TP-Link TL-ER5120 - Manual

-2- Chapter 1 About this Guide This User Guide contains information for setup and management of TL-ER5120 Router. Please read this guide carefully before operation. 1.1 Intended Readers This Guide is intended for Network Engineer and Network Administrator. 1.2 Conventions In this Guide the following...

-4- Chapter 2 Introduction Thanks for choosing the Gigabit Load Balance Broadband Router TL-ER5120. 2.1 Overview of the Router The Gigabit Load Balance Broadband Router TL-ER5120 from TP-LINK possesses excellent data processing capability and multiple powerful functions including Load Balance, Acces...

-8- Note: Please use only the power cord provided with this Router.

-9- Chapter 3 Configuration 3.1 Network 3.1.1 Status The Status page shows the system information, the port connection status and other information related to this Router. Choose the menu Network → Status to load the following page.

-11- Figure 3-2 Network Topology - NAT Mode If your Router is connecting the two networks of different areas in a large network environment with a network topology as the Figure 3-3 shown, and forwards the packets between these two networks by the Routing rules, you can set it to Non-NAT mode. Figur...

-12- Figure 3-4 Network Topology – Classic Mode Choose the menu Network → System Mode to load the following page. Figure 3-5 System Mode You can select a System Mode for your Router according to your network need. z NAT Mode NAT (Network Address Translation) mode allows the Router to translate priva...

-13- source IP address can be transported by NAT, whereas the packet with 20.31.76.80 as its source IP address will be dropped. z Non-NAT Mode In this mode, the Router functions as the traditional Gateway and forwards the packets via routing protocol. The Hosts in different subnets can communicate w...

-15- Figure 3-7 WAN – Static IP The following items are displayed on this screen: ¾ Static IP Connection Type: Select Static IP if your ISP has assigned a static IP address for your computer. IP Address: Enter the IP address assigned by your ISP. If you are not clear, please consult your ISP. Subnet...

-16- Secondary DNS: Optional. If a Secondary DNS Server address is available, enter it. Upstream Bandwidth: Specify the bandwidth for transmitting packets on the port. Downstream Bandwidth: Specify the bandwidth for receiving packets on the port. 2) Dynamic IP If your ISP (Internet Service Provider)...

-19- Figure 3-9 WAN - PPPoE The following items are displayed on this screen: ¾ PPPoE Settings Connection Type: Select PPPoE if your ISP provides xDSL Virtual Dial-up connection. Click <Connect> to dial-up to the Internet and obtain the IP address. Click <Disconnect> to disconnect the In...

-23- Figure 3-10 WAN - L2TP The following items are displayed on this screen: ¾ L2TP Settings Connection Type: Select L2TP if your ISP provides a L2TP connection. Click <Connect> to dial-up to the Internet and obtain the IP address. Click <Disconnect> to disconnect the Internet connectio...

-24- not clear, please consult your ISP. Password: Enter the Password provided by your ISP. Server IP: Enter the Server IP provided by your ISP. MTU: MTU (Maximum Transmission Unit) is the maximum data unit transmitted by the physical network. It can be set in the range of 576-1460. The default MTU ...

-26- Figure 3-11 WAN - PPTP The following items are displayed on this screen: ¾ PPTP Settings Connection Type: Select PPTP if your ISP provides a PPTP connection. Click <Connect> to dial-up to the Internet and obtain the IP address. Click <Disconnect> to disconnect the Internet connectio...

-29- The following items are displayed on this screen: ¾ BigPond Settings Connection Type: Select BigPond if your ISP provides a BigPond connection. Click <Connect> to dial-up to the Internet and obtain the IP address. Click <Disconnect> to disconnect the Internet connection and release ...

-30- Auth Domain: Enter the domain name of authentication server. It's only required when the address of Auth Server is a server name. Auth Mode: You can select the proper Active mode according to your need. z Manual: Select this option to manually activate or terminate the Internet connection by th...

-31- IP Address: Displays the IP address assigned by your ISP. Subnet Mask: Displays the Subnet Mask assigned by your ISP. Default Gateway: Displays the IP address of the default gateway assigned by your ISP. Note: To ensure the BigPond connection re-established normally, please restart the connecti...

-32- 3.1.4.2 DHCP The Router with its DHCP (Dynamic Host Configuration Protocol) server enabled can automatically assign an IP address to the computers in the LAN. Choose the menu Network → LAN → DHCP to load the following page. Figure 3-13 DHCP Settings The following items are displayed on this scr...

-34- Figure 3-15 DHCP Reservation The following items are displayed on this screen: ¾ DHCP Reservation MAC Address: Enter the MAC address of the computer for which you want to reserve the IP address. IP Address: Enter the reserved IP address. Description: Optional. Enter a description for the entry....

-35- 3.1.5 DMZ DMZ (Demilitarized Zone) is a network which has fewer default firewall restrictions than the LAN does. TL-ER5120 provides a DMZ port to allow all the local hosts connected to this port to be exposed to the Internet for some special-purpose services, such as such as Internet gaming and...

-37- Set the MAC Address for LAN port: In a complex network topology with all the ARP bound devices, if you want to change to use TL-ER5120 instead of the current router in a network node, you can just set the MAC address of TL-ER5120 ‘s LAN port the same to the MAC address of the previous router, w...

-38- to apply. Note: To avoid a conflict of MAC address on the LAN, it’s not allowed to set the MAC address of the Router’s LAN port to the MAC address of the current management PC. 3.1.7 Switch Some basic switch port management functions are provided by TL-ER5120, which facilitates you to monitor t...

-39- Unicast: Displays the number of normal unicast packets received or transmitted on the port. Broadcast: Displays the number of normal broadcast packets received or transmitted on the port. Pause: Displays the number of flow control frames received or transmitted on the port. Multicast: Displays ...

-41- The entry in Figure 3-21 indicates: The outgoing packets sent by port 1, port 2, port 3 and port 5 (mirrored ports) will be copied to port 4 (mirroring port). Tips: If both the mirrored port and the mirroring port are the LAN ports, these two LAN ports should be in the same Port VLAN. For examp...

-42- Figure 3-22 Rate Control The following items are displayed on this screen: ¾ Rate Control Port: Displays the port number. Ingress Limit: Specify whether to enable the Ingress Limit feature. Ingress Mode: Select the Ingress Mode for each port. Options include: z All Frames: Select this option to...

-43- Figure 3-23 Port Config The following items are displayed on this screen: ¾ Port Config Status: Specify whether to enable the port. The packets can be transported via this port after being enabled. Flow Control: Allows you to enable/disable the Flow Control function. Negotiation Mode: Select th...

-44- 3.1.7.6 Port VLAN A VLAN (Virtual Local Area Network) is a network topology configured according to a logical scheme rather than the physical layout, which allows you to divide the physical LAN into multiple logical LANs so as to control the communication among the ports . The VLAN function can...

-47- Group Structure: Click this button to view the tree structure of this group. All the members of this group will be displayed, including Users and sub-Groups. The Group Names are displayed in bold. Available Member: Displays the Users and the Groups which can be added into this group. Selected M...

-50- The first entry in Figure 3-30 indicates that: This is a Multi-Nets NAT entry named tplink1. The subnet under the LAN port of the Router is 192.168.2.0/24 and this entry is activated. After the corresponding Static Route entry is set, the hosts within this subnet can access the Internet through...

-51- Configuration procedure 1. Establish the Multi-Nets NAT entries with Subnet/Mask of VLAN2 and VLAN3. The configured entries are as follows: 2. Then set the corresponding Static Route entry, enter the IP address of the interface connecting the Router and the three layer switch into the Next Hop ...

-52- 3.3.1.4 Virtual Server Virtual server can be used for setting up public services in your private network, such as DNS, Email and FTP. Virtual server can define a service port. All the service requests to this port will be transmitted to the LAN server appointed by the Router via IP address. Cho...

-53- Status: Activate or inactivate the entry. Note: ● The External port and Internal Port should be set in the range of 1-65535. ● The external ports of different entries should be different, whereas the internal ports can be the same. ¾ List of Rules In this table, you can view the information of ...

-54- ¾ Port Triggering Name: Enter a name for Port Triggering entries. Up to 28 characters can be entered. Trigger Port: Enter the trigger port number or range of port numbers. Only when the trigger port initiates connection will all the corresponding incoming ports open and provide service for the ...

-55- Choose the menu Advanced → NAT → ALG to load the following page. Figure 3-33 ALG The following items are displayed on this screen: ¾ ALG FTP ALG: Enable or disable FTP ALG. The default setting is enabled. It is recommended to keep the default setting if no special requirement. H.323 ALG: Enable...

-56- Figure 3-34 Configuration The following items are displayed on this screen: ¾ General Disable Bandwidth Control: Select this option to disable Bandwidth Control. Enable Bandwidth Control all the time: Select this option to enable Bandwidth Control all the time. Enable Bandwidth Control When: Wi...

-57- Interface: Displays the current enabled WAN port(s). The Total bandwidth is equal to the sum of bandwidth of the enabled WAN ports. Upstream Bandwidth: Displays the bandwidth of each WAN port for transmitting data. The Upstream Bandwidth of WAN port can be configured on WAN page. Downstream Ban...

-59- Note: ● The premise for single rule taking effect is that the bandwidth of the interface for this rule is sufficient and not used up. ● It is impossible to satisfy all the guaranteed bandwidth if the total guaranteed bandwidth specified by all Bandwidth Control rules for certain interface excee...

-60- Enable Session Limit: Check here to enable Session Limit, otherwise all the Session Limit entries will be disabled. ¾ Session Limit Group: Select a group to define the controlled user. Max. Sessions: Enter the max. Sessions for the users. Description: Give a description for the entry. Status: A...

-61- Figure 3-38 Configuration With the box before Enable Application Optimized Routing checked, the Router will consider the source IP address and destination IP address of the packets as a whole and record the WAN port they pass through. And then the packets with the same source IP address and des...

-62- The following items are displayed on this screen: ¾ General Protocol: Select the protocol for the entry in the drop-down list. If the protocol you want to set is not in the list, you can add it to the list on 3.3.4.4 Protocol page. Source IP: Enter the source IP range for the entry. 0.0.0.0 - 0...

-64- Timing: Link Backup will be enabled if the specified effective time is reached. All the traffic on the primary WAN will switch to the backup WAN at the beginning of the effective time; the traffic on the backup WAN will switch to the primary WAN at the ending of the effective time. Failover: Sp...

-65- Figure 3-41 Protocol The following items are displayed on this screen: ¾ Protocol Name: Enter a name to indicate a protocol. The name will display in the drop-down list of Protocol on Access Rule page. Number: Enter the Number of the protocol in the range of 0-255. ¾ List of Protocol You can vi...

-67- The first entry in Figure 3-42 indicates: If there are packets being sent to a device with IP address of 172.31.70.28 and subnet mask of 255.255.255.0, the Router will forward the packets from WAN1 port to the next hop of 116.10.1.254. Application Example There is a network topology as the foll...

-68- The distance of RIP refers to the hop counts that a data packet passes through before reaching its destination, the value range of which is 1–15. It means the destination cannot be reached if the value is more than 15. Optimal path indicates the path with the fewest hop counts. RIP exchanges th...

-69- Authentication: network situation, and the password should not be more than 15 characters. All Interfaces: Here you can operate all the interfaces in bulk. All the interfaces will not apply RIP if “Enable” option for All Interfaces is selected. ¾ List of RIP After RIP is enabled, the informatio...

-72- ¾ List of Rules You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-45 indicates: The IP address of 192.168.1.101 and MAC address of 00-19-66-83-53-CF have been bound and this entry is activated. Note: If all the entries in the binding li...

-73- Indicates that the IP and MAC address of this entry is already bound. To bind the entries in the list, check these entries and click the <Import> button, then the settings will take effect if the entries do not conflict with the existed entries. Note: If the local hosts suffered from ARP ...

-74- Figure 3-48 Attack Defense The following items are displayed on this screen: ¾ General Flood Defense: Flood attack is a kind of commonly used DoS (Denial of Service), which including TCP SYN, UDP, ICMP and so on. It is recommended to check all the Flood Defense options and specify the correspon...

-75- not sure. Packet Anomaly Defense: Packet Anomaly refers to the abnormal packets. It is recommended to select all the Packet Anomaly Defense options. Enable Attack Defense Logs: With this box checked, the Router will record the defense logs. 3.4.3 MAC Filtering On this page, you can control the ...

-76- Description: Give a description for the entry. ¾ List of Rules You can view the information of the entries and edit them by the Action buttons. 3.4.4 Access Control 3.4.4.1 URL Filtering URL (Uniform Resource Locator) specifies where an identified resource is available and the mechanism for ret...

-79- Figure 3-52 Access Rule The following items are displayed on this screen: ¾ Access Rules Policy: Select a policy for the entry: y Block: When this option is selected, the packets obeyed the rule will not be allowed to pass through the Router. y Allow: When this option is selected, the packets o...

-81- ¾ List of Rules You can view the information of the entries and edit them by the Action buttons. The smaller the value is, the higher the priority is. The first entry in Figure 3-52 indicates: The TELNET packets transmitted from the hosts within the network of 192.168.0.0/24 will be not allowed...

-82- The following items are displayed on this screen: ¾ Service Name: Enter a name for the service. The name should not be more than 28 characters. The name will display in the drop-down list of Protocol on Access Rule page. Protocol: Select the protocol for the service. The system predefined proto...

-84- Effective Time: Specify the time for the entry to take effect. Description: Give a description for the entry. Status: Activate or inactivate the entry. ¾ List of Rules You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-54 indicates: The ...

-85- 3.5.1.1 General On this page, you can configure PPPoE function globally. Choose the menu Services → PPPoE Server → General to load the following page. Figure 3-56 General The following items are displayed on this screen: ¾ General PPPoE Server: Specify whether to enable the PPPoE Server functio...

-86- Idle Timeout: Enter the maximum idle time. The session will be terminated after it has been inactive for this specified period. It can be 0-10080 minutes. If you want your Internet connection to remain on at all times, enter 0 in the Idle Timeout field. The default value is 30. Authentication: ...

-87- Figure 3-57 IP Address Pool The following items are displayed on this screen: ¾ IP Address Pool Pool Name: Specify a unique name to the IP Address Pool for identification and management purposes. IP Address Range: Specify the start and the end IP address for IP Pool. The start IP address should...

-89- Status: Activate or inactivate the entry. MAC Binding: Select a MAC Binding type from the pull-down list. Options include: z Disable: Select this option to disable the MAC Binding function. z Manual: Select this option to bind the account to a MAC address manually. Only from the Host with this ...

-90- IP Address Range: Specify the start and the end IP address to make an exceptional IP address range. This range should be in the same IP range with LAN port or DMZ port of the Router. The start IP address should not exceed the end address and the IP address ranges must not overlap. Description: ...

-91- Figure 3-61 E-Bulletin The following items are displayed on this screen: ¾ General Enable E-Bulletin: Specify whether to enable electronic bulletin function. Interval: Specify the interval to release the bulletin. Enable Logs: Specify whether to log the E-Bulletin. ¾ E-Bulletin Title: Enter a t...

-93- DNS database. Therefore, the users can use the same domain name to access the DDNS client even if the IP address of the DDNS client has changed. DDNS is usually used for the Internet users to access the private website and FTP server, both of which are established based on Web server. The Route...

-95- DDNS Status: Displays the current status of DDNS service z Offline: DDNS service is disabled. z Connecting: client is connecting to the server. z Online: DDNS works normally. z Authorization fails: The Account Name or Password is incorrect. Please check and enter it again. ¾ List of No-IP Accou...

-96- DDNS Status: Displays the current status of DDNS service z Offline: DDNS service is disabled. z Connecting: client is connecting to the server. z Online: DDNS works normally. z Authorization fails: The Account Name or Password is incorrect. Please check and enter it again. Domain Name: Displays...

-98- Figure 3-66 UPnP The following items are displayed on this screen: ¾ General UPnP Function: Enable or disable the UPnP function globally. ¾ List of UPnP Mapping After UPnP is enabled, all UPnP connection rules will be displayed in the list of UPnP Mapping. Up to 64 UPnP service connections are ...

-99- Figure 3-67 Password The following items are displayed on this screen: ¾ Administrator Current User Name: Enter the current user name of the Router. Current Password: Enter the current password of the Router. New User Name: Enter a new user name for the Router. New Password: Enter a new passwor...

-100- ¾ General Web Management Port: Enter the Web Management Port for the Router. Telnet Management Port: Enter the Telnet Management Port for the Router. Web Idle Timeout: Enter a timeout period that the Router will log you out of the Web-based Utility after a specified period ( Web Idle Timeout )...

-104- Figure 3-74 Interface Traffic Statistics The following items are displayed on this screen: ¾ Interface Traffic Statistics Interface: Displays the interface. Rate Rx ： Displays the rate for receiving data frames. Rate Tx: Displays the rate for transmitting data frames. Packets Rx: Displays the ...

-105- Figure 3-75 IP Traffic Statistics The following items are displayed on this screen: ¾ General Enable IP Traffic Statistics: Allows you to enable or disable IP Traffic Statistics. Enable Auto-refresh: Allows you to enable/disable refreshing the IP Traffic Statisticsautomatically. The default re...

-106- Figure 3-76 Diagnostics The following items are displayed on this screen: ¾ Ping Destination IP/Domain: Enter destination IP address or Domain name here. Then select a port for testing, if you select “Auto”, the Router will select the interface of destination automatically. After clicking <...

-107- ¾ Tracert Destination IP/Domain: Enter destination IP address or Domain name here. Then select a port for testing, if Auto is selected, the Router will select the interface of destination automatically. After clicking the <Start> button, the Router will send Tracert packets to test the c...

-108- DNS Lookup: Enter the IP address of DNS server in Manual mode. 0.0.0.0 means DNS Lookup is disabled. ¾ List of WAN status Port: Displays the detected WAN port. Detection: Displays whether the Online Detection is enabled. WAN Status: Display the detecting results. 3.6.5 Time System Time is the ...

-109- Get GMT: When this option is selected, you can configure the time zone and the IP Address for the NTP Server. The Router will get GMT automatically if it has connected to a NTP Server. z Time Zone: Select your local time. z Primary/Secondary NTP Server: Enter the IP Address for the NTP Server....

-110- Send System Logs: Select Send System Logs and specify the server IP, then the new added logs will be sent to the specified server. The Logs of switch are classified into the following eight levels. Severity Level Description emergencies 0 The system is unusable. alerts 1 Action must be taken i...

-111- Chapter 4 Application 4.1 Network Requirements The company has established the server farms in the headquarters to provide the Web, Mail and FTP services for all the staff. The dedicated line access service was used by this company, which costs greatly in network maintain and cable layout. Wit...

-113- Figure 4-3 WAN – Static IP 4.2.1.4 Link Backup Set the connection of WAN1 as the primary link, the connection of WAN 2 as the secondary link. Choose the menu Advanced → Load Balance → Link Backup to load the configuration page. Select WAN1 as Primary WAN , WAN2 as Backup WAN , select the Failo...

-114- 4.2.2 Network Management To manage the enterprise network effectively and forbid the Hosts within the IP range of 192.168.0.30-192.168.0.50 to use IM/P2P application, you can set up a User Group and specify the network bandwidth limit and session limit for this group. The detailed configuratio...

-116- Figure 4-7 App Rules 4.2.2.3 Bandwidth Control To enable Bandwidth Control, you should configure the total bandwidth of interfaces and the detailed bandwidth control rule first. 1) Enable Bandwidth Control Choose the menu Advanced → Traffic Control → Setup to load the configuration page. Check...

-118- Max. Sessions: 250 Status: Activate Click the <Add> button to apply. Figure 4-11 Session Limit 4.2.3 Network Security You can enable the IP-MAC Binding function to defend the ARP attack from local or public network and enable Sending GARP packets function to defend ARP attack. Moreover, ...

-120- Figure 4-15 IP-MAC Binding 4.2.3.2 WAN ARP Defense To prevent the WAN ARP attack, you can bind the default gateway and IP address of WAN port. Obtain the MAC address of WAN port by ARP Scanning first. Choose the menu Firewall → Anti ARP Spoofing → ARP Scanning to load the configuration page. E...

-121- Figure 4-16 Attack Defense 4.2.3.4 Traffic Monitoring 1) Port Mirror Choose the menu Network → Switch → Port Mirror to load the configuration page. Check the box before Enable Port Mirror and select the Ingress&Egress mode. Select the Port 5 for the Mirroring Port and the Port 3 and the Po...

-123- Figure 4-19 IP Traffic Statistics After all the above steps, the enterprise network will be operated based on planning.

-124- Chapter 5 CLI TL-ER5120 provides a Console port for CLI (Command Line Interface) configuration, which enables you to configure the Router by accessing the CLI from console (such as Hyper Terminal) or Telnet. The following part will introduce the steps to access CLI via Hyper Terminal and some ...

-126- Figure 5-4 Port Settings 6. Choose File → Properties → Settings on the Hyper Terminal window as Figure 5-5 shows, then choose VT100 or Auto detect for Emulation and click OK . Figure 5-5 Connection Properties Settings

-129- ip - Display or Set the IP configuration ip-mac - Display or Set the IP mac bind configuration sys - System manager user - User configuration 2) Type a command and a question mark separated by space. If there are keywords in this command, all the keywords and their brief descriptions will disp...

-132- TP-LINK # sys import config Server address: [192.168.1.101] Username: [admin] Password: [admin] File name: [config.bin] Import the configuration file. The steps are as the above item shown. Try to get the configuration file < config.bin > ... Get configuration file < config bin > s...

-133- TP-LINK > user set password Enter old password: Enter new password: Confirm new password: Modify the password of the Guest. TP-LINK # user get Username: admin Password: admin Query the user name and password of the Administrator. TP-LINK # user set password Enter old password: Enter new pas...

-134- TP-LINK > history 1. history 2. sys show 3. history View the history command. TP-LINK > history clear 1. history 2. sys show 3. history 4. history clear Clear the history command. 5.4.6 exit The exit command is used to exit the system only when logging in by Telnet. TP-LINK > exit Exi...

-135- Appendix A Hardware Specifications Standards IEEE 802.3 、 IEEE 802.3u 、 IEEE 802.3x 、 TCP/ IP 、 DHCP 、 ICMP 、 NAT 、 PPPoE 、 SNTP 、 HTTP 、 DNS One 10/100/1000M Auto-Negotiation WAN RJ45 port (Auto MDI/MDIX) Three adjustable 10/100/1000M Auto-Negotiation WAN/LAN RJ45 ports (Auto MDI/MDIX) One 10...

-136- Appendix B FAQ Q1. What can I do if I cannot access the web-based configuration page? 1. For the first login, please try the following steps: 1) Make sure the cable is well connected to the LAN port of the Router. The corresponding LED should flash or be solid light. 2) Make sure the IP addres...

-137- Q3: What can I do if the Router with the remote management function enabled cannot be accessed by the remote computer? 1. Make sure that the IP address of the remote computer is in the subnet allowed to remotely access the router. 2. If the router’s management port has been modified, please lo...

-138- Appendix C Glossary Glossary Description DSL (Digital Subscriber Line) A technology that allows data to be sent or received over existing traditional phone lines. ALG （ Application Layer Gateway ） Application Level Gateway (ALG) is application specific translation agent that allows an applicat...