variables for which you supply your own values
Organization
This guide consists of five chapters, two appendixes, and an index. It is organized as follows:
• Chapter 1, “Introduction” — Describes the ARRIS® document suite and the purpose of, audience for, and structure of this guide. It includes a table of style conventions.
• Chapter 2, “Device Configuration” — Describes how to get up and running with your NVG599.
• Chapter 3, “Basic Troubleshooting” — Gives some simple suggestions for troubleshooting problems with the initial configuration of your NVG599.
• Chapter 4, “Command Line Interface” — Describes all the current text-based commands for both the SHELL and CONFIG modes. A summary table and individual command examples for each mode are provided.
• Chapter 5, “Technical Specifications and Safety Information” — Presents system and device specifications and important compliance and safety statements.
• Appendix A, "ARRIS Gateway Captive Portal Implementation" — Describes the ARRIS Gateway Captive Portal Implementation.
• Appendix B, "Quality of Service (QoS) Examples" — Describes the ARRIS Gateway Quality of Service (QoS) Implementation.
A Word About Example Screens
This manual contains many example screen illustrations. Since ARRIS gateways offer a wide variety of features
and functionality, the example screens shown may not exactly match the screens for your particular device or
setup. The example screens are for illustrative and explanatory purposes, and should not be construed to
represent your own unique environment.
CHAPTER 2 Device Configuration
Most users will find that the basic Quick Start configuration is sufficient to meet their needs. The Quick Start
section may be all that you need to configure and use your ARRIS NVG599 Gateway. For more advanced users,
a rich feature set is available. The following instructions cover installation in Router mode.
This chapter covers:
• Important Safety Instructions
• Status Indicator Lights
• Battery Installation (optional)
• Battery Door Instructions
• Set up the ARRIS Gateway
• Accessing the Web Management Interface
• Device Status Page
• Tab Bar
• Broadband Tab
• Home Network Tab
• WiFi
• Voice
• Firewall
• Diagnostics
Important Safety Instructions
POWER SUPPLY INSTALLATION
Connect the power supply cord to the power jack on the NVG599. Plug the power supply into an appropriate
electrical outlet. There is no power (on / off) switch to power off the device.
TELECOMMUNICATION INSTALLATION
When using your telephone equipment, basic safety precautions should always be followed to reduce the risk
of fire, electric shock, and injury, including the following:
• Do not use this product near water, for example, near a bathtub, wash bowl, kitchen sink or laundry tub, in a wet basement or near a swimming pool.
• Avoid using a telephone (other than a cordless type) during an electrical storm. There may be a remote risk of electrical shock from lightning.
• Do not use the telephone to report a gas leak in the vicinity of the leak.
CAUTION: The external phone should be UL listed, and the connections should be made in accordance with
Article 800 of the NEC.
CAUTION: To reduce the risk of fire, use only No. 26 AWG or larger telecommunication line cord.
COAX INSTALLATION
Ensure that the outside coaxial cable system is grounded, so as to provide some protection against voltage
surges and built-up static charges. Article 820-20 of the NEC (Section 54, Part I of the Canadian Electrical Code)
provides guidelines for proper grounding and, in particular, specifies that the CATV cable ground be connected
to the grounding system of the building, as close to the point of cable entry as practical.
PRODUCT VENTILATION
The NVG599 is intended for use in a consumer's home. Ambient temperatures should not exceed 104°F (40°C).
The NVG599 should not be used in locations exposed to outside heat radiation or where it is subject to
trapping of its own heat. The product should have at least one inch of clearance on all sides except the bottom
when properly installed and should not be placed inside tightly enclosed spaces unless proper ventilation is
provided.
SAVE THESE INSTRUCTIONS
WARNING:
The power supply must be connected to a mains outlet with a protective earth connection. Do not defeat the
protective earth connection.
CAUTION:
Depending on the power supply provided with the product, either the direct plug-in power supply blades,
power supply cord plug or the appliance coupler serves as the mains power disconnect. It is important that
the direct plug-in power supply, socket-outlet or appliance coupler be located so it is readily accessible.
WARNING:
The battery used in this device may present a risk of fire or chemical burn if mistreated. Do not disassemble,
heat above manufacturer’s maximum temperature limit, or incinerate. Replace battery with ARRIS
P/N 586185-002-00 only. Use of another battery may present a risk of fire or explosion.
Dispose of used battery promptly. Keep away from children. Do not disassemble and do not dispose of in fire.
Status Indicator Lights
Colored LEDs on your NVG599 indicate the activity status of various ports.
ARRIS NVG599 Status Indicator Lights
LED Activity
Power
Solid Green = The device is powered.
Flashing Green = A power-on self-test (POST) is in progress
Flashing Red = A POST failure (not bootable) or device malfunction occurred.
Flashing Amber = Firmware upgrade in progress (see below)
Off = The unit has no AC power. If the battery is in use, the Battery LED will indicate battery status,
and all other LEDs will be off.
Power during Firmware Upgrade
During the software installation, you will lose Internet and phone service. The LEDs will function as follows:
1. As firmware is being loaded into flash, the LEDs operate normally.
2. During the firmware upgrade, which takes a few minutes, the Power LED flashes amber (flash writing to memory), and all other LEDs are off.
3. The NVG599 restarts automatically.
As the device reboots, the LEDs display power-on behavior.
All during Boot process
• Power LED = Flashing Green
• All other LEDs = Off
If the device does not boot and fails its self-test or fails to perform initial load of the bootloader:
• Power LED = Flashing Red
• ALL other LEDs = Off
If the device boots and then detects a failure:
Power LED = Flashing Green starting POST, and then all LEDs will flash red, including Power LED.
Battery
Solid Green = Battery in place but not being used.
Flashing Green = Battery charging.
Solid Red = Battery backup mechanism has a fault.
Flashing Red = Battery needs to be replaced.
Solid Amber = Battery in use.
Flashing Amber = Low battery.
Off = No battery, or battery has no charge.
[Figure: Side View. Labeled indicator lights: Power, Battery, Ethernet, WiFi, HomePNA, USB, Broadband 1, Broadband 2, Service, Phone 1, Phone 2, WPS]
Ethernet
Solid Green = Powered device connected to the associated port (includes devices with wake-on-LAN
capability where a slight voltage is supplied to the Ethernet connection).
Flickering Green = Activity seen from devices associated with the port. The flickering of the light is
synchronized to actual data traffic.
Off = The device is not powered, or no cable or no powered devices are connected to the associated
ports.
WiFi
Solid Green = Wi-Fi is powered.
Flickering Green = Activity seen from devices connected via Wi-Fi. The flickering of the light is synchronized to actual data traffic.
Off = The device is not powered, or no powered devices are connected to the associated ports.
HomePNA
Solid Green = Powered device connected to the associated port (includes devices with wake-on-LAN
capability where a slight voltage is supplied to the Ethernet connection).
Flickering Green = Activity seen from devices associated with the port. The flickering of the light is
synchronized to actual data traffic.
Off = The device is not powered, or no cable or no powered devices are connected to the associated
ports.
Broadband 1**, 2
Solid Green = Good broadband connection (good DSL sync or Gigabit Ethernet).
Flashing Green = Attempting broadband connection (DSL attempting sync).
Flashing Green and Red = If, after three consecutive minutes, the broadband connection fails to be established, the LED switches to Flashing Green alternating with a five second steady Red while attempting or waiting to establish a broadband connection. This pattern continues until the broadband connection is successfully established.
Flashing Red = No DSL signal on the line. This display is not used during times of temporary ‘no tone’
during the training sequence.
Off = The device is not powered.
** Broadband 1 LED is also the Gigabit Ethernet WAN LED when that is in play (and DSL is not).
Service
Solid Green = IP connected. The device has a WAN IP address from DHCP or 802.1x authentication
and the broadband connection is up.
Flashing Green = Attempting connection, attempting IEEE 802.1X authentication, or attempting to
obtain DHCP information.
Red = Device attempted to become IP connected and failed (no DHCP response, 802.1x authentication failed, no IP address from IPCP, etc.). The Red state times out after two minutes, and the Service indicator light returns to the Off state.
Off = The device is not powered or the broadband connection is not present.
Phone 1, 2
Solid Green = The associated VoIP line has been registered with a SIP proxy server.
Flashing Green = Indicates a telephone is off-hook on the associated VoIP line.
Off = VoIP not in use, line not registered, or gateway power off.
USB
Solid Green = Powered device connected to the associated port (includes devices with wake-on-LAN
capability where a slight voltage is supplied to the Ethernet connection).
Flickering Green = Activity seen from devices associated with the port. The flickering of the light is
synchronized to actual data traffic.
Off = The device is not powered, no cable or no powered devices connected to the associated ports.
LED Activity
Rear View
WPS (appears after using WPS button)
Solid Green = Wi-Fi Protected Setup has been completed successfully. LED should stay on for 5 minutes
or until push button is pressed again.
Flashing Green = Continues for 2 minutes, indicating when WPS is broadcasting.
Flashing Red = Continues for 2 minutes, indicating a Session overlap was detected (possible security
risk).
Solid Red = Error unrelated to security, such as failure to find a partner, or WPS is disabled. LED
should stay solid red for 5 minutes or until push button is pressed again.
Off = The device is not powered, or no cable or no powered devices are connected to the associated
ports.
LED Activity
Ethernet 1, 2, 3, 4
Flashing Amber = A Gigabit Ethernet device is connected to each port.
Solid Green = A 10/100 Ethernet device is connected.
Flickering Green = Ethernet traffic activity.
Off = The device is not powered, or no powered devices are connected to the associated ports.
NOTE:
The NVG599 supports two VoIP lines over one RJ14 (FXS) VoIP port. In order to
connect two phone lines, the supplied inner/outer pair splitter adapters must
be attached to the RJ14 (FXS) VoIP port in order to terminate both lines. This is
a special-purpose splitter. You must use only the inner/outer pair splitter
adapters supplied by AT&T.
[Figure: rear panel, with callouts for Gigabit Ethernet (WAN), USB, DSL (WAN), Ethernet (LAN), F-Connector (HPNA), RJ14 (FXS), Reset, and Power Jack]
Battery Installation (optional)
The optional backup battery is located in a compartment on the bottom of the unit. Installing the battery door
requires some care.
1. Note the tab on the bottom of the battery.
2. Insert the battery into the compartment on the bottom of the unit, as shown, and press into place so that
the battery contacts seat securely in the unit.
3. Close the compartment door. See “Battery Door Instructions” on page 17.
CAUTION:
The battery used in this device may present a risk of fire or chemical burn if mistreated. Do not disassemble,
heat above manufacturer’s maximum temperature limit, or incinerate. Replace battery with ARRIS P/N
586185-002-00 only. Use of another battery may present a risk of fire or explosion.
Dispose of used battery promptly. Keep away from children. Do not disassemble and do not dispose of in fire.
Battery Compartment Door
Battery Door Instructions
1. Place NVG599 unit on a tabletop with the battery door side up.
2. Push in and upward to open the battery door as shown in Figure 1.
3. Swing back the battery door. See Figure 2.
4. Insert the battery in the compartment as shown in Figure 3.
5. Swing the door back down and snap closed.
Figure 1
Figure 2
Figure 3
Set up the ARRIS Gateway
Refer to your Quick Start Guide for instructions on how to connect your NVG599 to your power source, PC, or
local area network, and your Internet access point, whether it is a dedicated DSL outlet or a DSL or cable
modem. Be sure to enable dynamic addressing on your PC. To set up the gateway, complete the following
steps:
Microsoft Windows:
1. Navigate to the TCP/IP Properties control panel to configure the IP address using one of the suggested
pathways that follow. Note that Windows Vista and Windows 7 obtain an IP address automatically by default.
You may not need to configure it at all.
Windows 7 follows a path like this: Start menu -> Control Panel -> Network and Sharing Center -> Change
adapter settings -> Local Area Connection -> Change settings of this connection -> Local Area Connection
Properties -> Internet Protocol (TCP/IP) -> Properties
Windows XP follows a path like this: Start menu -> Settings -> Control Panel -> Network Connections -> Local
Area Connection -> Internet Protocol [TCP/IP] -> Properties
2. Select Obtain an IP address automatically.
3. Select Obtain DNS server address automatically, if available.
4. Remove any previously configured gateways, if available.
5. OK the settings. Restart if prompted.
To check:
1. Open the Networking control panel and select Internet Protocol Version 4 (TCP/IPv4).
2. Click the Properties button. The Internet Protocol Version 4 (TCP/IPv4) Properties window should appear as
shown.
Windows 7 Windows XP
3. Set the radio buttons to the values shown above, and click the OK button.
Macintosh MacOS 8 or higher or Mac OS X:
1. Access the TCP/IP or Network control panel.
Mac OS X follows a path like this: Apple Menu -> System Preferences -> Network
MacOS Classic follows a path like this: Apple Menu -> Control Panels -> TCP/IP Control Panel
2. Select Ethernet.
3. Select Configure Using DHCP.
4. Close and save, if prompted.
Proceed to “Accessing the Web Management Interface” on page 21.
Accessing the Web Management Interface
1. Run your Web browser application, such as Firefox or Microsoft Internet Explorer, from the computer
connected to the NVG599 device.
2. Enter http://192.168.1.254 in the Location text box.
While the NVG599 is determining the broadband network type, the following screen appears.
The Device Status page appears.
3. Check to make sure the Broadband and Service LEDs on your NVG599 device are lit GREEN to verify that the
connection to the Internet is active.
Congratulations! Your installation is complete. You can now surf to your favorite Web sites by typing a URL in
your browser’s location box or by selecting one of your favorite Internet bookmarks.
Broadband Network Redirect Pages
After a few minutes, if the broadband network cannot be determined, the following screen appears. Contact
AT&T Customer Care at the number shown on your screen for assistance.
If you click the Continue button, the following screen appears. Here you can manually select the broadband
network type, if you know it.
IP Diagnostics Page Redirect
In the event that your connection to the Internet fails, the Broadband LED on your NVG599 device flashes
RED and you are redirected to the IP Diagnostics page.
Follow the on-screen troubleshooting suggestions.
For additional troubleshooting information, see “Diagnostics” on page 78 and “Basic Troubleshooting” on
page 87.
When your connection is restored or the problem is resolved, the Broadband LED turns GREEN.
Offline Troubleshooting
If the WAN is down, the following information is displayed at the top of the page:
NOTE:
For AT&T this function is enabled by default. See the CLI command “set management lan-redirect enable
[ off | on ]” on page 149.
Device Status Page
After you have performed the basic Easy Login configuration, any time you log in to your NVG599 you will
access the NVG599 Home page.
To access the Home page, type http://192.168.1.254 in your Web browser’s location box.
Device Access Code
On the Device Status page, you may be required to provide your device access code to access the Web
management configuration pages. The device access code is unique to your device. It is printed on a label on
the side of the NVG599.
Enter your device access code and click the Continue button.
The Device Status page appears.
The Device Status page displays the following information in the center section:
Some fields may or may not be displayed, depending on your particular setup.
The Diagnostics button will connect you to the Troubleshoot page. See “Diagnostics” on page 78.
The frame at right displays some links to commonly performed tasks for easy access.
(icon) Field Description
(Broadband)
Broadband Connection
Waiting for DSL is displayed while the NVG599 is training. This should change to Up within two minutes.
Up is displayed when the ADSL line is synched and the session is established.
Down indicates inability to establish a connection; possible line failure.
(Battery)
Status May display any of these values: Normal, Low Battery, Charging, Warning: No battery or battery has no charge, or Warning: Battery backup mechanism has a fault.
(WiFi)
Status Your wireless signal may be On or Off.
Network ID (SSID) The name or ID that is displayed to a client scan. The default SSID for
the NVG599 is attxxx where xxx is the last 3 digits of the serial
number located on the side of the NVG599.
Authentication Type The type of wireless encryption security in use. May be Disabled,
WPA, WEP, Default Key, or Manual.
Network Key Wireless network encryption key in use.
(Coax to STB)
Status Off or On.
(Voice)
Line 1 Indication of VoIP or other phone connection.
Line 2 Indication of VoIP or other phone connection.
Display additional troubleshooting steps » - OR -
Go to AT&T online support for troubleshooting and repair
This link will connect you to the IP Diagnostics page with help for troubleshooting and the AT&T Help Desk information. See “IP Diagnostics Page Redirect” on page 23.
Modify your WiFi security or settings »
This link will connect you to the WiFi page. See “WiFi” on page 43.
Restart your device »
This link will connect you to the Restart Device page. See “Restart Device” on page 33.
Find a computer on your home network »
This link will connect you to the Device List page. See “Device List” on page 28.
Adjust firewall settings for gaming and applications »
This link will connect you to the NAT/Gaming page. See “NAT/Gaming” on page 67.
Tab Bar
The tab bar is located at the top of every page, allowing you to move freely about the site.
The tabs reveal a succession of pages that allow you to manage or configure several features of your Gateway.
Each tab is described in its own section.
Help
Online Help for your device is available in the rightmost frame on every page in the Web interface. For
example, the Help section at right is displayed on the System Information page.
Links Bar
The links bar appears at the top of each page, allowing you to configure aspects of the features displayed on
the page. For example, the links bar on the Home Summary page is as shown below:
The links bar on the Device Status page includes the following links. For more information about each link, see
the related section in this guide.
Status (see page 24)
Device List (see page 28)
System Information (see page 29)
Access Code (see page 30)
Remote Access (see page 31)
Battery (see page 32)
Restart Device (see page 33)
Link: Device List
When you click the Device List link, the Device List page appears.
The page displays the following summary information for each home network device connected to the NVG599
device on your local area network: IPv4 address, network name, MAC address, and other status information.
Home Network Devices
MAC Address Client device’s unique hardware address.
IPv4 Address / Name Client device’s IP address or device network name.
Last Activity Date and time of last traffic for this client device.
Status May be off or on.
Allocation Type of IP address assignment, for example, static or DHCP.
Connection Type Type of connection, for example, Ethernet or WiFi.
For WiFi client connections, the Device List page displays the familiar bars indicating signal strength, as
follows:
Click the Clear Device List button to update the Home Network Devices summary.
Click the Scan for Devices button to seek out other devices that have been connected since the last Home
Network Devices summary update.
Link: System Information
When you click the System Information link, the System Information page appears.
The page displays the following information:
System Information
Manufacturer Manufacturer’s identifier name.
Model Number Manufacturer’s model number.
Serial Number Unique serial number of your device.
Software Version Version number of the current embedded software in your device.
MAC Address Unique hardware address of this NVG599 unit.
Link: Access Code
When you click the Access Code link, the Access Code page appears and allows changes to the code that
controls access to your device’s configuration. Access to your NVG599 device is controlled through an account
named Admin. The default Admin password for your device is the unique access code printed on the label on
the side of your device.
As the Admin, you can change this password to one of your own choosing between 8 and 20 characters long.
The new password must include two characters from any of these categories: alpha, number, and special
characters.
Example: “fru1tfl13s_likeabanana”
Enter your old access code, your new access code, and click the Use New Access Code button. The new access
code takes effect immediately.
You can always return to the original default password by clicking the Use Default Access Code button.
First Use Date Date and time the NVG599 device is first used. This field changes to the current date
and time after a reset to factory defaults.
Time Since Last Reboot Elapsed time since last reboot of the device in days:hr:min:sec.
Current Date/Time Current system date and time in days:hr:min:sec.
Datapump Version Underlying operating system software datapump version.
Legal Disclaimer Clicking the Licenses link displays a listing of software copyright attributions, also
shown in “Copyright Acknowledgments” on page 189.
Link: Remote Access
The Remote Access page lets you grant access to your NVG599 device to other users on the WAN. This
function can be used for advanced troubleshooting or remote configuration.
If remote access is not currently enabled, the Remote Access page lets you configure and enable it. If
remote access has been enabled, the Remote Access page indicates that and provides a button to disable
it.
To enable remote access:
1. Type a password in the Password field. This password must be at least 8 characters long, and must include at
least two of the following types of characters:
Alphabetic (letter) characters
Numeric (number) characters
Special characters (! @ # $ % ^ & * , etc.)
2. If necessary, set a custom port number for secure HTTP access to the NVG599 remote access session in the
Port Value field.
3. Click the radio button that describes the type of remote access to allow:
Read only access - to allow the remote access session to view, but not change, the configuration and
collected statistics of the gateway.
Update access - to allow the session to make changes to the gateway’s configuration.
4. Click the Enable Remote Access button.
The NVG599 updates the Remote Access page and displays the current remote access settings, shows the URL
that a remote access client must use to connect to the remote access session, and provides a button for ending
the remote access session. The remote access client will need to connect to the URL shown on the Remote
Access page, and will need to log in with the user name “tech” and with the password configured when access
was enabled.
WARNING:
Enabling remote access allows anyone who knows or can determine the password, port ID, and URL
(address) of your NVG599 device to view any configuration settings or change the operation of your gateway.
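The password rules stated for the Access Code page and for the Remote Access page can be checked before a value is typed into the gateway. The following Python checker is an added example, not ARRIS code or part of the handbook; the policy names, the reading of the Access Code rule as "at least two of the three categories", the treatment of all ASCII punctuation as special characters, and the flagging of any other character are assumptions.

```python
import string

# Assumption: the handbook lists "! @ # $ % ^ & * , etc." as special characters;
# this example treats every ASCII punctuation character as special.
SPECIAL = set(string.punctuation)

# Rules as stated in the handbook text. max_len=None means no maximum is stated.
# The policy names are labels chosen for this example.
POLICIES = {
    "access_code": {"min_len": 8, "max_len": 20, "min_classes": 2},
    "remote_access": {"min_len": 8, "max_len": None, "min_classes": 2},
}


def char_classes(password):
    """Return the set of character categories present in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_letters:
            found.add("alpha")
        elif ch in string.digits:
            found.add("number")
        elif ch in SPECIAL:
            found.add("special")
        else:
            # Spaces, control characters, non-ASCII: not covered by the handbook.
            found.add("other")
    return found


def check_password(password, policy_name):
    """Return a list of rule violations; an empty list means the value passes."""
    policy = POLICIES[policy_name]
    problems = []
    n = len(password)
    if n < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']} characters ({n})")
    if policy["max_len"] is not None and n > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']} characters ({n})")
    found = char_classes(password)
    if "other" in found:
        # Assumption: reject rather than guess how the gateway handles these.
        problems.append("contains characters outside the three listed categories")
    listed = found - {"other"}
    if len(listed) < policy["min_classes"]:
        problems.append(
            f"uses {len(listed)} character type(s); "
            f"at least {policy['min_classes']} required"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values, plus the sample string printed in the handbook.
    samples = [
        "fru1tfl13s_likeabanana",  # handbook sample: 22 characters long
        "password",                # letters only
        "abc123",                  # too short
        "pass word1",              # contains a space
        "Tr4il-Mix",               # three categories, 9 characters
    ]
    for policy_name in POLICIES:
        print(f"[{policy_name}]")
        for value in samples:
            problems = check_password(value, policy_name)
            verdict = "ok" if not problems else "; ".join(problems)
            print(f"  {value!r}: {verdict}")
```

Applied as written, the 8 to 20 character rule flags the handbook's own sample string, which is 22 characters long; the same string passes the Remote Access rule, which states no maximum.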
To end (disable) an existing remote access configuration, click the Disable Remote Access button, as shown
below:
Link: Battery
The Battery page shows the condition and status of the NVG599 internal battery, and provides control over the
battery condition audible alarm.
The battery condition audible alarm provides an on-hook ringing signal on a connected telephone if the
NVG599 battery needs recharging or replacing. This alarm uses a distinctive “splash” ring pattern and a battery
notification message on phones with caller ID displays or announcers. Additionally, the NVG599 provides an
off-hook voice notification to the subscriber if the NVG599 battery is low (and needs recharging) or faulty (and
needs replacing). After playing the recorded voice notification, the NVG599 provides a dial tone.
The alarm is triggered when the NVG599 determines that the installed battery is:
Below 35% charge and in need of recharging, or
Unable to charge past 80% of capacity and in need of replacing.
To change the alarm setting, click the Battery Audible Alert drop-down menu, and select the setting (On or Off)
for the alarm. Click the Save button to save the new settings, or Cancel to discard them.
Note:
A subscriber may interrupt the voice notification by dialing. The voice notification may be turned off by a
subscriber phone dialing “*#103”. This capability is included in the VOIP digit map with the parameter
*#103<:@C06>
Link: Restart Device
When the NVG599 is restarted, it will disconnect all users, initialize all its interfaces, and load the operating
system software.
In some cases, when you make configuration changes, you may be required to restart for the changes to take
effect.
Broadband Tab
Links available on the Broadband tab provide access to pages that allow you to view information about the
broadband connection and configure connection details.
Link: Broadband Status
When you click the Broadband tab, the Broadband Status page is the first to appear.
The Status page displays information about the NVG599 device’s WAN connection(s) to the Internet.
Broadband Status
Broadband Connection Source The communications technology providing the NVG599 broadband uplink.
Broadband Connection May be Up (connected) or Down (disconnected).
Broadband IPv4 Address The public IP address of your device, whether dynamically or statically assigned.
Gateway IPv4 Address Your ISP's gateway router IP address.
MAC Address Your device’s unique hardware address identifier.
Primary DNS The IP address of the primary Domain Name System (DNS) server.
Secondary DNS The IP address of the backup DNS server, if available.
Primary DNS Name The name of the primary DNS server.
Secondary DNS Name The name of the backup DNS server, if available.
MTU Maximum transmittable unit before packets are broken into multiple packets.
DSL Status (for each line)
Line State May be Up (connected) or Down (disconnected).
Downstream Sync Rate The rate at which your connection can download (receive) data on your DSL line, in
kilobits per second.
Upstream Sync Rate The rate at which your connection can upload (send) data on your DSL line, in kilobits
per second.
Modulation Method of regulating the DSL signal. DMT (discrete multi-tone) allows connections to
work better when certain radio transmitters are present.
Data Path Type of path used by the device's processor.
Downstream and Upstream Statistics (DSL WAN)
SN Margin (db) Signal-to-noise margin, in decibels. Reflects the amount of unwanted noise on the DSL
line.
Line Attenuation Amount of reduction in signal strength on the DSL line, in decibels.
Output Power (dBm) Measure of power output in decibels (dB) referenced to one milliwatt (mW).
Errored Seconds The number of uncorrected seconds after being down for seven consecutive seconds.
Loss of Signal The absence of any signal for any reason, such as a disconnected cable or loss of
power.
Loss of Frame A signal is detected but the device cannot sync with signal because of mismatched
protocols, wrong ISP connection configuration, or faulty cable.
FEC Errors Forward Error Correction errors. Count of received errored packets that were fixed
successfully without a retry.
CRC Errors Number of times data packets have had to be resent because of errors in transmission
or reception.
Ethernet Statistics (Ethernet WAN)
Line State Up or Down
Current Speed Line speed
Current Duplex Full- or half-duplex
Receive Packets Number of packets received
Transmit Packets Number of packets sent
Receive Bytes Number of bytes received
Transmit Bytes Number of bytes sent
Receive Unicast Receive Unicast statistics
Transmit Unicast Transmit Unicast statistics
Receive Multicast Receive Multicast statistics
Transmit Multicast Transmit Multicast statistics
Receive Drops Received packets dropped
Transmit Drops Sent packets dropped
Receive Errors Count of received errored packets that were fixed successfully without a retry.
Transmit Errors Number of times data packets have had to be resent due to errors in transmission.
Collisions Count of packet collisions.
Aggregated Information
Bonded Downstream Rate The bonded channel receive rate.
Bonded Upstream Rate The bonded channel transmit rate.
IPv6
Status May be Enabled or Unavailable.
Global Unicast IPv6 Address The public IPv6 address of your device, whether dynamically or statically assigned.
Border Relay IPv4 Address The public IPv4 address of your device.
IPv4 Statistics
Transmit Packets IPv4 packets transmitted.
Transmit Errors Errors on IPv4 packets transmitted.
Transmit Discards IPv4 packets dropped.
IPv6 Statistics
Transmit Packets IPv6 packets transmitted.
Transmit Errors Errors on IPv6 packets transmitted.
Transmit Discards IPv6 packets dropped.
Link: Configure
When you click the Configure link, the Broadband Configure screen appears. Here you can reconfigure your
type of broadband connection should it change in the future.
Broadband Source Override - Auto (automatically detected), DSL - Line 1, DSL - Line 2, DSL - Line 1 / Line -2
(Bonded), or Ethernet WAN.
If you switch from DSL to Ethernet or from Ethernet to DSL, the device will proceed to reconnect as in its
initial connection to the Internet, as described earlier. See “Accessing the Web Management Interface” on
page 21.
The WAN connection is automatically configured. However, you can adjust the Maximum allowable MTU
(maximum transmittable unit) value, if your service provider suggests it. The default 1500 is the maximum
value, but some services require other values (1492 is common).
If you make any change here, click the Save button.
Link: IGMP Stats
When you click the IGMP Stats link, the IGMP Stats screen appears. The IGMP statistics screen reports IGMP
proxy groups and multicast forwarding information. It also displays a packet counter.
Home Network Tab
When you click the Home Network tab, the Home Network Status page appears.
The Home Network Status page displays information
about the NVG599 device’s local area network.
If you click the Run Congestion Detection button, the
device will generate statistics for each of the 11
channels available, displaying:
Channel number
AP (access point) count
Congestion score (1 - 10) - Note that higher values
mean lower congestion.
The wireless congestion feature provides simple data
to the user to show the level of network congestion
in each wireless channel. This data can be used to
determine router placement or to determine which
channels to avoid.
The display tells the user how many access points
(APs) are active within each channel, and provides a
score of 1 - 10 to indicate how clear the channel is. A
higher score indicates less congestion in a channel;
thus, a 10 indicates a channel extremely clear of
wireless traffic and noise. Alternatively, a score of 1
indicates more severe congestion in a channel.
You can clear the current statistics information by
clicking the Clear Statistics button.
Home Network Status
Device IPv4 Address The NVG599 device’s own IP address on the network.
DHCP Netmask The device’s own netmask on the network.
DHCPv4 Start Address The starting IP address of the DHCP range served by the device.
DHCPv4 End Address The ending IP address of the DHCP range served by the device.
DHCP Leases Available The number of IP addresses of the DHCP range available to be served by the device.
DHCP Leases Allocated The number of IP addresses of the DHCP range currently being served by the device.
DHCP Primary Pool Source pool of the IP addresses served by the NVG599 device, Public or Private.
IPv6
Status May be Enabled or Unavailable.
Global IPv6 Address The public IPv6 address of your device, whether dynamically or statically assigned.
Link-local IPv6 Address The private IPv6 address of your device, whether dynamically or statically assigned.
Router Advertisement Prefix The IPv6 prefix to include in router advertisements.
IPv6 Delegated LAN Prefix The IPv6 network address prefix that identifies the NVG599 network.
IPv4 Statistics
Transmit Packets IPv4 packets transmitted.
Transmit Errors Errors on IPv4 packets transmitted.
Transmit Discards IPv4 packets dropped.
IPv6 Statistics
Transmit Packets IPv6 packets transmitted.
Transmit Errors Errors on IPv6 packets transmitted.
Transmit Discards IPv6 packets dropped.
WiFi Status
WiFi Radio Status Status of the Wi-Fi radio: Enabled or Disabled.
Mode May be 802.11B only, 802.11G only, 802.11N only, 802.11 B/G or 802.11 B/G/N. For
the 5.0 Ghz radio, may be 802.11AC as well.
Bandwidth The capacity of the wireless LAN to carry traffic in megahertz.
Current Radio Channel The radio channel that your Wi-Fi network is broadcasting on.
Radio Channel Selection May be set to automatic or manually selected.
MAC Address Filtering May be either On or Off. If On, you can accept or block client devices from your WLAN
based on their MAC address.
Power Level May be adjusted up to 100%, lower if multiple wireless access points are in use, and
might interfere with each other.
WiFi MAC Address Shows the information of the MAC address of the wireless subsystem.
User SSID May be either On or Off for either frequency.
Guest SSID May be either On or Off for the 2.4 Ghz radio only.
Network Name (SSID) The name or ID that is displayed to a client scan. The default SSID for the NVG599 is
attxxx where xxx is the last 3 digits of the serial number located on the side of the
NVG599 device.
Hide SSID May be either On or Off. If On, your SSID will not appear in a client scan.
Wireless Security The type of wireless encryption security in use. May be Disabled, WPA, WEP,
Default Key, or Manual.
The links at the top of the Home Network page provide access to a series of pages that allow you to configure
and monitor features of your device.
The links bar on the Home Network page includes the following links. For more information about each link,
see the related section in this guide.
Configure (see page 42)
HPNA Configure (see page 42)
Wifi (see page 43)
MAC Filtering (see page 46)
Wireless Scan (see page 47)
Subnets & DHCP (see page 47)
IP Allocation (see page 49)
HPNA (see page 51)
Password Shows the information of the security encryption key in use.
WiFi Network Statistics
Transmit Bytes Number of bytes transmitted on the Wi-Fi network.
Receive Bytes Number of bytes received on the Wi-Fi network.
Transmit Packets Number of packets transmitted on the Wi-Fi network.
Receive Packets Number of packets received on the Wi-Fi network.
Transmit Error Packets The number of errors on packets transmitted on the Wi-Fi network.
Receive Error Packets The number of errors on packets received on the Wi-Fi network.
Transmit Discard Packets The number of packets transmitted on the Wi-Fi network that were dropped.
Receive Discard Packets The number of packets received on the Wi-Fi network that were dropped.
LAN Ethernet Statistics
State May be Up or Down.
Transmit Speed The maximum speed of which the port is capable.
Transmit Packets The number of packets sent out from the port.
Transmit Bytes The number of bytes sent out from the port.
Transmit Dropped The number of packets sent out from the port that were dropped.
Transmit Errors The number of errors on packets sent out from the port.
Receive Packets The number of packets received on the port.
Receive Bytes The number of bytes received on the port.
Receive Unicast The number of unicast packets received on the port.
Receive Multicast The number of multicast packets received on the port.
Receive Dropped The number of packets received on the port that were dropped.
Receive Errors The number of errors on packets received on the port.
Link: Configure
When you click the Configure link, the Configure page for the Ethernet LAN appears.
For each Ethernet Port, 1 through 4, you can select:
Ethernet - Auto (the default self-sensing rate), 10M full- or half-duplex, 100M full- or half-duplex, or 1G
full- or half-duplex.
MDI-X - Auto (the default self-sensing crossover setting), Off, or On.
Click the Save button.
Link: HPNA Configure
When you click the HPNA Configure link, the HPNA Configure page for the HomePNA network appears.
Here you can set HomePNA Networking On or Off.
If desired, you can also set the Output Jack, as either the Coax jack or the Phone jack.
Click the Save button.
Link: WiFi
When you click the WiFi link, the WiFi page appears. The WiFi page displays the status of your wireless LAN
elements.
The WiFi page center section contains a summary of the configuration settings and operational status for the
wireless access point.
Summary Information
Field Status and/or Description
Radio Selection Display the settings for either the 2.4 Ghz or the 5.0 Ghz frequency radio.
WiFi Operation May be either On or Off.
Mode Wireless transmission mode. For the 2.4 Ghz radio, may be 802.11B only, 802.11G only,
802.11N only, 802.11 B/G or 802.11 B/G/N. For the 5.0 Ghz radio, may be 802.11AC as
well.
Bandwidth The capacity of the wireless LAN to carry traffic in megahertz, 20 or 40.
Channel The radio channel on which your Wi-Fi network is broadcasting.
Power Level May be adjusted up to 100%, lower if multiple wireless access points are in use, and
might interfere with each other.
User SSID Enable May be either On or Off for either frequency.
Guest SSID Enable May be either On or Off for the 2.4 Ghz radio only.
Network Name (SSID) The name or ID that is displayed to a client scan. The default SSID for the NVG599 is
attxxx where xxx is the last 3 digits of the serial number located on the side of the
device.
Hide SSID May be either Off or On. If On, your SSID will not appear in a client scan.
Security The type of wireless encryption security in use. May be OFF-No Privacy, WPA-
PSK, WEP, Default Key or Manual.
WiFi Operation – Automatically enabled by default. If you deselect the checkbox, the WiFi options are
disabled, and the wireless access point will not provide or broadcast its wireless LAN services.
Mode – The drop-down menu allows you to select and lock the NVG599 into the wireless transmission mode
you want: A/C, B/G/N, B-only, B/G, G-only, or N-only.
For compatibility with clients using 802.11b (up to 11 Mbps transmission), 802.11g (up to 20+ Mbps),
802.11a (up to 54 Mbit/s using the 5 GHz band), or 802.11n (from 54 Mbit/s to 600 Mbit/s with the use of
four spatial streams at a channel width of 40 MHz), select B/G/N. To limit your wireless LAN to one mode or
the other, select the option that applies to your setup.
Bandwidth – Use a single 20-MHz channel (20MHz setting), or combine two 20-MHz channels (40MHz
setting) to increase data speeds. The 40-MHz mode may only be selected if the Mode setting is 802.11 B/G/N
or 802.11 N-Only. To prevent interference with lower bandwidth clients, the wireless network will revert to
20MHz operation if non-compatible (802.11B, 802.11G, or 20-MHz 802.11N) clients are detected.
Channel – Channel (1 through 11, for North America) on which the network will broadcast. This is a
frequency range within the 2.4-Ghz or 5.0-Ghz band. The Automatic setting allows the wireless access point to
automatically determine the best channel for broadcast.
Power Level – Sets the wireless transmit power, scaling down the wireless access point’s wireless transmit
coverage by lowering its radio power output. Default is 100% power. Transmit power settings are useful in
large venues with multiple wireless routers where you want to reuse channels. Since there are only three
non-overlapping channels in the 802.11 spectrum, it helps to size the wireless access point cell to match the
location. This allows you to install a router to cover a small “hole” without conflicting with other routers
nearby.
Network Name (SSID) – Preset to a number unique to your unit. You can either leave it as is, or change it by
entering a freeform name of up to 32 characters, for example “Brian’s Wireless LAN.” In client PC software,
this might also be called the wireless ID. The Network Name is used to identify this particular wireless LAN.
Depending on their operating system or client wireless card, users must either:
• Select from a list of available wireless LANs that appear in a scanned list on their client.
• Enter this name on their clients in order to join this wireless LAN.
Hide SSID – If enabled, this mode hides the wireless network from the scanning features of wireless client
computers. Hiding the SSID prevents casual detection of your wireless network by unwanted neighbors and
passers-by. The gateway WLAN will not appear when clients scan for access points. If Hide SSID is enabled,
you must remember to enter your SSID when adding clients to the wireless LAN.
Security, WPA Version, WEP Key Length, Key – See “Wireless Security” on page 45.
WiFi Protected Setup (WPS) – Not a security protocol. WPS is an easier way to add and securely configure
new clients to your WLAN. By default, Privacy is set to WiFi Protected Access (WPA-PSK) with a 12-character
security key. WPS allows you to securely share your exact security configuration with a new client that you
are adding to the WLAN, without needing to look up and type this security key. Clients can be added using
the WPS button on the router, or by entering the client WPS PIN on this page. Not all client wireless devices
support WPS. Refer to their documentation.
To add a client: Enter your WPS PIN and click the Submit button. Follow the instructions that came with
your wireless client.
WPA Version – If WPA is selected, may be Both, WPA-1, or WPA-2.
WEP Key Length – May be 10 characters for 40/64-bit, or 26 characters for 128-bit WEP encryption.
Key – Here you can enter a manual encryption key.
WiFi Protected Setup (WPS) – May be either On or Off.
General Information
NOTE:
If you choose to limit the operating mode to 802.11b or 802.11g only, clients using the mode you excluded
will not be able to connect.
NOTE:
While hiding the SSID may prevent casual discovery of your wireless network, enabling security is the only
true method of securing your network.
Wireless Security
By default, wireless security is set to WPA-PSK with a pre-defined WPA-Default Key.
Other options are available from the Security drop-down menu:
WEP - Manual: WEP security is a privacy option that is based on encryption between the router and any PCs
(clients) you have with wireless cards. For WEP-Manual encryption to work, both your wireless access point
and each client must share the same wireless ID (SSID), and both must be using the same encryption keys.
See “WEP-Manual” on page 45.
WPA-PSK: Allows you to enter your own key, the most secure option for your wireless network. The key
can be between 8 and 63 characters, but for best security it should be at least 20 characters. If you select
WPA-PSK as your privacy setting, the WPA Version drop-down menu allows you to select the WPA version(s)
that will be required for client connections. Choices are:
• Both, for maximum interoperability
• WPA-1, for backward compatibility
• WPA-2, for maximum security
All clients must support the version(s) selected in order to successfully connect. Be sure that your Wi-Fi client
adapter supports this option. Not all Wi-Fi clients support WPA-PSK.
OFF - No Privacy: Disables privacy on your network, allowing any wireless users to connect to your wireless
LAN. Select this option if you are using alternative security measures such as VPN tunnels, or if your network
is for public use.
Click the Save button.
WEP-Manual
You can provide a level of data security by enabling WEP (Wired Equivalent Privacy) for encryption of network
data. You can enable 40- or 128-bit WEP Encryption (depending on the capability of your client wireless card)
for IP traffic on your LAN.
WEP - Manual allows you to enter your own encryption keys manually. This is a difficult process, but only
needs to be done once. Avoid the temptation to enter all the same characters.
Key Length: The drop-down menu selects the length of each encryption key. The longer the key, the stronger
the encryption and the more difficult it is to break the encryption.
NOTE:
WEP is a less current and less secure authentication method than WPA-PSK. It may be required if your wireless
clients do not support WPA.
Key: You must enter a key using hexadecimal digits. For 40/64-bit encryption, you need ten digits; 26 digits for
128-bit WEP. Hexadecimal characters are 0 – 9, and a – f.
Examples:
40 bits: 02468ACE02
128 bits: 0123456789ABCDEF0123456789
Any WEP-enabled client must have an identical key of the same length as the router, in order to successfully
receive and decrypt the traffic. Similarly, the client also has a default key that it uses to encrypt its
transmissions. In order for the router to receive the client’s data, it must likewise have the identical key of the
same length.
Click the Save button.
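The Wireless Security and WEP-Manual rules above can be checked before a configuration is entered in the GUI. The following Python sketch is an added example, not code from ARRIS or the gateway: the dictionary keys (security, wpa_version, key, hide_ssid) and the severity labels are assumptions made for illustration, while the setting names and limits are the ones stated in this section.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message); severities are this example's own
HEX_DIGITS = re.compile(r"[0-9A-Fa-f]+")
WEP_LENGTHS = (10, 26)     # hex digits for 40/64-bit and 128-bit keys


def check_wep_key(key: str) -> List[Finding]:
    """Apply the WEP-Manual key rules: hex only, 10 or 26 digits, not one repeated digit."""
    findings = []
    if not HEX_DIGITS.fullmatch(key):
        findings.append(("high", "WEP key may contain only the hexadecimal digits 0-9 and a-f"))
    if len(key) not in WEP_LENGTHS:
        findings.append(("high", "WEP key must be 10 digits (40/64-bit) or 26 digits (128-bit)"))
    if len(key) > 1 and len(set(key.lower())) == 1:
        findings.append(("high", "WEP key repeats one character throughout"))
    return findings


def check_wpa_psk(key: str) -> List[Finding]:
    """Apply the WPA-PSK key rules: 8 to 63 characters, at least 20 advised."""
    if not 8 <= len(key) <= 63:
        return [("high", "WPA-PSK key must be between 8 and 63 characters")]
    if len(key) < 20:
        return [("medium", "WPA-PSK key is shorter than the 20 characters advised for best security")]
    return []


def audit(cfg: Dict[str, object]) -> List[Finding]:
    """Return the findings for one wireless configuration (hypothetical dict layout)."""
    findings: List[Finding] = []
    security = cfg.get("security")
    key = str(cfg.get("key", ""))
    if security == "OFF - No Privacy":
        findings.append(("high", "privacy is off: any wireless user can join the LAN"))
        if cfg.get("hide_ssid"):
            findings.append(("high", "Hide SSID only prevents casual discovery; security is still disabled"))
    elif security == "WEP - Manual":
        findings.append(("medium", "WEP is less secure than WPA-PSK; keep it only for clients without WPA"))
        findings += check_wep_key(key)
    elif security == "WPA-PSK":
        version = cfg.get("wpa_version")
        if version in ("Both", "WPA-1"):
            findings.append(("low", f"WPA Version {version!r} favours compatibility; WPA-2 is the maximum-security choice"))
        findings += check_wpa_psk(key)
    else:
        findings.append(("high", f"unknown Security setting: {security!r}"))
    return findings


# Constructed sample configurations; none of these keys is a real credential.
SAMPLES = {
    "wpa2-long-key": {"security": "WPA-PSK", "wpa_version": "WPA-2",
                      "key": "constructed-sample-key-0001"},
    "wpa-both-short": {"security": "WPA-PSK", "wpa_version": "Both", "key": "shortkey1"},
    "wep-repeated": {"security": "WEP - Manual", "key": "1111111111"},
    "open-hidden": {"security": "OFF - No Privacy", "hide_ssid": True},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name)
        for severity, message in audit(cfg) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```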
Link: MAC Filtering
When you click the MAC Filtering link the MAC Filtering page appears.
MAC filtering allows you to specify which client PCs are allowed to join the wireless LAN by unique hardware
(MAC) address.
To enable this feature, select Blacklist or Whitelist from the MAC Filtering Type menu. Blacklist means that
only MAC addresses you specify will be denied access; Whitelist means that only MAC addresses you specify
will be allowed access.
You add wireless clients that you want to whitelist or blacklist for your wireless LAN by selecting them from
the MAC Address drop-down list or by entering the MAC addresses in the Manual Entry field provided.
Click the Add button.
Your entries will be added to a list of clients that will be either authorized (whitelisted) or disallowed
(blacklisted) depending on your selection.
Click the Save button.
You can add or delete any of your entries later by returning to this page.
Link: Wireless Scan
Your device automatically checks for the best channel to broadcast wireless services. However, in some cases it
may be useful to switch to a different channel (1 through 11, for North America) on which the network will
broadcast.
The scan covers a frequency range within the 2.4 GHz or 5.0 GHz band. Channel selection depends on
government regulated radio frequencies that vary from region to region. Channel selection can have a
significant impact on performance, depending on other wireless activity close to this device. You need not
select a channel at any of the computers on your wireless network. They will automatically scan available
channels seeking a wireless device broadcasting on the SSID for which they are configured.
This scan will disconnect any wireless client devices from the wireless network.
If you want to scan for a different channel on which the device will broadcast, click the Continue button.
Link: Subnets & DHCP
When you click the Subnets & DHCP link, the Subnets & DHCP page appears.
The server configuration determines the functionality of your DHCP settings. This functionality enables the
NVG599 to assign your LAN computer(s) a “private” IP address and other parameters that allow network
communication. This feature simplifies network administration because the NVG599 maintains a list of IP
address assignments. Additional computers can be added to your LAN without the need to configure an IP
address. This is the default mode for your NVG599 device.
Private LAN Subnet
Device IPv4 Address: The IP address of your device as seen from the LAN.
Subnet Mask: Subnet mask of your LAN.
DHCP
DHCPv4 Start Address: First IP address in the range being served to your LAN by the NVG599 DHCP server.
DHCPv4 End Address: Last IP address in the range being served to your LAN by the NVG599 DHCP server.
DHCP Lease: Specifies the default length for DHCP leases issued by the router. Enter lease time in
dd:hh:mm:ss (days/hours/minutes/seconds) format.
Public Subnet
Public Subnet Enable: If you select On from the drop-down menu, you can enable a second subnet to distribute
public addresses to DHCP clients; this means that IP addresses assigned to LAN clients will be public
addresses.
Public IPv4 Address: The IP address of your NVG599 device as seen from the WAN.
Public Subnet Mask: Public subnet mask.
DHCPv4 Start Address: First IP address in the range being served from a DHCP public pool.
DHCPv4 End Address: Last IP address in the range being served from a DHCP public pool.
Primary DHCP Pool: Choose the source of the DHCP pool IP address assignment by selecting either Private
(local to your LAN) or Public (assigned remotely).
Cascaded Router
Cascaded Router Enable: If you have another router behind this device, choose On from the drop-down
menu.
Cascaded Router Address: If you chose On from the drop-down menu, enter the IP address of the router
you are using behind this device in the LAN private IP subnet range.
Network Address: If you chose On from the drop-down menu, enter the Network Address that defines the
range of IP addresses available to clients of the router you are using behind this device.
Subnet Mask: If you chose On from the drop-down menu, enter the subnet mask for the network address
that defines the range of IP addresses available to clients of the router you are using behind this device.
If you make any changes here, click the Save button, and if prompted, restart the NVG599 device.
Link: IP Allocation
When you click the IP Allocation link, the IP Allocation page appears.
The IP Allocation page lets you set aside or assign IP addresses to client devices on your network. With IP
allocation, you can configure known devices to either use DHCP for dynamic IP address assignment, or set
aside a specific IP address for a client device. When IP allocation is enabled for a client, that device is assigned
a pre-determined IP address by the DHCP server of the NVG599. IP allocation lets you set up client devices as
common DHCP systems, but ensures that they always receive the same IP address from the gateway.
The IP Allocation table shows a list of all identified and active client devices the NVG599 is serving.
To change the allocation method used by a client:
1. Locate the client in the IP Allocation table. The client may be identified by the Name value (in the IPv4
Address/Name column) or the device MAC address.
2. Click the Allocate button associated with the client entry.
The IP Allocation window for the client opens.
NOTE:
IP Allocation functions require you to enter your NVG599 Gateway’s access code. Information on the device
code is provided in “Device Access Code” on page 24.
3. Scroll through the New Allocation values and select the address or method to use for the client’s DHCP
assignment:
• Click Address from DHCP Pool to set the client to accept any valid DHCP address available (standard
operation).
• Click any of the private fixed IP addresses (192.168.1.64 to 192.168.1.253) shown in the list to allocate
that IP address to the selected client.
4. Click the Save button to save the IP allocation settings. A red “Changes saved” message appears at the top of
the IP Allocation page.
Link: HPNA
When you click the HPNA link, the HPNA Network page appears.
The HPNA Network page displays information about the
NVG599 gateway’s HPNA-connected devices in 15-minute
intervals. You can test the performance of each station to
station pair by clicking the Run extended Test button.
The following page appears as a warning about this invasive
test.
If you do not run the extended test, the station-to-station
performance section is not displayed.
You can generate updated statistics by clicking the Refresh
button.
HomePNA statistics for the current and previous intervals
are displayed below the following static values:
Station ID
HPNA MAC Address
HPNA Firmware (C-coax, T=TP)
HPNA Version
HPNA Master
Interval statistic fields supply the following information:
Label – Statistic Displayed
Short Tx Pkt – Transmitted Packets
Short Rx Pkt – Received Packets
CRC Errors Rx – Receipt errors
Dropped Tx – Transmit packets dropped
Dropped Rx – Receipt packets dropped
Tx Error % – Percentage of transmitted errors
Rx Error % – Percentage of receipt errors
Frames Tx – Number of frames transmitted
Frames Rx – Number of frames received
Bytes Tx – Bytes transmitted
Bytes Rx – Bytes received
Unicast Tx – Number of unicast packets transmitted
Unicast Rx – Number of unicast packets received
Multicast Tx – Number of multicast packets transmitted
Multicast Rx – Number of multicast packets received
Local Control Req – Number of requests made to the device by local control
Local Control Repl – Number of replies made by the device to local control
Remote Control Req – Number of requests made to the device by remote control
Remote Control Repl – Number of replies made by the device to remote control
Voice
When you click the Voice tab, the Voice Status page appears.
Voice-over-IP (VoIP) refers to voice telephone calls transmitted over the Internet. This type of service differs
from traditional phone service that uses the Public Switched Telephone Network (PSTN). VoIP calls use an
Internet protocol, Session Initiation Protocol (SIP), to transmit sound over a network or the Internet in the form
of data packets.
The Voice page displays information about your VoIP phone lines, if configured. Your device supports two
phones, Line 1 and Line 2.
Whether or not the lines are registered with a SIP server by your service provider, the Voice page displays
their Registration Details.
The links at the top of the Voice page provide access to a series of pages that allow you to configure and
monitor features of your device.
The links bar on the Voice page includes the following links. For more information about each link, see the
related section in this guide.
Line Details (see page 54)
Call Statistics (see page 55)
Link: Line Details
When you click the Line Details link, the Line Details page appears.
If your service provider has enabled your VoIP phone lines, you can register them by clicking the Register
Line 1 or Register Line 2 button.
To test if the lines are enabled, click the Ring Line 1 or Ring Line 2 button. If enabled and registered, the
respective phone will ring for 30 seconds.
To clear the current state of each phone line, click the Reset Line 1 or Reset Line 2 button. This will disconnect
any calls currently in progress as well.
To update the display, click the Refresh button.
Link: Call Statistics
When you click Call Statistics, the Call Statistics page appears.
For Line 1 and Line 2, the two available phone lines, the Call Statistics page displays the following information:
Call Statistics - Line 1 and Line 2
Last Call/Cumulative – Incoming/Outgoing
RTP Packet Loss – Real-time Transport Protocol packets dropped
RTP Packet Loss percentage – Percent of Real-time Transport Protocol packets dropped
Total RTCP Packets – Total Real-time Transport Control Protocol packets
Average Inter Arrival Jitter – Calculated continuously in milliseconds as each data packet is received and averaged.
Max Inter Arrival Jitter – The maximum value in milliseconds recorded as each data packet is received.
Sum of Inter Arrival Jitter – Calculated continuously in milliseconds as each data packet is received and totalled.
Sum of Inter Arrival Jitter Squared – Calculated continuously in milliseconds as each data packet is received and the total is squared.
Sum of Franc Loss – Fraction Lost: The fraction of RTP data packets lost since the previous SR or RR packet was sent. This fraction is defined to be the number of packets lost divided by the number of packets expected. This number will be calculated on every RTCP SR packet. Sum of the fraction lost is calculated with all the RTCP packets.
Sum of Franc Loss Squared – Fraction lost is squared with every RTCP SR or RR packet. Sum of all values will give the Sum of Franc Loss Squared.
Max One Way Delay – One-way delay will be calculated in milliseconds on every RTCP SR or RR packet. This value is (systime - lsr - dslr) / 2, where lsr means last SR timestamp and dslr means delay since last SR.
Sum of One Way Delay – The sum of all the one-way delays calculated in milliseconds on every RTCP packet is displayed as Sum of One Way Delay.
Sum of One Way Delay Squared – One-way delay is squared with every RTCP SR or RR packet. Sum of all values will give the Sum of One Way Delay Squared.
Avg Round Trip Time – Average time in milliseconds from this local source to destination address and back again for all logged calls
Max Round Trip Time – Maximum amount of time in milliseconds from this local source to destination address and back again for all logged calls
Sum of Round Trip Time – Sum of time in milliseconds from this local source to destination address and back again for all logged calls
Sum of Round Trip Time Squared – Sum squared of time from this local source to destination address and back again for all logged calls
For Line 1 and Line 2, the two available phone lines, the Call Summary section displays the following
information:
Call Summary - Line 1 and Line 2
Current Call/Last Completed Call
Call Timestamp – Date and time of the current call
Type – May be Incoming or Outgoing
Duration – Length of time in seconds of call connection
Codec in Use – Audio codec used for decoding the call packet traffic.
Far-End Host Information – SIP server IP information: IP address and port number
Far-End Caller Information – Caller ID information, if available
Cumulative Since Last Reset
Last Reset Timestamp – Date and time of the last call
Number of Calls – Total number of calls for each VoIP line
Duration – Time in seconds since the last call
Number of Incoming Calls Failed – Number of incoming calls that fail to connect
Number of Outgoing Calls Failed – Number of outgoing calls that fail to connect
The following table shows VoIP line states during various conditions.
VoIP Line 1/2  Hook state   WAN IP  Reg-state   FXS Voltage  Tone       LED
Disabled       On/Off-hook  Up      Idle        Off          N/A        Off
Enabled        On-hook      Up      Registered  On           N/A        Solid
Enabled        Off-hook     Up      Registered  On           Dial tone  Blink
Enabled        On/Off hook  Up      Failure     Off          N/A        Off
Enabled        On/Off hook  Down    Idle        Off          N/A        Off
The following table provides the state changes during the boot-up procedure.
VoIP Line 1/2  WAN Status  Hook State   Reg-state   FXS Voltage  Tone        LED
Disabled       Down        Off-hook     Idle        On-to-off    Off         Off
Enabled        Down        On/Off-hook  Idle        On           Congestion  Off
Enabled        Up          Off-hook     Registered  On           Congestion. Dial Tone played after the hook state is changed.  On
Firewall
When you click the Firewall tab, the Firewall Status page appears. The Firewall page displays the status of your
system firewall elements.
All computer operating systems are vulnerable to attack from outside sources, typically at the operating
system or Internet Protocol (IP) layers. Stateful Inspection firewalls intercept and analyze incoming data
packets to determine whether they should be admitted to your private LAN, based on multiple criteria, or
blocked. Stateful inspection improves security by tracking data packets over a period of time, examining
incoming and outgoing packets. Outgoing packets that request specific types of incoming packets are tracked;
only those incoming packets constituting a proper response are allowed through the firewall.
Stateful inspection is a security feature that prevents unsolicited inbound access when network address
translation (NAT) is disabled. You can configure UDP and TCP “no-activity” periods that will also apply to NAT
timeouts if stateful inspection is enabled on the interface. Stateful Inspection parameters are active on a WAN
interface only if enabled on your system. Stateful inspection can be enabled on a WAN interface whether NAT
is enabled or not.
The Firewall Status page shows whether each firewall feature is On or Off.
The links at the top of the Firewall page provide access to a series of pages that allow you to configure security
features of your device.
The links bar on the Firewall page includes the following links. For more information about each link, see the
related section in this guide.
Packet Filter (see page 60)
NAT/Gaming (see page 67)
IP Passthrough (see page 73)
Firewall Advanced (see page 76)
Link: Packet Filter
When you click the Packet Filter link, the Packet Filter page appears.
Security should be a high priority for anyone administering a network connected to the Internet. Using packet
filters to control network communications can greatly improve your network’s security. The Packet Filter
engine allows creation of a maximum of eight filtersets. Each filterset can have up to eight rules configured.
ARRIS’s packet filters are designed to provide security for the Internet connections made to and from your
network. You can customize the NVG599 device’s filtersets for a variety of packet filtering applications. Typically,
you use filters to selectively admit or refuse TCP/IP connections from certain remote networks and specific
hosts. You will also use filters to screen particular types of connections. This is commonly called firewalling
your network.
Before creating filtersets, you should read the next few sections to learn more about how these powerful
security tools work.
WARNING:
Before attempting to configure filters and filtersets, please read and understand this entire section thoroughly.
The ARRIS NVG599 device incorporating NAT has advanced security features built in. Improperly adding
filters and filtersets increases the possibility of loss of communication with the device and the Internet.
Never attempt to configure filters unless you are local to the NVG599 device.
Although using filtersets can enhance network security, there are disadvantages:
• Filters are complex. Combining them in filtersets introduces subtle interactions, increasing the likelihood of
implementation errors.
• Enabling a large number of filters can have a negative impact on performance. Processing of packets will
take longer if they have to go through many checkpoints in addition to NAT.
• Too much reliance on packet filters can cause too little reliance on other security methods. Filtersets are
not a substitute for password protection, effective safeguarding of passwords, and general awareness of how
your network may be vulnerable.
Parts of a Filter
A filter consists of criteria based on packet attributes. A typical filter can match a packet on any one of the
following attributes:
The source IP address (where the packet was sent from)
The destination IP address (where the packet is going)
The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP
Other Filter Attributes
There are three other attributes to each filter:
The filter’s order (i.e., priority) in the filterset
Whether the filter is currently active
Whether the filter is set to forward packets or to block (discard) packets
Design Guidelines
Careful thought must go into designing a new filterset. You should consider the following guidelines:
Be sure the filterset’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set,
and that can actually make your network less secure.
Be sure each individual filter’s purpose is clear.
Determine how filter priority will affect the set’s actions. Test the set (on paper) by determining how the filters
would respond to a number of different hypothetical packets.
Consider the combined effect of the filters. If every filter in a set fails to match on a particular packet, the
packet is:
• Forwarded if all the filters are configured to discard (not forward)
• Discarded if all the filters are configured to forward
• Discarded if the set contains a combination of forward and discard filters
An Approach to Using Filters
The ultimate goal of network security is to prevent unauthorized access to the network without compromising
authorized access. Using filtersets is part of reaching that goal.
Each filterset you design will be based on one of the following approaches:
That which is not expressly prohibited is permitted.
That which is not expressly permitted is prohibited.
We strongly recommend that you take the latter, and safer, approach to all of your filterset designs.
Working with Packet Filters
To work with filters:
1. Access the Packet Filter page by clicking the Packet Filter link.
2. Globally turn filters on or off by clicking the Enable/Disable Packet Filters button.
3. Select the type of packet filter rule by clicking either the Add a ‘Drop’ Rule or Add a ‘Pass’ Rule button.
• If you select a drop rule, the specified packets will be blocked.
• If you select a pass rule, the specified packets will be forwarded.
4. Click the Add Match button to enter the source IP address or destination IP address this filter will match on.
As you create new matches, the list items change. There can only be one match from each match type for a
given rule. Match types like Source Port, Destination Port, and TCP Flags are only available if other matches
(for example, Protocol = TCP) have previously been created.
5. Select a protocol, if necessary, from the pull-down menu: ICMP, TCP, UDP, or None to specify any other IP
transport protocol.
If you chose by number, enter the Protocol by number here.
If you chose by name, enter the Protocol by name here.
Enter the Source Port this filter will match on.
Enter the Destination Port this filter will match on.
If you selected ICMP, enter the ICMP Type here.
When you are finished configuring the filter, click the Enter Match button.
The filter is automatically saved.
Packet Filter Rules List
Your entries to the packet filter rules list are displayed as a table.
NOTE:
Default Forwarding Filter
If you create one or more filters that have a matching action of forward, then the action on a packet matching
none of the filters is to block it.
Therefore, if the behavior you want is to force the routing of a certain type of packet and pass all others
through the normal routing mechanism, you must configure one filter to match the first type of packet and
apply Force Routing. A subsequent filter is required to match and forward all other packets.
Management IP traffic
If the Force Routing filter is applied to source IP addresses, it may inadvertently block communication with
the router itself. You can avoid this by preceding the Force Routing filter with a filter that matches the destination
IP address of the NVG599 device itself.
Example:
Assume a configured Custom Service/Hosted Application for an internal web server whose global port range is
8080-8080. Also assume that we want to allow only one external subnet access to this internal server:
207.53.17.0/24. And finally, assume that we want to disallow one IP address on that subnet, 207.53.17.9, from
access to that same server (perhaps they were abusing the system in some way). We would need the following
rules:
Input Rules
Rule Order  Action  Source IP       Destination IP  Protocol  Source Port  Destination Port
1           Drop    207.53.17.9     -               TCP                    8080
2           Pass    207.53.17.0/24  -               TCP                    8080
3           Drop    -               -               TCP                    8080
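The Design Guidelines recommend testing a filterset on paper against hypothetical packets. The Python sketch below is an added example, not ARRIS code: it models the three Input Rules above together with the no-match default described under Design Guidelines and in the Default Forwarding Filter note. It assumes that the first matching rule in rule order decides and that an empty filterset forwards; the test packets and the destination address 192.0.2.10 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MAX_RULES = 8  # the manual: each filterset can have up to eight rules


@dataclass(frozen=True)
class Rule:
    action: str                  # "drop" or "pass"
    src: Optional[str] = None    # host or CIDR; None is the "-" (any) of the table
    dst: Optional[str] = None
    proto: Optional[str] = None  # "tcp", "udp" or "icmp"; None matches any
    dport: Optional[int] = None
    enabled: bool = True

    def __post_init__(self):
        if self.action not in ("drop", "pass"):
            raise ValueError(f"unknown action: {self.action!r}")

    def matches(self, pkt: dict) -> bool:
        """True when every criterion set on the rule agrees with the packet."""
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst, strict=False):
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (verdict, rule order); the order is None when the default applied."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"a filterset holds at most {MAX_RULES} rules")
    for order, rule in enumerate(rules, start=1):
        if rule.enabled and rule.matches(pkt):
            return rule.action, order  # assumption: the first matching rule decides
    # Nothing matched. Per the manual the packet is forwarded only when every
    # filter is a drop filter; any pass filter in the set makes the default drop.
    # Assumption: an empty filterset forwards (all() of nothing is True).
    active = [r for r in rules if r.enabled]
    if all(r.action == "drop" for r in active):
        return "pass", None
    return "drop", None


def packet(src: str, dport: int, proto: str = "tcp", dst: str = "192.0.2.10") -> dict:
    """Build a constructed test packet; dst is a documentation address."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def paper_test(rules: List[Rule], cases) -> list:
    """Return (src, proto, dport, verdict, order) for every case that disagrees."""
    failures = []
    for pkt, wanted in cases:
        verdict, order = evaluate(rules, pkt)
        if verdict != wanted:
            failures.append((pkt["src"], pkt["proto"], pkt["dport"], verdict, order))
    return failures


# The three Input Rules from the manual's example, in the order given there.
BLOCK_ABUSER = Rule("drop", src="207.53.17.9", proto="tcp", dport=8080)
ALLOW_SUBNET = Rule("pass", src="207.53.17.0/24", proto="tcp", dport=8080)
BLOCK_OTHERS = Rule("drop", proto="tcp", dport=8080)
EXAMPLE = [BLOCK_ABUSER, ALLOW_SUBNET, BLOCK_OTHERS]

# Constructed packets with the verdict the designer intends for each.
CASES = [
    (packet("207.53.17.9", 8080), "drop"),    # the abusive host
    (packet("207.53.17.20", 8080), "pass"),   # another host on the allowed subnet
    (packet("198.51.100.7", 8080), "drop"),   # any other source
    (packet("207.53.17.20", 443), "drop"),    # matches no rule: default applies
]

if __name__ == "__main__":
    print("as written:", paper_test(EXAMPLE, CASES))
    swapped = [ALLOW_SUBNET, BLOCK_ABUSER, BLOCK_OTHERS]
    print("rules 1 and 2 swapped:", paper_test(swapped, CASES))
    for pkt, _ in CASES:
        print(pkt["src"], pkt["dport"], evaluate(EXAMPLE, pkt))
```

Swapping rules 1 and 2 lets 207.53.17.9 through on the subnet pass rule, and the port 443 case shows that a set containing any pass rule also blocks traffic that none of its rules mention.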
Caution:
If the packet filter or port forwarding rule involves TCP port 80 or 3389; or UDP port 47806, 43962, 69, 123,
or 53; or if you attempt to add or change a match such that this occurs and you are running in VDSL/Ethernet
mode, the following warning will appear.
Example 2
The following example uses the GUI to detail how to create a public subnet.
1. Select Home Network -> Subnets & DHCP from the Web management GUI.
2. Select On from the Public Subnet Enable drop-down menu.
3. Enter all applicable public subnet IP address information and select Save at the bottom of the view.
4. Select Firewall -> Packet Filter to create a packet filter that will allow specific traffic to flow to a public LAN
client.
5. Scroll to the bottom of the screen and select Add a Pass Rule. This rule will allow traffic to flow through the
public subnet based on the match criteria that will be set up next.
The new rule will be at the bottom of the Packet Rules list (as shown below).
6. Select the Add Match button below the new rule created above. This opens the Match Entry view.
7. For this example, the filter will be made based on a TCP port. Select Protocol from the Match Type drop-
down menu. This automatically fills in TCP in the Match Value field. At this point do not enable the rule until
all criteria have been entered.
8. Click Enter Match. This will return the GUI to the Packet Rules list.
9. Select Add Match below the rule created earlier.
10. Select Destination Port from the Match Type drop-down menu and enter 21 (this value corresponds to FTP)
in the Match Value entry box.
11. Click Enter Match.
12. Select Add Match below the same rule created earlier.
13. Select Destination IP Address from the Match Type drop-down menu and enter the IP address entered in
Step 3 of this procedure.
14. Select the Enable Rule check box and click Enter Match. The GUI returns to the Packet Rules list and the rule
is active and grayed out. It cannot be edited without first disabling the rule.
Link: NAT/Gaming
When you click the NAT/Gaming link, the NAT/Gaming page appears.
The NAT/Gaming feature allows you to host internet applications when NAT (network address translation) is
enabled. You can host different games and software on different PCs.
From the Service drop-down menu, you can select any of a large number of predefined games and software.
(See “List of Supported Games and Software” on page 71.) In addition to choosing from these predefined
services you can also select a user defined custom service. (See “Custom Services” on page 69.)
For each supported game or service, you can view the protocols and port ranges used by the game or service
by clicking the Service Details button. For example:
1. Select a hosting device from the Needed by Device drop-down menu.
2. Once you choose a software service or game, click Add.
3. Select a PC to host the software from the Select Host Device drop-down menu and click Save.
Each time you enable a software service or game, your entry will be added to the list of Service names displayed
on the NAT Configuration page.
To remove a game or software from the hosted list, choose the game or software you want to remove and
click the Remove button.
Custom Services
To configure a custom service, click the Add/Edit Services button. The Custom Services page appears.
Enter the following information:
Service Name: A unique identifier for the custom service.
Global Port Range: Range of ports on which incoming traffic will be received.
Base Host Port: The port number at the start of the port range your NVG599 device should use when forwarding
traffic of the specified type(s) to the internal IP address.
Protocol: Protocol type of Internet traffic, TCP or UDP.
Once you define a custom service it becomes available in the Application Hosting Entry Service menu as one of
the services to select.
Click the Add button.
Each time you add a custom service, your entry will be added to the list of service names displayed on the
Custom Services page.
Changes are saved immediately.
To remove this Service, click the Delete button.
To edit this Service, click the Edit button.
NOTE:
You cannot edit a custom service if that service is active; it must be inactive before it can be edited.
List of Supported Games and Software
AIM Talk Act of War - Direct Action Age of Empires II
Age of Empires, v.1.0 Age of Empires: The Rise of Rome, v.1.0 Age of Mythology
Age of Wonders America's Army Apache
Asheron's Call Azureus Baldur's Gate I and II
Battlefield 1942 Battlefield Communicator Battlefield Vietnam
BitTornado BitTorrent Black and White
Blazing Angels Online Brothers in Arms - Earned in Blood Brothers in Arms Online
Buddy Phone CART Precision Racing, v 1.0 Calista IP Phone
Call of Duty Citrix Metaframe/ICA Client Close Combat III: The Russian Front,
v 1.0
Close Combat for Windows 1.0 Close Combat: A Bridge Too Far, v
2.0
Combat Flight Sim 2: WWII Pacific
Thr, v 1.0
Combat Flight Sim: WWII Europe
Series, v 1.0
Counter Strike DNS Server
Dark Reign Delta Force (Client and Server) Delta Force 2
Delta Force Black Hawk Down Diablo II Server Dialpad
DirecTV STB 1 DirecTV STB 2 DirecTV STB 3
Doom 3 Dues Ex Dune 2000
Empire Earth Empire Earth 2 F-16, Mig 29
F-22, Lightning 3 FTP Far Cry
Fighter Ace II GNUtella Grand Theft Auto 2 Multiplayer
H.323 compliant (Netmeeting,
CUSeeME)
HTTP HTTPS
Half Life Half Life 2 Steam Half Life 2 Steam Server
Half Life Steam Half Life Steam Server Halo
Hellbender for Windows, v 1.0 Heretic II Hexen II
Hotline Server ICQ 2001b ICQ Old
IMAP Client IMAP Client v.3 IPSec IKE
Internet Phone Jedi Knight II: Jedi Outcast Kali
KazaA Lime Wire Links LS 2000
Lord of the Rings Online MSN Game Zone MSN Game Zone DX
MSN Messenger Mech Warrior 3 MechWarrior 4: Vengeance
Medal of Honor Allied Assault Microsoft Flight Simulator 2000 Microsoft Flight Simulator 98
Microsoft Golf 1998 Edition, v 1.0 Microsoft Golf 1999 Edition Microsoft Golf 2001 Edition
Administrator’s Handbook
72
Midtown Madness, v 1.0 Monster Truck Madness 2, v 2.0 Monster Truck Madness, v 1.0
Motocross Madness 2, v 2.0 Motocross Madness, v 1.0 NNTP
Need for Speed 3, Hot Pursuit Need for Speed, Porsche Net2Phone
Operation FlashPoint Outlaws POP-3
PPTP PlayStation Network Quake 2
Quake 3 Quake 4 Rainbow Six
RealAudio Return to Castle Wolfenstein Roger Wilco
Rogue Spear SMTP SNMP
SSH server ShoutCast Server SlingBox
Soldier of Fortune StarCraft StarLancer, v 1.0
Starfleet Command TFTP TeamSpeak
Telnet Tiberian Sun: Command and Con-
quer
Timbuktu
Total Annihilation Ultima Online Unreal Tournament Server
Urban Assault, v 1.0 VNC, Virtual Network Computing Warlords Battlecry
Warrock Westwood Online, Command and
Conquer
Win2000 Terminal Server
Wolfenstein Enemy Territory World of Warcraft X-Lite
XBox 360 Media Center XBox Live 360 Yahoo Messenger Chat
Yahoo Messenger Phone ZNES eDonkey
eMule eMule Plus iTunes
mIRC Auth-IdentD mIRC Chat mIRC DCC - IRC DCC
pcAnywhere (incoming)
73
Link: IP Passthrough
When you click the IP Passthrough link, the IP Passthrough page appears.
IP Passthrough
The IP Passthrough feature allows a single PC on the LAN to have the ARRIS Gateway's public address assigned
to it. It also provides PAT (port address translation) (or NAPT – network address and port translation) via the
same public IP address for all other hosts on the private LAN subnet.
Using IP Passthrough, the public WAN IP is used to provide IP address translation for private LAN computers.
The public WAN IP is assigned and reused on a LAN computer.
DHCP address serving can automatically serve the WAN IP address to a LAN computer.
When DHCP is used for addressing the designated passthrough PC, the acquired or configured WAN address is
passed to DHCP, which will dynamically configure a single-servable-address subnet, and reserve the address
for the configured PC's MAC address. This dynamic subnet configuration is based on the local and remote
WAN address and subnet mask.
The two DHCP modes assign the needed WAN IP information to the client automatically.
• You can select the MAC address of the PC you want to be the IP Passthrough client with fixed mode, or,
• with “first-come-first-served” – dynamic – the first client to renew its address will be assigned the WAN IP.
Manual mode is like statically configuring your PC. With Manual mode, you configure the TCP/IP Properties
of the LAN client PC you want to be the IP Passthrough client. You then manually enter the WAN IP address,
gateway address, and so on that matches the WAN IP address information of your ARRIS device. This mode
works the same as the DHCP modes. Unsolicited WAN traffic will get passed to this client. The client is still
able to access the ARRIS NVG599 device and other LAN clients on the 192.168.1.x network, etc.
The Passthrough DHCP Lease – By default, the passthrough host's DHCP leases will be shortened to two minutes. This allows for timely updates of the host's IP address, which will be a private IP address before the WAN connection is established. After the WAN connection is established and has an address, the passthrough host can renew its DHCP address binding to acquire the WAN IP address. You may alter this setting.
Click Save. Changes take effect upon restart.
A Restriction
Because both the NVG599 device and the passthrough host will use the same IP address, new sessions that
conflict with existing sessions will be rejected by the NVG599. For example, suppose you are a teleworker using
an IPSec tunnel from the router and from the passthrough host. Both tunnels go to the same remote endpoint,
such as the VPN access concentrator at your employer's office. In this case, the first one to start the IPSec
traffic will be allowed; the second one – because, from the WAN, it is indistinguishable – will fail.
NAT Default Server
The NAT default server feature allows you to:
Direct your NVG599 device to forward all externally initiated IP traffic (TCP and UDP protocols only) to a
default host on the LAN, specified by your entry in the Internal Address field.
Enable the default server for certain situations:
– Where you cannot anticipate what port number or packet protocol an in-bound application might use. For
example, some network games select arbitrary port numbers when a connection is opened.
– When you want all unsolicited traffic to go to a specific LAN host.
This feature allows you to direct unsolicited or non-specific traffic to a designated LAN station. With NAT on in
the device, these packets normally would be discarded. For instance, this feature could be used for application
traffic where you do not know in advance the port or protocol that will be used. Some game applications fit
this profile.
Click Save. Changes take effect immediately.
Link: Firewall Advanced
When you click the Firewall Advanced link the Firewall Advanced screen appears.
All computer operating systems are vulnerable to attack from outside sources, typically at the operating
system or Internet Protocol (IP) layers. Stateful inspection firewalls intercept and analyze incoming data
packets to determine whether they should be admitted to your private LAN, based on multiple criteria, or
blocked. Stateful inspection improves security by tracking data packets over a period of time, examining
incoming and outgoing packets. Outgoing packets that request specific types of incoming packets are tracked;
only those incoming packets constituting a proper response are allowed through the firewall.
Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. You can
configure UDP and TCP “no-activity” periods that will also apply to NAT timeouts if stateful inspection is
enabled on the interface. Stateful Inspection parameters are active on a WAN interface only if enabled on your
NVG599 device. Stateful inspection can be enabled on a WAN interface whether NAT is enabled or not.
DoS Protection – Denial-of-service (DoS) attacks are common on the Internet, and can render an individual PC
or a whole network practically unusable by consuming all its resources. Your NVG599 includes default settings
to block the most common types of DoS attacks. For special requirements or circumstances, a variety of
additional blocking characteristics are offered. See the following table.
Menu item: Function
Drop packets with invalid source or destination IP address: Whether packets with invalid source or destination IP address(es) are to be dropped.
Protect against port scan: Whether to detect and drop port scans.
Drop packets with unknown ether types: Whether packets with unknown ether types are to be dropped.
Drop packets with invalid TCP flags: Whether packets with invalid TCP flag settings (NULL, FIN, Xmas, etc.) should be dropped.
Drop incoming ICMP Echo requests: Whether all ICMP echo requests are to be dropped; On or Off.
Flood Limit: Whether packet flooding should be detected and offending packets be dropped; On or Off.
Flood rate limit: Specifies the maximum number of packets per second allowed before the remainder are dropped.
Flood burst limit: Specifies the maximum number of packets allowed in a single burst before the remainder are dropped.
Flood limit ICMP enable: Whether ICMP traffic packet flooding should be detected and offending packets be dropped; On or Off.
Flood limit UDP enable: Whether UDP traffic packet flooding should be detected and offending packets be dropped; On or Off.
Flood limit UDP Pass multicast: Allows exclusion of UDP multicast traffic. On by default.
Flood limit TCP enable: Allows exclusion of TCP traffic. Off by default.
Flood limit TCP SYN-cookie: Allows TCP SYN cookies flooding to be excluded.
Neighbor Discovery Attack protection: Prevents downstream traffic from an upstream device that sends excessive traffic but receives no replies; On or Off.
ESP Header Forwarding: Allows the use of Encapsulating Security Payload (ESP) data payload encryption for IP Secure (IPsec) from qualifying endpoints; On or Off.
Authentication Header Forwarding: Accept and forward IPSec packets with Authentication Headers, which may be used by some IPSec implementations to validate packet sources; On or Off.
Reflexive ACL: When IPv6 is enabled, Reflexive Access Control Lists can deny inbound IPv6 traffic unless this traffic results from returning outgoing packets (except as configured through firewall rules).
If you make any changes here, click the Save button.
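The following is an added example, not ARRIS code and not a description of how the NVG599 implements the check: it shows what the "invalid TCP flags" named in the table look like in a raw TCP header. The SYN+FIN, SYN+RST and missing-ACK cases go beyond the handbook's "NULL, FIN, Xmas, etc.", and the sample segments are constructed.

```python
import struct

# TCP control bits: the low six bits of header byte 13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Extract the six classic control bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    if segment[12] >> 4 < 5:  # data offset, in 32-bit words
        raise ValueError("data offset below the 5-word minimum")
    return segment[13] & 0x3F  # mask off ECE/CWR


def classify(flags: int) -> str:
    """Return 'valid' or the name of the invalid flag combination."""
    if flags == 0:
        return "NULL"              # no control bit set at all
    if flags == FIN | PSH | URG:
        return "Xmas"              # FIN, PSH and URG lit together
    if flags == FIN:
        return "FIN"               # bare FIN; a real close carries ACK too
    if flags & SYN and flags & FIN:
        return "SYN+FIN"           # open and close in the same segment
    if flags & SYN and flags & RST:
        return "SYN+RST"           # open and abort in the same segment
    if not flags & (SYN | RST | ACK):
        return "no SYN/RST/ACK"    # e.g. PSH or URG without ACK
    return "valid"


def make_segment(flags: int) -> bytes:
    """Build a constructed 20-byte TCP header carrying the given flags."""
    # source port, dest port, seq, ack, data offset, flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 1024, 0, 0)


def audit(segments):
    """Classify each raw segment; the result lines up with the input order."""
    return [classify(tcp_flags(s)) for s in segments]


# Constructed samples: four legitimate segments, then five invalid ones.
SAMPLE_FLAGS = [SYN, SYN | ACK, FIN | ACK, RST,
                0, FIN, FIN | PSH | URG, SYN | FIN, PSH]

if __name__ == "__main__":
    for flags, verdict in zip(SAMPLE_FLAGS, audit(map(make_segment, SAMPLE_FLAGS))):
        print(f"flags=0x{flags:02x} -> {verdict}")
```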
Diagnostics
When you click the Diagnostics tab, the Troubleshoot page appears.
This automated multi-layer test examines the functions of the router from the physical connections to the data
traffic being sent by users through the router.
You can run all the tests in order by clicking the Run Full Diagnostics button.
The device will automatically test a number of components to determine any problems. You can see detailed
results of the tests by clicking the Details buttons for each item. The details presented depend on the
configuration of your router and your network type.
Here is an example of the Ethernet Details screen.
Test Internet Access
Internet access tests send a ping from the modem to either the LAN or WAN to verify connectivity. The ping target can be either an IP address (163.176.4.32) or a domain name (www.arris.com). Enter a Web address URL or an IP address in the respective field.
Click the Ping, Trace, NSLookup, or Detect Missing Filter button.
Results will be displayed in the Progress Window as they are generated.
Ping - tests the reachability of a particular network destination by sending an ICMP echo request and waiting
for a reply.
Traceroute - displays the path to a destination by showing the number of hops and the router addresses of
these hops.
NSLookup - converts a domain name to its IP address and vice versa.
Detect Missing Filter - if you click the Detect Missing Filter button, a warning message appears at the top since the detection takes up to 2 minutes. When completed, the Progress area might look like the following.
To use the ping capability, type a destination address (domain name or IP address) in the text box and click the
Ping, Trace, or Lookup button. The results are displayed in the Progress Window.
This sequence of tests takes approximately one minute to generate results. Be sure to wait for the test to run to
completion.
Each test generates one of the following result codes:
Result: Meaning
* PASS: The test was successful.
* FAIL: The test was unsuccessful.
* SKIPPED: The test was skipped because a test on which it depended failed.
* PENDING: The test timed out without producing a result. Try running the test again.
* WARNING: The test was unsuccessful. The service provider equipment your modem connects to may not support this test.
Below are some specific tests:
Action: If Ping Fails, Possible Causes Are:
From the Check Connection Page:
Ping the Internet default gateway IP address: DSL is down, DSL settings are incorrect; gateway's IP address or subnet mask are wrong; gateway router is down.
Ping an Internet site by IP address: Site is down.
Ping an Internet site by name: Servers are down; site is down.
From a LAN PC:
Ping the modem’s LAN IP address: IP address and subnet mask of PC are not on the same scheme as the modem; cabling or other connectivity issue.
Ping an Internet site by IP address: PC's subnet mask may be incorrect, site is down.
Ping an Internet site by name: DNS is not properly configured on the PC, site is down.
Link: Logs
When you click Logs, the Logs page appears.
The current status of the device is displayed for all logs: System, Firewall, or VoIP. Choose the log you want to
display from the drop-down menu.
You can clear all log entries by clicking the Clear Log button.
You can save logs to a text (.TXT) file by clicking the Save to File button. This will download the file to your browser's default download location on your hard drive. The file can be opened with your favorite text editor.
NOTE:
Some browsers, such as Internet Explorer for Windows XP, require that you specify the ARRIS device’s URL as
a “Trusted site” in “Internet Options: Security.” This is necessary to allow the download of the log text file to
the PC.
The following is an example log portion saved as a .TXT file:
Link: Update
When you click Update, the Update page appears.
Operating system software is what makes your NVG599 device run, and occasionally it needs to be updated.
Your Current software version is displayed at the top of the page.
To update your software from a file on your PC, you must first download the software from your service
provider's support site to your PC's hard drive.
1. Browse your computer for the operating system file you downloaded and select the file.
2. Click the Update button.
The LEDs will operate normally as described in "Status Indicator Lights".
3. The installation may take a few minutes and the Web page will indicate a 3-part countdown before returning
you to the Home page; wait for it to complete. During the software installation, you will lose Internet and
phone service. The LEDs will function as follows:
The Power LED will flash Orange/Amber during firmware upgrade (flash writing to memory) and all
other LEDs will be off.
4. The Gateway will restart automatically.
As the device reboots, the LEDs display power-on behavior.
5. Your new operating system will then be running.
Link: Resets
When you click the Resets link, the Resets page appears.
In some cases, you may need to clear all the configuration settings and start over again to program the
ARRIS NVG599 device. You can perform a factory reset to do this.
It might also be useful to reset your connection to the Internet without deleting all of your configuration
settings.
Click the Reset IP button to refresh your Internet WAN IP address. LAN-side users will be briefly disconnected
from the Internet, but will otherwise be unaffected.
Click the Reset Connection button to disconnect and reconnect all of your connections, including your VoIP
phones.
Click the Reset Device button to reset the Gateway back to its original factory default settings.
Click the Restart button to reboot the device. Previous configuration settings are still retained.
NOTE:
Exercise caution before performing a factory reset. This will erase any configuration changes that you may
have made and allow you to reprogram your NVG599 device.
Link: Syslog
When you click the Syslog link the Syslog configuration page appears. You can configure a UNIX-compatible
(BSD Syslog protocol - RFC 3164) Syslog client to report a number of subsets of the events entered in the device
logs.
You can enable or disable the Syslog client dynamically. When enabled, it will report any appropriate and
previously unreported events.
You can specify the Syslog server's address and port, if required, either in dotted decimal format or as a DNS
name of up to 63 characters.
You can specify the UNIX Syslog facility to use by selecting from the Facility drop-down menu.
From the Log Level drop-down menu, you can select a level from a list organized in decreasing severity level:
Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug.
By toggling each event descriptor to either On or Off, you can determine which ones are logged and which
are ignored.
You will need to install a Syslog client daemon program on your PC and configure it to report the events you
specified in the Syslog configuration screen.
Click the Save button.
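The following is an added example, not ARRIS code: a receiving-side parser for BSD syslog (RFC 3164) lines, showing how the Facility and Log Level settings are encoded in the leading <PRI> value and how to count the "administrative access denied" messages this handbook lists under Log Event Messages. The sample lines, the local0 facility, the severities and the 192.168.1.254 host are constructed; the handbook does not show the device's actual line layout.

```python
import re
from collections import Counter

# Severity names in the order of the handbook's Log Level menu (codes 0..7).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]
# Conventional names for the RFC 3164 facility codes 0..23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + [f"local{i}" for i in range(8)]

# <PRI>Mmm dd hh:mm:ss HOST MESSAGE (single-digit days are space-padded).
LINE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

DENIED = "administrative access denied - "


def parse(line):
    """Decode one syslog line into a dict, or return None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest legal value: facility 23 * 8 + severity 7
        return None
    return {"facility": FACILITIES[pri >> 3],   # PRI = facility * 8 + severity
            "severity": SEVERITIES[pri & 7],
            "timestamp": m.group(2),
            "host": m.group(3),
            "message": m.group(4)}


def load(lines):
    """Parse every line and silently drop the ones that are not syslog."""
    return [r for r in map(parse, lines) if r is not None]


def at_least(records, level):
    """Keep records at `level` or more severe (lower code = more severe)."""
    limit = SEVERITIES.index(level)
    return [r for r in records if SEVERITIES.index(r["severity"]) <= limit]


def denied_admin_access(records):
    """Count denied management logins by the reason given in the message."""
    reasons = Counter()
    for r in records:
        if r["message"].startswith(DENIED):
            reasons[r["message"][len(DENIED):]] += 1
    return reasons


def noisy_hosts(records, threshold):
    """Reporting devices with at least `threshold` denied admin logins.

    The host field names the device that sent the log line, not the
    machine that attempted the login.
    """
    per_host = Counter(r["host"] for r in records
                       if r["message"].startswith(DENIED))
    return sorted(h for h, n in per_host.items() if n >= threshold)


# Constructed sample input; the last entry is deliberately not a syslog line.
SAMPLE_LINES = [
    "<134>Oct 11 22:14:15 192.168.1.254 administrative access attempted",
    "<132>Oct 11 22:14:16 192.168.1.254 administrative access denied - invalid password",
    "<132>Oct 11 22:14:19 192.168.1.254 administrative access denied - invalid password",
    "<132>Oct 11 22:14:23 192.168.1.254 administrative access denied - invalid user name",
    "<134>Oct 11 22:15:02 192.168.1.254 administrative access authenticated and allowed",
    "<135>Oct  1 09:00:00 192.168.1.254 constructed debug message",
    "not a syslog line",
]

if __name__ == "__main__":
    records = load(SAMPLE_LINES)
    print(dict(denied_admin_access(records)), noisy_hosts(records, 3))
```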
Link: Event Notifications
When you click the Event Notifications link, the Event Notifications page appears.
If you select the Broadband Status Notification checkbox, the device will alert users on your network if the
connection to the Internet should fail. In that event, troubleshooting suggestions will display.
If you select the Missing Filter Notification checkbox, the device will alert users on your network if hardware
line filters are either missing or improperly installed. In that event, troubleshooting suggestions will display.
Link: NAT Table
When you click the NAT Table link, the NAT Table page appears.
The NAT Table page displays the network address translation sessions in use by the NVG599 device. You can
use the drop-down menu to limit the displayed sessions to selected IP addresses.
To refresh all the sessions displayed, click the Reset button.
CHAPTER 3 Basic Troubleshooting
This chapter gives some simple suggestions for troubleshooting problems with your NVG599 VDSL2 Gateway's initial configuration. This chapter covers the following topics:
Status Indicator Lights
Factory Reset Switch
Event Log Messages
Before troubleshooting, make sure you have:
Read this guide
Plugged in all the necessary cables
Set your PC’s TCP/IP controls to obtain an IP address automatically
Status Indicator Lights
The first step in troubleshooting is to check the status indicator lights (LEDs) in the order outlined below.
ARRIS NVG599 VDSL2 Gateway Status Indicator Lights
LED Activity
Power
Solid Green = The device is powered.
Flashing Green = A power-on self-test (POST) is in progress
Flashing Red = A POST failure (not bootable) or device malfunction occurred.
Flashing Amber = Firmware upgrade in progress (see below)
Off = The unit has no AC power. If the battery is in use, the Battery LED will indicate battery status,
and all other LEDs will be off.
Power during Firmware Upgrade
During the software installation, you will lose Internet and phone service. The LEDs will function as follows:
1. As firmware is being loaded into flash, the LEDs operate normally.
2. During the firmware upgrade, which takes a few minutes, the Power LED flashes amber (flash writing to memory), and all other LEDs are off.
3. The NVG599 restarts automatically.
As the device reboots, the LEDs display power-on behavior.
All during Boot process
• Power LED = Flashing Green
• All other LEDs = Off
If the device does not boot and fails its self-test or fails to perform initial load of the bootloader:
• Power LED = Flashing Red
• ALL other LEDs = Off
If the device boots and then detects a failure:
Power LED = Flashing Green starting POST, and then all LEDs will flash red, including Power LED.
Battery
Solid Green = Battery in place but not being used.
Flashing Green = Battery charging.
Solid Red = Battery backup mechanism has a fault.
Flashing Red = Battery needs to be replaced.
Solid Amber = Battery in use.
Flashing Amber = Low battery.
Off = No battery, or battery has no charge.
[Figure: Side View, showing the Power, Battery, Ethernet, Wireless, HomePNA, USB, Broadband 1, Broadband 2, Service, Phone 1, Phone 2, and WPS indicator lights]
Ethernet
Solid Green = Powered device connected to the associated port (includes devices with wake-on-LAN
capability where a slight voltage is supplied to the Ethernet connection).
Flickering Green = Activity seen from devices associated with the port. The flickering of the light is
synchronized to actual data traffic.
Off = The device is not powered, or no cable or no powered devices are connected to the associated
ports.
WiFi
Solid Green = Wi-Fi is powered.
Flickering Green = Activity seen from devices connected via Wi-Fi. The flickering of the light is synchronized to actual data traffic.
Off = The device is not powered, or no powered devices are connected to the associated ports.
HomePNA
Solid Green = Powered device connected to the associated port (includes devices with wake-on-LAN
capability where a slight voltage is supplied to the Ethernet connection).
Flickering Green = Activity seen from devices associated with the port. The flickering of the light is
synchronized to actual data traffic.
Off = The device is not powered, or no cable or no powered devices are connected to the associated
ports.
Broadband 1**, 2
Solid Green = Good broadband connection (good DSL sync or Gigabit Ethernet).
Flashing Green = Attempting broadband connection (DSL attempting sync).
Flashing Green and Red = If, after three consecutive minutes, the broadband connection fails to be established, the LED switches to Flashing Green alternating with a five second steady Red while attempting or waiting to establish a broadband connection. This pattern continues until the broadband connection is successfully established.
Flashing Red = No DSL signal on the line. This display is not used during times of temporary ‘no tone’
during the training sequence.
Off = The device is not powered.
** Broadband 1 LED is also the Gigabit Ethernet WAN LED when that is in play (and DSL is not).
Service
Solid Green = IP connected. The device has a WAN IP address from DHCP or 802.1x authentication
and the broadband connection is up.
Flashing Green = Attempting connection, attempting IEEE 802.1X authentication, or attempting to
obtain DHCP information.
Red = Device attempted to become IP connected and failed (no DHCP response, 802.1x authentication failed, no IP address from IPCP, etc.). The Red state times out after two minutes, and the Service indicator light returns to the Off state.
Off = The device is not powered or the broadband connection is not present.
Phone 1, 2
Solid Green = The associated VoIP line has been registered with a SIP proxy server.
Flashing Green = Indicates a telephone is off-hook on the associated VoIP line.
Off = VoIP not in use, line not registered, or NVG599 power off.
USB
Solid Green = Powered device connected to the associated port (includes devices with wake-on-LAN
capability where a slight voltage is supplied to the Ethernet connection).
Flickering Green = Activity seen from devices associated with the port. The flickering of the light is
synchronized to actual data traffic.
Off = The device is not powered, no cable or no powered devices connected to the associated ports.
WPS (appears after using WPS button)
Solid Green = Wi-Fi Protected Setup has been completed successfully. LED should stay on for 5 minutes or until push button is pressed again.
Flashing Green = Continues for 2 minutes, indicating when WPS is broadcasting.
Flashing Red = Continues for 2 minutes, indicating a Session overlap was detected (possible security risk).
Solid Red = Error unrelated to security, such as failure to find a partner, or WPS is disabled. LED should stay solid red for 5 minutes or until push button is pressed again.
Off = The device is not powered, or no cable or no powered devices are connected to the associated ports.
Rear View
[Figure: Rear View, showing the Gigabit Ethernet (WAN), USB, DSL (WAN), Ethernet (LAN), F-Connector (HPNA), RJ14 (FXS), Reset, and Power Jack connectors]
LED Action
Ethernet 1, 2, 3, 4
Flashing Amber = A Gigabit Ethernet device is connected to each port.
Solid Green = A 10/100 Ethernet device is connected.
Flickering Green = Ethernet traffic activity.
Off = The device is not powered, or no powered devices are connected to the associated ports.
NOTE:
The NVG599 supports two VoIP lines over one RJ11 VoIP port. In order to connect two phone lines the supplied inner/outer pair splitter adapters must be attached to the RJ11 VoIP port in order to terminate both lines. This is a special-purpose splitter. You must only use the inner/outer pair splitter adapters supplied by AT&T.
LED Function Summary Matrix
Power
Solid Green = The device is powered.
Flashing Green = A power-on self-test (POST) is in progress.
Orange/Amber = Firmware upgrade (see "Power during Firmware Upgrade").
Flashing Red = A POST failure (not bootable) or device malfunction occurred. *
* When the device encounters a POST failure, all indicator lights on the front of the device continuously flash.
Off = The unit has no AC power.
Battery
Solid Green = Battery in place but not being used.
Flashing Green = Battery charging.
Solid Amber = Battery in use.
Flashing Amber = Low battery.
Solid Red = Battery backup mechanism has a fault.
Flashing Red = Battery needs to be replaced.
Off = No battery or battery has no charge.
Cycle between all colors = Battery conducting self-test.
Ethernet
Solid Green = Powered device connected to the associated port (includes devices with wake-on-LAN capability where a slight voltage is supplied to the Ethernet connection).
Flashing Green = Activity seen from devices associated with the port. The flickering of the light is synchronized to actual data traffic.
Off = The device is not powered, no cable or no powered devices connected to the associated ports.
WiFi
Solid Green = Wi-Fi is powered.
Flashing Green = Activity seen from devices connected via Wi-Fi. The flickering of the light is synchronized to actual data traffic.
Off = The device is not powered or no powered devices connected to the associated ports.
HomePNA
Solid Green = Powered device connected to the associated port (includes devices with wake-on-LAN capability where a slight voltage is supplied to the Ethernet connection).
Flickering Green = Activity seen from devices associated with the port. The flickering of the light is synchronized to actual data traffic.
Off = The device is not powered, no cable or no powered devices connected to the associated ports.
Broadband 1**, 2
Solid Green = Good broadband connection (i.e., good DSL Sync).
** Broadband 1 LED is also the Gigabit ethernet WAN LED when that is in play (and DSL is not).
Flashing Green = Attempting broadband connection (i.e., DSL attempting sync).
Flashing Green & Red = If the broadband connection fails to be established for more than three consecutive minutes the LED switches to Flashing Green when attempting or waiting to establish a broadband connection alternating with a five second steady Red. This pattern continues until the broadband connection is successfully established.
Flashing Red = No DSL signal on the line. This is only used when there is no signal, not during times of temporary ‘no tone’ during the training sequence.
Off = The device is not powered.
Service
Solid Green = IP connected (The device has a WAN IP address from DHCP or 802.1x authentication and the broadband connection is up).
Flashing Green = Attempting PPP connection. Attempting IEEE 802.1X authentication or attempting to obtain DHCP information.
Red = Device attempted to become IP connected and failed (no DHCP response, 802.1x authentication failed, no IP address from IPCP, etc.). The Red state times out after two minutes and the Service indicator light returns to the Off state.
Off = The device is not powered or the broadband connection is not present.
Phone 1, 2
Solid Green = The associated VoIP line has been registered with a SIP proxy server.
Flashing Green = Indicates a telephone is off-hook on the associated VoIP line.
Off = VoIP not in use, line not registered or NVG599 power off.
USB
Solid Green = Powered device connected to the associated port (includes devices with wake-on-LAN capability where a slight voltage is supplied to the Ethernet connection).
Flickering Green = Activity seen from devices associated with the port. The flickering of the light is synchronized to actual data traffic.
Off = The device is not powered, no cable or no powered devices connected to the associated ports.
WPS
Solid Green = Wi-Fi Protected Setup has been completed successfully. It should stay on for 5 minutes or until push button is pressed again.
Flashing Green = Indicates when WPS is broadcasting.
Solid Red = Error unrelated to security, such as failed to find any partner, or protocol prematurely aborted. It should stay Solid Red for 5 min or until push button is pressed again.
Flashing Red = Session overlap detected (possible security risk) in Scenario.
Off = WPS is not active, the device is not powered, no cable or no powered devices connected to the associated ports.
If a status indicator light does not look correct, look for these possible problems:
LED Not Lit: Possible Problems
Power
Make sure the power adapter is plugged into the DSL modem properly.
Try a known good wall outlet.
If a power strip is used, make sure it is switched on.
Broadband
Make sure that any telephone has a microfilter installed.
Make sure that you are using the correct cable. The DSL cable is the thinner standard telephone cable and is labeled “Data Cable.”
Make sure the DSL cable is plugged into the correct wall jack.
Make sure the DSL cable is plugged into the DSL port on the DSL modem.
Make sure the DSL line has been activated at the central office DSLAM.
Make sure the DSL modem is not plugged into a micro filter.
Ethernet
Make sure you are using the yellow Ethernet cable, not the DSL cable. The Ethernet cable is thicker than the standard telephone cable.
Make sure the Ethernet cable is securely plugged into the Ethernet jack on the PC.
Make sure the Ethernet cable is securely plugged into the Ethernet port on the DSL modem.
Make sure you have Ethernet drivers installed on the PC.
Make sure the PC’s TCP/IP properties for the Ethernet network control panel are set to obtain an IP address via DHCP.
Make sure the PC has obtained an address in the 192.168.1.x range. (You may have changed the subnet addressing.)
Make sure the PC is configured to access the Internet over a LAN.
Disable any installed network devices (Ethernet, HomePNA, wireless) that are not being used to connect to the DSL modem.
Factory Reset Switch
Lost your access code? This section shows how to use the factory reset switch to reset the NVG599 so that you
can access the configuration screens once again.
If you don't have an access code, the only way to access the NVG599 is to follow these steps:
1. Referring to the diagram below, find the round Reset switch opening.
2. Carefully insert the point of a pen or an unwound paperclip into the opening.
If you press the factory reset switch for less than ten seconds, the device will be rebooted.
The indicator lights on the device will respond immediately and start blinking red within one second of the
reset switch being pressed.
The lights will blink whether the switch is still being pressed or has been released. The indicator lights will
flash for a minimum of five seconds, even if the reset switch is released within five seconds of being pressed.
If the reset switch is held for more than five seconds, it will continue to blink until released or until ten seconds have elapsed (see below).
If you press the factory reset switch for a longer period of time, the device will be reset to the factory
default shipped settings. If the switch is held for ten seconds, the Power indicator continues to blink for an
additional five seconds, and then the indicator lights return to their normal operating mode, whether or not
the reset switch is still depressed.
NOTE:
Keep in mind that all of your settings will need to be reconfigured.
Reset Switch
Log Event Messages
The system generates the log messages described in the following tables for events related to administrative
access, system operation, DSL issues, packet access, or firewall issues.
Administration-Related Log Messages
1. administrative access attempted: This log message is generated whenever the user attempts to access the
router's management interface.
2. administrative access authenticated and allowed: This log message is generated whenever the user attempts to
access the router's management interface and is successfully authenticated and allowed access to the
management interface.
3. administrative access allowed: If for some reason, a customer does not want password protection for the
management interface, this log message is generated whenever any user attempts to access the router's
management interface and is allowed access to the management interface.
4. administrative access denied - invalid user name: This log message is generated whenever the user tries to
access the router's management interface and authentication fails because of an incorrect username.
5. administrative access denied - invalid password: This log message is generated whenever the user tries to
access the router's management interface and authentication fails because of an incorrect password.
6. administrative access denied - telnet access not allowed: This log message is generated whenever the user
tries to access the router's Telnet management interface from a public interface and is not permitted
because remote management is disabled.
7. administrative access denied - web access not allowed: This log message is generated whenever the user
tries to access the router's HTTP management interface from a public interface and is not permitted
because remote management is disabled.
System Log Messages
1. Received NTP Date and Time: This log message is generated whenever NTP receives date and time from
the server.
2. EN: IP up: This log message is generated whenever Ethernet WAN comes up.
3. WAN: Ethernet WAN1 activated at 100000 Kbps: This log message is generated when the Ethernet WAN link is up.
4. Device Restarted: This log message is generated when the router has been restarted.
DSL Log Messages (Most Common)
1. WAN: Data link activated at <Rate> Kbps (rx/tx): This log message is generated when the DSL link comes up.
2. WAN: Data link deactivated: This log message is generated when the DSL link goes down.
3. RFC1483 up: This log message is generated when RFC1483 link comes up.
4. RFC1483-<WAN-instance>: IP down: This log message is generated when RFC1483 link goes down.
5. PPP: Channel <ID> up Dialout Profile name: <Profile Name>: This log message is generated when a PPP channel
comes up.
6. PPP-<WAN Instance> down: <Reason>: This log message is generated when a PPP channel goes down. The reason
for the channel going down is displayed as well.
Access-Related Log Messages
1. permitted: This log message is generated whenever a packet is allowed to traverse
router interfaces or allowed to access the router itself.
2. attempt: This log message is generated whenever a packet attempts to traverse
router interfaces or attempts to access the router itself.
3. dropped - violation of security policy: This log message is generated whenever a packet, traversing the router or
destined to the router itself, is dropped by the firewall because it violates the expected conditions.
4. dropped - invalid checksum: This log message is generated whenever a packet, traversing the router or
destined to the router itself, is dropped because of invalid IP checksum.
5. dropped - invalid data length: This log message is generated whenever a packet, traversing the router or
destined to the router itself, is dropped because the IP length is greater than
the received packet length or if the length is too small for an IP packet.
6. dropped - fragmented packet: This log message is generated whenever a packet, traversing the router, is
dropped because it is fragmented, stateful inspection is turned ON on the
packet's transmit or receive interface, and the deny-fragment option is
enabled.
7. dropped - cannot fragment: This log message is generated whenever a packet traversing the router is
dropped because the packet cannot be sent without fragmentation, but the
do-not-fragment bit is set.
8. dropped - no route found: This log message is generated whenever a packet, traversing the router or
destined to the router itself, is dropped because no route is found to forward the packet.
9. dropped - invalid IP version: This log message is generated whenever a packet, traversing the router or
destined to the router itself, is dropped because the IP version is not 4.
10. dropped - possible land attack: This log message is generated whenever a packet, traversing the router or
destined to the router itself, is dropped because the packet is a TCP/UDP
packet and the source IP address and source port equals the destination IP
address and destination port.
11. TCP SYN flood detected: This log message is generated whenever a SYN packet destined to the
router's management interface is dropped because the number of SYN-sent
and SYN-receive messages exceeds one-half the number of allowable connections in the router.
12. Telnet receive DoS attack - packets dropped: This log message is generated whenever TCP packets destined to the
router's Telnet management interface are dropped due to overwhelming receive data.
13. dropped - reassembly timeout: This log message is generated whenever packets, traversing the router or
destined to the router itself, are dropped because of reassembly timeout.
14. dropped - illegal size: This log message is generated whenever packets, traversing the router or
destined to the router itself, are dropped during reassembly because of illegal packet size in a fragment.
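One way to triage the administration-related and access-related messages listed above, as an added example (not ARRIS code). The message texts are taken from the lists; the timestamp prefix on the sample lines, the label names and the failure threshold are assumptions, because the handbook does not show a complete log line.

```python
"""Triage NVG599 log lines by the message texts the handbook documents."""
from collections import Counter

# Message text (copied from the handbook lists) -> label (label names are hypothetical).
MESSAGES = {
    "administrative access attempted": "admin-attempt",
    "administrative access authenticated and allowed": "admin-login",
    "administrative access allowed": "admin-no-password",
    "administrative access denied - invalid user name": "admin-bad-user",
    "administrative access denied - invalid password": "admin-bad-password",
    "administrative access denied - telnet access not allowed": "admin-wan-telnet",
    "administrative access denied - web access not allowed": "admin-wan-web",
    "dropped - violation of security policy": "policy-drop",
    "dropped - possible land attack": "land-attack",
    "TCP SYN flood detected": "syn-flood",
    "Telnet receive DoS attack - packets dropped": "telnet-dos",
    "permitted": "packet-permitted",
    "attempt": "packet-attempt",
}

# Try longer texts first: the access-related text "attempt" is a substring of
# "administrative access attempted" and would otherwise mislabel that line.
_ORDERED = sorted(MESSAGES, key=len, reverse=True)


def classify(line):
    """Return the label of the first (longest) documented text found in line, or None."""
    low = line.lower()
    for text in _ORDERED:
        if text.lower() in low:
            return MESSAGES[text]
    return None


def triage(lines, max_failures=3):
    """Count labelled events and return (counts, findings worth a closer look)."""
    counts = Counter(filter(None, map(classify, lines)))
    findings = []

    failures = counts["admin-bad-user"] + counts["admin-bad-password"]
    if failures >= max_failures:
        findings.append(f"{failures} failed management logins (possible credential guessing)")

    # "administrative access allowed" only appears when password protection is off.
    if counts["admin-no-password"]:
        findings.append("management interface was accessed without password protection")

    refused = counts["admin-wan-telnet"] + counts["admin-wan-web"]
    if refused:
        findings.append(f"{refused} management access attempt(s) from a public interface refused")

    for label in ("syn-flood", "telnet-dos", "land-attack"):
        if counts[label]:
            findings.append(f"{label}: {counts[label]} event(s)")
    return counts, findings


# Constructed sample input: the timestamps and line layout are made up for this example.
SAMPLE_LOG = """\
2013-05-01T10:00:01 administrative access attempted
2013-05-01T10:00:01 administrative access denied - invalid password
2013-05-01T10:00:04 administrative access attempted
2013-05-01T10:00:04 administrative access denied - invalid password
2013-05-01T10:00:09 administrative access attempted
2013-05-01T10:00:09 administrative access denied - invalid user name
2013-05-01T10:02:30 administrative access denied - telnet access not allowed
2013-05-01T10:03:00 TCP SYN flood detected
2013-05-01T10:05:12 administrative access attempted
2013-05-01T10:05:12 administrative access authenticated and allowed
2013-05-01T10:06:00 WAN: Data link deactivated
""".splitlines()

if __name__ == "__main__":
    event_counts, notes = triage(SAMPLE_LOG)
    for label, n in sorted(event_counts.items()):
        print(f"{label:20} {n}")
    for note in notes:
        print("FINDING:", note)
```

Lines that carry none of the documented texts, such as the DSL link message in the sample, are left unlabelled rather than guessed at.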
Firewall Log Messages Detail (AT&T Requirement #841)
Reason Enumeration (C) Log Text Representation Why the Packet Was Logged
NM_LOGDROP_CAT_DIR DIRECTION Direction (generic)
NM_LOGDROP_CAT_DIR_UP DIRECTION-UP Upstream direction
NM_LOGDROP_CAT_DIR_DOWN DIRECTION-DOWN Downstream direction
NM_LOGDROP_CAT_ETH ETH Ethernet header (generic)
NM_LOGDROP_CAT_ETH_SRC_ADDR ETH-SRC Ethernet source MAC address
NM_LOGDROP_CAT_ETH_DST_ADDR ETH-DST Ethernet destination MAC address
NM_LOGDROP_CAT_ETH_PROT ETH-PROTOCOL Ethernet Protocol
NM_LOGDROP_CAT_ETH_VLAN ETH-VLAN Ethernet VLAN ID (where applicable)
NM_LOGDROP_CAT_IP IP IP header (generic)
NM_LOGDROP_CAT_IP_SRC IP-SRC IP source address
NM_LOGDROP_CAT_IP_DST IP-DST IP destination address
NM_LOGDROP_CAT_IP_PROT IP-PROTOCOL IP Protocol
NM_LOGDROP_CAT_IP_SPOOF IP-SPOOF IP address is spoofed (could not have been sent by a device legitimately with the address in the source address field)
NM_LOGDROP_CAT_IP_ILL IP-ILLEGAL IP address is illegal (either src or dest)
NM_LOGDROP_CAT_TCP TCP TCP header (generic)
NM_LOGDROP_CAT_TCP_SRC_PORT TCP-SRC-PORT TCP source port
NM_LOGDROP_CAT_TCP_DST_PORT TCP-DST-PORT TCP destination port
NM_LOGDROP_CAT_TCP_FLAGS TCP-FLAGS TCP flags field
NM_LOGDROP_CAT_UDP UDP UDP header (generic)
NM_LOGDROP_CAT_UDP_SRC_PORT UDP-SRC-PORT UDP source port
NM_LOGDROP_CAT_UDP_DST_PORT UDP-DST-PORT UDP destination port
NM_LOGDROP_CAT_ICMP ICMP ICMP packet (generic)
NM_LOGDROP_CAT_ICMP_TYPE ICMP-TYPE ICMP Type field
NM_LOGDROP_CAT_ICMP_CODE ICMP-CODE ICMP Code field
NM_LOGDROP_CAT_ICMP6 ICMPv6 ICMPv6 (generic)
NM_LOGDROP_CAT_POLICY POLICY Policy (generic). This currently includes filterset rules, restricted hosts, IPv6 profiles.
NM_LOGDROP_CAT_POLICY_INPUT POLICY-INPUT-GEN-DISCARD Packets destined for the CPE that are generically discarded (we specify the packets we do want; the rest are discarded.)
NM_LOGDROP_CAT_POLICY_WAN_MGMT POLICY-WAN-MGMT-ACCESS 1) Trying to access CPE service from WAN side using LAN-side port 2) Trying to access CPE service from LAN side using WAN-side IP address 3) Trying to access CPE service from WAN side using IPv6
NM_LOGDROP_CAT_POLICY_ICMP_ECHO POLICY-ICMP-ECHO ICMP echo request discarded (more specific than NM_LOGDROP_CAT_ICMP_TYPE)
NM_LOGDROP_CAT_POLICY_UWC_RESTRICT POLICY-UWC-RESTRICT Packets dropped because of “Universal Wi-Fi Configuration” restrictions (currently unused)
NM_LOGDROP_CAT_POLICY_RESTRICTED_HOST POLICY-RESTRICTED-HOST Packets dropped because of “Restricted Host” feature (either content or time restrictions) (currently unused)
NM_LOGDROP_CAT_POLICY_WAN_DNS_QUERY POLICY-WAN-SIDE-DNS-QUERY DNS query packets received on a WAN interface
NM_LOGDROP_CAT_POLICY_WAN_DHCP_TOSRVR POLICY-WAN-SIDE-DHCP-TO-SRVR DHCP Discover request received on a WAN interface
NM_LOGDROP_CAT_POLICY_AH POLICY-IPV6-AH IPv6 packets with AH header (if so configured)
NM_LOGDROP_CAT_POLICY_ESP POLICY-IPV6-ESP IPv6 packets with ESP header (if so configured)
NM_LOGDROP_CAT_POLICY_DEP_HEADER POLICY-DEPRECATED-HEADER IPv6 packets with deprecated header (currently this only includes routing extension header type 0)
NM_LOGDROP_CAT_POLICY_CAPT_PORTAL POLICY-CAPTIVE-PORTAL [IPv6] packets dropped because captive portal is enabled.
NM_LOGDROP_CAT_FLOW FLOW Packets rejected as a result of analysis of multiple related packets (generic)
NM_LOGDROP_CAT_FLOW_FLOOD FLOOD Packets rejected because of flood-limiting
NM_LOGDROP_CAT_FLOW_PORTSCAN PORTSCAN Packets rejected because of port-scan detection
NM_LOGDROP_CAT_FLOW_DOS_OTHER OTHER-DoS Packets rejected because of other DoS detection. Currently this includes downstream flows that don't generate upstream responses - specifically addressing IPv6 Neighbor Discovery DoS attacks.
CHAPTER 4 Command Line Interface
The NVG599 VDSL2 Gateway operating software includes a command line interface (CLI) that lets you access
your NVG599 device over a Telnet connection. You can use the command line interface to enter and update the
unit's configuration settings, monitor its performance, and restart it.
This chapter covers the following topics:
Overview
Starting and Ending a CLI Session
Using the CLI Help Facility
About SHELL Commands
SHELL Commands
About CONFIG Commands
CONFIG Commands
Debug Commands
CONFIG Commands
Connection Commands
Filter Set Commands
Queue Commands
IP Gateway Commands
IPv6 Commands
IP DNS Commands
IP IGMP Commands
NTP Commands
Application Layer Gateway (ALG) Commands
Dynamic DNS Commands
Link Commands
Management Commands
Remote Access Commands
Physical Interfaces Commands
PPPoE Relay Commands
NAT Pinhole Commands
Security Stateful Packet Inspection (SPI) Commands
VoIP Commands
System Commands
Overview
The CLI has two major command modes: SHELL and CONFIG. Summary tables that list the commands are
provided below. Details of the entire command set follow in this section.
SHELL Commands
Command Description
arp Send ARP request
clear Erase all stored configuration information
clear_certificate Remove an SSL certificate that has been installed
clear_https_certkey Remove a secure HTTP certificate key value
clear_firewall_log Empty the contents of the firewall event log
clear_log Erase all stored log info in flash memory
configure Configure unit's options
diagnose Run self-test
download Download config file
exit Quit this shell
ffbb Show the number of POST fault states
help Get more: “help all” or “help help”
install Download and program an image into flash
log Add a message to the diagnostic log
loglevel Report or change diagnostic log level
netstat Show IP information
nslookup Send DNS query for host
ping Send ICMP echo request
quit Quit this shell
6rd-check Send a 6rd loopback packet to the border gateway
reset Reset subsystems
restart Restart unit
show Show system information
start Start subsystem
status Show basic status of unit
telnet Telnet to a remote host
traceroute Send traceroute probes
upload Upload config file
view Show configuration information
who Show who is using the shell
wps Enter Wireless Protection Settings mode
CONFIG Commands
Command Verbs Description
delete Delete configuration list data
help Display a list of Help command options
save Save configuration data
script Print configuration data
set Set configuration data
validate Validate configuration settings
view View configuration data
Keywords
conn Connection options
ip TCP/IP protocol options
ip6 IPv6 protocol options
dns Domain Name System options
gfs Global filter set options
igmp IGMP configuration options
ntp Network Time Protocol options
gateway Gateway options
link WAN link options
management System management options
physical Physical interface options
dsl DSL configuration options
enet Ethernet options
pinhole Pinhole options
pppoe-relay Point to Point Protocol over Ethernet relay options
preferences Shell environment preferences
queue Queue options
security Security (firewall) options
system Gateway’s system options
target-ad-insertion Targeted Ad Insertion (TAI) options
voip IP Voice (VoIP) configuration options
log System activity logging options
Command Utilities
top Go to top level of configuration mode
quit Exit from configuration mode; return to shell mode
exit Exit from configuration mode; return to shell mode
Starting and Ending a CLI Session
To start a CLI session, you need to open a Telnet connection from a workstation on your network.
You initiate a Telnet connection by issuing the following command from an IP host that supports Telnet, for
example, a personal computer running a Telnet application such as NCSA Telnet.
telnet <ip_address>
You must know the IP address of the NVG599 device before you can make a Telnet connection to it. By default,
your NVG599 uses 192.168.1.254 as the IP address for its LAN interface. You can use a Web browser to
configure the NVG599 IP address.
Logging In
The command line interface log-in process emulates the log-in process for a UNIX host. To log in, enter the user
name and your password.
Entering the administrator password lets you display and update all NVG599 settings.
When you have logged in successfully, the command line interface lists the user name and the security level
associated with the password you entered in the diagnostic log.
Ending a CLI Session
You end a command line interface session by typing quit from the SHELL node of the command line interface
hierarchy.
Using the CLI Help Facility
The help command displays online help for SHELL and CONFIG commands. To display a list of the commands
available to you from your current location within the command line interface hierarchy, type help or a
question mark (?).
To obtain help for a specific CLI command, type help <command>. You can truncate the help command to h
or a question mark when you request help for a CLI command.
About SHELL Commands
You begin in SHELL mode when you start a CLI session. SHELL mode lets you perform the following tasks:
Monitor NVG599 performance
Display and reset NVG599 device statistics
Issue administrative commands to restart NVG599 device functions
SHELL Prompt
When you are in SHELL mode, the CLI prompt is the name of the NVG599 device followed by a right angle
bracket (>). For example, if you open a CLI connection to the NVG599 device named ARRIS-3000/9437188,
you would see ARRIS-3000/9437188> as your CLI prompt.
SHELL Command Shortcuts
You can truncate most commands in the CLI to their shortest unique string. For example, you can use the
truncated command q in place of the full quit command to exit the CLI. However, you would need to enter rese
for the reset command, since the first characters of reset are common to the restart command.
The only commands you cannot truncate are restart and clear. To prevent accidental interruption of
communications, you must enter the restart and clear commands in their entirety.
You can use the Up and Down arrow keys to scroll backward and forward through recent commands you have
entered. Alternatively, you can use the !! command to repeat the last command you entered.
SHELL Commands
Common Commands
arp nnn.nnn.nnn.nnn
Sends an Address Resolution Protocol (ARP) request to match the nnn.nnn.nnn.nnn IP address to an Ethernet
hardware address.
clear [ yes ]
Clears the configuration settings in an NVG599 device. You are prompted to confirm the clear command by
entering yes.
clear_certificate
Removes an SSL certificate that has been installed.
clear_https_certkey
Removes any Secure HTTP certificate key value installed in the NVG599.
configure
Puts the command line interface into Configure mode, which lets you configure your NVG599 with config
commands. The config commands are described starting on page 121.
download [ server_address ] [ filename ] [ confirm ]
Installs a file of configuration parameters into the NVG599 device from a TFTP (Trivial File Transfer Protocol)
server. The TFTP server must be accessible on your Ethernet network.
You can include one or more of the following arguments with the download command. If you omit arguments,
the console prompts you for this information.
The server_address argument identifies the IP address of the TFTP server from which you want to copy the
NVG599 configuration file.
The filename argument identifies the path and name of the configuration file on the TFTP server.
If you include the optional confirm keyword, the download begins as soon as all information is entered.
You can also download an SSL certificate file from a trusted certification authority (CA), on platforms that
support SSL, as follows:
download [-cert] [server_address ] [filename] [confirm]
ffbb
Displays the number of times that the NVG599 device has entered a Power-On Self-Test (POST) fault state.
install [ server_address ] [ filename ] [ confirm ]
Downloads a new version of the NVG599 operating software from a TFTP (Trivial File Transfer Protocol) server,
validates the software image, and programs the image into the NVG599 memory. After you install new
operating software, you must restart the NVG599 device.
The server_address argument identifies the IP address of the TFTP server on which your NVG599 operating
software is stored. The filename argument identifies the path and name of the operating software file on the
TFTP server.
If you include the optional keyword confirm, you will not be prompted to confirm whether or not you want to
perform the operation.
log message_string
Adds the message in the message_string argument to the NVG599 diagnostic log.
loglevel [ level ]
Displays or modifies the types of log messages you want the NVG599 to record. If you enter the loglevel
command without the optional level argument, the command line interface displays the current log level
setting.
You can enter the loglevel command with the level argument to specify the types of diagnostic messages you
want to record. All messages with a level number equal to or greater than the level you specify are recorded.
For example, if you specify log level 3, the diagnostic log will retain high-level informational messages (level 3),
warnings (level 4), and failure messages (level 5).
Use the following values for the level argument:
1 or low – Low-level informational messages or greater; includes trivial status messages.
2 or medium – Medium-level informational messages or greater; includes status messages that can help
monitor network traffic.
3 or high – High-level informational messages or greater; includes status messages that may be significant
but do not constitute errors.
4 or warning – Warnings or greater; includes recoverable error conditions and useful operator information.
5 or failure – Failures; includes messages describing error conditions that may not be recoverable.
netstat -i
Displays the IP interfaces for your NVG599.
netstat -r
Displays the IP routes stored in your NVG599.
nslookup [ hostname | ip_address ]
Performs a domain name system lookup for a specified host.
The hostname argument is the name of the host for which you want DNS information; for example,
nslookup klaatu.
The ip_address argument is the IP address, in dotted decimal notation, of the device for which you want
DNS information.
ping [-s size] [-c count ] [ hostname | ip_address ]
Causes the NVG599 to issue a series of ICMP Echo requests for a device with the specified name or IP address.
The hostname argument is the name of the device you want to ping; for example,
ping ftp.arris.com.
The ip_address argument is the IP address, in dotted decimal notation, of the device you want to locate. If a
host using the specified name or IP address is active, it returns one or more ICMP echo replies, confirming
that it is accessible from your network.
The -s size argument lets you specify the size of the ICMP packet.
The -c count argument lets you specify the number of ICMP packets generated for the ping request. Values
greater than 250 are truncated to 250.
You can use the ping command to determine whether a hostname or IP address is already in use on your
network. You cannot use the ping command to ping the NVG599 device’s own IP address.
quit
Exits the NVG599 command line interface.
6rd-check [-s size] [-c count] conn_name
Generates and sends 6rd (IPv6 Rapid Deployment) loopback packets to the 6rd gateway.
reset arp
Clears the Address Resolution Protocol (ARP) cache on your unit.
reset crash
Clears crash-dump information, which identifies the contents of the NVG599 registers at the point of system
malfunction.
reset dhcp server
Clears the DHCP lease table in the NVG599 device.
reset enet [ all ]
Resets Ethernet statistics to zero. Resets individual LAN switch port statistics as well as wireless and WAN
Ethernet statistics (where applicable).
reset firewall-log
Rewinds the firewall log to the first entry.
reset ipmap
Clears the IPMap table (NAT).
reset log
Rewinds the diagnostic log display to the top of the existing NVG599 diagnostic log. The reset log command
does not clear the diagnostic log. The next show log command will display information from the beginning of
the log file.
reset wan
This function resets WAN interface statistics.
restart [ seconds ]
Restarts your NVG599 device. If you include the optional seconds argument, your NVG599 will restart when
the specified number of seconds have elapsed. You must enter the complete restart command to initiate a
restart.
show all-info
Displays all settings currently configured in the NVG599 device.
show bridge interfaces
Displays bridge interfaces maintained by the NVG599 device.
show bridge table
Displays the bridging table maintained by the NVG599 device.
show config
Dumps the ARRIS Gateway's configuration script just as the script command does in Configure mode.
show crash
Displays the most recent crash information, if any, for your NVG599 device.
show dhcp server leases
Displays the DHCP leases stored in RAM by your NVG599 device.
show dhcp client
Displays the DHCP clients stored in RAM by your NVG599 device.
show dsl [ all ]
Displays DSL port statistics, such as upstream and downstream connection rates and noise levels.
show dslf device-association
Displays LAN devices that conform with the TR111 Gateway requirement. It displays IP address, manufacturer
OUI, and serial number.
show enet [ all ]
Displays Ethernet interface statistics maintained by the NVG599 device. Supports display of individual LAN
switch port statistics as well as WAN Ethernet statistics (where applicable).
Example:
Ethernet driver full statistics - LAN
10/100/1000 Ethernet
Port Status: Link up
General:
Transmit OK : 253
Receive OK : 22
Tx Errors : 0
Rx Errors : 0
Receiver:
Dropped Packets : 0
Transmitter:
Collisions : 0
Dropped Packet : 0
Upper Layers:
Rx No Handler : 0
Rx No Message : 0
Rx Octets : 4781
Rx Unicast Pkts : 22
Rx Multicast Pkts : 0
Tx Discards : 0
Tx Octets : 17204
10/100/1000 Ethernet port 1
Port Status: Link down
10/100/1000 Ethernet port 2
Port Status: Link up
Duplex: Full
Speed: 1000BASE-T
Transmit OK : 253
Transmit unicastpkts : 0
Tx Octets : 16192
Tx Collision : 0
Receive OK : 24
Receive unicastpkts : 0
Receive errors : 0
Rx Octets : 4781
10/100/1000 Ethernet port 3
Port Status: Link down
10/100/1000 Ethernet port 4
Port Status: Link down
HPNA port 5 (counter values include management traffic)
Port Status: Link up
Duplex: Full
Speed: 200 MBPS
Transmit OK : 1702
Transmit unicastpkts : 1173
Tx Octets : 226117
Tx Collision : 0
Receive OK : 1168
Receive unicastpkts : 1168
Receive errors : 0
Rx Octets : 202156
Ethernet driver statistics - Wireless
Port Status: Link down
Ethernet driver full statistics - PTM WAN
Port Status: Link down
Ethernet driver full statistics - WAN
10/100/1000 Ethernet
Port Status: Link down
Ethernet driver full statistics - 10/100 Ethernet
Port Status: Link up
Type: 100BASET Duplex: Full
General:
Transmit OK : 434
Receive OK : 267
Tx Errors : 0
Rx Errors : 0
Receiver:
Incompl Packet Errors : 0
No RBD's For Packet : 0
Carrier Sense Lost : 0
Deferred Replen : 0
Transmitter:
TX Retries : 0
Single Collisions : 0
No Buf For Packet : 0
Upper Layers:
Rx No Handler : 0
Rx No Message : 0
Rx Octets : 30773
Rx Unicast Pkts : 267
Rx Multicast Pkts : 0
Tx Discards : 0
Tx Octets : 31692
10/100 Ethernet phy.enet.port
Port Status: Link up
Duplex: Full-duplex active
Speed: 100BASE-T
Transmit OK : 434
Transmit unicastpkts : NA
Receive OK : 267
Receive unicastpkts : 267
show enet tx-queue
This is an example of what the output should look like:
NOS/128600225699776/UNLOCKED> show enet tx-queue
No transmit software queue configured on Ethernet port 1
No transmit software queue configured on Ethernet port 2
No transmit software queue configured on Ethernet port 3
No transmit software queue configured on Ethernet port 4
No transmit software queue configured on Ethernet port 5
No transmit software queue configured on Ethernet port 6
Ethernet switch queue stats:
Port 1:
TxQ1: 54257
TxQ2: 0
TxQ3: 0
TxQ4: 508
Port 2:
TxQ1: 55767
TxQ2: 0
TxQ3: 0
TxQ4: 508
Port 3:
TxQ1: 0
TxQ2: 0
TxQ3: 0
TxQ4: 0
Port 4:
TxQ1: 0
TxQ2: 0
TxQ3: 0
TxQ4: 0
Port 5:
TxQ1: 92950
TxQ2: 0
TxQ3: 0
TxQ4: 508
show group-mgmt
Displays the IGMP Snooping table. See "IP IGMP Commands" on page 139 for a detailed explanation.
show ip arp
Displays the Ethernet address resolution table stored in your NVG599 device.
show ip igmp
Displays the contents of the IGMP Group Address table and the IGMP Report table maintained by your NVG599
device.
show ip interfaces
Displays the IP interfaces for your NVG599 device.
show ip firewall
Displays firewall statistics.
show ip lan-discovery
Displays the LAN Host Discovery table of hosts on the wired or wireless LAN, and whether or not they are
currently online.
show ip routes
Displays the IP routes stored in your NVG599 device.
show ipmap
Displays IPMap table (NAT).
show ipv6 interfaces
Displays IPv6 interfaces.
show ipv6 routes
Displays the IPv6 route table.
show ipv6 neighbors
Displays the IPv6 neighbor table.
show ipv6 dhcp server leases
Displays the DHCPv6 server lease table.
show ipv6 statistics
Displays IPv6 statistics information.
show log
Displays blocks of information from the NVG599 diagnostic log. To see the entire log, you can repeat the show
log command, or you can enter show log all.
show firewall-log
Displays blocks of information from the NVG599 firewall log.
show memory [ all ]
Displays memory usage information for your NVG599 device. If you include the optional all argument, your
NVG599 will display a more detailed set of memory statistics.
show ptm
Displays statistics information for each PTM session.
show post-results
Displays Power-On Self-Test results.
show pppoe
Displays status information for each PPPoE socket, such as the socket state, service names, and host ID values.
show rootcert
Dumps the Subject line for the list of all the trusted root certificates for the 802.1x supplicant.
show rtsp
Displays RTSP ALG session activity data.
show status
Displays the current status of an NVG599 device, the device's hardware and software revision levels, a
summary of errors encountered, and the length of time the device has been running since it was last restarted.
Identical to the status command.
show summary
Displays a summary of WAN, LAN, and gateway information.
show vlan
Displays detail of VLAN status and statistics.
show wireless [ all ]
Shows wireless status and statistics.
show wireless clients [ MAC_address ]
Displays details on connected clients, or more details on a particular client if the MAC address is added as an
argument.
show voip
Displays VoIP call statistics.
show voiplog
Displays VoIP event logs.
telnet [ hostname | ip_address ] [ port ]
Lets you open a Telnet connection to the specified host through your NVG599 device.
The hostname argument is the name of the device to which you want to connect, for example, telnet
ftp.arris.com.
The ip_address argument is the IP address, in dotted decimal notation, of the device to which you want to
connect.
The port argument is the number of the port over which you want to open a Telnet session.
traceroute ( ip_address | hostname )
Traces the routing path to an IP destination.
upload [ server_address ] [ filename ] [ confirm ]
Copies the current configuration settings of the NVG599 to a TFTP (Trivial File Transfer Protocol) server. The
TFTP server must be accessible on your Ethernet network. The server_address argument identifies the IP
address of the TFTP server on which you want to store the NVG599 settings. The filename argument identifies
the path and name of the configuration file on the TFTP server. If you include the optional confirm keyword,
you will not be prompted to confirm whether or not you want to perform the operation.
view config
Dumps the NVG599 device’s configuration just as the view command does in Configure mode.
who
Displays the names of the current shell and PPP users.
wps
Enters the wireless WPS (Wi-Fi Protected Setup) mode.
WPS Commands
The following commands are available in WPS mode:
pushbutton
Sets the NVG599 device to WPS “pushbutton” mode, initiating protected setup.
pin
Sets the NVG599 device to PIN mode, enabling authorized devices to be identified and added by MAC address
personal identification number.
list
Lists the WPS-ready client devices (enrollees) known to the NVG599.
self-pin
Displays the NVG599’s own Personal Identification Number (PIN) value.
WAN Commands
atmping vccn [ segment | end-to-end ]
Lets you check the ATM connection reachability and network connectivity. This command sends five
Operations, Administration, and Maintenance (OAM) loopback calls to the specified VPI/VCI destination. There
is a five second total timeout interval.
Use the segment argument to ping a neighbor switch.
Use the end-to-end argument to ping a remote end node.
reset dhcp client release [ vcc-id ]
Releases the DHCP lease the NVG599 device is currently using to acquire the IP settings for the specified DSL
port. The vcc-id identifier is an “index” letter in the range B-I, and does not directly map to the VCC in use.
Enter the reset dhcp client release command without the variable to see the letter assigned to each virtual
circuit.
reset dhcp client renew [ vcc-id ]
Renews the DHCP lease the NVG599 device is currently using to acquire the IP settings for the specified DSL
port. The vcc-id identifier is an “index” letter in the range B-I, and does not directly map to the VCC in use.
Enter the reset dhcp client release command without the variable to see the letter assigned to each virtual
circuit.
reset dsl
Resets any open DSL connection.
reset ppp vccn
Resets the point-to-point connection over the specified virtual circuit. This command only applies to virtual
circuits that use PPP framing.
show atm [all]
Displays ATM statistics for the NVG599 device. The optional all argument displays a more detailed set of ATM
statistics.
show ppp [{ stats | lcp | ipcp }]
Displays information about open PPP links. You can display a subset of the PPP statistics by including an
optional stats, lcp, or ipcp argument for the show ppp command.
start ppp vccn
Opens a PPP link on the specified virtual circuit.
About CONFIG Commands
You can reach the Configuration mode of the command line interface by typing configure (or any truncation of
configure, such as con or config) at the CLI SHELL prompt.
CONFIG Mode Prompt
When you are in CONFIG mode, the CLI prompt consists of the name of the NVG599 device followed by your
current node in the hierarchy and two right angle brackets (>>). For example, when you enter CONFIG mode
(by typing config at the SHELL prompt), the prompt ARRIS-3000/9437188 (top)>> reminds you
that you are at the top of the CONFIG hierarchy. If you move to the IP node in the CONFIG hierarchy (by typing
ip at the CONFIG prompt), the prompt changes to ARRIS-3000/9437188 (ip)>> to identify your
current location.
Some CLI commands are not available until certain conditions are met. For example, you must enable IP for an
interface before you can enter IP settings for that interface.
Navigating the CONFIG Hierarchy
Moving from CONFIG to SHELL — You can navigate from anywhere in the CONFIG hierarchy back to the
SHELL level by entering quit at the CONFIG prompt and pressing Enter.
ARRIS-3000/9437188 (top)>> quit
ARRIS-3000/9437188 >
Moving from top to a subnode — You can navigate from the top node to a subnode by entering the node
name (or the significant letters of the node name) at the CONFIG prompt and pressing RETURN. For example,
you move to the IP subnode by entering ip and pressing Enter.
ARRIS-3000/9437188 (top)>> ip
ARRIS-3000/9437188 (ip)>>
As a shortcut, you can enter the significant letters of the node name in place of the full node name at the
CONFIG prompt. The significant characters of a node name are the letters that uniquely identify the node. For
example, since only one CONFIG node starts with “b,” you could enter the letter “b” to move to the bridge
node.
Jumping down several nodes at once — You can jump down several levels in the CONFIG hierarchy by
entering the complete path to a node.
Moving up one node — You can move up through the CONFIG hierarchy one node at a time by entering the
up command.
Jumping to the top node — You can jump to the top level from anywhere in the CONFIG hierarchy by
entering the top command.
Moving from one subnode to another — You can move from one subnode to another by entering a partial
path that identifies how far back to climb.
Moving from any subnode to any other subnode — You can move from any subnode to any other subnode
by entering a partial path that starts with a top-level CONFIG command.
Scrolling backward and forward through recent commands — You can use the Up and Down arrow keys
to scroll backward and forward through recent commands you have entered. When the command you want
appears, press Enter to execute it.
Entering Commands in CONFIG Mode
CONFIG commands consist of keywords and arguments. Keywords in a CONFIG command specify the action
you want to take or the entity on which you want to act. Arguments in a CONFIG command specify the values
appropriate to your site. For example, the following CONFIG command consists of three keywords (ip, dns and
domain-name) and one argument (domain_name_value).
set ip dns domain-name domain_name_value
When you use the command to configure your NVG599 device, you would replace the argument with a value
appropriate to your site.
For example:
set ip dns domain-name arris.com
Guidelines: CONFIG Commands
The following table provides guidelines for entering and formatting CONFIG commands.
If a command is ambiguous or miskeyed, the CLI prompts you to enter additional information. For example,
you must specify which virtual circuit you are configuring when you are setting up an NVG599 device.
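The entry rules in the guidelines table (verb truncation, case-insensitivity, keyword abbreviation, quoting) mean the same setting can be typed many ways, so a review of recorded CONFIG commands should normalize them before comparing. The following is an added example, not ARRIS code: the keyword tree is a constructed subset of commands shown in this handbook, the log lines and the watch list are constructed, and it assumes that abbreviations are resolved among sibling keywords, that an exact keyword wins over a longer one, and that shlex quoting approximates the CLI's quoting.

```python
import shlex

VERBS = ("set", "view", "delete")
ARG = "*"          # marks a position that takes a name or value, not a keyword
LEAF = {ARG: {}}   # keyword followed by exactly one value

# Constructed subset of the keyword tree, built from commands in this handbook.
TREE = {
    "ip": {"dns": {"domain-name": LEAF},
           "gateway": {"enable": LEAF, "address": LEAF}},
    "conn": {"name": {ARG: {
        "type": LEAF, "side": LEAF, "nat-enable": LEAF,
        "rip-send": LEAF, "rip-receive": LEAF,
        "icmp-echo-drop": LEAF, "icmp-err-suppress": LEAF,
        "dhcp-server-enable": LEAF,
        "dhcp-server": {"start-addr": LEAF, "end-addr": LEAF},
    }}},
}

# Settings a reviewer may want to look at twice (editor's choice, not from the page).
WATCH = {("icmp-echo-drop", "off"), ("nat-enable", "off"),
         ("rip-send", "v1"), ("rip-send", "v2"), ("rip-send", "v1-compat"),
         ("rip-receive", "v1"), ("rip-receive", "v2"), ("rip-receive", "v1-compat")}


class ConfigSyntaxError(ValueError):
    pass


def expand(token, candidates, what):
    """Resolve a case-insensitive abbreviation to exactly one candidate."""
    low = token.lower()
    if low in candidates:              # assumption: an exact keyword wins
        return low
    hits = [c for c in candidates if c.startswith(low)]
    if len(hits) != 1:
        problem = "ambiguous" if hits else "unknown"
        raise ConfigSyntaxError(f"{problem} {what} {token!r}")
    return hits[0]


def normalize(line, max_text=64):
    """Return the command as a list of full keywords and literal arguments."""
    try:
        tokens = shlex.split(line)     # handles quotes and backslash notation
    except ValueError as exc:
        raise ConfigSyntaxError(f"bad quoting: {exc}")
    if not tokens:
        raise ConfigSyntaxError("empty command")
    if len(tokens[0]) < 3:
        raise ConfigSyntaxError("verbs need at least three characters")
    out = [expand(tokens[0], VERBS, "verb")]
    node = TREE
    for tok in tokens[1:]:
        if ARG in node:                # argument position: keep text as typed
            if len(tok) > max_text:
                raise ConfigSyntaxError("text string longer than 64 characters")
            out.append(tok)
            node = node[ARG]
        elif node:                     # keyword position: expand the abbreviation
            keyword = expand(tok, node.keys(), "keyword")
            out.append(keyword)
            node = node[keyword]
        else:
            raise ConfigSyntaxError(f"unexpected token {tok!r}")
    return out


def audit(lines):
    """Return (line number, detail) for rejected or watch-listed commands."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            cmd = normalize(line)
        except ConfigSyntaxError as exc:
            findings.append((n, f"rejected: {exc}"))
            continue
        if cmd[0] == "set" and (cmd[-2], cmd[-1].lower()) in WATCH:
            findings.append((n, " ".join(cmd)))
    return findings


# Constructed sample of recorded commands.
SAMPLE_LOG = [
    "SET con na WAN icmp-echo off",
    "set conn name WAN rip-s v2",
    "set conn name LAN dhcp-server start-addr 192.168.1.64",
    "set conn name WAN icmp-e on",
    "set ip dns domain-name arris.com",
    "se ip gateway enable off",
]

if __name__ == "__main__":
    for n, detail in audit(SAMPLE_LOG):
        print(n, detail)
```

A plain string search for icmp-echo-drop would miss line 1 of the sample, which sets it with abbreviated and upper-case input.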
Displaying Current Gateway Settings
You can use the view command to display the current CONFIG settings for your NVG599. If you enter the view
command at the top level of the CONFIG hierarchy, the CLI displays the settings for all enabled functions. If you
enter the view command at an intermediate node, you see settings for that node and its subnodes.
Step Mode: A CLI Configuration Technique
The NVG599 command line interface includes a step mode to automate the process of entering configuration
settings. When you use the CONFIG step mode, the command line interface prompts you for all required and
optional information. You can then enter the configuration values appropriate for your site without having to
enter complete CLI commands.
When you are in step mode, the command line interface prompts you to enter required and optional settings.
If a setting has a default value or a current setting, the command line interface displays the default value for
the command in parentheses. If a command has a limited number of acceptable values, those values are
presented in brackets, with each value separated by a vertical line.
Command Component   Rules for Entering CONFIG Commands
Command Verbs       CONFIG commands must start with a command verb (set, view, delete).
                    You can truncate CONFIG verbs to three characters (set, vie, del).
                    CONFIG verbs are case-insensitive. You can enter SET, Set, or set.
Keywords            Keywords are case-insensitive. You can enter Ethernet, ETHERNET, or ethernet as a
                    keyword without changing its meaning.
                    Keywords can be abbreviated to the length that they are differentiated from other keywords.
Argument Text       Text strings can be as many as 64 characters long, unless otherwise specified. In some
                    cases they may be as long as 255 bytes.
                    Special characters are represented using backslash notation.
                    Text strings can be enclosed in double (“) or single (‘) quotation marks. If the text
                    string includes an embedded space, it must be enclosed in quotation marks.
Numbers             Enter numbers as integers, or in hexadecimal format, where so noted.
IP Addresses        Enter IP addresses in dotted decimal notation (0 to 255).
For example, the following CLI step command indicates that the default value is off and that valid entries are
limited to on and off.
option (off) [on | off]: on
You can accept the default value for a field by pressing the Enter key. To use a different value, type it and press
Enter.
You can enter the CONFIG step mode by entering set from the top node of the CONFIG hierarchy. You can enter
step mode for a particular service by entering set service_name. To exit stepping set mode, press Control-X Enter.
For example:
ARRIS-3000/9437188 (top)>> set system
...
system
name (“ARRIS-3000/9437188”): Mycroft
Diagnostic Level (High): medium
Stepping mode ended.
Validating Your Configuration
You can use the validate CONFIG command to make sure that your configuration settings have been entered
correctly. If you use the validate command, the NVG599 device verifies that all required settings for all services
are present and that settings are consistent.
ARRIS-3000/9437188 (top)>> validate
Error: Subnet mask is incorrect
Global Validation did not pass inspection!
You can use the validate command to verify your configuration settings at any time. Your NVG599 device
automatically validates your configuration any time you save a modified configuration.
CONFIG Commands
This section describes the keywords and arguments for the various CONFIG commands.
Connection Commands
The conn commands are used to create connections, for example, a WAN or LAN connection. There may be
more than one of each depending on your model. The name commands correspond to the system object IDs
(OIDs), but you can name them yourself.
set conn name name link-oid value
Sets the connection named name to point to an associated link specified by the link-oid value.
set conn name name type [ static | dhcpc | ppp ]
Specifies whether the type of the connection named name is static, DHCPC, or PPP.
set conn name name side [ lan | wan ]
Specifies whether this connection is LAN- or WAN-side. A connection can be either lan or wan.
set conn name name lan-type [ private | public | public-delegated ]
Specifies whether this connection’s LAN is private, public, or public-delegated. The default is private, the usual
type of local network.
set conn name name dhcp-server-enable [ on | off ]
Turns the DHCP server for this connection on or off. The DHCP server can be enabled per connection. The
default is on.
set conn name name mcast-forwarding [ off | on ]
Turns IP IGMP multicast forwarding for this connection off or on. The default is off.
set conn name name rip-send [ off | v1 | v2 | v1-compat | v2-md5 ]
Specifies whether the device should use Routing Information Protocol (RIP) broadcasts to advertise its routing
tables to other gateways. RIP Version 2 (RIP-2) is an extension of the original Routing Information Protocol (RIP-
1) that expands the amount of useful information in the RIP packets. While RIP-1 and RIP-2 share the same
basic algorithms, RIP-2 supports several additional features, including inclusion of subnet masks in RIP packets
and implementation of multicasting instead of broadcasting (which reduces the load on hosts that do not
support routing protocols). RIP-2 with MD5 authentication is an extension of RIP-2 that increases security by
requiring an authentication key when routes are advertised. Depending on your network needs, you can
configure your device to support RIP-1, RIP-2, or RIP-2MD5.
If you specify v2-md5, you must also specify a rip-send-key. Keys are ASCII strings with a maximum of 31
characters, and must match the other gateway keys for proper operation of MD5 support. The default is off.
set conn name name rip-receive [ off | v1 | v2 | v1-compat | v2-md5 ]
Specifies whether the device should use Routing Information Protocol (RIP) broadcasts to update its routing
tables with information received from other gateways on the other side of the connection. If you specify v2-
md5, you must also specify a rip-receive-key. Keys are ASCII strings with a maximum of 31 characters, and must
match the other gateway keys for proper operation of MD5 support. The default is off.
set conn name name icmp-echo-drop [ off | on ]
If set to on, drops echo-requests received on the particular interface. The default is off.
set conn name name icmp-err-suppress [ off | on ]
An additional option to suppress ICMP error messages on WAN IP interfaces. The default is off.
set conn name name static ipaddr ipaddr
Specifies a static IP address when the connection type has been set to static. The default is 192.168.1.254.
Example:
NOS/128600225634272/conf
Config Mode v1.3
NOS/128600225634272 (top)>> conn
NOS/128600225634272 (conn)>> set
conn
(conn) node list ...
"LAN"
"WAN"
Select (name) node to modify from list,
or enter new (name) to create.
conn name (?):
name "LAN"
link-oid ("LAN") [ LAN | WAN | PPPoE | ]:
type (static) [ static | dhcpc | ppp ]:
side (lan) [ lan | wan ]:
lan-type (private) [ private | public | public-delegated ]:
mcast-forwarding (off) [ off | on ]:
rip-send (off) [ off | v1 | v2 | v1-compat | v2-md5 ]:
rip-receive (off) [ off | v1 | v2 | v1-compat | v2-md5 ]:
fs-egress ("") [ Security | QosUpstream | WanEgress | ]:
fs-ingress ("") [ Security | QosUpstream | WanEgress | ]:
static
ipaddr ("192.168.1.254"):
netmask ("255.255.255.0"):
dhcp-server-enable (on) [ off | on ]:
dhcp-server
start-addr ("192.168.1.64"):
end-addr ("192.168.1.253"):
lease-time (01:00:00:00):
subnet-order (1) [ 1 - 8 ]:
gen-option
(gen-option) node list ...
Select (name) node to modify from list,
or enter new (name) to create.
gen-option name (?):
option-group
(option-group) node list ...
Select (name) node to modify from list,
or enter new (name) to create.
option-group name (?):
NOTE:
You must also set the gateway address OR turn it off, otherwise the settings cannot be saved. See “IP Gateway
Commands” on page 132.
filterset
(filterset) node list ...
Select (name) node to modify from list,
or enter new (name) to create.
filterset name (?):
name "WAN"
link-oid ("WAN") [ LAN | WAN | PPPoE | ]:
type (dhcpc) [ static | dhcpc | ppp ]: static
side (wan) [ lan | wan ]:
mcast-forwarding (off) [ off | on ]:
nat-enable (on) [ off | on ]:
rip-receive (off) [ off | v1 | v2 | v1-compat | v2-md5 ]:
icmp-echo-drop (on) [ off | on ]:
icmp-err-suppress (off) [ off | on ]:
fs-egress ("WanEgress") [ Security | QosUpstream | WanEgress | ]:
fs-ingress ("") [ Security | QosUpstream | WanEgress | ]:
static
ipaddr (""): 10.3.53.100
netmask ("255.255.255.0"):
NOS/128600225634272 (conn)>> set ip gateway address 10.3.53.1
NOS/128600225634272 (conn)>> save
If you do not want the gateway, use this command to turn it off:
set ip gateway enable off
set conn name name static netmask netmask
Specifies a static netmask when the connection type has been set to static. The default is 255.255.255.0.
set conn name name dhcp-server start-addr ipaddr
If dhcp-server-enable is set to on, specifies the first address in the DHCP address range. The NVG599 can
reserve a sequence of up to 253 IP addresses within a subnet, beginning with the specified address for dynamic
assignment. The default is 192.168.1.64.
set conn name name dhcp-server end-addr ipaddr
If dhcp-server-enable is set to on, specifies the last address in the DHCP address range. The default is
192.168.1.253.
set conn name name dhcp-server lease-time seconds
If dhcp-server-enable is set to on, specifies the default length for DHCP leases issued by the NVG599. Lease
time is in seconds. Default is 3600.
set conn name name dhcp-server subnet-order [1... 8]
If dhcp-server-enable is set to on, specifies the order in which to address the first of 8 possible subnets.
Ordinarily, this is the first one, the default 1.
set conn name name nat-enable [ on | off ]
Specifies whether you want the NVG599 device to use network address translation (NAT) when communicating
with remote gateways. NAT lets you conceal details of your network from remote gateways. It also permits all
LAN devices to share a single IP address. By default, address NAT is turned on.
set conn name name dhcp-client discover-time seconds
The DHCP client parameters appear when the connection type has been set to dhcpc. The discover-time value
is in seconds; the default is 30.
set conn name name dhcp-client dns-enable [ on | off ]
Allows you to enable or disable the default behavior of acting as a DNS proxy. The default is on.
set conn name name dhcp-client dns-override [ off | on ]
Allows you to enable or disable overriding default DNS behavior. The default is off.
set conn name name dhcp-client vendor-class string
The vendor-class default information varies by model and components. This is information that identifies the
unit.
set conn name name fs-egress filterset_name
Attaches a user filter set to a connection, which is applied to transmitted packets. See “Filter Set Commands”
on page 124.
set conn name name fs-ingress filterset_name
Attaches a user filter set to a connection, which is applied to received packets. See “Filter Set Commands” on
page 124.
Filter Set Commands
Filter sets provide packet filtering and QoS configuration. Packets are identified by characteristics that allow
QoS and forwarding decisions to be made. These characteristics can be at the MAC layer, IP layer, TCP | UDP |
ICMP layer(s), or (in applicable circumstances) 802.1q/p (VLAN-tagging) layer.
Your NVG599 device is capable of adding and stripping 802.1Q tags to and from frames before transmission on
its LAN interfaces. See also “Link Commands” on page 143 for more information.
A maximum of 8 filter sets are supported. Each filter set can have up to 8 rules configured. A maximum of 8
egress queues are supported. Each queue can have up to 8 entries.
A filter set rule identifies packet attributes to match with its match parameters. It acts on these packets using
its default action parameters.
set filterset name filterset_name rule number order number
Determines order of execution of filter set rules (1 before 2, etc). If order is unspecified, the value of order is
set to 1 more than the last order in the filter set. If order is set to an already existing order value, order values
of other rules are incremented automatically.
set filterset name filterset_name rule number enable [ on | off ]
Dynamically enables or disables the specified filter set rule.
set filterset name filterset_name rule number match-eth-proto number
Matches Ethernet protocol field to the supplied value.
set filterset name filterset_name rule number match-eth-length number
Matches Ethernet length field to the supplied value.
set filterset name filterset_name rule number match-eth-p-bits number
Matches VLAN priority bits.
set filterset name filterset_name rule number match-eth-vid number
Matches VLAN ID number.
set filterset name filterset_name rule number match-eth-src-mac-addr
mac_address
Matches supplied source MAC address field.
set filterset name filterset_name rule number match-eth-dst-mac-addr
mac_address
Matches supplied destination MAC address field.
set filterset name filterset_name rule number match-src-ip-addr
ip_address_range
Matches supplied value with packet's source IP address field.
set filterset name filterset_name rule number match-dst-ip-addr
ip_address_range
Matches supplied value with packet's destination IP address field.
set filterset name filterset_name rule number match-protocol protocol_string
Matches supplied value with packet's protocol field.
set filterset name filterset_name rule number match-tos [ number |
descriptive_value ]
Matches TOS field from numeric value 0-255; or one of the following descriptive values:
Minimize-Delay (0x10)
Maximize-Throughput (0x08)
Maximize-Reliability (0x04)
Minimize-Cost (0x02)
Normal-Service (0x00)
set filterset name filterset_name rule number match-dscp [ number |
diffserv_class_string ]
Matches DiffServ class with supplied numerical value, which can be in decimal (ex: 32) or in Hex (ex: 0x20);
or matches the supplied DiffServ class. This value may be any of the BE, EF, AFxx or CSx classes. A full list is:
{ "CS0", 0x00 }
{ "CS1", 0x08 }
{ "CS2", 0x10 }
{ "CS3", 0x18 }
{ "CS4", 0x20 }
{ "CS5", 0x28 }
{ "CS6", 0x30 }
{ "CS7", 0x38 }
{ "BE", 0x00 }
{ "AF11", 0x0a }
{ "AF12", 0x0c }
{ "AF13", 0x0e }
{ "AF21", 0x12 }
{ "AF22", 0x14 }
{ "AF23", 0x16 }
{ "AF31", 0x1a }
{ "AF32", 0x1c }
{ "AF33", 0x1e }
{ "AF41", 0x22 }
{ "AF42", 0x24 }
{ "AF43", 0x26 }
{ "EF", 0x2e }
set filterset name filterset_name rule number match-src-port number [ number ]
Matches TCP|UDP source port field or port range.
set filterset name filterset_name rule number match-dst-port number
[number ]
Matches TCP|UDP destination port field or port range.
set filterset name filterset_name rule number match-tcp-flags tcp_flag_string
Matches TCP flags in a packet. The flag string is comma-delimited.
set filterset name filterset_name rule number match-packet-length number
[number ]
Matches packet length against value or range.
set filterset name filterset_name rule number action forward [ pass | drop |
reject ]
Executes the named filter set's default action: pass, drop, or reject.
set filterset name filterset_name rule number match-qos-marker-enable [ off |
on ]
Turns the function of tagging the packet according to the queue marker name on or off. Default is off.
set filterset name filterset_name rule number action set-qos-marker
qos_marker_string
Tags the packet according to the queue marker name. See “Queue Commands” on page 129.
set filterset name filterset_name rule number action set-tos number
Sets the packet TOS field to the supplied value.
set filterset name filterset_name rule number action set-dscp [ number |
diffserv_class_string ]
Sets the DSCP field to the supplied value.
set filterset name filterset_name rule number action set-eth-p-bits number
Sets VLAN priority bits to the supplied value.
set filterset filterset_name rule number action do-filterset name
Executes the supplied filter set.
Default Actions
If a packet passes through all of a filter's rules without a match, then the filter set's default actions come into
play. These behave the same way that rule actions behave.
set filterset name filterset_name default-action set-qos-marker
qos_marker_string
Tags the packet according to the queue marker name.
set filterset name filterset_name default-action set-tos number
Sets the packet TOS field to the supplied value.
set filterset name filterset_name default-action set-dscp [ number
|diffserv_class_string ]
Sets the DSCP field to the supplied value.
set filterset name filterset_name default-action set-eth-p-bits number
Sets VLAN priority bits to the supplied value.
set filterset name filterset_name default-action do-filterset name
Executes the supplied filter set.
set filterset name filterset_name default-action forward [ pass | drop | reject ]
Executes the named filter set's default action: pass, drop, or reject.
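The order rules and the default action described above decide which rule a packet meets first, so a broad pass rule placed ahead of a narrow drop rule hides it. The following is an added example, not ARRIS firmware code: the class and field names are hypothetical, only match-protocol and match-dst-port are modelled, and it assumes that the first matching rule decides the forward action and that "incremented automatically" means every rule at or after the requested order moves down by one.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    number: int               # identifier used in 'rule <number>'
    order: int                # execution order (1 before 2, etc.)
    action: str               # 'action forward' value: pass | drop | reject
    protocol: str = None      # match-protocol; None matches any protocol
    dst_ports: tuple = None   # match-dst-port as (low, high); None matches any

    def matches(self, pkt):
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        if self.dst_ports is not None:
            low, high = self.dst_ports
            if not low <= pkt["dst_port"] <= high:
                return False
        return True

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this rule."""
        if self.protocol is not None and self.protocol != other.protocol:
            return False
        if self.dst_ports is None:
            return True
        if other.dst_ports is None:
            return False
        return (self.dst_ports[0] <= other.dst_ports[0]
                and other.dst_ports[1] <= self.dst_ports[1])


class FilterSet:
    MAX_RULES = 8  # from the page: each filter set can have up to 8 rules

    def __init__(self, default_action="pass"):
        self.default_action = default_action
        self.rules = {}

    def set_rule(self, number, action, order=None, **match):
        existing = self.rules.pop(number, None)   # re-setting a rule replaces it
        if existing is None and len(self.rules) >= self.MAX_RULES:
            raise ValueError("filter set already holds 8 rules")
        if order is None:
            # Unspecified order: one more than the last order in the filter set.
            order = max((r.order for r in self.rules.values()), default=0) + 1
        elif any(r.order == order for r in self.rules.values()):
            # Order already in use: rules at or after it are incremented.
            for r in self.rules.values():
                if r.order >= order:
                    r.order += 1
        self.rules[number] = Rule(number, order, action, **match)

    def ordered(self):
        return sorted(self.rules.values(), key=lambda r: r.order)

    def evaluate(self, pkt):
        # Assumption: the first matching rule decides; otherwise the default action.
        for rule in self.ordered():
            if rule.matches(pkt):
                return rule.action
        return self.default_action

    def shadowed(self):
        """Numbers of rules that can never match because an earlier rule covers them."""
        rules = self.ordered()
        return [later.number for i, later in enumerate(rules)
                if any(earlier.covers(later) for earlier in rules[:i])]


def demo():
    telnet = {"protocol": "tcp", "dst_port": 23}   # constructed sample packet
    fs = FilterSet(default_action="drop")
    fs.set_rule(1, "pass", protocol="tcp")                      # gets order 1
    fs.set_rule(2, "drop", protocol="tcp", dst_ports=(23, 23))  # gets order 2
    before = (fs.evaluate(telnet), fs.shadowed())
    # Re-enter rule 2 with order 1: rule 1 is pushed to order 2.
    fs.set_rule(2, "drop", order=1, protocol="tcp", dst_ports=(23, 23))
    after = (fs.evaluate(telnet), fs.shadowed(),
             [(r.number, r.order) for r in fs.ordered()])
    return before, after


if __name__ == "__main__":
    print(demo())
```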
Global Filter Set (“IPv6 Firewall”) Commands
Global filter sets exist at the root level of the hierarchy, outside the umbrella of both the “ip” and “ip6”
subtrees, since they pertain to both.
Global filter set rules allow for the specification of these match attributes:
    IP Protocol
    Source and/or destination port:
        UDP
        TCP
    TCP flags, for rules that specify TCP traffic
    ICMP type, for IP-protocol types 1 (ICMP) and 58 (IPv6-ICMP)
    LAN-side device/range:
        By MAC address (or current IPv4/6 address, host name, equivalently)
        IPv4 address, range, or subnet
        IPv6 address or subnet
    WAN-side range:
        IPv4 address, range, or subnet
        IPv6 address or subnet
    Ingress and egress interface, by link-oid (such as “LAN”)
set gfs name filterset_name enable [ on | off ]
Dynamically enables or disables the specified filter set rule.
set gfs name filterset_name default-action value [ pass | drop ]
Executes the named filter set's default action: pass or drop.
set gfs name filterset_name rule number enable [ on | off ]
Dynamically enables or disables the specified filter set rule.
set gfs name filterset_name rule number active [ on | off ]
Activates or deactivates the specified filter set rule.
set gfs name filterset_name rule number type [ either | ipv4 | ipv6 ]
Specifies whether the named filter set rule applies to IPv4, IPv6, or both (either).
set gfs name filterset_name rule number action value [ pass | drop | accept ]
Executes the named filter set’s action: pass, drop, or accept.
set gfs name filterset_name rule number order number
Determines order of execution of filter set rules (1 before 2, etc). If order is unspecified, the value of order is
set to 1 more than the last order in the filter set. If order is set to an already existing order value, order values
of other rules are incremented automatically.
set gfs name filterset_name rule number match number category [ src-ip-addr |
dst-ip-addr | ip-proto | src-port | dst-port | tcp-flags | src-host-mac |
dst-host-mac | in-link-oid | out-link-oid | icmp-type ]
Matches on the following categories:
src-ip-addr (ip[4|6] address or subnet spec (type ip4 or ip6 only))
dst-ip-addr (ip[4|6] address or subnet spec (type ip4 or ip6 only))
ip-proto (0-255 or iana-defined string equivalents)
src-port (1-65535[:1-65535], only if ip-proto == TCP or UDP)
dst-port (1-65535[:1-65535], only if ip-proto == TCP or UDP)
tcp-flags (only if ip-proto == TCP)
icmp-type (only if ip-proto == ICMP or IPv6 ICMP)
src-host-mac (MAC address of src)
dst-host-mac (MAC address of dest)
in-link-oid (oid of ingress link oid)
out-link-oid (oid of egress link oid)
set gfs name filterset_name rule number match number value [ value (category-specific) ]
NOTE:
A rule cannot contain data that specifies both IPv6 and IPv4 at the same time, since it would then be applicable
to neither iptables nor ip6tables; however, a rule can be IP-version agnostic, in which case it will be applied to
both iptables and ip6tables, given the proper conditions. For instance, if a LAN-side device has both an IPv4
address and a routable IPv6 address, then one can specify a rule for this device by referring to its MAC
address, and if no other match attributes of the rule preclude its use in both tables, the rule will be applied to
both iptables and ip6tables (given the assumption that the LAN Host Discovery database contains both
addresses).
Queue Commands
Queue configuration typically requires a classification component to set a QoS marker to a packet and a
queueing component to schedule the marked packets to the link. This is accomplished using filter sets (“Filter
Set Commands” on page 124).
The basic queue's size and length are controls for how many packets and total bytes can be enqueued before it
is considered to be full. Once it is full, any attempts to enqueue another packet will result in a “tail-drop.”
Both constraints are simultaneously used, such that the queue is full when either packet count or byte count
exceeds the limit. This allows flexibility in obtaining a balance, where a large number of small packets, but only
a small number of large packets can be enqueued.
If there are no tail-drops – that is, the queue is not blocked from sending and doesn't over-fill and dump
packets – then these queue size/bytes parameters do not affect anything. Their only function is to adjust the
threshold at which the queue is considered full, which dictates when tail-drops will occur. So increasing the
queue length has no effect unless there are tail-drops.
The maximum size/bytes of a queue balances how much burstiness can be buffered versus having a queue that
is simply too long.
Burstiness smoothing requires queueing up the buffers. For example, if the upstream line rate is 1 mbps, but
the traffic source sends 100 mbps bursts for 10 ms every second (which coincidentally averages 1 mbps) then
the router will have to buffer enough (about a full second worth of traffic) so that the burst of traffic doesn't
get tail-dropped when it arrives and is enqueued at the same time in the same burst.
On the other hand, it is undesirable to buffer too much data in the queue(s), since the packets may be stale by
the time they are sent. Dropping such traffic is desirable enough that there are queuing disciplines, such as
Random Early Discard (RED), that do not drop packets from the tail of the queue. Instead, RED drops
packets towards the front of the queue, so that the congestion is noticed more quickly and the sender can
scale back bandwidth usage to avoid drops.
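The two-limit tail-drop behaviour and the burst scenario described above, modelled as an added example (not ARRIS code). The class and function names are hypothetical, packets are assumed to be equal-sized, and a packet is assumed to leave the queue when the link starts sending it; the 64-packet and 131072-byte ceilings are the maximum size and bytes values of the set queue commands in this section.

```python
from collections import deque

NS = 1_000_000_000  # nanoseconds per second; integer time avoids float drift


class BasicQueue:
    """Tail-drop FIFO limited by packet count ('size') and byte count ('bytes')."""

    def __init__(self, max_packets, max_bytes):
        self.max_packets = max_packets
        self.max_bytes = max_bytes
        self.fifo = deque()
        self.bytes_queued = 0
        self.tail_drops = 0
        self.peak_packets = 0
        self.peak_bytes = 0

    def enqueue(self, length):
        # Full as soon as EITHER limit would be exceeded: the new packet is dropped.
        if (len(self.fifo) + 1 > self.max_packets
                or self.bytes_queued + length > self.max_bytes):
            self.tail_drops += 1
            return False
        self.fifo.append(length)
        self.bytes_queued += length
        self.peak_packets = max(self.peak_packets, len(self.fifo))
        self.peak_bytes = max(self.peak_bytes, self.bytes_queued)
        return True

    def dequeue(self):
        length = self.fifo.popleft()
        self.bytes_queued -= length
        return length


def simulate_burst(queue, pkt_len, burst_bps, burst_ns, line_bps):
    """Offer one burst of equal-sized packets while the link drains the queue."""
    arrival_gap = pkt_len * 8 * NS // burst_bps   # ns between arrivals
    tx_time = pkt_len * 8 * NS // line_bps        # ns to send one packet upstream
    arrivals = -(-burst_ns // arrival_gap)        # ceiling: packets in the burst
    link_free_at = 0
    for i in range(arrivals):
        now = i * arrival_gap
        # Each time the link becomes free it takes the packet at the head.
        while queue.fifo and link_free_at <= now:
            queue.dequeue()
            link_free_at += tx_time
        if not queue.fifo and link_free_at <= now:
            link_free_at = now + tx_time          # idle link: sent without queueing
        else:
            queue.enqueue(pkt_len)
    return {"offered": arrivals, "tail_drops": queue.tail_drops,
            "peak_packets": queue.peak_packets, "peak_bytes": queue.peak_bytes}


def backlog_bytes(burst_bps, burst_ns, line_bps):
    """Bytes that pile up during the burst: arrival rate minus drain rate."""
    return (burst_bps - line_bps) * burst_ns // (8 * NS)


def run_scenarios():
    # Scenario from the text: 100 Mbps bursts for 10 ms into a 1 Mbps upstream.
    burst = dict(burst_bps=100_000_000, burst_ns=10_000_000, line_bps=1_000_000)
    results = {}
    for label, size, nbytes, pkt in [
        ("max limits, 1500 B", 64, 131072, 1500),
        ("byte-limited, 1500 B", 64, 32768, 1500),
        ("packet-limited, 256 B", 64, 32768, 256),
    ]:
        results[label] = simulate_burst(BasicQueue(size, nbytes), pkt, **burst)
    return results


if __name__ == "__main__":
    print("backlog to absorb:",
          backlog_bytes(100_000_000, 10_000_000, 1_000_000), "bytes")
    for label, stats in run_scenarios().items():
        print(f"{label:22} {stats}")
```

With 1500-byte packets the 64-packet ceiling (96,000 bytes) is reached before the 123,750-byte backlog of the example burst, so in this model the burst still tail-drops at the maximum settings.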
The following types of queue “building blocks” are supported:
basic queue
ingress queue
priority queue
wfq (weighted fair queue)
Basic queues have three different packet dropping options:
byte|packet fifo (bpfifo)
random early discard (red)
stochastic fairness queuing (sfq)
set queue name queue_name type [ basic | ingress | priority | wfq ]
Sets the type of queue.
set queue name queue_name options [ off | red | sfq ]
Sets the queue packet dropping options.
set queue name queue_name size [ 1... 64 ]
Sets the maximum number of packets that can be enqueued.
set queue name queue_name bytes [ 2048... 131072 ]
Sets the maximum total number of bytes that can be enqueued.
set queue name queue_name perturb [ 0... 100 ]
Sets the interval in seconds for queue algorithm perturbation when queue option is sfq.
set queue name queue_name police-rate [ 0... 100000000 ]
Sets the rate in milliseconds that is used for policing traffic when the queue type is ingress.
set queue name queue_name police-burst [ 0... 100000000 ]
Sets the burst rate in milliseconds that is used for policing traffic when the queue type is ingress.
set queue name queue_name bw-sharing [ on | off ]