EMS - Enfusion CNX PDF

eNfusion™ CNX® Cabin Gateway Series
Network Administrator’s Guide
This Guide provides configuration and operation procedures for the equipment
listed below.
Model PN
eNfusion™ CNX-100 Airborne Router 1110-A-0501-01
eNfusion™ CNX-200 Network Accelerator 1110-A-0501-02
MN-1110-50106
Revision F00
03 March 2011
PROPRIETARY STATEMENT
This document contains information that is proprietary and confidential to either or both of EMS
Technologies Canada, Ltd., or EMS Aviation Inc. (collectively "EMS Aviation") and is supplied on
the express condition that it is not to be used for any purpose other than the purpose for which it
was issued, nor is it to be copied or communicated in whole or in part, to any third party other than
the recipient organization, without the prior written permission of EMS Aviation.
© 2011 EMS Technologies Canada, Ltd., EMS Aviation Inc.
eNfusion™ CNX® Cabin Gateway Series Network Administrator’s Guide

Document Number: MN-1110-50106
Revision F00
03 March 2011
Revision Table
Revision ECR Description
A00 050247 Updated for new software release and after technical
review.
B00 050421 Added new router and ISDN features. Added wireless.
C00 050661 Updated and added new features such as VLAN and
Wtachdog Triggering. Updated trademark usage for CNX.
D00 060542 Updated and added corporate copyright and trademark
information.
E00 070855 Removed information on ISDN Bonding, VHSI interface,
Ethernet to VHSI, Serial Modem interface, and MPDS
over Ethernet.
Updated product names.
F00 00660 Updated special PPPoE service names in Table 18.
Copyright © 2011 EMS Technologies Canada, Ltd., EMS Aviation Inc.d. All rights reserved. CNX®
and Cabin Network Xcelerator® are registered trademarks of EMS Technologies Canada, Ltd.
Cisco® is a registered trademark of Cisco System Inc. Other product, brand, service, and company
names herein may be the trademarks of their respective owners.
Our products are under continuous research and development. Any information may therefore be
changed without prior notice. EMS Aviation reserves the right to make improvements or changes
in the product described in this manual at any time without notice. While reasonable efforts have
been made in the preparation of this document to assure its accuracy, EMS assumes no liability
resulting from any errors or omissions in this document, or from the use of the information contained
herein.
Printed in Canada.
EMS Aviation
400 Maple Grove Road, Ottawa, Ontario, K2V 1B8, CANADA
EMS Aviation Reception: (613) 591-9064
EMS Aviation Product Support: (888) 300-7415 (calls are routed to an on-call Product
Support specialist after regular business hours)
+44 1684 290 020 (UK)
(613) 591-3086 (outside North America)
EMS Aviation E-mail Help: [email protected]
EMS Aviation Web site: www.emsaviation.com
EMS Aviation Sales and Marketing: 800-600-9759
Blank Page
eNfusion™ CNX ® Cabin Gateway Series Network Administrator’s Guide
Contents
Introducing the CNX Cabin Gateway ............................................................. 1
Available models ...................................................................................................... 1
CNX-200 - Two products in one ............................................................................... 1
Related products ...................................................................................................... 2
Key features ............................................................................................................. 2
Finding what you need.................................................................................... 4

Document conventions ............................................................................................ 4
Related documentation ............................................................................................ 5
Abbreviations and acronyms ......................................................................... 6
Product Terms and Conditions ...................................................................... 8

Important: Avoid costly airtime charges ................................................................... 8
Getting Started .......................................................................9

The CNX Cabin Gateway network ................................................................ 10
Overview of configuration steps .................................................................. 11
Default settings.............................................................................................. 12
Network module management ..................................................................... 13

Starting the Network web-based manager ............................................................. 13
The Network profile selection page ....................................................................... 14
Network module web-based manager features ..................................................... 16
Network session lifetime ........................................................................................ 18
Remote management .................................................................................... 19

Network module ..................................................................................................... 19
Configuring administrative settings ............................................................ 21

Configuring the Network System Settings ............................................................. 21
Saving Network module configuration files................................................ 24

To view the configuration file .................................................................................. 24
To save the configuration file ................................................................................. 24
To upload a configuration file ................................................................................. 26
i
Network Connections and Connection Profiles................27
Configuration and operation essentials ...................................................... 28

Disabling connections ............................................................................................ 28
Viewing network connections ...................................................................... 30
Choosing a connection type ........................................................................ 31

Base WAN connections ......................................................................................... 31
Base LAN connections .......................................................................................... 32
Connection profile options ..................................................................................... 32
Modifying base WAN connections ............................................................... 35
Creating connection profiles ........................................................................ 36

PPP over ISDN connection profile ......................................................................... 36
PPP over Ethernet connection profile .................................................................... 47
Network Bridging (LAN Bridge) connection profile ................................................ 52
IPSec connection profile ........................................................................................ 57
ISDN bonding connection profile ........................................................................... 63
Using backup connections ........................................................................... 69
Base Network Connection Settings ...................................71
WAN Ethernet................................................................................................. 72
Settings .................................................................................................................. 72
WAN Ethernet-VHSI ....................................................................................... 75

Settings .................................................................................................................. 75
WAN ISDN....................................................................................................... 78
Settings .................................................................................................................. 78
WAN modem .................................................................................................. 82

Settings .................................................................................................................. 82
LAN Wireless Access Point .......................................................................... 83

Settings .................................................................................................................. 85
LAN Ethernet.................................................................................................. 88
Settings .................................................................................................................. 89
LAN VHSI ........................................................................................................ 92

Settings .................................................................................................................. 92
ii
Network Management ..........................................................95
System Monitoring ........................................................................................ 96

Obtaining a traffic trace .......................................................................................... 97
DNS management .......................................................................................... 98

Dynamic DNS ........................................................................................................ 99
IP address distribution (DHCP) .................................................................. 101

Assigning static IP addresses .............................................................................. 103
Routing ......................................................................................................... 104

Routing Table ....................................................................................................... 104
Routing Protocols ................................................................................................ 105
VLAN ............................................................................................................. 106
VRRP............................................................................................................. 107
About VRRP ........................................................................................................ 107
VRRP settings ..................................................................................................... 107
User authentication ..................................................................................... 109
Simple Network Management Protocol ...................................................... 111
Firmware upgrades (Network module) ...................................................... 112
Restoring and restarting ............................................................................. 114
Watchdog triggering.................................................................................... 115
Network Security................................................................117
Pre-defined firewall settings....................................................................... 118
Access controls ........................................................................................... 120
Local servers ............................................................................................... 122

Application level gateways ................................................................................... 124
DMZ host ...................................................................................................... 125
Advanced filtering ....................................................................................... 126

Filter interesting traffic .......................................................................................... 128
iii
iv
Security log .................................................................................................. 130

Log event descriptions ......................................................................................... 131
Accelerator Configuration.................................................133
Accelerator module management .............................................................. 134

Starting the Accelerator web-based manager ...................................................... 134
Using the Accelerator module command line interface ....................................... 135
Accelerator session timeout ................................................................................. 135
Licensing...................................................................................................... 136
Viewing licensing information ............................................................................... 138
Basic Accelerator settings ......................................................................... 139
Links ............................................................................................................. 140
Routing ......................................................................................................... 141

Using OSPF and RIP ........................................................................................... 141
Adding manual routes .......................................................................................... 142
Using VRRP ......................................................................................................... 142
TCP acceleration ......................................................................................... 143

TCP acceleration commands ............................................................................... 143
Example Accelerator module configuration ......................................................... 144
Firmware upgrades (Accelerator module) ................................................ 146
Saving Accelerator module configuration files ........................................ 147
Appendix A : Installation Information Sheet ................. A-1
Appendix B : Installation Verification Checklist............ B-1
iv
Introducing the CNX Cabin Gateway Series

The CNX Cabin Gateway products from EMS Aviation are the first aircraft-certified,
single-solution, networking devices designed to integrate with mobile communications
equipment, including SATCOM systems operating over the Inmarsat satellite network.
The CNX Cabin Gateway products meet DO-160D environmental specifications and are
designed for easy installation.
Available models
The CNX Cabin Gateway products currently includes two models.
Model Part Number Description

CNX-100 1110-A-0501-01 Network module only. A network appliance that
Airborne provides on-board routing and security.
Router
CNX-200 1110-A-0501-02 Network and Accelerator modules. A complete
Network appliance that includes the network capabilities of the
Accelerator CNX-100 product plus a network accelerator for data
rates up to 400% faster. Accelerator features require
a complementary groundside unit.
CNX-200 Product - Two products in one

The CNX-200 product is two products in one: the Network and Accelerator modules are
distinct products in one ruggedized, lightweight unit. The CNX-100 product operates with
the Network module only.
Network Module Accelerator Module

A multiport network router with options for An application management system
creating Internet and intranet connections. powered by AcceleratorOS 5 from Expand
• ISDN, Serial and Ethernet WAN Networks for ensuring optimal application
interfaces performance over the WAN using
acceleration and compression.
• Ethernet Switch
• average 100 to 400% additional
• 802.11G Wireless Access Point
bandwidth capacity
• VPN
• high performance, low latency algorithms
• web-based or command line interface
management
• stateful firewall
Introducing the CNX Cabin Gateway Series 1

8
Related products
The following products are part of the complete EMS network solution.
Product EMS Part Number Description

Groundside 1110-F-0316 Required complementary Groundside
Accelerator Unit Accelerator unit for operation of the
CNX-200 product.
Key features
The CNX Cabin Gateway products offer a complete networking solution with simple
cabling and installation that:
• Use one power source (28 VDC)
• Support Multi-Channel HSD (High Speed Data) Swift64 configurations and supports all
Inmarsat Swift64 services, including Mobile Packet Data Services (MPDS)
• Support Point-to-Point Protocol (PPP) and Multi-Link PPP (MLPPP) protocols
• Inmarsat Broadband Global Area Network (BGAN) SwiftBroadband services
• Are certified for Aeronautical installations to DO-160D. Refer to the CNX Installation
Guide, MN-1110-50108, for details.
Other key management features include:

• Web-based managers to simplify configuration as well as a Command line interface
• Configurable, easy-to-use configuration profiles for end-users
• Stateful firewall with NAT (Network Address Translation), DMZ (Demilitarized Zone),
port blocking, port forwarding, and custom filtering settings
• VPN security: IPSec (3DES), PPTP (Point to Point Tunneling Protocol) client and server
2 Introducing the CNX Cabin Gateway Series

Finding what you need

This Guide has six major sections.
Section Title Contents
1 Getting Started Explains how to access the CNX Cabin Gateway

product web-based managers, how to configure
the system settings, and how to restart, restore
defaults, and perform firmware upgrades.
2 Network Connections and Explains how to configure network connections

Connection Profiles and create connection profiles for end-users.
3 Base Network Connection Provides a reference for configuring the physical

Settings interface (base) connections on which the
connection profiles are based.
4 Network Management Describes the basic and advanced features of

the CNX-200 product and explains how to
configure these settings.
5 Network Security Describes how to configure the CNX-200 product

firewall to ensure secure communications.
6 Accelerator Configuration Describes the important settings for configuring

the CNX-200 product.
Document conventions
This document uses the following conventions.
Example Description
Advanced > Users Shortcuts are used to refer to specific configuration pages in
the web-based manager. Keywords are separated by the “>”
character. The first item is always an option in the side-bar
menu.
The example presented here translates to: Click the
Advanced option in the side-bar menu, then click the Users
icon.
IP address Items in bold indicate parameter labels on a configuration

page.
expand (config)# All CLI commands are in Courier font. Prompts are in plain
tcp-acceleration font and user-entered commands are in bold.
Finding what you need 3

8
Related documentation
For detailed product information not covered in this Guide, please refer to the documents
listed below.
Document no. Location
Installation Guide MN-1110-50108 http://portal.emsaviation.com/aero

/
CNX-200 product
Expand AcceleratorOS 5
Software Configuration Guide 99-128-29/0704 http://www.expand.com/
4 Finding what you need

Abbreviations and acronyms

ALG Application Level Gateway
BGAN Broadband Global Area Network
CHAP Challenge Handshake Authentication Protocol
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System
DTR Data Terminal Ready (signal)
GAN Global Area Network
HSD High Speed Data
ICMP Internet Control Message Protocol
IGMP Internet Group Multicast Protocol
IP Internet Protocol
IPSec Internet Protocol Security
ISDN Integrated Services Digital Network
ISP Internet Service Provider
LAN Local Area Network
LED Light Emitting Diode
MAC Media Access Control (hardware address)
MLPPP Multilink Point-to-Point Protocol
MSN Multiple Subscriber Number
MX Mail exchange (record)
NAPT Network Address Port Translator
NAT Network Address Translation
NT Network Termination
PAP Password Authentication Protocol
PPP Point-to-Point Protocol
SCPS Space Communications Protocol Standards
SNMP Simple Network Management Protocol
SSID Service Set Identifier (wireless)
STP Spanning Tree Protocol
TCP Transmission Control Protocol
TE Terminal Endpoint
TEI Terminal Endpoint Identifier
TKIP Temporal Key Integrity Protocol (wireless security)
Abbreviations and acronyms 5

8
TOS Type of Service

UDP User Datagram Protocol
VPN Virtual Private Network
VR Virtual Router
VRRP Virtual Router Redundancy Protocol
WAN Wide Area Network
WAP Wireless Application Protocol
WBM Web-based Manager
WEP Wireless Equivalent Privacy
WPA Wi-Fi Protected Access
6 Abbreviations and acronyms

Product Terms and Conditions

As stipulated in the Terms and Conditions of Sale, which accompanied the Product, EMS
shall not at any time be liable for the activation, continuation or cancellation of satellite
airtime services relating to the Product nor be responsible for any Product-related airtime
or network charges, however incurred. In the event EMS is charged network or airtime
fees relating to the customer's use of the Product, the customer shall immediately upon
notification by EMS reimburse EMS in full for such charges.
Important: Avoid costly airtime charges

When using the CNX Cabin Gateway products on demand features, it is very important
to configure the network and CNX-200 product correctly to avoid costly airtime charges.
Some applications and protocols will attempt to access the Internet for updates or
information, resulting in connections that are not obvious to the user.
To avoid this situation, EMS Aviation recommends manually connecting and disconnecting
connections.
EMS Aviation also recommends close monitoring of network and airtime usage during the
first month of normal operation. With close monitoring, applications creating unwanted
traffic can be identified quickly and this traffic can be selectively blocked using the built-in
CNX Cabin Gateway product security features.
See Network Security on page 105.
See System Monitoring on page 84.
Product Terms and Conditions 7

8
Blank Page
8 Product Terms and Conditions

SECTION 1
Getting Started
This chapter describes how to access the web-based manager for the CNX-200 product
and configure some of the basic settings.
In this chapter Page

The CNX Cabin Gateway network 10
Overview of configuration steps 11
Default settings 12
Network module management 13
Remote management 19
Configuring administrative settings 21
Saving Network module configuration files 24
9
26
The CNX Cabin Gateway network

This discussion focuses on the CNX-200 product network. The CNX-100 product operates
like an airborne router. The CNX-200 product works with the groundside unit to provide
connectivity, security, and faster data speeds. The CNX Cabin Gateway product connects
seamlessly with high speed data terminals and antennas, mobile or stationary, for a
complete EMS Aviation solution.
Figure 1: Example CNX-200 product network topology
10 The CNX Cabin Gateway network

Overview of configuration steps

This section describes the general steps required to configure the CNX Cabin Gateway
product. Each step includes a link to the applicable section in this Guide.
1 Install the CNX Cabin Gateway See the CNX Installation Guide,
hardware. MN-1110-50108.
2 Access the CNX-200 product See Network module management on
web-based managers. page 13.
See Accelerator module management on
page 122.
3 Configure the administrative settings. See Configuring administrative settings on
page 21.
4 Plan your network and the types of Plan your network and connections based
connections you require. on your specific end-user requirements.
See also Configuration and operation
essentials on page 28.
5 Configure the base Network See Modifying base WAN connections on
connections. page 34.
6 Configure the Network connection See Creating connection profiles on
profiles required for your end-users. page 35.
7 Configure the CNX-200 product See Accelerator Configuration on page 121.
settings, mobile and ground.
8 Configure the firewall, logging, DNS, See Network Management on page 83.
DHCP, and router settings as
required.
Overview of configuration steps 11

26
Default settings
The CNX-200 product’s Network and Accelerator modules act as separate devices on the
network. Change the default settings so the modules are operating on the same subnet.
Setting Network module Accelerator module

IP Address 192.168.1.1 192.168.1.3 (or 10.0.99.99 with
early software versions)
Subnet Mask 255.255.255.0 255.255.255.0 (or 255.255.0.0
with early software versions)
12 Default settings
Network module management

The Network web-based manager provides full control of all CNX Network functions. The
management computer must have a web browser and be set to operate as a DHCP client.
Note: For Accelerator module (CNX-200 only) web-based management see Accelerator
module management on page 122.
Starting the Network web-based manager

By default, the Network module operates as a DHCP server on the subnet 192.168.1.0,
with the IP address 192.168.1.1.
1. Connect a computer to a CNX LAN (Local Area Network) port using a standard
Ethernet cable.
2. Turn on the computer, or release/renew its IP (Internet Protocol) address.
3. Specify the IP address of the Network module in the browser address bar. The default
IP address is 192.168.1.1.
The first time you access the management interface a welcome page appears, as
shown in Figure 2.
Figure 2: First-time access Welcome page

26
4. Optionally, make a bookmark or add the management interface to your Favorites and
click OK. (Reset the bookmark later if the IP address of the unit changes.)
The login setup page appears. The default User Name is admin and the Password is
blank.
5. Enter a new password and click OK.

The Quick Setup page appears.
6. Click Cancel.
Note: If you forget or lose your password, you can physically reset the CNX unit and
restore the default settings. See To restore factory default settings on page 103.
The Network profile selection page

The Network profile selection page displays the connections available to the end-user.
Once enabled, the profile selection page is the first thing users see when they access the
Network web-based manager.
Connection profiles are based on different communications protocols and settings that
run over base physical connections. Using this Guide, you can configure connection
profiles that are visible to end-users through the web-based manager without logging in.
When they want to connect, end-users will choose a connection profile and begin sending
and receiving data through the CNX Cabin Gateway.
14 Network module management

Important! The profile selection page is disabled by default. To activate the profile
selection page, go to Advanced > System Settings, and select the Enable Profile
Selection Page option. You also need to enable each profile when you configure it by
selecting Show in Profile Selection Page in the General settings for that connection
profile.
Connection profiles specify:

• connection types and related settings
• authentication settings
• whether the connection is brought up and down manually or automatically by the
Network module
For more details about configuring connection profiles, see Creating connection profiles
on page 35.
Figure 3 shows the profile selection page. Click Admin Login to log in.
Figure 3: First-time access – profile selection page

26
Network module web-based manager features

Once you are logged in, the web-based manager provides an easy to navigate structure
for configuring and administering the Network module.
Configuration options
Access all configuration options using the menu on the left side of the interface.
Display the Network Map.
Quickly configure basic network connections.
Create, configure, and view network connections.
Configure the firewall and regulate communications between the

Internet and the local network.
Block access to specific Internet hosts or web.
Control network parameters (DHCP server, DNS) and perform

administrative functions, including changing passwords and
upgrading the system.
View network status, traffic statistics, and the system log.
Log out from the CNX web-based manager.
Figure 4: Web-based manager menu

Navigation bar
The navigation bar at the top of the web-based manager provides an easy way to locate
the current page in the hierarchy of web-based management pages. You can also use it
to quickly return to a page that is above the current page.
The current path in the web-based manager

Display the network map (Home)
View the connection status of each computer and all connections on the network
Figure 5: Web-based manager navigation bar
Managing Lists
Lists are used throughout the web-based manager to display information.
Figure 6: Example of the network connections list
Lists contain user defined entries for network connections, local servers, restrictions, and
configurable settings.
Table 1 describes the icons that may appear in the Action column. These icons appear
in lists throughout the web-based manager.
Table 1: Network module web-based manager icons

Icon Description
Add: Click to add a new item to the list.
Edit: Click to edit an item from the list.
Delete: Click to remove an item from the list.

26
Network session lifetime

By default, web-based manager sessions will automatically timeout after 900 seconds
(15 minutes) of inactivity. The login page appears and you must re-enter your username
and password to proceed.
Session timeout helps to prevent unauthorized users from accessing the Network
web-based manager and changing the settings.
To change the network module session lifetime

1. Go to Advanced > System Settings.
2. Under EMS Management Console, change the Session Lifetime by entering a new
session lifetime value between 30 and 1200 seconds.
3. Click OK.

Remote management
You can access and control the CNX Network module from the local network, or from the
Internet. This allows you to view or change settings from any Internet access point around
the world. It also enables your Internet Service Provider (ISP) to change settings or help
you troubleshoot functionality or communication issues from a remote location.
Network module
Remote access to the Network module is blocked by default to ensure the security of the
local network. Use the Remote Administration page to enable these services as required.
Remote access is supported by the following services:
• Telnet: Used to access a command-line and all system settings.
• Web-Management/HTTP: Used to access the web-based manager.
• Diagnostic Tools: Used for troubleshooting and remote system management
by your ISP.
Configuring Network remote administration services

Go to Advanced > Remote Administration.
Figure 7: Remote administration settings
Table 2 describes the remote administration settings.
Remote management 19
26
Table 2: Remote administration settings

Allow Incoming Access to the Telnet Server
The telnet server provides access to the CNX command line interface. Although this
service is password-protected, the traffic itself is not secure unless a VPN connection
is used.
Using Primary Telnet Open TCP port 23 for telnet access.

Port (23)
Using Secondary Telnet Open TCP port 8023 for telnet access. If a local server is
Port (8023) using port 23, select port 8023 to avoid conflicts.
Allow Incoming Access to the Web-Management
This option controls remote access to the web-based manager via an Internet connection.
Using Primary HTTP Port Open TCP port 80 for HTTP access.
(80)
Using Secondary HTTP Open TCP port 8080. If a local server is using port 80 select
Port (8080) port 8080 to avoid conflicts.
Allow SNMP Control and Diagnostic Requests
This setting allows an SNMP server to access the CNX unit for management.
Allow Incoming SNMP Permit incoming SNMP requests from the Internet
Requests
Diagnostic Tools
These services may be used for troubleshooting and remote system management.
Allow Incoming ICMP Permits remote managers to determine if the CNX unit is
Echo Requests (e.g. active.
pings and ICMP
traceroute queries)
Allow Incoming UDP Permits the CNX Network module to respond to traceroute
Traceroute Queries queries.
20 Remote management
Configuring administrative settings

Configure the basic network settings before setting up the base WAN (Wide Area Network)
or LAN (Local Area Network) connections.
Configuring the Network System Settings

Go to Advanced > System Settings.
Figure 8: System Settings

26
Table 3 describes the CNX System Settings.
Table 3: System Settings

System
Hostname Specify a name for the CNX Network.
Local Domain Enables access to the CNX using a DNS name. For example, if
the Hostname is CNX and Local Domain is Home, then computers
on the LAN interfaces can reach the CNX web-based manager
by specifying .home instead of an IP address.
Management Console
Enable Profile Select to make the profile selection page available to users. For
Selection Page more information, see The Network profile selection page on
page 14.
Automatic Refresh
Select to automatically refresh the profile selection page as
specified by the Refresh Interval below.
Refresh Interval
Enter the number of seconds to wait before refreshing the profile
selection page.
Enable DNS Redirection
Select to enable the Network module to redirect the user’s current
home page to the profile selection page.
Automatic Refresh Select to automatically refresh system monitoring web pages as
of System specified by the Refresh Interval below. If not selected, the user
Monitoring Web must manually refresh the pages to view new content.
Pages
Warn User Before Select to enable a warning message each time the network
Network configuration will change.
Configuration
Changes
Session Lifetime Specify how long an administrator’s session can be idle before it
is automatically disconnected.
Language Choose the language to use in the web-based manager.
Management application ports
Primary HTTP Port Specify the port to use for web-based management sessions.
Secondary HTTP Specify an alternate port to use for web-based management
Port sessions.
Primary Telnet Port Specify the port to use for Telnet sessions.
Secondary Telnet Specify an alternate port to use for Telnet sessions.
Port
22 Configuring administrative settings

Table 3: System Settings

System Remote Logging
System Notify Level Determines the messages that are sent to a remote syslog server.
Choose from None, Error, Warning, and Information. The CNX
Network module will log all messages at and above the log level
you select. For example, if you select Information: Information,
Warning, and Error messages will be logged.
Security Remote Logging
Security Notify Level Determines the messages that are sent to a remote syslog server.
Choose from None, Error, Warning, and Information. The CNX
Network module will log all messages at and above the log level
you select. For example, if you select Information: Information,
Warning, and Error messages are logged.

26
Saving Network module configuration files
Note: For Accelerator module configuration files, see Saving Accelerator module
configuration files on page 135.
View and save configuration files to:

• perform testing
• troubleshoot
• maintain a backup of the current configuration
To view the configuration file

1. Go to Advanced > Technical Information.
2. Click Configuration File to view the complete contents of the CNX configuration file.
Important! You should save your configuration file as a backup before performing
firmware upgrades or other maintenance.
To save the configuration file

2. Click Configuration File.
The configuration file is displayed.
24 Saving Network module configuration files

3. Click Download Configuration File.

The File Download window appears.
4. Click Save.
5. Browse to the location you want to save the file, select Save as type: All Files, and
name the file with the file extension .txt (text file).
6. Click Save.
Saving Network module configuration files 25

26
To upload a configuration file

2. Click Configuration File.
The current (old) configuration file is displayed.
3. Click Upload Configuration File.
The File Upload window appears.
4. Click Browse.
The file explorer window appears.
5. Find and select the configuration file and click Open.
The Network module uploads the configuration file and reboots.
26 Saving Network module configuration files

SECTION 2
Network Connections and

Connection Profiles
This section describes the base network connections and how to create some simple
connection profiles for end-users.
Connection profiles are based on one of the physical interfaces (base connections) of the
CNX-200 product Network module. Once enabled, connection profiles can be selected
by end users on the profile selection page when they access the domain name or IP
address of the Network module.
Setting up a connection profile requires the following general steps.
1. Determine the requirements for your configuration.
2. Choose a physical interface on which to base the connection and configure the
physical interface settings. See Base Network Connection Settings on page 65.
3. Configure a new connection profile based on the physical interface.
In this section Page

Configuration and operation essentials 28
Viewing network connections 30
Choosing a connection type 31
Modifying base WAN connections 34
Creating connection profiles 35
PPP over ISDN connection profile 35
PPP over Ethernet connection profile 47
Network Bridging (LAN Bridge) connection profile 52
IPSec connection profile 57
Using backup connections 63
27
64
Configuration and operation essentials

Table 4 describes some common connection requirements and the essential settings for
configuring them.
Table 4: Connection configuration essentials

Connecting to... Using... Decisions and essential settings
the Internet (ISP) PPP over ISDN • use DHCP
• override the subnet mask with 255.255.255.0
• set Routing to Basic
• obtain the correct username, password, and
remote ISDN number from the service
provider
• add the pound sign (#) to the end of the ISDN
number
a corporate intranet PPP over ISDN • use a static IP address
• set Routing to Advanced and enable Default
Route
• obtain the correct username, password, and
remote ISDN number from the service
provider
• add the pound sign (#) to the end of the ISDN
number to dial
the Internet (ISP) PPP over • use DHCP
Ethernet • override the subnet mask with 255.255.255.0
• set Routing to Basic
Disabling connections
There are several options to disable a connection.
Manual disconnect
The profile selection page provides a disable option for each active connection. The user
can click this option to terminate the connection.
Automatic disconnect
If the connection type has the On Demand option enabled, it will automatically disconnect
after being idle for a specified amount of time. By default, this timer is set to 0, which
means never disconnect. These options are defined on the Settings page for the
connection type.
However, since the On Demand option is active, the connection will automatically
reconnect when the user sends data.
28 Configuration and operation essentials

You can use PPP active filters to define what traffic is “interesting” and should not be
ignored for On Demand operations. This prevents a connection from being reconnected
or kept alive by the transmission of unimportant data traffic. See Filter interesting traffic
on page 116.
Disable profile after hanging up

Disable profile after hanging up is a feature enabled in the Settings for a connection
type. It is only available when the On Demand option is selected. Select Disable profile
after hanging up to prevent the connection from re-establishing itself even though On
Demand is enabled. When the idle timer for the connection expires, the connection is
disabled and the user must manually re-activate it on the profile selection page.
Configuration and operation essentials 29

64
Viewing network connections

The Network Connections list displays the status of all the defined network connections.
Figure 9: Network Connections list
Each row in the list defines a connection. For a description of the icons that may appear
in the Action column, see Table 1 on page 17.
30 Viewing network connections

Choosing a connection type

There are four base physical WAN connections, and nine options for creating connection
profiles based on the WAN connections.
Base WAN connections

Before you set up a WAN connection, configure the base, or underlying, connection that
it will use. For example, if you are going to create a PPP connection over ISDN, then you
must first configure the WAN ISDN connection type.
Choose a base WAN connection from the options described in Table 5.
Table 5: Base WAN connections

Base WAN connection Description
WAN Ethernet Base connection type for creating a link to the Internet
via Ethernet. Used by other connection types (such as
PPPoE) as the underlying connection to establish the
Internet link or a link to a corporate network. Set the WAN
Ethernet properties before you configure new
connections that use it as the base, or underlying,
connection.
See WAN Ethernet on page 66.
WAN ISDN Base connection type for creating a link to the Internet
via ISDN.
See WAN ISDN on page 69.

64
Base LAN connections

You can create the following LAN connections through the CNX-200 product Network
module, including setting up the wireless cabin network.
Table 6: LAN connections

LAN connection type Description
LAN Bridge Combines several LAN devices under one virtual
network (LAN Ethernet and LAN Wireless Access Point).
LAN Ethernet Connects the CNX unit to a local area network.
LAN Wireless Access Point Connects to an 802.11b or 802.11g wireless network.
Connection profile options

Once you configure a WAN base connection, you can select from the connection types
shown and described in Figure 10 and Table 7 to create a connection profile.
Figure 10: New connection profile options
32 Choosing a connection type

Table 7: WAN connections for connection profiles

WAN connection Description
Point-to-Point Protocol over Connects the CNX device (or unit) to the Internet or a
Ethernet (PPPoE) corporate network using a PPP tunnel over WAN
Ethernet connection. See PPP over Ethernet connection
profile on page 47.
Point-to-Point Protocol over Connects the CNX device (or unit) to the Internet or a
ISDN (PPPoI) corporate network using a PPP tunnel over a WAN ISDN
connection. PPP over ISDN connection profile on
page 35.
Network Bridging Connects separate network interfaces (such as LAN
Ethernet and LAN Wireless Access Point) to form one
seamless LAN.
Internet Protocol Security Enable secure transfer of data to another location over
(IPSec) the Internet, using private and public keys for encryption,
and digital certificates for authentication. See IPSec
connection profile on page 57.
Point-to-Point Remote Access Enables remote users to securely access the local
Server (PPP RAS Server) network via dial-up connections. RAS servers are used
to establish router to router connections between the
CNX-200 product Network module and private networks.

64
Modifying base WAN connections

Before configuring a connection profile over a base WAN connection, make sure the
connection is configured and operating correctly.
1. Go to Network Connections and click Edit in the Action column for the connection.
The properties page for the connection appears.
2. Click Settings to configure or edit advanced options.

The complete configuration page for the connection appears.
3. Make any required changes and click OK.

4. Go to System Monitoring > Connections to check that the connection is enabled
and configured correctly.
34 Modifying base WAN connections

Creating connection profiles

Once created, all connections appear on the Network Connections page. This section
describes how to create the following most common connection profiles:
• PPP over ISDN connection profile
• PPP over Ethernet connection profile
• Network Bridging (LAN Bridge) connection profile
• IPSec connection profile
PPP over ISDN connection profile

Before creating a connection profile using PPP over ISDN (PPPoI) make sure the WAN
ISDN settings are configured correctly. See WAN ISDN on page 69.
To create a new PPPoI connection

1. Go to Network Connections and click New Connection.
2. Select Point to Point Protocol over ISDN and click Next.
3. Enter a Login User Name, Password, and B Channel Remote Number for the
connection, as shown below.
4. Click Next.
A short connection summary appears.
5. Click Finish to create the connection or Back to make changes.
The Network Connections page appears, showing the new connection as Disabled.

64
To enable the connection

1. To enable the connection, click Edit in the Action column.
The WAN PPPoI Properties page appears.
2. Click Enable.
To configure the PPP over ISDN settings

1. Go back to Network Connections and click Edit for the connection you want to
configure.
2. Click Settings.
Use the descriptions in the following tables to configure the correct settings.
3. Click OK when changes are complete.
General settings
General settings are similar for each type of connection.
Figure 11: WAN PPPoI connection settings - General
36 Creating connection profiles

Table 8 describes the General information and settings for the PPPoI connection.
Table 8: WAN PPPoI connection settings - General

Device Name Name assigned to the physical or connection profile interface
by the CNX-200 product Network module. For example, ppp2
or eth0.
Status Connected, Disconnected, or Disabled.
Network WAN or LAN.
Connection Type PPP over ISDN.
Underlying Device(s) Click to view the connection properties.
The physical interface used for the connection: WAN ISDN.
See WAN ISDN on page 69.
Associated IPSec Select a configured IPSec connection from the list. All traffic will
Connection be routed through the selected IPSec tunnel.
Important! IPSec and other LAN connections do not appear

on the profile selection page. To use IPSec, associate the
IPSec connection with a WAN base connection which users
can choose from the profile selection page.
Show in Profile Enable to make this connection available to end-users from the
Selection Page profile selection page.
PPP settings
Figure 12: WAN PPPoI connection settings - PPP
Table 9 describes the PPP settings for the PPPoI connection.
Table 9: WAN PPPoI connection setting - PPP

Login User Name Enter a login user name for this connection. User Names are
case sensitive.
Login Password Enter a login password for this connection.

64

On Demand Select On Demand to have the CNX-200 product Network
module control the connection based on use and idle time.
Selecting On Demand saves bandwidth and means users do
not have to remember to disconnect when not sending or
receiving data.
CAUTION: Selecting On Demand means the router goes

into call when connected devices generate traffic destined for
the Internet. Many application and operating system features
may automatically perform background tasks requiring an
Internet connection, which may result in unwanted and
expensive service charges. Configure the CNX Cabin
Gateway product Firewall and Active Filters to block this
unwanted traffic.
Automatically disable Enable this parameter to have the CNX-200 product Network
connection on remote module disable the connection if the remote host disconnects.
disconnect
Disable Profile After If On Demand is activated, this feature is not applicable to CNX
Hanging Up Cabin Gateway product operation. Do not enable. If you are
connecting and disconnecting manually, this feature acts as an
idle timer.
Use Active Filters Select to use active filters to ignore uninteresting traffic on the
connection.
To configure Active Filters, see Advanced filtering on page 114.
Idle Time Before Enter the time in seconds for the CNX Cabin Gateway product
Hanging Up to wait before disconnecting an idle connection.
Important! See caution for On Demand above. To reduce

call costs, set the Idle Time whether you are using On
Demand or manual dialing for the connection. 0 = disabled.
Time Between Enter a time in seconds to wait between reconnect attempts if
Reconnect Attempts the host was busy or unreachable. Default is 30 seconds.
B Channel Remote The ISDN or PRI phone number of the remote access server
Number you want to call. Country Code+Area Code+Number+# if using
on Inmarsat system.
PPP Multilink Click to access the PPP multilink configuration. See PPP
Multilink settings below.
The defaults are the recommended settings.
Select Use this connection in a multilink bundle to enable
support for multi-link PPP, which enables one or more B
channels to be combined into a single data pipe for faster
throughput. The CNX Network uses Bandwidth On Demand to
reduce connection charges. When bandwidth on demand is
enabled, additional B channels are only activated when extra
bandwidth is required.


Enable PPP debug Select to enable logging of PPP connection information to the
System Log for debugging.
LCP Echo Request Enter the PPP LCP echo request interval in seconds.
Interval 0 = disabled.
PPP Multilink settings
Figure 13: PPP Multilink
When more than one link is enabled, you will see standard settings for each link:
Figure 14: PPP Multilink settings

64
When Bandwidth on Demand is enabled you will see Bandwidth on Demand parameters
for each link:
Figure 15: PPP Multilink settings with Bandwidth on Demand
Table 10 describes the PPP Multilink settings for the PPPoI connection.
Table 10: PPP Multilink settings

General
Number of Links The number of PPP links configured.
Bandwidth on Select to have the CNX unit dynamically add/remove B channels
Demand according to bandwidth requirements.
Link n
Phone Number Phone number assigned to this channel.
Username Username assigned to this channel. Typically, all channels use
the same username and password.
Password Password assigned to this channel. Typically, all channels use
the same username and password.
Link n Bandwidth On The settings below are only visible when you select Bandwidth
Demand Parameters on Demand (BoD).
Important! See Bandwidth On Demand Recommended

Settings on page 42.
Wait Time Enter the time in seconds to wait after establishing the initial
connection activating BoD.
Up Threshold Enter the percentage of the bandwidth to be in use before this link
is established. For example, if you set the Up Threshold to 80%
and the Up Timer to 5 seconds, an extra channel is added when
the line traffic reaches 80% capacity for 5 consecutive seconds.

Table 10: PPP Multilink settings

Up Timer Enter the time in seconds you want the traffic to be at or above
the Up Threshold before adding an extra channel.
Down Threshold Enter the percentage of the bandwidth to be in use before starting
the Down Timer and removing the extra channel. For example, if
you set the Down Threshold to 70% and the Down Timer to 25
seconds, the extra channel is removed when the line traffic
reaches 70% capacity for 25 consecutive seconds.
Down Timer Enter the time in seconds you want the traffic to be at or below
the Down Threshold before removing the extra channel.

64
Bandwidth On Demand Recommended Settings

EMS recommends using the guidelines below to configure Bandwidth On Demand
Parameters.
Select an option Lower cost option1 Higher cost option2 Custom3

Wait Time 20 20 Set timers and
thresholds according to
Up Threshold 50 50 usage.
Up Timer 120 30
Down Threshold 40 40
Down Timer 30 120
1. Only provides bandwidth when needed for long durations.

2. Provides extra bandwidth quicker in burst situations but is less cost-effective.
3. EMS recommends monitoring your usage with your air time provider to look for short
duration 2nd, 3rd, and 4th channel calls. If you see many calls under 1 minute, increase
the thresholds.
PPP Authentication settings
Figure 16: WAN PPPoI connection settings - PPP Authentication
Table 11 describes the PPP Authentication settings for the PPPoI connection.
Note: To avoid communication errors, only select authentication protocols that the
remote access server supports.
Table 11: PPPoI WAN connection settings - PPP Authentication

Support Unencrypted Select to enable PPP authentication using PAP (Password
Password Authentication Protocol). Enabled by default.
Support Challenge Select to enable PPP authentication using CHAP (Challenge
Handshake Handshake Authentication Protocol). Enabled by default.
Authentication
Support Microsoft Select to enable PPP authentication using MS-CHAP. Enabled
CHAP by default.
Support Microsoft Select to enable PPP authentication using MS-CHAP v2.
CHAP Version 2 Enabled by default.

PPP Encryption settings
Figure 17: WAN PPPoI connection settings - PPP Encryption
Table 12 describes the PPP Encryption information and settings for the PPPoI connection.
Table 12: WAN PPPoI connection settings - PPP Encryption

Require Encryption Select to accept only encrypted data from the external network
through this connection.
Support Encryption Select to apply 40-bit encryption to traffic leaving the CNX Cabin
Gateway product through this connection.
Support Maximum Select to apply maximum strength 128-bit encryption to traffic
Strength Encryption leaving the CNX Cabin Gateway product through this connection.
Internet Protocol settings
Figure 18: WAN PPPoI connection settings - Internet Protocol
Table 13 describes the IP address settings for the PPPoI connection.
Table 13: WAN PPPoI connection settings - IP address

Internet Protocol Choose Obtain an IP Address Automatically (DHCP), or Use
the Following IP Address. For Internet access through an ISP,
you will usually obtain an IP address automatically. For access to
a corporate or other intranet, you will usually assign a static IP
address.
IP Address Enter an IP address for the connection (if not obtaining
automatically).
Override Subnet Select and enter a subnet mask to replace the one assigned by
Mask the DHCP server.
PPP Type of Service (TOS) settings
Important! TOS settings must be applied for the CNX-200 product when Dial on
Demand and Idle Time Before Hanging Up are enabled. Configure the same settings
for TOS in the Accelerator module and on the groundside Accelerator unit.

64
TOS requests are indicated by a value added to the IP header of a packet. The TOS value
tells the CNX-200 product Network module the type or quality of service required for the
packet.
The Accelerator module uses a keepalive feature to maintain the secure tunnel
established with the complementary unit on the groundside network. Enable TOS and set
the Precedence value to 7, Network Protocol, to ensure the CNX Cabin Gateway product
handles the keepalive messages correctly.
See RFC1349 for TOS implementation details.
Figure 19: WAN PPPoI connection settings - TOS
Table 14 describes the TOS settings for the PPPoI connection.
Table 14: WAN PPPoI connection settings - TOS

Enable TOS Select to enable traffic filtering by Type of Service (TOS), and to
view the TOS options.
Precedence If using the CNX-200 product set the precedence to Network
Protocol (TOS 7).
Delay Not applicable.
Throughput High Throughput
Reliability Not applicable.
Cost Not applicable.
DNS Server settings
Figure 20: WAN PPPoI connection settings - DNS server
Table 15 describes the DNS settings for the PPPoI connection.

Table 15: WAN PPPoI connection settings - DNS server

DNS Server Click to view the DNS Server list.
When Obtain an IP Address Automatically is enabled, choose
Obtain DNS Server Address Automatically to use DHCP, or
choose Use the Following DNS Server Addresses.to specify
your primary and secondary DNS servers.
Primary DNS Server When Use the Following DNS Server Addresses is selected,
enter the IP address of the primary DNS server.
Secondary DNS When Use the Following DNS Server Addresses is selected,
Server enter the IP address of the secondary DNS server.
Routing settings
Figure 21: WAN PPPoI connection settings - Routing
Table 16 describes the routing settings for the PPPoI connection.
Table 16: WAN PPPoI connection settings - Routing

Routing Click to view the CNX Cabin Gateway product routing table.
Select Advanced to view the routing settings. Select Basic to
use the default settings of the CNX Cabin Gateway product.
Routing Mode Select NAPT or Route as the Routing Mode. In NAPT (Network
Address Port Translator) mode, the CNX Cabin Gateway
product will translate internal network addresses and port
numbers into external IP addresses for egress traffic and vice
versa for ingress traffic.
Route mode requires entries in the routing table to tell the CNX
Cabin Gateway product where to send traffic.
Device Metric A value used by the CNX Cabin Gateway product to determine
if one route is better than another.
Default Route Select to use the default route.
Multicast - IGMP Select to enable the CNX Cabin Gateway product to act as an
Proxy Default IGMP (Internet Group Multicast Protocol) proxy for all
computers on the internal network.

64
Table 16: WAN PPPoI connection settings - Routing

Routing Information Select to enable RIP support and view the RIP settings.
Protocol (RIP)
Listen to RIP Select the version of RIP messages the CNX Cabin Gateway
Messages product will receive. Choose from RIPv1, RIPv2, or RIPv1/2.
Send RIP Messages Select the version and type of RIP messages the CNX Cabin
Gateway product will send. Choose from None, RIPv1, RIPv2 -
Broadcast, RIPv2 - Multicast.
Routing Table Click New Route to add a route to the table.
Internet Connection Firewall settings
Figure 22: WAN PPPoI Connection Settings - Firewall
Enable the Internet Connection Firewall and click the link to access the firewall
configuration pages, or click Security in the left menu bar. For details, see Pre-defined
firewall settings on page 106.

PPP over Ethernet connection profile

Before creating a connection profile using PPP over Ethernet make sure the WAN Ethernet
settings are configured correctly.
To create a new PPPoE connection

2. Select Point to Point Protocol over Ethernet (PPPoE) and click Next.
3. Enter a Login User Name and Password for the connection, as shown below.
4. Click Next.
To enable the connection

1. From the Network Connections list, click Edit in the Action column.
The WAN PPPoE Properties page appears.
2. Click Enable.

64

To configure the PPP over Ethernet settings

configure.
2. Click Settings.
Use the descriptions in the following tables to configure the correct settings.
General settings
Figure 23: WAN PPPoE connection settings - General
Table 17 describes the General information and settings for the PPPoE connection.
Table 17: WAN PPPoE connection settings - General

by the CNX Cabin Gateway product. For example, ppp2 or
eth0.
Network WAN or LAN.
Connection Type Connection protocols.
Underlying Device(s) Click to view the connection properties.
The physical interface used for the connection: WAN Ethernet.
See WAN Ethernet on page 66.
Associated IPSec Select a configured IPSec connection from the list. All traffic will
Connection be routed through the selected IPSec tunnel.
Show in Profile Enable to make this connection available to end-users from the
Selection Page profile selection page.

PPP settings
Figure 24: WAN PPPoE connection settings - PPP
Table 9 describes the PPP settings for the PPPoE connection.
Table 18: WAN PPPoE connection settings - PPP

Service Name Enter the Service Name only if one is provided by your ISP.
Usually 28# for SATCOM service.
The following is a list of special PPPoE service names:
• 123—PacketData Service to an available card
• 28#—Provides SCPC service to an available card
• ISDN—ISDN service to an available card
• MPDS—Standard IP MPDS Service to an available card
• MPDS-1—Standard IP MPDS Service to channel card 1
• MPDS-2—Standard IP MPDS Service to channel card 2
• PacketData—BGAN or MPDS Service to an available card,
depending on what is available on the system and in that
spot beam.
• SBB—Standard IP BGAN Service to an available card
• SBB-1—Standard IP BGAN Service to channel card 1
• SBB-2—Standard IP BGAN Service to channel card 2
Login User Name Enter a login user name for this connection. User names are
case sensitive.
Login Password Enter a login password for this connection.

64
Table 18: WAN PPPoE connection settings - PPP

On Demand Select On Demand to have the CNX Cabin Gateway product
control the connection based on use and idle time. Selecting
On Demand saves bandwidth and means users do not have to
remember to disconnect when not sending or receiving data.
CAUTION: Selecting On Demand means the router goes

into call when connected devices generate traffic destined for
the Internet. Many application and operating system features
may automatically perform background tasks requiring an
Internet connection, which may result in unwanted and
expensive service charges. Configure the CNX Cabin
Gateway product firewall to block this unwanted traffic.
Idle Time Before Enter the time in seconds for the CNX Cabin Gateway product
Hanging Up to wait before disconnecting an idle connection.
Important! To reduce call costs, set the Idle Time whether

you are using On Demand or manual dialing for the
connection. 0 = disabled.
Use Active Filters Select to use active filters to ignore uninteresting traffic on the
connection.
To configure Active Filters, see Advanced filtering on page 114.
Time Between Enter a time in seconds to wait between reconnect attempts if
Reconnect Attempts the host was busy or unreachable. Default is 30 seconds.
Enable PPP debug Select Display PPP LCP negotiation in system log to enable
logging of PPP connection information to the System Log.
PPP LCP echo interval Enter the PPP LCP echo request interval in seconds.
0 = disabled.
PPP Authentication settings

Same as for PPPoI connections. See PPP Authentication settings on page 42.
PPP Encryption settings

Same as for PPPoI connections. See PPP Encryption settings on page 43.
PPP Compression settings
Figure 25: WAN PPPoE connection settings - PPP Compression and ATM
Table 19 describes the PPP compression settings for the PPPoE connection.

Table 19: WAN PPPoE connection settings - PPP Compression and ATM
PPP Compression
BSD Choose one of the following options:
Reject PPP connections with peers that use the BSD
compression protocol.
Allow PPP connections with peers that use the BSD compression
protocol.
Require a connection with a peer use the BSD compression
protocol.
BSD is a defined PPP compression protocol. See RFC1977 at
ftp://ftp.rfc-editor.org/in-notes/rfc1977.txt.
Deflate Choose one of the following options:
Reject PPP connections with peers that use the Deflate
Allow PPP connections with peers that use the Deflate
Require a connection with a peer use the Deflate compression
protocol.
Deflate is a defined, PPP compression protocol. See RFC1979
at ftp://ftp.rfc-editor.org/in-notes/rfc1979.txt.

Same as for PPPoI connections. See Internet Protocol settings on page 43.
DNS Server settings

Same as for PPPoI connections. See DNS Server settings on page 44.
Routing settings
Same as for PPPoI connections. See Routing settings on page 45.


64
Network Bridging (LAN Bridge) connection profile

Network Bridging is used to create a LAN bridge which combines several LAN connections
into one virtual network. The factory default setting creates a single network using the
LAN ethernet and LAN wireless access point connections.
Before creating a LAN network bridge make sure the base connections that are part of
the bridge are configured correctly.
To create a new LAN (network) bridge

2. Select Network Bridging and click Next.
3. Select the LAN connections that will be part of the LAN bridge, as shown below.
4. Click Next.
To configure the LAN bridge settings

configure.
2. Click Settings.
Use the descriptions in the following tables (Table 20, Table 21, and Table 22) to
configure the correct settings.
To enable the LAN bridge

1. From the Network Connections list, click Edit in the Action column.
The LAN Bridge Properties page appears.
2. Click Enable.
3. Go to System Monitoring > Connections to check that the bridge is enabled and
configured correctly.

General settings
Figure 26: LAN Bridge connection settings - General
Table 20 describes the General information and settings for the LAN Bridge connection.
Table 20: LAN Bridge connection settings - General

by the CNX Cabin Gateway product. For example, ppp2 or
eth0.
Network LAN.
Connection Type Bridge.
Physical Address MAC address (virtual) associated with the LAN Bridge.
MTU Select Manual to specify the MTU for the interface, or select
Automatic.
The Maximum Transmission Unit (MTU) is the maximum
packet size for packets on the network. The Automatic and
standard packet size for Ethernet is 1500 bytes.
Figure 27: LAN Bridge connection settings - Internet Protocol
Table 21 describes the Internet Protocol for the LAN Bridge connection.

64
Table 21: LAN Bridge connection settings - Internet Protocol

Internet Protocol Specify how this interface obtains an IP address.
• No IP Address: No address is assigned to the interface.
• Obtain an IP Address Automatically: Select this option to
have the CNX operate as a DHCP client.
• Use the Following IP Address: Select this option to
manually define the IP address, subnet mask, and default
gateway.
Override Subnet Mask When Obtain an IP Address Automatically is selected, use
this setting to override the subnet mask of an automatically
assigned IP address.
DHCP Lease When Obtain an IP Address Automatically is selected, use
the DHCP Lease Renewed,
IP Address When Use the Following IP Address is selected, enter the IP
address of the interface.
Subnet Mask When Use the Following IP Address is selected, enter the
subnet mask for the IP address of the interface.
Default Gateway When Use the Following IP Address is selected, enter the
default gateway for the interface.
Bridge settings
Select the connections you want to join using the LAN Bridge.
Enable STP (Spanning Tree Protocol), a link management protocol, to enable
communication and loop-free operation between network bridges. This protocol is entirely
transparent to clients (end stations).
Figure 28: LAN Bridge connection settings - Bridge

IP Address Distribution settings
Figure 29: LAN Bridge connection settings - IP Address Distribution
Table 22 describes the IP Address Distribution information and settings for the LAN Bridge
connection.
Table 22: LAN Bridge connection settings - IP Address Distribution

IP Address Click to view the DHCP connections list.
Distribution Choose DHCP Server to use DHCP for this connection, or
choose Disable to disable DHCP.
Start IP Address When DHCP Server is selected, enter the Start IP Address for
the DHCP address pool range.
End IP Address When DHCP Server is selected, enter the End IP Address for
Subnet Mask When DHCP Server is selected, enter the Subnet Mask
associated with the DHCP addresses.
WINS Server IP When DHCP Server is selected, enter the address of the WINS
Address server that the CNX device will return to its DHCP clients.
Default gateway for When DHCP Server is selected, enter the IP address of the
DHCP clients default gateway. For the CNX-200 product, enter the IP address
of the Accelerator module.
Lease Time In Minutes When DHCP Server is selected, enter the number of minutes
the DHCP IP addresses should be valid.
Provide host name if Enable to have the CNX Cabin Gateway product create a host
not specified by client name for client stations if none is provided.
Routing settings
Same as for PPPoI connections. See Routing settings on page 45.

64

Additional IP Addresses
Click New IP Address to assign additional IP addresses (aliases) to the interface.

IPSec connection profile

Internet Protocol Security, or IPSec, is one of the most popular protocols for establishing
VPN (Virtual Private Network) tunnels for secure communications.
Before creating a connection profile using PPP over Ethernet make sure the base WAN
connection is configured correctly. See Base Network Connection Settings on page 65.
Important! IPSec and other LAN connections do not appear on the profile selection
page. To use IPSec, associate the IPSec connection with a WAN base connection
which users can choose from the profile selection page.
The CNX Cabin Gateway products web-based manager has a screen by screen
configuration for IPSec connections that will take you through the process. The first step
is specifying whether the IPSec tunnel will be network to network or gateway to gateway.
Configuring a Network-to-Network IPSec connection

2. Select Internet Protocol Security and click Next.
The IPSec Topology screen appears.

64
3. Select Network-to-Network and click Next.

The Remote Address Type window appears.
4. Select the remote address types:
Remote Gateway Address Select to only accept connections from a specified

remote gateway.
Any Remote Gateway Select to accept connections from any remote
gateway.
Remote Subnet Select to only accept connections from a specified
remote subnet.
Any Remote Subnet Select to accept connections from any remote
subnet.

5. Click Next.
The IPSec connection properties page appears showing the required settings for the
tunnel you set up.
6. Enter the following information as required:
Remote Tunnel Endpoint Enter the IP address of the remote network gateway
Address (if required).
Remote Subnet Enter the Remote Subnet IP Address and the
Remote Subnet Mask for the remote subnet (if
required).
Shared Secret Enter the shared secret to establish the IPSec tunnel.
7. Click Next.
9. To enable the connection, in the Action column, click the Edit icon for the new
connection.
The IPSec Properties page appears.

64
10. Click Enable.

12. Associate the IPSec connection with a base WAN connection. See Using IPSec with
a base WAN connection on page 62.
To configure a Gateway-to-Gateway IPSec connection

2. Select Internet Protocol Security (IPSec) and click Next.
The IPSec Topology screen appears.
3. Select Gateway-to-Gateway and click Next.

The Remote Address Type page appears.

4. Select the remote address type:
Remote Gateway Address Select to only accept connections from a specified

remote gateway.
Any Remote Gateway Select to accept connections from any remote
gateway.
5. Click Next.
The IPSec connection properties page appears showing the required settings for the
tunnel you set up.
6. Enter the following information as required:
Remote Tunnel Endpoint Enter the IP address of the remote network gateway
Address (if required).
Shared Secret Enter the shared secret to establish the IPSec tunnel.
7. Click Next.


64
9. To enable the connection, in the Action column, click the Edit icon for the new
connection.
The IPSec Properties page appears.
10. Click Enable.

12. Associate the IPSec connection with a base WAN connection. See Using IPSec with
a base WAN connection on page 62.
Using IPSec with a base WAN connection
Important! IPSec and other LAN connections do not appear on the profile selection
page. To use IPSec, associate the IPSec connection with a WAN base connection
which users can choose from the profile selection page.
1. Go to Network Connections, select the WAN connection you want to associate with
IPSec, and click Settings.
2. Under General, Associated IPSec Connection, select the IPSec connection to
associate with the base WAN connection.
3. Click OK.

Using backup connections

The CNX can automatically switch to a backup connection if a primary connection fails.
To designate primary and backup connections, you assign a routing metric. The metric
defines the priority of each connection type. The CNX device automatically uses the
highest priority connection first, and switches to the other connections, in order, if the
primary is not available.
Create the primary and backup connections first, then use the Device Metric to prioritize
the connections.
To define the metric for a connection

1. Open the Network Connections page.
2. Click the connection type.
3. Click Settings.
4. Set Routing to Advanced.
5. Set the Device Metric.
A lower metric indicates a higher priority. By default all metrics are set to 20.
6. Click Apply.
Using backup connections 63

64
Blank Page
64 Using backup connections

SECTION 3
Base Network Connection

Settings
This chapter describes the settings for each base connection type. Base connection
settings describe the physical interfaces of the CNX Cabin Gateway product. All WAN
connection types are considered base, or underlying, connections on which to build
connection profiles for end-users.

WAN Ethernet 66
WAN ISDN 69
LAN Wireless Access Point 73
LAN Ethernet 78
65
82
WAN Ethernet
To view this page go to Network Connections > WAN Ethernet > Settings.
Figure 30: WAN Ethernet connection settings
Settings
Table 23 describes the settings for the WAN Ethernet connection type.
Table 23: WAN Ethernet connection settings

General
Device Name Name assigned to the physical or connection profile interface by
the CNX Cabin Gateway product. For example, ppp2 or eth0.
Status The interface is Connected, Disconnected, or Disabled.
Network WAN
Connection Type Ethernet
Physical Address The Ethernet MAC (Media Access Control) address of the
interface.
66 WAN Ethernet

Automatic.
The Maximum Transmission Unit (MTU) is the maximum packet
size for packets on the network. The Automatic and standard
packet size for Ethernet is 1500 bytes.
Associated IPSec Not available if the connection uses No IP Address. Select a
Connection configured IPSec connection from the list. All traffic will be routed
through the selected IPSec tunnel.
Important! IPSec and other LAN connections do not appear on

the profile selection page. To use IPSec, associate the IPSec
connection with a WAN base connection which users can
choose from the profile selection page.
Show in Profile Not available if the connection uses No IP Address. Enable to
Selection Page make this connection available to end-users accessing the profile
selection page.
have the CNX operate as a DHCP client.
• Use the Following IP Address: Select this option to manually
define the IP address, subnet mask, and default gateway.
Override Subnet When Obtain an IP Address Automatically is selected, use this
Mask setting to override the subnet mask of an automatically assigned
IP address.
DHCP Lease When Obtain an IP Address Automatically is selected, use the
DHCP Lease Renewed,
subnet mask for the IP address of the interface.
Default Gateway When Use the Following IP Address is selected, enter the
default gateway for the interface.
DNS Server Click to view the DNS Server list.
When Obtain an IP Address Automatically is enabled, choose
Obtain DNS Server Address Automatically to use DHCP, or
choose Use the Following DNS Server Addresses to specify
your primary and secondary DNS servers.
Primary DNS Server When Use the Following DNS Server Addresses is selected,
enter the IP address of the primary DNS server.
Secondary DNS When Use the Following DNS Server Addresses is selected,
Server enter the IP address of the secondary DNS server.
WAN Ethernet 67
82

Routing Select Basic or Advanced.
Select Basic to use default settings that apply for most IPS
connections and use Network Address Translation (NAT).
Advanced allows for the configuration of Static routing and RIPv2
which are generally used in private networks.
For details about the routing table see Routing on page 93.
Routing Mode Select NAPT or Route as the Routing Mode. In NAPT (Network
Address Port Translator) mode the Network module will translate
internal network addresses and port numbers into external IP
addresses for egress traffic and vice versa for ingress traffic.
Route mode requires entries in the routing table to tell the Network
module where to send traffic.
Device Metric A value used by the Network module router to determine if one
route is better than another.
Default Route Select to use the default route.
Multicast - IGMP Select to enable the Network module to act as an IGMP (Internet
Proxy Default Group Multicast Protocol) proxy for all computers on the internal
network.
Routing Information Select to enable RIP support and view RIP settings.
Protocol (RIP)
Listen to RIP Messages: Select the version of RIP messages
the Network module will receive. Choose from None, RIPv1,
RIPv2, or RIPv1/2.
Send RIP Messages: Select the version and type of RIP
messages the Network module will send. Choose from None,
RIPv1,
RIPv2 - Broadcast, or RIPv2 - Multicast.
Routing Table Click New Route to add a route to the table.
Internet Connection Select to enable the CNX Cabin Gateway product firewall. For
Firewall firewall configuration settings see Pre-defined firewall settings on
page 106.
Additional IP Click New IP Address to assign additional IP addresses (aliases)
Addresses to the interface.
68 WAN Ethernet
WAN ISDN
To view this page go to Network Connections > WAN ISDN > Settings.
Figure 31: WAN ISDN connection settings (partial screen)
Settings
Table 24 describes the settings for the WAN ISDN connection type.
Table 24: WAN ISDN connection settings

General
the Network module. For example, ppp2 or eth0.
Network WAN or LAN.
WAN ISDN 69
82

ISDN Port x
Interface Type • MULTI-POINT: Standard configuration used by most lines.
Supports multiple terminal equipment (TE).
• POINT-TO-POINT: This option is used automatically when
NT mode is enabled. Supports a single TE only.
• LEASED: Requires no call setup.
Redirect calls to Important! When using ISDN redirection, the connected ISDN
another ISDN port phone or device requires a separate external power supply to
operate.
ISDN redirect allows multiple ISDN devices to share a single

ISDN line.
Only available when NT Mode is selected. Select to enable the
redirection of incoming calls from this port to another ISDN port.
Select the ISDN port to which you want to redirect calls. Choose
from a specific port or select auto to automatically redirect calls
to an available port.
To set up ISDN redirection

1. Go to Network Settings > WAN ISDN > Settings.
2. Select NT Mode to set up a port to act in NT mode.
3. Connect your NT equipment to the NT mode port.
4. Enable Redirect calls to another ISDN port.
5. Select the ISDN port you wish to redirect the calls to or select
Auto.
6. Connect the selected redirect port to your TE equipment.
7. From your device at the NT end dial the number at the TE end.
8. The call should be redirected from the NT port to the selected
port.
How ISDN redirection works

The ISDN redirector bridges a port running in TE mode to a port
running in NT mode. You can specify which TE port the NT should
be bound too, or the redirector can auto-detect which TE to use.
Auto-detect works by locating a TE which is idle and connected
to the ISDN network. The search starts at the highest ISDN
interface adjacent to the NT port. For example, if interface 4 is
configured for NT mode, the redirector will determine the
suitability of interface 3, then 2 and finally 1. If none of the
interfaces are free the redirector will ask Multilink PPP to drop
(bump) a channel so that the redirector always takes priority.
MLPPP will drop the last channel to be connected.
70 WAN ISDN

Voice call MSN Only available when Redirect calls to another ISDN port is
selected. Enter the MSN number assigned to this interface for
voice calls.
Important! You only need to configure the Voice and Data call
MSN numbers when there is a combined function device
connected to the NT mode port. These settings inform the
redirector how to handle incoming calls. For example, an ISDN
T/A WAN ISDN functions as a modem for data calls and
provides POTS ports for voice calls.
For example, if you connect an ISDN T/A to use POTS

functionality (i.e. for making regular voice calls on the ISDN
network), and the ISDN T/A has an associated MSN, enter that
MSN here. When a call arrives, the redirector checks the called
party number to see if it matches that of the ISDN T/A. If so, the
redirector will handle the call as a voice call. Similarly, for outgoing
calls, the redirector will check the ISDN calling party number of
the TE device (if present). Again, if it matches the configured
Voice call MSN the redirector will apply the necessary logic for
handling voice calls so dial tones are available.
Data call MSN Only available when Redirect calls to another ISDN port is
selected. Enter the MSN number assigned to this interface for
data calls.
Default redirector Only available when Redirect calls to another ISDN port is
mode selected. Select the mode to use when there is no MSN matching
the called ID (incoming call) or the calling party number (outgoing
call).
Data: Handle non-matching calls as data calls.
Voice: Handle non-matching calls as voice calls (provide support
for dial tones).
Number of bearer Select the number of bearer channels provided by the ISDN
channels physical layer.
Switch Type Specify the type of ISDN switch to which the CNX unit is
connected.
• EuroISDN: Common European standard.
• NI-1: Common North American standard.
Stable Layer 2 Mode Set to match central office.
• PERMANENT: Always connected. Default setting.
• ON DEMAND: Default setting for EMS equipment. Connected
only when a call is initialized.
• NO DISCONNECT: The CNX Cabin Gateway product will close
the B channels but keep the delta channel open.
WAN ISDN 71
82

NT Mode Enabling NT (Network Termination) mode disables all PPPoI
connections. In NT Mode operation, the CNX unit emulates an
NT device. Typically used to connect the CNX unit to other local
ISDN terminal endpoint (TE) equipment. Used with Redirect
calls to another ISDN port.
Terminal Endpoint Specify the TEI number to assign to the D channel. Value can be
Identifier (TEI) between 1 and 255. A value of 255 means automatic assignment
by the ISDN switch.
B1 Channel
Multiple Subscriber Specify the MSN number assigned to channel B1. Not applicable
Number in NT Mode.
B2 Channel
Multiple Subscriber Specify the MSN number assigned to channel B2. Not applicable
Number in NT Mode.
72 WAN ISDN
LAN Wireless Access Point

By default the wireless access point is bridged with the LAN Ethernet base connection.
Configure any wireless clients with complementary settings.
Click the Advanced button on the Network Connections page to display both the LAN
Ethernet and LAN Wireless Access Point connections.
To view LAN Wireless Access Point properties go to Network Connections > LAN Bridge
> Settings and then click LAN Wireless Access Point. Click Settings to make changes.
Figure 32: LAN Wireless Access Point settings
If you remove the LAN wireless access point from the bridge connection, it will appear on
the Network Connections page as a base connection type with additional parameters, as
shown in Figure 33.

82
Figure 33: LAN Wireless Access Point additional settings
74 LAN Wireless Access Point

Settings
Table 25: LAN Wireless Access Point connection settings
General
Network LAN
Connection Type Wireless Access Point
Physical Address The Ethernet MAC (Media Access Control) address of the interface.
Automatic.
size for packets on the network. The Automatic and standard packet
size for Ethernet is 1500 bytes.
Wireless Access Point
SSID The Service Set Identifier is the name of the wireless LAN.
Configure client stations with the SSID to enable communication
with the CNX Cabin Gateway product and other points on the
network. You can use the same network name for multiple wireless
access points.
The SSID can be up to 32 alphanumeric characters long and is
case sensitive.
Normally a client station can specify the network name 'ANY' to
access any wireless network within range that does not require
encryption. However, by default the CNX Cabin Gateway product
ignores requests for the 'ANY' network.
Channel Sets the operating channel for the wireless network. If more than
one wireless network is operating, select a channel at least five
channels away from the channel used by the other network to avoid
interference with other 2.4 GHz devices.
Note: Channel availability is subject to government regulation. You

are responsible for making sure that the channel you select
conforms to local regulations. In some areas it may not be possible
to choose two channels that have the necessary separation to
reduce interference.
802.11 Mode Select the 802.11 mode for the wireless network.
• Mixed: Supports both 802.11b and 802.11g.
• 802.11b only: Supports 802.11b/g with a maximum data rate of
11 mbps.
• 802.11g only: Supports 802.11g only with a maximum data rate
of 54 mbps.

82

Network Automatically set to Open System Authentication.This value cannot
Authentication be changed.
Wireless security
Accept WPA Enables support for WPA. Provides encryption of the wireless data
stations stream using TKIP. More secure than WEP.
Authentication Sets the authentication method to use with WPA.
Method • Pre-shared key: Sets the pre-shared key that is used to validate
user logins and encrypt wireless traffic. TKIP (Temporal Key
Integrity Protocol) encryption is used.
• 802.1x is a standard authentication method that supports
EAP-based authentication protocols. To validate user logins with
802.1x, the CNX Cabin Gateway product uses the services of an
external RADIUS server. To configure the connection to the
RADIUS server, open the Advanced > RADIUS page.
Accept 802.1x Allow 802.1x station to use WEP encryption.
WEP Stations
Group Key Update Defines the interval at which the WEP key is cycled for 802.1x client
Interval stations.
Accept non-802.1x If this is the only encryption method selected, you can specify up
WEP Stations to four keys for encryption of the wireless traffic. The key you select
as the Active key is used for encrypting traffic, while the other keys
are used for decrypting traffic. Key configuration must match on all
wireless client stations that will connect to the CNX Cabin Gateway
product.
Note: If WPA support is enabled, key 1 is reserved for WPA and

cannot be used by WEP.
Encryption keys can be specified in either ASCII or hexadecimal.

• If the Key Length is 40-bit, specify10 hexadecimal characters or
5 ASCII characters.
• If the Key Length is 104-bit, specify 26 hexadecimal characters
or 13 ASCII characters.
• Obtain an IP Address Automatically: Select this option to have
the CNX operate as a DHCP client.
IP address.
DHCP Lease Renewed,
76 LAN Wireless Access Point


Subnet Mask When Use the Following IP Address is selected, enter the subnet
mask for the IP address of the interface.
Default Gateway When Use the Following IP Address is selected, enter the default
gateway for the interface.
IP Address If required, the CNX Cabin Gateway product can operate as a
Distribution DHCP server. If you enable this option, you need to define settings
for:
Start IP Address Starting IP address of the DHCP address pool.
End IP Address Last IP address in the DHCP address pool.
Subnet Mask Subnet mask associated with the DHCP addresses.
WINS Server IP Address of the WINS server that the CNX Cabin Gateway product
Address will return to its DHCP clients.
Lease Time In Amount of time DHCP addresses are valid for.
Minutes
Provide Host The CNX Cabin Gateway product will create a host name for client
Name If Not stations if none is provided.
Specified by Client
Routing Basic: Hides all routing parameters. Although hidden, these
parameters are still active.
Advanced: Shows all routing parameters.If the Advanced option is
selected, the following parameters are visible.
Routing Mode Route: Disables NAPT support.
NAPT: Enables support for network address and port translation.
When enabled, the IP addresses and ports of all local devices are
hidden from the external network, and allows a single external
address to be shared by many local computers.
Device Metric Set the priority of this connection within the routing table. A lower
metric means higher priority. By default, a priority of 50 is assigned.
Default Route The route that is used when no route is found from a data packet.
Multicast - IGMP The CNX Cabin Gateway product acts as an IGMP proxy for all
Proxy Internal computers on the internal network.
Routing When enabled, the CNX Cabin Gateway product will automatically
Information broadcast its own routes, and listen to the broadcasts from other
Protocol (RIP) devices in an effort to update its routing table.
Internet Use this option to enable or disable the firewall on the interface.
Connection
Firewall
Additional IP Use this option to assign additional IP addresses (aliases) to the
Address interface.

82
LAN Ethernet
Important! CNX Cabin Gateway products with serial number 220 and lower (before the
implementation of VLAN) have mismatched mapping of physical ethernet ports to the
software labels in the web-based manager. For assistance contact EMS Product
Support.
To view this page go to Network Connections > LAN Ethernet > Settings.
Figure 34: LAN Ethernet connection settings (partial screen, 1 of 2)
78 LAN Ethernet
Figure 35: LAN Ethernet connection settings (partial screen, 2 of 2)
Settings
Table 26 describes the settings for the LAN Ethernet connection type.
Table 26: LAN Ethernet connection settings

General
Network The interface is operating on the WAN or the LAN.
Connection Type Ethernet
Physical Address The Ethernet MAC (Media Access Control) address of the
interface.
Automatic.
size for packets on the network. The Automatic and standard
packet size for Ethernet is 1500 bytes.
LAN Ethernet 79
82

have the CNX unit operate as a DHCP client.
address of the LAN interface.
subnet mask for the IP address of the LAN interface.
IP address.
Release and Renew buttons to release or renew the IP address.
IP Address Click to view the DHCP connections list.
Distribution Choose DHCP Server to use DHCP for this connection, or
choose Disable to disable DHCP.
Start IP Address When DHCP Server is selected, enter the Start IP Address for
End IP Address When DHCP Server is selected, enter the End IP Address for the
DHCP address pool range.
Subnet Mask When DHCP Server is selected, enter the Subnet Mask
associated with the DHCP addresses.
WINS Server IP When DHCP Server is selected, enter the address of the WINS
Address server that the CNX unit will return to its DHCP clients.
Lease Time In When DHCP Server is selected, enter the number of minutes the
Minutes DHCP IP addresses should be valid.
Routing Select Basic or Advanced.
Select Basic to use default settings that apply for most IPS
connections and use Network Address Translation.
Advanced allows for the configuration of Static routing and
RIPv2. Used in private networks.
For details about the routing table see Routing on page 93.
Internet Connection Select to enable the CNX Cabin Gateway product firewall. For
Firewall firewall configuration settings see IP address distribution (DHCP)
on page 90.
Additional IP Click New IP Address to assign additional IP addresses (aliases)
Addresses to the interface.
80 LAN Ethernet

LAN Ethernet 1 – 8 VLAN support is defined on a port by port basis for each LAN
Ethernet port, using the following parameters.
Frame Format Select the frame format used to communicate with external
devices.
Untagged (802.3): The port sends expects to receive standard
Ethernet frames. The port drops all other frames.
Tagged (802.1q): The port sends and expect to receive tagged
Ethernet frames. The port drops all other frames.
VLAN Identifier(s) For Untagged Frame Format, you have the option of entering a
single default VLAN ID if you want to forward traffic to another
LAN Ethernet port that is configured for VLAN support. The
default VLAN ID is assigned to all traffic.
Note: Untagged ports with a VLAN ID assigned cannot

communicate with other untagged ports that have none or
different VLAN IDs. For more information about VLAN
configuration see VLAN on page 95.
For Tagged Frame Format, enter one or more VLAN IDs

separated by commas. Untagged or non-matching frames are
dropped. The specified rate applies to 802.1q frames as follows:
Priority 0 frames use the specified rate, priority 1 frames use twice
the rate as Priority 0 frames, Priority 2 frames use twice the rate
of Priority 1 frames (max. 32 Mbps), Priority 3 frames use twice
the rate of Priority 2 frames (max. 64 Mbps).
Maximum Rate Tagged Frame Format only. Select the rate limitation for all traffic
(802.1p) sent or received by the port. Options range from Not Limited up
to a maximum data rate of 8 Mbps.
The rate applies to 802.1q frames as follows:
• Priority 0 frames use the defined rate
• Priority 1 frames use twice (2x) the rate as Priority 0 frames
(unless the rate is Not Limited)
• Priority 2 frames use twice (2x) the rate as Priority 1 frames. If
Priority 0 frames have a defined Maximum Rate, then Priority 3
frames are limited to a maximum rate of 32 Mbps.
• Priority 3 frames use twice (2x) the rate as Priority 2 frames. If
Priority 0 frames have a defined Maximum Rate, then Priority 3
frames are limited to a maximum rate of 64 Mbps.
Bridge Access for Enter the VLAN ID to define which VLAN can exchange traffic
VLAN Identifier with the wireless and WAN interfaces.This VLAN may be
assigned to multiple ports, Tagged or Untagged.
Port Monitoring Enables port monitoring on the port specified below. The monitor
port collects a copy of all traffic sent and received on the other
Ethernet port.
Using Port Select the monitor port.
LAN Ethernet 81
82
Blank Page
82 LAN Ethernet
SECTION 4
Network Management
This chapter explains how to operate and configure the CNX® network settings using the
web-based manager. Most network management features are accessible through the
Advanced menu.

System Monitoring 84
DNS management 87
IP address distribution (DHCP) 90
Routing 93
VLAN 95
VRRP 96
User authentication 98
Simple Network Management Protocol 100
Firmware upgrades (Network module) 101
Restoring and restarting 103
Watchdog triggering 104
83
104
System Monitoring
CNX Cabin Gateway product System Monitoring includes features to monitor connections,
traffic through the Network module, ISDN, virtual LEDs, and system status (including a
system event log). Monitoring is done in real time, so that problems can be identified
quickly.
Table 27 provides a brief description of the CNX Cabin Gateway product network
monitoring features.
Table 27: CNX Cabin Gateway Product System Monitoring features

Connections Displays the status, connection type, devices, IP addresses, and
more for each connection.
After configuring a connection it is a good practice to go to
System Monitoring > Connections to check that the connection
is enabled and configured correctly.
Traffic To view details of packets or errors sent and received via the CNX
Cabin Gateway product for each interface go to System
Monitoring > Traffic.
The Traffic monitoring feature includes a trace feature. See
Obtaining a traffic trace on page 85.
ISDN Displays the status of and information about all ISDN
connections, including the status of each B channel.
System Log The System Log records system events and errors during start-up
and operation.
LEDs Shows a virtual picture of the CNX Cabin Gateway product LED
outputs. Since the CNX Cabin Gateway product is often installed
out of sight, use the LEDs to monitor status of connections and
power.
System Displays the system up time in hours and minutes (how long the
CNX Cabin Gateway product has been continuously operating).
84 System Monitoring
Obtaining a traffic trace

The CNX Cabin Gateway product traffic monitoring feature includes a trace application to
record information for up to 1000 packets (1 MB) to a downloadable file. Trace files are
in binary format and you require an application capable of reading tcpdump style traces
(such as Ethereal or tcpdump) to view them.
To view details of packets or errors sent and received via the CNX Cabin Gateway product
for each interface go to System Monitoring > Traffic.
Figure 36: Example traffic monitoring page
To obtain a trace:
1. Go to System Monitoring > Traffic.
2. Click Start Trace.
The button changes to Stop Trace and the trace begins. When the trace is complete
the Stop Trace button changes to Download Trace.
3. Click Download Trace.
System Monitoring 85
104
4. Save the trace file with a new name or the default name of EMS.trace.
86 System Monitoring
DNS management
Domain Name System (DNS) provides a service that translates domain names into IP
addresses and vice versa. The CNX DNS server is an auto-learning DNS, which means
that the DNS server learns the name of any new computer connected to the network and
automatically adds it to the DNS table. Other network users may immediately
communicate with this computer using either its name or its IP address.
In addition, the CNX DNS server:
• Shares a common database of domain names and IP addresses with the DHCP server.
• Supports multiple subnets within the LAN simultaneously.
• Automatically appends a domain name to unqualified names.
• Allows new domain names to be added to the database using the web-based manager.
• Permits a computer to have multiple host names.
• Permits a host name to have multiple IP addresses (needed if a host has multiple
network cards).
The DNS server does not require configuration. However, you may want to view the list
of computers known by the DNS, edit the host name or IP address of a computer on the
list, or manually add a new computer to the list.
To view or modify the DNS table

1. Go to Advanced > DNS Server.
The DNS Server list appears.
2. To add a DNS entry, click New DNS Entry.

The DNS Entry page appears.
Figure 37: DNS Entry page
DNS management 87
104
3. Enter the computer’s host name and IP address and click OK.
Dynamic DNS
The Dynamic DNS service enables you to alias a dynamic IP address to a static hostname.
This is essential for establishing IPSec VPN (Virtual Private Network) tunnels for secure
communication. Both ends of the tunnel must be reachable by static IP address or by
using Dynamic DNS.
Typically, when you connect to the Internet, your service provider assigns an unused IP
address from a pool of IP addresses, and this address is used only for the duration of a
specific connection. Dynamically assigning addresses extends the usable pool of
available IP addresses, while maintaining a constant domain name. Each time the IP
address provided by your ISP changes, the DNS database will change accordingly to
reflect the change in IP address. In this way, even though the IP address will change often,
your domain name will still be accessible.
To use the Dynamic DNS feature you must open a DDNS account, free of charge, at
http://www.dyndns.org/account/create.html. When applying for an account, you will need
to specify a user name and password. Please have them readily available when
customizing DDNS support. For more information regarding Dynamic DNS, visit
http://www.dyndns.org.
To configure dynamic DNS

1. Go to Advanced > Dynamic DNS.
2. Configure the following settings as required:
Connection to Update Select the connection that will use DNS from the list
of Connection Profiles.
Offline Select to enable offline URL redirection.
Status The status of the connection DNS settings: Updated
or Not Updated.
88 DNS management
User name Enter your DYNDNS user name.

Password Enter you DYNDNS password.
Host Name Enter a sub-domain name, and select a suffix to
define your host name.
Wildcard Select to enable wildcards. You can use the *
wildcard to have all requests for sub-domains point
to one address. For example, with wildcard enabled,
all sub-domain requests for *.yourhost.dyndns.org
will point to yourhost.dyndns.org.
Mail Exchanger Enter your mail exchange server address to redirect
all e-mails arriving at your DYNDNS address to your
mail server.
Backup MX Enable storing a backup of the MX (mail exchange)
record. The MX record is the entry in a domain name
database that identifies the mail server used for a
domain name.
DNS management 89
104
IP address distribution (DHCP)

By default, the CNX unit operates as a DHCP server on the LAN port. Addresses are
assigned in the range 192.168.1.2 to 192.168.1.254.
To configure DHCP server settings

1. Go to Advanced > IP Address Distribution.
2. Click Edit in the Action column.

The DHCP Settings page appears.
3. Choose DHCP Server as the service for IP Address Distribution.

4. Configure the DHCP server settings as required.
Start IP Address Enter the first IP address in the range of IP addresses

to be assigned by the DHCP server.
End IP Address Enter the last IP address in the range of IP addresses to
be assigned by the DHCP server.
Subnet Mask Enter the subnet mask for the IP addresses in the range.
WINS Server IP Address If required, enter the IP address of the Windows Internet
Naming Service (WINS) server.
90 IP address distribution (DHCP)

Default gateway for Important for CNX-200 product configuration: the

DHCP clients Default Gateway must be the IP address of the
Xcelerator module.
WINS Server IP Address Enter the IP address of the WINS (Windows Internet
Name Service) on your network if applicable.
Lease Time in Minutes Enter the lease time for the IP addresses assigned by
the DHCP server. When the lease expires the server will
determine if the computer has disconnected from the
network. If it has, then the server may reassign this IP
address to a newly-connected computer. This feature
ensures that IP addresses that are not in use will become
available for other computers on the network.
Provide Host Name If Not Enable to have the CNX Cabin Gateway product assign
Specified By Client the DHCP client a default name if it does not have one.
5. To save your changes click OK.
To view DHCP connections

To view the list of computers currently recognized by the DHCP server:
1. Go to Advanced > IP Address Distribution.
2. Click Connection List.

The DHCP Connections page appears.
IP address distribution (DHCP) 91

104
Assigning static IP addresses

You can assign IP addresses to devices that do not have a DHCP client. In this case, a
specific IP address is linked with the MAC address of the device.
1. Click New Static Connection on the DHCP Connections page.
The DHCP Connection Settings page opens.
2. Enter a host name for this connection.

3. Enter the static IP address of the computer.
4. Enter the MAC address of the computer network card.
5. To save your changes, click OK.
92 IP address distribution (DHCP)

Routing
To view the routing table go to Advanced > Routing.
For details about VRRP, see VRRP on page 96.
Figure 38: Routing table example
Routing Table
The Routing Table displays information about each route, as described in Table 28.
Table 28: Routing table information

Name The name that identifies the route.
Destination The destination IP or destination network IP for the route.
Gateway The gateway to send traffic to that is
Netmask The network mask.
Metric Also called the Device Metric, the metric is a value used by the
CNX Cabin Gateway product to determine if one route is better
than another. The lower the metric the better and shorter the
route.
Status Shows Applied if the route is active.
Action Click Edit to make changes to the route. Click Remove to delete
the entry from the table.
New Route Click to create a new entry in the routing table.
To add a route to the Routing Table

1. Go to Advanced > Routing.
2. Click New Route.
3. Enter the Destination IP address, the Gateway IP address, and the Netmask for the
new route.
Routing 93
104
4. Click OK.
The new route is added to the Route Table.
Routing Protocols
Table 29: Routing protocols
Multicasting Select to enable the CNX Cabin Gateway product to act as an
IGMP (Internet Group Multicast Protocol) proxy for all computers
on the internal network.
Multicasting allows hosts connected to the network to be updated
when important network changes occur. A multicast is a message
sent simultaneously to a pre-defined group of recipients.
Routing Information Select to enable RIPv1 and RIPv2 support.
Protocol (RIP)
94 Routing
VLAN
The CNX Cabin Gateway product includes a VLAN feature to enable seamless integration
with multiplexed VLAN topologies.
VLAN support is configured on a port by port basis for each LAN Ethernet port. VLAN
parameters are described under LAN Ethernet on page 78.
Table 30 summarizes VLAN configuration options.
Table 30: VLAN Configuration Summary

Port
Configuration Can communicate with Cannot communicate with
Tagged • Tagged ports with the same • Tagged ports with a different VLAN
VLAN ID ID
• Untagged ports with the same • Untagged ports with no VLAN ID
VLAN ID or a different VLAN ID
• Wireless and WAN ports
according to the Bridge Access for
VLAN Identifier parameter.
Untagged with • Untagged ports with no VLAN ID • Tagged ports
no VLAN ID • Wireless and WAN ports • Untagged ports with a VLAN ID
Untagged with • Tagged ports with the same • Untagged ports with no VLAN ID
VLAN ID VLAN ID or a different VLAN ID
• Untagged ports with the same
VLAN ID
• Wireless and WAN ports
according to the Bridge Access for
VLAN Identifier parameter.
Note: All ports, whether they have a VLAN ID or not, will have access to the wireless
and WAN ports if all eight ports are configured as Untagged.
VLAN 95
104
VRRP
To view the VRRP (Virtual Router Redundancy Protocol) configuration settings go to
Advanced > VRRP.
Figure 39: VRRP settings
About VRRP
VRRP allows routers on a multiaccess link to use the same virtual IP address. One router
is the master (based in its priority) and the other routers act as backups in case the master
router fails. The master periodically advertises its status, to alert the other VRRP routers
that it is functioning, and that they can remain as backups.
If the master stops advertising its status, then a new master is chosen from the backup
virtual router(s) based on priority. The new master then handles the routing of packets to
the VR (Virtual Router) address, and will begin to advertise its status.
The VRRP v2 implementation is used by the CNX Cabin Gateway product (conforms to
RFC2338.)
VRRP settings
Table 31: VRRP advanced settings
General
Enable the Virtual Select to enable the VR.
Router
Interface Select the operating interface for the VR.
Address Enter the IP address for the VR.
96 VRRP
Table 31: VRRP advanced settings

VRID Enter the Virtual Router ID for the VR. This is only required to
identify VRs if there is more than one.
Advanced Settings
Priority Determines the selection of the VR master. Leave at default
setting (100). Set the Accelerator VRRP priority higher (120), so
that the Accelerator is chosen as the VR master and the Network
module is the backup master.
Interval The time (in seconds) between VRRP advertisements. Only
applies when the CNX Cabin Gateway product is the master.
Preemptive Mode Determines whether the CNX Cabin Gateway product will try to
usurp the owner of an interface when it participates in an election.
To configure VRRP
1. Go to Advanced > VRRP.
2. Select Enable the Virtual Router.
3. Select the interface on which VRRP will be active.
4. Enter the IP address of the VR. (Use the same IP for the Accelerator VRRP
configuration.)
5. Enter the VRID of the VR, if required.
6. Click OK.
VRRP is now running.
7. Configure the same IP and set the Priority for the Accelerator module. See Using
VRRP on page 130.
Disable VRRP by deselecting Enable the Virtual Router on the VRRP configuration
page and clicking OK.
VRRP 97
104
User authentication
The CNX unit lets you build a list of user accounts to validate administrator logins and
remote user logins to the PPTP server.
To view the User list go to Advanced > Users.
Figure 40: User list
To add a user
1. Go to Advanced > Users and click New User.
The User Settings appear.
2. Specify the following authentication settings, as required:
General
Full Name Enter the remote user’s full name.
User Name Enter the name the remote user will use to log in to
the PPTP server.
New Password Enter a password for the remote user. If you do not
want to change the remote user’s password, leave
this field empty.
Retype New Password Re-enter the new password or leave blank if
password not changed.
98 User authentication
Permissions Enable Administrator Privileges to grant

modification privileges via Telnet or the web-based
manager to the user.
Enable Remote Access by PPTP to enable access
without system modification privileges for the
new user.
E-Mail
Address Enter the user’s email address.
• Retype New Password: If a new password was assigned, type it again.

• Permissions: Select the remote user’s privileges once logged in:
• Remote Access by PPTP: Grants access with no system modification
privileges.
• Administrator Privileges: Grants remote system setting modification via
web-based management or Telnet.
User authentication 99
104
Simple Network Management Protocol

Simple Network Management Protocol (SNMP) enables network management systems
to remotely configure and monitor the CNX unit. Your Internet Service Provider (ISP) may
use SNMP for troubleshooting.
To configure SNMP support

1. Go to Advanced > SNMP.
2. Configure the following SNMP settings as required:
Enable SNMP Agent Enable or disable SNMP support.

Read-Only Community Name Enter the password which controls read-only
access to the CNX via SNMP.
Read-Write Community Name Enter the password which controls read-write
access to the CNX via SNMP.
3. To save and activate your changes, click OK.
Important! The CNX unit will now respond to SNMP requests on the LAN port only. To
enable SNMP on the WAN ports, see Remote management on page 19.
100 Simple Network Management Protocol

Firmware upgrades (Network module)

You must upgrade the Network and Accelerator modules separately. To upgrade the
Accelerator firmware, see Firmware upgrades (Accelerator module) on page 134.
Important! Save a backup configuration file before performing an upgrade.

See Saving Network module configuration files on page 24.
Firmware upgrades can be performed automatically or manually. To use either option, go

to Advanced > EMS Firmware Upgrade.
Figure 41: Firmware Upgrade settings
To upgrade from the Internet
Note: The Upgrade from the Internet feature will be supported in a future release.
To upgrade from a computer in the network

To upgrade the CNX firmware using a file that you have previously downloaded from the
Internet or received on CD:
1. When you receive notification that a new software version is available, retrieve the
file as instructed and store it on a computer on the local network.
2. Save your configuration to a file. See Saving Network module configuration files on
page 24.
3. Restore the Network module factory default settings to avoid possible conflicts with
any new features. See Restoring and restarting on page 103.
Firmware upgrades (Network module) 101

104
4. Go to Advanced > EMS Firmware Upgrade and click Upgrade Now.
5. Click Browse.
6. Choose the file to upload to the CNX unit and click Open.
The file must have a .rmt extension (for example, emsar-5.rmt).
7. Click OK.
The file is uploaded to the CNX unit.
8. After the file has been transferred to the CNX Cabin Gateway product, its validity will
be verified and you will be asked to confirm that you want to upgrade the CNX Cabin
Gateway product. Click Yes to confirm.
The upgrade process begins and should take about one minute to complete.
9. When the upgrade is complete, the CNX Cabin Gateway product automatically
reboots.
10. Cycle power to the CNX Cabin Gateway product to ensure a clean restart.
11. Upload the configuration file saved in step 2. See Saving Network module
configuration files on page 24.
12. Go to Advanced > Restart and restart the CNX Cabin Gateway product.
13. Cycle power to the CNX Cabin Gateway product.
102 Firmware upgrades (Network module)

Restoring and restarting

You can restore the CNX Cabin Gateway product factory default settings or restart the
CNX Cabin Gateway product if required. You may want to clear the settings for testing
and then restore your original settings in a configuration file. For details see Saving
Network module configuration files on page 24.
Important! All CNX Cabin Gateway product settings will revert to the default values. This
includes the administrator user name and password, and the IP address assigned to the
LAN and WAN ports. Save a backup configuration file before restoring the default
settings. See Saving Network module configuration files on page 24.
To restore factory default settings

Use a pointed object – such as a paperclip – to press and hold the reset button on the
back panel of the CNX unit for 15 seconds.
or
Go to Advanced > Restore Defaults and click OK.
Figure 42: Restore Default settings
To restart the CNX unit

1. Go to Advanced > Restart.
2. Click OK to restart the CNX unit.

It can take up to one minute for the CNX unit to restart and become operational.
To access the web-based manager after restarting, click the Refresh button in your web
browser.
Restoring and restarting 103

104
Watchdog triggering
The watchdog timer will safely restart the CNX Cabin Gateway product if the system is
not responding and does not recover within a specified period of time. To access the
watchdog settings go to Advanced > Watchdog Triggering.
To configure the watchdog

1. Go to Advanced > Watchdog Triggering.
2. Enable watchdog triggering.
3. Enter Keep Alive Signal Margin and the Ending Message as required:
Keep Alive Signal Margin Enter the amount of time in seconds that the
watchdog should wait before restarting if the CNX
Cabin Gateway product is not communicating.
Ending Message Optional. Enter a message to send to the console
when the watchdog is triggered.
4. Click OK.
104 Watchdog triggering

SECTION 5
Network Security
This chapter explains how to operate and configure the CNX® security and firewall settings
using the web-based manager.
The CNX unit features a customizable stateful firewall that can be used to control both
incoming and outgoing traffic on all LAN and WAN connections.
The firewall regulates the flow of data between the LAN and WAN connections. Both
incoming and outgoing packets are inspected and either accepted (allowed to pass
through the CNX network) or rejected (barred from passing through the CNX network)
according to a flexible and configurable set of rules. Firewall rules are global and apply
to all connection types for which the firewall is enabled.
There are a two important guidelines for configuring a firewall:
• Block everything first (use Maximum Security), then selectively open ports to allow
specific applications
• Use the Security Log to record rejected connection attempts to monitor for potentially
malicious traffic

Pre-defined firewall settings 106
Access controls 108
Local servers 110
DMZ host 113
Advanced filtering 114
Security log 118
105
120
Pre-defined firewall settings

Go to Security > General to view the three pre-defined firewall settings you can customize
or use as-is.
Table 32 summarizes the behavior of the firewall for each security level.
Table 32: Firewall security levels

Security Level Traffic originating from the WAN Requests originating from the
LAN
Maximum Blocked: No access to the local Limited: Only commonly-used
network from the Internet, except as services, such as Web-browsing
configured on the Local Servers, (HTTP/HTTPS), e-mail (SMTP),
DMZ Host and Remote Access Telnet, FTP, DNS, IMAP, POP3, and
pages. Ping are permitted.
Typical Blocked: No access to the local Unrestricted: All services are
(Default) network from the Internet, except as permitted, except as configured on
configured on the Local Servers, the Access Control page
DMZ host and Remote Access
pages
Minimum Unrestricted: Permits full access Unrestricted: All services are
from Internet to the local network; all permitted, except as configured on
connection attempts are permitted. the Access Control page
106 Pre-defined firewall settings

Note: Using the Minimum Security setting may expose your LAN to significant security
risks, and thus should only be used, when necessary, for short periods of time.
Block IP Fragments
Enable this option to protect your network from a common type of hacker attack that makes
use of fragmented data packets.
Note: VPN over IPSec and some UDP-based services make legitimate use of IP
fragments. These services will not work if this option is enabled.
Pre-defined firewall settings 107

120
Access controls
Access controls enable you to add additional rules to the firewall to block computers on
the local network from accessing services on the Internet. For example, you could prohibit
one computer from surfing the Web, another computer from transferring files using FTP,
and the whole network from receiving incoming e-mail.
Access Controls work by placing restrictions on the types of requests that can pass from
the local network out to the Internet, and thus may block traffic flowing in both directions.
In the e-mail example given above, you may prevent computers on the local network from
receiving incoming e-mail by blocking their outgoing requests to POP3 servers on the
Internet.
To add access controls

1. Go to Security > Access Controls.
108 Access controls

2. Click New Entry.

The Add Access Control Rule page appears (partial screen shown).
3. Select the service or services that you want to block.

To block a service that is not included in the list, click New User-Defined Service and
add a new service that filters the required port and protocol.
4. Enter the IP address of the Local Host computer that you would like to block from
accessing the service(s), or select Block Entire LAN to block all LAN computers.
5. Click OK to save your changes.
Access controls 109

120
Local servers
For optimum security of the local network, the CNX unit blocks all external computers from
accessing computers connected to the local network. This will stop certain applications
from working on local computers, including:
• certain Internet-based games
• voice and chat applications
• local web and FTP servers
To enable support for these types of applications use the Local Servers page to open up
the firewall for each specific application on a per-computer basis.
The Local Servers page provides a list of the most commonly used applications that
require special handling—all you have to do is identify which of the applications you want
to use and the local IP address of the computer that will be using the service.
For example, if you want to use the Net2Phone voice application on a local computer you
would simply select ‘Net2Phone’ from the list and enter the local IP address of that
computer in the right-hand column. All Net2Phone-related data arriving at the CNX unit
from the Internet will then be forwarded to the specified computer.
Figure 43: Security - Local Servers
Similarly, if you want to grant Internet users access to servers on the local network, you
must identify each service that you want to provide and the computer that will provide it.
For example, if you want to host a Web server on the local network you must select
HTTP - Web Server from the list and enter the local IP address of the computer that will
host the web server in the right-hand column. Then when an Internet user points their
browser to the external IP address of the CNX unit, the CNX unit will forward the incoming
HTTP request to the computer that is hosting the web server.
110 Local servers

Local Servers also enable you to redirect traffic to a different port. For example, if you
have a web server running on your PC on port 8080 and you want to grant access to this
server to anyone who accesses the CNX unit via HTTP, you must:
1. Define a local server for the HTTP service, with the IP address or hostname of the
computer.
2. Specify 8080 in the Forwarded Port field.
All incoming HTTP traffic will now be forwarded to the local computer running the web
server on port 8080.
To add a new local server

1. Go to Security > Local Servers.
2. Click New Entry.
The Add Local Servers page appears.
3. For the Local Host, specify the IP address of the computer that will provide the service
(the “server”).
Note that only one LAN computer can be assigned to provide a specific service or
application.
4. Select the service the computer will provide. To add a service that is not included in
the list click Add User Defined Service.
Application level gateways

Some applications, such as FTP, TFTP, PPTP, and H323, require the support of special,
application-specific Application Level Gateway (ALG) modules in order to work. Data
packets associated with these applications contain information that allows them to be
Local servers 111

120
routed correctly. An ALG is needed to handle these packets and ensure that they reach
their intended destinations. The CNX unit is equipped with a robust list of ALG modules
in order to enable maximum functionality in the home network.
112 Local servers

DMZ host
The DMZ (Demilitarized Zone) Host feature allows one local computer to be exposed to
the Internet outside the protection of the firewall. Designate a DMZ host when:
• You want to use a special-purpose Internet service, such as a video-conferencing
program, that is not present in the Local Servers list and for which no port range
information is available.
• You are not concerned with security and want to expose one computer to all services
without restriction.
Entries on the Local Servers page take priority over the DMZ host. This means that if the
DMZ host is a web server, but you also have defined another local computer to receive
web traffic on the Local Servers page, all incoming web traffic will be sent this computer
and not the DMZ host.
Important! A DMZ host is not protected by the firewall and may be vulnerable to
attack. Designating a DMZ host may also put other computers in the home network at
risk. When designating a DMZ host, you must consider the security implications and
protect it if necessary.
To add a DMZ host

1. Go to Security > DMZ Host.
2. Specify the local IP address of the computer that you want to designate as a DMZ host.
Note: Note that only one local computer can be a DMZ host at any time.
DMZ host 113

120
Advanced filtering
Advanced filtering gives you comprehensive control over the firewall. You can define
specific input and output rules, control the order of logically similar sets of rules, and make
a distinction between rules that apply to WAN and LAN network devices.
You can configure two sets of rules, Input Rules and Output rules. Each set of rules
consists of three subsets: Initial rules, Network devices rules and Final rules. These
subsets determine the sequencing by which the rules will be applied.
Inbound Packets – Input Rule Sets

Input rule sets are applied in the following order:
• Initial rules.
• All rules in the set of the network device the packet is on.
• Local servers rules from the local server tab in the security page.
• Rules to accept all the packets on a device for which the Firewall check box “Internet
Connection Firewall” in the connection settings page is cleared.
• Remote administration rules from the remote administration tab.
• Final rules.
Outbound Packets – Output Rules Sets

Output rule sets are applied in the following order:
• Initial rules.
• All rules in the set of the network device the packet is on.
• Rules to accept all the packets on a device for which the Firewall check box “Internet
Connection Firewall” in the connection settings page is unchecked.
• IP/hostname filtering rules and access control rules from the tabs in the security page.
• Final rules.
Other rules are automatically inserted by the firewall to provide improved security and
block harmful attacks.
114 Advanced filtering

To add an advanced filtering rule

1. Go to Security > Advanced Filtering.
2. Click Edit for the rule subset you want to view, or click on the title directly.
The Configure Rules page opens, displaying the entries currently part of the rule
subset you selected.
3. Use the buttons in the Action column to add, edit or delete rules. Follow the guidelines
in Table 33 when adding/editing rules.
Table 33: Guidelines for creating firewall rules

Matching
Source IP Address To apply a firewall rule, a match must be made between
IP addresses or ranges and ports. Use the Source IP and
Destination IP Address
Destination IP to define the coupling of source and
destination traffic. Port matching will be defined when
selecting services. For example, if you select the FTP
service, port 21 will be checked for matching traffic flow
between the defined source and destination IP
addresses.
Operation The action the rule will take.
Drop Deny access to packets that match the source and destination IP
addresses and service ports defined in Matching.

120
Table 33: Guidelines for creating firewall rules

Accept Allow access to packets that match the source and destination IP
addresses and service ports defined in Matching. The data transfer
session will be handled using Stateful Packet Inspection (SPI).
Accept Allow access to packets that match the source and destination IP
Packet addresses and service ports defined in Matching. The data transfer
session will not be handled using Stateful Packet Inspection (SPI),
meaning that other packets that match this rule will not be automatically
allowed access. This can useful when creating rules that allow
broadcasting.
Logging Select to add entries relating to this rule to the security log.
Services Select the services to which you would like to apply this rule. You can add
user-defined services by clicking New User-Defined Services.
Filter interesting traffic

You can use advanced filtering to define what type of traffic is “interesting” and will be
tracked for the purposes of On Demand operations. This prevents a connection from being
reconnected or kept alive by the transmission of unimportant data traffic.
For example, if all ping traffic is marked as interesting for a PPP over ISDN connection,
then Ping traffic will be removed from the active filter for that connection. If the connection
is On Demand and disconnected, then Ping traffic will cause the link to reconnect.
Any traffic not specified as “interesting” will simply be rejected when the link is down and
passed through if the link is already up. In the absence of any “interesting” traffic, the
connection will time out according to the idle timer (if one is specified).
To specify interesting PPP traffic

1. Go to Security > Advanced Filtering page.
2. Under Output Rules Sets, click the rule set for your current active PPP connection
(WAN PPP over ISDN Rules or WAN PPP over Modem Rules).
3. Click New Entry.
4. Under Operation, select Interesting PPP.
5. Select the type of service to classify as interesting. A number of services have been
predefined. To define your own service, click New User-Defined Service and specify
the appropriate settings.
6. Click OK.
7. When prompted to confirm, click OK again.
The new filter rule appears in the rule list.
To activate the filter for a connection

1. Go to Network Connections and select the connection for which you want to enable
the filter.
2. Disable the connection if it is active.
116 Advanced filtering

3. Click Settings.
4. Under PPP, enable On Demand.
5. Set the Idle Time Before Hanging Up as required.
6. Click Save.
7. Click Enable to activate the connection.

120
Security log
The Security log displays a list of firewall-related events, including attempts to establish
inbound and outbound connections, attempts to authenticate at an administrative interface
(Web-based Management or Telnet terminal), firewall configuration, and system start-up.
Figure 44: Security Log example
To change the log file settings

1. Go to Security > Security Log and click Settings.
The Security Log Settings page appears.
2. Select the types of activities for which log messages will be generated.
118 Security log

3. To stop logging activities when the memory allocated for the log is full, select Prevent
Log Overrun.
Log event descriptions

The events and event-types described in Table 34 are automatically recorded in the log.
Table 34: Security Log messages

Log message Description
Inbound/Outbound Traffic
Connection accepted The access request complies with the firewall security
policy.
Accepted - Host probed † This TCP connection request from a WAN host matches
the firewall security policy, but the WAN host is not
recognized as trusted. The WAN host is being challenged
to verify that it is a trusted host.
Accepted - Host trusted † A reply from a previously challenged WAN host. This client
becomes a trusted host.
Accepted - Internal All packets are allowed to move freely from one LAN host
traffic† to another.
Blocked - Policy violation This access request violates the firewall’s security policy.
Blocked - IP Fragment If the Firewall is configured to block all IP fragments, this

message is recorded for every blocked fragmented
packet.
Blocked - IP This message is recorded whenever a packet is blocked

Source-Routes due to a Source Route (either strict or loose) option set in
its IP header.
Blocked - State-table The Firewall encountered an error during State-table

error lookup or manipulation. Packet was blocked.
Firewall Setup
Aborting configuration The firewall configuration was aborted before complete.
Configuration complete Firewall configuration is complete.
WBM (Web-based manager) login
Authentication Success A user successfully logged in to the web-based manager.
Authentication Failure A user failed to successfully log in to the web-based

manager.
Security log 119

120
Table 34: Security Log messages

Log message Description
Telnet login
Authentication Success A user successfully logged in to the CLI via Telnet.
Authentication Failure A user failed to successfully log in to the CLI via Telnet.
System up/down
The system is going Notice of a system reboot.

DOWN for reboot
The system is UP! Notice of the system status.
† Inbound traffic only.
120 Security log

SECTION 6
Accelerator Configuration
This section only applies to the CNX-200 product and describes how to configure the
Accelerator module to optimize network speeds.
The CNX-200 product Accelerator module (mobile) and the groundside unit, when
configured with complementary settings, form an end-to-end link for high speed data.
Note: The CNX-200 product Accelerator module is powered by AcceleratorOS 5 from

Expand Networks. This guide only covers the Accelerator settings required for efficient
operation of the CNX Cabin Gateway product components. For more information about
Accelerator OS5 features please see the AcceleratorOS 5 Software Configuration Guide
at http://www.expand.com/.
In this section Page

Accelerator module management 122
Licensing 124
Basic Accelerator settings 127
Links 128
Routing 129
TCP acceleration 131
Saving Accelerator module configuration files 135
121
136
Accelerator module management

The Accelerator web-based manager and CLI provide access to the CNX Accelerator
functions. The management computer must have a web browser.
Starting the Accelerator web-based manager

The Accelerator module is distinct from the Network module on the network and has its
own IP address.
1. Connect a computer to a CNX Cabin Gateway product LAN port using a standard
Ethernet cable.
2. Specify the IP address of the Accelerator module in the browser’s address bar. By
default, this is 192.168.1.3 (10.0.99.99 for older software versions).
The Accelerator login page appears.
Figure 45: Accelerator login page
3. Enter the User name and Password. The default User Name is expand and the
Password is Expand. Both are case sensitive.
The Throughput monitor page appears.
4. Click Setup in the menu bar to access basic configuration settings.
Note: If you forget or lose your password, you can physically reset the CNX Cabin
Gateway product and restore the default settings. See To restore factory default settings
on page 103
122 Accelerator module management

Using the Accelerator module command line interface

The command line interface (CLI) provides full control of all Accelerator functions via a
Telnet session.
Telnet session
1. Connect a computer to a LAN port on the CNX unit using a standard Ethernet cable.
2. Connect power to the CNX unit.
3. Connect to 192.168.1.3 (or the IP address you assigned the Accelerator) via Telnet.
4. When prompted, enter a User Name and Password.
Note: Unless this is your first login after a reset, use the User Name and Password
you defined previously through the web-based manager.
For commands to configure TCP acceleration see TCP acceleration on page 131 For
more information about the Accelerator CLI, see the AcceleratorOS 5 Software
Configuration Guide (99-128-29/0704) at http://www.expand.com.
Accelerator session timeout

Your session will automatically timeout after a few minutes of inactivity. The login page
appears and you must re-enter your username and password to proceed.
Session timeout helps to prevent unauthorized users from accessing the Accelerator
web-based manager.
Accelerator module management 123

136
Licensing
The CNX-200 product Accelerator module requires a license from Expand Networks. The
Accelerator module comes with a 30-day grace period in which to activate the license.
You will receive an I-key document packaged with the CNX Cabin Gateway product. Use
the I-key to obtain your active license.
Note: If an I-key was not provided with the CNX Cabin Gateway product, please contact
EMS Technical Support for assistance.
To get an active license you will need to register on the Expand Customer Extranet and
then login and enter the I-key. The major steps to activate the license are:
• Find and format the serial number
• Register on the Expand Customer Extranet
• Activate the license
Find and format the serial number

A 3-digit serial number (SN) is located on the back label of the CNX Cabin Gateway
product. The serial number must be entered in the following format for license activation:
EMSC00xxx
Where xxx is the SN from the back label of the CNX Cabin Gateway product and EMSC00
is added in front of the number.
Register on the Expand Customer Extranet

1. Go to https://www.expand.com/register and click Register Here.
2. Click Terms & Conditions to read the document and check the Terms & Conditions
box if you agree.
The registration form opens.
3. Fill out the form with your company and user information.
4. Fill out the equipment section exactly as shown, inserting your Accelerator serial
number.
124 Licensing
5. Click Submit.
Registration is complete. Access to the Expand Customer Extranet will be granted
within 2 business days, usually sooner.
Activate the license

Once access is granted to the Expand Customer Extranet, you can activate the license.
1. Go to https://extranet.expand.com and click Licensing.
2. Click Add Product.
3. The Add Product form appears.
4. Fill out the complete Add Product form and click Submit.
You are prompted for the I-key.
5. Enter the I-key and click Activate.
The new serial number and active license are added to My Products. The active
license is a 16 digit alphanumeric string in the format xxx-xxx-xxx-xxx.
6. Log in to the Accelerator module web-based manager.

7. Go to Setup > My Accelerator > Licensing.
8. Enter the serial number and license key and click Upload & Activate.
The Accelerator module should now have an active license.
Errors in license activation

The following errors may occur during license activation.
Table 35: License activation errors

Error / Exception Action
Licensing 125
136
Table 35: License activation errors

Invalid Serial Number Get the correct serial number (SN) from the back label of the
CNX Cabin Gateway product. To enter the serial number,
type EMSC00xxx, where xxx is the number from the label.
For example, if the SN from the CNX Cabin Gateway product
label is 012 then type EMSC00012.
Get Product ID Product ID refers to the Accelerator Module only. Do not use
the Product ID for licensing. Check your serial number as
described above and try again.
Viewing licensing information

Go to Setup > My Accelerator > Licensing in the Accelerator module web-based
manager. When the Accelerator module is in evaluation mode, this is indicated on the
licensing page, as shown in Figure 46. When the license is active it is displayed in red on
the licensing page, as shown in Figure 47.
Figure 46: Example Accelerator license - Evaluation
Figure 47: Example Accelerator license - Active
126 Licensing
Basic Accelerator settings

This example describes settings for each end of the Accelerator link, including Basic,
Advanced, and My Routes.
To access the Basic settings go to SETUP > Basic.
Figure 48: Example of Basic Accelerator settings
Table 36 shows an example of a complementary configuration between the CNX-200

product Accelerator module and the groundside Accelerator unit.
Table 36: Basic Accelerator settings example, mobile and ground

Accelerator Groundside
module Accelerator
Basic
IP Address 192.168.1.3 192.168.4.3
Default Gateway 192.168.1.1 192.168.4.1
(IP address of Network module) (IP address of groundside LAN)
Subnet 255.255.255.0 255.255.255.0
Routing Strategy Auto Auto
Advanced Settings
Deployment Type On-LAN On-Path
Deployment Size 1-5 1-5
Default WAN 64 Kbps for one channel or 64 Kbps for one channel or
Bandwidth 128 Kpbs for two channels 128 Kpbs for two channels
Basic Accelerator settings 127

136
Links
A link is a logical connection between the CNX-200 product Accelerator module and the
groundside Accelerator unit. The network performance over this managed link is optimized
by the Accelerator.
1. In the Accelerator web-based manager, go to Setup > My Links.
2. Set the basic link properties:
Destination IP IP address of the other Accelerator unit.

Name Give the link an easily identifiable name.
Bandwidth Set the maximum throughput allowed to traverse the link.
IPComp IPComp (tunneled encapsulation) enables the best compression
rate for the link. IPComp sets the packets intercepted by the
Accelerator to be completely compressed. This means that the IP
header, the TCP/UDP header, and the payload are compressed
and the packet traversing the network will have an Accelerator
Proprietary IPComp header.
Router Router Transparency (RT) encapsulation is appropriate in an
Transparency environment where header preservation is necessary, including
QoS deployments, monitoring (NetFlow), Load Balancing, Billing,
encryption, and certain firewall environments.
In RT encapsulation, only the packets’ payload is compressed,
leaving the original IP header and the original TCP/UDP header
in their original forms so that their information is available across
the network. RT encapsulation is only available for On-Path
deployments and does not support TCP Acceleration.
3. Click Add.
128 Links
Routing
To access the routing settings go to SETUP > My Accelerator > My Routes. Configure
OSPF or RIP routing protocols, or manually add routes to the table according to the
network requirements. If you are configuring VRRP, you will need to use the command
line interface.
Figure 49: Example of My Routes Accelerator settings
Route Rules table

As shown in Figure 49 above, the Route Rules table lists all routes. Routes are displayed
in the table whether added dynamically or manually.
Table 37: Route Rules table description

# Type Subnet Mask Via Device
Order Gateway, The IP address of The subnet The IP address Local, or
route Manual, the destination mask. of the gateway Remote.
was Connected, or subnetwork. (router) that is
added. Dynamic. the next hop to
the destination
subnet.
Using OSPF and RIP

Access OSPF, RIP-1, or RIP-2 configuration by clicking the appropriate button.
For details about configuring these routing protocols for the Accelerator please see the
Accelerator online help or the AcceleratorOS 5 Software Configuration Guide at
http://www.expand.com/.
Routing 129
136
Adding manual routes

Configure manual routes so the Accelerators on both ends of the link can pass traffic to
the correct networks.
To manually add a route to the table

If the Accelerator network does not support dynamic routing, subnets can be added and
edited manually.
1. In the Accelerator web-based manager, go to Setup > My Accelerator > My Routes.
2. Under Static Routing, enter the route properties:
Subnet Destination subnet address.

Mask Destination subnet mask.
Next Hop The router or switch to which to send packets destined
for this subnet.
Add as local subnet Select to identify the route as a local subnet.
Advertise Local Subnet Local subnet only. Broadcast this subnet to other
devices on the network.
3. Click Add.
Using VRRP
Note: You must enable VRRP for the Network module. See VRRP on page 96 for
configuration procedures and a general description of Virtual Router Redundancy
Protocol.
To learn more about logging in to the CLI, see Using the Accelerator module command
line interface on page 123.
The command syntax is the same for all CLI commands.
To enter command mode

To make any changes via the CLI you must be in command mode.
expand> enable
expand# configure terminal
expand(config)#
To set up VRRP
Use the following commands to set up VRRP for the Accelerator module. By setting the
priority higher than the Network module, the Accelerator module will be the Master and
advertise the virtual router IP address. If the Accelerator module goes down, the Network
module becomes the master.
expand(config)# VRRP 1 IP <VR_IP> <- same as for Network module
expand(config)# VRRP 1 PRIORITY 120
130 Routing
TCP acceleration
Transmission Control Protocol (TCP) is designed for reliable IP communications over
LANs and smaller networks. TCP is not, however, ideally suited for high latency and high
packet loss WAN and GAN communication over satellite.
The CNX-200 product Accelerator module from Expand Networks uses the SCPS (Space
Communications Protocol Standards) protocol package to improve TCP performance.
For more information about SCPS, visit http://www.scps.org/.
For more information about Expand Networks, visit http://www.expand.com/.
Note: Advanced TCP acceleration settings can only be configured using the CLI. This
Guide describes how to use the CLI to configure all the relevant TCP acceleration settings
for the CNX Cabin Gateway product.
TCP acceleration commands

To learn more about logging in to the CLI, see Using the Accelerator module command
line interface on page 123
The command syntax is the same for all CLI commands.
To enter command mode

To make any changes via the CLI you must be in command mode.
expand> enable
expand# configure terminal
expand(config)#
To enter TCP Acceleration configuration for a link

TCP Acceleration must be configure on a per-link basis. Do not use global TCP
acceleration commands.
expand(config)# interface link <link_name or destination_IP>
expand(LINK)# tcp-acceleration
expand(TCP-ACC)#
Table 38 describes the commands and variables for configuring TCP acceleration.
Table 38: TCP acceleration CLI commands

Command & Syntax Description
Enabling commands
expand(LINK)# tcp_acceleration Enter these commands go into TCP

expand(TCP-ACC)# acceleration configuration and enable
tcp_acceleration enable TCP acceleration for a specific link.

136
Table 38: TCP acceleration CLI commands

Command & Syntax Description
Data rate commands

Configure typical data rates to help the Accelerator module determine optimum settings.
expand(TCP-ACC)# typical-rtt Enter this command in TCP acceleration

[value in milliseconds] mode to set the typical Return Trip Time
(rtt) for the network link.
expand(TCP-ACC)# Enter this command in TCP acceleration

typical-acceleration-rate mode to determine the percent increase in
[percent increase value] the data rates with TCP acceleration
enabled.
Example Accelerator module configuration

# AcceleratorOS configuration file
# Generated by AcceleratorOS v5.0(5) build 1.45 on Mar 30, 2005 at
16:26
!
!
interface local
ip address 192.168.4.2 255.255.255.0
ip default-gateway 192.168.4.1
routing-strategy routing-only
!
interface link 1
description L-192.168.1.3
bandwidth 128
link destination 192.168.1.3
subnet exclude 192.168.1.3 255.255.255.255
tcp-acceleration
use-global-tcp-acceleration disable
tcp-acceleration enable
typical-rtt 1200
window send 70000
window receive 70000
typical-acceleration-rate 300
!
!
interface ethernet 0/0
link-mode 10Mbit-full
!
interface ethernet 0/1
link-mode 10Mbit-half
132 TCP acceleration

!
ip route 192.168.1.0 255.255.255.0 192.168.4.3
!
!
End

136
Firmware upgrades (Accelerator module)

You must upgrade the Network and Accelerator modules separately. To upgrade the
Network module firmware, see Firmware upgrades (Network module) on page 101.
The AcceleratorOS software can be upgraded by uploading software from a remote server
or from the local drive.
1. Go to Tools > Upgrade.
2. From the Copy method field, select the way the file will be copied (ftp, tftp, http or scp).
3. Enter the user name, password and IP address of the device from which the files are
to be copied.
4. Enter the path to the file, followed by the file name (the file will be a .tgz file).
5. Copy the file to the user area.
6. Click the Copy Bundle button.
7. Reboot the Accelerator with the new file name.
After rebooting, the Accelerator will extract the file and run it.
8. 10 MB of free space is provided on the Compact Flash card for file extraction. The
Accelerator itself can be used as the server for upgrades to other Accelerators.
134 Firmware upgrades (Accelerator module)

Saving Accelerator module configuration files

The Accelerator module configuration operates separately and differently from the
Network module configuration. The Accelerator module configuration is not erased when
the software is upgraded.
Any changes to the Accelerator settings are stored in the running configuration until
changed or the unit is shut down. Save changes to the startup configuration to make them
permanent.
To access configuration tools go to Tools > Configuration Tools. From here you can
write, erase, or export the Accelerator configuration.
Figure 50: Accelerator configuration tools
To save the current configuration to the Accelerator

1. Make all the changes you want to permanently save.
2. Go to Tools > Configuration Tools and click Write Startup Configuration.
The new configuration is saved to the Accelerator and will be used at the next start-up.
Saving Accelerator module configuration files 135

136
To save the startup configuration to a file

1. Go to Tools > Configuration Tools and click Export Startup Configuration.
The configuration file appears in a new window.
2. Click Save....
3. Name the file, select .txt or .html file type, browse to the location you want to save it,
and click Save.
Writing the Accelerator configuration from a file

The Accelerator module does not automatically upload previously saved configuration
files. To apply a saved configuration, you must access the Command Line Interface (CLI)
and copy and paste the commands from the file.
1. Access the Accelerator module CLI. See Telnet session on page 123.
2. At the CLI prompt, type enable.
3. Type configure terminal.
4. Copy the configuration file content and paste at the CLI prompt.
5. Press Enter.
6. Type exit once to exit from the config terminal.
7. Type write to save the configuration.
The configuration is applied to the Accelerator module.
8. Type exit until you have exited fully from the CLI.
136 Saving Accelerator module configuration files

APPENDIX A: INSTALLATION INFORMATION SHEET

Use this sheet to keep track of installation information and when contacting product
support.
CNX Cabin Gateway Product

Part Number
Serial Number
Software Version
Mod Status
Aircraft Information
Owner
Tail Number
Serial Number
Model / Type
Installation Information
Installation Facility
Name of Installer
Checked by
STC Number
Date of Installation
1
2
Blank Page
2
APPENDIX B: INSTALLATION VERIFICATION CHECKLIST

Use this checklist to perform an electrical check that confirms correct electrical installation of the
CNX Cabin Gateway product.
Check 9
Power
Check that power LED is on: green
Check that SATCOM avionics are powered on
Ethernet Ports
1. Plug in a computer to an Ethernet port.
2. Open the web browser.
3. Go to 192.168.1.1 – You should see the CNX Cabin Gateway product Login
Page.
Note: The IP address may differ from the default, check with your network
administrator.
Repeat for each wired Ethernet port.
If an Ethernet port does not work check wiring.
Wireless Connection
If using wireless:
1. Turn on a laptop with a wireless connection.
2. Go to Start > Control Panel > Wireless Networks.
3. The laptop should automatically detect the wireless network.
4. Select the ems.home wireless network.
5. Open the web browser and connect to 192.168.1.1 – You should see the
CNX Cabin Gateway product Login Page.
administrator.
If not using wireless:
Make sure wireless service is turned off on the CNX-200 product Network
module to avoid unauthorized access to the network. See the CNX Installation
manual for instructions (MN-1252-50106).
Connection to SATCOM Avionics
Login to CNX-200 product Network module at 192.168.1.1.
administrator.
Go to Network Connections > ISDN and make sure ISDN0 or ISDN1 (for
connection to an HSD-128 or HSD-400) shows Connected.
Go to Network Connections > WAN Ethernet and make sure Eth (if wired to
an HSD) shows Connected.
1
2
Blank Page
2

EMS - Enfusion CNX PDF

Uploaded by

Copyright:

Available Formats

EMS - Enfusion CNX PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

EMS - Enfusion CNX PDF

Uploaded by

Copyright:

Available Formats

eNfusion™ CNX® Cabin Gateway Series

Network Administrator’s Guide

eNfusion™ CNX® Cabin Gateway Series Network Administrator’s Guide

Finding what you need.................................................................................... 4

Abbreviations and acronyms ......................................................................... 6

Product Terms and Conditions ...................................................................... 8

Getting Started .......................................................................9

Overview of configuration steps .................................................................. 11

Network module management ..................................................................... 13

Remote management .................................................................................... 19

Configuring administrative settings ............................................................ 21

Saving Network module configuration files................................................ 24

Network Connections and Connection Profiles................27

Configuration and operation essentials ...................................................... 28

Viewing network connections ...................................................................... 30

Choosing a connection type ........................................................................ 31

Modifying base WAN connections ............................................................... 35

Creating connection profiles ........................................................................ 36

Using backup connections ........................................................................... 69

Base Network Connection Settings ...................................71

WAN Ethernet-VHSI ....................................................................................... 75

WAN modem .................................................................................................. 82

LAN Wireless Access Point .......................................................................... 83

LAN VHSI ........................................................................................................ 92

Network Management ..........................................................95

System Monitoring ........................................................................................ 96

DNS management .......................................................................................... 98

IP address distribution (DHCP) .................................................................. 101

Routing ......................................................................................................... 104

VLAN ............................................................................................................. 106

User authentication ..................................................................................... 109

Simple Network Management Protocol ...................................................... 111

Firmware upgrades (Network module) ...................................................... 112

Restoring and restarting ............................................................................. 114

Watchdog triggering.................................................................................... 115

Access controls ........................................................................................... 120

Local servers ............................................................................................... 122

DMZ host ...................................................................................................... 125

Advanced filtering ....................................................................................... 126

Security log .................................................................................................. 130

Accelerator module management .............................................................. 134

Basic Accelerator settings ......................................................................... 139

Links ............................................................................................................. 140

Routing ......................................................................................................... 141

TCP acceleration ......................................................................................... 143

Firmware upgrades (Accelerator module) ................................................ 146

Saving Accelerator module configuration files ........................................ 147

Appendix A : Installation Information Sheet ................. A-1

Appendix B : Installation Verification Checklist............ B-1

Introducing the CNX Cabin Gateway Series

Model Part Number Description

CNX-200 Product - Two products in one

Network Module Accelerator Module

Introducing the CNX Cabin Gateway Series  1

Product EMS Part Number Description

Other key management features include:

2  Introducing the CNX Cabin Gateway Series

Finding what you need

Section Title Contents

Introducing the CNX Cabin Gateway Series 1

2 Introducing the CNX Cabin Gateway Series

Finding what you need 3

4 Finding what you need

Abbreviations and acronyms 5

6 Abbreviations and acronyms

Product Terms and Conditions 7

8 Product Terms and Conditions

10 The CNX Cabin Gateway network

Overview of configuration steps 11

Network module management 13

14 Network module management

Network module management 15

16 Network module management

Network module management 17

18 Network module management

Configuring administrative settings 21

22 Configuring administrative settings