Cisco Router DPC3925 User Manual
4021192 Rev B

Configure Wireless Settings

Wireless > WDS Settings

The Wireless Distribution System (WDS) Settings page allows you to expand the coverage of your wireless network by deploying signal repeaters. Make sure the channel settings are the same for all WDS enabled devices.

Select the WDS Settings tab to open the Wireless WDS Settings page. Use this page to configure the WDS settings.

Wireless WDS Settings Page Description

Use the descriptions and instructions in the following table to configure the wireless distribution system settings for your residential gateway. After you make your selections, click Save Settings to apply your changes or Cancel Changes to cancel.

| Section | Field | Description |
| --- | --- | --- |
| WDS | WDS MAC Address | Displays the WDS MAC Address (or BSSID) of your gateway access point |
| | Allow Wireless Signal To Be Repeated by a Repeater | Check this box to allow a wireless client to connect to a repeater and route traffic between the wireless client and a repeater. A maximum of 3 repeaters are allowed. |
| | Remote Access Points MAC Address (MAC 1 through 3) | Use the three fields (MAC 1, 2, and 3) to enter the MAC address of the repeaters |
Wireless > QoS

Quality of Service (QoS) ensures better service to high-priority types of network traffic, which may involve demanding, real-time applications, such as video conferencing. QoS settings allow you to specify priorities for different types of traffic. Lower priority traffic will be slowed down to allow greater throughput or less delay for high priority traffic.

Select the QoS tab to open the Wireless QoS page.

Wireless QoS Page Description

Use the descriptions and instructions in the following table to configure each QoS setting. After you make your selections, click Save Settings to apply your changes or Cancel Changes to cancel.

| Section | Field | Description |
| --- | --- | --- |
| Quality of Service (QoS) | Wireless WMM Support | If WMM (Wi-Fi Multimedia) is supported by your wireless clients, enabling this feature means that voice and multimedia traffic will be given higher priority than other traffic. Select the desired option: Enable (factory default) or Disable. |
| Section | Field | Description |
| --- | --- | --- |
| | No ACK | Allows you to enable or disable NO ACK. This feature is recommended for data services where transmission is important and packet loss is tolerable to a certain degree. If you select Disable, an acknowledge packet is returned for every packet received. This provides a more reliable transmission, but it increases traffic load, which decreases performance. Select the desired option: Enable or Disable (factory default). |
Configure Security

Security > Firewall

Advanced firewall technology deters hackers and protects the home network from unauthorized access. Use this page to configure a firewall that can filter out various types of unwanted traffic on the gateway’s local network.

Select the Firewall tab to open the Security Firewall page.

Use the descriptions and instructions in the following table to configure the firewall for your residential gateway. After you make your selections, click Save Settings to apply your changes or Cancel Changes to cancel.

| Section | Field | Description |
| --- | --- | --- |
| Firewall | SPI Firewall Protection | SPI Firewall Protection blocks Denial of Service (DoS) attacks. A DoS attack does not attempt to steal data or damage your computers, but it overloads your Internet connection so you cannot use it. Select the desired option: Enable (factory default) or Disable. |
| Section | Field | Description |
| --- | --- | --- |
| Filters | Filter Proxy | Enables/disables filter proxy. If local users have access to WAN proxy servers, they may be able to circumvent the content filters and access Internet sites blocked by the device. If you select the Filter Proxy feature, it will block access to any WAN proxy servers. |
| | Block Pop-Up Windows | Enables/disables popup windows. Some commonly used applications employ popup windows as part of the application. If you disable popup windows, it may interfere with some of these applications. |
| | Block Web Page Cookies | Enables/disables cookie blocking. This feature filters the unsolicited delivery of cookies from the Internet to devices in your private local network. Cookies are computer files that contain personal information or web surfing behavior data. |
| | Block Java and ActiveX Scripts | Enables/disables Java applets and ActiveX scripts. This feature helps to protect the devices in your private network from irritating or malicious Java applets that are sent, unsolicited, to devices in your private network from the Internet. These applets run automatically when they are received by a PC. Java is a programming language for websites. If you select the Filter Java Applets feature, you may not have access to Internet sites created using this programming language. This feature also helps to protect the devices in your private network from irritating or malicious ActiveX controls that are sent, unsolicited, to devices in your private network from the Internet. These ActiveX controls run automatically when they are received by a PC. |
| | Block fragmented IP packets | Enables/disables filtering of fragmented IP packets. This feature helps protect your private local network from Internet based denial of service attacks. |
| | Block Port Scan Detection | Enables/disables the gateway from responding to Internet based port scans. This feature is designed to protect your private local network from Internet based hackers who attempt to gain unsolicited access to your network by detecting open IP ports on your gateway. |
| | Block IP Flood Detection (checked – factory default) | Blocks malicious devices that are attempting to flood devices or networks with illegal broadcast packets. Also referred to as a “broadcast storm.” |
| Block WAN Requests | Block Anonymous Internet Requests (checked – factory default) | Enable this feature to keep your network from being pinged or detected by other Internet users. The Block Anonymous Internet Requests feature also hides your network ports. Both make it more difficult for outside users to enter your network. |
Security > VPN Passthrough

Use this page to configure Virtual Private Network (VPN) support. Enabling the settings on this page allows VPN tunnels using IPsec or PPTP protocols to pass through the gateway's firewall.

Select the VPN Passthrough tab to open the Security VPN Passthrough page.

Use the descriptions and instructions in the following table to configure the VPN passthrough for your residential gateway. After you make your selections, click Save Settings to apply your changes or Cancel Changes to cancel.

| Section | Field | Description |
| --- | --- | --- |
| VPN Passthrough | IPSec Passthrough | Enables/disables Internet Protocol Security (IPsec). IPsec is a suite of protocols used to implement secure exchange of packets at the IP layer. If you enable IPSec Passthrough, applications that use IPsec (IP Security) can pass through the firewall. To disable IPSec Passthrough, select Disable. Select the desired option: Enable (factory default) or Disable. |
| | PPTP Passthrough | Enables/disables Point-to-Point Tunneling Protocol (PPTP). PPTP allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network. If you enable PPTP Passthrough, applications that use Point-to-Point Tunneling Protocol (PPTP) can pass through the firewall. To disable PPTP Passthrough, select Disable. Select the desired option: Enable (factory default) or Disable. |
Security > VPN

A Virtual Private Network (VPN) is a connection between two endpoints in different networks that allows private data to be sent securely over public networks or other private networks. This is accomplished by creating a VPN tunnel. A VPN tunnel connects the two PCs or networks and allows data to be transmitted over the Internet as if it were on a private network. The VPN tunnel uses IPsec to encrypt the data sent between the two endpoints and encapsulate the data within a normal Ethernet/IP frame, allowing the data to pass between networks securely and seamlessly.

A VPN provides a cost-effective and more secure alternative to using a private, dedicated, leased line for a private network. Using industry standard encryption and authentication techniques, an IPsec VPN creates a secure connection that operates as if you were directly connected to your local private network.

For example, a VPN allows users to sit at home and connect to their employer's corporate network and receive an IP address in its private network just as though they were sitting in their office connected to their corporate LAN.

Select the VPN tab to open the Security VPN page. Use this page to configure the VPN for your residential gateway.
Security VPN Tunnel Page Description

Use the descriptions and instructions in the following table to configure the VPN tunnel for your gateway. After you make your selections, click Save Settings to apply your changes or Cancel Changes to cancel.

| Section | Field | Description |
| --- | --- | --- |
| VPN Tunnel | Select Tunnel Entry | Allows you to display a list of created VPN tunnels |
| | Create Button | Click this button to create a new tunnel entry |
| | Delete Button | Click this button to delete all settings for the selected tunnel |
| | Summary Button | Click this button to display the settings and status of all enabled tunnels |
| | IPSec VPN Tunnel | Allows you to enable or disable Internet Security Protocol for the VPN tunnel |
| | Tunnel Name | Enter the name for this tunnel |
| Local Secure Group | | Select the local LAN user(s) that can use this VPN tunnel. This may be a single IP address or sub-network. Note that the Local Secure Group must match the remote gateway's Remote Secure Group. |
| | IP | Enter the IP address of the local network |
| | Mask | If the Subnet option is selected, enter the mask to determine the IP address on the local network |
| Remote Secure Group | | Select the remote LAN user(s) behind the remote gateway who can use this VPN tunnel. This may be a single IP address, a sub-network, or any addresses. If Any is set, the Gateway acts as responder and accepts requests from any remote user. Note that the Remote Secure Group must match the remote gateway's Local Secure Group. |
| | IP | Enter the IP address of the remote network |
| | Mask | If the Subnet option is selected, enter the mask to determine the IP addresses on the remote network |
| Section | Field | Description |
| --- | --- | --- |
| Remote Secure Gateway | | Select the desired option: IP Addr., Any, or FQDN. If the remote gateway has a dynamic IP address, select Any or FQDN. If Any is selected, then the Gateway will accept requests from any IP address. |
| | FQDN | If FQDN is selected, enter the domain name of the remote gateway, so the Gateway can locate a current IP address using DDNS |
| | IP | The IP address in this field must match the public (WAN or Internet) IP address of the remote gateway at the other end of this tunnel |
| Key Management | Key Exchange Method | The gateway supports both automatic and manual key management. When automatic key management is selected, Internet Key Exchange (IKE) protocols are used to negotiate key material for Security Association (SA). If manual key management is selected, no key negotiation is needed. Basically, manual key management is used in small static environments or for troubleshooting purposes. Note that both sides must use the same key management method. |
Key Management (continued)

Select one of the following options for the key exchange method:

- Auto (IKE)
  - Encryption: The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Notice that both sides must use the same method.
  - Authentication: The Authentication method authenticates the Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Notice that both sides (VPN endpoints) must use the same method.
    - MD5: A one-way hashing algorithm that produces a 128-bit digest
    - SHA: A one-way hashing algorithm that produces a 160-bit digest
  - Perfect Forward Secrecy (PFS): If PFS is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication. Note that both sides must have PFS enabled.
  - Pre-Shared Key: IKE uses the Pre-Shared Key to authenticate the remote IKE peer. Both character and hexadecimal values are acceptable in this field, e.g., My_@123 or 0x4d795f40313233. Note that both sides must use the same Pre-Shared Key.
  - Key Lifetime: This field specifies the lifetime of the IKE generated key. If the time expires, a new key will be renegotiated automatically. The Key Lifetime may range from 300 to 100,000,000 seconds. The default lifetime is 3600 seconds.
- Manual
  - Encryption: The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Notice that both sides must use the same method.
  - Encryption Key: This field specifies a key used to encrypt and decrypt IP traffic. Both character and hexadecimal values are acceptable in this field. Note that both sides must use the same Encryption Key.
  - Authentication: The Authentication method authenticates the Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Notice that both sides (VPN endpoints) must use the same method.
    - MD5: A one-way hashing algorithm that produces a 128-bit digest
    - SHA: A one-way hashing algorithm that produces a 160-bit digest
  - Authentication Key: This field specifies a key used to authenticate IP traffic. Both character and hexadecimal values are acceptable in this field. Note that both sides must use the same Authentication Key.
  - Inbound SPI/Outbound SPI: The Security Parameter Index (SPI) is carried in the ESP header. This enables the receiver to select the SA under which a packet should be processed. The SPI is a 32-bit value. Both decimal and hexadecimal values are acceptable, e.g., 987654321 or 0x3ade68b1. Each tunnel must have a unique Inbound SPI and Outbound SPI. No two tunnels share the same SPI. Note that the Inbound SPI must match the remote gateway's Outbound SPI, and vice versa.
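The VPN tunnel and key management descriptions above repeat that the two ends of a tunnel must agree or mirror each other (secure groups, methods, keys, SPIs). The check below applies those rules to both ends' settings before they are entered; it is an added example, not part of the Cisco manual. The dictionary keys, the sample values and the "3DES" method name are constructed, and reading a 0x key as the raw bytes of its character form is an assumption based on the manual's My_@123 / 0x4d795f40313233 pair.

```python
import ipaddress

def parse_spi(text):
    """SPI field: decimal or 0x-prefixed hex, and it must fit in 32 bits."""
    value = int(text, 16) if text.lower().startswith("0x") else int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"SPI {text!r} is not a 32-bit value")
    return value

def key_bytes(text):
    """Key fields: 0x form read as raw bytes, character form as ASCII (assumption)."""
    if text.lower().startswith("0x"):
        return bytes.fromhex(text[2:])
    return text.encode("ascii")

def net(ip, mask):
    # Raises ValueError if the IP is not the network address for that mask.
    return ipaddress.ip_network(f"{ip}/{mask}")

def check_tunnel(a, b):
    """List the settings on gateway a that do not line up with gateway b."""
    if a["key_exchange"] != b["key_exchange"]:
        return ["key_exchange"]
    bad = [f for f in ("encryption", "authentication") if a[f] != b[f]]
    # Each side's Local Secure Group must be the other side's Remote Secure Group.
    if net(*a["local"]) != net(*b["remote"]) or net(*a["remote"]) != net(*b["local"]):
        bad.append("secure_groups")
    if a["key_exchange"] == "auto":
        if a["pfs"] != b["pfs"]:
            bad.append("pfs")
        if key_bytes(a["psk"]) != key_bytes(b["psk"]):
            bad.append("psk")
        if not all(300 <= s["lifetime"] <= 100_000_000 for s in (a, b)):
            bad.append("lifetime")
    else:
        bad += [k for k in ("enc_key", "auth_key") if key_bytes(a[k]) != key_bytes(b[k])]
        # Inbound on one side is outbound on the other, and vice versa.
        if (parse_spi(a["spi_in"]) != parse_spi(b["spi_out"])
                or parse_spi(a["spi_out"]) != parse_spi(b["spi_in"])):
            bad.append("spi")
    return bad

# Constructed sample: two ends of one IKE tunnel; "3DES" is a placeholder method name.
SITE_A = {"key_exchange": "auto", "encryption": "3DES", "authentication": "SHA",
          "local": ("192.168.0.0", "255.255.255.0"), "remote": ("10.1.1.0", "255.255.255.0"),
          "pfs": True, "psk": "My_@123", "lifetime": 3600}
SITE_B = {"key_exchange": "auto", "encryption": "3DES", "authentication": "SHA",
          "local": ("10.1.1.0", "255.255.255.0"), "remote": ("192.168.0.0", "255.255.255.0"),
          "pfs": True, "psk": "0x4d795f40313233", "lifetime": 3600}

if __name__ == "__main__":
    print(check_tunnel(SITE_A, SITE_B))
```

An empty list means the two ends agree; any names returned are the fields to correct on one side before saving the tunnel.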