ZyXEL Communications VMG1312B10D Wireless N VDSL2 Gateway with USB User Manual Book

ZyXEL Communications Corporation Wireless N VDSL2 Gateway with USB Book

Contents

User Manual-2

Chapter 18 Parental Control
Table 87 Parental Control Rule: Add/Edit (continued)
LABEL
DESCRIPTION
Add New
Service
Click this to show a screen in which you can add a new service rule. You can configure the
Service Name, Protocol, and Name of the new rule.
#
This shows the index number of the rule.
Service Name
This shows the name of the rule.
Protocol:Port
This shows the protocol and the port of the rule.
Modify
Click the Edit icon to go to the screen where you can edit the rule.
Click the Delete icon to delete an existing rule.
Site/URL Keyword
Block or Allow
the Web Site
If you select Block the Web URLs, the VMG prohibits the users from viewing the Web sites
with the URLs listed below.
If you select Allow the Web URLs, the VMG blocks access to all URLs except ones listed
below.
Add
Click Add to show a screen to enter the URL of web site or URL keyword to which the VMG
blocks or allows access.
#
This shows the index number of the rule.
WebSite
This shows the URL of web site or URL keyword to which the VMG blocks or allows access.
Modify
Click the Edit icon to go to the screen where you can edit the rule.
Click the Delete icon to delete an existing rule.
Redirect
blocked site to
ZyXEL Family
Safety page
Select this to redirect users who access any blocked websites listed above to the ZyXEL
Family Safety page as shown next.
Figure 119 ZyXEL Family Safety Page Example
OK
Click OK to save your changes.
Cancel
Click Cancel to to exit this screen without saving.
VMG1312-B10D User’s Guide
201
19
Scheduler Rule
19.1 Overview
You can define time periods and days during which the VMG performs scheduled rules of certain
features (such as Firewall Access Control) in the Scheduler Rule screen.
19.2 The Scheduler Rule Screen
Use this screen to view, add, or edit time schedule rules.
Click Security > Scheduler Rule to open the following screen.
Figure 120 Security > Scheduler Rule
The following table describes the fields in this screen.
Table 88 Security > Scheduler Rule
LABEL
DESCRIPTION
Click this to create a new rule.
This is the index number of the entry.
This shows the name of the rule.
This shows the day(s) on which this rule is enabled.
This shows the period of time on which this rule is enabled.
This shows the description of this rule.
Click the Edit icon to edit the schedule.
Click the Delete icon to delete a scheduler rule.
Note: You cannot delete a scheduler rule once it is applied to a certain feature.
19.2.1 Add/Edit a Schedule
Click the Add New Rule button in the Scheduler Rule screen or click the Edit icon next to a
schedule rule to open the following screen. Use this screen to configure a restricted access
schedule.
VMG1312-B10D User’s Guide
202
Chapter 19 Scheduler Rule
Figure 121 Scheduler Rule: Add/Edit
The following table describes the fields in this screen.
Table 89 Scheduler Rule: Add/Edit
LABEL
DESCRIPTION
Enter a name (up to 31 printable English keyboard characters, not including spaces) for this
schedule.
Select check boxes for the days that you want the VMG to perform this scheduler rule.
Range
Enter the time period of each day, in 24-hour format, during which the rule will be enforced.
Enter a description for this scheduler rule.
Click OK to save your changes.
Click Cancel to exit this screen without saving.
VMG1312-B10D User’s Guide
203
20
Certificates
20.1 Overview
The VMG can use certificates (also called digital IDs) to authenticate users. Certificates are based
on public-private key pairs. A certificate contains the certificate owner’s identity and public key.
Certificates provide a way to exchange public keys for use in authentication.
20.1.1 What You Can Do in this Chapter
The Local Certificates screen lets you generate certification requests and import the VMG's CA-
signed certificates (Section 20.4 on page 208).
The Trusted CA screen lets you save the certificates of trusted CAs to the VMG (Section 20.4 on
page 208).
20.2 What You Need to Know
The following terms and concepts may help as you read through this chapter.
Certification Authority
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate
owner. There are commercial certification authorities like CyberTrust or VeriSign and government
certification authorities. The certification authority uses its private key to sign certificates. Anyone
can then use the certification authority's public key to verify the certificates. You can use the VMG
to generate certification requests that contain identifying information and public keys and then send
the certification requests to a certification authority.
20.3 The Local Certificates Screen
Click Security > Certificates to open the Local Certificates screen. This is the VMG’s summary
list of certificates and certification requests.
Figure 122 Security > Certificates > Local Certificates
VMG1312-B10D User’s Guide
204
Chapter 20 Certificates
The following table describes the labels in this screen.
Table 90 Security > Certificates > Local Certificates
LABEL
DESCRIPTION
Private Key is
protected by a
password
Select the checkbox and enter the private key into the text box to store it on the VMG.
The private key should not exceed 63 ASCII characters (not including spaces).
Choose File
Click this to find the certificate file you want to upload.
Import Certificate
Click this button to save the certificate that you have enrolled from a certification
authority from your computer to the VMG.
Create Certificate
Request Click this button to go to the screen where you can have the VMG generate a certification
request.
Current File
This field displays the name used to identify this certificate. It is recommended that you
give each certificate a unique name.
Subject
This field displays identifying information about the certificate’s owner, such as CN
(Common Name), OU (Organizational Unit or department), O (Organization or company)
and C (Country). It is recommended that each certificate have unique
subject
information.
Issuer
This field displays identifying information about the certificate’s issuing certification
authority, such as a common name, organizational unit or department, organization or
company and country.
Valid From
This field displays the date that the certificate becomes applicable. The text displays in
red and includes a Not Yet Valid! message if the certificate has not yet become
applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and
includes an Expiring! or Expired! message if the certificate is about to expire or has
already expired.
Modify
Click the View icon to open a screen with an in-depth list of information about the
certificate (or certification request).
For a certification request, click Load Signed to import the signed certificate.
Click the Remove icon to delete the certificate (or certification request). You cannot
delete a certificate that one or more features is configured to use.
20.3.1 Create Certificate Request
Click Security > Certificates > Local Certificates and then Create Certificate Request to
open the following screen. Use this screen to have the VMG generate a certification request.
VMG1312-B10D User’s Guide
205
Chapter 20 Certificates
Figure 123 Create Certificate Request
The following table describes the labels in this screen.
Table 91 Create Certificate Request
LABEL
DESCRIPTION
Certificate
Name Type up to 63 ASCII characters (not including spaces) to identify this certificate.
Common Name
Select Auto to have the VMG configure this field automatically. Or select Customize to
enter it manually.
Type the IP address (in dotted decimal notation), domain name or e-mail address in the field
provided. The domain name or e-mail address can be up to 63 ASCII characters. The
domain name or e-mail address is for identification purposes only and can be any string.
Organization
Name Type up to 63 characters to identify the company or group to which the certificate owner
belongs. You may use any character, including spaces, but the VMG drops trailing spaces.
State/Province
Name Type up to 32 characters to identify the state or province where the certificate owner is
located. You may use any character, including spaces, but the VMG drops trailing spaces.
Country/Region
Name Select a country to identify the nation where the certificate owner is located.
Apply
Click Apply to save your changes.
Cancel
Click Cancel to exit this screen without saving.
After you click Apply to generate a request, you still need to get the certificate request signed by a
Certificate Authority. If you already have, click the request’s Edit icon and then Load_Signed to
import the signed certificate into the VMG.
VMG1312-B10D User’s Guide
206
Chapter 20 Certificates
Figure 124 Certificate Request Created
20.3.2 Load Signed Certificate
After you create a certificate request and have it signed by a Certificate Authority, in the View
Certificate screen click the certificate request’s Load_Signed button to import the signed
certificate into the VMG.
Note: You must remove any spaces from the certificate’s filename before you can import
it.
VMG1312-B10D User’s Guide
207
Chapter 20 Certificates
Figure 125 Load Signed Certificate
The following table describes the labels in this screen.
Table 92 Load Signed Certificate
LABEL
DESCRIPTION
Name
This is the name of the signed certificate.
Certificate
Copy and paste the signed certificate into the text box to store it on the VMG.
Load_Signed
Click Load_Signed to import the signed certificate into the VMG.
Cancel
Click Cancel to exit this screen without saving.
20.4 The Trusted CA Screen
Click Security > Certificates > Trusted CA to open the following screen. This screen displays a
summary list of certificates of the certification authorities that you have set the VMG to accept as
trusted. The VMG accepts any valid certificate signed by a certification authority on this list as being
trustworthy; thus you do not need to import any certificate that is signed by one of these
certification authorities.
Figure 126 Security > Certificates > Trusted CA
VMG1312-B10D User’s Guide
208
Chapter 20 Certificates
The following table describes the fields in this screen.
Table 93 Security > Certificates > Trusted CA
LABEL
DESCRIPTION
Import
Certificate Click this button to open a screen where you can save the certificate of a certification
authority that you trust to the VMG.
#
This is the index number of the entry.
Name
This field displays the name used to identify this certificate.
Subject
This field displays information that identifies the owner of the certificate, such as Common
Name (CN), OU (Organizational Unit or department), Organization (O), State (ST) and
Country (C). It is recommended that each certificate have unique subject information.
Type
This field displays general information about the certificate. ca means that a Certification
Authority signed the certificate.
Modify
Click the View icon to open a screen with an in-depth list of information about the
certificate (or certification request).
Click the Remove button to delete the certificate (or certification request). You cannot
delete a certificate that one or more features is configured to use.
20.4.1 View Trusted CA
Certificate
Click the View icon in the Trusted CA screen to open the following screen. Use this screen to view
in-depth information about the certification authority’s certificate.
Figure 127 Trusted CA: View
VMG1312-B10D User’s Guide
209
Chapter 20 Certificates
The following table describes the fields in this screen.
Table 94 Trusted CA: View
LABEL
DESCRIPTION
Name
This field displays the identifying name of this certificate.
This read-only text box displays the certificate in Privacy Enhanced Mail (PEM) format. PEM
uses base 64 to convert the binary certificate into a printable form.
You can copy and paste the certificate into an e-mail to send to friends or colleagues or you
can copy and paste the certificate into a text editor and save the file on a management
computer for later distribution (via floppy disk for example).
Back
Click
Back
to return to the previous screen.
20.4.2 Import Trusted CA Certificate
Click the Import Certificate button in the Trusted CA screen to open the following screen. The
VMG trusts any valid certificate signed by any of the imported trusted CA certificates.
Figure 128 Trusted CA: Import Certificate
The following table describes the fields in this screen.
Table 95 Trusted CA: Import Certificate
LABEL
DESCRIPTION
Certificate File
Path Type in the location of the certificate you want to upload in this field or click Choose File to
find it.
Apply
Click Apply to save your changes.
Cancel
Click Cancel to exit this screen without saving.
VMG1312-B10D User’s Guide
210
21
Log
21.1 Overview
The web configurator allows you to choose which categories of events and/or alerts to have the
VMG log and then display the logs or have the VMG send them to an administrator (as e-mail) or to
a syslog server.
21.1.1 What You Can Do in this Chapter
Use the System Log screen to see the system logs (Section 21.2 on page 212).
Use the Security Log screen to see the security-related logs for the categories that you select
(Section 21.3 on page 212).
21.1.2 What You Need To Know
The following terms and concepts may help as you read this chapter.
Alerts and Logs
An alert is a type of log that warrants more serious attention. They include system errors, attacks
(access control) and attempted access to blocked web sites. Some categories such as System
Errors consist of both logs and alerts. You may differentiate them by their color in the View Log
screen. Alerts display in red and logs display in black.
Syslog Overview
The syslog protocol allows devices to send event notification messages across an IP network to
syslog servers that collect the event messages. A syslog-enabled device can generate a syslog
message and send it to a syslog server.
Syslog is defined in RFC 3164. The RFC defines the packet format, content and system log related
information of syslog messages. Each syslog message has a facility and severity level. The syslog
facility identifies a file in the syslog server. Refer to the documentation of your syslog program for
details. The following table describes the syslog severity levels.
Table 96 Syslog Severity Levels
CODE
SEVERITY
0
Emergency: The system is unusable.
1
Alert: Action must be taken immediately.
2
Critical: The system condition is critical.
3
Error: There is an error condition on the system.
4
Warning: There is a warning condition on the system.
VMG1312-B10D User’s Guide
211
Chapter 21 Log
Table 96 Syslog Severity Levels
CODE
SEVERITY
5
Notice: There is a normal but significant condition on the system.
6
Informational: The syslog contains an informational message.
7
Debug: The message is intended for debug-level purposes.
21.2 The System Log Screen
Use the System Log screen to see the system logs. Click System Monitor > Log to open the
System Log screen.
Figure 129 System Monitor > Log > System Log
The following table describes the fields in this screen.
Table 97 System Monitor > Log > System Log
LABEL
DESCRIPTION
Level
Select a severity level from the drop-down list box. This filters search results according to
the severity level you have selected. When you select a severity, the VMG searches through
all logs of that severity or higher.
Category
Select the type of logs to display.
Clear Log
Click this to delete all the logs.
Refresh
Click this to renew the log screen.
Export Log
Click this to export the selected log(s).
Email Log Now
Click this to send the log file(s) to the E-mail address you specify in the Maintenance >
Logs Setting screen.
System Log
#
This field is a sequential value and is not associated with a specific entry.
Time
This field displays the time the log was recorded.
Facility
The log facility allows you to send logs to different files in the syslog server. Refer to the
documentation of your syslog program for more details.
Level
This field displays the severity level of the log that the device is to send to this syslog
server.
Category
This field displays the type of the log.
Messages
This field states the reason for the log.
21.3 The Security Log Screen
Use the Security Log screen to see the security-related logs for the categories that you select.
Click System Monitor > Log > Security Log to open the following screen.
VMG1312-B10D User’s Guide
212
Chapter 21 Log
Figure 130 System Monitor > Log > Security Log
The following table describes the fields in this screen.
Table 98 System Monitor > Log > Security Log
LABEL
DESCRIPTION
Level
Select a severity level from the drop-down list box. This filters search results according to
the severity level you have selected. When you select a severity, the VMG searches through
all logs of that severity or higher.
Category
Select the type of logs to display.
Clear Log
Click this to delete all the logs.
Refresh
Click this to renew the log screen.
Export Log
Click this to export the selected log(s).
Email Log Now
Click this to send the log file(s) to the E-mail address you specify in the Maintenance >
Logs Setting screen.
#
This field is a sequential value and is not associated with a specific entry.
Time
This field displays the time the log was recorded.
Facility
The log facility allows you to send logs to different files in the syslog server. Refer to the
documentation of your syslog program for more details.
Level
This field displays the severity level of the log that the device is to send to this syslog server.
Category
This field displays the type of the log.
Messages
This field states the reason for the log.
VMG1312-B10D User’s Guide
213
22
Traffic Status
22.1 Overview
Use the Traffic Status screens to look at network traffic status and statistics of the WAN, LAN
interfaces and NAT.
22.1.1 What You Can Do in this Chapter
Use the WAN screen to view the WAN traffic statistics (Section 22.2 on page 214).
Use the LAN screen to view the LAN traffic statistics (Section 22.3 on page 215).
Use the NAT screen to view the NAT status of the VMGs client(s) (Section 22.4 on page 216)
22.2 The WAN Status Screen
Click System Monitor > Traffic Status to open the WAN screen. The figure in this screen shows
the number of bytes received and sent on the VMG.
Figure 131 System Monitor > Traffic Status > WAN
VMG1312-B10D User’s Guide
214
Chapter 22 Traffic Status
The following table describes the fields in this screen.
Table 99 System Monitor > Traffic Status > WAN
LABEL
DESCRIPTION
Refresh
Interval Select how often you want the VMG to update this screen.
Connected
Interface This shows the name of the WAN interface that is currently connected.
Packets Sent
Data
This indicates the number of transmitted packets on this interface.
Error
This indicates the number of frames with errors transmitted on this interface.
Drop
This indicates the number of outgoing packets dropped on this interface.
Packets Received
Data
This indicates the number of received packets on this interface.
Error
This indicates the number of frames with errors received on this interface.
Drop
This indicates the number of received packets dropped on this interface.
Disabled
Interface This shows the name of the WAN interface that is currently disconnected.
Packets Sent
Data
This indicates the number of transmitted packets on this interface.
Error
This indicates the number of frames with errors transmitted on this interface.
Drop
This indicates the number of outgoing packets dropped on this interface.
Packets Received
Data
This indicates the number of received packets on this interface.
Error
This indicates the number of frames with errors received on this interface.
Drop
This indicates the number of received packets dropped on this interface.
22.3 The LAN Status Screen
Click System Monitor > Traffic Status > LAN to open the following screen. The figure in this
screen shows the interface that is currently connected on the VMG.
Figure 132 System Monitor > Traffic Status > LAN
VMG1312-B10D User’s Guide
215
Chapter 22 Traffic Status
The following table describes the fields in this screen.
Table 100 System Monitor > Traffic Status > LAN
LABEL
DESCRIPTION
Refresh Interval
Select how often you want the VMG to update this screen.
Interface
This shows the LAN or WLAN interface.
Bytes Sent
This indicates the number of bytes transmitted on this interface.
Bytes Received
This indicates the number of bytes received on this interface.
Interface
This shows the LAN or WLAN interfaces.
Sent (Packets)
Data
This indicates the number of transmitted packets on this interface.
Error
This indicates the number of frames with errors transmitted on this interface.
Drop
This indicates the number of outgoing packets dropped on this interface.
Received (Packets)
Data
This indicates the number of received packets on this interface.
Error
This indicates the number of frames with errors received on this interface.
Drop
This indicates the number of received packets dropped on this interface.
22.4 The NAT Status Screen
Click System Monitor > Traffic Status > NAT to open the following screen. The figure in this
screen shows the NAT session statistics for hosts currently connected on the VMG.
Figure 133 System Monitor > Traffic Status > NAT
The following table describes the fields in this screen.
Table 101 System Monitor > Traffic Status > NAT
LABEL
DESCRIPTION
Refresh Interval
Select how often you want the VMG to update this screen.
Device Name
This displays the name of the connected host.
IP Address
This displays the IP address of the connected host.
MAC Address
This displays the MAC address of the connected host.
No. of Open
Sessions This displays the number of NAT sessions currently opened for the connected host.
Total
This displays what percentage of NAT sessions the VMG can support is currently being used
by all connected hosts. You can also see the number of active NAT sessions and the
maximum number of NAT sessions the VMG can support.
VMG1312-B10D User’s Guide
216
23
ARP Table
23.1 Overview
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP
address) to a physical machine address, also known as a Media Access Control or MAC address, on
the local area network.
An IP (version 4) address is 32 bits long. In an Ethernet LAN, MAC addresses are 48 bits long. The
ARP Table maintains an association between each MAC address and its corresponding IP address.
23.1.1 How ARP Works
When an incoming packet destined for a host device on a local area network arrives at the device,
the device's ARP program looks in the ARP Table and, if it finds the address, sends it to the device.
If no entry is found for the IP address, ARP broadcasts the request to all the devices on the LAN.
The device fills in its own MAC and IP address in the sender address fields, and puts the known IP
address of the target in the target IP address field. In addition, the device puts all ones in the target
MAC field (FF.FF.FF.FF.FF.FF is the Ethernet broadcast address). The replying device (which is either
the IP address of the device being sought or the router that knows the way) replaces the broadcast
address with the target's MAC address, swaps the sender and target pairs, and unicasts the answer
directly back to the requesting machine. ARP updates the ARP Table for future reference and then
sends the packet to the MAC address that replied.
VMG1312-B10D User’s Guide
217
Chapter 23 ARP Table
23.2 ARP Table Screen
Use the ARP table to view IP-to-MAC address mapping(s). To open this screen, click System
Monitor > ARP Table.
Figure 134 System Monitor > ARP Table
The following table describes the labels in this screen.
Table 102 System Monitor > ARP Table
LABEL
DESCRIPTION
#
This is the ARP table entry number.
IPv4/IPv6
Address This is the learned IPv4 or IPv6 IP address of a device connected to a port.
MAC Address
This is the MAC address of the device with the listed IP address.
Device
This is the type of interface used by the device.
VMG1312-B10D User’s Guide
218
24
Routing Table
24.1 Overview
Routing is based on the destination address only and the VMG takes the shortest path to forward a
packet.
24.2 The Routing Table Screen
Click System Monitor > Routing Table to open the following screen.
Figure 135 System Monitor > Routing Table
The following table describes the labels in this screen.
Table 103 System Monitor > Routing Table
LABEL
DESCRIPTION
IPv4/IPv6 Routing Table
Destination
This indicates the destination IPv4 address or IPv6 address and prefix of this route.
Gateway
This indicates the IPv4 address or IPv6 address of the gateway that helps forward this
route’s traffic.
Subnet Mask
This indicates the destination subnet mask of the IPv4 route.
VMG1312-B10D User’s Guide
219
Chapter 24 Routing Table
Table 103 System Monitor > Routing Table (continued)
LABEL
DESCRIPTION
Flag
This indicates the route status.
U-Up: The route is up.
!-Reject: The route is blocked and will force a route lookup to fail.
G-Gateway: The route uses a gateway to forward traffic.
H-Host: The target of the route is a host.
R-Reinstate: The route is reinstated for dynamic routing.
D-Dynamic (redirect): The route is dynamically installed by a routing daemon or redirect.
M-Modified (redirect): The route is modified from a routing daemon or redirect.
Metric
The metric represents the "cost of transmission". A router determines the best route for
transmission by choosing a path with the lowest "cost". The smaller the number, the lower
the "cost".
Interface
This indicates the name of the interface through which the route is forwarded.
brx indicates a LAN interface where x can be 0~3 to represent LAN1 to LAN4 respectively.
ptm0 indicates a DSL WAN interface using IPoE, IPoA or in bridge mode.
ethx indicates an Ethernet WAN interface using IPoE or in bridge mode.
ppp0 indicates a WAN interface using PPPoE or PPPoA.
VMG1312-B10D User’s Guide
220
25
Multicast Status
25.1 Overview
Use the Multicast Status screens to look at IGMP/MLD group status and traffic statistics.
25.2 The IGMP Status Screen
Use this screen to look at the current list of multicast groups the VMG has joined and which ports
have joined it. To open this screen, click System Monitor > Multicast Status > IGMP Status.
Figure 136 System Monitor > Multicast Status > IGMP Status
The following table describes the labels in this screen.
Table 104 System Monitor > Multicast Status > IGMP Status
LABEL
DESCRIPTION
Refresh
Click this button to update the information on this screen.
Interface
This field displays the name of an interface on the VMG that belongs to an IGMP multicast
group.
Multicast Group
This field displays the name of the IGMP multicast group to which the interface belongs.
Filter Mode
INCLUDE means that only the IP addresses in the Source List get to receive the multicast
group’s traffic.
EXCLUDE means that the IP addresses in the Source List are not allowed to receive the
multicast group’s traffic but other IP addresses can.
Source List
This is the list of IP addresses that are allowed or not allowed to receive the multicast
group’s traffic depending on the filter mode.
Member
This is the list of the members of the multicast group.
25.3 The MLD Status Screen
Use this screen to look at the current list of multicast groups the VMG has joined and which ports
have joined it. To open this screen, click System Monitor > Multicast Status > MLD Status.
VMG1312-B10D User’s Guide
221
Chapter 25 Multicast Status
Figure 137 System Monitor > Multicast Status > MLD Status
The following table describes the labels in this screen.
Table 105 System Monitor > Multicast Status > MLD Status
LABEL
DESCRIPTION
Refresh
Click this button to update the status on this screen.
Interface
This field displays the name of an interface on the VMG that belongs to an MLD multicast
group.
Multicast Group
This field displays the name of the MLD multicast group to which the interface belongs.
Filter Mode
INCLUDE means that only the IP addresses in the Source List get to receive the multicast
group’s traffic.
EXCLUDE means that the IP addresses in the Source List are not allowed to receive the
multicast group’s traffic but other IP addresses can.
Source List
This is the list of IP addresses that are allowed or not allowed to receive the multicast
group’s traffic depending on the filter mode.
Member
This is the list of members in the multicast group.
VMG1312-B10D User’s Guide
222
26
xDSL Statistics
26.1 The xDSL Statistics Screen
Use this screen to view detailed DSL statistics. Click System Monitor > xDSL Statistics to open
the following screen.
Figure 138 System Monitor > xDSL Statistics
The following table describes the labels in this screen.
Table 106 Status > xDSL Statistics
LABEL
DESCRIPTION
Refresh Interval
Select the time interval for refreshing statistics.
Line
Select which DSL lines statistics you want to display.
xDSL Training
Status This displays the current state of setting up the DSL connection.
Mode
This displays the ITU standard used for this connection.
Traffic Type
This displays the type of traffic the DSL port is sending and receiving. Inactive displays if
the DSL port is not currently sending or receiving traffic.
Link Uptime
This displays how long the port has been running (or connected) since the last time it was
started.
VMG1312-B10D User’s Guide
223
Chapter 26 xDSL Statistics
Table 106 Status > xDSL Statistics (continued)
LABEL
DESCRIPTION
xDSL Port Details
Upstream
These are the statistics for the traffic direction going out from the port to the service
provider.
Downstream
These are the statistics for the traffic direction coming into the port from the service
provider.
Line Rate
These are the data transfer rates at which the port is sending and receiving data.
Actual Net Data
Rate
These are the rates at which the port is sending and receiving the payload data without
transport layer protocol headers and traffic.
Trellis Coding
This displays whether or not the port is using Trellis coding for traffic it is sending and
receiving. Trellis coding helps to reduce the noise in ADSL transmissions. Trellis may reduce
throughput but it makes the connection more stable.
SNR Margin
This is the upstream and downstream Signal-to-Noise Ratio margin (in dB). A DMT sub-
carrier’s SNR is the ratio between the received signal power and the received noise power.
The signal-to-noise ratio margin is the maximum that the received noise power could
increase with the system still being able to meet its transmission targets.
Actual Delay
This is the upstream and downstream interleave delay. It is the wait (in milliseconds) that
determines the size of a single block of data to be interleaved (assembled) and then
transmitted. Interleave delay is used when transmission error correction (Reed- Solomon)
is necessary due to a less than ideal telephone line. The bigger the delay, the bigger the
data block size, allowing better error correction to be performed.
Transmit Power
This is the upstream and downstream far end actual aggregate transmit power (in dBm).
Upstream is how much power the port is using to transmit to the service provider.
Downstream is how much port the service provider is using to transmit to the port.
Receive Power
Upstream is how much power the service provider is receiving from the port. Downstream
is how much power the port is receiving from the service provider.
Actual INP
Sudden spikes in the lines level of external noise (impulse noise) can cause errors and
result in lost packets. This could especially impact the quality of multimedia traffic such as
voice or video. Impulse noise protection (INP) provides a buffer to allow for correction of
errors caused by error correction to deal with this. The number of DMT (Discrete Multi-
Tone) symbols shows the level of impulse noise protection for the upstream and
downstream traffic. A higher symbol value provides higher error correction capability, but it
causes overhead and higher delay which may increase error rates in received multimedia
data.
Total Attenuation
This is the upstream and downstream line attenuation, measured in decibels (dB). This
attenuation is the difference between the power transmitted at the near-end and the power
received at the far-end. Attenuation is affected by the channel characteristics (wire gauge,
quality, condition and length of the physical line).
Attainable Net
Data Rate
These are the highest theoretically possible transfer rates at which the port could send and
receive payload data without transport layer protocol headers and traffic.
xDSL Counters
Downstream
These are the statistics for the traffic direction coming into the port from the service
provider.
Upstream
These are the statistics for the traffic direction going out from the port to the service
provider.
FEC
This is the number of Far End Corrected blocks.
CRC
This is the number of Cyclic Redundancy Checks.
ES
This is the number of Errored Seconds meaning the number of seconds containing at least
one errored block or at least one defect.
SES
This is the number of Severely Errored Seconds meaning the number of seconds containing
30% or more errored blocks or at least one defect. This is a subset of ES.
VMG1312-B10D User’s Guide
224
Chapter 26 xDSL Statistics
Table 106 Status > xDSL Statistics (continued)
LABEL
DESCRIPTION
UAS
This is the number of UnAvailable Seconds.
LOS
This is the number of Loss Of Signal seconds.
LOF
This is the number of Loss Of Frame seconds.
LOM
This is the number of Loss of Margin seconds.
VMG1312-B10D User’s Guide
225
27
3G Statistics
27.1 Overview
Use the 3G Statistics screens to look at 3G Internet connection status.
27.2 The 3G Statistics Screen
To open this screen, click System Monitor > 3G Statistics. The 3G status is available on this
screen only when you insert a compatible 3G dongle in a USB port on the VMG.
Figure 139 System Monitor > 3G Statistics
The following table describes the labels in this screen.
Table 107 System Monitor > 3G Statistics
LABEL
DESCRIPTION
Refresh
Interval Select how often you want the VMG to update this screen. Select
No Refresh
to stop
refreshing.
3G Status
This field displays the status of the 3G Internet connection. This field can display:
GSM - Global System for Mobile Communications, 2G
GPRS - General Packet Radio Service, 2.5G
EDGE - Enhanced Data rates for GSM Evolution, 2.75G
WCDMA - Wideband Code Division Multiple Access, 3G
HSDPA - High-Speed Downlink Packet Access, 3.5G
HSUPA - High-Speed Uplink Packet Access, 3.75G
HSPA - HSDPA+HSUPA, 3.75G
VMG1312-B10D User’s Guide
226
Chapter 27 3G Statistics
Table 107 System Monitor > 3G Statistics (continued)
LABEL
DESCRIPTION
Service
Provider
This field displays the name of the service provider.
Signal Strength
This field displays the strength of the signal in dBm.
Connection
Uptime This field displays the time the connection has been up.
3G Card
Manufacturer This field displays the manufacturer of the 3G card.
3G Card Model
This field displays the model name of the 3G card.
3G Card F/W
Version This field displays the firmware version of the 3G card.
SIM Card IMSI
The International Mobile Subscriber Identity or IMSI is a unique identification number
associated with all cellular networks. This number is provisioned in the SIM card.
VID/PID
This field displays the USB Vendor ID and Product ID of the 3G card.
VMG1312-B10D User’s Guide
227
28
System
28.1 Overview
In the System screen, you can name your VMG (Host) and give it an associated domain name for
identification purposes.
28.2 The System Screen
Click Maintenance > System to open the following screen.
Figure 140 Maintenance > System
The following table describes the labels in this screen.
Table 108 Maintenance > System
LABEL
DESCRIPTION
Host Name
Type a hostname for your VMG. Enter a descriptive name of up to 16 alphanumeric
characters, not including spaces, underscores, and dashes.
Domain Name
Type a Domain name for your host VMG.
Apply
Click Apply to save your changes.
Cancel
Click Cancel to abandon this screen without saving.
VMG1312-B10D User’s Guide
228
29
User Account
29.1 Overview
In the User Account screen, you can view the settings of the “admin” and other user accounts
that you used to log in the VMG.
29.2 The User Account Screen
Click Maintenance > User Account to open the following screen.
Figure 141 Maintenance > User Account
The following table describes the labels in this screen.
Table 109 Maintenance > User Account
LABEL
DESCRIPTION
Add New
Account
Click this button to add a new user account.
#
This is the index number
User Name
This field displays the name of the account used to log into the VMG web configurator.
Retry Times
This field displays the number of times consecutive wrong passwords can be entered for this
account. 0 means there is no limit.
Idle Timeout
This field displays the the length of inactive time before the VMG will automatically log the
user out of the web configurator.
Lock Period
This field displays the length of time a user must wait before attempting to log in again after
a number if consecutive wrong passwords have been entered as defined in Retry Times.
Group
This field displays whether this user has Administrator or User privleges.
Modify
Click the Edit icon to configure the entry.
Click the Delete icon to remove the entry.
29.2.1 The User Account Add and Edit Screens
Click Add New Account or the Edit icon of an existing account in the Maintenance > User
Account to open the following screen.
VMG1312-B10D User’s Guide
229
Chapter 29 User Account
Figure 142 Maintenance > User Account > Add/Edit
The following table describes the labels in this screen.
Table 110 Maintenance > User Account > Add/Edit
LABEL
DESCRIPTION
User Name
Enter a new name for the account. This field displays the name of an existing account.
Old Password
Type the default password or the existing password used to access the VMG web
configurator.
Password/New
Password Type a new password (up to 256 characters) for this account. Note that as you type a
password, the screen displays a (*) for each character you type. After you change the
password, use the new password to access the VMG.
Verify
Password/
Verify New
Password
Type the new password again for confirmation.
Retry Times
Enter the number of times consecutive wrong passwords can be entered for this account. 0
means there is no limit.
Idle Timeout
Enter the length of inactive time before the VMG will automatically log the user out of the
web configurator.
Lock Period
Enter the length of time a user must wait before attempting to log in again after a number if
consecutive wrong passwords have been entered as defined in Retry Times.
Group
Specify whether this user will have Administrator or User privleges.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving.
VMG1312-B10D User’s Guide
230
30
Remote Management
30.1 Overview
Remote management controls through which interface(s), which services can access the VMG.
Note: The VMG is managed using the Web Configurator.
30.2 The Remote MGMT Screen
Use this screen to configure through which interface(s), which services can access the VMG. You
can also specify the port numbers the services must use to connect to the VMG. Click Maintenance
> Remote MGMT to open the following screen.
Figure 143 Maintenance > Remote MGMT
The following table describes the fields in this screen.
Table 111 Maintenance > Remote MGMT
LABEL
DESCRIPTION
WAN Interface
used for
services
Select Any_WAN to have the VMG automatically activate the remote management service
when any WAN connection is up.
Select Multi_WAN and then select one or more WAN connections to have the VMG activate
the remote management service when the selected WAN connections are up.
service
This is the service you may use to access the VMG.
VMG1312-B10D User’s Guide
231
Chapter 30 Remote Management
Table 111 Maintenance > Remote MGMT (continued)
LABEL
DESCRIPTION
LAN/WLAN
Select the Enable check box for the corresponding services that you want to allow access to
the VMG from the LAN/WLAN.
WAN
Select the Enable check box for the corresponding services that you want to allow access to
the VMG from all WAN connections.
Trust Domain
Select the Enable check box for the corresponding services that you want to allow access to
the VMG from the trusted hosts configured in the Maintenance > Remote MGMT > Trust
Domain screen.
If you only want certain WAN connections to have access to the VMG using the
corresponding services, then clear WAN, select Trust Domain and configure the allowed IP
address(es) in the Trust Domain screen.
Port
You may change the server port number for a service if needed, however you must use the
same port number in order to use that service for remote management.
Apply
Click Apply to save your changes back to the VMG.
Cancel
Click Cancel to restore your previously saved settings.
30.3 The Trust Domain Screen
Use this screen to view a list of public IP addresses which are allowed to access the VMG through
the services configured in the Maintenance > Remote MGMT screen. Click Maintenance >
Remote MGMT > Turst Domain to open the following screen.
Note: If this list is empty, all public IP addresses can access the VMG from the WAN
through the specified services.
Figure 144 Maintenance > Remote MGMT > Trust Domain
The following table describes the fields in this screen.
Table 112 Maintenance > Remote MGMT > Trust Domain
LABEL
DESCRIPTION
Add Trust
Domain
Click this to add a trusted host IP address.
IP Address
This field shows a trusted host IP address.
Delete
Click the Delete icon to remove the trust IP address.
30.3.1 The Add Trust Domain Screen
Use this screen to configure a public IP address which is allowed to access the VMG. Click the Add
Trust Domain button in the Maintenance > Remote MGMT > Turst Domain screen to open the
following screen.
VMG1312-B10D User’s Guide
232
Chapter 30 Remote Management
Figure 145 Maintenance > Remote MGMT > Trust Domain > Add Trust Domain
The following table describes the fields in this screen.
Table 113 Maintenance > Remote MGMT > Trust Domain > Add Trust Domain
LABEL
DESCRIPTION
IP Address
Enter a public IPv4 IP address which is allowed to access the service on the VMG from the
WAN.
OK
Click OK to save your changes back to the VMG.
Cancel
Click Cancel to exit this screen without saving.
VMG1312-B10D User’s Guide
233
31
SNMP
31.1 Overview
This chapter explains how to configure the SNMP settings on the VMG.
31.2 The SNMP Screen
Simple Network Management Protocol is a protocol used for exchanging management information
between network devices. Your VMG supports SNMP agent functionality, which allows a manager
station to manage and monitor the VMG through the network. The VMG supports SNMP version one
(SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation.
Figure 146 SNMP Management Model
An SNMP managed network consists of two main types of component: agents and a manager.
An agent is a management software module that resides in a managed device (the VMG). An agent
translates the local management information from the managed device into a form compatible with
SNMP. The manager is the console through which network administrators perform network
management functions. It executes applications that control and monitor managed devices.
The managed devices contain object variables/managed objects that define each piece of
information to be collected about a device. Examples of variables include such as number of
packets received, node port status etc. A Management Information Base (MIB) is a collection of
managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing
these objects.
VMG1312-B10D User’s Guide
234
Chapter 31 SNMP
SNMP itself is a simple request/response protocol based on the manager/agent model. The
manager issues a request and the agent returns responses using the following protocol operations:
Get - Allows the manager to retrieve an object variable from the agent.
GetNext - Allows the manager to retrieve the next object variable from a table or list within an
agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it
initiates a Get operation, followed by a series of GetNext operations.
Set - Allows the manager to set values for object variables within an agent.
Trap - Used by the agent to inform the manager of some events.
Click Maintenance > SNMP to open the following screen. Use this screen to configure the VMG
SNMP settings.
Figure 147 Maintenance > SNMP
The following table describes the fields in this screen.
Table 114 Maintenance > SNMP
LABEL
DESCRIPTION
SNMP Agent
Select Enable to let the VMG act as an SNMP agent, which allows a manager station to
manage and monitor the VMG through the network. Select Disable to turn this feature
off.
Get Community
Enter the Get Community, which is the password for the incoming Get and GetNext
requests from the management station.
Set Community
Enter the Set community, which is the password for incoming Set requests from the
management station.
Trap Community
Enter the Trap Community, which is the password sent with each trap to the SNMP
manager. The default is public and allows all requests.
System Name
Enter the SNMP system name.
System Location
Enter the SNMP system location.
System Contact
Enter the SNMP system contact.
Trap Destination
Type the IP address of the station to send your SNMP traps to.
Apply
Click this to save your changes back to the VMG.
Cancel
Click this to restore your previously saved settings.
VMG1312-B10D User’s Guide
235
32
Time Settings
32.1 Overview
This chapter shows you how to configure system related settings, such as system time, password,
name, the domain name and the inactivity timeout interval.
32.2 The Time Screen
To change your VMG’s time and date, click Maintenance > Time. The screen appears as shown.
Use this screen to configure the VMGs time based on your local time zone.
Figure 148 Maintenance > Time
VMG1312-B10D User’s Guide
236
Chapter 32 Time Settings
The following table describes the fields in this screen.
Table 115 Maintenance > Time
LABEL
DESCRIPTION
Current Date/Time
Current Time
This field displays the time of your VMG.
Each time you reload this page, the VMG synchronizes the time with the time server.
Current Date
This field displays the date of your VMG.
Each time you reload this page, the VMG synchronizes the date with the time server.
Time and Date Setup
First ~ Fifth Time
Server Address Select an NTP time server from the drop-down list box.
Otherwise, select Other and enter the IP address or URL (up to 29 extended ASCII
characters in length) of your time server.
Select None if you don’t want to configure the time server.
Check with your ISP/network administrator if you are unsure of this information.
Time Zone
Time zone
Choose the time zone of your location. This will set the time difference between your time
zone and Greenwich Mean Time (GMT).
Daylight Savings
Daylight Saving Time is a period from late spring to early fall when many countries set
their clocks ahead of normal local time by one hour to give more daytime light in the
evening.
Active
Select
Enable
if you use Daylight Saving Time.
Start Rule
Configure the day and time when Daylight Saving Time starts if you enabled Daylight
Saving. You can select a specific date in a particular month or a specific day of a specific
week in a particular month. The Hour field uses the 24 hour format. Here are a couple of
examples:
Daylight Saving Time starts in most parts of the United States on the second Sunday of
March. Each time zone in the United States starts using Daylight Saving Time at 2 A.M.
local time. So in the United States, set the day to Second, Sunday, the month to March
and the time to 2 in the Hour field.
Daylight Saving Time starts in the European Union on the last Sunday of March. All of the
time zones in the European Union start using Daylight Saving Time at the same moment
(1 A.M. GMT or UTC). So in the European Union you would set the day to Last, Sunday
and the month to March. The time you select depends on your time zone. In Germany
for instance, you would select 2 in the Hour field because Germany's time zone is one
hour ahead of GMT or UTC (GMT+1).
End Rule
Configure the day and time when Daylight Saving Time ends if you enabled Daylight
Saving. You can select a specific date in a particular month or a specific day of a specific
week in a particular month. The Time field uses the 24 hour format. Here are a couple of
examples:
Daylight Saving Time ends in the United States on the first Sunday of November. Each
time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So
in the United States you would set the day to First, Sunday, the month to November
and the time to 2 in the Time field.
Daylight Saving Time ends in the European Union on the last Sunday of October. All of the
time zones in the European Union stop using Daylight Saving Time at the same moment
(1 A.M. GMT or UTC). So in the European Union you would set the day to Last, Sunday,
and the month to October. The time you select depends on your time zone. In Germany
for instance, you would select 2 in the Time field because Germany's time zone is one
hour ahead of GMT or UTC (GMT+1).
VMG1312-B10D User’s Guide
237
Chapter 32 Time Settings
Table 115 Maintenance > Time (continued)
LABEL
DESCRIPTION
Apply
Click
Apply
to save your changes.
Cancel
Click
Cancel
to return to the previous configuration.
VMG1312-B10D User’s Guide
238
33
E-mail Notification
33.1 Overview
A mail server is an application or a computer that runs such an application to receive, forward and
deliver e-mail messages.
To have the VMG send reports, logs or notifications via e-mail, you must specify an e-mail server
and the e-mail addresses of the sender and receiver.
33.2 The E-mail Notification Screen
Click Maintenance > E-mail Notification to open the E-mail Notification screen. Use this
screen to view, remove and add mail server information on the VMG.
Figure 149 Maintenance > E-mail Notification
The following table describes the labels in this screen.
Table 116 Maintenance > E-mail Notification
LABEL
DESCRIPTION
Add New Email
Click this button to create a new entry.
Mail Server
Address This field displays the server name or the IP address of the mail server.
Username
This field displays the user name of the sender’s mail account.
Port
This field displays the port number of the mail server.
Security
This field displays the protocol used for encryption.
Email Address
This field displays the e-mail address that you want to be in the from/sender line of the e-
mail that the VMG sends.
Remove
Click this button to delete the selected entry(ies).
33.2.1 E-mail Notification Edit
Click the Add button in the E-mail Notification screen. Use this screen to configure the required
information for sending e-mail via a mail server.
VMG1312-B10D User’s Guide
239
Chapter 33 E-mail Notification
Figure 150 E-mail Notification > Add
The following table describes the labels in this screen.
Table 117 E-mail Notification > Add
LABEL
DESCRIPTION
Mail Server
Address Enter the server name or the IP address of the mail server for the e-mail address specified
in the Account E-mail Address field.
If this field is left blank, reports, logs or notifications will not be sent via e-mail.
Port
Enter the same port number here as is on the mail server for mail traffic.
Authentication
Username Enter the user name (up to 32 characters). This is usually the user name of a mail account
you specified in the Account E-mail Address field.
Authentication
Password Enter the password associated with the user name above.
Account E-mail
Address
Enter the e-mail address that you want to be in the from/sender line of the e-mail
notification that the VMG sends.
If you activate SSL/TLS authentication, the e-mail address must be able to be authenticated
by the mail server as well.
Connection
Security Select
SSL
to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) if you want
encrypted communications between the mail server and the VMG.
Select STARTTLS to upgrade a plain text connection to a secure connection using SSL/TLS.
OK
Click this button to save your changes and return to the previous screen.
Cancel
Click this button to exit this screen without saving.
VMG1312-B10D User’s Guide
240
34
Logs Setting
34.1 Overview
You can configure where the VMG sends logs and which logs and/or immediate alerts the VMG
records in the Logs Setting screen.
34.2 The Logs Setting Screen
To change your VMG’s log settings, click Maintenance > Logs Setting. The screen appears as
shown.
Figure 151 Maintenance > Logs Setting
VMG1312-B10D User’s Guide
241
Chapter 34 Logs Setting
The following table describes the fields in this screen.
Table 118 Maintenance > Logs Setting
LABEL
DESCRIPTION
Syslog Setting
The VMG sends a log to an external syslog server. Select Enable to enable syslog logging.
Select the syslog destination from the drop-down list box.
If you select Remote, the log(s) will be sent to a remote syslog server. If you select Local
File, the log(s) will be saved in a local file. If you want to send the log(s) to a remote syslog
server and save it in a local file, select Local File and Remote.
Enter the server name or IP address of the syslog server that will log the selected categories
of logs.
Enter the port number used by the syslog server.
E-mail Log Settings
Settings
Select Enable to have the VMG send logs and alarm messages to the configured e-mail
addresses.
Account
This section is available only when you select Enable in the E-mail Log Settings field.
Select a mail account from which you want to send logs. You can configure mail accounts in
the Maintenance > E-mail Notification screen.
Mail Subject
Type a title that you want to be in the subject line of the system log e-mail message that
the VMG sends.
Log Mail
Subject
Type a title that you want to be in the subject line of the security log e-mail message that
the VMG sends.
The VMG sends logs to the e-mail address specified in this field. If this field is left blank, the
VMG does not send logs via E-mail.
to
Alerts are real-time notifications that are sent as soon as an event, such as a DoS attack,
system error, or forbidden web access attempt occurs. Enter the E-mail address where the
alert messages will be sent. Alerts include system errors, attacks and attempted access to
blocked web sites. If this field is left blank, alert messages will not be sent via E-mail.
Interval
Specify how often the alarm should be updated.
Active Log
Select the categories of system logs that you want to record.
Select the categories of security logs that you want to record.
Click Apply to save your changes.
Click Cancel to restore your previously saved settings.
34.2.1 Example E-mail Log
An "End of Log" message displays for each mail in which a complete log has been sent. The
following is an example of a log sent by e-mail.
You may edit the subject title.
The date format here is Day-Month-Year.
The date format here is Month-Day-Year. The time format is Hour-Minute-Second.
"End of Log" message shows that a complete log has been sent.
VMG1312-B10D User’s Guide
242
Chapter 34 Logs Setting
Figure 152 E-mail Log Example
Subject:
Date:
From:
To:
Firewall Alert From
Fri, 07 Apr 2000 10:05:42
user@zyxel.com
user@zyxel.com
1|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |default policy |forward
| 09:54:03 |UDP src port:00520 dest port:00520 |<1,00> |
2|Apr 7 00 |From:192.168.1.131 To:192.168.1.255 |default policy |forward
| 09:54:17 |UDP src port:00520 dest port:00520 |<1,00> |
3|Apr 7 00 |From:192.168.1.6 To:10.10.10.10 |match |forward
| 09:54:19 |UDP src port:03516 dest port:00053 |<1,01> |
……………………………..{snip}…………………………………..
……………………………..{snip}…………………………………..
126|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |match |forward
| 10:05:00 |UDP src port:00520 dest port:00520 |<1,02> |
127|Apr 7 00 |From:192.168.1.131 To:192.168.1.255 |match |forward
| 10:05:17 |UDP src port:00520 dest port:00520 |<1,02> |
128|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |match |forward
| 10:05:30 |UDP src port:00520 dest port:00520 |<1,02> |
End of Firewall Log
VMG1312-B10D User’s Guide
243
35
Firmware Upgrade
35.1 Overview
This chapter explains how to upload new firmware to your VMG. You can download new firmware
releases from your nearest ZyXEL FTP site (or www.zyxel.com) to use to upgrade your devices
performance.
Only use firmware for your devices specific model. Refer to the label on
the bottom of your VMG.
35.2 The Firmware Screen
Click Maintenance > Firmware Upgrade to open the following screen. The upload process uses
HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the
system will reboot.
Do NOT turn off the VMG while firmware upload is in progress!
Figure 153 Maintenance > Firmware Upgrade
The following table describes the labels in this screen. After you see the firmware updating screen,
wait two minutes before logging into the VMG again.
Table 119 Maintenance > Firmware Upgrade
LABEL
DESCRIPTION
Upgrade
Firmware
Current
Firmware
Version
This is the present Firmware version and the date created.
File Path
Type in the location of the file you wasnt to upload in this field or click Choose File to find
it.
VMG1312-B10D User’s Guide
244
Chapter 35 Firmware Upgrade
Table 119 Maintenance > Firmware Upgrade
LABEL
DESCRIPTION
Choose File
Click this to find the .bin file you want to upload. Remember that you must decompress
compressed (.zip) files before you can upload them.
Upload
Click this to begin the upload process. This process may take up to two minutes.
Upgrade WWAN
Package
Current
WWAN
Package
Version
This is the present WWAN Package version and the date created.
File Path
Type in the location of the file you want to upload in this field or click Choose File to find it.
Choose File
Click this to find the .bin file you want to upload. Remember that you must decompress
compressed (.zip) files before you can upload them.
Upload
Click this to begin the upload process. This process may take up to two minutes.
Figure 154 Firmware Uploading
The VMG automatically restarts in this time causing a temporary network disconnect. In some
operating systems, you may see the following icon on your desktop.
Figure 155 Network Temporarily Disconnected
After two minutes, log in again and check your new firmware version in the Status screen.
If the upload was not successful, the following screen will appear. Click OK to go back to the
Firmware Upgrade screen.
Figure 156 Error Message
VMG1312-B10D User’s Guide
245
36
Backup/Restore
36.1 Overview
The Backup/Restore screen allows you to backup and restore device configurations. You can also
reset your device settings back to the factory default.
36.2 The Backup/Restore Screen
Click Maintenance > Backup/Restore. Information related to factory defaults, backup
configuration, and restoring configuration appears in this screen, as shown next.
Figure 157 Maintenance > Backup/Restore
Backup Configuration
Backup Configuration allows you to back up (save) the VMG’s current configuration to a file on your
computer. Once your VMG is configured and functioning properly, it is highly recommended that you
back up your configuration file before making configuration changes. The backup configuration file
will be useful in case you need to return to your previous settings.
Click Backup to save the VMGs current configuration to your computer.
VMG1312-B10D User’s Guide
246
Chapter 36 Backup/Restore
Restore Configuration
Restore Configuration allows you to upload a new or previously saved configuration file from your
computer to your VMG.
Table 120 Restore Configuration
LABEL
DESCRIPTION
File Path
Type in the location of the file you want to upload in this field or click
Choose File
to find it.
Choose File
Click this to find the file you want to upload. Remember that you must decompress
compressed (.ZIP) files before you can upload them.
Upload
Click this to begin the upload process.
Do not turn off the VMG while configuration file upload is in progress.
After the VMG configuration has been restored successfully, the login screen appears. Login again
to restart the VMG.
The VMG automatically restarts in this time causing a temporary network disconnect. In some
operating systems, you may see the following icon on your desktop.
Figure 158 Network Temporarily Disconnected
If you uploaded the default configuration file you may need to change the IP address of your
computer to be in the same subnet as that of the default device IP address (192.168.1.1).
If the upload was not successful, the following screen will appear. Click OK to go back to the
Configuration screen.
Figure 159 Configuration Upload Error
Reset to Factory Defaults
Click the Reset button to clear all user-entered configuration information and return the VMG to its
factory defaults. The following warning screen appears.
VMG1312-B10D User’s Guide
247
Chapter 36 Backup/Restore
Figure 160 Reset Warning Message
Figure 161 Reset In Process Message
You can also press the RESET button on the rear panel to reset the factory defaults of your VMG.
Refer to Section 1.7 on page 20 for more information on the RESET button.
36.3 The Reboot Screen
System restart allows you to reboot the VMG remotely without turning the power off. You may need
to do this if the VMG hangs, for example.
Click Maintenance > Reboot. Click Reboot to have the VMG reboot. This does not affect the
VMG's configuration.
Figure 162 Maintenance > Reboot
VMG1312-B10D User’s Guide
248
37
Diagnostic
37.1 Overview
The Diagnostic screens display information to help you identify problems with the VMG.
The route between a CO VDSL switch and one of its CPE may go through switches owned by
independent organizations. A connectivity fault point generally takes time to discover and impacts
subscribers network access. In order to eliminate the management and maintenance efforts, IEEE
802.1ag is a Connectivity Fault Management (CFM) specification which allows network
administrators to identify and manage connection faults. Through discovery and verification of the
path, CFM can detect, analyze and isolate connectivity faults in bridged LANs.
37.1.1 What You Can Do in this Chapter
The Ping & TraceRoute & Nslookup screen lets you ping an IP address or trace the route
packets take to a host (Section 37.3 on page 250).
The 802.1ag screen lets you perform CFM actions (Section 37.5 on page 251).
The OAM Ping screen lets you send an ATM OAM (Operation, Administration and Maintenance)
packet to verify the connectivity of a specific PVC. (Section 37.5 on page 251).
37.2 What You Need to Know
The following terms and concepts may help as you read through this chapter.
How CFM Works
A Maintenance Association (MA) defines a VLAN and associated Maintenance End Point (MEP) ports
on the device under a Maintenance Domain (MD) level. An MEP port has the ability to send
Connectivity Check Messages (CCMs) and get other MEP ports information from neighbor devices’
CCMs within an MA.
CFM provides two tests to discover connectivity faults.
Loopback test - checks if the MEP port receives its Loop Back Response (LBR) from its target
after it sends the Loop Back Message (LBM). If no response is received, there might be a
connectivity fault between them.
Link trace test - provides additional connectivity fault analysis to get more information on where
the fault is. If an MEP port does not respond to the source MEP, this may indicate a fault.
Administrators can take further action to check and resume services from the fault according to
the line connectivity status report.
VMG1312-B10D User’s Guide
249
Chapter 37 Diagnostic
37.3 Ping & TraceRoute & Nslookup
Use this screen to ping, traceroute, or nslookup an IP address. Click Maintenance > Diagnostic >
Ping&TraceRoute&Nslookup to open the screen shown next.
Figure 163 Maintenance > Diagnostic > Ping &TraceRoute&Nslookup
The following table describes the fields in this screen.
Table 121 Maintenance > Diagnostic > Ping & TraceRoute & Nslookup
LABEL
DESCRIPTION
TCP/IP Address
Type the IP address of a computer that you want to perform ping, traceroute, or nslookup in
order to test a connection.
Ping
Click this to ping the IP address that you entered.
TraceRoute
Click this button to perform the traceroute function. This determines the path a packet
takes to the specified computer.
Nslookup
Click this button to perform a DNS lookup on the IP address of a computer you enter.
37.4 802.1ag
Click Maintenance > Diagnostic > 8.2.1ag to open the following screen. Use this screen to
perform CFM actions.
Figure 164 Maintenance > Diagnostic > 802.1ag
VMG1312-B10D User’s Guide
250
Chapter 37 Diagnostic
The following table describes the fields in this screen.
Table 122 Maintenance > Diagnostic > 802.1ag
LABEL
DESCRIPTION
802.1ag Connectivity Fault Management
Maintenance
Domain (MD)
Level
Select a level (0-7) under which you want to create an MA.
Destination
MAC Address
Enter the target devices MAC address to which the VMG performs a CFM loopback test.
802.1Q VLAN
ID
Type a VLAN ID (0-4095) for this MA.
VDSL Traffic
Type
This shows whether the VDSL traffic is activated.
Loopback
Message (LBM)
This shows how many Loop Back Messages (LBMs) are sent and if there is any inorder or
outorder Loop Back Response (LBR) received from a remote MEP.
Linktrace
Message (LTM)
This shows the destination MAC address in the Link Trace Response (LTR).
Set MD Level
Click this button to configure the MD (Maintenance Domain) level.
Send Loopback
Click this button to have the selected MEP send the LBM (Loop Back Message) to a specified
remote end point.
Send Linktrace
Click this button to have the selected MEP send the LTMs (Link Trace Messages) to a
specified remote end point.
37.5 OAM Ping
Click Maintenance > Diagnostic > OAM Ping to open the screen shown next. Use this screen to
perform an OAM (Operation, Administration and Maintenance) F4 or F5 loopback test on a PVC. The
VMG sends an OAM F4 or F5 packet to the DSLAM or ATM switch and then returns it to the VMG.
The test result then displays in the text box.
ATM sets up virtual circuits over which end systems communicate. The terminology for virtual
circuits is as follows:
Virtual Channel (VC) Logical connections between ATM devices
Virtual Path (VP) A bundle of virtual channels
Virtual Circuits A series of virtual paths between circuit end points
Figure 165 Virtual Circuit Topology
VMG1312-B10D User’s Guide
251
Chapter 37 Diagnostic
Think of a virtual path as a cable that contains a bundle of wires. The cable connects two points and
wires within the cable provide individual circuits between the two points. In an ATM cell header, a
VPI (Virtual Path Identifier) identifies a link formed by a virtual path; a VCI (Virtual Channel
Identifier) identifies a channel within a virtual path. A series of virtual paths make up a virtual
circuit.
F4 cells operate at the virtual path (VP) level, while F5 cells operate at the virtual channel (VC)
level. F4 cells use the same VPI as the user data cells on VP connections, but use different
predefined VCI values. F5 cells use the same VPI and VCI as the user data cells on the VC
connections, and are distinguished from data cells by a predefinded Payload Type Identifier (PTI) in
the cell header. Both F4 flows and F5 flows are bidirectional and have two types.
segment F4 flows (VCI=3)
end-to-end F4 flows (VCI=4)
segment F5 flows (PTI=100)
end-to-end F5 flows (PTI=101)
OAM F4 or F5 tests are used to check virtual path or virtual channel availability between two DSL
devices. Segment flows are terminated at the connecting point which terminates a VP or VC
segment. End-to-end flows are terminated at the end point of a VP or VC connection, where an ATM
link is terminated. Segment loopback tests allow you to verify integrity of a PVC to the nearest
neighboring ATM device. End-to-end loopback tests allow you to verify integrity of an end-to-end
PVC.
Note: The DSLAM to which the VMG is connected must also support ATM F4 and/or F5 to
use this test.
Note: This screen is available only when you configure an ATM layer-2 interface.
Figure 166 Maintenance > Diagnostic > OAM Ping
The following table describes the fields in this screen.
Table 123 Maintenance > Diagnostic > OAM Ping
LABEL
DESCRIPTION
Select a PVC on which you want to perform the loopback test.
F4 segment
Press this to perform an OAM F4 segment loopback test.
F4 end-end
Press this to perform an OAM F4 end-to-end loopback test.
F5 segment
Press this to perform an OAM F5 segment loopback test.
F5 end-end
Press this to perform an OAM F5 end-to-end loopback test.
VMG1312-B10D User’s Guide
252
38
Troubleshooting
This chapter offers some suggestions to solve problems you might encounter. The potential
problems are divided into the following categories.
Power, Hardware Connections, and LEDs
VMG Access and Login
Internet Access
Wireless Internet Access
USB Device Connection
UPnP
38.1 Power, Hardware Connections, and LEDs
The VMG does not turn on. None of the LEDs turn on.
1 Make sure the VMG is turned on.
2 Make sure you are using the power adaptor or cord included with the VMG.
3 Make sure the power adaptor or cord is connected to the VMG and plugged in to an appropriate
power source. Make sure the power source is turned on.
4 Turn the VMG off and on.
5 If the problem continues, contact the vendor.
One of the LEDs does not behave as expected.
1 Make sure you understand the normal behavior of the LED. See Section 1.6 on page 19.
2 Check the hardware connections.
3 Inspect your cables for damage. Contact the vendor to replace any damaged cables.
4 Turn the VMG off and on.
VMG1312-B10D User’s Guide
253
Chapter 38 Troubleshooting
5 If the problem continues, contact the vendor.
38.2 VMG Access and Login
I forgot the IP address for the VMG.
1 The default LAN IP address is 192.168.1.1.
2 If you changed the IP address and have forgotten it, you might get the IP address of the VMG by
looking up the IP address of the default gateway for your computer. To do this in most Windows
computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default
Gateway might be the IP address of the VMG (it depends on the network), so enter this IP address
in your Internet browser.
3 If this does not work, you have to reset the device to its factory defaults. See Section 1.7 on page
20.
I forgot the password.
1 See the cover page for the default login names and associated passwords.
2 If those do not work, you have to reset the device to its factory defaults. See Section 1.7 on page
20.
I cannot see or access the Login screen in the web configurator.
1 Make sure you are using the correct IP address.
The default IP address is 192.168.1.1.
If you changed the IP address (Section 8.2 on page 118), use the new IP address.
If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I
forgot the IP address for the VMG.
2 Check the hardware connections, and make sure the LEDs are behaving as expected. See Section
1.6 on page 19.
3 Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java
enabled.
4 If it is possible to log in from another interface, check the service control settings for HTTP and
HTTPS (Maintenance > Remote MGMT).
VMG1312-B10D User’s Guide
254
Chapter 38 Troubleshooting
5 Reset the device to its factory defaults, and try to access the VMG with the default IP address. See
Section 1.7 on page 20.
6 If the problem continues, contact the network administrator or vendor, or try one of the advanced
suggestions.
Advanced Suggestions
Make sure you have logged out of any earlier management sessions using the same user account
even if they were through a different interface or using a different browser.
Try to access the VMG using another service, such as Telnet. If you can access the VMG, check
the remote management settings and firewall rules to find out why the VMG does not respond to
HTTP.
I can see the Login screen, but I cannot log in to the VMG.
1 Make sure you have entered the password correctly. See the cover page for the default login names
and associated passwords. The field is case-sensitive, so make sure [Caps Lock] is not on.
2 You cannot log in to the web configurator while someone is using Telnet to access the VMG. Log out
of the VMG in the other session, or ask the person who is logged in to log out.
3 Turn the VMG off and on.
4 If this does not work, you have to reset the device to its factory defaults. See Section 38.1 on page
253.
I cannot Telnet to the VMG.
See the troubleshooting suggestions for I cannot see or access the Login screen in the web
configurator. Ignore the suggestions about your browser.
I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload
new firmware.
See the troubleshooting suggestions for I cannot see or access the Login screen in the web
configurator. Ignore the suggestions about your browser.
VMG1312-B10D User’s Guide
255
Chapter 38 Troubleshooting
38.3 Internet Access
I cannot access the Internet.
1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the
Quick Start Guide and Section 1.6 on page 19.
2 Make sure you entered your ISP account information correctly in the Network Setting >
Broadband screen. These fields are case-sensitive, so make sure [Caps Lock] is not on.
3 If you are trying to access the Internet wirelessly, make sure that you enabled the wireless LAN in
the VMG and your wireless client and that the wireless settings in the wireless client are the same
as the settings in the VMG.
4 Disconnect all the cables from your device and reconnect them.
5 If the problem continues, contact your ISP.
I cannot access the Internet through a DSL connection.
1 Make sure you have the DSL WAN port connected to a telephone jack (or the DSL or modem jack
on a splitter if you have one).
2 Make sure you configured a proper DSL WAN interface (Network Setting > Broadband screen)
with the Internet account information provided by your ISP and that it is enabled.
3 Check that the LAN interface you are connected to is in the same interface group as the DSL
connection (Network Setting > Interface Group).
4 If you set up a WAN connection using bridging service, make sure you turn off the DHCP feature in
the LAN screen to have the clients get WAN IP addresses directly from your ISPs DHCP server.
I cannot connect to the Internet using a second DSL
connection.
ADSL and VDSL connections cannot work at the same time. You can only use one type of DSL
connection, either ADSL or VDSL connection at one time.
I cannot connect to the Internet using an Ethernet connection.
1 Make sure you have the Ethernet WAN port connected to a Modem or Router.
VMG1312-B10D User’s Guide
256
Chapter 38 Troubleshooting
2 Make sure you configured a proper Ethernet WAN interface (Network Setting > Broadband
screen) with the Internet account information provided by your ISP and that it is enabled.
3 Check that the WAN interface you are connected to is in the same interface group as the Ethernet
connection (Network Setting > Interface Grouping).
4 If you set up a WAN connection using bridging service, make sure you turn off the DHCP feature in
the LAN screen to have the clients get WAN IP addresses directly from your ISPs DHCP server.
I cannot connect to the Internet using a 3G connection.
1 The DSL and Ethernet WAN connections have priority in that order. If the DSL or Ethernet WAN
connection is up, then the 3G connection will be down.
2 Make sure you have connected a compatible 3G dongle to the USB port.
3 Make sure you have configured Network Setting > Broadband > 3G Backup correctly.
4 Check that the VMG is within range of a 3G base station.
I cannot access the VMG anymore. I had access to the VMG, but my connection is not
available anymore.
1 Your session with the VMG may have expired. Try logging into the VMG again.
2 Check the hardware connections, and make sure the LEDs are behaving as expected. See the
Quick Start Guide and Section 1.6 on page 19.
3 Turn the VMG off and on.
4 If the problem continues, contact your vendor.
38.4 Wireless Internet Access
What factors may cause intermittent or unstabled wireless connection? How can I solve this
problem?
The following factors may cause interference:
Obstacles: walls, ceilings, furniture, and so on.
Building Materials: metal doors, aluminum studs.
VMG1312-B10D User’s Guide
257
Chapter 38 Troubleshooting
Electrical devices: microwaves, monitors, electric motors, cordless phones, and other wireless
devices.
To optimize the speed and quality of your wireless connection, you can:
Move your wireless device closer to the AP if the signal strength is low.
Reduce wireless interference that may be caused by other wireless networks or surrounding
wireless electronics such as cordless phones.
Place the AP where there are minimum obstacles (such as walls and ceilings) between the AP and
the wireless client.
Reduce the number of wireless clients connecting to the same AP simultaneously, or add
additional APs if necessary.
Try closing some programs that use the Internet, especially peer-to-peer applications. If the
wireless client is sending or receiving a lot of information, it may have too many programs open
that use the Internet.
What is a Server Set ID (SSID)?
An SSID is a name that uniquely identifies a wireless network. The AP and all the clients within a
wireless network must use the same SSID.
38.5 USB Device Connection
The VMG fails to detect my USB device.
1 Disconnect the USB device.
2 Reboot the VMG.
3 If you are connecting a USB hard drive that comes with an external power supply, make sure it is
connected to an appropriate power source that is on.
4 Re-connect your USB device to the VMG.
38.6 UPnP
When using UPnP and the VMG reboots, my computer cannot detect UPnP and refresh My
Network Places > Local Network.
VMG1312-B10D User’s Guide
258
Chapter 38 Troubleshooting
1 Disconnect the Ethernet cable from the VMGs LAN port or from your computer.
2 Re-connect the Ethernet cable.
The Local Area Connection icon for UPnP disappears in the screen.
Restart your computer.
VMG1312-B10D User’s Guide
259
PART III
Appendices
Appendices contain general information. Some information may not apply to your device.
260
A
Customer Support
In the event of problems that cannot be solved by using this manual, you should contact your
vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you
bought the device.
See http://www.zyxel.com/homepage.shtml and also
http://www.zyxel.com/about_zyxel/zyxel_worldwide.shtml for the latest information.
Please have the following information ready when you contact an office.
Required Information
Product model and serial number.
Warranty Information.
Date that you received your device.
Brief description of the problem and the steps you took to solve it.
Corporate Headquarters (Worldwide)
Taiwan
ZyXEL Communications Corporation
http://www.zyxel.com
Asia
China
ZyXEL Communications (Shanghai) Corp.
ZyXEL Communications (Beijing) Corp.
ZyXEL Communications (Tianjin) Corp.
http://www.zyxel.cn
India
ZyXEL Technology India Pvt Ltd
http://www.zyxel.in
Kazakhstan
ZyXEL Kazakhstan
http://www.zyxel.kz
VMG1312-B10D User’s Guide
261
Appendix A Customer Support
Korea
ZyXEL Korea Corp.
http://www.zyxel.kr
Malaysia
ZyXEL Malaysia Sdn Bhd.
http://www.zyxel.com.my
Pakistan
ZyXEL Pakistan (Pvt.) Ltd.
http://www.zyxel.com.pk
Philippines
ZyXEL Philippines
http://www.zyxel.com.ph
Singapore
ZyXEL Singapore Pte Ltd.
http://www.zyxel.com.sg
Taiwan
ZyXEL Communications Corporation
http://www.zyxel.com/tw/zh/
Thailand
ZyXEL Thailand Co., Ltd
http://www.zyxel.co.th
Vietnam
ZyXEL Communications Corporation-Vietnam Office
http://www.zyxel.com/vn/vi
Europe
Austria
ZyXEL Deutschland GmbH
http://www.zyxel.de
Belarus
ZyXEL BY
http://www.zyxel.by
VMG1312-B10D User’s Guide
262
Appendix A Customer Support
Belgium
ZyXEL Communications B.V.
http://www.zyxel.com/be/nl/
http://www.zyxel.com/be/fr/
Bulgaria
ZyXEL България
http://www.zyxel.com/bg/bg/
Czech Republic
ZyXEL Communications Czech s.r.o
http://www.zyxel.cz
Denmark
ZyXEL Communications A/S
http://www.zyxel.dk
Estonia
ZyXEL Estonia
http://www.zyxel.com/ee/et/
Finland
ZyXEL Communications
http://www.zyxel.fi
France
ZyXEL France
http://www.zyxel.fr
Germany
ZyXEL Deutschland GmbH
http://www.zyxel.de
Hungary
ZyXEL Hungary & SEE
http://www.zyxel.hu
Italy
ZyXEL Communications Italy
http://www.zyxel.it/
VMG1312-B10D User’s Guide
263
Appendix A Customer Support
Latvia
ZyXEL Latvia
http://www.zyxel.com/lv/lv/homepage.shtml
Lithuania
ZyXEL Lithuania
http://www.zyxel.com/lt/lt/homepage.shtml
Netherlands
ZyXEL Benelux
http://www.zyxel.nl
Norway
ZyXEL Communications
http://www.zyxel.no
Poland
ZyXEL Communications Poland
http://www.zyxel.pl
Romania
ZyXEL Romania
http://www.zyxel.com/ro/ro
Russia
ZyXEL Russia
http://www.zyxel.ru
Slovakia
ZyXEL Communications Czech s.r.o. organizacna zlozka
http://www.zyxel.sk
Spain
ZyXEL Communications ES Ltd
http://www.zyxel.es
Sweden
ZyXEL Communications
http://www.zyxel.se
Switzerland
Studerus AG
VMG1312-B10D User’s Guide
264
Appendix A Customer Support
http://www.zyxel.ch/
Turkey
ZyXEL Turkey A.S.
http://www.zyxel.com.tr
UK
ZyXEL Communications UK Ltd.
http://www.zyxel.co.uk
Ukraine
ZyXEL Ukraine
http://www.ua.zyxel.com
Latin America
Argentina
ZyXEL Communication Corporation
http://www.zyxel.com/ec/es/
Brazil
ZyXEL Communications Brasil Ltda.
https://www.zyxel.com/br/pt/
Ecuador
ZyXEL Communication Corporation
http://www.zyxel.com/ec/es/
Middle East
Israel
ZyXEL Communication Corporation
http://il.zyxel.com/homepage.shtml
Middle East
ZyXEL Communication Corporation
http://www.zyxel.com/me/en/
VMG1312-B10D User’s Guide
265
Appendix A Customer Support
North America
USA
ZyXEL Communications, Inc. - North America Headquarters
http://www.zyxel.com/us/en/
Oceania
Australia
ZyXEL Communications Corporation
http://www.zyxel.com/au/en/
Africa
South Africa
Nology (Pty) Ltd.
http://www.zyxel.co.za
VMG1312-B10D User’s Guide
266
B
Wireless LANs
Wireless LAN Topologies
This section discusses ad-hoc and infrastructure wireless LAN topologies.
Ad-hoc Wireless LAN Configuration
The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of
computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within
range of each other, they can set up an independent network, which is commonly referred to as an
ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example
of notebook computers using wireless adapters to form an ad-hoc wireless LAN.
Figure 167 Peer-to-Peer Communication in an Ad-hoc Network
BSS
A Basic Service Set (BSS) exists when all communications between wireless clients or between a
wireless client and a wired network client go through one access point (AP).
Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless
client A and B can access the wired network and communicate with each other. When Intra-BSS is
disabled, wireless client A and B can still access the wired network but cannot communicate with
each other.
VMG1312-B10D User’s Guide
267
Appendix B Wireless LANs
ESS
Figure 168 Basic Service Set
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access
point, with each access point connected together by a wired network. This wired connection
between APs is called a Distribution System (DS).
This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only
provide communication with the wired network but also mediate wireless network traffic in the
immediate neighborhood.
An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated
wireless clients within the same ESS must have the same ESSID in order to communicate.
VMG1312-B10D User’s Guide
268
Appendix B Wireless LANs
Channel
Figure 169 Infrastructure WLAN
A channel is the radio frequency(ies) used by wireless devices to transmit and receive data.
Channels available depend on your geographical area. You may have a choice of channels (for your
region) so you should use a channel different from an adjacent AP (access point) to reduce
interference. Interference occurs when radio signals from different access points overlap causing
interference and degrading performance.
Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should
be on a channel at least five channels away from a channel that an adjacent AP is using. For
example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to
select a channel between 6 or 11.
RTS/CTS
A hidden node occurs when two stations are within range of the same access point, but are not
within range of each other. The following figure illustrates a hidden node. Both stations (STA) are
within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they
cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore,
they are considered hidden from each other.
VMG1312-B10D User’s Guide
269
Appendix B Wireless LANs
Figure 170 RTS/CTS
When station A sends data to the AP, it might not know that the station B is already using the
channel. If these two stations send data at the same time, collisions may occur when both sets of
data arrive at the AP at the same time, resulting in a loss of messages for both stations.
RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest
size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is
invoked.
When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station
that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for
permission to send it. The AP then responds with a CTS (Clear to Send) message to all other
stations within its range to notify them to defer their transmission. It also reserves and confirms
with the requesting station the time frame for the requested transmission.
Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS
(Request To Send)/CTS (Clear to Send) handshake.
You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and
the "cost" of resending large frames is more than the extra network overhead involved in the RTS
(Request To Send)/CTS (Clear to Send) handshake.
If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the
RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be
fragmented before they reach RTS/CTS size.
Note: Enabling the RTS Threshold causes redundant network overhead that could
negatively affect the throughput performance instead of providing a remedy.
Fragmentation Threshold
A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes)
that can be sent in the wireless network before the AP will fragment the packet into smaller data
frames.
A large Fragmentation Threshold is recommended for networks not prone to interference while
you should set a smaller threshold for busy networks or networks that are prone to interference.
If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you
set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames
will be fragmented before they reach RTS/CTS size.
VMG1312-B10D User’s Guide
270
Appendix B Wireless LANs
IEEE 802.11g Wireless LAN
IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b
adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or
lower depending on range. IEEE 802.11g has several intermediate rate steps between the
maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:
Table 124 IEEE 802.11g
DATA RATE (MBPS)
MODULATION
1
DBPSK (Differential Binary Phase Shift Keyed)
2
DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11
CCK (Complementary Code Keying)
6/9/12/18/24/36/48/
54
OFDM (Orthogonal Frequency Division Multiplexing)
Wireless Security Overview
Wireless security is vital to your network to protect wireless communication between wireless
clients, access points and the wired network.
Wireless security methods available on the VMG are data encryption, wireless client authentication,
restricting access by device MAC address and hiding the VMG identity.
The following figure shows the relative effectiveness of these wireless security methods available on
your VMG.
Table 125 Wireless Security Levels
SECURITY
LEVEL
SECURITY TYPE
Least
Secure
Most Secure
Unique SSID (Default)
Unique SSID with Hide SSID Enabled
MAC Address Filtering
WEP Encryption
IEEE802.1x EAP with RADIUS Server Authentication
Wi-Fi Protected Access (WPA)
WPA2
Note: You must enable the same wireless security settings on the VMG and on all wireless
clients that you want to associate with it.
IEEE 802.1x
In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to
support extended authentication as well as providing additional accounting and control features. It
is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x
are:
User based identification that allows for roaming.
VMG1312-B10D User’s Guide
271
Appendix B Wireless LANs
Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for
centralized user profile and accounting management on a network RADIUS server.
Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional
authentication methods to be deployed with no changes to the access point or the wireless
clients.
RADIUS
RADIUS is based on a client-server model that supports authentication, authorization and
accounting. The access point is the client and the server is the RADIUS server. The RADIUS server
handles the following tasks:
Authentication
Determines the identity of the users.
Authorization
Determines the network services available to authenticated users once they are connected to the
network.
Accounting
Keeps track of the client’s network activity.
RADIUS is a simple package exchange in which your AP acts as a message relay between the
wireless client and the network RADIUS server.
Types of RADIUS Messages
The following types of RADIUS messages are exchanged between the access point and the RADIUS
server for user authentication:
Access-Request
Sent by an access point requesting authentication.
Access-Reject
Sent by a RADIUS server rejecting access.
Access-Accept
Sent by a RADIUS server allowing access.
Access-Challenge
Sent by a RADIUS server requesting more information in order to allow access. The access point
sends a proper response from the user and then sends another Access-Request message.
The following types of RADIUS messages are exchanged between the access point and the RADIUS
server for user accounting:
Accounting-Request
Sent by the access point requesting accounting.
Accounting-Response
Sent by the RADIUS server to indicate that it has started or stopped accounting.
In order to ensure network security, the access point and the RADIUS server use a shared secret
key, which is a password, they both know. The key is not sent over the network. In addition to the
VMG1312-B10D User’s Guide
272
Appendix B Wireless LANs
shared key, password information exchanged is also encrypted to protect the network from
unauthorized access.
Types of EAP Authentication
This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and
LEAP. Your wireless LAN device may not support all authentication types.
EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE
802.1x transport mechanism in order to support multiple types of user authentication. By using EAP
to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a
RADIUS server perform authentication.
The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that
supports IEEE 802.1x.
For EAP-TLS authentication type, you must first have a wired connection to the network and obtain
the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used
to authenticate users and a CA issues certificates and guarantees the identity of each certificate
owner.
EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server
sends a challenge to the wireless client. The wireless client ‘proves’ that it knows the password by
encrypting the password with the challenge and sends back the information. Password is not sent in
plain text.
However, MD5 authentication has some weaknesses. Since the authentication server needs to get
the plaintext passwords, the passwords must be stored. Thus someone other than the
authentication server may access the password file. In addition, it is possible to impersonate an
authentication server as MD5 authentication method does not perform mutual authentication.
Finally, MD5 authentication method does not support data encryption with dynamic session key. You
must configure WEP encryption keys for data encryption.
EAP-TLS (Transport Layer Security)
With EAP-TLS, digital certifications are needed by both the server and the wireless clients for
mutual authentication. The server presents a certificate to the client. After validating the identity of
the server, the client sends a different certificate to the server. The exchange of certificates is done
in the open before a secured tunnel is created. This makes user identity vulnerable to passive
attacks. A digital certificate is an electronic ID card that authenticates the sender’s identity.
However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which
imposes a management overhead.
EAP-TTLS (Tunneled Transport Layer Service)
EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-
side authentications to establish a secure connection. Client authentication is then done by sending
username and password through the secure connection, thus client identity is protected. For client
authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP,
CHAP, MS-CHAP and MS-CHAP v2.
VMG1312-B10D User’s Guide
273
Appendix B Wireless LANs
PEAP (Protected EAP)
Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then
use simple username and password methods through the secured connection to authenticate the
clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5,
EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is
implemented only by Cisco.
LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.
Dynamic WEP Key Exchange
The AP maps a unique key that is generated with the RADIUS server. This key expires when the
wireless connection times out, disconnects or reauthentication times out. A new WEP key is
generated each time reauthentication is performed.
If this feature is enabled, it is not necessary to configure a default encryption key in the wireless
security configuration screen. You may still configure and store keys, but they will not be used while
dynamic WEP is enabled.
Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange
For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic
keys for data encryption. They are often deployed in corporate environments, but for public
deployment, a simple user name and password pair is more practical. The following table is a
comparison of the features of authentication types.
Table 126 Comparison of EAP Authentication Types
EAP-MD5
EAP-TLS
EAP-TTLS
PEAP
LEAP
Mutual Authentication
No
Yes
Yes
Yes
Yes
Certificate – Client
No
Yes
Optional
Optional
No
Certificate Server
No
Yes
Yes
Yes
No
Dynamic Key Exchange
No
Yes
Yes
Yes
Yes
Credential Integrity
None
Strong
Strong
Strong
Moderate
Deployment Difficulty
Easy
Hard
Moderate
Moderate
Moderate
Client Identity Protection
No
No
Yes
Yes
No
WPA and WPA2
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a
wireless security standard that defines stronger encryption, authentication and key management
than WPA.
Key differences between WPA or WPA2 and WEP are improved data encryption and user
authentication.
If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use
WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use
VMG1312-B10D User’s Guide
274
Appendix B Wireless LANs
WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into
each access point, wireless gateway and wireless client. As long as the passwords match, a wireless
client will be granted access to a WLAN.
If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on
whether you have an external RADIUS server or not.
Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less
secure than WPA or WPA2.
Encryption
WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity
Check (MIC) and IEEE 802.1x. WPA2 also uses TKIP when required for compatibility reasons, but
offers stronger encryption than TKIP with Advanced Encryption Standard (AES) in the Counter
mode with Cipher block chaining Message authentication code Protocol (CCMP).
TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server.
AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm
called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check
(MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying
mechanism.
WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is
never used twice.
The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key
hierarchy and management system, using the PMK to dynamically generate unique data encryption
keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless
clients. This all happens in the background automatically.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets,
altering them and resending them. The MIC provides a strong mathematical function in which the
receiver and the transmitter each compute and then compare the MIC. If they do not match, it is
assumed that the data has been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by creating an integrity
checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi
network than WEP and difficult for an intruder to break into the network.
The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference
between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific
credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force
password-guessing attacks but its still an improvement over WEP as it employs a consistent,
single, alphanumeric password to derive a PMK which is used to generate unique temporal
encryption keys. This prevent all wireless devices sharing the same encryption keys. (a weakness of
WEP)
User Authentication
WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate
wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange
messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a
network. Other WPA2 authentication features that are different from WPA include key caching and
VMG1312-B10D User’s Guide
275
Appendix B Wireless LANs
pre-authentication. These two features are optional and may not be supported in all wireless
devices.
Key caching allows a wireless client to store the PMK it derived through a successful authentication
with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not
need to go with the authentication process again.
Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an
AP) to perform IEEE 802.1x authentication with another AP before connecting to it.
Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the wireless
client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch
for Windows XP, Funk Software's Odyssey client.
The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero
Configuration" wireless client. However, you must run Windows XP to use it.
WPA(2) with RADIUS Application Example
To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812),
and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server
looks as follows. "A" is the RADIUS server. "DS" is the distribution system.
1 The AP passes the wireless client's authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants or denies
network access accordingly.
3 A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS
server and the client.
4 The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and
management system, using the PMK to dynamically generate unique data encryption keys. The
keys are used to encrypt every data packet that is wirelessly communicated between the AP and
the wireless clients.
VMG1312-B10D User’s Guide
276
Appendix B Wireless LANs
Figure 171 WPA(2) with RADIUS Application Example
WPA(2)-PSK Application Example
A WPA(2)-PSK application looks as follows.
1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must
consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and
symbols).
2 The AP checks each wireless client's password and allows it to join the network only if the password
matches.
3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not
sent over the network, but is derived from the PSK and the SSID.
4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information
exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data
exchanged between them.
Figure 172 WPA(2)-PSK Authentication
VMG1312-B10D User’s Guide
277
Appendix B Wireless LANs
Security Parameters Summary
Refer to this table to see what other security parameters you should configure for each
authentication method or key management protocol type. MAC address filters are not dependent on
how you configure these security features.
Table 127 Wireless Security Relational Matrix
AUTHENTICATION
METHOD/ KEY
MANAGEMENT PROTOCOL
ENCRYPTIO
N METHOD
ENTER
MANUAL KEY
IEEE 802.1X
Open
None
No
Disable
Enable without Dynamic WEP Key
Open
WEP
No
Enable with Dynamic WEP Key
Yes
Enable without Dynamic WEP Key
Yes
Disable
Shared
WEP
No
Enable with Dynamic WEP Key
Yes
Enable without Dynamic WEP Key
Yes
Disable
WPA
TKIP/AES
No
Enable
WPA-PSK
TKIP/AES
Yes
Disable
WPA2
TKIP/AES
No
Enable
WPA2-PSK
TKIP/AES
Yes
Disable
Antenna Overview
An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to
the antenna, which propagates the signal through the air. The antenna also operates in reverse by
capturing RF signals from the air.
Positioning the antennas properly increases the range and coverage area of a wireless LAN.
Antenna Characteristics
Frequency
An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.11a)
is needed to communicate efficiently in a wireless LAN
Radiation Pattern
A radiation pattern is a diagram that allows you to visualize the shape of the antenna’s coverage
area.
Antenna Gain
Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width.
Higher antenna gain improves the range of the signal for better communications.
For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately
VMG1312-B10D User’s Guide
278
Appendix B Wireless LANs
2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a range increase of
approximately 5%. Actual results may vary depending on the network environment.
Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal
power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna
that sends out radio signals equally well in all directions. dBi represents the true gain that the
antenna provides.
Types of Antennas for WLAN
There are two types of antennas used for wireless LAN applications.
Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The
coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room
environment. With a wide coverage area, it is possible to make circular overlapping coverage
areas with multiple access points.
Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light
from its bulb. The angle of the beam determines the width of the coverage pattern. Angles
typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional
antennas are ideal for hallways and outdoor point-to-point applications.
Positioning Antennas
In general, antennas should be mounted as high as practically possible and free of obstructions. In
point-to–point application, position both antennas at the same height and in a direct line of sight to
each other to attain the best performance.
For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For
omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP
application, place omni-directional antennas as close to the center of the coverage area as possible.
For directional antennas, point the antenna in the direction of the desired coverage area.
VMG1312-B10D User’s Guide
279
C
IPv6
Overview
IPv6 (Internet Protocol version 6), is designed to enhance IP address size and features. The
increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 1038 IP
addresses.
IPv6 Addressing
The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This
is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.
IPv6 addresses can be abbreviated in two ways:
Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can
be written as 2001:db8:1a2b:15:0:0:1a2f:0.
Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can
only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be
written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015,
2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.
Prefix and Prefix Length
Similar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address. An
IPv6 prefix length specifies how many most significant bits (start from the left) in the address
compose the network address. The prefix length is written as “/x” where x is a number. For
example,
2001:db8:1a2b:15::1a2f:0/32
means that the first 32 bits (2001:db8) is the subnet prefix.
Link-local Address
A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a
“private IP address” in IPv4. You can have the same link-local address on multiple interfaces on a
device. A link-local unicast address has a predefined prefix of fe80::/10. The link-local unicast
address format is as follows.
Table 128 Link-local Unicast Address Format
1111 1110 10
0
Interface ID
10 bits
54 bits
64 bits
VMG1312-B10D User’s Guide
280
Appendix C IPv6
Global Address
A global address uniquely identifies a device on the Internet. It is similar to a “public IP address” in
IPv4. A global unicast address starts with a 2 or 3.
Unspecified Address
An unspecified address (0:0:0:0:0:0:0:0 or ::) is used as the source address when a device does
not have its own address. It is similar to “0.0.0.0” in IPv4.
Loopback Address
A loopback address (0:0:0:0:0:0:0:1 or ::1) allows a host to send packets to itself. It is similar to
“127.0.0.1” in IPv4.
Multicast Address
In IPv6, multicast addresses provide the same functionality as IPv4 broadcast addresses.
Broadcasting is not supported in IPv6. A multicast address allows a host to send packets to all hosts
in a multicast group.
Multicast scope allows you to determine the size of the multicast group. A multicast address has a
predefined prefix of ff00::/8. The following table describes some of the predefined multicast
addresses.
Table 129 Predefined Multicast Address
MULTICAST ADDRESS
DESCRIPTION
FF01:0:0:0:0:0:0:1
All hosts on a local node.
FF01:0:0:0:0:0:0:2
All routers on a local node.
FF02:0:0:0:0:0:0:1
All hosts on a local connected link.
FF02:0:0:0:0:0:0:2
All routers on a local connected link.
FF05:0:0:0:0:0:0:2
All routers on a local site.
FF05:0:0:0:0:0:1:3
All DHCP severs on a local site.
The following table describes the multicast addresses which are reserved and can not be assigned
to a multicast group.
Table 130 Reserved Multicast Address
MULTICAST ADDRESS
FF00:0:0:0:0:0:0:0
FF01:0:0:0:0:0:0:0
FF02:0:0:0:0:0:0:0
FF03:0:0:0:0:0:0:0
FF04:0:0:0:0:0:0:0
FF05:0:0:0:0:0:0:0
FF06:0:0:0:0:0:0:0
FF07:0:0:0:0:0:0:0
VMG1312-B10D User’s Guide
281
Appendix C IPv6
Table 130 Reserved Multicast Address (continued)
MULTICAST ADDRESS
FF08:0:0:0:0:0:0:0
FF09:0:0:0:0:0:0:0
FF0A:0:0:0:0:0:0:0
FF0B:0:0:0:0:0:0:0
FF0C:0:0:0:0:0:0:0
FF0D:0:0:0:0:0:0:0
FF0E:0:0:0:0:0:0:0
FF0F:0:0:0:0:0:0:0
Subnet Masking
Both an IPv6 address and IPv6 subnet mask compose of 128-bit binary digits, which are divided
into eight 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each
character (1 ~ 10, A ~ F). Each blocks 16 bits are then represented by four hexadecimal
characters. For example, FFFF:FFFF:FFFF:FFFF:FC00:0000:0000:0000.
Interface ID
In IPv6, an interface ID is a 64-bit identifier. It identifies a physical interface (for example, an
Ethernet port) or a virtual interface (for example, the management IP address for a VLAN). One
interface should have a unique interface ID.
EUI-64
The EUI-64 (Extended Unique Identifier) defined by the IEEE (Institute of Electrical and Electronics
Engineers) is an interface ID format designed to adapt with IPv6. It is derived from the 48-bit (6-
byte) Ethernet MAC address as shown next. EUI-64 inserts the hex digits fffe between the third and
fourth bytes of the MAC address and complements the seventh bit of the first byte of the MAC
address. See the following example.
MAC 00 : 13 : 49 : 12 : 34 :
56
EUI-64 02 : 13 : 49 : FF : FE : 12 : 34 :
56
Identity Association
An Identity Association (IA) is a collection of addresses assigned to a DHCP client, through which
the server and client can manage a set of related IP addresses. Each IA must be associated with
exactly one interface. The DHCP client uses the IA assigned to an interface to obtain configuration
from a DHCP server for that interface. Each IA consists of a unique IAID and associated IP
information.
The IA type is the type of address in the IA. Each IA holds one type of address. IA_NA means an
identity association for non-temporary addresses and IA_TA is an identity association for temporary
addresses. An IA_NA option contains the T1 and T2 fields, but an IA_TA option does not. The
DHCPv6 server uses T1 and T2 to control the time at which the client contacts with the server to
extend the lifetimes on any addresses in the IA_NA before the lifetimes expire. After T1, the client
sends the server (S1) (from which the addresses in the IA_NA were obtained) a Renew message. If
VMG1312-B10D User’s Guide
282
Appendix C IPv6
the time T2 is reached and the server does not respond, the client sends a Rebind message to any
available server (S2). For an IA_TA, the client may send a Renew or Rebind message at the client's
discretion.
T2
T1
Renew
to S1
Renew
to S1
Renew
to S1
Renew
to S1
Renew
to S1
Renew
to S1
Rebind
to S2
Rebind
to S2
DHCP Relay Agent
A DHCP relay agent is on the same network as the DHCP clients and helps forward messages
between the DHCP server and clients. When a client cannot use its link-local address and a well-
known multicast address to locate a DHCP server on its network, it then needs a DHCP relay agent
to send a message to a DHCP server that is not attached to the same network.
The DHCP relay agent can add the remote identification (remote-ID) option and the interface-ID
option to the Relay-Forward DHCPv6 messages. The remote-ID option carries a user-defined string,
such as the system name. The interface-ID option provides slot number, port information and the
VLAN ID to the DHCPv6 server. The remote-ID option (if any) is stripped from the Relay-Reply
messages before the relay agent sends the packets to the clients. The DHCP server copies the
interface-ID option from the Relay-Forward message into the Relay-Reply message and sends it to
the relay agent. The interface-ID should not change even after the relay agent restarts.
Prefix Delegation
Prefix delegation enables an IPv6 router to use the IPv6 prefix (network address) received from the
ISP (or a connected uplink router) for its LAN. The VMG uses the received IPv6 prefix (for example,
2001:db2::/48) to generate its LAN IP address. Through sending Router Advertisements (RAs)
regularly by multicast, the VMG passes the IPv6 prefix information to its LAN hosts. The hosts then
can use the prefix to generate their IPv6 addresses.
ICMPv6
Internet Control Message Protocol for IPv6 (ICMPv6 or ICMP for IPv6) is defined in RFC 4443.
ICMPv6 has a preceding Next Header value of 58, which is different from the value used to identify
ICMP for IPv4. ICMPv6 is an integral part of IPv6. IPv6 nodes use ICMPv6 to report errors
encountered in packet processing and perform other diagnostic functions, such as "ping".
Neighbor Discovery Protocol (NDP)
The Neighbor Discovery Protocol (NDP) is a protocol used to discover other IPv6 devices and track
neighbor’s reachability in a network. An IPv6 device uses the following ICMPv6 messages types:
Neighbor solicitation: A request from a host to determine a neighbor’s link-layer address (MAC
address) and detect if the neighbor is still reachable. A neighbor being “reachable” means it
responds to a neighbor solicitation message (from the host) with a neighbor advertisement
message.
VMG1312-B10D User’s Guide
283
Appendix C IPv6
Neighbor advertisement: A response from a node to announce its link-layer address.
Router solicitation: A request from a host to locate a router that can act as the default router and
forward packets.
Router advertisement: A response to a router solicitation or a periodical multicast advertisement
from a router to advertise its presence and other parameters.
IPv6 Cache
An IPv6 host is required to have a neighbor cache, destination cache, prefix list and default router
list. The VMG maintains and updates its IPv6 caches constantly using the information from
response messages. In IPv6, the VMG configures a link-local address automatically, and then sends
a neighbor solicitation message to check if the address is unique. If there is an address to be
resolved or verified, the VMG also sends out a neighbor solicitation message. When the VMG
receives a neighbor advertisement in response, it stores the neighbor’s link-layer address in the
neighbor cache. When the VMG uses a router solicitation message to query for a router and
receives a router advertisement message, it adds the router’s information to the neighbor cache,
prefix list and destination cache. The VMG creates an entry in the default router list cache if the
router can be used as a default router.
When the VMG needs to send a packet, it first consults the destination cache to determine the next
hop. If there is no matching entry in the destination cache, the VMG uses the prefix list to
determine whether the destination address is on-link and can be reached directly without passing
through a router. If the address is unlink, the address is considered as the next hop. Otherwise, the
VMG determines the next-hop from the default router list or routing table. Once the next hop IP
address is known, the VMG looks into the neighbor cache to get the link-layer address and sends
the packet when the neighbor is reachable. If the VMG cannot find an entry in the neighbor cache
or the state for the neighbor is not reachable, it starts the address resolution process. This helps
reduce the number of IPv6 solicitation and advertisement messages.
Multicast Listener Discovery
The Multicast Listener Discovery (MLD) protocol (defined in RFC 2710) is derived from IPv4's
Internet Group Management Protocol version 2 (IGMPv2). MLD uses ICMPv6 message types, rather
than IGMP message types. MLDv1 is equivalent to IGMPv2 and MLDv2 is equivalent to IGMPv3.
MLD allows an IPv6 switch or router to discover the presence of MLD listeners who wish to receive
multicast packets and the IP addresses of multicast groups the hosts want to join on its network.
MLD snooping and MLD proxy are analogous to IGMP snooping and IGMP proxy in IPv4.
MLD filtering controls which multicast groups a port can join.
MLD Messages
A multicast router or switch periodically sends general queries to MLD hosts to update the multicast
forwarding table. When an MLD host wants to join a multicast group, it sends an MLD Report
message for that address.
An MLD Done message is equivalent to an IGMP Leave message. When an MLD host wants to leave
a multicast group, it can send a Done message to the router or switch. The router or switch then
sends a group-specific query to the port on which the Done message is received to determine if
other devices connected to this port should remain in the group.
VMG1312-B10D User’s Guide
284
Appendix C IPv6
Example - Enabling IPv6 on Windows XP/2003/Vista
By default, Windows XP and Windows 2003 support IPv6. This example shows you how to use the
ipv6 install command on Windows XP/2003 to enable IPv6. This also displays how to use the
ipconfig command to see auto-generated IP addresses.
C:\>ipv6 install
Installing...
Succeeded.
C:\>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.1.46
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : fe80::2d0:59ff:feb8:103c%4
Default Gateway . . . . . . . . . : 10.1.1.254
IPv6 is installed and enabled by default in Windows Vista. Use the ipconfig command to check
your automatic configured IPv6 address as well. You should see at least one IPv6 address available
for the interface on your computer.
Example - Enabling DHCPv6 on Windows XP
Windows XP does not support DHCPv6. If your network uses DHCPv6 for IP address assignment,
you have to additionally install a DHCPv6 client software on your Windows XP. (Note: If you use
static IP addresses or Router Advertisement for IPv6 address assignment in your network, ignore
this section.)
This example uses Dibbler as the DHCPv6 client. To enable DHCPv6 client on your computer:
1 Install Dibbler and select the DHCPv6 client option on your computer.
2 After the installation is complete, select Start > All Programs > Dibbler-DHCPv6 > Client
Install as service.
3 Select Start > Control Panel > Administrative Tools > Services.
4 Double click Dibbler - a DHCPv6 client.
VMG1312-B10D User’s Guide
285
Appendix C IPv6
5 Click Start and then OK.
6 Now your computer can obtain an IPv6 address from a DHCPv6 server.
Example - Enabling IPv6 on Windows 7
Windows 7 supports IPv6 by default. DHCPv6 is also enabled when you enable IPv6 on a Windows 7
computer.
To enable IPv6 in Windows 7:
1 Select Control Panel > Network and Sharing Center > Local Area Connection.
2 Select the Internet Protocol Version 6 (TCP/IPv6) checkbox to enable it.
3 Click OK to save the change.
VMG1312-B10D User’s Guide
286
Appendix C IPv6
4 Click Close to exit the Local Area Connection Status screen.
5 Select Start > All Programs > Accessories > Command Prompt.
6 Use the ipconfig command to check your dynamic IPv6 address. This example shows a global
address (2001:b021:2d::1000) obtained from a DHCP server.
C:\>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:b021:2d::1000
Link-local IPv6 Address . . . . . : fe80::25d8:dcab:c80a:5189%11
IPv4 Address. . . . . . . . . . . : 172.16.100.61
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::213:49ff:feaa:7125%11
172.16.100.254
VMG1312-B10D User’s Guide
287
D
Services
The following table lists some commonly-used services and their associated protocols and port
numbers.
Name: This is a short, descriptive name for the service. You can use this one or create a
different one, if you like.
Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the service
uses the same port number with TCP and UDP. If this is USER-DEFINED, the Port(s) is the IP
protocol number, not the port number.
Port(s): This value depends on the Protocol.
If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number.
If the Protocol is USER, this is the IP protocol number.
Description: This is a brief explanation of the applications that use this service or the situations
in which this service is used.
VMG1312-B10D User’s Guide
288
Appendix D Services
Table 131 Examples of Services
NAME
PROTOCOL
PORT(S)
DESCRIPTION
AH (IPSEC_TUNNEL)
User-Defined
51
The IPSEC AH (Authentication Header) tunneling
protocol uses this service.
AIM
TCP
5190
AOLs Internet Messenger service.
AUTH
TCP
113
Authentication protocol used by some servers.
BGP
TCP
179
Border Gateway Protocol.
BOOTP_CLIENT
UDP
68
DHCP Client.
BOOTP_SERVER
UDP
67
DHCP Server.
CU-SEEME
TCP/UDP
TCP/UDP
7648
24032
A popular videoconferencing solution from White
Pines Software.
DNS
TCP/UDP
53
Domain Name Server, a service that matches web
names (for instance www.zyxel.com) to IP
numbers.
ESP
(IPSEC_TUNNEL) User-Defined
50
The IPSEC ESP (Encapsulation Security Protocol)
tunneling protocol uses this service.
FINGER
TCP
79
Finger is a UNIX or Internet related command that
can be used to find out if a user is logged on.
FTP
TCP
TCP
20
21
File Transfer Protocol, a program to enable fast
transfer of files, including large files that may not
be possible by e-mail.
H.323
TCP
1720
NetMeeting uses this protocol.
HTTP
TCP
80
Hyper Text Transfer Protocol - a client/server
protocol for the world wide web.
HTTPS
TCP
443
HTTPS is a secured http session often used in e-
commerce.
ICMP
User-Defined
1
Internet Control Message Protocol is often used for
diagnostic purposes.
ICQ
UDP
4000
This is a popular Internet chat program.
IGMP (MULTICAST)
User-Defined
2
Internet Group Multicast Protocol is used when
sending packets to a specific group of hosts.
IKE
UDP
500
The Internet Key Exchange algorithm is used for
key distribution and management.
IMAP4
TCP
143
The Internet Message Access Protocol is used for e-
mail.
IMAP4S
TCP
993
This is a more secure version of IMAP4 that runs
over SSL.
IRC
TCP/UDP
6667
This is another popular Internet chat program.
MSN Messenger
TCP
1863
Microsoft Networks messenger service uses this
protocol.
NetBIOS
TCP/UDP
TCP/UDP
TCP/UDP
TCP/UDP
137
138
139
445
The Network Basic Input/Output System is used for
communication between computers in a LAN.
NEW-ICQ
TCP
5190
An Internet chat program.
NEWS
TCP
144
A protocol for news groups.
VMG1312-B10D User’s Guide
289
Appendix D Services
Table 131 Examples of Services (continued)
NAME
PROTOCOL
PORT(S)
DESCRIPTION
NFS
UDP
2049
Network File System - NFS is a client/server
distributed file service that provides transparent file
sharing for network environments.
NNTP
TCP
119
Network News Transport Protocol is the delivery
mechanism for the USENET newsgroup service.
PING
User-Defined
1
Packet INternet Groper is a protocol that sends
out
ICMP echo requests to test whether or not a rem
ote
host is reachable.
POP3
TCP
110
Post Office Protocol version 3 lets a client
computer
get e-mail from a POP3 server through a temporar
y
connection (TCP/IP or other).
POP3S
TCP
995
This is a more secure version of POP3 that runs
over SSL.
PPTP
TCP
1723
Point-to-Point Tunneling Protocol enables secure
transfer of data over public networks. This is the
control channel.
PPTP_TUNNEL (GRE)
User-Defined
47
PPTP (Point-to-Point Tunneling Protocol) enables
secure transfer of data over public networks. This is
the data channel.
RCMD
TCP
512
Remote Command Service.
REAL_AUDIO
TCP
7070
A streaming audio service that enables real time
sound over the web.
REXEC
TCP
514
Remote Execution Daemon.
RLOGIN
TCP
513
Remote Login.
ROADRUNNER
TCP/UDP
1026
This is an ISP that provides services mainly for
cable modems.
RTELNET
TCP
107
Remote Telnet.
RTSP
TCP/UDP
554
The Real Time Streaming (media control) Protocol
(RTSP) is a remote control for multimedia on the
Internet.
SFTP
TCP
115
The Simple File Transfer Protocol is an old way of
transferring files between computers.
SMTP
TCP
25
Simple Mail Transfer Protocol is the message-
exchange standard for the Internet. SMTP enables
you to move messages from one e-mail server to
another.
SMTPS
TCP
465
This is a more secure version of SMTP that runs
over SSL.
SNMP
TCP/UDP
161
Simple Network Management Program.
SNMP-TRAPS
TCP/UDP
162
Traps for use with the SNMP (RFC:1215).
SQL-NET
TCP
1521
Structured Query Language is an interface
to
access
data on many different types of database
systems, including mainframes, midrange systems,
UNIX systems and network servers.
SSDP
UDP
1900
The Simple Service Discovery Protocol supports
Universal Plug-and-Play (UPnP).
SSH
TCP/UDP
22
Secure Shell Remote Login Program.
STRM WORKS
UDP
1558
Stream Works Protocol.
VMG1312-B10D User’s Guide
290
Appendix D Services
Table 131 Examples of Services (continued)
NAME
PROTOCOL
PORT(S)
DESCRIPTION
SYSLOG
UDP
514
Syslog allows you to send system logs to a UNIX
server.
TACACS
UDP
49
Login Host Protocol used for (Terminal Access
Controller Access Control System).
TELNET
TCP
23
Telnet is the login and terminal emulation protocol
common on the Internet and in UNIX
environments. It operates over TCP/IP networks.
Its primary function is to allow users to log into
remote host systems.
VDOLIVE
TCP
UDP
7000
user-
defined
A
videoconferencing
solution. The UDP port number
is specified in the application.
VMG1312-B10D User’s Guide
291
E
Legal Information
Copyright
Copyright © 2016 by ZyXEL Communications Corporation.
The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into
any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or
otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it
convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any
products described herein without notice. This publication is subject to change without notice.
Regulatory Notice and Statement
UNITED STATES of AMERICA
The following information applies if you use the product within USA area.
FCC EMC Statement
The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
(1) This device may not cause harmful interference, and
(2) This device must accept any interference received, including interference that may cause undesired operation.
Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the
device.
This product has been tested and complies with the specifications for a Class B digital device, pursuant to Part 15 of the FCC Rules.
These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device
generates, uses, and can radiate radio frequency energy and, if not installed and used according to the instructions, may cause
harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular
installation.
If this device does cause harmful interference to radio or television reception, which is found by turning the device off and on, the user
is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna
Increase the separation between the devices
Connect the equipment to an outlet other than the receiver’s
Consult a dealer or an experienced radio/TV technician for assistance
FCC Radiation Exposure Statement
This device complies with FCC RF radiation exposure limits set forth for an uncontrolled environment.
This transmitter must be at least 20 cm from the user and must not be co-located or operating in conjunction with any other antenna
or transmitter.
CANADA
The following information applies if you use the product within Canada area
Industry Canada ICES statement
ICAN ICES-3 (B)/NMB-3(B)
VMG1312-B10D User’s Guide
292
Appendix E Legal Information
Industry Canada RSS-GEN & RSS-247 statement
This device complies with Industry Canada license-exempt RSS standard(s). Operation is subject to the following two conditions: (1)
this device may not cause interference, and (2) this device must accept any interference, including interference that may cause
undesired operation of the device.
This radio transmitter has been approved by Industry Canada to operate with the antenna types listed below with the maximum
permissible gain and required antenna impedance for each antenna type indicated. Antenna types not included in this list, having a
gain greater than the maximum gain indicated for that type, are strictly prohibited for use with this device.
Industry Canada radiation exposure statement
This device complies with IC radiation exposure limits set forth for an uncontrolled environment. This device should be installed and
operated with a minimum distance of 20 cm between the radiator and your body.
claration d’exposition aux radiations:
Cet équipement est conforme aux limites d’exposition aux rayonnements IC établies pour un environnement non contrôlé. Cet
équipement doit être instal et utili avec un minimum de 20 cm de distance entre la source de rayonnement et votre corps.
EUROPEAN UNION
The following information applies if you use the product within the European Union.
Declaration of Conformity with Regard to EU Directive 1999/5/EC (R&TTE Directive)
Compliance information for 2.4GHz and/or 5GHz wireless products relevant to the EU and other Countries following the EU Directive 1999/
5/EC (R&TTE)
Български
(Bulgarian) С настоящото ZyXEL декларира, че това оборудване е в съответствие със съществените изисквания и другите
приложими разпоредбите на Директива 1999/5/ЕC.
Español
(Spanish) Por medio de la presente ZyXEL declara que el equipo cumple con los requisitos esenciales y cualesquiera otras
disposiciones aplicables o exigibles de la Directiva 1999/5/CE.
Čtina
(Czech) ZyXEL tímto prohlašuje, že tento zařízení je ve shodě se základními požadavky a dalšími příslušnými ustanoveními
směrnice 1999/5/EC.
Dansk (Danish)
Undertegnede ZyXEL erkrer herved, at følgende udstyr udstyr overholder de væsentlige krav og øvrige relevante
krav i direktiv 1999/5/EF.
VMG1312-B10D User’s Guide
293
Appendix E Legal Information
Deutsch
(German) Hiermit erklärt ZyXEL, dass sich das Gerät Ausstattung in Übereinstimmung mit den grundlegenden Anforderungen
und den übrigen einschlägigen Bestimmungen der Richtlinie 1999/5/EU befindet.
Eesti keel
(Estonian) Käesolevaga kinnitab ZyXEL seadme seadmed vastavust direktiivi 1999/5/EÜ põhinõuetele ja nimetatud direktiivist
tulenevatele teistele asjakohastele sätetele.
Ελληνικά
(Greek) ΜΕ ΤΗΝ ΠΑΡΟΥΣΑ ZyXEL ΗΛΩΝΕΙ ΟΤΙ εξοπλισμός ΣΥΜΜΟΡΦΩΝΕΤΑΙ ΠΡΟΣ ΤΙΣ ΟΥΣΙΩ∆ΕΙΣ ΑΠΑΙΤΗΣΕΙΣ ΚΑΙ ΤΙΣ
ΛΟΙΠΕΣ ΣΧΕΤΙΚΕΣ ∆ΙΑΤΑΞΕΙΣ ΤΗΣ Ο∆ΗΓΙΑΣ 1999/5/ΕC.
English
Hereby, ZyXEL declares that this device is in compliance with the essential requirements and other relevant provisions
of Directive 1999/5/EC.
Français
(French) Par la présente ZyXEL déclare que l'appareil équipements est conforme aux exigences essentielles et aux autres
dispositions pertinentes de la directive 1999/5/EC.
Hrvatski
(Croatian) ZyXEL ovime izjavljuje da je radijska oprema tipa u skladu s Direktivom 1999/5/EC.
Íslenska
(Icelandic) Hér m lýsir, ZyXEL því yfir þessinaður er í samræmi við grunnkröfur og önnur viðeigandi ákvæði tilskipunar
1999/5/EC.
Italiano
(Italian) Con la presente ZyXEL dichiara che questo attrezzatura è conforme ai requisiti essenziali ed alle altre disposizioni
pertinenti stabilite dalla direttiva 1999/5/CE.
Latviešu
valoda
(Latvian) Ar šo ZyXEL deklarē, ka iekārtas atbilst Direktīvas 1999/5/EK būtiskajām prasībām un citiem ar to saistītajiem
noteikumiem.
Lietuvių kalba
(Lithuanian) Šiuo ZyXEL deklaruoja, kad šis įranga atitinka esminius reikalavimus ir kitas 1999/5/EB Direktyvos nuostatas.
Magyar
(Hungarian) Alulírott, ZyXEL nyilatkozom, hogy a berendezés megfelel a vonatko alapve vetelményeknek és az 1999/5/EK
irányelv egyéb elõírásainak.
Malti (Maltese)
Hawnhekk, ZyXEL, jiddikjara li dan tagħmir jikkonforma mal-ħtiġijiet essenzjali u ma provvedimenti oħrajn relevanti li
hemm fid-Dirrettiva 1999/5/EC.
Nederlands
(Dutch) Hierbij verklaart ZyXEL dat het toestel uitrusting in overeenstemming is met de essentiële eisen en de andere
relevante bepalingen van richtlijn 1999/5/EC.
Polski (Polish)
Niniejszym ZyXEL oświadcza, że sprzęt jest zgodny z zasadniczymi wymogami oraz pozostałymi stosownymi
postanowieniami Dyrektywy 1999/5/EC.
Português
(Portuguese) ZyXEL declara que este equipamento está conforme com os requisitos essenciais e outras disposições da Directiva
1999/5/EC.
Română
(Romanian) Prin prezenta, ZyXEL declară acest echipament este în conformitate cu cerinţele esenţiale şi alte prevederi
relevante ale Directivei 1999/5/EC.
Slovenčina
(Slovak) ZyXEL týmto vyhlasuje, že zariadenia spĺňa základ požiadavky a etky príslušné ustanovenia Smernice 1999/5/EC.
Slovenščina
(Slovene) ZyXEL izjavlja, da je ta oprema v skladu z bistvenimi zahtevami in ostalimi relevantnimi določili direktive 1999/5/EC.
Suomi
(Finnish) ZyXEL vakuuttaa täten että laitteet tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja si koskevien
direktiivin muiden ehtojen mukainen.
Svenska
(Swedish) Härmed intygar ZyXEL att denna utrustning står I överensstämmelse med de väsentliga egenskapskrav och övriga
relevanta bestämmelser som framgår av direktiv 1999/5/EC.
Norsk
(Norwegian) Erklærer herved ZyXEL at dette utstyret er I samsvar med de grunnleggende kravene og andre relevante
bestemmelser I direktiv 1999/5/EF.
This device is restricted to indoor use only when operating in the 5150 to 5350 MHz frequency range.
National Restrictions
This product may be used in all EU countries (and other countries following the EU Directive 1999/5/EC) without any limitation except for
the countries mentioned below:
Ce produit peut être utili dans tous les pays de l’UE (et dans tous les pays ayant transposés la directive 1999/5/CE) sans aucune
limitation, excepté pour les pays mentionnés ci-dessous:
Questo prodotto è utilizzabile in tutte i paesi EU (ed in tutti gli altri paesi che seguono le direttiva 1999/5/EC) senza nessuna limitazione,
eccetto per i paesii menzionati di seguito:
Das Produkt kann in allen EU Staaten ohne Einschränkungen eingesetzt werden (sowie in anderen Staaten die der Richtlinie 1999/5/CE
folgen) mit Außnahme der folgenden aufgehrten Staaten:
In the majority of the EU and other European countries, the 2.4GHz and 5GHz bands have been made available for the use of wireless
local area networks (LANs). Later in this document you will find an overview of countries in which additional restrictions or requirements
or both are applicable.
The requirements for any country may evolve. ZyXEL recommends that you check with the local authorities for the latest status of their
national regulations for both the 2.4GHz and 5GHz wireless LANs.
The following countries have restrictions and/or requirements in addition to those given in the table labeled “Overview of Regulatory
Requirements for Wireless LANs”:.
Belgium
VMG1312-B10D User’s Guide
294
Appendix E Legal Information
The Belgian Institute for Postal Services and Telecommunications (BIPT) must be notified of any outdoor wireless link having a range
exceeding 300 meters. Please check http://www.bipt.be for more details.
Draadloze verbindingen voor buitengebruik en met een reikwijdte van meer dan 300 meter dienen aangemeld te worden bij het Belgisch
Instituut voor postdiensten en telecommunicatie (BIPT). Zie http://www.bipt.be voor meer gegevens.
Les liaisons sans fil pour une utilisation en extérieur d’une distance supérieure à 300 tres doivent être notifiées à l’Institut Belge des
services Postaux et des Télécommunications (IBPT). Visitez http://www.ibpt.be pour de plus amples détails.
Denmark
In Denmark, the band 5150 - 5350 MHz is also allowed for outdoor
usage.
I
Danmarkfrekvensbåndet 5150 - 5350 og anvendes udendørs.
Italy
This product meets the National Radio Interface and the requirements specified in the National Frequency Allocation Table for Italy. Unless
this wireless LAN product is operating within the boundaries of the owner's property, its use requires a “general authorization.Please
check
http://www.sviluppoeconomico.gov.it/
for more details.
Questo prodotto è conforme alla specifiche di Interfaccia Radio Nazionali e rispetta il Piano Nazionale di ripartizione delle frequenze in
Italia. Se non viene installato all 'interno del proprio fondo, l'utilizzo di prodotti Wireless LAN richiede una “Autorizzazione Generale”.
Consultare
http://www.sviluppoeconomico.gov.it/
per maggiori dettagli.
Latvia
The outdoor usage of the 2.4 GHz band requires an authorization from the Electronic Communications Office. Please check http://
www.esd.lv for more details.
2.4 GHz frekvenèu joslas izmantoðanai ârpus telpâm nepiecieðama atïauja no Elektronisko sakaru direkcijas. Vairâk informâcijas: http://
www.esd.lv.
Notes:
1. Although Norway, Switzerland and Liechtenstein are not EU member states, the EU Directive 1999/5/EC has also been implemented in
those countries.
2. The regulatory limits for maximum output power are specified in EIRP. The EIRP level (in dBm) of a device can be calculated by adding
the gain of the antenna used(specified in dBi) to the output power available at the connector (specified in dBm).
List of national codes
COUNTRY
ISO 3166 2 LETTER CODE
COUNTRY
ISO 3166 2 LETTER CODE
Austria
AT
Liechtenstein
LI
Belgium
BE
Lithuania
LT
Bulgaria
BG
Luxembourg
LU
Croatia
HR
Malta
MT
Cyprus
CY
Netherlands
NL
Czech Republic
CZ
Norway
NO
Denmark
DK
Poland
PL
Estonia
EE
Portugal
PT
Finland
FI
Romania
RO
France
FR
Serbia
RS
Germany
DE
Slovakia
SK
Greece
GR
Slovenia
SI
Hungary
HU
Spain
ES
Iceland
IS
Switzerland
CH
Ireland
IE
Sweden
SE
Italy
IT
Turkey
TR
Latvia
LV
United Kingdom
GB
Safety Warnings
Do not use this product near water, for example, in a wet basement or near a swimming pool.
Do not expose your device to dampness, dust or corrosive liquids.
Do not store things on the device.
Do not install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
Connect ONLY suitable accessories to the device.
Do not open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY
qualified service personnel should service or disassemble this device. Please contact your vendor for further
information.
Make sure to connect the cables to the correct ports.
Place connecting cables carefully so that no one will step on them or stumble over them.
Always disconnect all cables from this device before servicing or disassembling.
Do not remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting
it to a power outlet.
Do not allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor
or cord.
VMG1312-B10D User’s Guide
295
Appendix E Legal Information
Please use the provided or designated connection cables/power cables/ adaptors. Connect it to the right supply voltage (for example,
110V AC in North America or 230V AC in Europe). If the power adaptor or cord is damaged, it might cause electrocution. Remove it
from the device and the power source, repairing the power adapter or cord is prohibited. Contact your local vendor to order a new one.
Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
CAUTION: Risk of explosion if battery is replaced by an incorrect type, dispose of used batteries according to the instruction. Dispose
them at the applicable collection point for the recycling of electrical and electronic devices. For detailed information about recycling of
this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.
Do not obstruct the device ventilation slots, as insufficient airflow may harm your device.
The following warning statements apply, where the disconnect device is not incorporated in the device or where the plug on the power
supply cord is intended to serve as the disconnect device,
For permanently connected devices, a readily accessible disconnect device shall be incorporated external to the device;
For pluggable devices, the socket-outlet shall be installed near the device and shall be easily accessible.
Environment Statement
ErP (Energy-related Products)
ZyXEL products put on the EU market in compliance with the requirement of the European Parliament and the Council published Directive
2009/125/EC establishing a framework for the setting of ecodesign requirements for energy-related products (recast), so called as "ErP
Directive (Energy-related Products directive) as well as ecodesign requirement laid down in applicable implementing measures, power
consumption has satisfied regulation requirements which are:
Network standby power consumption < 12W, and/or
Off mode power consumption < 0.5W, and/or
Standby mode power consumption < 0.5W.
Wireless setting, please refer to "Wireless" chapter for more detail.
European Union - Disposal and Recycling Information
The symbol below means that according to local regulations your product and/or its battery shall be disposed of separately from domestic
waste. If this product is end of life, take it to a recycling station designated by local authorities. At the time of disposal, the separate
collection of your product and/or its battery will help save natural resources and ensure that the environment is sustainable development.
Die folgende Symbol bedeutet, dass Ihr Produkt und/oder seine Batterie gemäß den örtlichen Bestimmungen getrennt vom Hausmüll
entsorgt werden muss. Wenden Sie sich an eine Recyclingstation, wenn dieses Produkt das Ende seiner Lebensdauer erreicht hat. Zum
Zeitpunkt der Entsorgung wird die getrennte Sammlung von Produkt und/oder seiner Batterie dazu beitragen, natürliche Ressourcen zu
sparen und die Umwelt und die menschliche Gesundheit zu schützen.
El símbolo de abajo indica que según las regulaciones locales, su producto y/o su batería deberán depositarse como basura separada de la
dostica. Cuando este producto alcance el final de su vida útil, llévelo a un punto limpio. Cuando llegue el momento de desechar el
producto, la recogida por separado éste y/o su batería ayudará a salvar los recursos naturales y a proteger la salud humana y
medioambiental.
Le symbole ci-dessous signifie que selon les réglementations locales votre produit et/ou sa batterie doivent être éliminés séparément des
ordures ménagères. Lorsque ce produit atteint sa fin de vie, amenez-le à un centre de recyclage. Au moment de la mise au rebut, la
collecte parée de votre produit et/ou de sa batterie aidera à économiser les ressources naturelles et protéger l'environnement et la
santé humaine.
Il simbolo sotto significa che secondo i regolamenti locali il vostro prodotto e/o batteria deve essere smaltito separatamente dai rifiuti
domestici. Quando questo prodotto raggiunge la fine della vita di servizio portarlo a una stazione di riciclaggio. Al momento dello
smaltimento, la raccolta separata del vostro prodotto e/o della sua batteria aiuta a risparmiare risorse naturali e a proteggere l'ambiente
e la salute umana.
Symbolen innebär att enligt lokal lagstiftning ska produkten och/eller dess batteri kastas separat från hushållsavfallet. r den här
produkten når slutet av sin livsngd ska du ta den till en återvinningsstation. Vid tiden för kasseringen bidrar du till en bättre miljö och
mänsklig hälsa genom att göra dig av med den ett återvinningsslle.
VMG1312-B10D User’s Guide
296
Appendix E Legal Information
Environmental Product Declaration
VMG1312-B10D User’s Guide
297
Appendix E Legal Information
台灣
以下訊息僅適用於產品具有無線功能且銷售至台灣地區
第十二條 經型式認證合格之低功率射電機,非經許可,公司,商號或使用者均不得擅自變更頻率、加大功率或變更原設計之特性及功能。
第十四條 低功率射頻電機之使用不得影響飛航安全及干合法通信;經發現有干擾現象時,應立即停用並改至無干擾時方得繼續使用。
前項合法通信,依電法規作業無線通信。
低功率射頻電機須忍受合法通信或工業、科學及醫療用電波輻射性電機設備之干擾。
無線資訊傳輸設備忍受法通信之干不得擾合通信;如造干擾,應立即停用,
無干擾之虞,始得繼續使用。
無線資訊傳設備的製造商應確保頻率定性如依造廠商使用冊上所述正作,
發射信號應維持於操作帶中
以下訊息僅適用產品作於
5.25-5.35 秭赫頻帶內並銷售至台灣地區
5.25-5.35 秭赫頻帶內操作之無線資訊傳輸設備,限於室內使
用。
以下訊息僅適用於產品屬於專業安裝並銷售至台灣地區
本器材須經專業工程人員安裝設定,始得 設置使用,且不得直接販售給一般消
安全警告
為了您的安全,請先閱以下警告
及指示
:
請勿將此產品接近水、火焰或放置在溫的
境。
避免設備接觸任何液體 - 切勿讓設備接觸水、雨水、高濕度、污水蝕性的液體或其他水
份。
灰塵及污物 - 切勿接觸灰塵、污物、沙土、食物或其他不合適的材
料。
雷雨天氣時,不安裝,使用維修設備有遭電擊
險。
切勿重摔或撞擊設備,並勿使不正的電源變壓
器。
若接上不確的源變器會有爆炸的風
險。
請勿隨意更換產內的
池。
如果更換正確電池式,有爆的風,請製造說明書處理使用過之電
池。
請將廢電池丟棄在適當的電器或電子備回
處。
請勿將設
體。
請勿阻礙備的熱孔,空氣對流不足將會造成設
害。
請插在正確的電壓供給插座
(
:
北美 / 台灣電壓
110V AC歐洲是 230V
AC)
假若電源變壓器或電源壓器的纜線壞,請從插座拔除若您還繼續插電使,會有觸電死亡的
險。
請勿試圖理電變壓器或電源變壓的纜,若有毀損,請直接聯絡購買店家購買一個新的電源變壓
器。
請勿將此設備安裝於室外,此備僅合放置於室
內。
隨一般垃圾
棄。
閱產品背貼上的設備額定
率。
請參考產品型錄或是彩盒上的業溫
度。
產品沒有電裝或者採用電線的插頭視為斷電裝置的部分,以下警語將
:
對永久連接之設備,
設備部須安裝可及之電裝置;
對插接式之設備,
插座必須近安裝之地而且易於及的。
Viewing Certifications
Go to http://www.zyxel.com to view this product’s documentation and certifications.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in material or workmanship for a specific
period (the Warranty Period) from the date of purchase. The Warranty Period varies by region. Check with your vendor and/or the
authorized ZyXEL local distributor for details about the Warranty Period of this product. During the warranty period, and upon proof of
purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or
replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to
VMG1312-B10D User’s Guide
298
Appendix E Legal Information
restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally
equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has
been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other
warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in
no event be held liable for indirect or consequential damages of any kind to the purchaser.
To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought
the device at http://www.zyxel.com/web/support_warranty_info.php.
Registration
Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at
www.us.zyxel.com for North American products.
VMG1312-B10D User’s Guide
299
Appendix E Legal Information
Open Source Licenses
This product contains in part some free software distributed under GPL license terms and/or GPL like licenses. Open source licenses are
provided with the firmware package. You can download the latest firmware at www.zyxel.com. To obtain the source code covered under
those Licenses, please contact support@zyxel.com.tw to get it.
VMG1312-B10D User’s Guide
300
Index
Index
A
ACL rule 193
activation firewalls
190 media server
188
SIP ALG 166
SSID 94
Address Resolution Protocol 217
administrator password 21
antenna
directional 279
gain 278
omni-directional 279
AP (access point) 269
applications
Internet access 16
media server 187
activation 188
iTunes server 187
applications, NAT 170
ARP Table 217, 219
authentication 105, 106
RADIUS server 106
B
backup
configuration 246
Basic Service Set, See BSS 267
Basic Service Set, see BSS
blinking LEDs 20
Broadband 59
broadcast 85
BSS 108, 267
example 108
C
CA 204, 273
Canonical Format Indicator See CFI
CCMs 249
certificate
factory default 205
Certificate Authority
See CA.
certificates 204
authentication 204
CA
creating 205
public key 204
replacing 205
storage space 205
Certification Authority 204
Certification Authority. see CA
certifications 295
viewing 298
CFI 85
CFM 249
CCMs 249
link trace test 249
loopback test 249
MA 249
MD 249
MEP 249
MIP 249
channel 269
interference 269
channel, wireless LAN 104
client list 122
configuration
backup 246
firewalls 190
reset 247
restoring 247
static route 81, 133, 135, 174
Connectivity Check Messages, see CCMs
contact information 261
VMG1312-B10D User’s Guide
301
Index
copyright 292
CoS 153
CoS technologies 140
creating certificates 205
CTS (Clear to Send) 270
CTS threshold 101, 105
customer support 261
D
data fragment threshold 101, 105
DDoS 190
default server address 165
Denials of Service, see DoS
DHCP 117, 129
Differentiated Services, see DiffServ 153
DiffServ 153
marking rule 153
digital IDs 204
disclaimer 292
DLNA 187
DMZ 165
DNS 117, 129
DNS server address assignment 85
Domain Name 171
Domain Name System, see DNS
Domain Name System. See DNS.
DoS 190
DS field 153
DS, dee differentiated services
DSCP 153
dynamic DNS 173
wildcard 173
Dynamic Host Configuration Protocol, see DHCP
dynamic WEP key exchange 274
DYNDNS wildcard 173
E
EAP Authentication 273
ECHO 171
e-mail
log example 242
Encapsulation 81
MER 82
PPP over Ethernet 82
encapsulation
RFC 1483 82
encryption 107, 275
ESS 268
Extended Service Set IDentification 90, 96
Extended Service Set, See ESS 268
F
file sharing 18
filters
MAC address 106
Finger 171
firewalls 189
add protocols 191
configuration 190
DDoS 190
DoS 190
LAND attack 190
Ping of Death 190
SYN attack 190
firmware 244
version 56
forwarding ports 158
fragmentation threshold 101, 105, 270
FTP 158, 171
G
General wireless LAN screen 88
H
hidden node 269
HTTP 171
VMG1312-B10D User’s Guide
302
Index
I
IBSS 267
IEEE 802.11g 271
IEEE 802.1Q 85
IGA 169
IGMP 85
multicast group list 221
version 85
ILA 169
Independent Basic Service Set
See IBSS 267
initialization vector (IV) 275
Inside Global Address, see IGA
Inside Local Address, see ILA
interface group 179
Internet
wizard setup 28
Internet access 16
wizard setup 28
Internet Protocol version 6 61
Internet Protocol version 6, see IPv6
IP address 117, 130
ping 250
private 130
WAN 60
IP Address Assignment 84
IP alias
NAT applications 171
IPv6 61, 280
addressing 61, 86, 280
EUI-64 282
global address 281
interface ID 282
link-local address 280
Neighbor Discovery Protocol 280
ping 280
prefix 61, 86, 280 prefix
delegation 63 prefix
length 61, 86, 280
unspecified address 281
iTunes server 187
L
LAN 116
client list 122
DHCP 117, 129
DNS 117, 129
IP address 117, 118, 130
MAC address 122
status 57
subnet mask 117, 118, 130
LAND attack 190
LBR 249
limitations
wireless LAN 107
WPS 114
link trace 249
Link Trace Message, see LTM
Link Trace Response, see LTR
login 21
passwords 21
logs 211, 214, 221, 226, 241
Loop Back Response, see LBR
loopback 249
LTM 249
LTR 249
M
MA 249
MAC address 122
filter 106
Mac filter 196
Maintenance Association, see MA
Maintenance Domain, see MD
Maintenance End Point, see MEP
Management Information Base (MIB) 234
managing the device
good habits 15
Maximum Burst Size (MBS) 83
MBSSID 108
MD 249
media server 187
activation 188
iTunes server 187
VMG1312-B10D User’s Guide
303
Index
MEP 249
MTU (Multi-Tenant Unit) 84
multicast 85
Multiple BSS, see MBSSID
multiplexing 82
LLC-based 83
VC-based 82
multiprotocol encapsulation 82
N
NAT 157, 158, 159, 169, 170
applications 170
IP alias 171
example 170
global 169
IGA 169
ILA 169
inside 169
local 169
outside 169
port forwarding 158
port number 171
services 171
SIP ALG 166
activation 166
NAT example 172
Network Address Translation, see NAT
Network Map 54
network map 24
NNTP 171
P
Pairwise Master Key (PMK) 275, 277
passwords 21
PBC 109
Peak Cell Rate (PCR) 83
Per-Hop Behavior, see PHB 153
PHB 153
PIN, WPS 110
example 111
Ping of Death 190
Point-to-Point Tunneling Protocol, see PPTP
POP3 171
port forwarding 158
ports 20
PPPoE 82
Benefits 82
PPTP 171 preamble
101, 105 preamble
mode 109 prefix
delegation 63 private
IP address 130
PSK 275
push button 19
Push Button Configuration, see PBC
push button, WPS 109
Q
QoS 139, 153
marking 140
setup 139
tagging 140
versus CoS 140
Quality of Service, see QoS
R
RADIUS 272
message types 272
messages 272
shared secret key 272
RADIUS server 106
reset 20, 247
restart 248
restoring configuration 247
RFC 1058. See RIP.
RFC 1389. See RIP.
RFC 1483 82
RFC 3164 211
RIP 138
router features 16
Routing Information Protocol. See RIP
VMG1312-B10D User’s Guide
304
Index
RTS (Request To Send) 270
threshold 269, 270
RTS threshold 101, 105
S
security
wireless LAN 105
Security Log 212
Security Parameter Index, see SPI
service access control 231, 232
Service Set 90, 96
Services 171
setup
firewalls 190
static route 81, 133, 135, 174
Simple Network Management Protocol, see SNMP
Single Rate Three Color Marker, see srTCM
SIP ALG 166
activation 166
SMTP 171
SNMP 171, 234, 235
agents 234
Get 235
GetNext 235
Manager 234
managers 234
MIB 234
network components 234
Set 235
Trap 235
versions 234
SNMP trap 171
SPI 190
srTCM 155
SSID 106
activation 94
MBSSID 108
static route 132, 138, 239
configuration 81, 133, 135, 174
example 132
static VLAN
status 54
firmware version 56
LAN 57
WAN 56
wireless LAN 57
status indicators 20
subnet mask 117, 130
Sustained Cell Rate (SCR) 83
SYN attack 190
syslog
protocol 211
severity levels 211
system
firmware 244
version 56
passwords 21
reset 20
status 54
LAN 57
WAN 56
wireless LAN 57
time 236
T
Tag Control Information See TCI
Tag Protocol Identifier See TPID
TCI
The 60
thresholds
data fragment 101, 105
RTS/CTS 101, 105
time 236
TPID 85
traffic shaping 83
trTCM 156
Two Rate Three Color Marker, see trTCM
U
unicast 85
Universal Plug and Play, see UPnP
upgrading firmware 244
UPnP 123
cautions 118
NAT traversal 117
VMG1312-B10D User’s Guide
305
Index
USB features 18
V
Vendor ID 127
VID
Virtual Circuit (VC) 82
Virtual Local Area Network See VLAN
VLAN 84
Introduction 84
number of possible VIDs
priority frame
static
VLAN ID 85
VLAN Identifier See VID
VLAN tag 85
W
Wake on LAN 127
WAN
status 56
Wide Area Network, see WAN 59
warranty 298
note 298
web configurator 21
login 21
passwords 21
WEP 107
WEP Encryption 92, 93
WEP encryption 91
WEP key 91
Wi-Fi Protected Access 274
wireless client WPA supplicants 276
wireless LAN 87, 103
authentication 105, 106
BSS 108
example 108
channel 104
encryption 107
example 104
fragmentation threshold 101, 105
limitations 107
MAC address filter 106
MBSSID 108
preamble 101, 105
RADIUS server 106
RTS/CTS threshold 101, 105
security 105
SSID 106
activation 94
status 57
WEP 107
WPA 107
WPA-PSK 107
WPS 109, 111
example 112
limitations 114
PIN 110
push button 19, 109
wireless security 271
Wireless tutorial 36
wizard setup
Internet 28
WLAN
interference 269
security parameters 278
WPA 107, 274
key caching 276
pre-authentication 276
user authentication 275
vs WPA-PSK 275
wireless client supplicant 276
with RADIUS application example 276
WPA2 274
user authentication 275
vs WPA2-PSK 275
wireless client supplicant 276
with RADIUS application example 276
WPA2-Pre-Shared Key 275
WPA2-PSK 275
application example 277
WPA-PSK 107, 275
application example 277
WPS 109, 111
example 112
limitations 114
PIN 110
example 111
push button 19, 109
VMG1312-B10D User’s Guide
306
Index
Z
ZyXEL Family Safety page 201
VMG1312-B10D User’s Guide
307

Navigation menu