BTnet configuration

options and features

With our managed
Cisco Meraki equipment

About this guide

This is a brief guide to the default
settings and alternative options
for your BTnet service and Cisco
Meraki equipment.

It covers:

• Local area network (LAN)

• Wi-fi
• BTnet Security
(if you’ve included that
as part of your service)
Changing
your settings
Combined with BTnet, Cisco Meraki
gives you business grade internet and
wireless networking, to truly mobilise
your workforce. Cisco Meraki
equipment offers more features
and configuration options than we
provide as part of our managed CPE
BTnet service.
Changing your settings is a simple
Even though some of them aren’t process. Just use the portal to
compatible with BTnet, Meraki’s request any changes to your BTnet
wide range of settings, paired with service and your Cisco Meraki
our fast and reliable leased line equipment (please refer to our
internet service, still offer greater BTnet user portal guide for more
functionality, flexibility and information), or give us a call on
control than our traditional 0808 100 2440. We’ll make the
equipment options. changes you’ve asked for by the end
of the next working day, between
In this document, we’ve outlined the 08:00–17:00.
configuration options and features
that are available to you. To make Please note: although we’ll make any
sure you get the best possible configuration changes that you ask us
performance from your BTnet to, we’re not accountable for the
service – and to keep things simple subsequent behaviour of your
– we maintain, support and configure network or any connected devices.
your equipment for you. So you can So please only request changes to
concentrate on what matters most to your settings, if you have a full
your business. understanding of their impact.
Default settings
and alternative options
1. LAN
LAN option Available settings Default setting Notes

• Track clients by MAC address

Client tracking Track clients by MAC address You may need to switch to IP address tracking if your LAN equipment requires it.
• Track clients by IP address

Add static routes manually. 192.168.128.0/24 (default, data) You’ve got two route templates: one for data traffic and one for voice calls over the network. It’s unlikely that you’ll
Routes
Two set as default templates. 192.168.193.0/24 (voice) need any more than that, but you can change the actual internal IP addressing scheme for each if you need to.

This controls the behaviour of the LAN ports of the Managed CPE device and are set up as follows:
BTnet Express services – Four LAN ports: three ports configured as trunks, one configured as access.
Per-port VLAN config Manual port configuration BTnet 100Mbps circuits – 10 LAN ports: eight as trunks, two configured as access.
Note: Two of the eight trunk ports are Power Over Ethernet (PoE) ports. These can’t be changed.
BTnet 500Mbps and 1Gbps circuits – 24 LAN ports: 20 as trunks, four as access.

• Run a DHCP server If you want to turn off the DHCP server (used for simple LAN setup and plug-and-play connectivity) then you’ll need
Client addressing • Relay DHCP to another service Run DHCP Server to give us additional VLAN information and configuration details.
• Do not respond to DHCP requests Note: the pre-set lease time for IP addresses is set at one day (not configurable).

• Proxy to upstream DNS

• Use Google public DNS
DNS name servers BTnet name servers (specified) If you need to change to anything else.
• Use OpenDNS
• Specify name servers

Reserved IP ranges Manual configuration You can add reserved IP ranges on request.

Fixed IP assignments Manual configuration You can add fixed IP ranges on request.

Continued on next page

Configuration options,
defaults, and details
1. LAN
LAN option Available settings Default setting Notes

• Disabled
SNMP read-only access • V1/V2c Disabled To change this, you’ll need to place an order with your account manager.
• V3

Use this to forward traffic from different ports to specific devices or applications at internal IP addresses on your
Port forwarding Manual configuration LAN. You can set it up so multiple servers receive traffic from the same public IP address. You can add as many
forwarding rules as you need.

1:1 NAT (Network Address Translation) maps one internal address (usually private) to one external address (usually
public). It’s for companies with multiple public IP addresses, and for networks with multiple servers behind a firewall
(such as two web servers and two mail servers).
It can also translate public IP addresses in different subnets to the WAN interface address. But only if the ISP routes
1:1 NAT Manual configuration
traffic for the subnet towards the mail exchanger (MX) interface.
You can only set up 1:1 NAT mapping with IP addresses that don’t already belong to the Managed CPE device. Each
translation added is a 1:1 rule, which means traffic destined to the public IP address can only go to one internal IP
address. Within each translation, you can specify which ports to forward to the internal IP.

1: Many NAT configuration allows the Managed CPE device to forward traffic from a configured public IP to internal servers.
1: Many NAT Manual configuration Each one has many definitions so you need to specify the single public IP then set up multiple port forwarding rules to
send traffic to different devices on the LAN on a per-port basis.
Configuration options,
defaults, and details
2. Wi-fi
Wireless option Available settings Default setting Notes

• Enabled SSID stands for Service Set Identifier, and is your network’s name. You can enable this whenever you want, and choose
SSID 1 Disabled
• Disabled (and choose name) what to call your wi-fi network.

• Enabled
SSID 2 Guest Wi-Fi Disabled Use this to choose the name of your Guest Wi-Fi.
• Disabled (and choose name)

Wi-fi passwords
N/A This is where you set up your own passwords.
(per SSID)

• Open
Security encryption type • WEP N/A Choose the option from those available.
• WPA2

• Advertise this SSID publicly

Visibility of SSID Advertise this SSID publicly If you want to hide any of your active wi-fi networks. Can be set independently for each network if both are active.
• Hide this SSID

The following settings are only available for BTnet 500Mb and 1Gb circuits (provided with a separate wireless access point device)

• Unlimited
Per client bandwidth limit Unlimited You can change this if you need to set the wireless bandwidth limit for a certain connected device (client).
• Sliding scale of bandwidth steps

• Unlimited You can change this if you need to set the wireless bandwidth limit for a certain network, including limiting
Per SSID bandwidth limit Unlimited
• Sliding scale of bandwidth steps Guest Wi-Fi bandwidth.

• Disabled
• Enabled (with options then for):
– Available 08:00 – 17:00 daily
Choose from these options if you want to make each network only available at certain times. ‘Disabled’ setting means
Scheduled availability – Available 08:00 – 17:00 daily Disabled
your networks are available all the time.
except weekends
– Always available
– Customer schedule
Configuration options,
defaults, and details
3. BTnet Security
When it comes to our optional BTnet If you haven’t got the security
Security package, we understand that package but you’re interested in it,
you may want to tweak the default please talk to your account manager
settings to fit your own security policies. or specialist, or visit bt.com/btnet
Just use the BTnet User Portal to tell for more information.
us what you want to change and we’ll
sort it out for you.

Setting Description Available settings (default in bold)

Layer 3 firewall

You can create custom rules for outbound traffic, which we’ll add manually. You’ll need to tell us the protocol, source, source port, No default settings, custom set up
Outbound rules
destination, destination port and whether you want to allow/deny the access. on request.

Security appliance services ICMP ping is enabled for any remote IP addresses by default. But you can change this and specify IP addresses if you prefer. Any.

Continued on next page

Configuration options,
defaults, and details
3. BTnet Security
Setting Description Available settings (default in bold)

Layer 7 firewall and application control

This allows you to block pre-defined categories of applications. You can then block everything for that category or be more We’ve blocked these categories
specific by domain name, IP, port, host name or country. Available categories are: by default. You can add more from
the list:
• Blogging • Security • Peer-to-peer (P2P) – all.
• Email • Productivity • Web file sharing – all.
• File sharing • Remote monitoring and management
• Gaming • Business management
• News • Healthcare
Firewall rules • Online backup • Web payments
• Peer-to-peer (P2P) • Databases and cloud services
• Social web and photo sharing • Advertising
• Sports • HTTP hostname…
• Video and music • Port…
• VoIP and video conferencing • Remote IP range…
• Web file sharing • Remote IP range and port…
• Software and anti-virus updates

Advanced Malware Protection (AMP)

AMP helps protect you against known malware by classifying a file as ‘clean’, ‘malicious’ or ‘unknown’. The service is enabled by • Enabled.
Mode
default but you can switch it off if you wish. • Disabled.

Whitelisted URLs In case you need to whitelist certain URLs from being scanned by the AMP system. Add manually on request.

Whitelisted files In case you need to whitelist certain files from being scanned by the AMP system. Add manually on request.

Continued on next page

Configuration options,
defaults, and details
3. BTnet Security
Setting Description Available settings (default in bold)

Intrusion detection and prevention

• Disabled.
This helps to protect against known threats and patterns. You can change your setting to detection-only or turn it off altogether
Mode • Detection.
if you prefer (you must accept the additional risk in doing so as no action will be taken to prevent threats).
• Prevention.

Allows you to set up your intrusion detection and prevention, depending on how strict you would like it to be. There are three • Connectivity.
available modes, with the middle ‘balanced’ setting being the default: • Balanced.
Connectivity: contains rules from the current year and the previous two years for vulnerabilities with a CVSS score of 10. • Security.
Balanced: contains rules from the current year and the previous two years for vulnerabilities with a CVSS score of nine or more,
and which are in one of the following categories:
• Malware-CNC: rules for known malicious command and control activity for identified botnet traffic. This includes call
home, downloading of dropped files, and ex-filtration of data.
• Blacklist: rules for URLs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of
malicious activity.
• SQL Injection: rules designed to detect SQL Injection attempts.
Ruleset
• Exploit-kit: rules designed to detect exploit kit activity.
Security: rules from the current year and the previous three years for vulnerabilities with a CVSS score of eight or more, and which
are in one of the following categories:
• Malware-CNC: rules for known malicious command and control activity for identified botnet traffic. This includes call
home, downloading of dropped files, and ex-filtration of data.
• Blacklist: rules for URLs, user agents, DNS host names, and IP addresses that have been determined to be indicators of
malicious activity.
• SQL Injection: rules designed to detect SQL Injection attempts.
• Exploit-kit: rules designed to detect exploit kit activity.
• App-detect: rules that look for and control the traffic of certain applications that generate network activity.

Whitelisted rules To allow certain rules related to the intrusion detection system. Add manually on request.

Continued on next page

Configuration options,
defaults, and details
3. BTnet Security
Setting Description Available settings (default in bold)

Content (URL) filtering

You can block URL content by category to help protect your users and stop people accessing certain sites. There is a wide range of The following categories are blocked
categories available to choose from. The bold list in the next column shows the default categories, which we feel will be useful to by default:
most businesses as a starter. If you would like to add any more then please let us know. • Adult and pornography
The available categories include (subject to change): • Botnets
• Confirmed spam sources
• Abortion • Illegal • Questionable • Gross
• Abused drugs • Image and video search • Real estate • Hacking
• Adult and pornography • Individual stock advice and tools • Recreation and hobbies • Hate and racism
• Alcohol and tobacco • Internet communications • Reference and research • Illegal
• Auctions • Internet portals • Religion • Key loggers and monitoring
• Botnets • Job search • Spam URLs • Malware sites
• Cheating (academic) • Key loggers and monitoring • Search engines • Nudity
• Computer and internet info • Kids • Sex education • Parked domains
• Computer and internet security • Legal • Shareware and freeware • Peer-to-peer (P2P)
• Confirmed spam sources • Local information • Shopping • Phishing and other frauds
• Content delivery networks • Malware sites • Social networking • Proxy avoid and anonymizers
Blocked category selection
• Cult and occult • Marijuana • Society • Spam URLs
• Dating • Military • Sports • Spyware and adware
• Dynamically-generated content • Motor vehicles • Spyware and adware
• Educational institutions • Music • Streaming media
• Entertainment and arts • News and media • Swimsuits and intimate apparel
• Fashion and beauty • Nudity • Training and tools
• Financial services • Online greeting cards • Translation
• Gambling • Open HTTP proxies • Travel
• Games • Parked domains • Unconfirmed spam sources
• Government • Pay to surf • Violence
• Gross • Peer-to-peer • Weapons
• Hacking • Personal storage • Web advertisements
• Hate and racism • Personal sites and blogs • Web hosting
• Health and medicine • Philosophy and political advocacy • Web-based email
• Home and garden • Phishing and other frauds
• Hunting and fishing • Proxy avoidance and anonymizers

Continued on next page

Configuration options,
defaults, and details
3. BTnet Security
Setting Description Available settings (default in bold)

Content (URL) filtering

This helps to protect against known threats and patterns. You can change your setting to detection-only or turn it off altogether • Full list.
URL list size
if you would prefer (you must accept the additional risk in doing so as no action will be taken to prevent threats). • Top sites only.

URL blocking – blocked patterns In case you need to blacklist certain sites which the URL filtering controls would otherwise allow. Add manually on request.

URL blocking– whitelist In case you need to whitelist certain sites which the URL filtering controls would otherwise block. Add manually on request.

This document is not Terms and conditions for

exhaustive and is subject to BTnet and BTnet Security
change without notice Go to the Broadband and Internet
If you want to see the full service Access section at bt.com/terms.
descriptions for BTnet and BTnet
Security, please ask your account
manager or specialist for copies.

Offices Worldwide
The services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective
standard conditions of contract. Nothing in this publication forms any part of any contract. © British Telecommunications plc 2020. Registered office: 81 Newgate Street, London EC1A 7AJ.
Registered in England No. 1800000.
February 2021