Configuration Guide
Contents
1. dial in connection 4 modems PortMaster E E workstation 1 workstation 2 11820017 Network Dial Out Only Access Network dial out only access can be set on ports dedicated to Internet connections or connections to another office In this configuration the port is used to establish communication from the PortMaster to an outside location SLIP or PPP is used for these types of connections Figure 5 5 shows an example of a dial out only configuration Configuring an Asynchronous Port Configuring a Port for Network Access 5 18 Figure 5 5 Dial Out Only Access branch office d N workstation 1 L4 a a LA dial out p connection main office ge La j UN modems workstation 2 mm PortMaster Ss workstation 1 Ne D 11820018 Network Dial In and Out Two Way Access Dial in and out service on a selected port is also called two way access Two way access is specified for ports where both dial in and dial out access are needed Dial in modes with modems allow users to connect to the main network without the cost of a leased line connection This method can also be used for connecting to remote sites that need only occasional telecommuting or backup connectivity To configure two way access set the port type for network use and then2. 00 cc eee eee eee eee 5 18 Configuring a Port for a Dedicated Connection 0 00 5 20 Setting the Protocol tcc eres Hee LEE EEE EE EEE EE e ERS 5 22 Setting thesMEUSIZEG Ree oposite stb se tesa tasetasetasitelisds 5 22 Setting the Destination IP Address and Netmask 0 0000 caus 5 22 Setting the IPX Network Number 0 0 0 0 cece eee eens 5 22 Contiguring RIP Routing aaea PROMO RAL Male Dole Bole Boe Bone ees 5 23 Configuring Compression llle eee eee eee eens 5 23 Setting the PPP Asynchronous Map 0 eee eee es 5 24 Setting Input and Output Filters 0 2 0 ee ees 5 25 Connecting without TCP IP Support 0 0 eh 5 25 6 Configuring a Synchronous WAN Port Synchronous Port Uses 0 s 6 1 Configuring WAN Port Settings csse 6 4 General Synchronous Settings 0 0 cece eee ees 6 4 Settings for Hardwired Connections llle eee 6 7 7 Configuring Dial In Users Configuring the User Table 0 0 cece nee ee eee 7 1 Displaying User Information llle 7 2 Adding Users to the User Table 1 2 0 0 cece eh 7 2 Deleting Users from the User Table 2 2 2 0 eee eee 7 3 Useryp es sg oh EE RR OE OEE ERE EEE ERE CE SE CECE REO EERE 7 3 Network UserS 4 0 got test iastiastivstigebiestiee bias bts hd ae bbl 7 3 LOoSiD USeIrS ae eee RARE EN A A es ee ga 7 3 Contents vii Contents viii Configuri
3. 22 cleseee ees 13 42 NAT Friendly Applications llle eee 13 43 Uniriendly Applications eas mas als RR cR a aos a a ads a eae a RA ca UR E 13 43 Debugging and Troubleshooting NAT 0 0 0 eh 13 44 Eogging Gontrol 212 oe eat hati fetitediiedide dics b ALL LLL EbECA 13 44 Debugging NAT 224204446444 Rr REFERRE EE ERE METERS 13 45 Network Diagnostic Tools for NAT lees 13 46 14 Configuring L2TP Overview oL bAIP prasad ere hoe ee ERLTRRCTWRtetatetetetita 14 1 L2IP GODpOnDenBtiS lvauwanedqu e AR UR RE EE ER ER ER Ed Tre 14 1 How L2TP WOEIES ou ac Ret eo ate ee ae A T eade 14 3 Configuring L2TP on the PortMaster 3 essel 14 4 Setting Up a WA Ceti erret a woke ahs EN EN eae he Ge hs eae Gee ERE 14 4 Setting Up an ENSc v erased d eke ot aoe he ee SN DIES oe ees ee eee ete DAS 14 5 Load Balancing among Tunnel Server End Points Optional 14 5 Setting L2TP Tunnel Authentication Optional 0 20 00 14 6 Overview of Gall Check yc Pe ee oe ee ee ee eee De eee eee bes 14 7 Enabling Call Check on a PortMaster 0 0 0 cece eee 14 7 How Call Check Works 00 0 ee ene 14 7 Configuring L2TP on the RADIUS Server 0 0 eee eee ee 14 8 Configuring Call Check 0 2 ce eens 14 9 Contiguring User Prohlles rur s rr o o o o o Ro Tu RS A RR 14 9 Configuring ACCOUNTS sec cesses bg RR SRS es exe Rex Rex E Rex SRS 14 11 Contents XV Contents
4. 1 NetWare Core Protocol A Novell protocol for accessing Novell NetWare file and print service functions via an underlying IPX or IP transport protocol 2 Network Control Protocol A series of protocols for establishing and configuring different network layer protocols over the Point to Point Protocol PPP In OSPE two routers that have interfaces to a common network On multiaccess networks neighbors are dynamically discovered by the OSPF hello protocol To boot from a network server usually a Trivial File Transfer Protocol TFIP server or the process of doing so A 32 bit number that distinguishes the portion of an IP address referring to the network or subnet from the portion referring to the host Compare subnet mask PortMaster Configuration Guide Glossary netmask length A number between 0 and 32 preceded by a slash and following an IP address prefix The netmask length indicates the number of high order bits in the prefix that an IP address must match to fall within the range indicated by the prefix For example the prefix and netmask length 10 0 0 0 8 describe all networks whose IP addresses begin with 128 See also IP address prefix NetWare Core Protocol See NCP network A collection of computers terminals and other devices and the hardware and software that enable them to exchange data and share resources over short or long distances network access server See remote access server network address tr
5. Configuring the PortMaster 3 Using ISDN BRI Using Frame Relay Using Synchronous Leased Lines See the PortMaster Command Line Reference for more detailed command descriptions and instructions 18 1 Figure 18 1 Continuous Internet Connection PortMaster office Internet Internet service provider 11820010 18 2 PortMaster Configuration Guide Overview of Continuous Internet Connections Overview of Continuous Internet Connections You can configure two types of continuous connections e Dial up A continuous dial up connection starts as soon as the PortMaster boots and is redialed whenever the telephone connection is dropped If you use a continuous dial out link from the S1 serial port one location table entry is needed for the ISP e Dedicated circuit also known as a network hardwired connection The network hardwired configuration is typically used if you are using a leased analog or digital line or an asynchronous to synchronous converter If you use a network hardwired port no entries are needed in the location table This example provides configuration information for both types of continuous connections For this example IPX packets are not transmitted to or from the ISP You can also connect to an ISP with a dial on demand configuration as described in Chapter 17 Using Office to Office Connections However dial on dema
6. ChoiceNet starts if configured The PortMaster is now ready to begin providing service How the PortMaster Works 2 3 On Demand Connections On Demand Connections The PortMaster establishes on demand connections in the following way e When the PortMaster receives packets going to an on demand location that is suspended not currently active it dials out to that location if a line is available e If idle timers expire on a connection the connection is brought down freeing the port for other uses e At regular intervals packet queues are checked for dial out locations configured for multiline load balancing to determine if more bandwidth is needed If it needs more bandwidth the PortMaster dials out on an additional port and adds that port to the existing interface e When users dial in they are authenticated and provided with their configured service PortMaster Security Management The PortMaster provides security through the user table or if configured RADIUS security When a dial in user attempts to authenticate at the login prompt or via PAP or CHAP authentication the PortMaster refers to the entry in the user table that corresponds to the user If the password entered by the user does not match the PortMaster denies access with an Invalid Login message If no user table entry exists for the user and port security is off the PortMaster passes the user on to the host defined for that port using the selec
7. Configure Ethernet interface settings page 10 12 Configure ISDN port settings page 10 12 Configure dial in users page 10 13 Configure dial out locations page 10 14 3 Configure the following settings for the PortMaster in San Francisco a b C d e Configure global settings page 10 16 Configure Ethernet interface settings page 10 16 Configure ISDN port settings page 10 17 Configure dial in users page 10 18 Configure dial out locations page 10 19 4 Test the configuration page 10 20 5 Troubleshoot the configuration page 10 21 Figure 10 2 illustrates the ISDN BRI example in this section using unnumbered interfaces Figure 10 2 ISDN BRI Unnumbered S F Denver EtherO 192 168 100 1 24 EtherO 192 168 200 1 24 10 10 11820025 PPP 0 0 0 0 PPP 0 0 0 0 PortMaster Configuration Guide ISDN BRI Unnumbered IP Configuration Example For comparison Figure 10 3 shows a similar configuration using ISDN BRI with numbered interfaces Figure 10 3 ISDN BRI Numbered S F Denver EtherO 192 168 100 1 24 Ether0 192 168 200 1 24 11820026 PPP 10 0 0 0 24 PPP 10 0 0 2 24 Configuring the PortMaster in Denver Using ISDN BRI The PortMaster in Denver is being configured for an ISDN dial up connection to the PortMaster in San Francisco Configuring Global Settings Configure the global settings on the PortMaster in Denver to the values shown in Table 10 3 Table
8. Use the internal host table only when no other host mapping facility is n of network maintenance required Managing Network Security PortMaster products allow you to maintain network security using a variety of methods Security is a general term that refers to restricting access to network devices and data To enable security features you must identify sensitive information find the network access points to the sensitive information and secure and maintain the access points PortMaster security methods include e Callback for remote access users e Assignment of local passwords before connections are established e Access control filters for host connections e Inbound and outbound packet filtering e IP packet filtering by protocol source and destination address and port e IPX packet filtering by source and destination network node and socket e SAP filtering e PAP and CHAP authentication protocols for PPP connections e Password security for administrative access e Remote Authentication Dial In User Service RADIUS support e ChoiceNet filtering e 2TP tunnels Networking Concepts A 9 Managing Network Security Each of these security methods is described in more detail in this guide All or some of these security methods can be configured as you configure the system wide parameters and each interface RADIUS and ChoiceNet are described briefly in the next sections however for configuration information refer to the R
9. If you are using a PortMaster IRX Router running ComOS 3 2R or later as your gateway you can configure the netmask table on the router also This allows your PortMaster to listen to RIP messages from the other PortMaster routers and route directly to each of them Configuring Global Settings 3 25 Enabling NetBIOS Broadcast Packet Propagation Enabling NetBIOS Broadcast Packet Propagation NetBIOS is a programmable entry into the network that enables systems to communicate over multiple media NetBIOS over IPX uses type 20 broadcast packets propagated to all networks to get and forward information about the named nodes on the network NetBIOS uses a broadcast mechanism to get this information because it does not implement a network layer protocol Before forwarding the packets the PortMaster performs loop detection as described by the IPX Router Specification available from Novell Full NetBIOS protocol compliance requires that the PortMaster be set to propagate and forward type 20 broadcast packets across your IPX network router When the NetBIOS parameter is on the PortMaster broadcasts type 20 packets When the NetBIOS parameter is off the type 20 packets are not broadcast across the router The default is off To turn NetBIOS on or off use the following command Command gt set netbios on off Setting Authentication for Dial In Users 3 26 You can configure the PortMaster for three authentication methods PAP CHAP
10. The most obvious very high level feature of Perl A single simple pattern match in Perl can perform the work of many lines in a different language Regular expressions identify strings and help parse their contents using regular expression memory most often with the regular expression memory variables 1 2 3 and so on These variables are associated with parentheses inside a regular expression that can identify what its contents matched Perl5 regular expressions are constructed and parsed by means of grammatical rules and operators that are similar to those used for arithmetic expressions See also regular expression permanent virtual circuit See PVC Personal Computer Memory Card International Association See PCMCIA physical circuit A physical connection between two devices ping Packet Internet Groper A program used to test and debug networks Ping sends an Internet Control Message Protocol ICMP echo request packet to the specified host and waits for an echo reply packet Ping reports success or failure and sometimes statistics about its operation PKIX Public key infrastructure using X 509 A set of standards for an Internet public key infrastructure PKI that uses the ISO X 509 authentication standard A PKI defines data formats and procedures for distributing and managing cryptographic keys via certificates digitally signed by certification authorities plain old telephone service See POTS PMVision A Java bas
11. to Permit DNS into Your Local Network If the DNS name server for your domain is outside your local network you must add the following rule to your input filter Command gt set filter Filtername RuleNumber permit udp src eq 53 This rule permits DNS replies into your local network to Listen to RIP Information To permit incoming RIP packets add the following rule to your input filter Command gt set filter Filtername RuleNumber permit 172 16 0 0 32 192 168 0 0 32 udp dst eq 520 In the above example 172 16 0 0 32 is the other end of the Internet connection and 192 168 0 0 32 is the local address of the connection to Allow Authentication Queries To allow authentication queries used by some mailers and FIP servers add the following rule to your input filter Command gt set filter Filtername RuleNumber permit tcp dst eq 113 For more information about these types of queries refer to RFC 1413 PortMaster Configuration Guide Example Filters Rule to Allow Networks Full Access To allow some other network to have complete access to your network add the following rule In the example below 172 16 12 0 is granted full access to 192 168 1 0 24 Command gt set filter Filtername RuleNumber permit 172 16 12 0 24 192 168 1 0 24 network you might unknowingly allow other networks complete access as well Any network that can access a network having complete access privileges to your network also has access to your ne
12. Setting Command Port type set s9 device dev ttyre Speed 1 set s9 speed 1 9600 Speed 2 set s9 speed 2 9600 Speed 3 set s9 speed 3 9600 Modem control set s9 cd on Software flow control set s9 xon xoff on Host set s9 host default Device service set s9 service_device portmaster Leave all other settings at their default values After you configured port S9 as shown in Table 20 4 enter the following commands to reset the port and save the configuration Command gt reset s9 Command gt save all The workstation printer subsystem should now be able to send printer jobs to dev ttyre and reach the printer Accessing Shared Devices 20 7 Configuration Steps for Shared Device Access 20 8 Parallel Port PO Settings You can also configure the parallel port PO to access a printer To configure the PO port for a printer use the values shown in Table 20 5 Table 20 5 Parallel Port PO Values Setting Command Port type set PO device dev ttyre Host set PO host default Device service set PO service_device portmaster Leave all other settings at their default values After you have configure port PO as shown in Table 20 5 enter the following commands to reset the port and save the configuration Command gt reset PO Command gt save all Configuring a Network Device for Telnet Access To access modems or other devices attached to PortMaster ports via Telnet use the general configuration given
13. Table6 3 Keywords for Configuring RIP Routing Keyword Description on The PortMaster broadcasts and accepts RIP packets from the system at the other end of the WAN connection This is the default off The PortMaster neither broadcasts nor listens for RIP information on the interface broadcast The PortMaster broadcasts RIP packets to the system at the other end of the WAN connection listen The PortMaster accepts RIP packets from the device connected to the WAN port Refer to the PortMaster Routing Guide for OSPF and BGP configuration instructions Setting Input and Output Filters Input and output packet filters can be attached to a synchronous port for network hardwired ports Filters allow you to monitor and restrict network traffic If an input filter is attached all packets received from the interface are evaluated against the rule set for the attached filter Only packets permitted by the filter are passed through the PortMaster If an output filter is attached packets going to the interface are evaluated against the rule set in the filter and only packets permitted by the filter are sent out of the interface Note You must define a filter in the filter table before you can apply it For more information about filters see Chapter 12 Configuring Filters PortMaster Configuration Guide Configuring WAN Port Settings To apply an input filter to a synchronous port use the following command Comman
14. Use a similar configuration for the remaining PortMaster devices Note This example describes how to configure the first PortMaster pml edu com Connecting Modems Use the following steps to connect modems to the first PortMaster l Connect your modems to the serial ports using straight through modem cables Modems slower than 14 4Kbps are not recommended for network users 2 Make sure that the modem cables are securely fastened and that you provide enough room for the modems to stay cool Configuring Global Settings Configure the global settings on the first PortMaster to the values shown in Table 19 2 Table 19 2 Global Values Setting Command Default host Alternate host IP gateway Default routing Name service Name server Domain System name Loghost Assigned address set host 192 168 1 4 set host 2 any other available host set gateway 192 168 1 1 set default off set namesvc dns set nameserver 192 166 1 2 set domain edu com set sysname pm set loghost 192 168 1 2 set assigned_address 192 168 1 33 Providing User Dial In Access 19 5 Configuration Steps for Dial In Access For more information about global settings refer to Chapter 3 Configuring Global Settings After you configure the global settings as shown in Table 19 2 enter the following command to save the configuration Command gt save all Configuring Ports You must configure each port yo
15. set nameserver 3 5 19 5 set namesvc 3 4 19 5 set netbios 3 26 set PO device 20 8 set PO host 20 8 set PO service device 20 8 set pap 3 26 5 19 set password 3 2 set pool 3 10 set reported ip 3 10 set SO access 12 15 set SO cd 5 25 9 7 17 5 17 9 18 5 18 6 20 6 20 7 20 8 21 5 21 7 set SO compression 5 21 5 24 18 6 set SO databits 5 4 set SO destination 5 21 18 6 21 5 21 7 set SO device 5 13 20 7 20 8 set SO directory 10 6 set SO dn 10 6 set SO dtr idle 5 25 set SO extended 5 5 set SO group 5 5 10 13 10 17 17 5 17 9 18 5 set SO hangup 9 9 set SO host 5 9 20 6 20 7 set SO idletime 5 8 17 5 17 9 set SO ifilter 5 21 set SO ipxnet 5 21 21 5 21 7 set SO login 5 9 set SO map 5 21 set SO message 5 6 set SO modem 9 6 set SO mtu 5 21 18 6 21 5 21 7 set S0 nat inmap 13 6 set S0 nat outmap 13 6 set SO netmask 18 6 21 5 21 7 set SO network 5 16 5 21 10 13 10 17 17 5 17 9 18 5 18 6 21 5 set SO network hardwired 21 7 set SO network twoway 5 19 set SO ofilter 5 21 Command Index 3 Command Index set SO override 5 3 set SO parity 9 8 set SO prompt 5 5 set SO protocol 5 21 18 5 18 6 21 5 21 7 set SO rip 5 21 5 23 18 6 21 5 21 7 set SO rts cts 5 4 5 19 9 8 17 5 17 9 18 5 18 6 20 6 set SO security 5 6 20 6 set SO service_device 5 13 5 25 20 6 20 7 20 8 set SO service_login 5 9 20 6 set SO speed 5 4 9 7 17 5 17 9 18 5 18 6
16. 20 6 20 7 set SO spid 10 5 10 13 10 17 set SO termtype 5 9 set SO twoway 5 25 20 5 set SO username 5 7 set SO xon xoff 5 4 9 8 18 5 18 6 20 6 20 7 set sapfilter 12 8 set secret 19 8 set serial admin 3 9 set subinterface 4 7 set syslog 3 7 set syslog Facility Priority 3 8 set sysname 3 2 10 11 10 16 16 4 16 8 17 4 19 5 21 4 21 6 set telnet 3 6 5 25 set user address 10 14 10 18 16 10 set user compression 7 9 10 14 10 18 17 6 17 10 19 10 set user destination 7 6 16 5 17 6 17 10 19 10 set user dialback 7 10 7 13 set user host 7 11 set user idletime 7 4 set user ifilter 7 9 7 12 set user ipxnet 7 6 10 14 10 18 16 6 16 10 17 6 17 10 set user map 7 7 set user maxports 7 8 10 8 set user mtu 7 8 10 14 10 18 16 6 16 10 17 6 17 10 set user netmask 7 6 10 14 10 18 16 5 16 10 17 6 17 10 Command Index 4 set user ofilter 7 10 set user password 7 4 10 13 10 18 16 5 16 10 17 6 17 10 19 9 19 10 set user protocol 7 5 10 13 10 18 16 5 16 10 17 6 17 10 19 10 set user rip 7 6 10 14 10 18 16 6 16 10 17 6 17 10 19 10 set user service 7 13 19 9 set user session limit 7 4 set user netmask A 8 set W1 address 6 8 15 9 15 10 set W1 annex d 15 6 15 9 15 10 set W1 cd 6 6 15 9 15 10 16 5 16 9 set W1 destination 6 9 set W1 dlcilist 15 6 set W1 extended 6 4 set W1 group 6 7 15 15 16 5 16 9 set W1 hangup 6 7 set W1 idle 6 7 set W1
17. A database in which data is stored as objects in an object oriented programming environment See also database Open database connectivity A standard database access method developed by Microsoft Corporation to enable any application to access data handled by any database management system DBMS ODBC inserts a middle layer called a database driver between the application and the DBMS to translate the application s data queries into commands that the DBMS can recognize Both application and DBMS must be ODBC compliant the application must be able to issue ODBC commands and the DBMS must be able to respond to them Open Datalink Interface A Novell specification that isolates the protocol stack from the network adapter drivers to provide hardware independence for network connectivity one time password Glossary 50 A password that provides additional security for network access because it is used only once Also known as a dynamic password a one time password is generated in encrypted form via multiple iterations of a secure hash function by software running on a user s computer or by a hardware device The password is often based on a seed value sent by the server that provides access to the network plus the user s secret pass phrase The server runs software that calculates the same encrypted password The passwords produced by the generator and the server must match before the user is granted access to the network Users w
18. Configuring Ports for Modem Use 9 10 PortMaster Configuration Guide Using ISDN BRI 10 This chapter describes how to configure the PortMaster to connect two local area networks LANs via ISDN using V 25bis dialing on a Basic Rate Interface BRI with an integrated network termination device NT1 This chapter also provides an example to demonstrate this type of configuration For information on the PortMaster 3 and ISDN PRI service see Chapter 11 Configuring the PortMaster 3 This chapter discusses the following topics e Overview of ISDN BRI Connections on page 10 1 e Configuring ISDN on page 10 4 e ISDN Port Configuration Tips on page 10 9 e ISDN BRI Unnumbered IP Configuration Example on page 10 9 e Troubleshooting an ISDN BRI Connection on page 10 21 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Overview of ISDN BRI Connections ISDN is most commonly used to provide low cost connectivity between sites that cannot justify the cost of a dedicated high speed leased line However ISDN connections provide more bandwidth than asynchronous dial up connections can as well as quicker call completion approximately 1 second instead of 45 seconds PortMaster products support manual dial on demand and automatic ISDN connections using the BRI port and the PPP protocol BRI supports two 64Kbps B channels for data and one 16Kbps D channel for signali
19. For more information on Ethernet settings refer to Chapter 4 Configuring the Ethernet Interface Configuring Synchronous WAN Port Settings Configure the synchronous WAN port with the values shown in Table 16 8 Table 16 8 Synchronous WAN Port Values Setting Command Port type set wl network twoway Transport protocol set w protocol ppp Netmask set w netmask 255 255 255 0 Modem control set wl cd on Group set wl group 1 After you configure the synchronous WAN port as shown in Table 16 8 enter the following commands to reset the port and save the configuration Command reset w1 Command gt save all For more information about synchronous ports refer to Chapter 6 Configuring a Synchronous WAN Port Using Synchronous V 25bis Connections 16 9 Configuration Steps for a Synchronous V 25bis Connection Configuring a Dial In User A user account must be set up on the PortMaster router in Miami so the PortMaster in Boston can dial in when traffic is queued The new user boston must be configured on the PortMaster in Miami with the values shown in Table 16 9 Table 16 9 User Table Values for Miami Setting Command Username add netuser boston Password set user boston password anypasswd Protocol set user boston protocol ppp User IP address set user boston destination 192 168 200 1 Netmask set user boston netmask 255 255 255 0 IPX network set user boston ipxnet F3 RIP routing set user bos
20. See also check item SHA 1 Request for Comments See RFC Reverse Address Resolution Protocol See RARP RFC Request for Comments One of a series of documents that communicate information about the Internet Most RFCs document protocol specifications such as those for IP and BGP Some RFCs are designated as standards Glossary 61 Glossary RIP rlogin RMI roaming ROBO route router Glossary 62 Routing Information Protocol A vector state protocol used for the transmission of IP or IPX routing information RIP uses hop count as the only metric for determining the best path Remote login A terminal emulation program similar to Telnet offered in most UNIX implementations The rlogin program uses the local terminal type given in an environment TERM variable as the remote terminal type Remote method invocation A Java application programming interface API that enables a program running on one computer to call the methods of an object running on a remote computer A service that enables two or more Internet service providers ISPs to allow one another s users to dial in to any member ISP s network for service Users traveling outside their normal area of service are provided service through another ISP Remote office branch office An end user segment of the internetworking market See also SOHO A way for a packet to reach its target via the Internet For example a BGP route provides a path of auto
21. To change the number plan from the default manufacturer setting so that you can for example begin to place outbound calls successfully use the following command Command set isdn numberplan 0 1 2 7 8 The new setting becomes effective immediately it does not need to be saved to nonvolatile RAM Enter this command without a number plan value to display a list of all plan values available and the current setting Multilink PPP Using ISDN BRI Multilink PPP V 120 is supported on analog and ISDN interfaces The PortMaster accepts and detects both multiline load balancing and Multilink PPP connections Multiple lines can be used to increase bandwidth either with Multilink PPP as defined in RFC 1717 or with Lucent s multiline load balancing To enable Multilink PPP use the following command Command set location Locname multilink on Configuring ISDN Multiple Subscriber Network for an S T Interface For countries that support BRI via the S T bus interface you can enable the multiple subscriber network MSN feature When enabled this feature allows multiple ISDN devices attached to the same BRI line to receive calls not intended for the PortMaster When the MSN feature is disabled the PortMaster rejects the call if a port is not available In this case other S T connected devices are not given an opportunity to check or accept the call This is the default To enable the MSN for an ISDN S T interface enter the followi
22. VPNs and for remote user access through dial up connection to private networks IPSec provides two choices of security service Authentication Header AH which allows authentication of the sender of data and Encapsulating Security Payload ESP which supports both sender authentication and data encryption IPVPN IP based virtual private network See VPN IPX Internet Packet Exchange An Internet protocol defined by Novell Inc IPXWAN IPX Wide Area Network protocol The protocol used to establish and configure an IPX link over the Point to Point Protocol PPP as described in RFC 1634 IPX Wide Area Network See IPXWAN IRC Internet Relay Chat A protocol that provides real time communication over the Internet via a series of linked Internet connected IRC servers IRC allows anyone with Internet access and IRC client software to chat with others who have similar access Unlike older chat systems IRC is not limited to just two participants See also chat Glossary 34 PortMaster Configuration Guide Glossary IRX Routers A series of PortMaster products that provide wide area interconnectivity between Novell IPX TCP IP and mixed network environments ISDN Integrated Services Digital Network A digital communications standard that enables the transmission of information over existing twisted pair telephone lines at higher speeds than standard analog telephone service ISDN is available at two levels of service Basic R
23. amp Associates 1998 ISBN 1 56592 512 2 Getting Connected The Internet at 56K and Up Nutshell Handbook Kevin Dowd Sebastopol CA O Reilly amp Associates Inc 1996 ISBN 1565921542 Firewalls and Internet Security Repelling the Wily Hacker William R Cheswick and Steven M Bellovin Reading MA Addison Wesley Publishing Company 1994 ISBN 0 201 63357 4 Japanese translation ISBN 4 89052 672 2 Errata are available at ftp ftp research att com dist internet_security firewall book Frames Packets and Cells in Broadband Networking William A Flanagan New York Telecom Library Inc 1991 ISBN 0 036648 31 7 About This Guide XXV Additional References xxvi Internet Routing Architectures Bassam Halabi San Jose CA Cisco Press 1997 ISBN 1 56205 652 2 Internetworking Technologies Handbook 2nd edition The Cisco Press Fundamental Series Merilee Ford H Kim Lew Steve Spanier Tim Stevenson and Kevin Downs New York MacMillan Publishing Company 1998 ISBN 1578701023 Internetworking with TCP IP Volume 1 Principles Protocols and Architecture Douglas Comer Upper Saddle River NJ Prentice Hall Inc 1995 ISBN 0 13 216987 8 v 1 Internetworking with TCP IP Design Implementation and Internals Vol 2 3rd edition Douglas E Comer and David L Stevens Upper Saddle River NJ Prentice Hall 1998 ISBN 0139738436 IPv6 The New Internet Protocol 2nd edition Christian Huitema Upper Saddle
24. and so on with the values shown in Table 19 6 Table 19 6 User Table Values for userl Setting Command Username add user user Password set user user password passwd Login service set user user service portmaster Use the PortMaster login service if the in pmd daemon is running on the default host otherwise use rlogin After you configure user table settings as shown in Table 19 6 enter the following command to save the configuration Command save all For more information about configuring user table values refer to Chapter 7 Configuring Dial In Users Dial In Network Users Note Use the instructions in this section only if you are not using RADIUS Providing User Dial In Access 19 9 Configuration Steps for Dial In Access A user account must be set up on the PortMaster for each authorized network user Configure each new user usera userb and so on with the values shown in Table 19 7 Table 19 7 User Table Values for usera Parameter Command Username add netuser usera Password set user usera password passwd Protocol set user usera protocol ppp Address type set user usera destination assigned Compression set user usera compression on RIP routing set user usera rip off You can also use SLIP or CSLIP instead of PPP Refer to Chapter 7 Configuring Dial In Users for more information about this configuration After you configure user table settings as shown in Table
25. but is generally more complex and expensive Synchronous WAN ports on a PortMaster router or access concentrator provide high speed dedicated connections between two remote LANs over leased lines Frame Relay switched 56Kbps lines or ISDN lines Compare asynchronous 1 The process that handles system messages by reading and forwarding them to a log file or users depending on the priority of the message and the system facility that originated the message 2 The log file created by the syslog process System operator A person responsible for the day to day operation of a computer system or network resource for example server LAN bulletin board system BBS online service or special interest group SIG system operator T T1 See sysop A leased line digital WAN carrier system for transmitting data formatted for digital signal level 1 DS 1 at 1 544Mbps through the telephone switching network using alternate mark inversion AMI or bipolar 8 zero substitution B8ZS coding The system uses four wires and provides full duplex communication two wires for receiving and two for sending simultaneously The wires can be twisted pair copper wire coaxial cable optical fiber or other media Compare EI T3 Glossary 69 Glossary T3 table TCP IP telco Telnet terabyte terminal Glossary 70 A leased line digital WAN carrier system for carrying data formatted for digital signal level 3 DS 3 at 44 736Mbps
26. configuration is also useful when you are using the UNIX tip command and UNIX to UNIX Copy Protocol UUCP services Once a port is defined as host device a device service must be selected that defines the method used to connect the user to the specified port and device Host device services include PortMaster telnet and netdata Configuring an Asynchronous Port 5 11 Configuring a Port for Access to Shared Devices You can provide access to host device ports by establishing a pseudo tty connection to the port from a UNIX host with the PortMaster daemon software installed In this case the port operates as a host controlled device Figure 5 2 shows a host device configuration using the PortMaster device service and a pseudo tty connection This configuration is most commonly used to provide access to shared devices such as printers Figure 5 2 Host Device Configuration printer i 1 oO PortMaster 11820002 Figure 5 3 shows a host device configuration where the device service is set as rlogin telnet or netdata In this configuration the host device name is set as dev network This configuration is used in cases where users want to log in remotely via telnet or rlogin to the shared device before transferring data such as with a modem 5 12 PortMaster Configuration Guide Configuring a Port for Access to Shared Devices Figure 5 3 Network Device Configur
27. e Consultative Committee for International Telegraph and Telephone CCITT e International Organization for Standardization ISO e ISO CCITT Each branch and sub branch in the tree structure is known as an object and each object is represented by an object name and an object identifier OID Figure 3 1 traces the path from the ISO branch of the MIB to the Livingston MIB OIDs provide compact representations of object names An OID shows the position of an object in the MIB hierarchy As shown in Figure 3 1 the OID for the Livingston MIB is 1 3 6 1 4 1 307 Configuring Global Settings 3 11 Configuring SNMP Figure 3 1 Management Information Base MIB Hierarchy 3 experi mental 1 directory 4 private 307 Livingston 11820021 3 12 PortMaster Configuration Guide Configuring SNMP Figure 3 2 shows the tree structure of the private Livingston portion of the MIB Figure 3 2 Part of MIB Structure showing PortMaster Port SO Livingston Enterprise 305 306 807 308 1 not used 2 products 3 livingstonMib 1 livingstonSystem 2 livingstonInterfaces 1 livingstonSerial 2 livingstonT1E1 1 livingstonSerialTable 1 livingstonSerialEntry P dis um 1 Index 2 PortName 3 PhysType 4 User 11820020 Reading from the top down the object identifier OID in Figure 3 2 307 3 2 1 1 1 2 breaks out as follows e 307 refers to the Livingston namespace e 3refers to the MIB e
28. e You do not use Proxy ARP Instead you use your 192 168 206 0 network for the Ethernet and divide your other networks up among the PortMaster routers e Each network provides 30 addresses for the assigned pool of each PortMaster To create the subnets defined in this example enter the following commands on all the PortMaster routers Command set EtherO0 address 192 168 206 X for some value of X Command set gateway 192 168 206 Y where Y points at your gateway Command add netmask 192 168 207 0 255 255 255 224 Command add netmask 192 168 207 0 255 255 255 224 Command add netmask 192 168 207 0 255 255 255 224 Command set Ether0 rip on Command save all The netmask table collapses routes on the boundaries specified As a result if one PortMaster has an assigned pool starting at 192 168 207 33 it broadcasts a host route to 192 168 207 32 instead of broadcasting a route to the 192 168 207 0 network The other PortMaster routers consult their own netmask tables and convert that route back into a subnet route to 192 168 207 33 through 192 168 207 32 If your gateway on the Ethernet is not a PortMaster product the netmask table is not supported However you can set a static route on the gateway for each of the three destination networks for your assigned pools 192 168 207 0 192 168 208 0 and 192 168 209 0 pointing at one of the PortMaster routers The identified PortMaster then forwards packets to the proper PortMaster
29. empty set of rules An empty set of rules is equivalent to the permit rule If a filter contains one or more rules in the set any packet not explicitly permitted by a rule is denied at the end of the rule set Configuring Filters 12 3 Overview of PortMaster Filtering A maximum of 256 filter rules per filter is allowed for the PortMaster 3 and IRX For other PortMaster products the maximum number of filter rules allowed is 100 The PortMaster generates an error message when the number of filter rules exceeds the limit How Filters Work IP and IPX packet filters are attached to users locations Ethernet interfaces or network hardwired ports as either input or output filters SAP filters are attached as output filters only The Ethernet interface filter is enabled as soon as the name of the input or output filter is set Input and output are defined relative to the PortMaster interface As shown in Figure 12 1 an input filter is used on packets entering the PortMaster and an output filter is used on packets exiting the PortMaster Figure 12 1 Input and Output Filters Packets out to Packets in from network users network users 2 Ethernet interface Input filter Output filter PortMaster Output filter Input filter u Serial interface Packets in from Packets out to branch office branch office anis All packets entering a PortMaster through an interface with an input filter are evaluated against th
30. filters see Chapter 12 Configuring Filters When a filter is changed all ports in use by the location must be reset to have the changes take effect Note If a matching filter name is not found in the filter table this command is not y effective and all traffic is permitted Input Filters Input filters cause all packets received from the interface to be evaluated against the filter rule set Only packets allowed by the filter are accepted To set an input filter for a location use the following command Command set location Locname ifilter Filtername Output Filters Output filters cause all packets going out to the interface to be evaluated against the filter rule set Only packets allowed by the filter are passed out to the interface To set an output filter for a location use the following command Command set location Locname ofilter Filtername Configuring Dial Out Connections 8 13 Testing Your Location Configuration Testing Your Location Configuration When you are configuring a location you can set a manual connection for the location so that you can test the configuration before resetting the connection to on demand or automatic To test the configuration you must initiate a connection with the remote location by using the dial command from the command line To display the chat script if you are using one during dialing use the optional x keyword You can watch the connection process to ensure
31. transition to use of VLSMs ComOS sets user netmask to off by default This means that all netmasks specified in the user table or RADIUS are treated as if they were 255 255 255 255 To use VLSMs and have ComOS accept the value in Framed IP Netmask enter the following commands Command set user netmask on Command save all Caution The VLSM feature affects both routing and proxy ARP on the PortMaster and must be used with caution Using Naming Services and the Host Table A 8 Naming services are used to associate IP addresses with hostnames Many networks use the Domain Name System DNS or the Network Information Service NIS for mapping hostnames to IP addresses Both services are used to identify and locate objects and resources on the network To use DNS or NIS you must specify the IP address of the name server during the configuration process PortMaster Configuration Guide Managing Network Security The PortMaster enables you to specify an internal host table which can be used in addition to DNS and NIS The host table allows each unique IP address to be aliased to a unique name The host table is consulted when a port set for host access prompts for the name of the host The table is used to identify the IP address of the requested host If the user specified hostname is not found in the host table then NIS or DNS is consulted available Using the host table only when necessary reduces confusion and the amount Note
32. you must configure user attributes in individual user files in the RADIUS user database rather than in the PortMaster user table Refer to the RADIUS for UNIX Administrator s Guide for more information This chapter discusses the following topics e Configuring the User Table on page 7 1 e User Types on page 7 3 e Configuring Settings for Network and Login Users on page 7 4 e Configuring Network Users on page 7 4 e Configuring Login Users on page 7 10 nonvolatile memory of the PortMaster Therefore use RADIUS for user authentication when you must configure multiple PortMaster Communication Servers to handle more than a few dozen users Note Only 100 to 200 users can be configured in the user table and stored in the See the PortMaster Command Line Reference for more detailed command descriptions and instructions Configuring the User Table This section describes how to display user information and how to add users to or delete them from the user table 7 1 Configuring the User Table 7 2 Displaying User Information You can display the current users in the user table or the complete configuration information for a specified user To display the current users in the user table for example enter the following command Command gt show table user Name Type Address Host Netmask Service RIP jozef Netuser negotiated 0000000000 adele Login User default Telnet elena Netuser assigned 255
33. 10 3 Global Values Setting Command IP gateway set gateway 192 168 1 1 System name set sysname denver ISDN switch set isdn switch ni l After you configure the global settings shown in Table 10 3 enter the following command to save the configuration Command save all For more information about global settings refer to Chapter 3 Configuring Global Settings 10 11 ISDN BRI Unnumbered IP Configuration Example Configuring Ethernet IP Interface Settings Configure the following Ethernet interface settings to the values shown in Table 10 4 Table 10 4 Ethernet Values Setting Command Protocol set ether0 ipx enable IP address set ether0 address 192 168 200 1 Netmask set ether netmask 255 255 255 0 IPX network set ether0 ipxnet FI IPX frame type set ether0 ipxframe ethernet 802 2 Broadcast address set ether0 broadcast high RIP routing set ether0 rip on After you configure the Ethernet interface as shown in Table 10 4 enter the following command to save the configuration Command save all For more information on Ethernet settings refer to Chapter 4 Configuring the Ethernet Interface Configuring ISDN Port Settings Configure the ISDN port with the values shown in Table 10 5 for the example in this chapter This example assumes that the BRI used is port S1 S2 on a PortMaster ISDN Office Router OR U If your application uses ports 10 through 29 on a PortMaster 2E adjust
34. 15 using with in pmd daemon 20 3 devices shared 5 11 dial groups 5 5 6 7 8 8 dialback See callback dial in access 5 2 19 1 configuration tip 1 5 dial in users configuration tip 1 5 defining 10 13 16 5 16 10 ISDN connections 10 18 maximum ports 7 8 network users 19 10 dial in only access 5 16 dial on demand connections 8 4 dial out configuration tip 1 5 connection types 8 3 dial out ports configuration 18 5 configuration tip 1 5 LocationWizard 1 2 multiline load balancing 8 12 dial out only access 5 17 dial up connections continuous 18 3 digital modems 11 13 directory number 10 6 11 8 disconnecting a dial in user 5 7 6 7 DISCONNECTING port status 2 6 DLCI bundling 15 12 learning 15 5 list 15 6 use with PVCs 15 2 DNS A 8 B 1 on hosts behind the NAT 13 31 outside local subnet 12 12 setting 3 4 using instead of the host table 3 4 document advisory xxviii document conventions xxvii documentation related xxii Domain Name System See DNS DSR value 5 26 DTR idle 5 25 DTR for hangup 6 7 9 9 dynamically setting the IP address 3 9 E E amp M wink start protocol 11 4 El channel groups 11 3 El lines encoding method 11 7 framing format 11 6 grouping fractional 11 3 in band signaling 11 2 pulse code modulation 11 7 setting use 11 2 encoding method 11 7 endpoint discriminator setting for Multichassis PPP 11 20 escaping PPP characters 5 24 ESTABLISHED port status 2 6 Ethernet 802 2 4 6 802 2 II 4 6 802
35. 19 7 enter the following command to save the configuration Command gt save all For more information about configuring user table values refer to Chapter 7 Configuring Dial In Users Testing the User Dial In Setup To test the configuration follow these steps for each PortMaster set up for user dial in access 1 Enter the following commands Command gt set console Command gt set debug 0x51 2 Dial in to the PortMaster you are testing using the username and password you have created in either RADIUS or the user table 19 10 PortMaster Configuration Guide Configuration Steps for Dial In Access 3 If everything connects as expected turn off debugging and save the configuration Command gt set debug off Command gt save all 4 If you notice a problem do the following a b C d Reset the port Check your configuration Dial the PortMaster again Repeat this procedure until the connection is made correctly 5 When you have configured the PortMaster correctly reset the ports and save the configuration Command reset all Command save all Providing User Dial In Access 19 11 Configuration Steps for Dial In Access 19 12 PortMaster Configuration Guide Accessing Shared Devices 20 This chapter uses an example to demonstrate how to configure the PortMaster to connect from networked hosts to shared devices attached to the PortMaster This type of connection provides user a
36. 255 255 0 Modem control set wl cd on RIP routing set wl rip listen Annex D set w annex d 10 LMI can be used instead of Annex D 15 10 PortMaster Configuration Guide Troubleshooting a Frame Relay Configuration Table 15 5 WAN Port Parameter Values Continued Setting Command DLCI add dlci w 16 192 168 20 1 You do not need to set a DLCI list if the remote router supports Inverse ARP After you configure the synchronous WAN port as shown in Table 15 5 enter the following commands to reset the port and save the configuration Command reset w1 Command save all If LMI or Annex D is set the PortMaster receives DLCI information in the full status update messages from the Frame Relay switch The PortMaster then attempts to discover IP addresses of other routers using Inverse ARP You can set DLCI lists statically as well The show arp frm1 command lists both the static and dynamic DLCI lists for the W1 port If Annex D is available from your carrier for a new connection it is preferable to LMI To connect to Cisco routers using Frame Relay the Cisco router must be set to use encapsulation frame relay ietf for the serial interface otherwise the Cisco frame relay map command for your DLCI must have the ietf keyword appended For more information about synchronous ports refer to Chapter 6 Configuring a Synchronous WAN Port Troubleshooting a Frame Relay Configuration Most synchro
37. 3 This section describes how to configure the PortMaster portion of an L2TP configuration Because locally stored profiles are not supported for L2TP you must use RADIUS For information about configuring the RADIUS portion of L2TP see Configuring L2TP on the RADIUS Server on page 14 8 You use the following command to configure L2TP on a PortMaster 3 Command set 12tp disable enable lac lns Setting Up a LAC You designate a PortMaster 3 as a LAC by enabling the LAC feature in ComOS The LAC feature is disabled by default To designate a PortMaster 3 as a LAC enter the following command Command set 12tp enable lac Command save all Command reboot 14 4 PortMaster Configuration Guide Configuring L2TP on the PortMaster 3 To disable the LAC functionality on the PortMaster enter the following commands Command gt set 12tp lac disable Command gt save all Command gt reboot Setting Up an LNS The LNS feature is disabled by default You designate a PortMaster 3 as the end point of an L2TP tunnel by enabling the LNS feature in ComOS The PortMaster thereafter supports in band channelized connections only To designate a PortMaster 3 as an LNS enter the following command Command gt set 12tp enable Ins Command gt save all Command gt reboot To disable the LAC functionality on the PortMaster enter the following command Command gt set 12tp Ins disable Command gt save all Command gt reboot Refer to t
38. 3 4 6 filters 12 2 II 4 6 subinterfaces 4 7 Ethernet interface enabling IPX traffic 4 5 filters 4 2 12 2 IP address 4 3 IP traffic 4 4 IPX frame type 4 6 IPX network number 4 5 NetBIOS 3 26 parameter descriptions 4 1 routing 4 1 6 9 7 6 8 7 subnet mask 4 4 Subject Index 3 Subject Index extended information asynchronous ports 5 5 synchronous ports 6 4 F FilterEditor 1 2 filters access filters 5 6 12 14 adding rules 12 5 asynchronous ports 5 25 attaching 12 4 authentication queries 12 12 ChoiceNet 1 3 A 10 creating 12 5 deleting 12 8 dial out 8 13 displaying 12 8 DNS outside local subnet 12 12 empty rule set 12 3 Ethernet interface 4 2 12 2 examples 12 9 filter table 12 3 FilterEditor 1 2 filtering options 12 2 FIP 12 11 hardwired port 12 10 input 4 2 6 11 7 9 8 13 12 4 18 10 Internet 12 10 IP 12 6 IPX rules 12 8 location filters 12 5 logging results 12 14 network access 12 13 output 4 3 6 11 7 10 8 13 12 4 packet filters 7 9 12 2 permit and deny 12 9 removing 4 3 6 11 7 10 RIP packets 12 12 rules with L2TP firewalls 14 14 SAP filters 12 8 security 12 2 Subject Index 4 storing 12 3 synchronous ports 6 10 TCP and UDP port services B 1 TCP options 12 6 12 7 user filters 12 5 firewalls accounting for in filters 14 14 flow control 5 4 hardware 9 2 9 8 software 9 8 foreign exchange station protocol 11 4 fractional El enabling 11 2 fractional TI enabling 11 2 on the
39. 3 7 messages 3 7 setting 3 6 system name setting 3 2 T T1 channel groups 11 3 T1 expansion card clocking 11 17 for fractional T1 11 18 for full T1 11 18 troubleshooting 11 19 T1 lines encoding method 11 7 external clocking 11 2 framing format 11 6 grouping fractional 11 3 Subject Index 12 in band signaling 11 2 internal clocking 11 17 pulse code modulation 11 7 setting use 11 2 TA 10 2 TCP default Telnet port 5 15 packets filtering 12 7 services and ports B 1 TCP IP header compression 5 23 6 11 7 8 8 8 TCP IP support connecting without 5 25 TCP CLEAR channel access 5 15 tech bulletin livingston com mailing list xxx technical support xxviii telephone number setting for dial out 8 5 Telnet access to shared devices 20 8 device services 5 15 login service 5 10 7 12 using as console port 3 6 using for administrative tasks 3 5 terminal adapter 10 2 terminal identifier 10 6 terminal type asynchronous ports 5 11 terminal connecting to console port 9 1 ticks setting 3 22 TID 10 6 training PortMaster xxix transport protocol setting 6 8 troubleshooting Frame Relay 15 11 Frame Relay subinterfaces 15 14 ISDN 10 21 L2TP 14 13 leased line connections 21 8 modem connections 14 13 PPP tracing on LNS and LAC 14 13 PPPDecoder 1 2 PPPSmartAgent 1 2 V 25bis 16 13 tunneling See L2TP VPN PortMaster Configuration Guide Subject Index tunnels authentication on the PortMaster 14 6 auth
40. 5 5 13 5 14 5 18 inband signaling E amp M wink start protocol 11 4 FXS loop start protocol 11 4 initialization steps 2 3 strings 9 4 INITIALIZING port status 2 6 Internet input filter example 12 10 restrictive filter example 12 13 Internet connections 5 2 18 1 18 11 IP address pools static netmasks 3 24 IP addresses address pools 3 9 19 4 class A A 3 class B A 3 class C A 4 class D A 4 class E A 4 classes A 2 conventions A 6 description A 1 destination 5 22 7 5 8 6 negotiating 5 22 6 8 notation A 2 private IP networks A 5 reported 3 10 reserved addresses A 5 setting for Ethernet interface 4 3 subnetting A 7 synchronous ports 6 8 IP traffic setting on Ethernet interface 4 4 IPX default gateway setting 3 3 displaying routing table entries 3 20 enabling traffic 4 5 encapsulation 4 6 frame type 4 6 network address 6 9 packets filtering 12 4 12 7 route destinations 3 22 Subject Index 5 Subject Index IPX addresses conventions A 6 IPX network number 7 5 7 6 8 6 asynchronous ports 5 22 Ethernet interface 4 5 ISDN BRI ports 10 2 BRI definition 10 1 data over voice 8 10 10 8 dial in users defining 10 13 10 18 directory number 10 6 11 8 encoding method for PRI line 11 7 framing format for PRI line 11 6 multiline load balancing 10 7 Multilink PPP 10 7 multiple subscriber network 10 8 on demand connections 17 15 18 11 port limits 10 8 provisioning 10 3 11 9 pul
41. Addressing A 6 IP Address Conventions If the bits in the host portion of an address are all 0 that address refers to the network specified in the network portion of the address For example the class C address 192 31 7 0 refers to a particular network Historically this address was used as a broadcast The standard for broadcast is high which uses all 1s in the host portion for example 192 168 1 255 however many networks still use all Os The PortMaster can be configured either way and should be set to match the other systems on your network Note Do not assign an IP address with all Os or all 1s in the host portion of the address to a host on the network because these are reserved as broadcast addresses With CIDR networks are specified with an IP prefix and netmask length for example 172 16 0 0 16 192 168 1 0 24 or 192 168 200 240 28 IPX Addressing An IPX address consists of 10 bytes expressed in hexadecimal notation which gives an IPX network host a unique identifier IPX addresses are made up of the following two parts e Network segment address expressed as 8 hexadecimal digits These 4 bytes 32 bits specify on which network segment the node resides e Node address expressed as dotted triplets of 4 digit hexadecimal numbers These 6 bytes 48 bits provide the media access control MAC address of the node The two elements of the IPX address are separated by a colon For example 00000003 0001 8423 45
42. An access router uses an Ethernet port to connect to a LAN and one or more asynchronous and or synchronous ports to provide the LAN with a long distance connection to another router on another network PortMaster Office Routers and PortMaster IRX products are access routers access server See remote access server accounting See RADIUS accounting accounting server The RADIUS server component responsible for handling RADIUS accounting Glossary 2 PortMaster Configuration Guide Glossary ActivCard An authentication system available from ActivCard Inc ActivCard uses tokens and a software server to generate and confirm one time passwords to identify users and grant or deny them network access address A number used to identify a computer or other device on a network or internetwork See also IP address MAC address address resolution A method for translating one type of address into another for example an IP address into a media access control MAC address Address Resolution Protocol See ARP adjacency A relationship between two routers on the same physical network or between the endpoints of a virtual link that controls the distribution of routing protocol packets by limiting their exchange to those routers or endpoints ADSL Asymmetric digital subscriber line A modem and compression technology that can transmit multiple channels of multimedia data over regular telephone lines An ADSL circuit is much faster tha
43. Called Station ID When lines are configured for channelized T1 you must configure a PortMaster 3 directory number because the Called Station ID feature is not supported under this configuration To set a telephone number for an individual port when the line is configured as ISDN B channels use the following command Table 11 10 explains the directory number options Command set SO directory Number Table 11 10 Directory Number Options Options Description S0 One of the ISDN ports Number Access telephone number 11 8 PortMaster Configuration Guide Using Non Facility Associated Signaling NFAS Using Non Facility Associated Signaling NFAS Non facility associated signaling NFAS is an ISDN PRI protocol that allows you to define two D channels to carry signaling messages for up to 20 TI interfaces This feature relieves telcos and Internet service providers ISPs of the need to provide D channel signaling for each TI interface and increases bandwidth by making those D channels available to carry data NFAS is supported only on the PortMaster 3 To enable NFAS you configure one TI line as the primary interface another TI line as the secondary interface and the remaining TI lines as slave interfaces The D channel on the primary T1 interface in in service mode carries signaling messages for the following B channels e B channels on its own interface e B channels on the TI interface configure
44. ERE e EE Se Se ERI EL ES 9 7 EV ens eV dns Od Wid ve Wid ve E EA 9 7 E 9 8 DoatonioaSunis utens depot ctu e utet Te cate 9 8 iuahdbok daher doRderdondondenc fons iz alate ts 9 9 PortMaster Configuration Guide Contents Troubleshooting an ISDN BRI Connection sese 10 21 Interpreting ISDN BRI Port Status llle 10 22 11 Configuring the PortMaster 3 Configuring General Settings 0 0 cc eee eee 11 1 Displaying Line Stats zw asa dena desea vad ws x AA OR d SUA SCR ROADS CA PURA 11 2 Configuring Line Users scudo eoe CE MOS Ss EN EOS X Eee N OR Roe necs 11 2 Setting Channel Groups esie bt ate tebe bebe Peete leds eds leds dada fes 11 3 Setting the Channel Rate llle eee 11 3 Setting the Inband Signaling Protocol for T1 0 0 eee eee 11 4 Setting the Inband Signaling Protocol for El l llle 11 4 Configuring ISDN PRI Settings llle eh 11 5 Setting the ISDN PRI Switch llle 11 5 Setting the Framing Format llle eee 11 6 Setting the Encoding Method 0 0 eee eens 11 7 Setting the Pulse Code Modulation 0 0 00 ee nee 11 7 Setting the Loopback och ies oe fy ew E ew So eo a ee ee d 11 8 Setting the Directory Numbers 2 2 occas ee a bia bani Doku 11 8 Using Non Facility Associated Signaling NFAS 0 00 e eee eee eee 11 9 PIOVISIONING 2229393608940 GGG AG RU AI a A De aad ea 11 9 Understanding NBAS i0 42400 DDPDPTuP
45. IPX network set sl ipxnet F3 Modem control set s1 cd off RIP routing set s rip on MTU set sl mtu 1500 If you are not sure of the IP address on the other end of the connection you can set the IP destination to 255 255 255 255 and the PortMaster will attempt to learn the address Leave all other settings at their default values After you configure the port S1 as shown in Table 21 6 enter the following commands to reset the port and save the configuration Command reset s1 Command save all For more information about synchronous ports refer to Chapter 6 Configuring a Synchronous WAN Port Using Synchronous Leased Lines 21 7 Troubleshooting a Leased Line Connection Troubleshooting a Leased Line Connection 21 8 Use the information in this section to debug your configuration If you have trouble with a leased line connection verify the following Enter the following commands to view the PPP negotiation on port SI if this is the port you are using Command set console s1 Command set debug 0x51 Command reset s1 For information about the interpreting the results of the debug command refer to the PortMaster Troubleshooting Guide After you verify that the PPP negotiation is correct enter the following commands to turn off the debug utility Command set debug off Command reset console The error counters should be 0 zero except for abort errors If your counters are nonzero the problem
46. IRR PortMaster 3 QUEEN PortMaster with NAPT 10 0 0 8 10 0 0 9 10 0 055 11820030 Configuring NAT 13 33 NAT and NAPT Examples 13 34 To configure location corporate power as a dial out location using defaultnapt for user tesla as illustrated in Figure 13 5 enter the following commands on the PortMaster Command gt Command gt Command gt Command gt Command gt Command gt Command gt Command gt Command gt Command gt add set set set set set set set set set location location location location location location location location location location corporate power corporate power corporate power corporate power corporate power corporate power corporate power corporate power corporate power telephone 5558583 username tesla password ACrules destination 192 168 2 5 maxports 2 idletime 15 minutes on demand local ip address assigned corporate nat outmap defaultnapt Using Basic NAT to Avoid Address Renumbering This example shows how you can avoid the laborious process and potential errors of renumbering the IP addresses of hosts in an existing network when merging with a larger network In this example Figure 13 6 the company Smallfry 10 1 1 0 24 which has just merged with Bigfish Inc 192 168 0 0 16 renumbers its hosts to access the Bigfish network Smallfry has an ISDN connection from its PortMaster to the Bigfi
47. In BGP the final autonomous system in the autonomous system path whose IP address prefixes and associated netmasks are reported in the network layer reachability information NLRI field of an update message A destination and its path comprise a BGP route See also path route Any machine or hardware component that attaches to a computer or network Examples of devices include printers modems routers and network access servers Dynamic Host Configuration Protocol The underlying protocol for a network administration software tool that enables network managers to set up servers to automatically supply IP addresses and configuration settings to clients DHCP extends and enhances the BOOTP protocol by providing reusable IP addresses and allocating IP addresses based on subnet client ID string or media access control MAC address See callback dialed number identification service dial group dictionary See DNIS A number that is used to associate dial out locations with ports on a PortMaster See RADIUS dictionary digital service unit See DSU digital signal processor See DSP Glossary 19 Glossary digital subscriber line See DSL direct memory access See DMA distributed database DLCI DLL DMA DNIS DNS Glossary 20 A database that can be dispersed or replicated among different points in a network See also database Data link connection identifier A unique number that represents
48. LAC before the tunnel is established A session using Call Check as a Service Type and Called Station Id as a check item with L2TP proceeds as follows l The dial up user places a call 2 The LAC detects the incoming call 3 Using call check the LAC sends an authentication request to a RADIUS server containing the Called Station Id and Calling Station Id before answering the call See Overview of Call Check on page 14 7 4 RADIUS accepts the user if authentic and sends an accept message to the LAC containing information about how to create the L2TP tunnel for this session 5 The LAC creates a tunnel to the LNS by encapsulating the PPP frames into IP packets and forwarding those packets to the LNS 6 The LNS negotiates PPP with the end user Figure 14 1 illustrates the basic operation of L2TP tunneling Tunnel authentication can be set to either end of the tunnel or to both ends for mutual authentication See Setting L2TP Tunnel Authentication Optional on page 14 6 Configuring L2TP 14 3 Configuring L2TP on the PortMaster 3 Figure 14 1 L2TP Tunnel Operation ae a a LAC detects 5 tunnel 7 incoming calls established P4 LAC LNS user Calls O PortMaster 3 L2TP Tunnel PortMaster 3 RADIUS 3 4 RADIUS authentication N authentication LNS negotiates request reply PPP with user d d RADIUS RADIUS 11820040 Configuring L2TP on the PortMaster
49. Load yy Balancing among Tunnel Server End Points Optional on page 14 5 Configuring Accounting Both the LAC and the LNS can log user sessions to RADIUS accounting but the data available to each depends upon whether you use call check or partial authentication on the LNS Configuring L2TP 14 1 Administering L2TP on the PortMaster e Call Check If you use call check to establish the tunnel the LAC accounting data includes only the calling line ID CLID information The username is not present because that information has not yet been passed over the link The LNS has both the CLID and username in its accounting data along with the assigned IP address e Partial Authentication If partial authentication instead of call check is taking place on the LAC the username might be available If the username is available it appears in the RADIUS accounting logs for both the LNS and the LAC In both cases the LNS shows the NAS Port Type as virtual In addition the LAC has the NAS Port Type set to the connection type of the physical interfaces which is the normal behavior of a network access server NAS Administering L2TP on the PortMaster 14 12 This section describes administrative tasks you can perform to monitor or change L2TP settings on the PortMaster and includes the following topics e Manually Creating a Tunnel on page 14 12 e Displaying L2TP Information on page 14 13 e Resetting L2TP Tunnels on pag
50. Locname command Verify the DLCI list on a location using the show arp Interface command replacing Interface with the name of the interface A list of interfaces can be shown with the ifconfig command Always reset the port after changing the DLCTI list Verify that all DLCIs are accounted for by checking the DLCI list for your primary interface If you enter the wrong DLCI for the subinterface the DLCI for the subinterface is applied to the primary interface if LMI or Annex D is in use Enter the following two commands to view the LMI or Annex D keepalives Command gt set console wl Command gt set debug 0x51 After you verify that the proper keepalives are being received enter the following commands to turn off the debug utility Command gt set debug off Command gt reset console If you have a Cisco router on the other end of your connection verify that it is set for encapsulation frame relay ietf for the serial interface otherwise the Cisco frame relay map command for your DLCI must have the ietf keyword appended PortMaster Configuration Guide Frame Relay Subinterfaces Example Configuring a Frame Relay Subinterface This set of example commands configures a PortMaster IRX 111 router with Frame Relay packets coming into port W1 with DLCIs 16 17 and 18 Port WI has already been configured for Frame Relay so that portion is not shown here The following commands split the Frame Relay port into a primary subinterf
51. NAT on their local router Outsource mode NAT allows a PortMaster to handle the NAT processing and management for one or more connected network interfaces When a remote client dials in to a WAN port on a PortMaster configured to do network address translation for it the PortMaster performs NAT service for that device With outsource NAT all NAT configuration is done on the PortMaster where a central site administrator maintains NAT mappings for all sites connected to it Central site administration avoids the complexity of managing a number of separate routers with different capabilities In Figure 13 4 a PortMaster at an ISP does network address translation for two sites that dial in via ISDN routers which cannot do network address translation Note that both sites which are different clients of the ISP use the same 10 1 1 0 24 network As long as the individual client networks connect to different interfaces on the PortMaster there is no conflict of address space In this example network user tesla and network user edison have assigned identical IP addresses to their workstations but the PortMaster running NAT does not confuse them This aspect of the NAT protocol is convenient for situations in which companies merge or when large companies take over small companies Rather than search through potentially thousands of private addresses for conflicts or renumber entire networks see Using Basic NAT to Avoid Address Renumbering on
52. National Standards Institute ANSI T1 617 Annex D LMI Although the PortMaster supports both LMI on the PortMaster refers to the Cisco Stratacom implementation See also Annex D PortMaster Configuration Guide LNS Glossary L2TP network server A Point to Point Protocol PPP server with Layer 2 Tunneling Protocol L2TP capabilities that is the end point of a session The LNS handles the authentication of the user via a RADIUS server and routes network traffic to and from the user The LNS has no physical ports only virtual interfaces On a PortMaster 4 an LNS can be an LNS board a Quad T1 or Tri El board or the entire device See also LAC local area network See LAN local exchange carrier See LEC Local Management Interface See LMI local preference location location table lockstep In BGP the degree of preference number that the PortMaster assigns to every external route it advertises to an internal or confederation member BGP peer A higher number indicates a greater preference for a route when more than one exists to a destination Internal and confederation member peers receiving this route use this local preference rather than calculating their own degree of preference for a route You can use a routing policy rule to override this value and assign your own local preference to a route you advertise See also degree of preference A dial out destination on a PortMaster A database on the PortMaster wh
53. OSPF routing protocol on an Ethernet interface To set OSPF on the interface use the following command entered all on one line Command set Ether0 ospf on off cost Number hello interval Seconds dead time Seconds The on keyword enables OSPF on the specified Ethernet interface off disables OSPF on that interface You can specify the cost of sending a packet on the interface with a link state metric by using the cost Number keyword and value The Number metric is a 16 bit number between 1 and 65535 the default is 1 Routers in OSPF networks continually exchange hello packets with their neighbor routers You can set the interval that elapses between the transmission of hello packets on the interface by using the hello interval Seconds keyword and value Seconds can range from 10 to 120 seconds the default is 10 seconds If the PortMaster stops receiving hello packets from a neighbor it treats that router as inactive or down You can specify how long the PortMaster waits for hello packets from neighbors by using the dead time Seconds keyword and value Seconds can range from 40 to 1200 seconds the default is 40 seconds Note You must set the same cost value the same hello interval value and the same dead time value on all routers attached to a common network To enable acceptance of RIP packets on the OSPF network use the following command Command set ther0 ospf accept rip on off See the PortMaster Routing Guide
54. Outbound Sessions You use outbound maps to translate the private IP addresses of internal hosts when those hosts communicate with hosts external to the private network Outbound maps can be static or dynamic depending on whether you possess sufficient global addresses for all your internal hosts see NAT Addressing on page 13 6 The two types of address maps dynamic and static respectively are equivalent however only when you are mapping single IP addresses In practice users in a small office home office SOHO generally want to give several internal hosts access to the Internet or to some external host Figure 13 1 illustrates a typical use of outbound maps in a SOHO situation in which a PortMaster connects the SOHO to an ISP and does network address translation for one or more internal hosts with private IP addresses 13 10 PortMaster Configuration Guide NAT Maps Configuring NAT Figure 13 1 Outbound Map 192 168 5 3 Recte PortMaster 10 5 3 8 10 5 3 9 10 5 3 10 10 5 3 7 11820028 To map the private address 10 5 3 6 to the global address 192 168 5 3 you can create an outbound map in either of the following ways Command set map Mapname 1 addressmap 10 5 3 6 192 168 5 3 Command set map Mapname 1 staticaddressmap 10 5 3 6 192 168 5 3 The difference between a dynamic address map and a static address map becomes clear when you create an address map to give all
55. Point to Point Protocol PPP Based on the Lempel Ziv compression algorithm the Stac LZS data compression algorithm described in RFC 1974 supports all file types and both single and multiple compression histories See host The connection for the ISDN Basic Rate Interface BRI switch type used in Japan Europe and other countries using international ISDN standards In contrast the United States and the rest of North America use the U interface See also U interface Glossary 67 Glossary STP Shielded twisted pair A two pair wiring medium used in a variety of network implementations STP cable has a layer of shielded insulation to reduce electromagnetic interference See also twisted pair UTP structured query language See SQL stub area In OSPF an area into which no external routes are imported A stub area cannot contain autonomous system border routers and cannot be a transit area for virtual links Summary advertisements external to the area are by default imported into the stub area but might be squelched to further reduce area database size In this case the default route advertisement by the autonomous system border routers handle all routes external to the area subclass A class subordinate to another class known as a superclass that inherits some or all of the characteristics of the superclass Subclasses can also define their own methods and variables that are not contained in their superclasses See also cl
56. PortMaster is provided by two devices e L2TP access concentrator LAC an L2TP capable PPP access server that provides the physical connection usually a modem or ISDN port between the dial in user and the outsourcer an ISP or telephone company providing Internet service You can configure a PortMaster 3 as a LAC The primary function of a LAC is to transfer PPP frames from Layer 2 into Layer 3 and to forward those packets to a Layer 3 termination point The LAC is responsible for setting up the tunnel with information learned from the RADIUS server The LAC can also provide partial authentication through call check e L2TP network server LNS a PPP server with L2TP capabilities that is the end point of the L2TP session The LNS terminates the L2TP tunnel and the L2TP PPP sessions The LNS handles the actual authentication of the user via a RADIUS server and routes network traffic to and from the user The LNS does not support dial in dial out analog or ISDN connections However it can be configured for network hardwired and Ethernet connections You can configure a PortMaster 3 as an LNS An outsourcer can use L2TP to provide dial up access to a variety of clients usually businesses or organizations from a common physical dial up pool The dial up pool resides on a shared access server the LAC The dial up client maintains a home gateway the LNS and some type of IP connectivity to the outsourcer IP connectivity can take p
57. RFC 2153 LocationWizard Creates location entries for PortMaster products NetbootServer Interface to TFTP and BOOTP servers that can boot a PortMaster across a network or download a new ComOS version e pmd or in pmd the optional PortMaster daemon software that can be installed on UNIX hosts to allow the host to connect to printers or modems attached to a PortMaster The daemon also allows the PortMaster to multiplex incoming users onto the host using one TCP stream instead of multiple streams like rlogin The daemon is available for SunOS Solaris AIX HP UX and other platforms For installation and configuration instructions copy the PortMaster software to the UNIX host as described on the PortMaster Software CD package PortMaster Configuration Guide Preconfiguration Planning RADIUS The RADIUS server radiusd runs as a daemon on UNIX systems providing centralized authentication for dial in users The radiusd daemon is provided to customers in binary and source form for SunOS Solaris Solaris X8 6 AIX HP UX IRIX Alpha OSF 1 Linux and BSD OS platforms For installation and configuration instructions see the RADIUS for UNIX Administrator s Guide ChoiceNet ChoiceNet is a security technology invented by Lucent to provide a traffic filtering mechanism for networks using dial up remote access synchronous leased line or Ethernet connections When used with RADIUS ChoiceNet provides exceptional flexibility
58. Refer to the PortMaster Command Line Reference for more information Displaying the Routing Table 3 20 Use the following command to display the IP routing table entries Command show routes String Prefix NM You can replace String with ospf or bgp to display only OSPF or BGP routes Replacing Prefix NM with an IP address prefix and netmask displays only routes to that destination Enter the IP address prefix in dotted decimal format and the netmask as a number from 1 to 32 preceded by a slash for example 24 The netmask indicates the number of high order bits in the IP prefix To display the IPX routing table entries enter the following command Command show ipxroutes The routes appear in the following order 1 Default route 2 Host routes 3 Network routes 4 Expired routes that are no longer being advertised PortMaster Configuration Guide Setting Static Routes Setting Static Routes Static routes provide routing information unavailable from the Routing Information Protocol RIP Open Shortest Path First OSPF protocol or Border Gateway Protocol BGP RIP OSPF or BGP might not be running for one of the following two reasons e Network administrators choose not to run RIP OSPF or BGP e Hosts connected to the PortMaster do not support RIP OSPF or BGP Separate static routes tables are maintained for IP and for IPX which you display with the show routes and show ipxroutes commands You construc
59. SAP packets To disable the idle timer set the value to 0 To set the idle timer use the following command Command set W1 idletime Number minutes seconds Settings for Hardwired Connections The following settings can be used only when the synchronous port is configured for network hardwired connections Configuring a Synchronous WAN Port 6 7 Configuring WAN Port Settings 6 8 Setting the Transport Protocol The transport protocol for synchronous connections must be set for a network hardwired synchronous port Choose PPP for leased line switched 56Kbps and ISDN connections or Frame Relay for a Frame Relay connection Additional Frame Relay settings must be configured for Frame Relay connections described in Chapter 15 Using Frame Relay To set the transport protocol use the following command Command set W1 protocol ppp frame Setting the Port IP Address You can set the local IP address of the network hardwired synchronous port to create a numbered interface You can use any IP address If you set the local address of the WAN port to 0 0 0 0 for PPP the PortMaster uses the EtherO address for the end of the serial link If you set the WAN port address to 0 0 0 0 for a Frame Relay connection the port is disabled To set the IP address use the following command Command set Wl address Ipaddress Setting the Destination IP Address The destination IP address or hostname of the machine on the
60. Settings 3 7 Setting System Logging 3 8 To change the facility or priority of log messages use the following command Be sure to separate the Facility and Priority keywords with a period Command gt set syslog Logtype Facility Priority The facility and priority can be set for each of the five types of logged events listed in Table 3 2 Table 3 3 and Table 3 4 show the keywords used to identify facilities and priorities Lucent recommends that you use the auth facility or the localO through local7 facilities to receive syslog messages from PortMaster products but all the facilities are provided See your operating system documentation for information on configuring syslog on your host Table 3 3 syslog Facility Keywords Facility Facility Number Facility Facility Number kern 0 cron 15 user 1 localO 16 mail 2 locall 17 daemon 3 local2 18 auth 4 local3 19 syslog 5 local4 20 lpr 6 local5 21 news 7 local6 22 uucp 8 local7 23 Table 3 4 syslog Priority Keywords Priority Number Typically Used for emerg 0 System is unusable alert l Action must be taken immediately crit 2 Critical messages err 3 Error messages warning 4 Warning messages PortMaster Configuration Guide Setting Administrative Logins to Serial Ports Table 3 4 syslog Priority Keywords Continued Priority Number Typically Used for notice 5 Normal but significant messages info 6 Informational messages debu
61. TI expansion card 11 18 Frame Relay Annex D 15 3 15 6 burst speed 15 2 committed information rate 15 2 description 15 1 discarding frames 15 3 DLCI list 15 6 LMI 15 3 15 5 ordering service 15 3 port speed 15 2 PVC 15 2 subinterfaces 15 12 troubleshooting 15 11 troubleshooting subinterfaces 15 14 frame size setting with MTU 8 8 framing format 11 6 FTP filters 12 11 FXS loop start protocol 11 4 G gateways route for IP 3 21 route for IPX 3 22 setting the default 3 2 global parameters default gateway 3 2 default routing 3 3 PortMaster Configuration Guide Subject Index gateway for IP 3 21 gateway for IPX 3 22 host table 3 4 IP address assignment 3 9 name service 3 4 password 3 2 route destinations for IP 3 21 route destinations for IPX 3 22 static routes 3 21 subnet mask table 3 23 system logging 3 6 system name 3 2 Telnet 3 5 ticks 3 22 H hanging up a line 6 7 9 9 hardware flow control 5 4 9 2 9 8 hardwired connections 18 3 port configuration 18 6 tip for configuring 1 5 high speed dedicated connections 6 1 high water mark 8 11 8 12 hop count for IP and IPX gateway routes 3 2 in IP static route 3 21 host device configuration 5 12 5 14 host table 3 4 A 9 HOSTNAME port status 2 6 hostname resolution 3 5 hosts SNMP 3 19 hot swapping modems 11 14 I IDLE port status 2 6 idle timer asynchronous ports 6 7 dial out locations 8 10 disabling 7 4 users 7 4 in pmd 1 2 2
62. Table 17 2 Table 17 2 Ethernet Values Setting Command IPX network set ether0 ipxnet F3 IPX frame type set ether0 ipxframe ethernet 802 2 IP address set ether0 address 192 168 200 1 Netmask set ether netmask 255 255 255 0 17 4 PortMaster Configuration Guide Configuration Steps for an Office to Office Connection Table 17 2 Ethernet Values Continued Setting Command Broadcast address set ether0 broadcast high After you configure the Ethernet interface as shown in Table 17 2 enter the following command to save the configuration Command gt save all For more information on Ethernet settings refer to Chapter 4 Configuring the Ethernet Interface Configuring PCMCIA Serial Port Settings The PCMCIA modem port on the PortMaster Office Router is designated S1 Configure the port with the values shown in Table 17 3 You must install the PCMCIA modem to configure port S1 Table 17 3 PCMCIA S1 Port Values Setting Command Port type set sl network twoway Speed 1 set sl speed 1 115200 Speed 2 set sl speed 2 115200 Speed 3 set sl speed 3 115200 Modem control set sl cd on Hardware flow control set sl rts cts on Software flow control set sl xon xoff off Idle timer set sl idletime 5 Dial group set sl group Leave all the other settings at their default values Using Office to Office Connections 17 5 Configuration Steps for an Office to Office Connection 1
63. V 32bis modems fall back to the next lower speed when line quality is impaired and fall back further as necessary They fall forward to the next higher speed when line quality improves An ITU T standard for data transmission via modems that allows data rates as high as 28 8Kbps An ITU T standard for data transmission at 48Kbps over 60kHz to 108kHz group band circuits It includes the 35 pin V 35 connector specifications normally implemented on a modular RJ 45 connector An ITU T standard for data transmission via modems at 56Kbps The V 90 standard resolves the difference between two modem technologies X2 and K56flex Both technologies now conform to V 90 and most previously manufactured 56Kbps modems can support V 90 via a software upgrade See also K56flex PortMaster Configuration Guide Glossary V 110 An ITU T standard for performing asynchronous rate adaptation into ISDN over a 64Kbps line The PortMaster supports 9600bps and 19 200bps over this older standard that allows pre ISDN devices to be adapted for ISDN V 120 An ITU T standard for performing asynchronous rate adaptation into ISDN variable length subnet mask See VLSM virtual circuit A logical connection between two endpoints on a switched digital network Virtual circuits can be switched or permanent A switched virtual circuit SVC is used for an ordinary telephone call an ISDN connection or a V 25 switched 56Kbps connection A permanent virtual circuit PV
64. Works 2 This chapter summarizes PortMaster operation and capabilities so you can choose how to configure your system Consult the glossary for definitions of unfamiliar terms This chapter discusses the following topics e Booting the PortMaster on page 2 1 e PortMaster Initialization on page 2 3 On Demand Connections on page 2 4 e PortMaster Security Management on page 2 4 e Port Status and Configuration on page 2 5 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Booting the PortMaster When you start up the PortMaster it carries out the following functions during the booting process 1 Self diagnostics are performed The results are displayed to asynchronous console port CO or SO if the console DIP switch first from the left also known as DIP 1 is up 2 Com0OS is loaded Ifthe netboot DIP switch second from the left also known as DIP 2 is down the PortMaster boots from the ComOS stored in nonvolatile Flash RAM The PortMaster uncompresses and loads the ComOS into dynamic RAM DRAM If a valid ComOS is not found in nonvolatile RAM the PortMaster attempts to boot from the network as described in the next paragraph Ifthe netboot DIP switch is up or if a valid ComOS is not found in nonvolatile RAM the PortMaster sends a Reserve Address Resolution Protocol RARP message to the EtherO Ethernet interface to find its IP address If it g
65. a particular permanent virtual circuit PVC on a particular physical segment of the Frame Relay network As the frame is passed through each switch the DLCI is remapped automatically by the switch as necessary Dynamic link library A file containing executable routines generally performing a specific function or set of functions that is stored separately loaded into memory only when required and unloaded when space is needed for other applications A DLL conserves memory can be shared by other programs and can be modified without changes to the calling program or other DLLs Direct memory access Transfer of data from a peripheral device such as a hard disk drive into a computer memory without mediation by a microprocessor Dialed number identification service A caller identification service that provides you with the number that the caller dialed DNIS is typically a feature of 800 and 900 lines and is useful when calls from multiple 800 or 900 numbers are routed to the same destination This service is most often provided on TI lines by passing touch tone dual tone multifrequency DTMF or multifrequency MF digits and requires a T1 voice board Domain Name System The system used on the Internet for translating between network hostnames such as bigcompany com and IP addresses such as 192 168 224 20 PortMaster Configuration Guide domain name Glossary A name that identifies one or more IP addresses Domain names are u
66. ae ee ee ee Y es 5 4 Setting Databits x ope hae oo tab etotetatetitatelitetatitetehic 5 4 Setting Flow Control 0 0 cee eee 5 4 Setting the Dial Groups riir t eee res 5 5 Displaying Extended Port Information 0 cee eee eee 5 5 Setting the Login Prompt c ggcgs bebe Pave babe rege rerererererereeebe es 5 5 Setting the Login Message 1 llle selle 5 6 Setting an Optional Access Filter 2 6 eee 5 6 Set ng POICSecuBty 23 119 wa Vw Vn Wa ARAMA WOR BARN eect ee 5 6 Allowing Users to Connect Directly to a Host 2 0 000 eee 5 6 S ttiniga Port as the Console sist oe ee qu Ye ERR UGG RU CRT 5 7 Setting tbe Port Idle DB6eE 2 sh is ete oa Ea e dsl ci 5 7 Configuring a PortMaster for Login Users llle 5 8 S tting the POrt Types fa oa Bee eho beh Or Gg we ET E ird 5 9 Setting the Login Service ceee ceoosut beet pev D E PER SP A aii 5 9 Setting the Login Hosts ers 4 ESO URGE RU RE RE RR RES 5 11 Setting the Terminal Types 2 4 uda ed e ed dede dede dn Rede de de deb AEG 5 11 Configuring a Port for Access to Shared Devices lille lees 5 11 Setting the Device Service e soe etes ee e e e eet rite e te A e d ra 5 14 Vi PortMaster Configuration Guide Contents Configuring a Port for Network Access 0 0 cece eee eh 5 15 Network Dial In Only Access 0 0 cece eee eee eee 5 16 Network Dial Out Only Access 20 0 eee ees 5 17 Network Dial In and Out Two Way Access
67. and username password login By default PAP and CHAP are set to on Dial in users are asked to authenticate with PAP when PPP is detected If users refuse they are asked to authenticate with CHAP If you set PAP to off and CHAP to on dial in users are asked to authenticate with CHAP PAP authentication is neither requested nor accepted If you set both PAP and CHAP to off dial in users must authenticate with a username password login To set PAP authentication use the following command Command set pap on off To set CHAP authentication use the following command Command set chap on off PortMaster Configuration Guide Setting Call Check Authentication Setting Call Check Authentication You can enable services without authenticating the user at the point of entry on PortMaster products that support PRI or in band signaling To enable the call check feature in the ComOS you must first configure call check user entries on the RADIUS server To enable call checking on the PortMaster use the following command Command gt set call check on off Note The call check feature is off by default n l For more information about enabling RADIUS call checking see Overview of Call Check on page 14 7 and refer to the RADIUS for UNIX Administrator s Guide Setting the ISDN Switch You can configure the switch provisioning for ISDN PRI and BRI connections to PortMaster ISDN ports See Chapter 11 Configuring the
68. and Etherl on which you have NAT enabled as your global interface you must disable RIP broadcasts To disable RIP broadcasts on the global interface enter the following command to set RIP to listen only Command set etherl rip listen If you want no routing updates enter the following command Command set etherl rip off If you are using OSPF specify the private IP address range as quiet by entering the following command Command set ospf area 0 0 0 0 range 10 0 0 0 8 quiet Configuring NAT 13 29 NAT Security If you are using BGP you must ensure that you do not advertise private IP address blocks to the Internet Refer to the PortMaster Routing Guide for details Routing Global IP Addresses for NAT and Static Routing Because NAT is not designed to advertise routing the global IP addresses or networks used by NAT might require that you add static routes on the routers with which the PortMaster has an external peer relationship In particular when basic NAT assumes management of a pool of global addresses you must add a static route for the pool of addresses on the next hop router of the PortMaster For example if a PortMaster 3 is providing outsource NAT service for dial in networks and is using the 192 168 38 0 24 network subnetted for the numbered IP links the post NAT packets have 192 168 38 x as the source address Another router on the same segment as the PortMaster 3 must have a static route to return the res
69. and Stac LZS compression on PortMaster 3 and on leased lines on Office Router products or Van Jacobson compression only on other PortMaster products This is the default off Disables compression stac Enables Stac LZS data compression only Stac LZS compression is supported only on PortMaster 3 and leased lines on Office Router products vj Enables Van Jacobson TCP IP header compression only users must use the user table or RADIUS instead Dial out locations must use the Note This command is used only on network hardwired asynchronous ports Dial in her location table instead To display compression information about a connection enter the following command Command show SO Setting the PPP Asynchronous Map The PPP protocol supports the replacement of nonprinting ASCII characters found in the data stream These characters are not sent through the connection but are instead replaced by a special set of characters that the remote system interprets as the original 5 24 PortMaster Configuration Guide Connecting without TCP IP Support characters The PPP asynchronous map is a bit map of characters that are replaced The default PPP asynchronous map is 00000000 If the remote host requires a PPP asynchronous map the PortMaster accepts the request for the map Setting Input and Output Filters Input and output packet filters can be attached to a network hardwired port Filters allow you to monitor and restric
70. and the Host Table llle A 8 Managing Network Security 0 eee es A 9 RADIUS extort DL DL S GT aR aee aR ae NU NTE Ra N A 10 ChOICeNet i4 d RHET see PERRA A 10 B TCP and UDP Ports and Services Glossary Command Index Subject Index xix Contents XX PortMaster Configuration Guide About This Guide Audience The PortMaster Configuration Guide provides general information about networking and network configuration as well as specific information needed to configure PortMaster products Review this guide thoroughly before configuring your PortMaster This guide provides the settings required for the most commonly used PortMaster configurations For information about configuring the PortMaster 4 see the PortMaster 4 User Manual To use this guide you must have successfully installed your PortMaster according to the instructions provided in the relevant installation guide This guide provides configuration information only You can use either of two interfaces to configure the PortMaster Command line interface use this guide and the PortMaster Command Line Reference for more detailed command descriptions and instructions e PMVision graphical user interface GUI use this guide to help you understand how to configure a PortMaster and its features Consult the PMVision User s Guide and PMVision online help for instructions for using PMVision This guide assumes you are using the command line int
71. broadcasts nor listens for RIP information on this interface broadcast The PortMaster broadcasts RIP information on this interface listen The PortMaster listens for RIP information on this interface Refer to the PortMaster Routing Guide for OSPF and BGP configuration instructions Configuring Compression Compression can increase the performance of interactive TCP sessions over network hardwired asynchronous lines Lucent implements Van Jacobson TCP IP header compression and Stac LZS data compression Compression is on by default Compression cannot be used with multiline load balancing but can be used with Multilink PPP Compression must be enabled on both ends of the connection if you are using SLIP For PPP connections the PortMaster supports both bidirectional and unidirectional compression Refer to RFC 1144 for more information about header compression Configuring an Asynchronous Port 5 23 Configuring a Port for a Dedicated Connection The PortMaster supports Stac LZS data compression only for PPP connections with bidirectional compression Stac LZS data compression cannot be used for SLIP connections To configure compression use the following command Command gt set SO compression on stac vj off Table 5 4 describes the results of using each keyword Table 5 4 Keywords for Configuring Compression Keyword Description on Enables compression The PortMaster tries to negotiate both Van Jacobson
72. can be used to connect to synchronous leased lines from 9600bps to T1 1 544Mbps or El 2 048Mbps for continuous operation A channel service unit digital service unit CSU DSU must be attached to the WAN port on the PortMaster For more information see Chapter 21 Using Synchronous Leased Lines 6 1 Synchronous Port Uses 6 2 Routing over Frame Relay Frame Relay provides connectivity using a packet switched network Its two advantages over a leased line network are lower cost and the ability to have multiple permanent virtual circuits PVCs come into a single physical port It is especially popular for hub and spoke network arrangements For example a dozen field offices with 56Kbps or fractional T1 Frame Relay connections can connect to a central office using a fractional T1 or T1 Frame Relay connection The central office requires only one CSU DSU and synchronous port on the router instead of twelve For more information see Chapter 15 Using Frame Relay Routing over Switched 56Kbps Switched 56Kbps can be less expensive than Frame Relay in applications where short bursts of connectivity are required but dial up modems do not provide enough bandwidth V 25bis dialing is used to establish a link over a switched network and the link is brought down after a specified period with no traffic For more information see Chapter 16 Using Synchronous V 25bis Connections Routing over ISDN Integrated Services Digital Ne
73. change the setting to something other than the default This command sets the method for compressing and expanding or companding digitized audio signals To set the pulse code modulation use the following command Table 11 9 explains the pulse code modulation options Command set LineO pcm u law a law Table 11 9 Pulse Code Modulation Options Option Description Lineo LineO or Linel u law Default method for T1 PRI lines a law Default method for E1 PRI lines Configuring the PortMaster 3 11 7 Configuring ISDN PRI Settings Setting the Loopback You can test the telephone line of your T1 or El ISDN connection by setting the local network loopback To set the loopback use the following command Command set LineO loopback on off Setting the Directory Number Normally a T1 or El line has a single telephone number However when the line is set up as ISDN B channels you can set a telephone number for an individual port This feature allows you to identify the circuit telephone number associated with a specific ISDN port You configure a directory number when a TI line is configured for ISDN PRI If local exchange numbers are used however do not set a directory number because the PortMaster 3 will not respond with the correct telephone number to a second channel request If a local exchange is used and no directory is configured when a second channel is requested the PortMaster 3 uses the caller s
74. copy filters across PortMaster products and files See the FilterEditor online help for more information Overview of PortMaster Filtering Packet filters can increase security and decrease traffic on your network Filters can be used to limit certain kinds of internetwork communications by permitting or denying the passage of packets through network interfaces By creating appropriate filters you can control access to specific hosts networks and network services 12 1 Overview of PortMaster Filtering Security on your network can be enhanced by limiting authorized activities to certain hosts For example you can restrict the DNS and SMTP interchange with the Internet to a well secured host on your network All Internet hosts can then access only this single server for those services If you have several name servers or mail servers you can use additional rules to allow access to these servers You use Ethernet filters to constrain the types of packets allowed to pass through the local Ethernet port and you can set filters on asynchronous ports configured for hardwired operation when security with another network is an issue The packet filtering process analyzes the header information contained in each packet sent or received through a network interface The header information is evaluated against a set of rules that either allow the packet to pass through the interface or cause the packet to be discarded A maximum of 256 filter
75. data when the incoming data for an ISDN line is 128Kbps Figure 16 1 shows an example of an ISDN or switched 56Kbps connection Figure 16 1 Example of an ISDN or Switched 56Kbps Connection workstation 1 a O MMMM TT IRX Router IRX Router terminal adapter Boston workstation 2 workstation 3 workstation 1 workstation 2 16 2 Miami terminal adapter O IRX Router AILLMIALIHLNU ALLE IAL TRENT LLL TCE IRX Router workstation 3 11820007 11820007 PortMaster Configuration Guide Configuration Steps for a Synchronous V 25bis Connection Configuration Steps for a Synchronous V 25bis Connection This example connects a PortMaster located in Boston with a PortMaster located in Miami using a synchronous interface that is initiated on demand by an ISDN or switched 56Kbps connection To install your PortMaster follow the instructions in your hardware installation guide If you need additional help refer to the troubleshooting chapter of the installation guide The example in this chapter shows variables in italics Change these values to reflect your network Once you have assigned an IP address to the PortMaster continue with the following steps 1 Configure the following settings for the PortMaster in Boston a b C d e Global settings page 16 4 Ethern
76. device to identify it on a LAN Management Information Base See MIB management station master Glossary 42 A workstation or PC capable of retrieving and analyzing statistical information from networked Simple Network Management Protocol SNMP agents In Multichassis PPP the PortMaster through which an initial connection for a given user is made Every master also has a corresponding slave Masters are for a given connection only and a PortMaster that functions as a master for one user s connection can be a slave for a different user s connection See also slave PortMaster Configuration Guide Glossary maximum transmission unit Mb MB MBone Mbps MD5 See MTU Megabit s 1 048 576 bits or 1 024 kilobits Megabyte s 1 048 576 bytes Multicast backbone An experimental framework for developing and refining multicast protocols and applications on the Internet The MBone network within the Internet supports IP multicasting the two way transmission of data between multiple sites Multicasting sends files usually audio and video streams to multiple users at roughly the same time somewhat as radio and TV programs are broadcast over the airwaves Megabits per second A unit for measuring data rates Message digest algorithm 5 An iterative cryptographic hash function for message authentication Used in Simple Network Management Protocol SNMP v 2 for example MD5 verifies the integrity of the commu
77. e Are you using a name service Domain Name System DNS or Network Information Service NIS e Have you obtained a sufficient number of network addresses or do you want to use the network address translator NAT software e Are you running IP IPX or both Do you want to enable Simple Network Management Protocol SNMP for network monitoring e Do you want dial in only dial out only or two way communication on each port e What characteristics do you want to assign to the dial out locations e How do you want to configure dial in users Do you want to use RADIUS to authenticate dial in users or the internal user table on the PortMaster Do you want to use ChoiceNet to filter network traffic e Do you want to use the console port for administration functions or do you want to attach an external modem to the port e For dial in uses do you receive service on analog lines ISDN Basic Rate Interface BRI ISDN Primary Rate Interface PRI channelized TI or E1 e OnTlorEI lines using ISDN PRI do you want to implement non facility associated signaling NFAS to maximize bandwidth Many other decisions must be made during the configuration process This guide discusses the various configuration options and their implications 1 4 PortMaster Configuration Guide Configuration Tips Configuration Tips PortMaster configuration can be confusing because settings can be configured for a port a user or a remote l
78. each packet is queued on the port with the least amount of traffic in the queue Ports with very different speeds must not be combined for load balancing purposes The overall throughput for a given number of ports is approximately equal to the number of ports multiplied by the throughput of the slowest port Configuring Dial Out Connections 8 11 Setting Multiline Load Balancing 8 12 The following settings are used to configure load balancing and define when additional lines to this location are dialed Setting the Maximum Number of Dial Out Ports To configure load balancing you must define the number of dial out ports that can be used to dial and establish a connection with this location This setting creates a pool of ports that can be used at the same time to establish a connection with this location If the maximum number of ports is set to 0 no connection with this location is established If the maximum number of ports is set to any number greater than one the high water mark is used to determine when additional connections are established with this location When more than one line is open to a given location the PortMaster balances the load across each line When the ports are idle for the time specified by the set location idletime command see Setting the Idle Timer on page 8 10 all ports used for that connection are timed out simultaneously To set the maximum number of dial out ports for a location use the f
79. her identity is authenticated and session is authorized by RADIUS Remote access outsourcing The practice whereby one service provider or enterprise known as an outsourcer purchases remote access services from another service provider or wholesaler The wholesaler physically terminates the dial up access lines telephone ISDN digital subscriber line DSL or other circuits of one or more outsourcers and provides each outsourcer with a private dial up network The outsourcer is the end point for a session The wholesaler can maintain the remote access equipment on the outsourcer s premises or can integrate the equipment into its own network and often provides the outsourcer with tools for viewing resources The wholesaler s equipment can be statically partitioned among outsourcers or can dynamically allocate its ports to outsourcers as needed RAO is also known as wholesaling Reverse Address Resolution Protocol A protocol used in network routers that provides a method for finding IP addresses based on media access control MAC addresses Compare ARP See remote access server See RBOC Regional Bell operating company One of the seven regional telephone companies created by the breakup of AT amp T in 1984 Each owns two or more local telephone companies called Bell operating companies BOCs RBOCs are also known as Baby Bells or regional Bell holding companies RBHCs and more generally as local exchange carriers LECs See
80. idle 10 15 10 19 16 7 16 11 17 7 17 11 18 7 set location idletime 8 10 set location ifilter 8 13 18 7 set location ipxnet 8 6 10 15 10 19 16 6 16 11 17 7 17 11 set location manual 8 5 10 14 10 19 16 6 16 11 17 7 17 11 18 7 set location map 8 11 set location maxports 8 12 10 15 10 19 16 7 17 7 17 11 17 15 18 8 set location mtu 8 8 10 15 10 19 16 6 16 11 17 7 17 11 18 7 set location multilink 10 7 set location nat inmap 13 13 set location nat outmap 13 6 13 12 set location netmask 8 6 10 14 10 19 15 15 16 6 16 11 17 7 17 11 18 7 set location ofilter 8 13 18 7 set location on_demand 8 4 10 20 16 12 17 12 set location password 8 5 10 9 10 15 10 19 16 7 16 11 17 7 17 11 17 15 18 8 18 11 set location protocol 8 5 10 14 10 19 15 15 17 7 17 11 18 7 set location protocol ppp 16 6 16 11 set location rip 8 7 10 15 10 19 15 15 16 6 16 11 17 7 17 11 18 7 set location subinterface 15 13 set location telephone 8 5 10 9 10 15 10 19 16 7 16 11 17 7 17 11 17 15 18 7 18 11 set location username 8 5 10 9 10 15 10 19 16 7 16 11 17 7 17 11 17 15 18 7 18 11 set location voice 8 10 10 8 set loghost 3 6 19 5 set MO 11 13 set MO lastcall 11 14 set map ipaddr 13 14 13 15 set map addressmap 13 5 13 7 13 11 set map blank 13 14 set map staticaddressmap 13 5 13 9 13 11 set map static tcp udp portmap 13 5 13 13 set maximum pmconsole 3 6
81. ifilter 6 11 set W1 ipxnet 6 9 set W1 Imi 15 6 set W1 nat inmap 13 6 set W1 nat outmap 13 6 set W1 netmask 6 9 15 9 15 10 16 9 set WI network 6 4 15 9 15 10 16 5 16 9 set W1 ofilter 6 11 set W1 protocol 6 8 15 9 15 10 16 9 set W1 rip 6 10 15 9 15 10 set W1 speed 6 5 show arp 15 14 show filter 12 8 show ipxroutes 3 20 show 12tp 14 13 show Line 11 11 show LineO 11 2 11 16 show location 15 13 show MO 11 14 show map 13 15 show mcppp 11 20 show modem 9 3 show modems 11 15 14 14 PortMaster Configuration Guide Command Index show nfas 11 11 show nfas history 11 11 11 12 show PO 2 5 show routes 3 20 show SO 2 5 10 9 show syslog 3 9 show table filter 12 8 show table location 8 2 show table modem 9 2 show table user 7 2 show user 7 2 show W1 2 5 Command Index 5 Command Index Command Index 6 PortMaster Configuration Guide Subject Index A access filters creating 12 1 12 5 restricting user access to hosts 7 11 address pools creating 3 9 example 19 4 size 3 9 addresses See IP addresses IPX addresses administrative logins enabling and disabling 3 9 analog modems enabling on PortMaster 3 11 14 Annex D defined 15 3 keepalives 15 6 use with DLCI 15 11 using to discover Frame Relay addresses 6 8 asynchronous character map defined 8 11 network user 7 7 asynchronous ports access filters 5 6 databits 5 4 destination IP address 5 22 destination netma
82. initial call Call check can also be used to limit the number of active calls on a given number The call check feature supports virtual points of presence POPs by allowing for redirection of calls For example you can set up two telephone numbers one that is accepted and one that is redirected If a customer calls the first number the customer is authenticated normally if a customer calls the second number the call is accepted but forwarded through an L2TP session to an LNS for complete authentication of the user Call check is available for the PortMaster 3 in ComOS 3 9 and later Enabling Call Check on a PortMaster The call check feature is off by default To enable or disable the call check feature use the following command Command gt set call check on off How Call Check Works When call check is enabled the PortMaster sends a RADIUS access request message for all incoming calls before accepting calls containing the Calling Station Id and Caller Station Id check items The PortMaster expects to receive one of the following replies from the RADIUS server e RADIUS access accept message with attributes to accept the call and provide the indicated service such as connecting the user via an L2TP session to a given LNS e RADIUS access accept message with no attributes to accept the call and perform the usual RADIUS authentication e RADIUS access reject message to reject the call When you enable call check the show glob
83. inmap isp in By adding these two rules to isp in you ensure that all inbound FIP sessions to 192 168 2 22 are translated to the FIP port at 10 4 2 9 and all inbound HTTP sessions to 192 168 2 22 are translated to the HTTP port at 10 4 2 17 These examples statically map a global address to a specific port on a private address See Configuring Static Address Pools for Inbound NAT on page 13 8 for a discussion of static address to address mapping for inbound sessions Configuring NAT 13 13 NAT Maps Note Because ComOS interprets map rules in numerical order for best performance assign the lowest numbers to the most commonly used rules See Modifying and Deleting Maps on page 13 14 for a guidelines on working with rules Modifying and Deleting Maps You can use the set map command to remove the contents of a map or to remove a rule you no longer want For example to remove the contents of a NAT map enter the following command Command gt set map Mapname blank You can then use the set map command to modify the map Suppose you have a map called trustworthy with the following two rules Command gt show map trustworthy 1 addrmap 172 16 0 0 12 ipaddr 2 addrmap 10 0 0 0 8 ipaddr To remove rule 1 from NAT map trustworthy enter the following command Command gt set map trustworthy 1 NAT Map trustworthy has rule 1 Removed You can enter the following command to verify that the rule has been removed Command gt show map trus
84. internal to external confederation member autonomous system console port See CMAS A serial port on a PortMaster attached to a terminal or PC through which you enter commands to communicate with ComOS Consultative Committee for International Telegraph and Telephone cookie See CCITT A small data file written to your hard drive by some websites when you view them in your browser These data files contain information the site can use to track such things as passwords lists of pages you have visited and the date when you last looked at a certain page Cookies maintain continuity in a series of requests and responses to the website Glossary 15 Glossary cost CPE CRC CRC error CSU An arbitrary value assigned by a network administrator and used to compare paths through an internetwork environment Cost is normally based on hop count media bandwidth or other measures Routing protocols use cost values to determine the best lowest cost path to a particular destination Customer premises equipment Any hardware or software installed at a customer s site such as routers access servers communications servers terminal adapters or modems to enable communications with the public switched telephone network PSTN Maintenance of this equipment is primarily the responsibility of the customer rather than the responsibility of the local and or long distance carrier Cyclic redundancy check An error detectio
85. is given a unique number on each physical circuit along the path between the two devices This unique number is called a data link connection identifier DLCI The DLCI is automatically changed to the PVC number of the next physical circuit as it passes through each switch along the path A DLCI is different from a network address because it identifies a circuit in both directions not a particular end point A frame contains only one DLCI not a source and destination In general the only DLCI numbers you see are those numbers assigned to the physical circuits on the perimeter of the Frame Relay cloud Line Speed The physical circuit between point A and the network must be ordered with a certain line speed This speed is the physical maximum bandwidth for your connection to the Frame Relay network Expansion beyond this limit is not possible without a hardware change and a new circuit installation Port Speed The connection into the telecommunications provider s Frame Relay network must be ordered at a particular port speed which is the maximum bandwidth rate that the telecommunications provider accepts from your connection This number must be less than or equal to the line speed This speed is the maximum rate at which you can transmit data to any of your PVCs under any circumstances The port speed differs from line speed only in that it can be upgraded through software without a circuit installation or hardware change CIR and Burst
86. lineO nfas sla Command set lineO nfas sla Command set lineO nfas sla Command set lineO nfas sla 40 O01 43 C9 Q1 O1 oo O1 Configure the remaining PortMaster 3s according to this scheme Use the save all command to save the configuration and reboot each PortMaster Using True Digital Modems Use the following settings to configure the built in digital modems on the PortMaster 3 Setting Digital Modems The digital modems are numbered from MO to m59 for a maximum of 60 modems Modem slot 0 is allocated numbers MO through M9 modem slot 1 is allocated numbers M10 through M19 and so on Whether 8 port or 10 port modem cards are installed the allocation of numbers to the modem slots does not change For example an 8 modem card installed in modem slot 0 has modems numbered MO through M7 Modems on an 8 modem card installed in modem slot 1 are numbered M10 through M17 To make the digital modems available or unavailable use the following command Table 11 11 explains the digital modem options Command set MO on off Table 11 11 Digital Modem Options Option Description MO Any modem number from MO to M59 Changes to the default setting must be made to individual modems on Makes the modem available for use This is the default off Busies the modem so it is unavailable Note Digital modems do not require any configuration or initialization string Configuring the PortMaster 3 11 13 Using True Di
87. local host table The PortMaster always checks the local host table before using DNS or NIS For information on setting the NIS or DNS name service refer to Setting the Name Service on page 3 4 Setting the Name Service The PortMaster can work with network name services such as the Network Information Service NIS or the Domain Name System DNS Appendix A Networking Concepts describes these name services You must explicitly identify any name service used on your network The PortMaster stores all information by address rather than name As a result configuring the name server is useful only if you are using the command line interface for administration or if you prompt a login user for a host If you are not using either of these features you do not need to set the name service To set the name service use the following command Command set namesvc dns nis Once the name service is set you must set the address of your NIS or DNS name server and enter the domain name of your network See Setting the Name Server on page 3 5 for instructions PortMaster Configuration Guide Setting the Telnet Port Setting the Name Server The PortMaster supports RFC 1877 which allows remote hosts also supporting RFC 1877 to learn a name server through PPP negotiation You must provide the IP address of the name server if you use a name service You must set a name service before you set a name server See Setting the Name Servic
88. of the Ethernet interface you must reboot the PortMaster for the change to take effect Configuring the Ethernet Interface 4 3 Setting IP Parameters 4 4 Setting the Subnet Mask The default subnet mask is 255 255 255 0 If you have divided your network into subnets enter the subnet mask that identifies how your network addresses are divided between the network portion and the host portion To set the subnet mask use the following command Command set Fther0 netmask Ipmask See Appendix A Networking Concepts for more information about using subnet masks Setting the Broadcast Address You can define the IP address used as the local broadcast address The RIP routing protocol uses this address to send information to other hosts on the local Ethernet network The actual broadcast address is constructed from the IP address of the Ethernet interface and the netmask The two valid values are high where the host part of the address is all 1s such as 192 168 1 255 or low where the host part of the address is all Os such as 192 168 1 0 The PortMaster default is low The standard for hosts is to broadcast high but some hosts still use the low broadcast address including hosts running SunOS 4 x Solaris 1 x and earlier The broadcast address you set for the Ethernet interface on the PortMaster must match the broadcast address set for other hosts on your local Ethernet segment To set the broadcast address use the fol
89. of time this interface has been up or down Estimate of the current receive signal level in decibels of the interface Total number of blue alarms on the interface Total number of yellow alarms on the interface Total number of times the interface has lost the carrier signal PortMaster Configuration Guide Configuring SNMP Table3 7 T1 E1 Interfaces Table Continued Object Definition SyncLoss Total number of times the interface has lost frame synchronizations BipolarErrors Total number of frame level CRC errors detected on the interface CRCErrors Total number of frame level CRC errors detected on the interface SyncErrors Total number of frame synchronization errors detected on the interface PortMaster Modem Table Table 3 8 lists the objects in the modem table from the Livingston Extensions section of the MIB Modem objects are supported only on the PortMaster 3 Table 3 8 Modem Table Object Type Definition livingstonModemIndex Unique value for each modem interface livingstonModemPortName livingstonModemStatus livingstonModemProtocol livingstonModemCompression livingstonModemInSpeed livingstonModemOutSpeed livingstonModemInByteCount livingstonModemOutByteCount Textual string containing the name of the serial interface for example SO S1 and so on Current state of the modem Error correcting protocol being used in the modem Compression being used in the modem int
90. or dynamic address pools If your environment is a small office home office SOHO with a simple Internet service provider ISP dial up account or you require no more than a default NAPT map for outbound sessions refer to the section Quick Setup of Outbound NAPT on page 13 32 See also NAT and NAPT Examples on page 13 31 To configure NAT you must first create a NAT map Although Lucent recommends the sequence in this section the rest of the NAT configuration can be done in any order Perform the following tasks to set up network address translation on your PortMaster l Create a NAT map Use the following command to create a NAT map Command add map Mapname 2 Specify the address map as static or dynamic and enter an address range a Use the following command to specify a map type and address range Command set map Mapname addressmap staticaddressmap Ipaddrxfrom Ipaddrxto See NAT Addressing on page 13 6 and NAT Maps on page 13 9 for a discussion of these topics b For static address maps that use a TCU UDP port or port range use the following command Command set map Mapname static tcp udp portmap c See Using TCP UDP Maps on page 13 18 for details Refer to Modifying and Deleting Maps on page 13 14 as needed 13 5 NAT Addressing Save the map Use the following command to save the map Command gt save map Specify the direction of an address map and associate it with an interface user or l
91. ospf 4 8 set EtherO rip 3 25 4 1 10 12 10 16 15 10 16 4 16 8 19 6 21 4 21 6 set filter 12 6 Command Index 2 set filter icmp 12 6 set filter tcp 12 7 set filter udp 12 7 set gateway 3 3 3 25 10 11 10 16 15 8 16 4 16 8 17 4 18 4 19 5 21 4 21 6 set host 19 5 20 4 set ipxfilter 12 8 set ipxgateway 3 23 set isdn msn 10 8 set isdn switch 10 5 10 11 10 16 11 5 set I2tp 14 4 set I2tp authenticate remote 14 6 set I2tp choose random tunnel endpoint 14 5 set I2tp enable lac 14 4 set I2tp enable Ins 14 5 set I2tp lac disable 14 5 set I2tp secret 14 6 set LineO 11 12 set LineO el 11 2 set LineO encoding 11 7 11 16 set LineO fractional 11 2 set LineO framing 11 6 11 16 set LineO group 11 3 set LineO group channels 11 3 set LineO inband 11 2 11 16 set LineO isdn 11 2 set LineO loopback 11 8 set LineO nfas 11 11 set LineO pcm 11 7 set LineO signaling 11 4 11 16 set LineO t1 11 2 set line2 clock 11 17 set line2 fractional 11 18 set location address 15 15 set location analog 11 14 set location chap 8 11 set location compression 8 9 17 7 17 11 18 7 set location continuous 8 4 18 8 set location destination 8 6 10 14 10 19 16 6 16 11 17 7 17 11 18 7 set location group 8 8 10 15 10 19 15 15 16 7 16 11 17 7 17 11 18 7 PortMaster Configuration Guide Command Index set location high_water 8 13 10 15 10 19 16 7 17 7 17 11 17 15 18 7 set location
92. other end of the connection is used for leased line connections only The destination IP address can also be set to 255 255 255 255 for PPP users This setting allows the PortMaster to learn the IP address of the system on the other end of the connection using PPP IPCP address negotiation Do not set a destination IP address for Frame Relay connections Instead use the data link connection identifier DLCI list to link IP addresses to DLCIs or use LMI or Annex D and Inverse ARP to discover Frame Relay addresses dynamically See Chapter 15 Using Frame Relay for more information For network dial in or dial out connections do not set a destination IP address for the port Instead you set the destination address in the user table or RADIUS for dial in or in the location table for dial out See Chapter 7 Configuring Dial In Users and Chapter 8 Configuring Dial Out Connections for more information PortMaster Configuration Guide Configuring WAN Port Settings To set the destination IP address for a leased line connection only use the following command Command set W1 destination Ipaddress Ipmask Setting the Subnet Mask The default subnet mask is 255 255 255 0 If you have divided your network into subnets enter the subnet mask that identifies how your network addresses are divided between the network portion and the host portion The value of Ipmask is dependent upon the size of the IP subnet of which the IP addres
93. override 5 3 set all rts cts 5 4 19 7 set all security 19 7 set all speed 5 4 9 7 19 7 set all termtype 5 9 5 11 set all xon xoff 5 4 set alternate 19 8 set assigned 19 5 set assigned address 3 9 Command Index 1 Command Index set authentic 19 8 set call check 3 27 14 7 set chap 3 26 set compression 6 11 set console 3 6 5 7 10 20 10 21 10 22 11 21 15 12 15 14 16 12 16 13 17 12 18 8 19 10 21 8 set debug 10 20 10 22 15 12 15 14 16 12 16 13 17 12 18 8 19 10 21 8 set debug isdn 10 5 10 20 10 21 16 12 set debug I2tp 14 13 set debug mcppp 11 21 set debug mcppp event 11 21 set debug mdp events 11 21 set debug mdp status 11 21 set debug nfas 11 12 set debug off 11 21 set default 3 3 10 16 16 8 19 5 set domain 3 5 19 5 set endpoint 11 20 set EtherO address 3 25 4 3 10 12 10 16 15 8 15 10 16 4 16 8 17 4 17 8 18 5 19 6 20 5 21 4 21 6 set EtherO broadcast 4 4 10 12 10 16 15 10 16 4 16 8 17 5 17 8 18 5 19 6 20 5 21 4 21 6 set EtherO ifilter 4 3 set EtherO ip 4 5 set EtherO ipx 4 6 10 12 10 16 16 4 16 8 set EtherO ipxframe 4 6 10 12 10 16 16 4 16 8 17 4 17 8 21 4 21 6 set EtherO ipxnet 4 5 10 12 10 16 16 4 16 8 17 4 17 8 21 4 21 6 set EtherO nat inmap 13 6 set EtherO nat outmap 13 6 set EtherO netmask 4 4 10 12 10 16 15 8 15 10 16 4 16 8 17 4 17 8 18 5 19 6 20 5 21 4 21 6 set EtherO ofilter 4 3 set EtherO
94. products automatically send and accept route information as RIP messages To configure RIP routing use the following command Command set Ether0 rip on broadcast listen off 4 1 Setting General Ethernet Parameters 4 2 Note ComOS releases earlier than ComOS 3 5 use the keyword routing instead of the rip keyword Table 4 1 describes the results of using each keyword Table 4 1 Keywords for Configuring RIP Routing Keyword Description on The PortMaster broadcasts and listens for RIP information from other routers on the local Ethernet This is the default off The PortMaster neither broadcasts nor listens for RIP information from the local Ethernet broadcast The PortMaster broadcasts RIP information to the local Ethernet listen The PortMaster listens for RIP information from the local Ethernet See the PortMaster Routing Guide for OSPF and BGP routing configuration instructions Applying Filters Filters enable you to control network traffic After you have created filters in the filter table you can apply them to the Ethernet interface as either input or output filters For more information about filters see Chapter 12 Configuring Filters Filters applied to the Ethernet interface take effect immediately If you change the filter the change will not take effect until you set the filter on the interface again or reboot the PortMaster Input Filters When an input filter is used a
95. serial interface distinguished according to the physical or link protocol s currently being used on the interface User Name of the active user Blank if not active SessionId Unique session identifier that matches the RADIUS session ID Type Active type of service being provided by the serial interface Direction Direction in which the active session was initiated PortMaster Configuration Guide Configuring SNMP Table 3 6 Serial Interfaces Table Continued Object Definition PortStatus Status of the serial interface Started Amount of time this session has been active Idle Amount of time this session has been idle InSpeed Estimate of the current inbound bandwidth in bits per second of the serial interface OutSpeed Estimate of the current outbound bandwidth in bits per second of the serial interface ModemName Text string containing the name of the digital modem in use PortMaster 3 only IpAddress ifDescr InOctets OutOctets QOctets ModemStatus ModemConppression Port Master 3 only ModemProtocol PortMaster 3 only ModemRetrains PortMaster 3 only ModemRenegotiates PortMaster 3 only by the serial interface IP address associated with the serial interface When characterizing a network port this value is the IP address of the remote user When characterizing a device or login port this value is the IP address of the host to which the user is connected Text string cont
96. set sl speed 2 115200 Speed 3 set sl speed 3 115200 set 51 cd on set 5 rts cts on set s1 xon xoff off set sl group 1 Using Internet Connections 18 5 Configuration Steps for an Internet Connection Leave all other settings at their default values After configuring the serial port enter the following commands to reset the port and save the configuration Command reset s1 Command save all For more information about configuring asynchronous ports refer to Chapter 5 Configuring an Asynchronous Port Refer also to Chapter 9 Using Modems Serial Port Settings for a Hardwired Connection To establish a hardwired connection on a serial port configure the port with the values shown in Table 18 4 Table 18 4 Serial Port Values for a Hardwired Port Modem control Hardware flow control Software flow control IP destination Netmask RIP routing Compression Setting Command Port type set s network hardwired Protocol set sl protocol ppp MTU set sl mtu 1500 Speed 1 set sl speed 1 115200 set 5 cd on set s rts cts on set s xon xoff off set s destination 192 168 5 6 set s netmask 255 255 255 0 set s rip off set sl compression on Leave all other settings at their default values After configuring the serial port enter the following commands to reset the port and save the configuration Command reset s1 Command save all 18 6 PortMaster Configuration Guid
97. shown in Table 20 1 Table 20 1 Global Value Setting Command Default host set host 192 168 200 2 This is the user s workstation If you want to use the other ports for another host use the set SO host command to set ports S2 and S9 to 192 168 200 2 PortMaster Configuration Guide Configuration Steps for Shared Device Access After you configure global settings as shown in Table 20 1 enter the following command to save the configuration Command gt save all Configuring Port Settings You must configure settings for your Ethernet interface dial in and out two way port and printer port You can connect the printer to either a serial port or a parallel port Ethernet Interface Settings Configure the Ethernet interface to the values shown in Table 20 2 Table 20 2 Ethernet Values Setting Command IP address set ether0 address 192 168 200 1 Netmask set ether netmask 255 255 255 0 Broadcast address set ether0 broadcast high After you configure the Ethernet interface as shown in Table 20 2 enter the following command to save the configuration Command save all For more information on Ethernet settings refer to Chapter 4 Configuring the Ethernet Interface Two Way Serial Port S2 Settings In the example the workstation user wants to dial in to port S2 sometimes and use the tip command dial out through the modem connected to port S2 at other times Configure the S
98. specify the optional stats keyword only the statistics are reset Entering this command with no keyword closes all open PPP sessions and resets all L2TP tunnels Troubleshooting L2TP Use the following command to display L2TP information Command set debug 12tp max packets Bytes setup stats on off PPP Tracing Use the set debug 0x51 command for PPP tracing on the LNS If you are not using the call check feature this command also works normally on the LAC Modem Connections You can view the Tx transmit speed of the connection on both the LAC and LNS and extended connection information such as Rx receive speed retrained changed speeds and any changes due to modem renegotiations on the LAC only Configuring L2TP 14 13 Troubleshooting L2TP To view the connect speed on the LNS and display the speed and other information about the LAC use the following command Command show modems Accounting for Firewalls between a LAC and an LNS L2TP operates entirely over the User Datagram Protocol UDP on destination port 1701 The source port is determined by the PortMaster and is based on available ports with values greater than 1024 Keep this in mind when defining filter rules if you have a firewall between your LAC and LNS 14 14 PortMaster Configuration Guide Using Frame Relay 15 Frame Relay is a method of encapsulating network information that allows for fast delivery and high line utilization PortMaster router
99. speed appropriate to your application and a CIR that is high enough to provide minimally acceptable performance for your application In most cases ordering according to these criteria provides service that is close to your port speed The CIR is a guaranteed minimum throughput not a maximum limit Port speed is the maximum limit LMI Types The following Frame Relay terms relate to network management The Frame Relay specification supports automatic network status updates which are exchanged between adjacent devices in the Frame Relay network These status updates are known as the Local Management Interface LMI Two forms of LMI are available in the PortMaster Cisco Stratacom LMI which is commonly referred to as LMI and ANSI T1 617 Annex D LMI which is commonly referred to as Annex D Generally your telecommunications provider offers three LMI options for your physical circuit LMI Annex D or none Because LMI exists only between your router and the switch to which your physical circuit connects it does not need to match what the remote ends of your PVCs are using However your circuit LMI must match the configuration on your PortMaster Generally Annex D is recommended because it is a more feature rich and robust version of LMI Using Frame Relay 15 3 Frame Relay Configuration on the PortMaster Frame Relay Configuration on the PortMaster 15 4 You configure Frame Relay by selecting the Frame Relay protocol setting th
100. subl group 1 Command set wl group 1 The rest of the location table entries are set as described in Chapter 8 Configuring Dial Out Connections including setting an IP address routing and filtering for each interface Creating a DLCI Entry The next step in configuring the subinterfaces is to create an entry in the DLCI table Entries can be followed with an optional IP address or hostname The keyword ipxdlci is available for IPX networks To create a DLCI table entry for the subinterface subl enter the following commands Command add ipdlci subl 16 Command add ipdlci subl 19 192 168 2 19 Command add ipdlci subl 20 192 168 2 20 Command add ipxdlci subl 21 0e0a001e To remove an entry enter the following commands Command delete dlci subl Command delete ipxdlci subl 21 Displaying DLCI Entries DLCI entries that are added or deleted are linked to the location table Use the show location Locname command to display the DLCI entries Using Frame Relay 15 13 Frame Relay Subinterfaces Troubleshooting Subinterfaces Packets received on a subinterface can be identified as belonging to that subinterface only if the DLCI is properly entered in the DLCI table for that location If you are having problems do the following 15 14 Wait a few moments Subinterfaces come up after the primary interface This process can take a few moments Check the list of DLCIs tied to each location using the show location
101. termination errors resulting from plugging and unplugging cables If your error counters are nonzero the problem is external to the PortMaster e Verify that you are using the correct cables and that they are attached securely to the correct port e Verify that the ISDN status LED is solidly lit otherwise refer to the hardware installation guide for more information This LED indicates connectivity to the ISDN switch e Verify your configuration as described in this chapter e Contact your carrier to review the ISDN switch type SPIDs and the status of their line 10 21 Troubleshooting an ISDN BRI Connection e To view the PPP negotiation enter the following commands Command gt set console Command gt set debug 0x51 For more information about the interpreting the results of the debug command refer to the PortMaster Troubleshooting Guide After you verify that the PPP negotiation is correct enter the following commands to turn off the debug utility Command gt set debug off Command gt reset console Interpreting ISDN BRI Port Status Table 10 13 describes how to interpret the output of the show 10 command for ISDN BRI ports Table 10 13 ISDN BRI Port Status Port Status Modem Status Description NO SERVICE DCD CTS TELCO NTI No SPID is set NO SERVICE DCD CTS TELCO NTI Port has either no cable or no circuit connecting it to the telephone company NO SERVICE DCD CTS TELCO NT1 Cable and I
102. that location specific settings are configured correctly This keyword also resets some debugging values previously set with set debug When your location is configured correctly change the connection type from manual to automatic or on demand To test your configuration use the following command Command dial Locname x 8 14 PortMaster Configuration Guide Using Modems 9 This chapter explains how to configure external modems to work with PortMaster products For information on using the internal digital modems with the PortMaster 3 see Chapter 11 Configuring the PortMaster 3 This chapter discusses the following topics e Null Modem Cable and Signals on page 9 1 e Modem Functions on page 9 2 e Using Automatic Modem Configuration on page 9 2 e Configuring Ports for Modem Use on page 9 6 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Because the PortMaster is a DTE device a straight through RS 232 cable is used to connect modems to it Straight through cables for modems use pins 2 3 4 5 6 7 8 and 20 Null Modem Cable and Signals Ports SO through S29 are asynchronous data terminal equipment DTE ports with female RS 232 connectors To connect these ports to a terminal or other DTE use a null modem cable typically male to female Directions input output are with respect to the PortMaster The PortMaster does not use the Data Set Read
103. the LAC which initiates an L2TP tunnel on the user s behalf to an LNS at IP address 192 168 1 55 sara Password apassword Tunnel Type L2TP Tunnel Medium Type IP Tunnel Server Endpoint 192 168 1 55 PortMaster Configuration Guide Configuring L2TP on the RADIUS Server Configuring Redundant Tunnel Server End Points To ensure continuous L2TP service in the event that the LNS fails you can configure user profiles to contain redundant tunnel server end points In this way if the primary LNS goes down inbound L2TP tunnels are redirected to alternative LNSs You can configure up to three redundant tunnel server end points in a user profile The following sample RADIUS user profile uses redundant tunnel server end points Each tunnel server end point is preceded by the Tunnel Medium Type for that tunnel DEFAULT Service Type Call Check Called Station Id 5551234 Service Type Framed User Framed Protocol PPP Tunnel Type L2TP Tunnel Medium Type IP Tunnel Server Endpoint 192 168 11 2 Tunnel Medium Type IP Tunnel Server Endpoint 192 168 11 17 Tunnel Medium Type IP Tunnel Server Endpoint 192 168 230 97 Acceptance of a tunnel server end point is based on whether the host is running L2TP However if the machine designated as the tunnel server end point is configured as a LAC instead of an LNS the session fails Note This feature provides redundant backup not load balancing See
104. the login host for the user is not permitted by the access filter the PortMaster refuses service with an Access Denied message If the access override parameter is set on the port the PortMaster instructs the user to authenticate himself even though the default access filter is set to deny access Refer to the RADIUS for UNIX Administrator s Guide for more information about RADIUS See Chapter 14 Configuring L2TP for additional security features Port Status and Configuration Use the following command to display the current status active configuration and default configuration of each port Command show SO S10 W1 pO Table 2 2 describes each possible status Refer to the PortMaster Troubleshooting Guide for verification information How the PortMaster Works 2 5 Port Status and Configuration 2 6 Table 2 2 PortMaster Port Status Status Description IDLE USERNAME HOSTNAME PASSWORD CONNECTING ESTABLISHED DISCONNECTING INITIALIZING COMMAND NO SERVICE The port is not in use The data carrier detect DCD signal has been asserted and observed on the port On older PortMaster expansion cards ports S10 through 29 and system cards ports SO through S9 DCD floats high when nothing is attached to the port On newer cards in two way and device environments DCD is high when the device is busy When terminals are attached to the device port and modem control is set
105. the modem table enter Command add modem para3811 Paradyne 3811 115200 AT amp FSO 18WNr OK Note Use a r for a carriage return and a caret to separate the send and expect characters in the string In the example above the PortMaster expects OK Never use on or off for a modem short name 9 3 Using Automatic Modem Configuration Table 9 1 shows the current factory default settings for commonly used modems Table 9 1 Factory Default Modem Table Entries Modem Name Modem Name DTE Short Long Rate Initialization String at amp t v32 AT amp T Keep In 57600 ATSF amp D3 amp T5 amp RO D1S0 15W OK Touch cardinal Cardinal 115200 AT amp F1 amp C1 amp D2 amp K3S0 1S82 129S10 20 amp 6W0 amp MVP288XF wil card v34 p Cardinal 115200 AT amp F amp C1 amp D3S0 1s2 129S10 205W MVP288CC PCMCIA eiger v32 p Eiger 14 4 PCMCIA 57600 AT amp F amp C1 amp D3S0 1S10 20 amp W eiger v34 p Eiger 28 8 PCMCIA 115200 AT amp F amp C1 amp D3S0 1S10 20 amp W gvc 14 4 GVC Maxtech V 32 57600 AT amp F amp C1 amp D3S0 1S10 20 amp W0 gvc 28 8 GVC Maxtech V 34 115200 AT amp F amp C1 amp D3S0 1S10 20 amp W0 hay cent2 Hayes Century 2 115200 AT amp F amp C1 amp D2 amp K3S0 1S10 20 amp W0 Rack V 32bis intel v32 p Intel V 32bis 115200 AT amp F amp C1 amp D3S0 1EWEW14 rOK PCMCIA megahz v32 p Megahertz XJ2288 115200 ATSF amp C1 amp D3S0 1EW V 34bis PCMCIA megahz v32 p Megahertz XJ2288 115200 ATSF amp C1 amp D3S0 1EW V 34bis PCMCIA micro desk Microc
106. these values accordingly 10 12 PortMaster Configuration Guide ISDN BRI Unnumbered IP Configuration Example Using ISDN BRI Table 10 5 ISDN Port Values Setting Command Port type S1 set s1 network twoway Port type S2 set s2 network twoway Dial group SI set sl group 2 Dial group 2 set s2 group 2 Directory number S1 set s directory 5551111 Directory number S2 set s2 directory 7005551112 SPID S1 set s spid 700555111100 SPID S2 set s2 spid 700555111201 All the other parameters are left at their default values After you configure the ISDN BRI port as shown in Table 10 5 enter the following commands to reset the ports and save the configuration Command gt reset s1 Command gt reset s2 Command gt save all For more information about synchronous ports refer to Chapter 6 Configuring a Synchronous WAN Port Configuring a Dial In User A user account must be set up on the PortMaster router in Denver so that PortMaster in San Francisco can dial in when traffic is queued The new user sf should be configured with the values shown in Table 10 6 Table 10 6 User Table Values Setting Command Username add netuser sf Password set user sf password anypasswd Protocol set user sf protocol ppp 10 13 ISDN BRI Unnumbered IP Configuration Example 10 14 Table 10 6 User Table Values Continued Setting Command User IP address set user sf address 192 168 100 1 N
107. this restriction Inbound maps are a convenient way to make internal servers accessible to Internet users You can make an internal web site accessible to the Internet or an external network by mapping the location which you have set up for dialing to your ISP to the internal web server For example you might set up a web server with the private address 10 4 2 17 see Figure 13 2 Assume that 192 168 2 22 is the global address assigned to you by your ISP and that this is the address of the PortMaster running NAT To configure this router using an inbound map called isp in so that Internet users can connect to your web server enter the following commands Command add map isp in Command set map isp in 1 static tcp udp portmap 192 168 2 22 http 10 4 2 17 http 13 12 PortMaster Configuration Guide NAT Maps Figure 13 2 Inbound Map 192 168 2 22 Fame PortMaster 10 4 2 9 10 4 2 17 FTP server HTTP server 11820027 To make an internal FIP server accessible to Internet users you can add a rule to isp in that maps the global address of your router to the FIP server For example to allow external access to your internal FIP server with private address 10 4 2 9 you can statically map the internal FIP site to the global address by entering the following commands Command gt set map isp in 2 static tcp udp portmap 192 168 2 22 ftp 10 4 2 9 ftp Command gt set location isp nat
108. to a user when the user dials in and establishes a connection all packets received from the user are evaluated against the rule set for the applied filter Only packets allowed by the filter can pass through the PortMaster If an output filter is applied to a user packets going to the user are evaluated against the rule set for the applied filter Only packets allowed by the filter are sent out of the PortMaster to the user If either filter is changed while a user is logged on the change does not take effect until the user disconnects and logs in again Note You must define a filter in the filter table before you can apply it For more y information about filters see Chapter 12 Configuring Filters To apply an input filter for a network user use the following command Command set user Username ifilter Filtername Configuring Dial In Users 7 9 Configuring Login Users To apply an output filter for a network user use the following command Command gt set user Username ofilter Filtername Omitting the Filtername removes any filter previously set on the port Note Filters are applied to the user the next time the user dials in fe Specifying a Callback Location You can configure the user for callback connections to enhance network security or to simplify telephone charges When a network user logs in the PortMaster disconnects the user and then calls back to the location specified for that user The location is st
109. to the port from a UNIX host with the PortMaster daemon software installed In this case the port operates as a host controlled device Figure 20 1 shows a diagram of the host device configuration using the PortMaster device service and a pseudo tty connection Figure 20 1 Host Device Configuration printer C Workstation with ce ics O PortMaster PortMaster daemon connects with pseudo tty connection Mita Does esha es col pseudo tty 9 c Workstation without PortMaster daemon cannot connect 11820002 In this configuration a workstation with in pmd installed can access a printer attached to a PortMaster port even if the printer is on the other side of the country Network Device Configuration This configuration sets the port for host device access but uses the rlogin telnet or netdata device service to access the attached device In this configuration the host device name is set as dev network This configuration is used in cases where users want to use telnet or rlogin to log in to the shared device from multiple hosts or from a host that does not support in pmd Figure 20 2 shows an example of the network device configuration The network user configuration is most commonly used to provide a telnet session with the device attached to a specified PortMaster port The example in this chapter sets ports for network access so the administrato
110. username with the set location username command Set the password with the set location password command For more information about ISDN connections see Chapter 10 Using ISDN BRI For information about locations see Chapter 8 Configuring Dial Out Connections Using Office to Office Connections 17 15 Using ISDN for On Demand Connections 17 16 PortMaster Configuration Guide Using Internet Connections 18 This chapter uses an example to demonstrate how to configure the PortMaster to establish a continuous connection to an Internet service provider ISP shown in Figure 18 1 This connection creates a gateway from your office to the Internet using a dial out connection through one of the serial ports on your PortMaster Internet connections can also be set for on demand operation The following topics are discussed Overview of Continuous Internet Connections on page 18 3 e Configuration Steps for an Internet Connection on page 18 3 e Providing Network Filtering on page 18 10 e Using ISDN for Internet Connections on page 18 11 For information on related topics refer to the following chapters Topic Chapter On demand connections Configuring a PortMaster for an ISDN connection Frame Relay connections Synchronous leased lines Chapter 8 Configuring Dial Out Connections Chapter 17 Chapter 11 Chapter 10 Chapter 15 Chapter 21 Using Office to Office Connections
111. values shown in Table 21 3 Port S1 is used in this example The IP address for the port is left unconfigured accepting the default IP address value of 0 0 0 0 Table 21 3 Synchronous WAN Port Values Setting Command Port type set s network hardwired Transport protocol set sl protocol ppp IP destination set s destination 192 168 1 1 Netmask set s netmask 255 255 255 0 IPX network set sl ipxnet F3 Modem control set s1 cd off RIP routing set s rip on MTU set sl mtu 1500 If you are not sure of the IP address on the other end of the connection you can set the IP destination to 255 255 255 255 and the PortMaster will attempt to learn the address Leave all other settings at their default values After you configure the port S1 as shown in Table 21 3 enter the following commands to reset the port and save the configuration Command reset s1 Command save all For more information about synchronous ports refer to Chapter 6 Configuring a Synchronous WAN Port Using Synchronous Leased Lines 21 5 Configuration Steps for Leased Line Connections Configuring the PortMaster Office Router in Florence Configure the settings for the PortMaster Office Router in Florence with the values in the following sections Configuring Global Settings Configure the global settings to the values shown in Table 21 4 Table 21 4 Global Values Setting Command IP gateway set gateway 192 168 200 1 System name
112. vs Outbound A NAT session is a communication that passes through NAT software Sessions are deemed inbound or outbound with reference to the router doing the translation A session originating on an external host is inbound to the NAT router A session originating on an internal host is outbound to NAT router Configuring NAT 13 3 NAT Restrictions Basic NAT and NAPT Basic NAT maps one private IP address to one global IP address This is called one to one mapping and requires one global IP address for each internal host that attempts to connect concurrently to external hosts Because basic NAT is capable of many one to one mappings of private to global addresses basic NAT mapping is sometimes referred to as many to many translation For basic NAT you can configure IP address pools from which IP addresses are allocated dynamically If all your internal hosts do not usually require global addresses at the same time you can potentially have an address pool with fewer addresses than you have internal hosts The obvious danger in this approach is that you will have a shortage on those occasions when all internal hosts try to access the external network simultaneously Alternatively you can guarantee external access for all internal hosts by creating a static map where each private address is permanently assigned to a global address In this case the IP address pool size matches the actual number of internal hosts requiring address trans
113. w24 inmap Command gt reset w24 defaultnapt in Outsource Mode for a Dial In User This example Figure 13 9 shows how to provide NAT service for user tesla connecting in an outsource mode NAPT configuration using the defaultnapt map on a PortMaster 3 at IP address 192 168 96 162 The global IP address 192 168 129 130 is assigned to the dial up router and will be used for NAT translated packets Because this configuration uses the defaultnapt map the IP addresses in the internal client network are not important PortMaster Configuration Guide NAT and NAPT Examples Figure 13 9 Dial in User Using defaultnapt 192 168 129 130 Fn PortMaster 3 o non NAT router FTP host host host host 11820034 To provide outsource mode NAPT service to dial in user tesla as illustrated in Figure 13 9 add the following commands to the PortMaster 3 configuration Command add netuser tesla Command set user tesla password ACpower Command set user tesla maxports 2 Command set user tesla protocol ppp Command set user tesla destination 192 168 129 130 Command set user tesla local ip address 192 168 96 162 Command set user tesla nat outmap defaultnapt outsource Configuring NAT 13 39 NAT and NAPT Examples No NAT configuration is needed on the dial up router side If you want user tesla to run an FIP server with private IP address 172 16 5 1
114. 0 Serial Line Internet Protocol 5 19 Service Advertising Protocol 12 8 service profile identifier 10 5 services well known B 1 session limit 7 4 management NAT 13 28 NAT resetting 13 28 setting call check 3 27 shared device access 5 2 20 1 shared devices 5 11 host device 20 1 Telnet 20 8 shared secret 14 6 Simple Network Management Protocol See SNMP SLIP connections 5 19 SNMP agents 3 10 community strings 3 18 configuring 3 10 monitoring 3 18 read and write hosts 3 19 viewing settings 3 19 software flow control 5 4 9 8 new releases and upgrades xxviii PortMaster 1 1 SPID 10 5 Stac LZS data compression 5 23 7 8 8 8 star configuration 5 1 static netmasks example 3 23 using with IP address pools 3 24 static routing setting 3 21 statistics L2TP 14 13 subinterfaces Ethernet 4 7 Frame Relay 15 12 subnet masks A 7 Ethernet interface 4 4 setting on Ethernet interface 4 4 synchronous port 6 9 subnetting connecting two networks 21 2 routing issues A 8 subnet mask A 7 Subject Index 11 Subject Index support technical xxviii switch types BRI 10 4 PRI 11 5 switched 56Kbps connections 16 1 synchronous leased lines 21 1 synchronous ports connection type 6 4 description 6 1 destination IP address 6 8 DLCI list 15 6 extended information 6 4 filters 6 10 modem control 6 6 port type 6 4 speed 6 5 subnet mask 6 9 TCP header compression 6 11 transport protocol 6 8 See also WAN ports system logging disabling
115. 01 gt 192 168 247 6 80 Mar 24 17 29 23 nat or NAT ptp3 Out TCP 172 16 3 1 34178 192 168 247 6 80 translated to 192 168 129 129 20002 gt 192 168 247 6 80 Debugging NAT Configuring NAT NAT provides several ComOS debugging options To turn off NAT logging enter set debug off and then reset console e To view FIP payload processing enter the following command Command set debug nat ftp on e To view ICMP ICMP error payload processing enter the following command Command set debug nat icmp err on 13 45 Debugging and Troubleshooting NAT e To view NAT parameter changes during interface binding use the following command Command gt set debug nat rt interface on e To enable full NAT debugging use the following command Command gt set debug nat max on Network Diagnostic Tools for NAT Because NAT includes ICMP and UDP translation the two most common network diagnostic tools ping and traceroute can be used However the following restrictions apply e When using NAPT traceroute or ping inbound is not available to the private hosts because you cannot reach these hosts directly from the outside But any of the private hosts can use the tools in an outbound direction without any problems e You can use basic NAT inbound only if you have an inbound map active The map must include an entry for the host you are trying to ping or trace a route to As with NAPT you can do all network diagnostics in ou
116. 1 Netmask set ether0 netmask 255 255 255 0 IPX network set ether0 ipxnet FI IPX frame type set ether0 ipxframe ethernet 802 2 Broadcast address set ether0 broadcast high RIP routing set ether0 rip on After you configure the Ethernet interface as shown in Table 16 2 enter the following command to save the configuration Command save all 16 4 PortMaster Configuration Guide Configuration Steps for a Synchronous V 25bis Connection For more information on Ethernet settings refer to Chapter 4 Configuring the Ethernet Interface Configuring Synchronous WAN Port Settings Configure the synchronous WAN port parameters with the values shown in Table 16 3 Table 16 3 Synchronous WAN Port Values Setting Command Port type set w network twoway Modem control set wl cd on Dial group set wl group 1 After you configure the synchronous WAN port as shown in Table 16 3 enter the following commands to reset the port and save the configuration Command reset wl Command save all For more information about synchronous ports refer to Chapter 6 Configuring a Synchronous WAN Port Configuring a Dial In User A user account must be set up on the PortMaster router in Boston so the PortMaster in Miami can dial in when traffic is queued The new user miami must be configured on the PortMaster router in Boston with the values shown in Table 16 4 Table 16 4 User Table Values Setting Command U
117. 1 staticaddressmap 192 168 65 1 192 168 65 14 10 1 1 1 10 1 1 14 This example uses hyphen separated address ranges of 14 addresses each These same address ranges can be configured in CIDR notation as follows Command set map Mapname 1 staticaddressmap 192 168 65 0 28 10 1 1 0 28 To mix a hyphen separated address range with an address range of equal size in CIDR notation enter the addresses as follows Command set map Mapname 1 staticaddressmap 192 168 65 0 28 10 1 1 1 10 1 1 14 With the 28 netmask and 192 168 65 0 reserved for the network 192 168 65 1 through 192 168 65 14 are available for mapping And because this is a static address map 10 1 1 1 always maps to 192 168 65 1 10 1 1 2 always maps to 192 168 65 2 and so on Again the only requirement is that the ranges span the same number of addresses NAT Maps Address maps allow you to map the private IP addresses of internal hosts to individual addresses or pools of global addresses NAT supports static and dynamic address maps Static address maps establish links between private and global addresses that span multiple sessions Dynamic address maps establish unique links between private and global addresses for each session Mirror image inbound and outbound static address maps are ideal for network renumbering see Using Basic NAT to Avoid Address Renumbering on page 13 34 or in any situation where you require a permanent mapping of private to global addresses Dyna
118. 1 workstation 2 workstation 3 11820008 The PortMaster ISDN Office Router OR U has an ISDN BRI port designated S1 S2 instead of a PCMCIA modem port The ISDN port can be used for ISDN dial on demand connections 17 2 PortMaster Configuration Guide Configuration Steps for an Office to Office Connection The example in this chapter uses the PCMCIA asynchronous modem port on the OR M To use the ISDN port on the OR U see Using ISDN for On Demand Connections on page 17 15 Configuration Steps for an Office to Office Connection The example described in this chapter connects a PortMaster router located in a branch office London with a PortMaster router located in the main office Paris using a dial on demand modem configuration To install your PortMaster follow the instructions in your hardware installation guide If you need additional help refer to the troubleshooting chapter of the installation guide Once you have assigned an IP address to the PortMaster continue with the steps The examples in this chapter show variables in italics When you are configuring your PortMaster use values appropriate for your network 1 Configure the following settings for the PortMaster PCMCIA Office Router in the London office a Global settings page 17 4 b Ethernet interface settings page 17 4 c PCMCIA serial port settings page 17 5 d Dial in users page 17 6 e Dial out locations page 17 7 2 Configure the fo
119. 10 1 1 1 on his network and have it accessible globally you must complete the following additional steps 1 Create an inbound map called tesla inmap Command add map tesla inmap Set the TCP UDP port mapping and set the port being configured as the destination address Command set map tesla inmap 1 static tcp udp portmap ipaddr ftp 10 1 1 1 ftp Specify that the map be used in outsource mode Command gt set user tesla nat inmap tesla inmap outsource PortMaster Configuration Guide Configuring Outsource NAT Configuration for edison To configure outsource NAT for user edison as illustrated in Figure 13 4 follow this procedure 1 Create user edison Command gt add netuser edison Set a password for user edison Command gt set user edison password DCpower Set the maximum network dial out ports for this user Command gt set user edison maxports 2 Set the protocol to ppp Command gt set user edison protocol ppp Set the destination address Command gt set user edison destination 192 168 129 130 Set the local IP address of the port Command gt set user edison local ip address 192 168 96 163 Set the map to default NAPT outsource Command gt set user edison nat outmap defaultnapt outsource No NAT configuration is needed on the dial up router side FTP Configuration for edison If you want user edison to be able to run an FIP server with private IP address 10 1 1 1 on his network and have it ac
120. 1tr6 Germany older switch ntt Japan kdd Japan ts014 Australia To use this switch type set the port type to network hardwired set the directory number for the port appropriately and reset the port Setting the Framing Format To set the framing format for the El or TI line use the following command Table 11 7 explains the framing format options Command set LineO framing esf d4 crc4 fas Table 11 7 Tl Inband Signaling Protocol Options Option Description LineO LineO or Linel esf Extended superframe This is the default format for T1 lines d4 D4 framing an alternative format for TI lines crc4 Cyclic redundancy check 4 This is the default format for E1 lines fas Frame Alignment Signal an alternative format for El lines PortMaster Configuration Guide Configuring ISDN PRI Settings Setting the Encoding Method This command sets the encoding method used with T1 and E1 lines Table 11 8 explains the encoding method options Command set LineO encoding b8zs ami hdb3 Table 11 8 Encoding Method Options Option Description LineO LineO or Linel b8zs Bipolar 8 zero substitution This is the default for T1 lines ami Alternate mark inversion hdb3 High density bipolar 3 This is the default for E1 lines Setting the Pulse Code Modulation You need to set the pulse code modulation only if you are using digital modems and your PRI service provider instructs you to
121. 2 Monitor the dial and connect sequence between the two locations 3 If everything connects as expected do the following a Turn off debugging on the console Command gt set debug off Command gt reset console b Reset the port on the Office Router in Denver and change the location type of location sf to on demand Command reset s1 Command set location sf on demand PortMaster Configuration Guide Troubleshooting an ISDN BRI Connection 4 If you notice a problem do the following a Reset the port on the PortMaster in Denver b Change the settings you think are causing the problem c Dial San Francisco again d Repeat this procedure until the connection is made correctly 5 Repeat Steps 1 through 4 dialing from San Francisco to Denver Troubleshooting an ISDN BRI Connection Using ISDN BRI Most ISDN configurations come up with little trouble if you have configured the PortMaster using information from your telephone company However if you are having problems use the information in this section to try to debug your configuration To display ISDN debug information on the console enter the following commands Command set console s1 Command set debug isdn on To turn off debugging enter the following commands Command set debug isdn off Command reset console If you are having trouble with an ISDN connection verify the following e The error counters are 0 except for a small number of abnormal
122. 2 port with the values shown in Table 20 3 Table 20 3 Serial Port Values S2 Setting Command Port type set s2 twoway dev ttyrf Accessing Shared Devices 20 5 Configuration Steps for Shared Device Access Table 20 3 Serial Port Values S2 Continued Modem control Hardware flow control Software flow control Host Security Login service Device service Setting Command Speed 1 set s2 speed 1 115200 Speed 2 set s2 speed 2 115200 Speed 3 set s2 speed 3 115200 set s2 cd on set s2 rts cts on set s2 xon xoff off set s2 host default set s2 security on If you turn security on you must also configure the user table or RADIUS set s2 service login portmaster set s2 service device portmaster Leave all other settings at their default values After you configure port S2 as shown in Table 20 3 enter the following commands to reset the port and save the configuration Command reset s2 Command save all For more information about serial asynchronous ports refer to Chapter 5 Configuring an Asynchronous Port 20 6 PortMaster Configuration Guide Configuration Steps for Shared Device Access Serial Printer Port S9 Settings In the example a serial printer is connected to port S9 Configure the S9 port with the values shown in Table 20 4 If the printer is a DTE use a null modem cable to connect to the port Table 20 4 Serial Port Values S9
123. 255 255 255 No taffy Login User defaults PortMaster john Netuser 192 168 7 8 0000000000 No To display configuration information for a particular user for example use the following command Command show user elena Username elena Type Dial in Network User Address Assigned Netmask 255 255 255 255 Protocol PPP Options Quiet compressed MTU 1500 Async Map 00000000 Adding Users to the User Table You must add users to the user table before configuring any settings for them The username is a string of from 1 to 8 printable nonspace ASCII characters The optional user password is a string of from 0 to 16 printable ASCII characters You cannot add users with blank usernames To add a login user to the user table use the following command Command add user Username password Password To add a network user to the user table use the following command Command add netuser Username password Password PortMaster Configuration Guide User Types Note To add a network user you must use the netuser keyword Thereafter you can use either the netuser or the user keyword to configure settings for the network user Ey You must always use the user keyword when configuring login users Deleting Users from the User Table To delete a user from the user table use the following command Command gt delete user Username User Types User settings define the nature and behavior of dial in users The user table contains en
124. 29s10 20 amp W tdk 288 p TDK DF2814 V Fast 115200 AT amp F amp C1 amp D3S0 1 amp W PCMCIA usr v32 p USR 57600 AT amp F1 amp W Courier Sportster V 32bis PCMCIA usr v34 p USR 115200 AT amp F1S0 1 amp W Courier Sportster V 34 PCMCIA usr v32 USR 57600 AT amp F1S0 1 amp W Courier Sportster V 32bis Using Modems 9 5 Configuring Ports for Modem Use Table 9 1 Factory Default Modem Table Entries Continued Modem Name Modem Name DTE Short Long Rate Initialization String usr v34 USR 115200 AT amp F1S0 1 amp W Courier Sportster V 34 usr spt v32 USR Sportster 57600 AT amp F1S0 1S10 20S13 0 1 amp W0 V 32bis usr spt 336 USR Sportster 33 6 115200 AT amp F1S0 1S10 20S13 0 1 amp W0 zyxel Zyxel U1496E 57600 AT amp FM0 amp D2S0 1S82 1 Associating a Modem with a Port To automatically configure a modem and associate it in the modem table with the port it is attached to use the following commands Command set S0 all modem type ModemName short Command reset SO all For example to associate a U S Robotics V 34 modem with port S1 and configure the modem enter Command set s1 modem usr v34 Command reset sl To configure all ports for the same modem type use all instead of the port number in the previous example After the modem is attached to the port configure the other modem settings described in Configuring Ports for Modem Use on page 9 6 To configure the modem not to answer when us
125. 2refers to interfaces e 1 refers to serial interfaces e 1 refers to the serial interfaces table e 1 refers to an entry in the serial interfaces table e 2 refers to the PortName variable Configuring Global Settings 3 13 Configuring SNMP The SNMP manager queries the agents by means of OIDs Each OID uniquely identifies a single MIB variable For example the OID 307 3 2 1 1 1 2 0 returns the port name for port SO and the OID 307 3 2 1 1 1 2 1 returns the port name for port S1 see Table 3 5 Table 3 5 Partial View of the Livingston Serial Interfaces Table OID SO 0 S1 1 S2 2 S3 3 S4 4 307 3 2 1 1 1 1 Index Index Index Index Index 207 3 2 1 1 1 2 PortName PortName PortName PortName PortName 307 3 2 1 1 1 3 PhysType PhysType PhysType PhysType PhysType 207 3 2 1 1 1 4 User User User User User 307 3 2 1 1 1 5 SessionId SessionId SessionId SessionId SessionId 207 3 2 1 1 1 6 Type Type Type Type Type 307 3 2 1 1 1 7 Direction Direction Direction Direction Direction PortMaster Serial Interfaces Table 3 6 lists the objects in the serial interface table from the Livingston Extensions section of the MIB Modem specific objects apply to the PortMaster 3 only Table 3 6 Serial Interfaces Table Object Definition Index Unique value for each serial interface PortName Text string containing the name of the serial interface for example SO W1 and so on PhysType Type of physical
126. 3 has an integrated channel service unit digital service unit CSU DSU However the other end of a T1 E1 connection might require an external clock signal provided by the telephone company or a CSU DSU Why Use Channelized T1 Channelized T1 service provides 24 channels of 56Kbps capacity each An ISDN PRI line provides 23 channels of 64Kbps capacity each plus one 64Kbps signaling channel However channelized T1 is available in many service areas that do not yet provide ISDN PRI In areas where PRI is available the cost of channelized T1 can be significantly less than the cost of PRI How to Order DS 1 Service from the Telephone Company The telephone company will ask you the following two questions when you order digital service level 1 DS 1 service e What signaling protocol do you use You can use either of the following signaling protocols on the PortMaster 3 E amp M wink start Foreign exchange station FXS e If you use E amp M wink start how many Directory Number Identification Service DNIS digits do you need ComOS 3 6 and later releases require one DNIS digit Record the line parameters provided by the telephone company Configuring the PortMaster 3 11 15 Using Channelized T1 Configuring the PortMaster 3 for Channelized T1 Follow these steps to configure the PortMaster 3 to use channelized T1 service l Set the line for inband signaling Command set LineO inband 2 Set the signaling protocol a
127. 5 6 For more information about global settings see Chapter 3 Configuring Global Settings After configuring the global settings enter the following command to save the configuration Command save all Configuring Port Settings You must configure settings for your Ethernet port and settings for either a dial out or hardwired connection on your asynchronous port Ethernet Interface Settings Set the Ethernet parameters to the values shown in Table 18 2 18 4 PortMaster Configuration Guide Configuration Steps for an Internet Connection Table 18 2 Ethernet Port Parameter Values Broadcast address Setting Command IP address set ether0 address 192 168 200 1 Netmask set ether netmask 255 255 255 0 set ether0 broadcast high After configuring the Ethernet interface enter the following commands to reset it and save the configuration Command reset ether0 Command gt save all For more information on Ethernet interface parameters refer to Chapter 4 Configuring the Ethernet Interface Serial Port Settings for Dial Out For continuous dial out on a serial port configure the port with the values shown in Table 18 3 Table 18 3 Serial Port Values for Continuous Dial Out Modem control Hardware flow control Software flow control Dial group Setting Command Port type set sl network dialout Protocol set sl protocol ppp Speed 1 set sl speed 1 115200 Speed 2
128. 67 Network segment Node address address The first 8 digits represent the network segment and the following 12 digits represent the node or MAC address of the node AII digits are expressed in hexadecimal PortMaster Configuration Guide Network Addressing Netmasks A netmask is a four octet number that identifies either a supernetwork supernet or a subnetwork subnet A netmask that designates a subnet is called a subnet mask Using Subnet Masks to Create IP Subnets Subnet masks are used to divide networks into smaller more manageable groups of hosts known as subnets Subnetting is a scheme for imposing a hierarchy on hosts on a single physical network The usual practice is to use the first few bits in the host portion of the network address for a subnet field RFC 950 Internet Standard Subnetting Procedure describes subnetting A subnet mask identifies the subnet field of a network address This mask is a 32 bit number written in dotted decimal notation with all 1s ones in the network and subnet portions of the address and all Os zeros in the host portion This scheme allows for the identification of the host portion of any address on the network Table A 3 shows the subnet masks you can use to divide a class C network into subnets Table A 3 Subnet Masks for a Class C Network Length Number of Subnet Number of Hosts per Hexadecimal Dotted Decimal Bits Subnets Subnet Subnet Mask Subnet Mask 24 1 254 Ox
129. 68 5 1 etherO OSEE PM IRX 211 192 168 2 254 ether1 192 168 2 1 192 168 2 2 primary server backup server 11820032 defaultnapt Providing Inbound HTTP Service This example shows how to direct inbound HTTP packets to an internal HTTP server on a private network while providing outbound access to the Internet using default NAPT for the other hosts on the private network In this example Figure 13 8 Linel on a PortMaster 3 is a T1 WAN link with the private network 10 0 0 0 8 behind it The T1 PPP interfaces are numbered with global addresses local 192 168 44 99 destination 192 168 44 254 The HTTP server at 10 1 1 10 resides in the private network Configuring NAT 13 37 NAT and NAPT Examples 13 38 Figure 13 8 T1 Link Using defaultnapt 192 168 44 254 W24 192 168 44 99 PortMaster 3 10 1 1 10 http HTTP server 11820033 To configure a PortMaster to direct inbound HTTP packets to an internal web server and provide outbound access to internal hosts as illustrated in Figure 13 8 add the following commands to the PortMaster configuration Command gt set w24 address 192 168 44 99 Command gt set w24 destination 192 168 44 254 Command gt set w24 nat outmap defaultnapt Command gt add map w24 inmap Command gt set map w24 inmap 1 static tcp udp portmap 192 168 44 99 http 10 1 1 10 http Command gt set w24 nat inmap
130. 7 6 After you configure the port as shown in Table 17 3 enter the following commands to reset the port and save the configuration Command gt reset sl Command gt save all For more information about asynchronous ports refer to Chapter 5 Configuring an Asynchronous Port For more information about configuring modems refer to Chapter 9 Using Modems Dial In User Settings for London You must set up a user account on the Office Router in the London office so the PortMaster 2 in the Paris office can dial in when traffic is queued at the main office The new user paris must be configured with the values shown in Table 17 4 Table 17 4 User Table Values Setting Command Username add netuser paris Password set user paris password anypasswd Protocol set user paris protocol ppp User IP address set user paris destination 192 168 1 1 Netmask set user paris netmask 255 255 255 0 IPX network number set user paris ipxnet F2 RIP routing set user paris rip on MTU set user paris mtu 1500 Compression set user paris compression on After you configure the user table as shown in Table 17 4 enter the following command to save the configuration Command save all For more information about configuring user table settings refer to Chapter 7 Configuring Dial In Users PortMaster Configuration Guide Configuration Steps for an Office to Office Connection Dial Out Location Settings for London You m
131. 9 Type of Service in the Internet Protocol Suite 1413 Identification Protocol 1483 Multiprotocol Encapsulation over ATM Adaption Layer 5 1490 Multiprotocol Interconnect Over Frame Relay 1542 Clarifications and Extensions for the Bootstrap Protocol 1552 The PPP Internet Packet Exchange Control Protocol IPXCP 1587 The OSPF NSSA Option 1597 Address Allocations for Private Internets 1627 Network 10 Considered Harmful Some Practices Shouldn t be Codified 1634 Novell IPX Over Various WAN Media IPXWAN 1661 The Point to Point Protocol PPP 1700 Assigned Numbers 1723 RIP Version 2 1771 A Border Gateway Protocol 4 BGP 4 1812 Requirements for IP Version 4 Routers 1814 Unique Addresses are Good 1818 Best Current Practices 1824 Requirements for IP Version 4 Routers 1825 Security Architecture for the Internet Protocol 1826 IP Authentication Header 1827 IP Encapsulating Payload 1828 IP Authentication Using Keyed MD5 1829 The ESP DES CBC Transform 1851 The ESP Triple DES Transform 1877 PPP Internet Protocol Control Protocol Extensions for Name Server Addresses 1878 Variable Length Subnet Table for IPv4 1918 Address Allocation for Private Internets 1962 The PPP Compression Control Protocol CCP 1965 Autonomous System Confederations for BGP 1966 BGP Route Reflection An Alternative to Full Mesh IBGP 1974 PPP Stac LZS Compression Protocol 1990 The PPP Multilink Protocol MP 1994 PPP Challenge H
132. A router configured to transmit routes received from internal BGP peers to one or more other internal peers within its same cluster These peers are called the route reflector s clients See also cluster cluster ID route reflection One of the interface addresses configured on a BGP speaker The router ID is chosen as the address that uniquely identifies the BGP speaker on the Internet Routing Information Protocol routing table See RIP A database of routes to particular network destinations stored on a router or other device The routing table stored on the PortMaster contains the following information for each route IP address and netmask length of the destination IP address of the gateway source of the route if any type of route hop count metric and PortMaster interface used to forward packets along the route RS 232 interface RSA A standard for data communication using serial data control signals and clock signals Rivest Shamir Adelman A public key encryption and authentication technology that uses an algorithm developed in 1977 by Ron Rivest Adi Shamir and Leonard Adleman The RSA algorithm is the most commonly used encryption and authentication algorithm especially for data sent over the Internet The technology is owned by RSA Data Security Inc now a subsidiary of Security Dynamics Glossary 63 Glossary runt packet SAP scalable schema secret A packet below the minimum size On an Ethern
133. ADIUS for UNIX Administrator s Guide RADIUS RADIUS is a nonproprietary protocol invented by Lucent and described in RFC 2138 and RFC 2139 RADIUS provides an open and scalable client server security system for distributed network environments The RADIUS server can be adapted to work with third party security products Any communications server or network hardware that supports the RADIUS protocol can communicate with a RADIUS server RADIUS consolidates all user authentication and network service access information on the authentication RADIUS server The server can authenticate users against a UNIX password file NIS databases or separately maintained RADIUS database The PortMaster acts as a RADIUS client it sends authentication requests to the RADIUS server and acts on responses sent back by the server For more information about RADIUS refer to the RADIUS for UNIX Administrator s Guide Or for a more fully featured RADIUS server use the Lucent NavisRadius product which supports vendor specific attributes Choice Net ChoiceNet is a client server packet filtering application created by Lucent ChoiceNet provides a mechanism to filter network traffic on dial up remote access synchronous leased line or asynchronous connections Filter information is stored in a central location known as the ChoiceNet server ChoiceNet clients can be one or more PortMaster products ChoiceNet clients communicate with the ChoiceNet server t
134. Administering L2TP on the PortMaster 0 0 ee ee 14 12 Manually Creating a Tunnel 20 0 ee eee 14 12 Displaying L2TP Information 0 ce he 14 13 Resetting E2TPT nnels 5 osci soos yc ed E ee t te d 14 13 Troubleshoot L2 UP ai vw de t aa a law RCM een soe aser atlas aves wells 14 13 BPP ITAICE PR RR ac aca ait aoa test athe atest aad ee Ricks dig cde gdh a ah Eig diced Seda 14 13 Modem Connections celle c ee 14 13 Accounting for Firewalls between a LAC andan LNS 00005 14 14 15 Using Frame Relay Overview of Frame Relay o 42 HOS BONSRADGRANE As Unease ee eie ep 15 1 PV Gscanid DECIS apace bot wood ott pee oti a web bese bere tobebarebets 15 2 Eine Speedzx oS AAs AA ee oe eu e e Puede 15 2 Port Speed sss anaintea rear raaa ARA ARA 15 2 GIR nd Burst Speeds DEL RES RES RES RES P REG Y Eu Y En Y YN EIE 15 2 Discarding EranmeSza aee ERU Yea xen ua xu ax a Yu a Ya a Ya S 15 3 Ordering Frame Relay Service 0 eens 15 3 LMITypes ec ee Rex A ARW ARR aaadaasddadddadGASGdd4Gdaadas 15 3 Frame Relay Configuration on the PortMaster 0 een 15 4 Enabling EME 2222259000 4IMRURPC UR eU RC Sek dee ETE RR Ree 15 5 Enabling Annex Dn ropt nPE PER N DEAT PESE BENINA D PEE PEU PEIE HERE pd 15 6 Listing DLCIs for Frame Relay Access 000 cece eee eee eee 15 6 Configuration Steps for a Frame Relay Connection 00 0000000 15 7 Configuring the PortMa
135. BPYUVMRG ee Seles Seles Seles Seles Sele ees 11 9 Configuring NEAS o s3 m dean e teni e eI RR RUE SUE A ee leee tee 11 11 Example NFAS Configuration llle 11 12 Using True Digital Modems i444 ec e eR RENE EN EE Y 11 13 Setting Digital Modems our e e de a de dinde eee ws 11 13 Hot Swapping Digital Modem Cards 0 cece eee eee 11 14 Setting Digital Modems to Analog Service 0 0 ccc eee ees 11 14 Contents xi Contents 12 xii Usme Gbannpelzed TE ezs2 8 64 000UDILRLPxRCLBR RucIDAeRueAUSRueRue RueR3e uebuem debent 11 15 Why Use Channelzed TI is E ee ua Rd an ERES Sa ga Ea RU US 11 15 How to Order DS 1 Service from the Telephone Company 11 15 Configuring the PortMaster 3 for Channelized Tl 2 065 11 16 Example Channelized TI Configuration llle 11 16 Using the T1 Expansion Card 1 0 0 eee ah 11 17 Clocking Voth E Ces obese te bit t e N 11 17 Configuring the T1 Expansion Card for Fractional Tl 11 18 Troubleshooting the TI Expansion Card 0 0 ee eee ee eee 11 19 Using Multichassis PPP rereh aeaaee eee eh 11 20 Setting Multichdssis PPP sc 64ebebebareboberobebobereterebetebepes 11 20 Displaying Multichassis PPP Addresses 0 00 cece eee eee eens 11 20 Disconnecting a User from a Virtual Port llle 11 20 Troubleshooting the PortMaster 3 llle es 11 21 Configuring Filters Overv
136. C is used in Frame Relay See also PVC SVC virtual connection In Multichassis PPP a connection made when a slave forwards all the packets it receives for a particular connection to its corresponding master for processing virtual LAN See VLAN virtual port In Multichassis PPP a port corresponding to the physical port of the slave virtual private data network See VPN virtual private dial up network See VPN virtual private network See VPN Virtual Terminal Protocol See VTP Glossary 75 Glossary VLAN VLSM voice over IP VoIP VoIP Forum VPDN VPN VTP Glossary 76 Virtual LAN A group of devices on one or more LANs that communicate as if they were connected to the same wire even though they are physically located on different LAN segments Because VLANs are configured through software rather than hardware they are extremely flexible Variable length subnet mask A means of specifying a different subnet mask for the same network number on different subnets VLSMs often allow addresses to be assigned more efficiently OSPF and BGP support classless or VLSM routes See VoIP Voice over IP A category of hardware and software that allows people to use the Internet as the transmission medium for telephone calls Currently VoIP does not offer the same quality of telephone service as direct telephone connections VoIP is also known as Internet telephony and Voice over the Internet VOI A subgroup of t
137. DN Port Values Setting Command Port type S1 set s1 network twoway Port type S2 set s2 network twoway Dial group SI set s group 2 Dial group 2 set s2 group 2 set directory number SI set s directory 5552222 set directory number 2 set s2 directory 5552223 SPID S1 set sl spid 700555222200 SPID S2 set s2 spid 7005552222301 All the other settings are left at their default values After you configure the synchronous WAN port as shown in Table 10 10 enter the following commands to reset the ports and save the configuration Command gt reset s1 Command gt reset s2 Command gt save all For more information about synchronous ports refer to Chapter 6 Configuring a Synchronous WAN Port 10 17 ISDN BRI Unnumbered IP Configuration Example Configuring a Dial In User A user account must be set up on the PortMaster router in San Francisco so that PortMaster in Denver can dial in when traffic is queued The new user denver should be configured with the values shown in Table 10 11 Table 10 11 User Table Values Setting Command Username add netuser denver Password set user denver password anypasswd Protocol set user denver protocol ppp User IP address set user denver address 192 168 200 1 Netmask set user denver netmask 255 255 255 0 IPX network set user denver ipxnet F3 RIP routing set user denver rip on MTU set user denver mtu 1500 Compression set user denver compression on After
138. G Rs 8 3 Setting the Connection Type ciscaageuasgeng pee yox Eo X Ye o Yo go YO yon d 8 3 Setting tbe Telephone Number licii i 4242420282 929340 2 xard ds 8 5 Setting the Username and Password 00 0 eee ees 8 5 PortMaster Configuration Guide Contents Setting the Protocoli ees WkeBRRRRAPPRPPTRRPETRRRRPRRRRRPRRRRDRRRRRRRRRLRESY 8 5 Setting the Destination IP Address llle eese 8 6 Setting the Destination Netmask 0 0 eens 8 6 Setting the IPX Network Number lesse 8 6 Setting RIP ROUTINE oss oi sana x WAN SAAR EAN AR ANWR AGUA AR AAA OR 8 7 Setting the Dial Grops seese feei BARA ERS ETA Ge eu ex a RE aM AS ae e gd as 8 8 Setting the MEUCSIZOR Mt Labia CAG Se SoBe a DEAS PSS See eR ee et 8 8 Configuring Compression 0 eee eee nee eens 8 8 Setting the Idle Timer 1 2 llle eee 8 10 Setting Data over Voice 2 ence hh 8 10 Setting CHAR out etepPPPPHPPPEREPPPLEBPBUSSSSISASBIBSSSPISRSSUDTS BS 8 10 Setting the Asynchronous Character Map 0 ee eee eere 8 11 Setting Multiline Load Balancing 0 0 eee 8 11 Setting the Maximum Number of Dial Out Ports 0 20 00 eee 8 12 Setting Bandwidth on Demand llle elles 8 12 Setting Filters A a aa ee eta eo Oe a he ERD ER SU ER SEER I EERE s 8 13 Input Filters suck agin Aids bade badd dada dada de ea dade dade bode id 8 13 Output Filters o uude wade E ERES GE EEG NE x Ee SEES 8 13 Testing Your Location Co
139. IDR A 2 A 6 Cisco routers setting for Frame Relay 15 11 class A IP addresses A 3 class B IP addresses A 3 class C IP addresses A 4 class D IP addresses A 4 class E IP addresses A 4 classes PortMaster xxix cloud Frame Relay 15 1 COMMAND port status 2 6 committed information rate Frame Relay 15 2 community strings 3 18 ComOS downloading with NetbootServer 1 2 overview 1 1 compression 5 23 6 11 7 8 8 8 Subject Index 2 configuration basic steps 1 5 planning 1 3 CONNECTING port status 2 6 connection types 8 3 console port 5 7 contact information CALA xxix Europe Middle East and Africa xxviii mailing lists xxix NetworkCare xxviii North America Latin America and Asia Pacific xxix technical support xxviii continuous connections 8 3 8 4 continuous Internet connections 18 3 conventions in this manual xxvii D daemons See in pmd data carrier detect See DCD data link connection identifier See DLCI data over voice 8 10 10 8 Data Set Ready signal 5 26 Data Terminal Ready See DTR databits setting 5 4 DCD for port behavior 6 6 9 7 debugging digital modems 11 21 Frame Relay 15 12 ISDN BRI 10 21 leased line 21 8 Multichassis PPP events 11 21 NFAS 11 12 synchronous V 25bis connection 16 13 See also troubleshooting destination IP address setting 5 22 destination netmask for asynchronous ports 5 22 device services 5 14 netdata 5 15 PortMaster 5 14 PortMaster Configuration Guide Subject Index Telnet 5
140. IP connections can have a maximum MTU of 1006 bytes PPP can negotiate smaller MTUs when requested by the calling party Configuring Dial In Users 7 7 Configuring Network Users 7 8 The MTU size is typically set to the maximum allowed for the protocol being used either 1500 bytes for PPP or 1006 bytes for SLIP However smaller MTU values can improve performance for interactive sessions If you are using IPX the MTU must be set to at least 600 To set the MTU for a network user use the following command Command gt set user Username mtu MTU Setting the Maximum Number of Dial In Ports You can define the number of dial in ports that a user can use on the PortMaster for Multilink V 120 Multilink PPP only on ISDN and multiline load balancing If the maximum number of ports is unconfigured port limits are not imposed and PortMaster multiline load balancing Multilink V 120 and Multilink PPP sessions are allowed You can also set the dial in port limit using the RADIUS Port Limit attribute To set the maximum number of dial in ports use the following command Command gt set user Username maxports Number The Number variable can be set to between 0 and the number of available ports up to 64 Setting Compression Compression of TCP IP headers can increase the performance of interactive TCP sessions over network hardwired asynchronous lines Lucent implements Van Jacobson TCP IP header compression and Stac LZS data c
141. IP Address Pool on page 3 9 Setting the Reported IP Address on page 3 10 Configuring SNMP on page 3 10 Displaying the Routing Table on page 3 20 Setting Static Routes on page 3 21 Enabling NetBIOS Broadcast Packet Propagation on page 3 26 Setting Authentication for Dial In Users on page 3 26 Setting Call Check Authentication on page 3 27 Setting the ISDN Switch on page 3 27 3 1 Setting the System Name See the PortMaster Command Line Reference for more detailed command descriptions and instructions Setting the System Name The system name is the name that identifies the PortMaster for SNMP queries IPX protocol routing and CHAP authentication Enter a name that is valid for your network The system name can have up to 16 characters and appears in place of the Command gt prompt on PortMaster products that have it set To set the system name use the following command Command gt set sysname String Setting the Administrative Password The PortMaster is shipped without a password Press Enter at the password prompt when accessing the PortMaster for the first time The password is an ASCII printable string of up to 15 characters used to access the PortMaster administration features Only the administrator can change the password To set the password use the following command Command gt set password Password Using the set password command and pressing Enter resets th
142. ISDN provisioning for example a telephone service provider configures its own switch that connects via an ISDN line to the user s ISDN hardware Because switch configuration varies according to hardware telephone company switch and available ISDN line user and provider must work together to establish the correct settings Proxy Address Resolution Protocol See Proxy ARP Proxy ARP A variation of the Address Resolution Protocol ARP in which a router or other device sends an ARP response to the requesting host on behalf of another node Proxy ARP can reduce the use of bandwidth on slow speed WAN links See also ARP proxy service A service that enables access requests to be forwarded to other servers either directly or through intermediary servers for authentication and optionally authorization PSTN Public switched telephone network See POTS public key infrastructure See PKIX public switched telephone network See POTS PVC Permanent virtual circuit A circuit that defines a permanent connection in a switched digital service such as Frame Relay Frame Relay is the only switched digital service that uses PVCs supported by PortMaster products Glossary 57 Glossary Q Qos Quality of service An indicator of the performance of a transmission system on the Internet and other networks QoS is measured in transmission rate error rates latency and other characteristics and can to some extent be guaranteed to a custo
143. ISDN devices An asynchronous terminal adapter turns an asynchronous bit stream into ISDN and is treated by the PortMaster as if it were a modem A synchronous terminal adapter takes a synchronous bit stream and turns it into ISDN typically supports V 25bis dialing and connects to a PortMaster synchronous port Some terminal adapters can be configured for either synchronous or asynchronous operation terminal emulator A program that makes a PC or workstation screen and keyboard act like the video display terminal VDT of another computer TFIP Trivial File Transfer Protocol A simplified version of the File Transfer Protocol FTP that transfers files but does not provide password protection or user directory capability TFTP can be used by diskless devices that keep software in ROM and use it to boot themselves The PortMaster can be booted from the network by means of Reverse Address Resolution Protocol RARP and TFTP token A small hand held device that generates dynamic or one time passwords for user authentication Some tokens generate a response to a challenge entered by the user Other tokens are synchronized with the security server and independently generate a matching password on request See also ActivCard SecurID transit service In BGP the function provided by an autonomous system that is in the path of a route but not the origination or destination To provide reliable transit service an autonomous system must ensure th
144. Mapname 1 static tcp udp portmap Gipaddr ftp 10 1 1 1 ftp You can specify the port number or the port service See Appendix B TCP and UDP Ports and Services for a complete list of services and their corresponding port numbers Configuring NAT 13 15 NAT Maps Using the Default NAPT Map The reserved map name defaultnapt subjects all sessions on a port to network address port translation NAPT using the IP address assigned to the port The defaultnapt map name is supported for outbound NAPT only When you assign defaultnapt to outmap all outbound IP sessions from a given port are subject to NAPT using the IP address assigned to the port If you assign defaultnapt to outmap for the outsource port the outsource option in the command all inbound IP sessions on a given port are subject to outsource NAPT using the IP address assigned to the port To configure default NAPT outsource on your PortMaster follow these steps 1 13 16 Set the map to defaultnapt associate it with a user location or interface identify it as inbound or outbound and specify the outsource function Command gt set user superfly nat outmap defaultnapt outsource In this example user superfly is configured for default NAPT outsource Set the destination IP address of the network user Command gt set user superfly destination 192 168 200 112 This command sets the IP address of the user see Figure 13 3 In this example user superfly who
145. Master boots successfully the status LED is on blinking off once every 5 seconds Refer to the hardware installation guide for your PortMaster for the location of the status LED and for troubleshooting procedures if the LED is not behaving as described PortMaster Configuration Guide PortMaster Initialization PortMaster Initialization Once the PortMaster has successfully booted it does the following l 2 10 11 12 13 Ethernet interfaces are started Modem initialization strings are sent to asynchronous ports that have modem table entries defined Network hardwired ports are initiated Continuous dial out connections are initiated On demand dial out connections for locations that have routing enabled are initiated and routing information is exchanged between the PortMaster and those locations Broadcasting and listening for routing packets are initiated on interfaces configured for routing TCP connections to PortMaster hosts are established TCP connections are established to ports configured as host devices by means of the PortMaster device service The PortMaster listens for TCP connections to any ports configured as network devices The PortMaster listens for activity on TCP and UDP ports such as for administrative Telnet sessions on TCP port 23 PMconsole connections on TCP port 1643 and SNMP requests on UDP port 161 The syslog utility starts if configured RADIUS starts if configured
146. Memory Card International Association An international body and trade association that establishes standards for integrated circuit cards called PCMCIA cards or PC cards These are credit card sized devices that expand the capability of a portable computer or other device to include more memory modems or a portable disk drive For example the PortMaster PCMCIA Office Router features a slot for a PCMCIA card that allows the use of V 34 or V 32bis PCMCIA modems A router running BGP that the PortMaster running BGP communicates with via open messages notification messages update messages and keepalive messages A PortMaster can have both internal and external peers See also external peer internal peer Practical extraction and report language An interpreted language developed by Larry Wall and distributed free over USENET Perl version 5 Perl5 includes object oriented programming facilities and is a useful programming tool for the World Wide Web UNIX system administration and many other applications Perl5 provides a more concise and readable way to do many system management tasks that were formerly accomplished by C programs or shell programs Perl uses sophisticated pattern matching techniques to quickly scan large text files extract information and print reports Although optimized for scanning text Perl also handles binary data and can make dbm files look like associative arrays Glossary 53 Glossary Perl5 regular expression
147. NAT This section includes the following NAT example configurations e Quick Setup of Outbound NAPT on page 13 32 e Setting Up a Dial Out Location Using defaultnapt on page 13 33 e Using Basic NAT to Avoid Address Renumbering on page 13 34 e Redirecting Traffic to a Backup Server on page 13 36 e defaultnapt Providing Inbound HTTP Service on page 13 37 13 31 NAT and NAPT Examples defaultnapt in Outsource Mode for a Dial In User on page 13 38 Dial Out Location Using a Dynamic Address Basic NAT Map on page 13 40 Dial Out Location Mixing Static and Dynamic Address Maps on page 13 42 Quick Setup of Outbound NAPT 13 32 This section provides guidelines for quick setup of outbound NAPT Outbound NAPT or many to one is most common in small office home office SOHO situations where a user dials in to an Internet service provider ISP and is assigned a single dynamic IP address To configure outbound NAPT for a SOHO follow this procedure 1 Enable NAPT on the router dialing out to a location For example to enable NAPT on a PortMaster dialing out to location myisp enter the following command Command set location myisp nat outmap defaultnapt Set the local IP address for the location to assigned To set the location address use the following command Command gt set location myisp local ip address assigned This allows the location to receive an IP address dynamically Reset the port if curren
148. NAT Configuration Tasks on page 13 5 NAT Addressing on page 13 6 NAT Maps on page 13 9 Configuring Ports Locations and Users for NAT on page 13 18 Configuring Outsource NAT on page 13 24 NAT Session Management on page 13 28 Administration Considerations for NAT on page 13 29 NAT Security on page 13 30 NAT and NAPT Examples on page 13 31 Network Application Compatibility on page 13 42 Debugging and Troubleshooting NAT on page 13 44 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Note NAT is not supported on the PortMaster Office Router 13 1 Overview of NAT Overview of NAT The Lucent ComOS implementation of the Network Address Translator NAT protocol is based on RFC 2663 IP Network Address Translator NAT Terminology and Considerations A network address translator NAT is software that runs on a router and maps one IP address or group of IP addresses to another IP address or group of IP addresses This mapping or translation is transparent to users and applications NAT for ComOS includes the following e Basic NAT or one to one translation of private IP address to global IP address requires that one global IP address be available for each internal host with a private address concurrently connecting to an external host e Network address port translation NAPT or many to one translation is an extension to basic NAT whereby mult
149. NIX platforms Additional References Consult the following Requests for Comments RFCs and books for more information about the topics covered in this manual RFCs To find a Request for Comments RFC online visit the website of the Internet Engineering Task Force IETF at http www ietf org RFC 768 User Datagram Protocol REC 791 Internet Protocol RFC 792 Internet Control Message Protocol RFC 793 Transmission Control Protocol RFC 854 Telnet Protocol Specification RFC 950 Internet Standard Subnetting Procedure RFC RFC RFC RFC RFC RFC RFC 1058 Routing Information Protocol 1112 Host Extensions for IP Multicasting 1144 Compressing TCP IP Headers for Low Speed Serial Links 1157 A Simple Network Management Protocol SNMP 1166 Internet Numbers 1212 Concise MIB Definitions 1213 Management Information Base for Network Management of TCP IP based Internets MIB II About This Guide xxiii Additional References XXIV RFC RFC RFC 1256 ICMP Router Discovery Messages 1321 The MD5 Message Digest Algorithm 1331 The Point to Point Protocol PPP for the Transmission of Multiprotocol Datagrams over Point to Point Links RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC RFC 1332 The PPP Internet Protocol Control Protocol IPCP 1334 PPP Authentication Protocols 134
150. P 14 11 call check 14 9 example 19 8 L2TP 14 8 NavisRadius A 10 overview 1 3 partial authentication on LAC 14 10 redundant tunnel endpoints 14 11 requirement 14 1 security 2 4 A 10 shared secret 14 10 user profiles on LNS 14 9 when to use 7 1 RADIUS protocol description of A 10 radiusd daemon 1 3 RARP finding IP address 2 1 read and write hosts 3 19 rebooting for ISDN switch type 10 5 redundant tunnel server 14 11 references xxiii books xxv RFCs xxiii related documentation xxii releases new software xxviii Requests for Comments See RFC resetting a virtual port 11 20 RFC 1058 3 23 1144 5 23 7 8 8 9 1166 A 1 A 2 1213 3 11 1331 5 19 1332 5 19 1490 15 4 1597 A 5 1700 12 7 1717 5 19 10 7 1826 12 6 1827 12 6 PortMaster Configuration Guide Subject Index 1877 3 5 2003 12 6 2139 A 10 988 A 4 list of RFCs xxiii RIP asynchronous ports 5 23 network users 7 6 on Ethernet 4 1 routing setting 8 7 synchronous ports 6 9 rlogin login service 5 10 7 12 route boundaries 3 25 routing asynchronous ports 5 23 configuring the Ethernet interface 4 1 6 9 7 6 8 7 dial out locations 8 7 Frame Relay 6 2 ISDN 6 2 leased lines 6 1 route destinations for IP 3 21 route destinations for IPX 3 22 setting the default 3 3 switched 56Kbps 6 2 routing table displaying 3 20 RTS CTS 9 2 9 8 S SAP filters 12 8 security access filters 5 6 management 2 4 network A 9 ports 5 6 using filters 12 2 using NAT 13 3
151. P Filters The Service Advertising Protocol SAP is an IPX protocol used over routers and servers that informs network clients of available network services and resources SAP packets can be filtered only on output You can filter SAP packets according to the following information about the server that is advertising the service via SAP e Name PX network number e IPX node address e PX socket number To create a SAP filter rule use the following command entered on one line Command set sapfilter Filtername RuleNumber permit deny server String network Ipxnetwork host Ipxnode socket eg gt lt Ipxsock Displaying Filters To display the filter table use the following command Command show table filter To display a particular filter use the following command Command show filter Filtername Deleting Filters To delete a filter use the following command Command delete filter Filtername 12 8 PortMaster Configuration Guide Example Filters Example Filters Because filters are very flexible you must carefully evaluate the types of traffic that a specific filter permits or denies through an interface before attaching the filter If possible test a filter from both sides of the filtering interface to verify that the filter is operating as you intended Using the log keyword to log packets that match a rule to the loghost is useful when you are testing and refining IP filters Some of the following exam
152. PortMaster 3 for details on PRI connections See Chapter 10 Using ISDN BRL for details on BRI connections Configuring Global Settings 3 27 Setting the ISDN Switch 3 28 PortMaster Configuration Guide Configuring the Ethernet Interface 4 This chapter describes how to configure PortMaster Ethernet interfaces and subinterfaces and includes the following topics e Setting General Ethernet Parameters on page 4 1 e Setting IP Parameters on page 4 3 e Setting Ethernet IPX Parameters on page 4 5 e Configuring Ethernet Subinterfaces on page 4 7 e Setting OSPF on the Ethernet Interface on page 4 8 Before configuring the Ethernet interface you must make the appropriate Ethernet connection for your needs Refer to the relevant installation guide for your PortMaster product for information on making the Ethernet connection See the PortMaster Command Line Reference for more detailed command descriptions and instructions Setting General Ethernet Parameters The commands described in this section allow you to configure your Ethernet interface In addition to specifying the protocol type IP IPX or both and address you must specify any routing and filtering you want on the Ethernet interface This subsection describes the general Ethernet settings that apply to your network regardless of the protocol you use Configuring RIP Routing As described in the PortMaster Routing Guide PortMaster
153. PortMaster Configuration Guide Configuring a Port for Access to Shared Devices Setting the Login Host You can specify how the login host is determined for the selected port The three ways to determine the login host are described in Table 5 2 Table 5 2 Login Host Options Host Option Description default The host used for this port is the default or alternate host specified in the global settings prompt The user is given the opportunity to enter a hostname or IP address instead of the standard login prompt Ipaddress You set a primary host and up to three alternate hosts for this port This option allows you to assign specific ports to specific hosts Setting the Terminal Type You can set the terminal type for a port if it has been configured as a user login or two way port and you have set the login service to PortMaster rlogin or telnet The terminal type is passed as an environment variable when a connection is established with a host The terminal type must be compatible with the host you are logging in to You can set the terminal type for all asynchronous ports simultaneously using the set all termtype command Configuring a Port for Access to Shared Devices One of the functions of a communications server is to provide network users access to shared devices such as printers and modems The port connected to the printer or modem can provide shared access if it is configured as a host device port This
154. PortMaster Office Router in Rome with the values in the following sections Configuring Global Settings Configure the global settings to the values shown in Table 21 1 Table 21 1 Global Values Setting Command IP gateway set gateway 192 166 1 1 System name set sysname rome After you configure the global settings shown in Table 21 1 enter the following command to save the configuration Command gt save all For more information about global settings refer to Chapter 3 Configuring Global Settings Configuring Ethernet Interface Settings Configure the Ethernet interface on the PortMaster Office Router in Rome to the values shown in Table 21 2 Table 21 2 Ethernet Values Setting Command IP address set ether0 address 192 168 200 1 Netmask set ether0 netmask 255 255 255 0 IPX network set ether0 ipxnet FI IPX frame type set ether0 ipxframe ethernet 802 2 Broadcast address set ether0 broadcast high RIP routing set ether0 rip on PortMaster Configuration Guide Configuration Steps for Leased Line Connections After you configure the Ethernet interface as shown in Table 21 2 enter the following command to save the configuration Command gt save all For more information on Ethernet settings refer to Chapter 4 Configuring the Ethernet Interface Configuring Synchronous WAN Port Settings Configure the synchronous WAN port on the PortMaster Office Router in Rome with the
155. PortMaster Training Courses Lucent NetworkCare Professional Services offers hands on technical training courses on PortMaster products and their applications For course information schedules and pricing visit the Lucent NetworkCare website at http www lucent networkcare com consulting education Subscribing to PortMaster Mailing Lists Lucent maintains the following Internet mailing lists for PortMaster users About This Guide portmaster users a discussion of general and specific PortMaster issues including configuration and troubleshooting suggestions To subscribe send email to majordomo livingston com with subscribe portmaster users in the body of the message The mailing list is also available in a daily digest format To receive the digest send email to majordomo livingston com with subscribe portmaster users digest in the body of the message portmaster radius a discussion of general and specific RADIUS issues including configuration and troubleshooting suggestions To subscribe send email to majordomo livingston com with subscribe portmaster radius in the body of the message XXIX Subscribing to PortMaster Mailing Lists XXX The mailing list is also available in a daily digest format To receive the digest send email to majordomo livingston com with subscribe portmaster radius digest in the body of the message portmaster modems a discussion of problems and solutions for PortMaster 3 internal digital mo
156. PortMaster products and other devices running ComOS software PortMaster 4 User Manual This collection of the following three standalone manuals provides instructions and commands for installing configuring and troubleshooting PortMaster 4 products PortMaster 4 Installation Guide PortMaster 4 Configuration Guide PortMaster 4 Command Line Reference It also includes a comprehensive table of contents glossary and master indexes PortMaster Command Line Reference This reference provides the complete description and syntax of each command in the ComOS command set PortMaster Configuration Guide This guide provides a comprehensive overview of networking and configuration for PortMaster products PortMaster hardware installation guides PortMaster Configuration Guide Additional References These guides contain complete hardware installation instructions An installation guide is shipped with each PortMaster e PortMaster Routing Guide This guide describes routing protocols supported by PortMaster products and how to use them for a wide range of routing applications e PortMaster Troubleshooting Guide This guide can be used to identify and solve software and hardware problems in the PortMaster family of products e RADIUS for UNIX Administrator s Guide This guide provides complete installation and configuration instructions for Lucent Remote Authentication Dial In User Service RADIUS software on U
157. PortiVlaster Configuration Guide Lucent Technologies 4464 Willow Road Pleasanton CA 94588 925 737 2100 800 458 9966 May 2000 950 1182H Copyright and Trademarks 1995 1997 1998 1999 2000 Lucent Technologies Inc All rights reserved PortMaster ComOS and ChoiceNet are registered trademarks of Lucent Technologies Inc PMVision NavisAccess PMconsole IRX and NetworkCare are trademarks of Lucent Technologies Inc All other marks are the property of their respective owners Disclaimer Lucent Technologies Inc makes no express or implied representations or warranties with respect to the contents or use of this manual and specifically disclaims any implied warranties of merchantability or fitness for a particular purpose Lucent Technologies Inc further reserves the right to revise this manual and to make changes to its content at any time without obligation to notify any person or entity of such revisions or changes This manual is dedicated to everyone who is now or ever was on the PortMaster team Contents About This Guide Audience tebebet epee ese bebe bebe tigi gigi eigidgigebtatiseties xxi PortMaster Documentation 0 0 ec ne eee eee eens xxii Additional References iioii ba e eae vr ER eere mer ees xxiii RFGS c EEEEUE erate ar E erga xxiii BOOKS onnbhef edad aves eu S bteb ient ok Se bs eee OP oe oe XXV Document GCONVENMONS 44 Via A RAE RA HS ELSES ac
158. River NJ Prentice Hall Inc 1997 ISBN 0138505055 OSPF Anatomy of an Internet Routing Protocol John T Moy Reading MA Addison Wesley Publishing Company 1998 ISBN 0 201 63472 4 Practical Internet UNIX Security Simson Garfinkel and Gene Spafford Sebastopol CA O Reilly amp Associates 1996 ISBN 1 56592 148 8 Routing in the Internet Christian Huitema Upper Saddle River NJ Prentice Hall PTR 1995 ISBN 0 13 132192 7 TCP IP Architecture Protocols and Implementation With Ipv6 and IP Security Sidnie Feit Boston and New York McGraw Hill 1998 ISBN 0070220697 TCP IP Illustrated The Protocols Vol 1 Professional Computing Series W Richard Stevens Reading MA Addison Wesley Publishing Company 1994 ISBN 020163346 9 TCP IP Network Administration 2nd edition Craig Hunt Sebastopol CA O Reilly amp Associates 1998 ISBN 1565923227 Troubleshooting TCP IP Analyzing the Protocols of the Internet 2 edition Mark Miller Foster City CA IDG Books Worldwide 1996 ISBN 1558514503 UNIX System Security A Guide for Users and System Administrators David Curry Addison Wesley 1992 ISBN 0 201 56327 4 PortMaster Configuration Guide Document Conventions Document Conventions The following conventions are used in this guide Square brackets Curly braces Vertical bar l Convention Use Examples Bold font Indicates a user Enter version to display the version
159. SDN circuit are functioning but the SPID is not registered IDLE DCD CTS TELCO NT1 SPID is registered and ready to use ESTABLISHED DCD CTS TELCO NT1 Port is connecting or providing device service but no carrier is sensed ESTABLISHED DCD CTS TELCO NT1 Port is connected ESTABLISHED DCD CTS TELCO NT1 Port is connected with a V 120 asynchronous connection but the other end of the connection is providing flow control information 10 22 PortMaster Configuration Guide Configuring the PortMaster 3 11 This chapter describes how to use the command line interface to configure the ISDN Primary Rate Interface PRI LineO and Linel and the digital modems on the PortMaster 3 The PortMaster 3 can also use many of the commands common to all PortMaster models Note After making any configuration changes to a line LineO or Linel you must use VAN the save all and reboot commands for the changes to take effect This chapter discusses the following topics e Configuring General Settings on page 11 1 e Setting the Inband Signaling Protocol for T1 on page 11 4 e Setting the Inband Signaling Protocol for E1 on page 11 4 e Configuring ISDN PRI Settings on page 11 5 e Using Non Facility Associated Signaling NFAS on page 11 9 e Using True Digital Modems on page 11 13 e Using Channelized T1 on page 11 15 e Using the Tl Expansion Card on page 11 17 e Using Mul
160. See RBOC regional Bell operating company See RBOC regular expression A powerful tool for matching patterns to manipulate text and data Regular expressions are generally included as part of a larger utility for example grep and are found in scripting languages including Perl Tcl awk and Python editors including Emacs vi and Nisus Writer programming environments including Delphi and Visual C and specialized tools including lex Expect and sed See also Perl5 regular expression relational database Glossary 60 A tabular database in which data is defined so that it can be reorganized and accessed in a number of different ways See also database RDBMS PortMaster Configuration Guide Glossary relational database management system See RDBMS remote access outsourcing See RAO remote access server Any device that enables multiple remote users to access a network PortMaster 2 and PortMaster 3 products are remote access servers A remote access server is sometimes called a RAS or a network access server NAS Compare communications server Remote Authentication Dial In User Service See RADIUS remote method invocation See RMI remote office branch office See ROBO reply item A component of a RADIUS user profile that the RADIUS server sends one or more of to the network access server to specify a user s connection when all check items in the profile have been satisfied by the access request
161. Service Port Protocol Description kerberos 88 TCP Kerberos authentication kerberos 88 UDP Kerberos authentication pop3 110 TCP Post Office Protocol POP version 3 sunrpc 111 TCP SUN Remote Procedure Call RPC sunrpc 111 UDP SUN RPC auth 113 TCP Authentication service auth 113 UDP Authentication service nntp 119 TCP Network News Transfer Protocol NNTP ntp 123 TCP Network Time Protocol NTP ntp 123 UDP NTP snmp 161 TCP Simple Network Management Protocol SNMP snmp 161 UDP SNMP snmptrap 162 TCP SNMP system management messages snmptrap 162 UDP SNMP system management messages imap3 220 TCP Interactive Mail Access Protocol IMAP version 3 imap3 220 UDP IMAP version 3 exec 512 TCP Remote process execution login 513 TCP Remote login who 513 UDP Remote who daemon rwhod cmd 514 TCP Remote command rsh syslog 514 UDP System log facility printer 515 TCP Line printer daemon LPD spooler talk 517 TCP Terminal to terminal chat talk 517 UDP Terminal to terminal chat PortMaster Configuration Guide Table B 1 TCP and UDP Port Services Continued Service Port Protocol Description ntalk 518 TCP Newer version of Terminal to terminal chat router 520 UDP Routing Information Protocol RIP uucp 540 TCP UNIX to UNIX Copy Protocol UUCP uucp 540 UDP UUCP uucp rlogin 541 TCP Variant of UUCP TCP uucp rlogin 541 UDP Variant of UUCP IP klogin 543 TCP Kerberized login klogin 543 UDP Kerberized login p
162. Speed Each PVC has a property known as committed information rate CIR which represents the guaranteed minimum bandwidth available to the particular PVC under all conditions In some implementations an additional property can be assigned to a PVC known as burst speed or maximum burst This speed represents the highest rate at which data is allowed to flow over a given PVC regardless of bandwidth availability PortMaster Configuration Guide Overview of Frame Relay Discarding Frames The PortMaster pushes as much data out of the serial port as it can at port speed for any PVC that has traffic regardless of CIR The Frame Relay switch passes as much of the data as possible on to the next link However once a particular PVC has transmitted its CIR worth of bits each second the switch marks any additional frames as discard eligible If the switch receives more frames than it can pass along the frames are automatically discarded in the following order e Frames that would be marked discard eligible even if they are forwarded e Frames received that were marked as discard eligible If the switch must discard other frames the behavior is undefined In this case the Frame Relay network is improperly configured because the CIR total exceeds the line speed or port speed Ordering Frame Relay Service In general when ordering Frame Relay service for a private network order large bandwidth physical circuits T1 with a port
163. Table 15 3 enter the following commands to reset the port and save the configuration Command reset wl Command save all For more information on synchronous ports refer to Chapter 6 Configuring a Synchronous WAN Port Configuring the PortMaster in New York Configure the settings for the PortMaster in New York with the values in the following sections You do not need to specify a gateway for the PortMaster in New York because it is on the Internet Using Frame Relay 15 9 Configuration Steps for a Frame Relay Connection Configuring Ethernet Interface Settings Configure the Ethernet interface settings to the values shown in Table 15 4 Table 15 4 Ethernet Values Setting Command IP address set ether address 192 168 1 1 Netmask set ether netmask 255 255 255 0 Broadcast address set ether0 broadcast high RIP routing set ether0 rip on After you configure the Ethernet interface as shown in Table 15 4 enter the following command to save the configuration Command save all For more information on Ethernet parameters refer to Chapter 4 Configuring the Ethernet Interface Configuring Synchronous WAN Port Settings Configure the synchronous WAN port W1 to the values shown in Table 15 5 Table 15 5 WAN Port Parameter Values Setting Command Port type set wl network hardwired Protocol set wl protocol frame Port IP address set wl address 192 168 20 2 Netmask set w netmask 255
164. U Configuring Compression Compression of TCP IP headers can increase the performance of interactive TCP sessions over network hardwired asynchronous lines Lucent implements Van Jacobson TCP IP header compression and Stac LZS data compression Compression is on by default 8 8 PortMaster Configuration Guide Configuring the Location Table Compression cannot be used with multiline load balancing but can be used with Multilink PPP Compression must be enabled on both ends of the connection if you are using SLIP With SLIP TCP packets are not passed if only one side of the connection has compression enabled For PPP connections the PortMaster supports both bidirectional and unidirectional compression Refer to RFC 1144 for more information about header compression The PortMaster supports Stac LZS data compression only for PPP connections with bidirectional compression Stac LZS data compression cannot be used for SLIP connections To configure compression for a location use the following command Command gt set location Locname compression on off stac vj Table 8 3 describes the results of using each keyword Table 8 3 Keywords for Configuring Compression Keyword Description on Enables compression The PortMaster tries to negotiate both Van Jacobson and Stac LZS compression on PortMaster 3 and on leased lines on Office Router products or Van Jacobson compression only on other PortMaster products This is the def
165. U DSU out of loopback and set line loopback on the remote CSU DSU If the remote loopback test does not show network connectivity in the remote router the problem is either in the configuration of one of the CSU DSUS or in the line itself e When you finish enter the following commands to turn off the debug utility Command set debug off Command reset console e Contact your carrier to review your configuration and the status of their line Using Synchronous Leased Lines 21 9 Troubleshooting a Leased Line Connection 21 10 PortMaster Configuration Guide Networking Concepts A This chapter describes general network concepts that you must understand before you configure your PortMaster This chapter discusses the following topics e Network Addressing on page A 1 e Using Naming Services and the Host Table on page A 8 e Managing Network Security on page A 9 See the PortMaster Routing Guide for information on routing and how Lucent s ComOS implements routing protocols See the glossary for unfamiliar terms Network Addressing PortMaster products support packet routing using both IP and IPX protocols The Internet Protocol IP is a packet based protocol used to exchange data over computer networks IP provides addressing and control information that allows data packets to be routed across networks Novell Internetwork Packet Exchange IPX is another protocol used to exchange data over PC based networks IPX use
166. Your Location Configuration on page 8 14 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Configuring the Location Table A location defines a dial out destination and the characteristics of the dial out connection Locations control dial out network connections in much the same way the user table controls dial in network connections Locations are stored in the location table All dial out locations have the following minimum settings Location name Name and password that the local PortMaster uses to authenticate itself to the remote host Telephone number of the remote host IP address and netmask of the remote host Protocol used for the connection Dial group that associates the location with a particular dial out port Maximum number of ports 8 1 Configuring the Location Table 8 2 Locations can also optionally have the following settings Connection type dial on demand continuous or manual Routing protocol IPX network number MTU size Compression Idle timer Data over voice for ISDN connections CHAP authentication Asynchronous character map Multiline load balancing Note The location table is not used for dialing out with the tip command or UUCP For information on these applications refer to Chapter 20 Accessing Shared Devices To display the location table enter the following command Command gt show table location A location t
167. a telnet session the current connection becomes the console This feature is useful for administrators who log in to a port using telnet and need to access the console for debugging purposes Note Only one Telnet session can receive console messages at a time To set the current Telnet access port as a console port enter the following command Command set console Setting the Number of Management Application Connections PMVision ChoiceNet and the ComOS utilities pmdial pmcommand pminstall pmreadconf pmreadpass and pmreset all use port 1643 In order for more than one of these applications to connect at the same time you must set the maximum number of connections to two or higher The maximum is 10 connections To set the maximum number of concurrent connections for management applications into the PortMaster use the following command Command set maximum pmconsole Number Setting System Logging PortMaster products enable you to log authentication information to a system log file for network accounting purposes Setting the Loghost To set the IP address of the loghost the host to which the PortMaster sends syslog messages use the following command Command set loghost Ipaddress 3 6 PortMaster Configuration Guide Setting System Logging Note Do not set a loghost at a location configured for on demand connections because doing so keeps the connection up or brings up the connection each time a Ey sy
168. able display looks like the following The location table entries shown here are examples only PortMaster products have empty location tables by default Location Destination Netmask Group Maxcon Type hq 172 16 1 1 255 255 255 0 1 4 On Demand sf 192 168 1 21 255 255 255 0 99 1 Manual subl 192 168 3 1 255 255 255 0 2 0 Manual bsp 172 16 1 21 255 255 255 0 99 1 Manual PortMaster Configuration Guide Configuring the Location Table Creating a Location You must create a unique dial out location for each remote host or router you want to access Location table entries are identified by this unique location name which can contain up to 12 characters To create a location use the following command Command add location Locname Setting the Connection Type Because the default method of initiating a connection is manual you need to use the dial command to cause the PortMaster to manually dial out to a location You can change the connection type as shown in Table 8 1 If you are changing an existing location s connection type verify that the connection is not active Table 8 1 Dial Out Connection Types Connection Type Description on_demand This type of connection is automatically started when packets for the remote location are queued by the PortMaster automatic This type of connection is always active If the telephone connection is dropped the PortMaster initiates a new connection with the location after a 30 sec
169. about 40 times the speed of a TI line T3 transmissions support full screen full motion video Compare T1 A collection of records arranged in rows and columns in a relational database In relational database management systems RDBMs all user accessible information is stored in tables Transmission Control Protocol Internet Protocol An open network standard that defines how devices from different manufacturers communicate with each other over interconnected networks TCP IP protocols are the foundation of the Internet Telephone company The Internet standard protocol described in RFC 854 for remote terminal connection service A data measurement unit equal to 1 000 gigabytes or one trillion bytes A device from which you send commands to a remotely located computer usually via a serial interface A terminal at minimum consists of a keyboard a display screen and some simple circuitry Early terminals were called teletypes ttys later versions were known as video display terminals VDTs Currently terminal software in an intelligent PC or workstation at a network node can emulate a physical terminal and allow you to type commands to a remote computer As the Internet grows in size and intelligence simple terminals that support only communications and a browser might become the primary access to the World Wide Web PortMaster Configuration Guide Glossary terminal adapter A device that provides ISDN compatibility to non
170. access to the SNMP agent information The read community string must be known by any device allowed to access or read the MIB information The default read community string is public The write community string must be known by any device before information can be set on the SNMP agent The default write community string is private Community strings must be set on SNMP agents so that configuration information is not changed by unauthorized users To use this feature you must set both a read community string and a write community string for your network PortMaster Configuration Guide Configuring SNMP To set SNMP read and write community strings use the following command Command gt set snmp readcommunity writecommunity String Because it is the default it is known to all users and therefore provides no security Use Note Use of the default write community string private is strongly discouraged another value for the write community string Adding SNMP Read and Write Hosts PortMaster products allow you to control SNMP security by specifying the IP addresses of the hosts that are allowed to access SNMP information The specification of read and write hosts allows another level of security beyond the community strings If SNMP hosts are specified each host attempting to access SNMP information must not only possess the correct community string it must also be on the read or write host list This additional level of securit
171. ace for DLCI 18 and a secondary subinterface for DLCIs 16 and 17 Command Command Command Command Command Command Command Command Command Command Command Using Frame Relay set add set set set set set add wl group location location location location location location 1 sub1 sub1 sub1 sub1 sub1 sub1 protocol frame relay group 1 address 192 168 3 1 netmask 255 255 255 0 rip on ipdlci subl 16 ipdlci subl 17 add save all reset wl 15 15 Frame Relay Subinterfaces 15 16 PortMaster Configuration Guide Using Synchronous V 25bis Connections 16 This chapter uses an example to demonstrate how to configure the PortMaster to connect two local area networks LANs via synchronous V 25bis dialing applications such as ISDN terminal adapters or switched 56Kbps This chapter discusses the following topics e Overview of Synchronous V 25bis Dial Up Connections on page 16 1 e Configuration Steps for a Synchronous V 25bis Connection on page 16 3 e Troubleshooting a Synchronous V 25bis Connection on page 16 13 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Overview of Synchronous V 25bis Dial Up Connections PortMaster products support dial on demand ISDN and switched 56Kbps connections using synchronous ports and the PPP protocol ISDN speeds of up to 64Kbps are possible with an outside carr
172. ad AES TS xxvii Document Advisories e RR REA RR RR ARA RR RE AAA xxviii Contacting Lucent NetworkCare Technical Support llle xxviii For the EMEA Re9e10D iibpnidebhiexe at Rep is RR E RM eR e GE See p Se ES xxviii For North America CALA and the Asia Pacific Region 05 xxix PortMaster Training Courses llle xxix Subscribing to PortMaster Mailing Lists llle xxix l Introduction PortMaster Software eds EE fees ee ee ee eee Coed ered ease ses ee BRE i 1 1 Preconfiguration Planning 0 0 nee rs 1 3 Gonhliguradon pscuemwieAwfukmten SF SEES EEA SESE equ vu e V eq 1 5 Basic Configuration Steps 0 0 sse 1 5 2 How the PortMaster Works Booting the PortMaster fio were ee dee ete eee ESEESE XX YS xd xs 2 1 PortMaster Initialization sc fe a ee a el ee e badd 2 3 On Demand Connections 0 0 00 s 2 4 iii Contents PortMaster Security Management celere Port Status and Configuration ll lllleee eee Configuring Global Settings Setting the System Na mQuiiseio nie WAWEAAWARAAW4AWENGGRE RAW ease Nam sad Setting the Administrative Password llle eee Setting the Default Route Gateway csse Configuring Default Routing csse hs Configuring Name Resolution 0 0 eee eh Using the Host Table 2 0 cee rre Setting the Name Service llle sees Setting the Name Servers noinis bore here bebe rebe rere bees bes
173. aining information about the network interface bound to the serial interface Total number of octets received on the serial interface Total number of octets transmitted on the serial interface Total number of octets queued on the serial interface Status of the modem used by the serial interface Compression being used in the modem or by the serial interface Error correcting protocol being used in the modem or by the serial interface Number of retrains attempted by the modem attached to the serial interface Number of renegotiates attempted by the modem attached to the serial interface Configuring Global Settings Configuring SNMP PortMaster T1 El Interfaces Table 3 7 lists the objects in the T1 E1 interfaces from the Livingston Extensions section of the MIB TI EI interfaces are supported on the PortMaster 3 only Table 3 7 T1 E1 Interfaces Table Object Definition Index PhysType Function Status Framing Encoding PCM ChangeTime RecvLevel BlueAlarms YellowAlarms CarrierLoss Unique value for each T1 E1 interface Type of interface T1 or El Configured function of the interface Current operational state of the interface Operational states include the following up 1 down 2 loopback 3 Configured line framing Line framing types include the following esf 1 d4 2 crc4 3 fas 4 Configured line signal encoding Configured voice modulation Amount
174. al command displays the words call check Enable immediately after the ISDN switch type Configuring L2TP 14 7 Configuring L2TP on the RADIUS Server Note If the call check feature is enabled but no RADIUS support is configured all dial in users receive either a busy signal or dead air To use the call check feature you must modify the RADIUS dictionary on the RADIUS server See Configuring L2TP on the RADIUS Server on page 14 8 for details Configuring L2TP on the RADIUS Server This section describes how to configure the RADIUS portion of L2TP Configuring L2TP on the PortMaster 3 on page 14 4 describes the PortMaster portion of the configuration Note You must be running RADIUS 2 1 or later to configure L2TP en To define the tunnel configuration for L2TP you must add some new attributes to the RADIUS dictionary and use them to configure user profiles This section describes entries you make on the RADIUS server to support L2TP and includes the following topics e Configuring Call Check on page 14 9 e Configuring User Profiles on page 14 9 e Configuring Accounting on page 14 11 For more information about RADIUS 2 1 see the RADIUS for UNIX Administrator s Guide You can use entirely separate RADIUS servers for the LAC and the LNS or use the same one The difference between a LAC and an LNS is that they authenticate at different stages in the tunneling process Authentication is based on either a C
175. alled Station Id check item a Calling Station Id check item or both information currently available only for ISDN PRI 14 8 PortMaster Configuration Guide Configuring L2TP on the RADIUS Server Configuring Call Check To use the call check feature you must add the following entries to the dictionary on the RADIUS server and then restart RADIUS so that it reads the new dictionary VALUE Service Type Call Check 10 VALUE NAS Port Type Virtual 5 ATTRIBUTE Tunnel Type 64 integer ATTRIBUTE Tunnel Medium Type 65 integer ATTRIBUTE Tunnel Server Endpoint 67 string ATTRIBUTE Tunnel Password 69 string VALUE Tunnel Type L2TP 3 VALUE Tunnel Medium Type IP 1 3 8b15 which used the name Call Check User and the value 129 This name and value are no longer valid Make sure to remove any old entries in your dictionary and users file Caution The call check Service Type name and value have changed since ComOS Configuring User Profiles RADIUS user profiles on the LNS are the same as non L2TP user profiles On the LAC however some new user profiles are required Exactly which additional user profiles you decide to add depends upon whether you use call check or partial username based tunneling on the LAC The profiles in this section can be used on the RADIUS server serving the LAC for call check or partial username based tunneling The following sample user profile uses RADIUS check items Called Station Id and Call Check to rout
176. also LEC Glossary 59 Glossary RDBMS record redundant Relational database management system A DBMS that stores data in the form of related tables Relational databases require few assumptions about how data is related or how it is extracted from the database enabling the database to be viewed in many different ways In contrast to flat file databases which consist of a single table a relational system can spread the database over several tables Most full scale database systems are structured as an RDBMS Small database systems often use other designs that provide less flexibility in posing queries In a database management system DBMS a complete set of information that constitutes a single entry in a database table Records are composed of fields each of which contains one item of information In a typical database a set of records constitutes a file For example a personnel file might contain records that have three fields a name field an address field and a telephone number field Serving as a duplicate component to prevent failure of a system When one component fails the redundant one takes over its functions without interrupting service For example the optional third AC power supply on a PortMaster 4 is redundant because it is not required for normal operation unless one of the two required AC power supplies fails Redundancy generally improves reliability Compare hot swappable regional Bell holding company
177. and 65535 This range allows TCP IP to be used with a hardwired connection using an RS232 cable However some serial communications protocols such as FAX might have potential latency problems To set the login service type for a login user use the following command Command set user Username service portmaster rlogin telnet netdata Tport Specifying a Callback Telephone Number You can configure the login user for callback connections to enhance network security or to simplify telephone charges When a user logs in the PortMaster disconnects the user and then dials out to the telephone number specified for that user The user is reconnected to the host specified in the user table via the same port on which the user dialed in To enter the callback telephone number for a login user use the following command Command set user Username dialback callback String none The dialback and callback keywords are synonyms To disable callback connections for the user use the none keyword Configuring Dial In Users 7 13 Configuring Login Users 7 14 PortMaster Configuration Guide Configuring Dial Out Connections 8 This chapter discusses how to create locations settings for dial out destinations for dial out connections This chapter discusses the following topics Configuring the Location Table on page 8 1 Setting Multiline Load Balancing on page 8 11 Setting Filters on page 8 13 Testing
178. andshake Authentication Protocol CHAP 1997 BGP Communities Attribute RFC 2003 IP Encapsulation within IP RFC 2104 HMAC Keyed Hashing for Message Authentication PortMaster Configuration Guide Additional References RFC 2125 The PPP Bandwidth Allocation Protocol BAP The PPP Bandwidth Allocation Control Protocol BACP RFC 2131 Dynamic Host Configuration Protocol RFC 2132 DHCP Options and BOOTP Vendor Extensions RFC 2138 Remote Authentication Dial In User Service RADIUS RFC 2139 RADIUS Accounting RFC 2153 PPP Vendor Extensions RFC 2328 OSPF Version 2 RFC 2364 PPP over AAL5 RFC 2400 Internet Official Protocol Standards RFC 2403 The Use of HMAC MD5 96 within ESP and AH RFC 2404 The Use of HMAC SHA 1 96 within ESP and AH RFC 2405 The ESP DES CBC Cipher Algorithm with Explicit IV RFC 2451 The ESP CBC Mode Cipher Algorithm RFC 2453 RIP Version 2 RFC 2663 IP Network Address Translator NAT Terminology and Considerations Books ATM and Multiprotocol Networking Computer Communications George C Sackett and Christopher Metz Boston and New York McGraw Hill 1997 ISBN 0070577242 ATM User s Guide William A Flanagan New York Flatiron Publishing 1994 ISBN 0 936648 40 6 Building Internet Firewalls D Brent Chapman and Elizabeth D Zwicky Sebastopol CA O Reilly amp Associates Inc 1995 ISBN 1 56592 124 0 DNS and BIND 3rd edition Paul Albitz Cricket Liu Sebastopol CA O Reilly
179. anslator See NAT Network Control Protocol See NCP network handle A number assigned to an active socket on a PortMaster that can be used to close the socket manually rather than by request from the client network information center See NIC Network Information Service See NIS Network Information Service Plus See NIS network interface card See NIC Glossary 47 Glossary network layer reachability information See NLRI network management NFAS NIC NIS NIS NLRI node Glossary 48 In the Open System Interconnection OSI model the five functional application areas of accounting management configuration management fault management performance management and security management Non facility associated signaling Signaling that allows a D channel on one ISDN Primary Rate Interface PRI to control B channels located on other PRIs 1 Network information center Any office that handles information for a network The famous of these on the Internet is the InterNIC See also InterNIC 2 Network interface card A computer circuit board that provides network communication to and from a computer system A NIC is also known as an adapter Network Information Service A UNIX based client server protocol developed by Sun Microsystems for network naming and administration on LANs On a network using NIS each host client or server has information about the entire system A user at a host can access files
180. anwhile the switch attempts repeatedly to activate the primary interface When the primary interface comes up the D channel on that interface goes into standby mode it does not try to preempt the in service function from the secondary interface Message signals for the reactivated primary T1 interface are carried by the D channel on the secondary TI interface Note that when the primary interface fails all calls in process are dropped on all interfaces serviced by that D channel Call traffic does not resume until the D channel on the secondary interface switches to in service mode and begins carrying signaling messages Multichassis NFAS The ComOS implementation of NFAS is designed for use across multiple PortMaster 3s configured as a group on the same Ethernet A group is an arbitrary number between 1 and 99 that you assign to an interface You can define multiple groups of PortMaster products on the same Ethernet segment but each group must be supported by its own primary and secondary D channel pair NFAS message signaling travels over Ethernet using the User Datagram Protocol UDP A reliable proprietary protocol provides packet sequencing acknowledgment for packets and retransmission of lost packets The two T1 interfaces of any single PortMaster 3 cannot belong to different groups If only one interface exists or if one interface is disabled the single active interface can be part of a NFAS group by itself Once you config
181. ap if required Command set SO map Hex Set input and output filters if using Command set SO ifilter Filtername Command set SO ofilter Filtername Omitting Filtername removes any filter previously set on the port Save the configuration Command save all Reset the port Command reset S0 Configuring an Asynchronous Port 5 21 Configuring a Port for a Dedicated Connection Setting the Protocol The network protocol for the hardwired port can be set for PPP packet encapsulation or SLIP encapsulation as described in PPP and SLIP Connections on page 5 19 If you want to use PPP you have your choice of the following options e PPP with IP packet routing e PPP with IPX packet routing e PPP with both IP and IPX packet routing Select a protocol that is compatible with your network configuration Setting the MTU Size The maximum transmission unit MTU defines the largest frame or packet that can be sent through this port If a packet exceeds the specified MTU size it is automatically fragmented if IP or discarded if IPX PPP connections can have an MTU set from 100 to 1500 bytes SLIP connections can have an MTU set from 100 to 1006 bytes The remote host can negotiate smaller MTUs if necessary The MTU is typically set to the maximum allowed for the protocol being used either 1500 or 1006 bytes Setting smaller MTU values is useful for interactive typing users who send small packets while larger value
182. apses between keepalive messages from a peer the PortMaster identifies the peer as no longer operational and drops the session and any information learned from that peer See also notification message open message update message Glossary 37 Glossary key In a database management system DBMS a field used to sort data and thereby identify information keyed hashing message authentication code See HMAC kilobit See Kb kilobits per second See Kbps kilobyte See KB L L2F Layer 2 Forwarding A protocol developed by Cisco Systems and similar to the Point to Point Tunneling Protocol PPTP developed by Microsoft Corporation L2F supports the creation of secure virtual private networks VPNs over the Internet Cisco and Microsoft recently agreed to merge their protocols into a single standard called Layer Two Tunneling Protocol L2TP See also L2TP L2TP Layer 2 Tunneling Protocol An extension to the Point to Point Protocol PPP that enables Internet service providers ISPs and others to operate virtual private networks VPNs over the Internet L2TP interoperates with such existing standard security protocols as RADIUS See also L2F L2TP access concentrator See LAC L2TP network server See LNS Glossary 38 PortMaster Configuration Guide LAC LAN latency Glossary L2TP access concentrator A Point to Point Protocol PPP access server with Layer 2 Tunneling Protocol L2TP capabilities that pro
183. apsulation method and frame type were selected when your IPX network servers were installed The IPX frame type you set on the PortMaster must match the frame type set for your network Contact your IPX network administrator for information about the frame type used on your network To set the IPX frame type use the following command entered on one line Command set FtherO ipxframe ethernet 802 2 ethernet 802 2 ii ethernet 802 3 ethernet ii PortMaster Configuration Guide Configuring Ethernet Subinterfaces Configuring Ethernet Subinterfaces With the subinterface feature of the ComOS you can create up to 512 subinterfaces the total number of interfaces available on a PortMaster on a single primary Ethernet interface Because you have the bandwidth of only a single Ethernet interface however efficiency begins to degrade significantly when you add more than 8 subinterfaces Subinterfacing is essentially the segmenting of a single wire or port into multiple IP networks Instead of subnetting and routing you can create a subinterface and then set it up as you would a standard Ethernet interface To avoid routing loops however you must be sure not to create two subinterfaces in the same TCP IP network on the same port Each Ethernet subinterface must have a unique network A drawback to subinterfacing is that it supports static routing only IPX RIP OSPF packet filtering and route propagation are not supported on subinterface
184. as the same settings as LineO and Linel Valid line types include fractional and T1 All line framing and encoding types are supported When set to fractional the card supports only one line group The first line group found numerically is used for the configuration The fractional line group supports any number of time slots It also supports 56Kbps channels In addition to Line2 a new port is added to the list of active ports In a single PRI PortMaster 3 the port is identified as W2 in a two PRI PortMaster 3 it is identified as WAS If the Stac compression card is present in the PortMaster 3 Stac compression can be enabled for the TI line Although the T1 expansion card is hot swappable when you remove the card from the slot you must wait approximately 5 seconds before reinserting it If you remove the card and reinsert it immediately the PortMaster locks up and must be restarted Clocking With the T1 expansion card you can use internal clocking on the line Use the following command to set clocking Command set line2 clock internal external Configuring the PortMaster 3 11 17 Using the T1 Expansion Card When you specify internal the built in 1 544MHz crystal sets timing on the line This is useful for dry wire configurations or for back to back connections When you specify external the built in DSU CSU extracts timing from the line Configuring the Tl Expansion Card for Fractional TI 11 18 The T1 card is
185. ass subnet mask A 32 bit netmask used to indicate the bits of an IP address that are being used for the subnet address Compare netmask summarization The process of combining routing information from one routing protocol into another for advertisement For example the PortMaster summarizes non BGP route information it receives internally via the Interior Gateway Protocol IGP OSPF or RIP or via a static route into BGP for advertisement to BGP internal and external peers Summarized routing information must comply with BGP advertisement policy rules before advertisement Compare propagation SVC Switched virtual circuit A connection established between two physical circuits such as an ordinary telephone call or X 25 connection The call creates a virtual circuit between the originator and the party called Switched Multimegabit Data Service See SMDS Glossary 68 PortMaster Configuration Guide Glossary switched virtual circuit synchronous syslog sysop See SVC Occurring at the same time or at regular intervals established by a synchronized timing signal In synchronous communication the receiver and transmitter are synchronized either within the data signal or by a separate clock signal so that data is sent at a fixed rate Data is transmitted in a block as an entire message or frame rather than one character at a time Synchronous communication is faster and more efficient than asynchronous communication
186. at its BGP and non BGP routers agree on the interior routes and exit and entry points for each transit route through the autonomous system The PortMaster synchronizes routing information between the BGP and non BGP routers within its autonomous system by means of the lockstep feature See also lockstep Transmission Control Protocol Internet Protocol See TCP IP triple data encryption standard See 3DES Glossary 71 Glossary Trivial File Transfer Protocol tty twisted pair two way UDP U interface UNI Glossary 72 See TFTP 1 A primitive teletypewriter terminal with a mechanical printer limited character set and poor print quality 2 A UNIX command that displays the name of the current controlling terminal 3 In UNIX systems any terminal 4 In UNIX systems the serial communications hardware port on a computer Relatively low speed transmission medium consisting of two insulated wires shielded or unshielded in regular spiral patterns The wires are twisted around each other to minimize interference from other twisted pairs in the cable Twisted pair is common in telephone wiring and is increasingly common in data networks It is used for 1OBaseT Ethernet connections with RJ 45 connectors See also STP UTP Relating to a port configuration on the PortMaster that allows both incoming and outgoing calls User Datagram Protocol A connectionless protocol defined in RFC 768 UDP exchanges datagrams but doe
187. at support the Java Virtual Machine JVM Because PMVision also supports command entry you can use a combination of GUI panels and ComOS commands to configure monitor and debug a PortMaster When connected to one or more PortMaster products PMVision allows you to monitor activity and edit existing configurations PMVision replaces the PMconsole interface to ComOS Other Network Management Applications Table 1 1 describes additional Java based software tools and wizards that help you configure and troubleshoot a PortMaster See http www livingston com forms one click dnload cgi to download these applications which include online help I 1 PortMaster Software 1 2 Table 1 1 Network Management Applications Application Function PMWizard Simplifies PortMaster 3 configuration PMTools Supplement certain PMVision management functions with the following utilities pmbackup pmcommand pmdial pmdumpfilter pmreset and pmupgrade ORWizard Simplifies PortMaster ISDN Office Router configuration FilterEditor Helps you create edit and copy filters across different PortMaster products ChoiceNet files and ASCII files PPPSmartAgent Monitors Point to Point Protocol PPP negotiations across multiple PortMaster products diagnoses failures and proposes solutions PPPDecoder Translates the PPP hexadecimal debug output from a PortMaster into human readable form based on RFC 1332 RFC 1552 RFC 1661 RFC 1700 and
188. ata device service is sometimes referred to as the network device configuration because the shared device you are connecting to through the PortMaster is specified as dev network PortMaster Device Service The PortMaster device service is the most efficient and highest performance service This service can be used with any workstation that has the PortMaster in pmd daemon installed PortMaster service is the default and preferred service because it allows the specified port to operate like a serial port installed on the host When using the PortMaster device service you must use a host device name listed in the dev directory of each UNIX host with access to the shared device The standard device entries have ranges like the following e dev ttypO through dev ttypf e dev ttyqO through dev ttyqf e dev ttyrO through dev ttyrf These tty devices can be dynamically selected for use by a variety of host programs Most programs start their selection from the beginning of the device list Select devices at the end of the list to maximize the possibility of finding a device available PortMaster Configuration Guide Configuring a Port for Network Access Telnet Device Service Telnet is a remote terminal protocol supported by most computers using TCP IP protocols Telnet allows the user at one site to establish a TCP connection to a login server at another site Once the connection is established keystrokes are passed from one system t
189. ate Interface BRI for home and small business use and Primary Rate Interface PRI for larger users Both levels provide multiple B bearer channels for data voice and other services and one D channel for control and signaling information See also BRI PRI ISO International Organization for Standards The international organization that sets standards for network communication protocols ISP Internet service provider A company that provides individuals and other companies with access to the Internet and other related services An ISP has the equipment and the telecommunication line access required to provide points of presence POPs on the Internet for the geographic area served Larger ISPs who have their own high speed leased lines are less dependent on the telecommunication providers and can provide better service to their customers ITU T International Telecommunication Union Telecommunication Standardization Sector International organization that develops worldwide standards for telecommunications technologies The ITU T carries out the functions of the former CCITT See also CCITT jabber 1 A device that provides improper electrical signals on a network On an Ethernet network which uses electrical signal levels to determine whether the network is available for transmission a jabber can cause the network to halt because it indicates to all other devices that the Ethernet is busy 2 To transmit meaningless data via netw
190. ation user 2 host dev network oO PortMaster s C E user 1 11820003 Once the port type is set to accommodate a host device the device service must be selected and the hostname entered If the device service selected is PortMaster for pseudo tty service a hostname must be specified either in the port configuration or as the global default host In addition the PortMaster in pmd daemon must be installed on the specified host To configure a port for access to shared devices follow these steps 1 Set the port type to device Command set SO device Device 2 Set the device service Command set SO service device portmaster telnet netdata Tport 3 Save the configuration Command save all Configuring an Asynchronous Port 5 13 Configuring a Port for Access to Shared Devices Setting the Device Service The device service defines the method used to connect a host to a host device port The following device service options can be selected e PortMaster e telnet e netdata Selecting the host device port type with the PortMaster device service is sometimes referred to as the host device configuration because the shared device you are connecting to through the PortMaster is known to the host as dev tty where the double asterisk is the specific host device identifier Selecting the host device port type with the rlogin telnet or netd
191. ation entry The rules for the filter are set as follows deny 192 168 1 0 24 0 0 0 0 0 log Command gt Command gt Command gt Command gt Command gt Command gt Command gt Command gt Command gt set set set set set set set set set filter filter filter filter filter filter filter filter filter internet internet internet internet internet internet internet internet internet in in in in in in in in in Im WOON Do BW rn permit permit permit permit permit permit permit permit tcp estab 0 0 0 0 0 10 0 0 3 32 tcp dst eq 25 0 0 0 0 0 172 16 0 4 32 tcp dst eq 21 tcp 0 0 0 0 0 192 168 0 5 32 dst eq 80 tcp src eq 20 dst gt 1023 udp dst eq 53 tcp dst eq 53 icmp Table 12 3 describes line by line each rule in the filter Table 12 3 Description of Internet Filter Rule Description l Uo 40 Os ES wee Ius Denies any incoming packets from the Internet claiming to be from or spoofing your own network 192 168 1 0 This rule blocks IP spoofing attacks This rule also logs the header information in the spoofing packets to syslog Permits already established TCP connections that originated from your network packets with the ACK bit set Permits SMTP connections to 10 0 0 3 the mail server Permits FIP connections to host 172 16 0 4 Permits Hypertext Transfer Protocol HTTP access to host 192 168 0 5 Permits an FIP data channel Pe
192. ault off Disables compression stac Enables Stac LZS data compression only Stac LZS compression is supported only on the PortMaster 3 and on leased lines on Office Router products vj Enables Van Jacobson TCP IP header compression only To display compression information about a location enter the following command Command show SO Configuring Dial Out Connections 8 9 Configuring the Location Table 8 10 Setting the Idle Timer You can set the idle timer for a location with manual or on demand connections This timer defines the length of time the line can be idle with no network traffic in either direction before the PortMaster disconnects the connection You can set the idle time in seconds or minutes to any value from 0 to 255 The default setting is 0 minutes If the value is set to 2 seconds or a longer interval the port is reset after having no traffic for the designated time The idle timer is not reset by RIP keepalive or SAP packets To disable the idle timer set the value to 0 Note Idle timers for dial in connections are set on each port or for specific users Idle timers for dial out connections are set in the location table To set the idle time for a location with a manual or on demand connection use the following command Command set location Locname idletime Number minutes seconds Setting Data over Voice The PortMaster supports data over voice for inbound and outbound ISDN conn
193. blished over a modem This type of connection is useful when network communications are not available out of band signaling The transmission of signaling information over a different path from data and or voice information Compare in band signaling Glossary 51 Glossary outsourcer packet A company that purchases goods and or services for its customers and or employees from an outside or third party company known as a wholesaler For example an Internet service provider ISP or enterprise can purchase remote access services from another ISP or a telephone company See also RAO A unit of data sent across a network usually containing a header that has an address and other identifying information packet switching PAP parity check Glossary 52 A technology for sending data over a network the Internet for example The data that comes out of a connected device is broken into chunks called packets Each packet contains the address of its origin source and the address of its destination Data packets from many different sources can travel along the same lines and be sorted and directed through different routes by routers along the way When all the packets forming a message arrive at the destination they are recompiled into the original message Most modern WAN protocols are based on packet switching technology In contrast normal telephone service is based on circuit switching which allocates a dedicated line for t
194. cate with each other they are called BGP peers See also peer Service profile identifier A number used by some service providers to define the services to which an ISDN device subscribes The ISDN device uses the SPID when accessing the switch that initializes the connection to a service provider Structured query language A language conforming to ISO and American National Standards Institute ANSI standards that is used to create maintain and query relational databases SQL is not a full fledged language that can create standalone applications but is often embedded within other programming languages SQL uses plain English words for many of its commands making it easy to use Although different database applications have their own versions of SQL to implement their unique features all SQL capable databases support a common subset of SQL SQL supports distributed databases so that several users on a LAN can access the same database simultaneously Secure Sockets Layer A program layer and protocol designed by Netscape Communications to enable encrypted and authenticated communications across the Internet Many websites use SSL protocol to obtain confidential user information SSL uses a public and private key encryption system from RSA Data Security Inc which includes use of a digital certificate Stac LZS data compression station S T interface A data compression algorithm for efficiently compressing packets encapsulated for the
195. ccess to modems printers and other RS 232 devices The following topics are described e Overview of Shared Device Access Methods on page 20 1 e Configuration Steps for Shared Device Access on page 20 4 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Overview of Shared Device Access Methods Use one of the following methods for providing access to shared devices on the PortMaster e Host device configuration You use a UNIX host that supports the PortMaster in pmd daemon With this daemon you can configure ports as host devices and access them as pseudo tty terminals from the host using the tip command UUCP and other applications e Network device configuration You configure the ports as network devices and access them via telnet rlogin or a clear channel TCP connection netdata Host Device Configuration One function of a communications server is to provide network users with access to shared devices such as printers and modems This access can be provided if the port connected to the printer or modem is configured as a host device port This configuration is also useful for tip and UUCP services 20 1 Overview of Shared Device Access Methods 20 2 Once a port is defined as a host device you configure it with the PortMaster device service and select a pseudo tty terminal The host device port can now be accessed if you establish a pseudo tty connection
196. ce NAT 20 ee eee ss 13 24 GContiguration Iorteslaz d wbervtere PerePerTUPPFeIPF eLQPeUPPOfirpTeQ S 13 25 Configuration for edison ll llls selle 13 27 NAT Session Management tdo d dm eww m m mh Re mm chm Rm m ch RR m m Rm Rm tnt 13 28 Resetting NAT Sessions llle eee 13 28 Administration Considerations for NAT 0 2 0 0 eee ee tee 13 29 Advertising Routing Information selle eee 13 29 Routing Global IP Addresses for NAT and Static Routing 13 30 Ethernet ARP 2 llce edu e sg a dex dp dex edge te ME 13 30 NAT Security aoter or 0783089453940 A Ue oe Sede ka eda dada Sata Gade Seka me dae 13 30 DNS 644222208 Ra dDOSOLASREe Rv ewerevapaterevaseteretanewass vanes 13 31 NAT and NAPTI Examples i12 2 e user eae SLE eat asa ae RUE 13 31 Quick Setup of Outbound NAPT lllseee eee 13 32 Setting Up a Dial Out Location Using defaultnapt 00 005 13 33 Using Basic NAT to Avoid Address Renumbering leeren 13 34 Redirecting Traffic to a Backup Server 2 2 0 eee 13 36 defaultnapt Providing Inbound HTTP Service 0 0 0 ee eee 13 37 defaultnapt in Outsource Mode for a Dial In User 0 0 02 eee 13 38 PortMaster Configuration Guide Contents Dial Out Location Using a Dynamic Address Basic NAT Map 13 40 Dial Out Location Mixing Static and Dynamic Address Maps 13 42 Network Application Compatibility
197. ce to Office Connections 17 7 Configuration Steps for an Office to Office Connection After you configure the location table as shown in Table 17 5 enter the following command to save the configuration Command gt save all For more information about configuring location table settings refer to Chapter 8 Configuring Dial Out Connections Configuring the PortMaster 2 in Paris In the example the remote machine is a PortMaster 2 Communications Server in the Paris office Configuring Ethernet Interface Settings Configure the Ethernet settings for the Paris office shown in Table 17 6 Table 17 6 Ethernet Values Setting Command IP address set ether0 address 192 168 1 0 IPX network set ether0 ipxnet FI IPX frame type set ether0 ipxframe ethernet 802 2 Netmask set ether netmask 255 255 255 0 Broadcast address set ether0 broadcast high After you configure the Ethernet interface as shown in Table 17 6 enter the following command to save the configuration Command save all For more information on Ethernet settings refer to Chapter 4 Configuring the Ethernet Interface 17 8 PortMaster Configuration Guide Configuration Steps for an Office to Office Connection Configuring Dial Out Port Settings For all ports on the PortMaster 2 in Paris that you want enabled for dial in and dial out two way service to the Office Router in the London office enter the values shown in Table 17 7 Tab
198. cessible globally you must complete the following additional steps 1 Configuring NAT Create an inbound map called edison inmap Command add map edison inmap 13 27 NAT Session Management 2 Set the TCP UDP port mapping and set the port being configured as the destination address Command set map edison inmap 1 static tcp udp portmap ipaddr ftp 10 1 1 1 ftp 3 Specify that the map be used in outsource mode Command gt set user edison nat inmap edison inmap outsource NAT Session Management A NAT session is any active connection involving network address translation You can view and manage NAT sessions in several ways To display active NAT sessions enter the following command Command gt show nat sessions To view statistics on NAT in real time enter the following command Command gt show nat statistics This command displays statistics on a per port basis including successful translations failures address shortages when you are using IP pools and unsuccessful translations and lookups due to timeouts To display a list of active IP address and port bindings including a list of the remaining resources available for use such as TCP UDP ports or IP addresses enter the following command Command gt show nat mapusage This command is useful for debugging and to monitor resource use Resetting NAT Sessions When you modify a NAT configuration on an active port or interface you must reset t
199. cessing Shared Devices Overview of Shared Device Access Methods 0 0 ce ee eee ee teens 20 1 Host Device Configuration ooa es aw o Aw RR Aw kw CR RR RR A 20 1 Network Device Configuration 0 00 0 eee 20 2 Configuration Steps for Shared Device AcceSS 1 0 eee ee eee 20 4 Configuring Global Settings 2 0 0 ees 20 4 Configuring Port Settings llle eere 20 5 Configuring a Network Device for Telnet AccesS 0 000 e eee eee 20 8 Using Synchronous Leased Lines Overview of Leased Line Connections 0 0 0c ees 21 1 Configuration Steps for Leased Line Connections 00 0000 eese 21 3 Configuring the PortMaster Office Router in Rome 0000 21 4 Configuring the PortMaster Office Router in Florence 4 21 6 Troubleshooting a Leased Line Connection eese 21 8 PortMaster Configuration Guide Contents Contents A Networking Concepts N tWOrk Addressing oorr AA EA AA ees A 1 IP Addressing 4 ER ASDA SRA Se TAA Dee ee eas A 1 IP Address Notati D i si eson oa xac RR RR RR R ERARA R ERRARE EA A 2 Reserved IP Addresses sss E x a EG RO RAE ARR AE AR A 5 Private IP NetwoIkSa ext oe ee ee EX ee ER Eu M ERO Eu Eo SuDLO A 5 IP Address Conventions eraen eia a a he A 6 IPX Addressing i4 p RR RR EUR ER nes aee eee eee mes A 6 Ne titiasks ii v 44 endo eho eta tide ieee eh a anar ar a ana edie A 7 Using Naming Services
200. ciated with the called and calling party information elements IEs used to exchange telephone numbers within a setup message in ISDN These values can vary among countries and telephone companies You can configure the PortMaster to automatically detect number plan and number type settings on incoming calls and if necessary automatically modify the PortMaster configuration If the PortMaster detects a difference between the current settings and those of an incoming call it sends the following console message indicating that the values are different and have been changed Call recvcd numberplans do not match n n The first n refers to the new number type and the second n refers to the new number plan setting Use the save all command to save modified settings to nonvolatile RAM To turn on autodetection of IEs enter the following command Command set isdn numberauto on PortMaster Configuration Guide Configuring ISDN Note numberauto is off by default Setting the Number Type To change the number type from the default manufacturer setting so that you can for example begin to place outbound calls successfully use the following command Command set isdn numbertype 0 1 2 4 The new setting becomes effective immediately it does not need to be saved to nonvolatile RAM Enter this command without a number type value to display a list of all plan values available and the current setting Setting the Number Plan
201. cols like IP IPX and AppleTalk Remote Access ARA protocol and relies on the Link Control Protocol LCP and Network Control Protocol NCP PPP also has built in security mechanisms such as the Challenge Handshake Authentication Protocol CHAP and Password Handshake Authentication Protocol PAP See also SLIP Point to Point Tunneling Protocol A protocol developed by Microsoft Corporation and similar to the Layer 2 Forwarding L2F protocol developed by Cisco Systems PPTP supports the creation of secure virtual private networks VPNs over the Internet Cisco and Microsoft recently agreed to merge their protocols into a single standard called Layer Two Tunneling Protocol L2TP See L2TP Primary Rate Interface The ISDN interface to primary rate access Primary rate access consists of a single 64Kbps D channel plus 23 64Kbps B channels on a TI line or 30 64Kbps B channels on an E1 line for voice data and other services Compare BRI Primary Rate Interface Glossary 56 See PRI PortMaster Configuration Guide Glossary propagation The process of translating and forwarding routes from one routing protocol into another Route propagation is also known as route redistribution Lucent recommends using route filters in propagation rules to ensure that you redistribute information without creating routing loops Compare summarization provisioning The process of supplying telecommunications service and equipment to a user In
202. configuration and the user s capabilities To set the network protocol for a network user use the following command Command gt set user Username protocol slip ppp If you set a nonzero IP address for a network user using PPP IP is automatically routed If you set a nonzero IPX network number for the user IPX is automatically routed Note Do not set an IPX number of all Os zeros or all Fs for the IPX network address Setting the User IP Address You must define the IP address or hostname of the remote host or router Table 7 1 describes three different ways that the user IP address can be determined Table 7 1 User IP Address Options IP Address Type Description assigned negotiated Ipaddress This option allows the PortMaster to assign a temporary IP address that is used for the current session only The address used comes from a pool of addresses set up during global configuration This method for assigning IP addresses to users is most commonly used when a large number of users are authorized to dial in This option is used only for PPP sessions Here the PortMaster learns the IP address of the remote host using IPCP negotiation This option allows you to define a specific IP address for the remote host or router This method for assigning an IP address to a user is most commonly used for routers that establish a connection with the PortMaster Configuring Dial In Users 7 5 Configur
203. ction portmaster rlogin telnet netdata PortMaster is the default login service and can be used to access any host that has the PortMaster in pmd daemon installed This type of login service is preferred because it makes the PortMaster port operate like a serial port attached to the host This service is the most cost effective in terms of host resources The remote login service rlogin uses the rlogin protocol to establish a login session to the specified host Generally rlogin is used on mixed UNIX networks where the PortMaster login service is impractical to use Telnet is supported on most TCP IP hosts This login service should be selected when the PortMaster and rlogin protocols are not available The default port number is 23 The netdata login service creates a virtual connection between the PortMaster port and another serial port on another PortMaster or between the PortMaster port and a host This login service creates a clear channel TCP connection To connect to another PortMaster port using netdata you must configure that port as dev network with the netdata device service and the same TCP port number The default netdata port is 6000 however you can specify any TCP port number between 1 and 65535 This range allows TCP IP to be used with a hardwired connection using an RS 232 cable However some serial communications protocols such as FAX might have latency problems with netdata 5 10
204. d set W1 ifilter Filtername To apply an output filter to a synchronous port use the following command Command set W1 ofilter Filtername You can remove filters from the port by entering the command without a filter name If a filter is changed you must reset the port for the change to take effect For example to remove the output filter from a synchronous port use the following commands Command set W1 ofilter Command reset W1 Command save all Note You must reset the port and re establish the connection for the new settings to A take effect Setting Compression You can set Van Jacobson TCP IP header compression and or Stac LZS data compression on the port To set compression use the following command Command set W1 compression on off stac vj Van Jacobson TCP IP header compression and Stac LZS data compression improve performance on asynchronous lines but can degrade performance on high speed synchronous lines Configuring a Synchronous WAN Port 6 11 Configuring WAN Port Settings 6 12 PortMaster Configuration Guide Configuring Dial In Users y This chapter describes how to configure the PortMaster user table to support dial in connections The user table settings define how each dial in user is authenticated and how dial in connections are made To configure network dial in connections from other routers you must define each remote router as a user on the PortMaster If you are using RADIUS
205. d The lowest order bit corresponds to the first ASCII character NUL and so on Most environments set the asynchronous map to 0 zero to achieve maximum throughput To set the PPP asynchronous map for a location use the following command Command set location Locname map Hex Setting Multiline Load Balancing You can set several ports to connect to a single location to distribute heavy traffic loads This capability is called multiline load balancing You can define a threshold known as a high water mark for a location The high water mark triggers the PortMaster to establish an additional connection to the location when the amount of data specified by the high water mark is queued The PortMaster examines the queue several times a minute to determine if the high water mark has been reached Load balancing is useful for on demand routing because additional ports for the location are added as the load exceeds what can be handled by one port When the ports are idle for the time specified by the set location idletime command see Setting the Idle Timer on page 8 10 all ports used for that connection are timed out simultaneously Load balancing can save you money because you do not need to configure your network to handle the maximum load between locations Periods of heavy traffic can be handled by additional ports on an as needed basis At other times the additional ports can be used for other purposes When multiple ports are in use
206. d awareness 1 A named characteristic of something 2 In RADIUS one half of an attribute value pair used to identify authenticate a user or to configure authorize a user s session attribute value pair In RADIUS the name of a characteristic that identifies authenticates a user or configures authorizes a user s session and its value Attribute value pairs also known as AV pairs define the RADIUS protocol Packets that are sent between a RADIUS server and a network access server consist of attribute value pairs for example password s64bigESrt authentication See RADIUS authentication authentication authorization and accounting Glossary 6 See AAA PortMaster Configuration Guide Glossary authorization See RADIUS authorization autonomous system A collection of routers under the control of a single technical administration using one or more Interior Gateway Protocols IGPs such as OSPF to route packets within itself and an Exterior Gateway Protocol EGP such as BGP to route packets to other autonomous systems An autonomous system typically uses a common BGP policy and always presents a consistent view of network reachability to other autonomous systems autonomous system border router In OSPF a router that exchanges information with routers from other autonomous systems Autonomous system border routers are also used to import routing information about RIP direct or static routes f
207. d Balancing 00005 17 13 Using ISDN for On Demand Connections 0 0 eects 17 15 Using Internet Connections Overview of Continuous Internet Connections ellen 18 3 Configuration Steps for an Internet Connection 0 00 ee eee 18 3 Configuring GlobalSettings 22s ce teens 18 4 Contiguring Port Settings soo eed Se ee fae a e ux e ue ess 18 4 Configuring a Dial Out Location cssc 18 7 Testing the Continuous Dial Out Setup 0 0 eee ee eee 18 8 Testing the Network Hardwired Setup llle eee eee 18 9 Contents xviii 19 20 21 Providing Network Filtering 0 cece as 18 10 Using ISDN for Internet Connections ls 0000 s 18 11 Providing User Dial In Access Overview of Dial In Configuration lsseee eee 19 1 Exariple Configurati n scs sd xu uo Ro ROAD ROAD GE ROS URDU RO AR 19 3 Configuration Steps for Dial In Access 0 0 00 cee eee 19 4 Gonnecting Modems s 0 0 b00h 2222 2222 bo llli bi bli 19 5 Configuring Global Settings 2 2 0 0 cee eens 19 5 Conlfigurng POE 252 Feed WEEE REE A a WS RU b b iS 19 6 Conlgurng Users vit un utt tas etu feta e ax des e i e as Wee ende 19 8 Dial In Logi USeES 5s eb ER EORR Md et Maced Spalt Sapa tp Sans a a 19 9 Dial In Network USers 5 2 225 E ERES ER An A A A A AE A A AA AE 19 9 Testing the User Dial In Setup v vuwwuuwswuweweswewsewvwswsweewewews 19 10 Ac
208. d T1 or El line into groups The isdn fractional keyword refers to PRI 11 2 PortMaster Configuration Guide Configuring General Settings Setting Channel Groups You can divide the channels of a T1 or E1 line into numbered groups after the line type has been set to fractional with the set Line0 fractional command To set the channel group for a T1 or EI line use the following command Table 11 2 explains the channel group options Command set LineO group Cgroup channels Channel list Table 11 2 Channel Group Options Option Description LineO Cgroup Channel list LineO or Linel Group number from 1 to 63 that designates a port number on each TI or El line or TI card Space separated list of one or more channel numbers from 1 through 24 for T1 or 1 through 30 for El The channel numbers do not have to be contiguous Setting the Channel Rate To set the channel rate to 56Kbps or 64Kbps for a channel group use the following command Table 11 3 explains the channel rate options Command set Line0 group Cgroup 56k 64k Table 11 3 Channel Rate Options Option Description LineO Cgroup 56k 64k LineO or Linel Defined channel group from 1 to 63 56Kbps typically used for D4 framing 64Kbps used for framing types other than D4 This is the default Configuring the PortMaster 3 Setting the Inband Signaling Protocol for T1 Setting the Inband Signaling Protoco
209. d all ports on the PortMaster 3 Note Be sure to use the set S0 rts cts on command to enable hardware flow control fay RTS CTS for all SLIP and PPP connections PAP and CHAP Authentication PAP and CHAP authentication occur in the following sequence 1 A user dials in to a port and starts sending PPP packets 2 The PortMaster negotiates the authentication protocol with the remote host 3 Ifthe host refuses PAP authentication the PortMaster prompts the host to authenticate using CHAP If the host refuses CHAP authentication the PortMaster hangs up Both the local communications server and the remote device must support CHAP to use this protocol To configure PAP or CHAP for PPP users the local user table or RADIUS must have an entry for each authorized user that includes the username and password The passwords on both ends of the connection must be identical or the authentication process fails To disallow PAP authentication and accept only CHAP enter the following command Command gt set pap off Configuring an Asynchronous Port 5 19 Configuring a Port for a Dedicated Connection Configuring a Port for a Dedicated Connection You can configure an asynchronous port for a permanent network connection also known as a hardwired connection Hardwired connections require no modem dialing or authentication protocol and are designed for connections to modems configured for leased line service asynchronous to synchronous co
210. d as the secondary interface e B channels on TI interfaces configured exclusively as slave interfaces The D channel on the secondary interface held in standby mode is referred to as the backup D channel Provisioning Because NFAS requires additional control command exchanges NFAS T1 interfaces are provisioned differently at the switch To help you determine the kind of provisioning you require for ISDN setup refer to the information in the hardware installation guide and on the Lucent website at http www livingston com Understanding NFAS After you reboot PortMaster 3s configured for NFAS D channels on the primary and secondary interfaces initialize in out of service mode The switch then puts the D channel on the primary interface in in service mode and the D channel on the secondary interface in standby mode As call traffic commences on the T1 interfaces the primary D channel handles signaling messages for all channels in the group which typically includes the primary TI interface the secondary T1 interface and other TI interfaces configured as slave interfaces Configuring the PortMaster 3 11 9 Using Non Facility Associated Signaling NFAS 11 10 If the primary interface fails the D channel on the secondary interface switches to in service mode and begins to carry signaling messages for channels on the secondary TI interface and all other slave interfaces previously serviced by the primary T1 interface Me
211. d sets the highest priority bit to 0 zero The remaining 24 bits form the host field Only 126 class A networks can exist 0 is reserved and 127 is used for loopback networks but each class A network can have almost 17 million hosts No new class A networks can be assigned at this time For example 10 100 232 1 Network Host address address Class B Addresses The class B IP address format allocates the highest 16 bits to the network field and sets the two highest order bits to 1 and 0 providing a range from 128 through 191 inclusive The remaining 16 bits form the host field More than 16 000 class B networks can exist and each class B network can have up to 65 534 hosts For example 172 16 232 121 Network Host address address A 3 Network Addressing Class C Addresses The class C IP address format allocates the highest 24 bits to the network field and sets the three highest order bits to 1 1 and 0 providing a range from 192 through 223 inclusive The remaining 8 bits form the host field More than two million class C networks can exist and each class C network can have up to 254 hosts For example e 192 168 20 22 Network Host address address o Class D Addresses The class D IP address format was designed for multicast groups as discussed in RFC 988 In class D addresses the 4 highest order bits are set to 1 1 1 and 0 providing a range from 224 through 239 inclusive Class D addr
212. daemon 1 2 device service 5 14 login service 5 10 7 12 new software releases xxviii software 1 1 software upgrades xxviii training xxix PortMaster 3 channel groups 11 3 channel rate 11 3 displaying line status 11 2 enabling analog modem service 11 14 enabling modems 11 13 enabling Multichassis PPP support 11 20 encoding method 11 7 framing format 11 6 inband signaling 11 4 network loopback 11 8 PMWizard 1 2 pulse code modulation 11 7 switch type 11 5 portmaster announce mailing list xxx portmaster radius mailing list xxix Subject Index 9 Subject Index portmaster users mailing list xxix ports configuring for NAT 13 19 dial groups 5 5 6 7 for modem use 9 7 idle timer 6 7 ISDN BRI 10 2 number used for dial in access 19 1 port limits 10 8 printer port 20 7 security 5 6 speed 15 2 synchronizing speed 9 7 synchronous port speed 6 5 two way access 20 5 well known B 1 PPP address negotiation 8 6 asynchronous character map 5 24 connections 5 19 PPPDecoder 1 2 PPPSmartAgent 1 2 using for dial in and dial out 5 19 PPPDecoder 1 2 PPPSmartAgent 1 2 printer port configuration 20 7 prompt for login host 5 11 protocol asynchronous ports 5 22 location table 8 5 transport protocol 6 8 user 7 5 provisioning ISDN 10 3 11 9 pseudo tty connection 5 12 20 2 pulse code modulation 11 7 PVC burst speed 15 2 CIR 15 2 guaranteed maximum bandwidth 15 2 using with DLCIs 15 2 Subject Index 10 R RADIUS accounting for L2T
213. dems and also the external modems that work with PortMaster products To subscribe send email to majordomo livingston com with subscribe portmaster modems in the body of the message portmaster announce announcements of new PortMaster products and software releases To subscribe send email to majordomo livingston com with subscribe portmaster announce in the body of the message All announcements to this list also go to the portmaster users list You do not need to subscribe to both lists tech bulletin livingston com a moderated push list featuring technical notes Web links and information about the latest code and beta releases sent on a weekly basis as well as periodic technical updates To subscribe complete the form at http www livingston com tech bulletin index html PortMaster Configuration Guide Introduction l This chapter discusses the following topics PortMaster Software on page 1 1 Preconfiguration Planning on page 1 3 Configuration Tips on page 1 5 Basic Configuration Steps on page 1 5 PortMaster Software All PortMaster products are shipped with the following software ComOS The communication software operating system already loaded in nonvolatile Flash RAM on each PortMaster You can use the ComOS command line interface to configure your PortMaster through a console PMVision A GUI companion to the ComOS command line interface for Microsoft Windows UNIX and other platforms th
214. ds and specifications in band signaling The transmission of signaling information over the same path as data and or voice information Compare out of band signaling injection policy A set of rules that determine the path and route information the PortMaster takes from BGP and places into its routing table used to forward packets to their destinations The PortMaster uses the information to determine how packets it receives are forwarded to their ultimate destinations See also policy integrated access server See remote access server Integrated Services Digital Network interface Interior BGP See ISDN Connection and interaction between hardware software and the user The interface between components in a network is called a protocol On the PortMaster the virtual connection between a PortMaster port and the network to which it is connected is called an interface The connection can be permanent as with the Ethernet interface or network hardwired ports or it can be temporary as with ports used for dial in or dial out connections See IBGP Glossary 31 Glossary internal peer A peer that resides in the same autonomous system or when confederations are in use in the same confederation member autonomous system CMAS as the current PortMaster internal router In OSPF a router with all of its directly connected interfaces or physical networks belonging to the same area and containing no virtual conn
215. dwired connection it cannot be used for any other purpose A hardwired connection must be used for a leased line or Frame Relay connection dialin Allows the port to accept dial in network connections for use with switched 56Kbps or ISDN connections The dial in user is required to enter a username and password before the connection is established Authorized users are managed through the user table described in Chapter 7 Configuring Dial In Users or through RADIUS PPP users wishing to authenticate with PAP or CHAP can start sending PPP packets When the packets are received the PortMaster automatically detects PPP and requests PAP or CHAP authentication dialout Allows dial out to establish connections with remote locations Dial out network destinations are managed through the location table described in Chapter 8 Configuring Dial Out Connections This network type can be used for ISDN and switched 56Kbps connections twoway Allows the port to accept dial in users and use dial out locations This network type can be used for ISDN and switched 56Kbps connections Setting the Port Speed Reference The port or line speed is set either by the external clock signal on the device to which the PortMaster is connected or by the carrier You can record this value as a reference associated with a synchronous port but it has no effect on PortMaster behavior To record the port speed use the following command Command
216. dy The circuit that is activated to inform the data communications equipment DCE when the data terminal equipment DTE is ready to send and receive data See also DCE DTE A network topology in which a device is connected to the network through two independent access points or points of attachment dynamic data exchange See DDE dynamic filter download Glossary 22 A feature of ChoiceNet that downloads filters from the server to a network access server upon request PortMaster Configuration Guide Glossary Dynamic Host Configuration Protocol See DHCP dynamic link library See DLL dynamic random access memory E El See DRAM A digital WAN carrier facility used predominantly in Europe that carries data at a rate of 2 048Mbps E1 lines can be leased for private use from common carriers and can be connected with T1 lines for international use Compare T1 easy multihome EBGP echo test A specialized predefined BGP policy that simplifies the use of PortMaster routers in straightforward multihomed environments When you define easy multihome for a peer you restrict what the PortMaster handles from the peer to information that is no more than two autonomous system hops away from the PortMaster Only information that meets this criterion is accepted from the peer put into the routing table used to forward packets to their destinations and advertised to other peers If you define easy multihome for a pee
217. e Configuration Steps for an Internet Connection For more information about asynchronous ports refer to Chapter 5 Configuring an Asynchronous Port Configuring a Dial Out Location If you are using a continuous dial out link a location entry on the PortMaster must be created for the location identified as isp This entry allows the PortMaster to establish a connection with the ISP as soon as it is booted The new location isp must be configured with the values shown in Table 18 5 or as instructed by your ISP Table 18 5 Location Table Values Setting Command Location name add location isp1 Type set location isp manual Change to continuous after testing the configuration Protocol set location isp protocol ppp IP destination set location isp destination 192 168 5 6 Netmask set location isp netmask 255 255 255 0 RIP routing set location isp rip broadcast MTU set location isp mtu 1500 Compression set location isp compression on Input filter set location sp1 ifilter internet in Output filter set location isp ofilter internet out Idle timer set location isp idletime 0 High water mark set location isp high water 0 Dial group set location isp group 1 Telephone number set location isp telephone 5551212 Username set location isp username office This value is provided by your ISP Using Internet Connections 18 7 Configuration Steps for an Internet Connection Table 18 5 Location Table Val
218. e on page 3 4 If you are not using a name service you do not need a name server To set the name server use the following command Command set nameserver Ipaddress You can set an alternate name server with the following command Command gt set nameserver 2 Ipaddress You must set a domain name for your network after you set a name server See Setting the Domain Name on page 3 5 You can disable the use of a name service by setting the name server s IP address to 0 0 0 0 Setting the Domain Name The domain name is used for hostname resolution If you are using DNS or NIS you must set a domain name for your network To set the domain name of your network use the following command Command gt set domain String Setting the Telnet Port The Telnet access port can be set to any number between 0 and 65535 The Telnet port enables you to access and maintain the PortMaster using a Telnet connection to this TCP port If O zero is used Telnet administration is disabled The default value is 23 Ports numbered 10000 through 10100 are reserved and must not be used for this function Up to four administrative Telnet sessions at a time can be used Configuring Global Settings 3 5 Setting the Number of Management Application Connections To set the Telnet access port to port number Tport use the following command Command set telnet port Using the Telnet Port as a Console Port If the console port is set from
219. e 14 13 Manually Creating a Tunnel To aid in troubleshooting and testing an L2TP tunnel configuration you can manually bring up an L2TP tunnel with the following command Command create 12tp tunnel udp Ipaddress Password none The Ipaddress is the end point of the L2TP tunnel The password is optional the default is none If you specify a password the PortMaster uses it when responding to a tunnel authentication request from the peer If you do not specify a password the PortMaster uses the L2TP secret if configured see Setting L2TP Tunnel Authentication Optional on page 14 6 If no L2TP secret is configured no authentication takes place For example to create a tunnel to an L2TP compatible device at IP address 192 168 10 19 enter the following command Command create 12tp tunnel udp 192 168 10 19 PortMaster Configuration Guide Troubleshooting L2TP Displaying L2TP Information Use the following command to display information about the current L2TP operation Command show l2tp global sessions stats tunnels You can see whether the PortMaster is configured to be an LNS or a LAC monitor states of tunnel sessions and view various internal statistics Resetting L2TP Tunnels Use the following command to reset counters displayed by the show l2tp stats command or to reset a particular tunnel Tunnel numbers are displayed by the show I2tp tunnels command Command reset 12tp stats tunnel Number When you
220. e IP address of the port and specifying the DLCIs during the synchronous port configuration Alternatively the PortMaster can discover DLCIs dynamically with LMI or Annex D and learn the IP addresses of the other routers through Inverse ARP if the other routers on your Frame Relay cloud support Inverse ARP as specified in RFC 1490 In this configuration the PortMaster sends an LMI status request every 10 configurable seconds by default Every sixth request is a full status request and the others are keepalives In this configuration the port state is CONNECTING until it receives three replies from the switch then the port state becomes ESTABLISHED After six unanswered requests the PortMaster resets the port Figure 15 1 shows an example of a Frame Relay connection Note All synchronous ports require an external clock signal to regulate the port speed PortMaster Configuration Guide Frame Relay Configuration on the PortMaster Figure 15 1 Frame Relay Configuration Bangkok workstation 1 IRX Router ALUUEELLLMLHLEELLLLLL LEE LLL LLL LEE LUE LLLA HELLE LLLI HELLE IRX Router CSU DSU EE workstation 3 New York CSU DSU e IRX Router AMIIEELLLLLLLELEELLE LLL LLL LLE LLL UOA LEUTE LLL UAOO DOA LLL LLL LLLI IRX Router workstation 2 workstation 3 11820004 Enabling LMI You can specify whether th
221. e PortMaster accepts Local Management Interface LMI frames from the attached Frame Relay switch If LMI is enabled on the switch you must enable LMI on the PortMaster The default keepalive value is 10 seconds However if your telephone company chooses another keepalive value change this value as they instruct you Enabling LMI causes the DLCI list to be completed automatically If the attached switch uses an interval keepalive timer different from the Frame Relay default be sure the keepalive timer on the PortMaster matches that of the attached switch Using Frame Relay 15 5 Frame Relay Configuration on the PortMaster 15 6 Note Contact your Frame Relay carrier to determine which keepalive they are using LMI or Annex D To enable LMI use the following command Command set W1 Imi Seconds Enabling Annex D The PortMaster also accepts the Annex D polling interval The Annex D default value is 10 seconds However if your telephone company chooses another keepalive value change this value as they instruct you Enabling LMI causes the DLCI list to be completed automatically Setting the keepalive value to 0 zero seconds or enabling LMI disables Annex D Note Contact your Frame Relay carrier to determine which keepalive they are using LMI or Annex D To enable Annex D use the following command Command set W1 annex d Seconds Listing DLCIs for Frame Relay Access If LMI or Annex D is not used you must enter
222. e Static Netmask Table Enabling NetBIOS Broadcast Packet Propagation Setting Authentication for Dial In Users Setting Call Check Authentication llle Setting the ISDN Switch 2 20 0 ee een Configuring the Ethernet Interface Setting General Ethernet Parameters 000005 Configuring RIP Routing eee Applyimg Eilterzsz e ERO UE eae ages aaah TES Setting IP Parameters llle Setting the IP Address 0 eee ee ees Setting the Subnet Mask 0 0 00 eee eee eee Setting the Broadcast Address 0 00 0 lees Enabling or Disabling IP Traffic leen Setting Ethernet IPX Parameters llle een Setting the IPX Network Address 000005 Enabling or Disabling IPX Traffic lees Setting the IPX Frame Type 00 eee eee eee Configuring Ethernet Subinterfaces 0004 Setting OSPF on the Ethernet Interface Contents Er 4 1 TEE 4 1 T Gadi BG atk SA 4 2 Pee et teet TE 4 3 D I p M 4 3 2444244642428 264 4 4 Contents 5 Configuring an Asynchronous Port Asynchronous Prt Uses ooh Di ia na e Be a Se was wads RV RI Era 5 1 General Asynchronous Port Settings 2 0 0 eee eee 5 3 Overriding Certain Port Settings 2l sees 5 3 Setting the Port Speed ssw Se eee eee eee eee eee ee ee ey see 5 3 Panty Checkins 2 ese ds ees ee ee
223. e a Cisco router on the other end of your connection verify that it is set for encapsulation frame relay ietf for the serial interface otherwise the Cisco frame relay map command for your DLCI must have the ietf keyword appended Frame Relay Subinterfaces PortMaster routers support a feature called DLCI bundling to allow the splitting of one synchronous port with multiple DLCIs into a maximum of 32 Frame Relay subinterfaces In this configuration the DLCIs are divided between the subinterfaces through the use of the location table and the DLCI table Each subinterface must have its own subnet or assigned network The PortMaster has a limit of 512 total active interfaces which can be further limited by available memory The port you are configuring must be set for network hardwired use and Frame Relay and must be in the same dial group as the location Configuring Subinterfaces The following sections describe how to configure a Frame Relay subinterface 15 12 PortMaster Configuration Guide Frame Relay Subinterfaces Adding a Location To configure a Frame Relay subinterface you add a location for each interface configure it with the Frame Relay protocol and associate it with a dial group Then associate a synchronous port with the same dial group For example to create a location called subl enter the following commands Command add location subl Command set location subl protocol frame relay Command set location
224. e bese bees Setting the Domain Namie c 24 2 ci Ses uecdecdesasedsurassuraudeirsPrqPiemW Setting the Telnet Port Gu sada ease ieee eee eee aetna ee nee Using the Telnet Port as a Console Port 2 00 cee ees Setting the Number of Management Application Connections Setting System EOSED Lac aae RC EN ON ONCE Y ee ea a ee ee EAD UN Setting tbe LogbBost 9v oec ux LEER EEELR audeas ameamqed Disabling and Redirecting Syslog Messages llle eee eens Setting Administrative Logins to Serial Ports 0 0 0 0 cee eee eee Configuring an IP Address Pool 2 0 ee eee teens Setting the Reported IP Address llle Gonfiguring SNMP uua ie SALES ee eee UR eee RUE E EG RD RAD About the livingston mib Definition File 0 0 0 eee eee eee Examining the MIB Structure 0 0c eee eens PortMaster Modem Tablets pc 2 ee oe C CAL AU LN OE EEN Setting SNMP Monitoring 0 0 cee heh Setting SNMP Read and Write Community Strings llle ees 2 4 2 5 3 2 3 2 3 2 3 3 3 4 3 4 PortMaster Configuration Guide Contents Adding SNMP Read and Write Hosts 04 Viewing SNMP Settings e Terora llle Monitoring SNMP Alarms 0 0 eee Displaying the Routing Table llle Setting Static Routes 0 llle eee Adding and Deleting a Static Route forIP Adding and Deleting a Static Route for IPX Modifying th
225. e callers that dial 555 1313 to the LNS at IP address 192 168 1 221 DEFAULT Called Station Id 5551313 Service Type Call Check Service Type Framed User Framed Protocol PPP Tunnel Type L2TP Tunnel Medium Type IP Tunnel Server Endpoint 192 168 1 221 Configuring L2TP 14 9 Configuring L2TP on the RADIUS Server 14 10 Configuring a Shared Secret The sample user profile in this section is the same as the profile in the previous section except that it uses a shared secret to authenticate the tunnel to the LNS DEFAULT Called Station Id 5551313 Service Type Call Check Service Type Framed User Framed Protocol PPP Tunnel Type L2TP Tunnel Medium Type IP Tunnel Password mysecret Tunnel Server Endpoint 192 168 1 221 In both sample user profiles the first item is the RADIUS check item the Called Station ID which is used to match the entry before the call is answered The L2TP parameters are pulled from matching entries The Tunnel Type specifies the tunneling protocol The Tunnel Medium Type IP in these examples specifies the transport medium over which the tunnel is created Tunnel Server Endpoint indicates the other end of the tunnel the LNS when L2TP is being used Configuring Partial Authentication on the LAC If you do not use call check but provider partial authentication based on the username you can use the following user profile In this sample user sara dials into
226. e flow control Software flow control uses the ASCII control characters DC1 and DC3 to communicate with the attached device and to start and stop the flow of data To set software flow control for a modem use the following command Command set SO xon xoff on off Hardware flow control allows the PortMaster to receive data from the attached device by raising the Request to Send RTS signal on pin 4 of the RS 232 connector The PortMaster sends information to the attached device only when the Clear to Send CTS modem line on pin 5 of the RS 232 connector is raised To set hardware flow control for a modem use the following command Command set SO rts cts on off Note Because it is more reliable always use hardware flow control if it is available Do not use both hardware and software flow control on the same port PortMaster Configuration Guide Configuring Ports for Modem Use Hanging Up a Line Using Modems You can specify whether the DTR signal is dropped and the modem disconnected after a session is terminated If line hangup is enabled and the session is terminated DTR is held low signaling the modem to disconnect If line hangup is disabled the DTR signal does not drop and the modem does not hang up when the user session terminates To set line hangup for a modem use the following command Command set SO hangup on off Note Resetting the port administratively with the reset command always drops DTR 9 9
227. e next most common use for the static netmask table is to allow dial in users to use specified IP addresses across multiple PortMaster products in situations where assigned IP addresses are not sufficient This use can result in very large routing tables and is not recommended except where no other alternative is possible The netmask table can be accessed only through the command line interface To add a static netmask use the add netmask command To delete a static netmask use the delete netmask command The show table netmask command shows both dynamic netmasks and static netmasks marking them accordingly Note Static routes use the netmask table entries that are in effect when the routes are added If the netmask table is changed the static route must be deleted from the route table and added again Example of Applying Static Netmasks Note Lucent recommends that you use OSPF in this circumstance instead of static routes This static netmask example assumes the following e You have anywhere between 8 and 250 PortMaster routers e You assign all the user addresses from the dynamic address assignment pools on the PortMaster routers PortMaster Configuration Guide Setting Static Routes e You are using 27 bit subnets of the three class C networks 192 168 207 0 192 168 208 0 and 192 168 209 0 e You are using the 192 168 206 0 network for your Ethernet e All PortMaster routers involved are running ComOS 3 1 2 or later
228. e password to the default value which is no password Setting the Default Route Gateway 3 2 The default route gateway is the address of a router of last resort to which packets are sent when the PortMaster has no routing information for a packet The default route gateway is also the destination address the PortMaster selects when it cannot locate the destination of a packet on the local Ethernet segment You identify the default gateway by its IP address entered in dotted decimal notation A PortMaster can never be its own default gateway You can set a metric between 1 and 15 for the IP and IPX gateways to indicate the hop count associated with the gateway route The PortMaster uses the hop count value for comparisons if the PortMaster is set to listen for default routes from other routers PortMaster Configuration Guide Configuring Default Routing Refer to Appendix A Networking Concepts for more information about address formats Refer to the PortMaster Routing Guide for more information about routing To set the default gateway use the following command Command gt set gateway Ipaddress Metric If you do not specify a value for Metric the PortMaster assumes a default value of 1 Configuring Default Routing As described in the PortMaster Routing Guide PortMaster products can automatically send and accept route information as part of RIP messages if routing is turned on If default routing is on default routes a
229. e rules in the filter As soon as a packet matches a rule the action specified by that rule is taken If no rules match the specific packet the packet is denied and is discarded Whenever an IP packet is discarded the PortMaster generates an ICMP Host Unreachable message back to the originator For interfaces with output filters attached all packets exiting the interface are evaluated against the filter rules and only those packets permitted by the filter are allowed to exit the interface 12 4 PortMaster Configuration Guide Creating Filters Creating Filters You construct a filter by creating the filter and then adding rules that permit or deny certain types of packets A maximum of 256 filter rules per filter is allowed for the PortMaster 3 and IRX For other PortMaster products the maximum number of filter rules allowed is 100 The PortMaster generates an error message when the number of filter rules exceeds the limit Packets are evaluated in the same order as the rules are listed Therefore the rules representing the highest security concern must be specified early in the list of rules followed by a rule limiting the volume of traffic User filters are attached to users configured for dial in SLIP or PPP access When a user makes a PPP or SLIP connection the designated filters are attached to the network interface created for that connection Location filters are attached to dial out locations using SLIP or PPP connect
230. e to all stations Generally a broadcast address is a media access control MAC destination address of all 1s ones broadcast packets Packets that are sent to all network nodes Glossary 9 Glossary browser A client software program used to locate and display World Wide Web pages Examples of some well known browsers are Netscape Navigator and Microsoft Explorer bulletin board system See BBS byte A set of bits usually 8 that represent a single character See also bit C callback A remote access server configuration that disconnects a dial in user and then calls the user back at a pre established telephone number before providing access Callback provides an extra layer of security and can simplify telephone charges Callback is sometimes known as dialback CAP Competitive access provider A company that provides network links between the customer and the interexchange carrier IEC or even directly to the Internet service provider ISP CAPs operate private networks independent of local exchange carriers See also CLEC Carrier Detect See CD CCITT Consultative Committee for International Telegraph and Telephone International organization formerly responsible for the development of communications standards and now called the ITU T See also ITU T CD Carrier Detect A signal that indicates whether an interface is active Also a data communications equipment DCE signal Data Carrier Detect DCD gene
231. e vere tote tek Gh teak oh 13 2 Private and Global Addressing 0 0 0c eee eee 13 2 Address MapplIBg sbnososcosedSerirevekevevexerrvucwewqugwuqug E A E 13 3 Sessions Inbound vs Outbound selle 13 3 Basic NAT and NAPT lee m rh 13 4 NAT Restrictions sirios oios oaa a e ee 13 4 NAT Configuration Tasks 0 0 cent es 13 5 NAT Addfessjmguu sebtRAPReRBRRUEFPITZITPIPEPPPLIPIPKEPPUPIPUPSUUPPPURREI 13 6 Configuring Dynamic Address Pools for Outbound NAT 4 13 7 Configuring Static Address Pools for Outbound NAT 000 13 7 Configuring Static Address Pools for Inbound NAT 000 13 8 Mixing IP Address Notations clle 13 8 NAT MADS S See eR SR Re E as chan es ORC tae secs st ghana esos Pus DAC 13 9 How NAT Maps Work 0 0 res 13 10 Creating Maps for Outbound Sessions 0 0 0 0 eel ees 13 10 xiii Contents xiv Creating Maps for Inbound Sessions 00 13 12 Modifying and Deleting Maps csse 13 14 Using the ipaddr Macro 1 0 ce eee 13 15 Using the Default NAPT Map 0 0 ccc eee ees 13 16 Usine TCP UDP Maps very oa Caw a a C UR aa a SS 13 18 Configuring Ports Locations and Users for NAT 0 00 eee eee eee 13 18 Configuring Ports for NAT loses 13 19 Configuring Locations for NAT 0 eee ee eee nee 13 21 Contiguring NAT Users SoG ER ER RR ee 13 22 Configuring Outsour
232. earlier in this chapter but use the settings shown in Table 20 6 This example is for port S1 Table 20 6 Serial Port Values to Allow a Telnet Connection to Ports SO through S29 Setting Command Port type set 5 device dev network Modem control set s cd off Device service set s service device telnet 6001 After resetting port SI you can access it using Telnet from your host or by entering the following commands Command reset s1 Command telnet pmi 6001 PortMaster Configuration Guide Configuration Steps for Shared Device Access The value pm is the hostname of the PortMaster you are accessing and 6001 is the TCP port set for the port you are accessing You can also set several ports to the same TCP port to create a pool of ports available for Telnet access Note If you are using this configuration to configure your modems refer first to y Chapter 9 Using Modems Accessing Shared Devices 20 9 Configuration Steps for Shared Device Access 20 10 PortMaster Configuration Guide Using Synchronous Leased Lines 21 This chapter uses an example to demonstrate how to configure the PortMaster to connect to a synchronous leased line at speeds up to T1 1 544Mbps or El 2 048Mbps This chapter also describes how to configure a dial backup connection for your synchronous line The example described in this chapter connects a PortMaster router located in one office with a PortMaster router located in an
233. ebug utility Command gt set debug off Command gt reset console Contact your carrier to review your configuration and the status of their line Using Synchronous V 25bis Connections 16 13 Troubleshooting a Synchronous V 25bis Connection 16 14 PortMaster Configuration Guide Using Office to Office Connections 17 This chapter uses an example to demonstrate how to configure the PortMaster to connect your office to another office using a dial on demand modem configuration This type of connection is designed to take the place of a costly dedicated line between the two locations where the amount and duration of traffic do not justify a leased line or Frame Relay connection This chapter also briefly describes how to configure multiline load balancing and ISDN BRI on demand connections for office to office use The following topics are discussed e Overview of Example Configuration on page 17 1 e Configuration Steps for an Office to Office Connection on page 17 3 e Setting the Console Port for Multiline Load Balancing on page 17 13 e Using ISDN for On Demand Connections on page 17 15 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Overview of Example Configuration The example described in this chapter connects a PortMaster Office Router located in a branch office in London with a PortMaster 2 in the headquarters in Paris These models are used as an examp
234. ections The PortMaster automatically accepts inbound voice calls and treats them as data calls You can force a data over voice call on an outbound ISDN connection by setting the capability to on To turn on the data over voice capability for ISDN connections to a location use the following command Command set location Locname voice on off For more information on ISDN connections see Chapter 11 Configuring the PortMaster 3 and Chapter 10 Using ISDN BRI Setting CHAP When you enter a username and password into the location table they are used as the system identifier and the RSA Data Security Inc MD5 Message Digest Algorithm MD5 secret for CHAP authentication You can turn on outbound CHAP authentication and eliminate the need to use the sysname identifier and user table configurations for CHAP unless the device being dialed also dials in to the PortMaster The default setting is off PortMaster Configuration Guide Setting Multiline Load Balancing To set CHAP authentication for a location use the following command Command set location Locname chap on off Setting the Asynchronous Character Map The PPP protocol supports the replacement of nonprinting ASCII data in the PPP stream These characters are not sent through the line but instead are replaced by a special set of characters that the remote site interprets as the original characters The PPP asynchronous map is a bit map of characters that are replace
235. ections and locations set for on demand dialing enter the IP address or a valid hostname of the system at the remote end of the connection Note Assigned addresses are not supported for dial out locations To set the destination IP address for a location use the following command Command set location Locname destination Ipaddress Setting the Destination Netmask If the host or network on the remote end of the connection requires a netmask you must define it in the location table To set the destination netmask for a location use the following command Command set location Locname netmask Ipmask Setting the IPX Network Number If you are using the IPX protocol you must assign a unique IPX network number to the network connection between the remote host and the PortMaster Enter the IPX network number in the hexadecimal format described in Appendix A Networking Concepts The number is a 32 bit hexadecimal value The number is used only for the serial link and must be different from the IPX network numbers used for Ethernets at either end To set the IPX network number for a location use the following command Command set location Locname ipxnet Ipxnetwork Note Do not set a value of all Os zeros or all Fs for the IPX network number PortMaster Configuration Guide Configuring the Location Table Setting RIP Routing You can associate RIP routing with locations for example a dial on demand connect
236. ections to the backbone area International Organization for Standards See ISO International Telecommunication Union Telecommunication Standardization Sector See ITU T Internet The total collection of interconnected networks and attached devices that use TCP IP protocols World wide the Internet currently consists of several large national backbone networks and several regional and campus networks Internet Control Message Protocol See ICMP Internet Engineering Task Force See IETF Internet Network Information Center See InterNIC Internet Packet Exchange protocol See IPX Internet Protocol See IP Internet Protocol Security See IPSec Glossary 32 PortMaster Configuration Guide Glossary Internet Relay Chat See IRC Internet service provider See ISP Internet telephony internetwork InterNIC See VoIP A network of networks Internet Network Information Center An organization that provides information and services related to networking technologies The InterNIC is where new domain names are registered interoperability intranet IP IP address The ability to exchange information among devices that have dissimilar operating systems or protocols A private internetwork inside a company or agency that uses the same kind of software running on the Internet but only for internal purposes A corporate intranet uses the Internet as its backbone but the firewall surrounding the intranet pr
237. ed graphical user interface GUI for monitoring managing debugging and configuring PortMaster products point of presence See POP Glossary 54 PortMaster Configuration Guide Glossary Point to Point Protocol See PPP Point to Point Tunneling Protocol policy POP port port limit PortMaster See PPTP In BGP the rule or set of rules a PortMaster product follows for accepting injecting and or advertising BGP routes to its BGP internal and external peers You assign policies to a peer when you add it to the PortMaster during configuration You can use the default policy easy multihome or create and assign your own policies One policy can handle all three functions or you can create separate policies for acceptance injection and advertisement See also acceptance policy advertisement policy injection policy 1 Point of presence The location of a switching dial in facility usually for a long distance telecommunications provider or an Internet service provider ISP Also a local telephone number through which you can access your ISP 2 Post Office Protocol An extensible protocol for retrieving email from a remote server 1 On a computer the physical channel or connection through which data flows 2 Ina TCP IP or UDP network a numbered end point to a logical connection that determines the way a client application program specifies a particular server application on the network Higher level application
238. ee also HTTP HyperText Transfer Protocol The application protocol for moving hypertext files across the Internet This protocol requires an HTTP client program on one end of a connection and an HTTP server program on the other A group of multiple telephone circuits that allows telephone calls to find an idle circuit to establish a link The order in which connections are made to a port For example if two ports are open a connection is made to the port with the lower hunt order HyperText Markup Language See HTML HyperText Transfer Protocol IBGP Glossary 30 See HTTP Interior BGP The BGP used between peers in the same autonomous system or when confederations are in use between peers in the same confederation member autonomous system CMAS All IBGP peers must maintain direct BGP connections to be fully meshed with every other internal peer but need not be physically attached to one another PortMaster Configuration Guide ICMP IETF Glossary Internet Control Message Protocol The part of the Internet Protocol IP that allows for generation of error messages test packets and informational messages related to IP This protocol is used by the ping function to send an ICMP Echo Request to a network host which replies with an ICMP Echo Reply Internet Engineering Task Force International community of network designers operators vendors and researchers working in groups to develop new Internet standar
239. een autonomous systems on the Internet BGP uses TCP as its transport protocol Version 4 of BGP See also BGP PortMaster Configuration Guide bit Glossary Binary digit 1 The basic unit of information 2 The amount of information obtained as the answer to a yes or no question 3 A computational quantity that can take on one of two values such as true and false or 0 and 1 4 The smallest unit of storage that is sufficient to hold one bit See also bps byte bits per second BONDING booting BOOTP See bps Bandwidth on Demand Interoperability Group A method for combining two B channels into a single 128Kbps channel The process in which a device obtains information and begins to process it to attain a state of normal operation Internet Bootstrap Protocol Protocol used by a network node to determine the IP address of its Ethernet interfaces for network booting When dumb hosts send a broadcast packet out on the network UNIX hosts running BOOTP reply with an IP address the address of a boot server and the path of a configuration file to be loaded at boot time Border Gateway Protocol bps BRI See BGP Bits per second A unit for measuring the data rate Basic Rate Interface An ISDN interface for homes and small businesses that consists of two 64Kbps B channels for voice or data and one 16Kbps D channel for signaling Compare PRI broadcast address A special address reserved for sending a messag
240. either a login or network user use the following command Command gt set user Username password Password The password can contain between 0 and 16 printable ASCH characters Setting the Idle Timer The idle timer defines the number of minutes or seconds the line can be idle in both directions before the PortMaster disconnects the user You can set the idle time in seconds or minutes with any value between 2 and 240 The default setting is 0 minutes The idle timer is not reset by RIP keepalive or SAP packets To set the idle timer use the following command Command set user Username idle Number minutes seconds To disable the idle timer set the time to 0 minutes Setting the Session Limit You can define the maximum length of a session permitted before the PortMaster disconnects the user The session length can be set to between 0 and 240 minutes To set the session limit use the following command Command set user Username session limit Minutes To disable the session limit set the time to 0 Configuring Network Users Network users establish PPP or SLIP connections with the network as soon as they have been authenticated 7 4 PortMaster Configuration Guide Configuring Network Users Setting the Protocol You can set the network protocol for the network user to PPP or SLIP as described in Chapter 5 Configuring an Asynchronous Port Select a protocol that is compatible with the rest of your network
241. entication partial 14 10 creating manually 14 12 endpoints redundant 14 11 passwords 14 10 resetting 14 13 two way access port configuration 20 5 type 20 broadcast packets 3 26 U UDP for NFAS 11 10 packets filtering 12 7 services and ports B 1 upgrades software xxviii user login configuration 5 8 user profiles RADIUS L2TP 14 9 sample 14 9 14 10 14 11 user table access filters 7 11 adding users 7 2 compression 7 8 displaying 7 2 IP address 7 5 IPX network number 7 6 login host 7 11 login service 7 12 maximum ports 7 8 MTU 7 7 packet filters 7 9 session limit 7 4 setting the protocol 7 5 TCP IP header compression 7 8 user types 7 3 USERNAME port status 2 6 username setting for dial out 8 5 username based tunneling 14 9 users configuring for NAT 13 22 defining dial in network users 19 10 defining dial in users 16 5 16 10 17 6 defining login users 19 9 deleting 7 3 disconnecting from virtual port 11 20 displaying configuration information 7 2 restricting access to hosts 7 11 session limit 7 4 utilities for allowing concurrent connections 3 6 V V 25bis connections 16 1 troubleshooting 16 13 variable length subnet mask A 8 virtual ports disconnecting users 11 20 resetting 11 20 virtual private dial up network 14 2 virtual switch 15 1 VLSM A 8 VPDN 14 2 W WAN ports example configuration 21 5 21 7 ISDN 10 12 10 17 setting up Frame Relay 15 10 switched 56Kbps 16 5 V 25bis d
242. entry a number command menu option button or Press Enter key orthename Open the permit list file of a file directory or utility except in code samples Italic font Identifies a e set Fther0 address Ipaddress command line placeholder Replace with a real name or value Enclose optional keywords and values in command syntax Enclose a required choice between keywords and or values in command syntax Separates two or more possible options in command syntax Replace Area with the name of the OSPF area e set nameserver 2 Ipaddress e set SO destination Ipaddress Ipmask set syslog Logtype disabled Facility Priority e set SO W1 ospf on off set SO host default prompt Ipaddress About This Guide xxvii Document Advisories Document Advisories AN N Note means take note Notes contain information of importance or special interest Caution means be careful You might do something or fail to do something that results in equipment failure or loss of data Warning means danger You might do something or fail to do something that results in personal injury or equipment damage Contacting Lucent NetworkCare Technical Support xxviii The PortMaster comes with a 1 year hardware warranty For all technical support requests record your PortMaster ComOS version number and report it to the staff of Lucent NetworkCare M Professional Services
243. epalive message notification message open message route Uniform resource locator The address of a file resource accessible on the Internet The type of resource depends on the Internet application protocol For the World Wide Web s protocol the Hypertext Transfer Protocol HTTP the resource can be an HTML page a program such as a Java applet or any other file supported by HTTP The URL contains the name of the protocol required to access the resource a domain name that identifies a specific computer on the Internet and if necessary a path to the resource on the computer See RADIUS user User Datagram Protocol See UDP User Network Interface See UNI Glossary 73 Glossary UTP UUCP V V 25bis V 32bis V 34 V 35 V 90 Glossary 74 Unshielded twisted pair A four pair wire medium used in a variety of networks UTP does not require the fixed spacing between connections necessary with coaxial connections The five grades of UTP cable commonly used are Category 1 through Category 5 Category 5 can carry the most data See also STP twisted pair UNIX to UNIX Copy Program Interactive communication system for connecting two UNIX computers to send and receive data An ITU T standard for data transmission that defines how to dial on synchronous devices such as ISDN or switched 56Kbps An ITU T standard for data transmission via modems that extends the V 32 connection range from 4800bps to 14 4Kbps
244. er Office Routers PortMaster Configuration Guide confederation Glossary In BGP an autonomous system that has been subdivided into smaller autonomous systems called confederation member autonomous systems CMASs A confederation appears like a single autonomous system to other autonomous systems and is recognized only by other confederation members Subdivision of an autonomous system into a confederation changes the peer relationships of confederation members in different CMASs from internal to external Use of confederations in an autonomous system requires that all routers in the autonomous system belong to a CMAS however the policies used by BGP peers can change across confederation boundaries Confederations are one method for avoiding the overhead of having all peers within an autonomous system fully communicate to be fully meshed with each other Route reflection clusters provide an easier method but require the use of identical policies on all peers within the autonomous system See also route reflection confederation member Any router running BGP and recognizing that its autonomous system is subdivided into smaller autonomous systems called confederation member autonomous systems CMASs The CMASs are recognized only by confederation members and not by peers external to the confederation Subdivision of an autonomous system into a confederation changes the peer relationships of confederation members in different CMASs from
245. er and an SNMP agent The SNMP agent returns values for MIB variables that can be changed or queried by the SNMP manager The agent gathers information from the MIB which resides on the target device MIB information can include device parameters and network status The agent is capable of responding to requests to get or set data from the manager PortMaster Configuration Guide Configuring SNMP PortMaster products support MIB II variables as specified in RFC 1213 along with a MIB specific to PortMaster products SNMP management can be enabled for any PortMaster Lucent ships configuration files compatible with various network management packages along with the PMVision software About the livingston mib Definition File livingston mib is the MIB definitions file that SNMP tools can read and use to query SNMP agents for information about PortMaster products The PortMaster extensions to the MIB are located in the latter part of this file under Livingston Extensions The livingston mib file can be found in the SNMP directory of the ComOS software or on the World Wide Web at http www livingston com marketing products pmtempl html To view the file scroll down to MIB Specifications and click LE38 in the table Examining the MIB Structure The entire management information base MIB hierarchy can be represented by a tree structure In this representation the unnamed root of the tree divides into the following main branches
246. er restrict in 9 permit 0 0 0 0 0 10 0 0 3 32 tcp dst eq 53 Command gt set filter restrict in 10 permit 0 0 0 0 0 10 0 0 3 32 icmp Configuring Filters 12 13 Restricting User Access Table 12 4 describes line by line each rule in the filter Table 12 4 Description of Restrictive Internet Filter Rule Description l Denies any incoming packets from your own network 192 168 1 0 and makes a log 2 Permits packets from any established TCP connection to 10 0 0 3 the Internet server Permits FIP from any IP address to 10 0 0 3 the server Permits the FIP data back channel Permits incoming NNTP news to 10 0 0 3 the Internet server Permits incoming SMTP mail to 10 0 0 3 the Internet server Permits HTTP requests to 10 0 0 3 the Internet server Permits DNS queries to 10 0 0 3 the Internet server BOS 299 N GN GM a cu Permits DNS zone transfers from 10 0 0 3 the Internet server e Permits ICMP to 10 0 0 3 the Internet server You can further limit ICMP packet types to types 0 3 8 and 11 using four rules instead of one To log all packets that are denied add the following rule to the end of your filter Command set filter Filtername RuleNumber deny log Restricting User Access Access filters enable you to restrict telnet or rlogin connections to a specific host or network or a list of hosts or networks You can create an access filter that restricts user access to particular
247. ere location settings are stored See also location A feature of BGP on the PortMaster that ensures consistency of routing information between the BGP and non BGP routers within its autonomous system Lockstep forces the PortMaster to advertise a route learned from an internal BGP peer only when it has learned the same route via an Interior Gateway Protocol IGP OSPF or RIP or a static route See also transit service Glossary 41 Glossary login status LSA Lucent MAC MAC address RADIUS accounting data for an individual RADIUS user Login status includes such information as username start and stop times connection times IP address of the network access server network access server port and IP address of the user framed IP address Link state advertisement The state of the router links interfaces networks summaries or autonomous system external links of an OSPF router that it periodically advertises Link states are also advertised when a link state changes Marked by clarity shining glowing with light resplendent 1 Media access control See MAC address 2 Message authentication code A mechanism used between two parties that share a secret key to verify the contents origin author and other attributes of information exchanged by the parties See also HMAC Media access control address A unique 48 bit binary number usually represented as a 12 digit hexadecimal number encoded in the circuitry of a
248. erface Estimate of the modem interface s current inbound bandwidth in bits per second Estimate of the modem interface s current outbound bandwidth in bits per second Total number of bytes received by the modem Total number of bytes transmitted by the modem Configuring Global Settings Configuring SNMP 3 18 Table 3 8 Modem Table Continued Object Type Definition livingstonModemRetrains Number of retrains attempted by the modem livingstonModemRenegotiates Number of renegotiates attempted by the modem livingstonModemCalls Number of times a call received by the modem livingstonModemDetects Number of analog calls received by the modem livingstonModemConnects Number of successful calls received by the modem Setting SNMP Monitoring Simple network management protocol SNMP monitoring is used to set and collect information on SNMP capable devices This feature is most often used to monitor network statistics such as usage and error rate If SNMP monitoring is on the PortMaster accepts SNMP queries If SNMP monitoring is off all SNMP queries are ignored To turn SNMP monitoring on or off use the following commands Command gt set snmp on off Command gt save all Command gt reboot Setting SNMP Read and Write Community Strings Community strings allow you to control access to the MIB information on selected SNMP devices The read and write community strings act like passwords to permit
249. erface and provides examples of command line usage This guide is designed for qualified system administrators and network managers and for persons with a working knowledge of networking and routing Appendix A Networking Concepts provides an overview of network address conventions but is intended as a quick refresher and should not be used as a substitute for careful study of these principles Refer to Additional References in this preface for appropriate RFCs and other suggested reading See the PortMaster Routing Guide for advanced information on routing protocols and routing with PortMaster products PortMaster Documentation PortMaster Documentation The following manuals are available from Lucent The hardware installation guides are included with most PortMaster products other manuals can be ordered through your PortMaster distributor or directly from Lucent The manuals are also provided as PDF and PostScript files on the PortMaster Software CD shipped with your PortMaster In addition you can download PortMaster information and documentation from http www livingston com xxii ChoiceNet amp Administrator s Guide This guide provides complete installation and configuration instructions for ChoiceNet server software PMvVision User s Guide This guide provides instructions for installing configuring and using the PMVision network management application a graphical configuration and monitoring tool for
250. ers dial in set SO 0 in the initialization string Configuring Ports for Modem Use The modem settings described in this section are configured for each port and must match the configuration on the attached modem 9 6 PortMaster Configuration Guide Configuring Ports for Modem Use Setting the Port Speed The speed of a port is defined as the DTE baud rate The PortMaster allows you to specify three different baud rates for each port and one baud rate for host device ports Port speeds are sequentially matched from the first baud rate through the third baud rate For example when a connection with this port is established the PortMaster uses the first baud rate value to try to synchronize the connection speed If no synchronization is possible the PortMaster tries to synchronize speeds using the second baud rate value If this fails the third baud rate value is used Each speed can be set between 300bps to 115200bps The default speed is 9600bps Modern modems and terminals must always be set to run at a fixed rate To define a fixed rate lock the DTE rate by setting all three speeds to the same value To set the port speed use the following command Command set S0 all speed 1 2 3 Speed You can substitute any of the following for Speed 300 1200 4800 19200 57600 115200 600 2400 9600 38400 76800 You can set the speed for all the asynchronous ports simultaneously by using the set all speed command Setting Modem Co
251. es are for a given connection only and a PortMaster that functions as a slave for one user s connection can be a master for a different user s connection See also master Serial Line Internet Protocol The protocol that was made obsolete by Point to Point Protocol PPP for point to point serial connections using TCP IP See also PPP small office home office SMDS SMTP SNMP SOHO Glossary 66 See SOHO Switched Multimegabit Data Service An emerging high speed packet switched public data communications service for exchanging large amounts of data over a WAN on a nonconstant or bursty basis SMDS provides an architecture and services for connecting geographically separate LANs into a WAN without a dedicated private line SMDS is expected to be widely used by telephone companies as the basis for their data networks Simple Mail Transfer Protocol A protocol defined in RFC 821 for exchanging email messages between servers across a network SMTP is the principle protocol for sending email over the Internet Simple Network Management Protocol A protocol defined in RFC 1157 for communicating between management consoles and network devices Small office home office An end user segment of the internetworking market See also ROBO PortMaster Configuration Guide speaker SPID SQL SSL Glossary A single BGP router that is able to communicate with other routers that run BGP When two BGP speakers communi
252. esses are currently used primarily for the multicast backbone MBONE of the Internet Many routers including PortMaster products do not support MBONE or multicast and therefore ignore class D addresses Class E Addresses The class E IP address is reserved for future use In class E addresses the 4 highest order bits are set to 1 1 1 and 1 Routers currently ignore class E IP addresses A 4 PortMaster Configuration Guide Network Addressing Reserved IP Addresses Some IP addresses are reserved for special uses and cannot be used for host addresses Table A 2 lists ranges of IP addresses and shows which addresses are reserved which are available to be assigned and which are for broadcast Table A 2 Reserved and Available IP Addresses Class IP Address Status A 0 0 0 0 Reserved 1 0 0 0 through 126 0 0 0 Available 127 0 0 0 Loopback networks on the local host B 128 0 0 0 Reserved 128 1 0 0 through 191 254 255 255 Available 191 255 0 0 Reserved C 192 0 0 0 Reserved 192 0 1 0 through 223 255 254 255 Available 223 255 255 0 Reserved D 224 0 0 0 through 239 255 255 255 Multicast group addresses E 240 0 0 0 through 255 255 255 254 Reserved 255 255 255 255 Broadcast Private IP Networks RFC 1597 reserves three IP network addresses for private networks The addresses 10 0 0 0 8 192 168 0 0 16 and 172 16 0 0 20 can be used by anyone for setting up their own internal IP networks Networking Concepts A 5 Network
253. et IP address and name of host running RADIUS IP address and name of host running DNS IP address of RADIUS accounting server IP address of RADIUS backup accounting server IP address of host running backup RADIUS IP address of host that shell users log in to IP addresses reserved for future hosts IP address and name of first PortMaster IP addresses and names for additional PortMaster products Reserved pool of assigned addresses for the first PortMaster Reserved pool of assigned addresses for the second PortMaster Class C assigned by your provider 192 168 1 0 192 168 1 1 gw edu com 192 168 1 2 rk2 edu com 192 168 1 2 rk2 edu com 192 168 1 2 rk2 edu com 192 168 1 3 rk3 edu com Optional 192 168 1 3 rk3 edu com Optional 192 168 1 4 rk4 edu com Optional 192 168 1 5 through 192 168 1 15 192 168 1 23 through 192 168 1 32 192 168 1 16 pml edu com 192 168 1 17 through 192 168 1 22 pm2 edu com through pm7 edu com 192 168 1 33 through 192 168 1 62 192 168 1 65 through 192 168 1 94 Providing User Dial In Access Configuration Steps for Dial In Access Table 19 1 Example Configuration Variables Continued Variable Description Value Reserved pool of assigned addresses for the 192 168 1 97 through third PortMaster Continue until the seventh 192 168 1 126 PortMaster Reserved pool of assigned addresses for the 192 168 1 225 thr
254. et interface settings page 16 4 Synchronous port settings page 16 5 Dial in users page 16 5 Dial out locations page 16 6 2 Configure the following settings for the PortMaster in Miami a b C d e Global settings page 16 8 Ethernet interface settings page 16 8 Synchronous port settings page 16 9 Dial in users page 16 10 Dial out locations page 16 11 3 Test the configuration page 16 12 4 Troubleshoot the configuration page 16 13 Configuring the PortMaster in Boston The PortMaster in Boston is being configured for a V 25bis dial up synchronous connection to the PortMaster in Miami Using Synchronous V 25bis Connections 16 3 Configuration Steps for a Synchronous V 25bis Connection Configuring Global Settings Configure the global settings to the values shown in Table 16 1 Table 16 1 Global Values Setting Command IP gateway set gateway 192 168 1 1 System name set sysname boston After you configure the global settings shown in Table 16 1 enter the following command to save the configuration Command gt save all For more information about global settings refer to Chapter 3 Configuring Global Settings Configuring Ethernet Interface Settings Configure the Ethernet interface settings to the values shown in Table 16 2 Table 16 2 Ethernet Values Setting Command Protocol set ether0 ipx enabled IP address set ether0 address 192 168 200
255. et network a runt packet has a frame size between 8 and 63 bytes with frame check sequence FCS or alignment errors The runt packet is presumed to be a fragment resulting from a collision Service Advertisement Protocol An IPX protocol that provides a means of informing network clients via routers and servers of available network resources and services See also IPX Able to be changed in size or configuration to suit changing conditions For example a scalable network can be expanded from a few nodes to thousands of nodes In a database management system DBMS a collection of objects that are available to a user Schema objects are the logical structures that directly refer to the data in a database Schema objects include such structures as tables views sequences stored procedures synonyms indexes clusters and database links See shared secret secure hash algorithm See SHA 1 Secure Sockets Layer SecurID selector Glossary 64 See SSL An authentication system available from Security Dynamics Inc SecurID uses tokens and a software server to generate and confirm one time passwords to identify users and grant or deny them network access In a database management system DBMS a string used to identify a value in a database PortMaster Configuration Guide Glossary Serial Line Internet Protocol serial port server See SLIP A bidirectional channel through which data flows one bit as a time A
256. et to one of four values shown in Table 10 1 Table 10 1 North American ISDN BRI Switch Types ISDN Switch Type Used for ni l National ISDN 1 NI 1 default dms100 Northern Telecom DMS 100 Custom 5ess ATST 5ESS Custom Multipoint 5ess ptp ATST 5ESS Custom Point to Point International ISDN BRI Switch Types The PortMaster ISDN S T interface for use in Japan Europe and other countries following international ISDN standards uses a different set of switch type settings shown in Table 10 2 Table 10 2 International ISDN BRI Switch Types ISDN Switch Type Used for net3 EuroISDN standard includes Swiss standards net5 Australia vn2 France PortMaster Configuration Guide Configuring ISDN Table 10 2 International ISDN BRI Switch Types Continued ISDN Switch Type Used for vn4 France current national switch type 1tr6 Germany older switch type ntt Japan kdd Japan Setting the Switch Type To set the ISDN switch type for an ISDN BRI U interface use the following commands Command gt set isdn switch ni 1 dms 100 5ess 5ess ptp Command gt reboot To set the ISDN switch type for an ISDN BRI S T interface use the following commands Command set isdn switch net3 net5 vn2 vn4 1tr6 ntt kdd Command gt reboot Note You must reboot the PortMaster after changing the switch type for the change to y take effect Service Profile Identifier SPID for ISDN BRI The ser
257. etmask set user sf netmask 255 255 255 0 IPX network set user sf ipxnet F3 RIP routing set user sf rip on MTU set user sf mtu 1500 Compression set user sf compression on After you configure the user table as shown in Table 10 6 enter the following command to save the configuration Command save all For more information about configuring user table parameters refer to Chapter 7 Configuring Dial In Users Configuring a Dial Out Location A location entry on the PortMaster in Denver must be created for the location identified as sf This allows the PortMaster router in Denver to call the PortMaster in San Francisco when network traffic is queued The new location sf should be configured with the values shown in Table 10 7 Table 10 7 Location Table Values Setting Command Location name add location sf Type set location sf manual Set the location for manual dialing until after the configuration has been tested Once the configuration is verified change the connection type to on demand Protocol set location sf protocol ppp IP destination set location sf destination 192 168 100 1 Netmask set location sf netmask 255 255 255 0 PortMaster Configuration Guide ISDN BRI Unnumbered IP Configuration Example Table 10 7 Location Table Values Continued Setting Command IPX network RIP routing MTU Idle timer Dial group Username Telephone number Password High water mark Maxim
258. ets a reply 2 1 Booting the PortMaster 2 2 the PortMaster then attempts to boot itself across the network using the Trivial File Transfer Protocol TFIP to download a netbootable ComOS image from the host that replied to the RARP The TFIP process begins by transferring the tftpboot address typ file replacing address with the uppercase 8 character hexadecimal expression of the IP address of the PortMaster and fyp with the 3 character boot extension describing the model of PortMaster as shown in Table 2 1 If tftpboot address typ is not found the PortMaster requests tftpboot GENERIC OS Table 2 1 Boot Extensions Boot Extension PortMaster Model PM3 PM3 any model PM2 PM 2 PM 2E PM 2R PM 2ER PM 2i PM 2Ei IRX IRX any model P25 PM 25 PMO PortMaster Office Router any model The netbootable ComOS can also be downloaded via serial cable through the console port Refer to the PortMaster Troubleshooting Guide for details 3 The user configuration is loaded from nonvolatile RAM 4 The IP address is located If no address is configured for the Ethernet interface and no address was obtained from netbooting the PortMaster sends a RARP message to discover its IP address If the PortMaster receives a reply to the RARP message its IP address is set in dynamic memory At this point the PortMaster is fully booted with its configuration loaded into DRAM This process takes less than a minute After the Port
259. ets using Encapsulating Security Payload ESP protocol See RFC 1827 for more information on this protocol e ah matches packets using Authentication Header AH protocol See RFC 1826 for more information on this protocol e ipip matches packets using the IP Encapsulation within IP IPIP protocol See RFC 2003 for more information on this protocol If you are using ChoiceNet you can also replace either the source or destination IP address with the value ListName which specifies a list of sites in the etc choicenet lists directory in the ChoiceNet server The equal sign 2 must immediately precede the value Filtering ICMP Packets Internet Control Message Protocol ICMP packets commonly known as ping packets report errors and provide other information about IP packet processing You can filter ICMP packets by source and destination IP address or by ICMP packet type Packet types are identified in RFC 1700 To create an ICMP filter rule use the following command entered on one line Command set filter Filtername RuleNumber permit deny Ipaddress NM Ipaddress dest NM icmp type Itype log notify 12 6 PortMaster Configuration Guide Creating Filters Filtering TCP and UDP Packets TCP Packets You can filter TCP packets by source and destination IP address or by TCP port number Appendix B TCP and UDP Ports and Services lists port numbers commonly used for UDP and TCP port services For a more com
260. events unauthorized access Like the Internet intranets are used to share information See also Internet extranet Internet Protocol The protocol defined in RFC 791 A 32 bit number assigned by the system administrator usually written in the form of four decimal fields separated by periods for example 192 168 200 1 Any computing device that uses IP must be assigned an Internet or IP address Part of the Internet address is the IP network number IP network address and part is the host address IP host address All machines on a given IP network use the same IP network number and each machine has a unique IP host address The system administrator sets the subnet mask to specify how much of the address is network number and how much is host address Glossary 33 Glossary IP address prefix An IP address number that when paired with a netmask length represents a range of addresses rather than a single IP network For example the prefix and netmask length 10 0 0 0 8 describe all networks whose IP addresses begin with 128 See also netmask length IP Control Protocol See IPCP IPCP IP Control Protocol A protocol used by the Point to Point Protocol PPP for establishing and configuring an IP link over PPP IPSec Internet Protocol Security A set of protocols being developed by the Internet Engineering Task Force IETF to support secure exchange of packets at the network layer IPSec is useful for virtual private networks
261. face cards are DCEs Data channel or delta channel A full duplex 16Kbps Basic Rate Interface BRI or 64Kbps Primary Rate Interface PRI ISDN channel for performing call signaling and setup to establish a connection The D channel is sometimes also used to carry user data Dynamic data exchange A form of interprocess communication that uses shared memory to exchange data between applications Applications can use a one time data transfer or ongoing exchanges degree of preference Glossary 18 In BGP an arbitrary rating number that the PortMaster assigns to every route it receives from a BGP peer A higher number indicates a greater preference for a route when more than one exists to a destination A route from an internal peer is assigned the local preference number that the PortMaster learned with the route For a route learned from an external peer the PortMaster calculates a number based on the autonomous system path length the shortest path is preferred You can use a routing policy rule to override the calculated or learned value and assign your own degree of preference to a route See also local preference PortMaster Configuration Guide DES destination device DHCP dialback Glossary Data encryption standard A popular block encryption method based on a 56 bit key DES has been adopted by the U S Department of Defense and standardized as American National Standards Institute ANSI standards X3 92 and X3 106
262. ffffff00 255 255 255 0 25 2 126 Oxffffff80 255 255 255 128 26 4 62 OxffffffcO 255 255 255 192 27 8 30 OxffffffeO 255 255 255 224 28 16 14 OxfffffffO 255 255 255 240 29 32 6 Oxfffffff8 255 255 255 248 30 64 2 Oxfffffffc 255 255 255 252 32 256 1 Oxffffffff 255 255 255 255 Networking Concepts A 7 Using Naming Services and the Host Table Subnetting Routing and VLSMs Routers and hosts can use the subnet field for routing The rules for routing on subnets are identical to the rules for routing on networks Releases before ComOS 3 5 Before ComOS 3 5 correct routing required all subnets of a network to be physically contiguous The network must be set up so that it does not require traffic between any two subnets to cross another network Also RFC 950 implicitly required that all subnets of a network have the same number of bits in the subnet field As a result ComOS releases before ComOS 3 5 require the use of the same subnet mask for all subnets of a network ComOS used the value of 255 255 255 255 for the user s Framed IP Netmask regardless of the value of the attribute ComOS 3 5 and Later Releases ComOS 3 5 and subsequent releases support variable length subnet masks VLSMs therefore the restrictions in earlier ComOS releases no longer apply The subnets of a network need not be physically contiguous and can have subnet masks of different lengths However ComOS still ignores the Framed IP Netmask value by default To ease the
263. figures the modem for you provided the modem is in the factory default state when it is initialized After a modem type has been specified the PortMaster automatically sets the port for hardware flow control the correct speed and modem control when the port is reset Displaying Modem Settings and Status 9 2 To display the modems currently configured in your modem table use the following command Command show table modem PortMaster Configuration Guide Using Automatic Modem Configuration A modem table display looks like the following Short Name Long Name Type cardinal Cardinal MVP288XF System mega Massive MegaFast User supra 288 Supra V 34 System The modem type is either system or user System indicates that the configuration settings are the factory default settings User indicates that the user has configured the modem table settings for that modem To display the settings for a particular modem use the following command Command gt show modem ModemName short The display for a modem looks like this Short Name supra fax 288 Long Name SupraFax 28 8 Optimal Speed 115200 Type User Defined Init Script Send Command Wait for Reply AT amp F2 amp C1 amp D3S0 1S2 129s 10 208W OK Adding a Modem to the Modem Table Using Modems To add a modem to the modem table use the following command Command add modem ModemName short ModemName long Speed String For example to add a Paradyne 3811 modem to
264. for more information about OSPF PortMaster Configuration Guide Configuring an Asynchronous Port 5 Each asynchronous port can be configured for several different functions giving the PortMaster configuration more flexibility However each port can carry out only one function at a time For example if a port receives a dial in user login request this port cannot be used for anything else until the current session is terminated The port is then available for dial out use or any other purpose specified when the port was configured This chapter discusses the following topics e Asynchronous Port Uses on page 5 1 e General Asynchronous Port Settings on page 5 3 e Configuring a PortMaster for Login Users on page 5 8 e Configuring a Port for Access to Shared Devices on page 5 11 e Configuring a Port for Network Access on page 5 15 e Configuring a Port for a Dedicated Connection on page 5 20 e Connecting without TCP IP Support on page 5 25 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Asynchronous Port Uses The following examples describe various uses for asynchronous ports Connections between Offices Office to office connections can be achieved with either dial up asynchronous connections or dial up synchronous connections depending on your application Chapter 17 Using Office to Office Connections gives an example of a dial up asynchron
265. g London PortMaster Office Router pend 9 PortMaster workstation 1 workstation 2 workstation 3 11820009 17 14 PortMaster Configuration Guide Using ISDN for On Demand Connections To enable multiline load balancing you must configure the SO port using the same settings shown for the PCMCIA port in Table 17 3 In addition when you configure the location paris on the Office Router in the London office use the values shown in Table 17 10 for the maximum number of ports and the high water mark See Dial Out Location Settings for London on page 17 7 for the other values Table 17 10 Location Settings for Load Balancing Setting Command Maximum ports set location paris maxports 2 High water mark set location paris high_water 100 The value of the high water mark depends on the type of traffic and how many bytes of traffic you want queued before the second line is used Using ISDN for On Demand Connections Using the ISDN BRI port on the PortMaster ISDN Office Router OR U is very similar to using the PCMCIA port on the OR M except that you must do the following e Configure the ISDN switch type as a global setting e Set the SPID on the port e Do not set the port speed flow control or modem control Set the telephone number with the set location telephone command Set the
266. g 11 12 described 11 9 functionality 11 9 multichassis capability 11 10 UDP 11 10 without a backup D channel 11 10 NIS A 8 setting 3 4 using instead of the host table 3 4 PortMaster Configuration Guide Subject Index non facility associated signaling See NFAS NO SERVICE port status 2 6 note icon xxviii NTI device 10 1 null modem cable 9 1 O office to office connections 5 1 17 1 on demand connections 2 4 8 3 17 1 ORWizard 1 2 outsource NAT configuring 13 24 outsourcer using call check 14 7 using L2TP 14 2 overriding asynchronous port settings 5 3 P packet filtering 12 2 packet size setting with MTU 8 8 PAP authentication 3 26 5 19 parity checking 5 4 9 8 partial user based authentication 14 10 tunneling 14 9 Password Authentication Protocol See PAP authentication PASSWORD port status 2 6 passwords deleting 3 2 for authentication See CHAP authentication PAP authentication L2TP 14 6 netuser 7 4 setting 3 2 setting for dial out 8 5 tunnel 14 10 user 7 2 7 4 14 10 permanent virtual circuits See PVC planning your configuration 1 3 pmbackup 1 2 pmcommand 1 2 PMconsole 1 1 pmconsole setting concurrent connections 3 6 pmdial 1 2 pmdumpfilter 1 2 pmreset 1 2 PMTools 1 2 pmupgrade 1 2 PMVision overview 1 1 setting concurrent connections 3 6 PMWizard 1 2 Point to Point Protocol See PPP polling interval Annex D 15 6 LMI 15 5 pool IP address 3 9 port type 5 9 PortMaster
267. g 7 Debug level messages To determine current syslog settings enter the following command Command gt show syslog Setting Administrative Logins to Serial Ports When you log in using root administrative logins to the serial ports are enabled by default You can disable or enable them by using the following command Command gt set serial admin on off If administrative login is disabled you can still use port SO or CO by setting the console DIP switch first from the left also known as DIP 1 to the up position Configuring an IP Address Pool You can dynamically assign IP addresses to PPP or SLIP dial in users By assigning addresses as needed from a pool the PortMaster requires fewer addresses than if each user is assigned a specific address When a dial in connection is closed the address goes back into the pool and can be reused When creating an address pool you explicitly identify the first address in the sequence of addresses available for temporary assignment The PortMaster allocates one address in the pool of addresses for each port configured for network dial in To set the value of the first IP address to assign for dial in ports use the following command Command gt set assigned address Ipaddress The default number of addresses available for the address pool is equal to the number of ports configured for network dial in The address pool size is determined during the boot process You can instead set t
268. g Locations for NAT Configuring NAT You can set up to 20 parameters when configuring a NAT location This section offers general guidelines and discusses some common options See Setting Up a Dial Out Location Using defaultnapt on page 13 33 for an example of NAT location configuration Refer to the PortMaster Command Line Reference for command details 1 Create a location Use the following command to add a location to the location table Command gt add location Locname Assign the location a telephone number Use the following command to assign a telephone number to the location Command gt set location Locname telephone 5551212 Set the username for the dial out location Use the following command to set a user to the location Command gt set location Locname user Username Set the user password for the location Use the following command to set the password Command gt set location Locname password Password Set the protocol for the location Use the following command to set the transport protocol Command set location Locname protocol slip ppp frame relay x75 sync Set the destination address Use the following command to set the destination IP address Command set location Locname destination Ipaddress negotiated 13 21 Configuring Ports Locations and Users for NAT 13 22 10 11 1 Set the maximum number of dial out ports for this location Use the following command to set the maximum nu
269. gh the PortMaster Ethernet interface You can enable IPX on the Ethernet interface on any PortMaster products attached directly to a local Ethernet Disable IPX traffic on this port only if the PortMaster is not attached to a local Ethernet network Configuring the Ethernet Interface 4 5 Setting Ethernet IPX Parameters 4 6 To enable or disable IPX traffic use the following command Command set ether0 ipx enabled disabled Note This command is available only on the Ether0 port Cay Setting the IPX Frame Type The IPX frame type must be identified and set to the value used on the local IPX network The frame type identifies the encapsulation method used on your IPX ports The IPX protocol can be implemented with one of the four commonly used IPX encapsulation and frame types shown in Table 4 2 Table 4 2 Novell IPX Encapsulation and Frame Types IPX Frame Type Encapsulation Ethernet_802 2 Consists of a standard 802 3 media access control MAC header followed by an 802 2 Logical Link Control LLC header This is the default encapsulation used by Novell NetWare 4 0 Ethernet_802 2_II Not commonly used Ethernet_802 3 Consists of a standard 802 3 MAC header followed directly by the IPX header with a checksum of FFFF This is the default encapsulation used by Novell NetWare 3 11 Ethernet II Uses Novell s Ethernet II and is sometimes used for networks that handle both TCP IP and IPX traffic The enc
270. gital Modems 11 14 Hot Swapping Digital Modem Cards With the last call feature you can hot swap a modem card without dropping calls To force an active modem into ADMIN mode as soon as the last active call terminates use the following command Command set MO lastcall When the last call feature is set modem status displayed by the show m0 and show modems commands is ACT LC Setting Digital Modems to Analog Service When analog modem service is required for dial out network connections you can convert the analog service to digital service To set the digital modems to analog modem service for the specified location use the following command Table 11 12 explains the analog modem options Command set location Locname analog on off Table 11 12 Analog Modem Options Option Description Locname Location name that is in the location table on Enables analog modem service on dial out off Disables analog modem service on dial out Use the following command to display the settings for a particular modem Command show MO You can display the status for all digital modems Modem states are as follows e ACTIVE in use e READY available for use e ADMIN busy PortMaster Configuration Guide Using Channelized T1 e TEST under test e DOWN unavailable To display the status for all digital modems use the following command Command gt show modems Using Channelized T1 The PortMaster
271. gt set W1 speed Speed Configuring a Synchronous WAN Port 6 5 Configuring WAN Port Settings 6 6 You can substitute any of the following for Speed 9600 19200 56000 64000 115200 1536k tl el 14400 38400 57600 76800 1344k 2048k tle Setting Modem Control When modem control is on the PortMaster uses the condition of the carrier detect DCD signal from an attached modem to determine whether the line is in use Modem control is off for synchronous connections by default With modem control set off the PortMaster assumes the carrier detect line is always asserted Table 6 2 describes the effects of DCD condition on port behavior Table 6 2 Effects of Carrier Detect Condition on Port Behavior Connection Type Carrier Detect Asserted Carrier Detect De asserted Hardwired Port attempts to establish a Port is unavailable network connection Dialin PortMaster initiates Port is unavailable authentication and displays a login prompt Dialout No effect Transition from asserted to deasserted resets the port Twoway Port attempts to establish a Port is available network connection Set modem control on only if you want to use the DCD signal from the attached device In general set modem control on for network dial in or dial out configurations Modem control is usually off for leased line or Frame Relay connections but you can use it if the CSU DSU is configured accordingly To set modem control use the fol
272. he International Multimedia Teleconferencing Consortium IMTC that develops standards for Internet telephony The VoIP Forum plans to define technical guidelines for two party voice and other audio communications for compatibility with traditional telephone service networks via telephony and or IP gateways Virtual private dial up network or virtual private data network See VPN Virtual private network A restricted network that uses public wires to connect nodes A VPN provides a way to encapsulate or tunnel private data cheaply reliably and securely through a public network usually the Internet IP packets are encapsulated in a VPN protocol VPNs use encryption and other security mechanisms to prevent unauthorized users from accessing the network and intercepting the data Virtual Terminal Protocol An ISO application for establishing a virtual terminal connection across a network VTP provides terminal emulation that allows a computer system to appear to a remote system as if it were a directly attached terminal PortMaster Configuration Guide Glossary WAN Wide area network A data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers Frame Relay is an example of a WAN Compare LAN wide area network See WAN World Wide Web All the resources and users on the Internet that are using the Hypertext Transport Protocol HTTP The Web is made
273. he PortMaster Command Line Reference for more details about L2TP commands Load Balancing among Tunnel Server End Points Optional When you configure redundant tunnel server end points on the RADIUS server see Configuring Redundant Tunnel Server End Points on page 14 11 the PortMaster selects tunnel end points serially always beginning with the first To set the PortMaster to choose tunnel end points randomly use the following commands Command gt set 12tp choose random tunnel endpoint on off Command gt reset 12tp Command gt save all Configuring L2TP 14 5 Configuring L2TP on the PortMaster 3 14 6 Setting L2TP Tunnel Authentication Optional You authenticate L2TP users by setting a password in the RADIUS user profile see Configuring a Shared Secret on page 14 10 The user s session is then authenticated by the RADIUS server You can also authenticate the tunnel You can set tunnel authentication in RADIUS or you can set it on the LAC the LNS or both If you want the RADIUS server to authenticate the tunnel you must set a tunnel password in RADIUS see Configuring a Shared Secret on page 14 10 RADIUS tunnel authentication takes priority over authentication by either the LAC or the LNS If tunnel authentication is set on the LAC and or the LNS and on the RADIUS server the RADIUS server authenticates the tunnel To set tunnel authentication on the LAC or the LNS you must first set an L2TP password l
274. he interface or port for the changes to take effect To reset a port or interface use the following command Command reset nat Ether0 SO W1 13 28 PortMaster Configuration Guide Administration Considerations for NAT To reset all existing NAT sessions you can globally reset the entire NAT subsystem by entering the following command Command gt reset nat Caution This command resets all existing NAT sessions on the PortMaster just as if it had been rebooted When you reset NAT on a PortMaster with active sessions some connections might be left open on clients and servers or not shut down properly Because globally resetting NAT can leave connections between hosts in an unknown state Lucent recommends that you avoid using this command while sessions are active You can delete individual sessions by specifying the session identification number Use the show nat sessions command to display session identification numbers then use the following command to delete NAT sessions by session ID Command delete nat sessions Sessionid Administration Considerations for NAT A few special considerations must be taken when configuring your network in the presence of a NAT Advertising Routing Information Because NAT maps private addresses to global addresses you must disable network advertisements on the NAT router global interface For example if you are running NAT on an PortMaster IRX 211 with EtherO as your private interface
275. he number of IP addresses assigned to the pool with the set pool command Configuring Global Settings 3 9 Setting the Reported IP Address To limit the size of the IP address pool use the following command Command gt set pool Number Note You must reboot the PortMaster after you set or change the number of addresses in the pool for the change to take effect Setting the Reported IP Address Some sites require a number of different PortMaster devices to appear as a single IP address to other networks You can set a reported address different from the EtherO address For PPP connections this address is reported to the outside and placed in the PPP startup message during PPP negotiation For SLIP connections this address is reported and placed in the SLIP startup message during SLIP startup To set a reported IP address use the following command Command set reported ip Ipaddress Configuring SNMP 3 10 The simple network management protocol SNMP is an application layer protocol that allows devices to communicate management information You can configure the PortMaster to provide network and device information via SNMP to a network management system NMS You must have NMS software to use SNMP SNMP consists of the following parts e SNMP agent provided in ComOS e SNMP manager not provided Management Information Base MIB SNMP specifies the message format for exchanging information between the SNMP manag
276. he two locations 3 If everything connects as expected reset the port on the PortMaster 2 in the Paris office turn off debugging and change the location type to on demand Command reset s1 Command gt set debug off Command gt set location london on_demand 17 12 PortMaster Configuration Guide Setting the Console Port for Multiline Load Balancing 4 If you notice a problem do the following a b C d Reset the port on the PortMaster 2 in the Paris office Change the settings you think are causing the problem Dial the London office again Repeat this procedure until the connection is made correctly 5 Repeat Steps 1 through 4 dialing from the London office to the Paris office Setting the Console Port for Multiline Load Balancing Multiline load balancing is used to add additional lines when network traffic is heavy If more than one line to the same location is established the PortMaster balances the traffic among the lines To configure the Office Router for multiline load balancing you must attach an external modem to the console port In this example the console port is being configured for use as another serial port Once you set this configuration the port is no longer available for the system console Figure 17 2 shows the multiline load balancing configuration Using Office to Office Connections 17 13 Setting the Console Port for Multiline Load Balancing Figure 17 2 Multiline Load Balancin
277. ho do not have the algorithm of the device for generating the encrypted response cannot access the network See also ActivCard CHAP SecurID token PortMaster Configuration Guide Glossary open database connectivity See ODBC Open Datalink Interface See ODI open message A message sent between BGP peers to establish communication See also keepalive message notification message update message Open Shortest Path First See OSPF Open Systems Interconnection See OSI OSI Open Systems Interconnection An ISO standard for worldwide communications that defines a framework for the common functions in a telecommunications system Control is passed from one layer to the next starting at the application layer in one station proceeding to the bottom physical layer over the channel to the next station and back up the hierarchy Instead of serving as the universal standard as originally intended the OSI standard serves as the model for designing and understanding networking products and protocols OSPF Open Shortest Path First A link state interior gateway routing protocol designed for a hierarchical routing structure OSPF chooses routes on a best path least cost basis and supports variable length subnet masks VLSMs for classless networking allows up to 255 hops between routers and provides packet authentication See also RIP out of band connection A remote connection or a connection outside connected networks esta
278. hosts Access filters work as follows 1 The user specifies a host 2 The host address is compared against the access filter 3 If the address is permitted by the filter the connection is established 12 14 PortMaster Configuration Guide Restricting User Access 4 If the address is not permitted the connection is denied unless access override is enabled If you want a user to be able to override a port s access filter enable access override on that port In this case the process is as follows l 2 Access is denied by the access filter The user is prompted for a username and password The user is verified by the user table or RADIUS The access filter defined for this user is used to determine if the user has permission to access the specified host To enable a user to override a port s access filter with his or her own filter use the following command Configuring Filters Command set S0 access on 12 15 Restricting User Access 12 16 PortMaster Configuration Guide Configuring NAT 13 This chapter describes the ComOS implementation of network address translator NAT software The chapter provides a brief introduction to the feature followed by a discussion of NAT concepts and detailed configuration guidelines The chapter concludes with examples of typical uses for the technology This chapter includes the following sections NAT Concepts on page 13 2 NAT Restrictions on page 13 4
279. hosts in Figure 13 1 access to the Internet Again you can do this in either of the following ways Command set map Mapname 1 addressmap 10 5 3 6 10 5 3 10 192 168 5 3 192 168 5 7 Command set map Mapname 1 staticaddressmap 10 5 3 6 10 5 3 10 192 168 5 3 192 168 5 7 13 11 NAT Maps The first command uses a dynamic address map see Configuring Dynamic Address Pools for Outbound NAT on page 13 7 With this kind of map each time an internal host in the address range 10 5 3 6 10 5 3 10 initiates an outbound session it receives the first available address from the global IP address range 192 168 5 3 192 168 5 7 The second command uses a static address map see Configuring Static Address Pools for Outbound NAT on page 13 7 In this case whenever the internal host with private IP address 10 5 3 6 initiates an outbound session it always maps to global address 192 168 5 3 The internal host with private address 10 5 3 7 always maps to global address 192 168 5 4 and so on You must also define a location user or port for this map see Configuring Ports Locations and Users for NAT on page 13 18 For example to associate this outbound map which you name myisp outmap with location isp enter the following command Command set location isp nat outmap myisp outmap Creating Maps for Inbound Sessions Note Inbound maps are restricted to static address maps or static TCP or UDP port maps only Outbound maps do not have
280. ialing 16 5 See also synchronous ports warning icon xxviii well known ports B 1 well known services B 1 Subject Index 13 Subject Index Subject Index 14 PortMaster Configuration Guide
281. ications equipment See DCE data encryption standard See DES data link connection identifier See DLCI data service unit See DSU Data Set Ready See DSR data terminal equipment See DTE Data Terminal Ready See DTR Glossary 17 Glossary DBMS DCE D channel DDE Database management system A collection of programs that enables you to store modify and extract information organized in fields records and files from a database The DBMS accepts requests for data from the application program and instructs the operating system to transfer the appropriate data Requests for information from a database are made in the form of a query a stylized question The terms relational network flat and hierarchical refer to the way a DBMS organizes information internally The internal organization can affect how quickly and flexibly information is extracted New categories of data can be added to the database without disruption to the existing system A DBMS also controls the security and integrity of the database See also RDBMS Data communications equipment or data circuit terminating equipment Devices and connections of a communications network that make up the network end of the interface between the network and the user The DCE provides a physical connection to the network forwards traffic and provides a clocking signal to synchronize data transmission between DCE and data terminal equipment DTE devices Modems and inter
282. identified as Line2 in the PortMaster 3 Follow these steps to configure the PortMaster 3 to use fractional T1 service 1 Set the line for fractional T1 Command gt set line2 fractional 2 Set the channel group for fractional TI Command gt set line2 group Cgroup channels Channel list 3 Set the channel rate Command set line2 group Cgroup 56k 64k Note 56Kbps is typically used for D4 framing while 64Kbps the default is used for other framing types 4 Save the configuration and reboot the PortMaster Command save all Command reboot Note If you reboot the PortMaster before setting the group and the channel for fractional T1 you lose the line Configuring the PortMaster 3 for Full T1 To configure the card for full TI enter the following commands Command set line2 t1 Command save all PortMaster Configuration Guide Using the T1 Expansion Card Troubleshooting the T1 Expansion Card If the T1 expansion card is not properly installed the show line2 command displays the following status line2 not available This message indicates that the card is either not present or installed incorrectly If the card is present remove it wait 5 seconds and reinstall it Refer to your hardware installation guide for instructions When you remove the card the console displays the following message Card Service Stopping wancard in slot 0 When you correctly reinstall the card the console displays the fo
283. ides dial up network access to users and devices without network interfaces A communications server allows remote users nonnetwork printers mainframe computers and other peripherals to connect to a network through its asynchronous port s PortMaster 2 products are communications servers Compare remote access server A label that identifies a group of BGP destinations for the purpose of policy enforcement Assembling destinations into identifiable communities lets BGP peers base policy decisions on the identity of the group rather than on individual destinations The community identifier which consists either of one 32 bit value or two 16 bit values is advertised in update messages between BGP peers community string ComOS A character string assigned to a Simple Network Management Protocol SNMP agent to restrict read and write access to the SNMP variables The operating system for PortMaster products competitive access provider See CAP competitive local exchange carrier See CLEC compression protocol Glossary 14 A protocol that can improve Internet transmission speeds by as much as 400 percent by compressing data at the sending modem and decompressing it at the receiving modem For PortMaster products ComOS version 3 7 or later implements the PPP Compression Control Protocol RFC 1962 and Stac LZS Compression Protocol RFC 1974 Stac LZS data compression is available only on the PortMaster 3 and PortMast
284. ier and an external terminal adapter TA Speeds of up to 128Kbps are possible if the terminal adapter supports B channel bonding Contact your service provider for specific information about the required terminal adapter Switched 56Kbps connections require an external CSU DSU ISDN and switched 56Kbps connections can be initiated on an as needed basis or they can remain active all the time A dial out location must be specified in the location table for dial out connections and a dial in user must be specified in the user table for dial in connections PAP is available for dial in authentication when a router dials in to your PortMaster CHAP is available for dial in and dial out authentication When connecting an asynchronous ISDN terminal adapter to an asynchronous port using AT commands to dial configure the PortMaster just as you would for a modem Refer to Chapter 17 Using Office to Office Connections and Chapter 18 Using Internet Connections for more information In this configuration keep in mind that a 115 2Kbps asynchronous DTE rate can support only a single 64Kbps B channel because a byte of asynchronous data requires 10 bits including stop and start bits for transmission but a byte of synchronous data 16 1 Overview of Synchronous V 25bis Dial Up Connections requires only 8 bits A 115 2Kbps DTE rate cannot properly support two 64Kbps B channels because the terminal adapter is unable to buffer the excess
285. iew of PortMaster Filtering 2c 12 1 Filter Options y pee abe bad baie bad deeded baie baie daeed 12 2 Filter Organization ce eee res 12 3 How Filters Work 0 m rh 12 4 Creating FilteiS con RE ties Poe Cece Cee Cece Coes Cees Cees Cees Coens 12 5 Creating IP Elders WIRE SE APSE ER ESE SRSA SESAME ELSE SL LOS 12 6 Filtering TCP and UDP Packets 0 cece nes 12 7 Creating IPX Filters 2 eer 12 7 Displaying Bilters igiezidmineEu ey Oana Oa alae Ro RR naa nw anew en eens 12 8 Deleting Filters auus exu ee eis es EO Ss Ss Sas Sa Ss Ss SS 12 8 PortMaster Configuration Guide Contents 13 Contents EXAMPlesBUters alee natin eben Baer ne er ar er arererararneacnrare rare bares 12 9 Simple dter cucisGmeecuu fees ex Sake See See ee ae eee eS 12 9 Input Filter for an Internet Connection aasre eee ee eee 12 10 Input and Output Filters for FTP Packets 2 0 12 11 Rule to Permit DNS into Your Local Network 0 0000s eee eee 12 12 Rule to Listen to RIP Information 0 0 0 e 12 12 Rule to Allow Authentication Queries leen 12 12 Rule to Allow Networks Full Access leeee een 12 13 Restrictive Internet Filter leere 12 13 Restricting User Access 45 oov p nx eV ae Oe eve veu Vain Veta Rowen 12 14 Configuring NAT Overview of NAT 3 oot te a e oe ee CRS SS AS o kiiri 13 2 NAT GoOlceptss xot boe See nih tete ite testes rite Yeats Yate ete b
286. ific locations or to differentiate among different types of modems that are compatible with the remote location The dial group associated with a location works with the dial group specified for each port For example you create a dial out location called Home and specify that the dial group for home is 2 When you configure each port you can assign the port to a dial group Only ports assigned to group 2 are used to dial the location home while other ports are not used To associate a location with a dial group number use the following command Command gt set location Locname group Group Setting the MTU Size The maximum transmission unit MTU defines the largest frame or packet that can be sent through this port without fragmentation If an IP packet exceeds the specified MTU it is automatically fragmented An IPX packet that exceeds the specified MTU is automatically dropped PPP connections can have a maximum MTU of 1500 bytes SLIP connections can have a maximum MTU of 1006 bytes With PPP the PortMaster can negotiate smaller MTUs when requested during PPP negotiation The MTU is typically set to the maximum allowed for the protocol being used However smaller MTU values can improve performance for interactive sessions During PPP negotiation the smaller number is used If you are using IPX the MTU must be set to at least 600 To set the MTU for a location use the following command Command gt set location Locname mtu MT
287. igure dial out locations in the location table The location table is described in Chapter 8 Configuring Dial Out Connections Configure the Lucent ComOS network address translator NAT software to provide access to the Internet for hosts without public IP addresses See Chapter 13 Configuring NAT for instructions PortMaster Configuration Guide Basic Configuration Steps Introduction 13 14 15 16 17 Configure the Layer 2 Tunneling Protocol L2TP if you are setting up an L2TP tunnel to an L2TP compatible router See Chapter 14 Configuring L2TP for instructions Configure filters in the filter table Once the filters are created they can be assigned as input or output filters for the Ethernet interface users locations or hardwired ports Filters are described in Chapter 12 Configuring Filters Configure OSPF if you are using this protocol OSPF is described in the PortMaster Routing Guide Configure BGP if you are using this protocol BGP is described in the PortMaster Routing Guide Troubleshoot your configuration if necessary and back it up See the PortMaster Troubleshooting Guide for instructions Once you have correctly configured all the settings necessary for your circumstances your PortMaster is ready to provide communication service and routing for your network 1 7 Basic Configuration Steps 1 8 PortMaster Configuration Guide How the PortMaster
288. in fine tuning the level of access provided to users For installation and configuration instructions see the ChoiceNet Administrator s Guide Preconfiguration Planning Introduction Before the PortMaster can be used to connect wide area networks WANs you must install the hardware using the instructions in the installation guide for your system This configuration guide is designed to introduce the most common configuration options available for PortMaster products Review this material before you configure your PortMaster and if possible answer the following questions What general configuration do you want to implement Do you want to use a synchronous connection to a high speed line Will your high speed lines use Frame Relay ISDN switched 56Kbps or the Point to Point Protocol PPP If you want dial on demand routing do you want multiline load balancing Do you want multilink PPP RFC 1717 Do you want packet filtering for Internet connections Do you want packet filtering for connections to other offices Do you want dial in users to use the Serial Line Internet Protocol SLIP PPP or both 1 3 Preconfiguration Planning e If you use PPP do you want the authenticate users with the Password Authentication Protocol PAP or the Challenge Handshake Authentication Protocol CHAP e Do you want to use the Layer 2 Tunneling Protocol L2TP to provide security on the public networks linking your offices
289. ing Network Users To set the user IP address for a normal network user use the following command Command set user Username destination assigned negotiated Ipaddress Setting the Subnet Mask Do not set a subnet mask for a network user unless the user is routed to another network from your network In that case set the subnet mask to 255 255 255 255 To set the subnet mask use the following command Command set user Username netmask Ipmask Setting the IPX Network Number If you are using the IPX protocol for this user you must assign a unique IPX number to the network connection between the remote user device and the PortMaster Each user s connection requires a different IPX network number If you use Oxfffffffe as the IPX network number the PortMaster assigns the user an IPX network number based on an IP address from the IP address pool Note Do not set a value of all Os zeros or all Fs for the IPX network number To set the IPX network number use the following command Command set user Username ipxnet Ipxnetwork Configuring RIP Routing As described in the PortMaster Routing Guide PortMaster products automatically send and accept route information as RIP messages To configure RIP routing for a network user use the following command Command set user Username rip on off broadcast listen Note Releases earlier than ComOS 3 5 use the keyword routing instead of the rip by keyword 7 6 PortMas
290. int See also easy multihome multiline load balancing The ability of a PortMaster to add additional lines when network traffic is heavy If more than one line to a remote location is established the PortMaster balances the traffic among the lines Multiline load balancing is a proprietary PortMaster technique distinct from Multilink PPP Multilink PPP Multilink Point to Point Protocol A protocol defined in RFC 1990 that allows a PortMaster to automatically build up additional ISDN B channels as bandwidth needs increase See also Multichassis PPP Multipurpose Internet Mail Extensions See MIME Glossary 45 Glossary N name server name service NAS NAT NCP neighbor netboot netmask Glossary 46 A server connected to a network that resolves hostnames into network addresses The software system that provides a database of authorized users for a computer subnet or network The system can reside on one device or be distributed across several devices in a network See remote access server Network address translator Software that runs on a router and maps one IP address or group of IP addresses to another IP address or group of IP addresses The mapping or translation is transparent to users and applications The Lucent ComOS implementation of the Network Address Translator NAT protocol is based on the latest Internet Engineering Task Force IETF draft entitled The IP Network Address Translator NAT
291. ion where the remote router is defined as a location on the local PortMaster As described in the PortMaster Routing Guide PortMaster products automatically send and accept route information as RIP messages Refer to the PortMaster Routing Guide for OSPF and BGP configuration instructions To set RIP routing for a location use the following command Command set location Locname rip on off broadcast listen Table 8 2 describes the results of using each keyword Table 8 2 Keywords for Configuring RIP Routing Keyword Description on The PortMaster broadcasts and listens for RIP packets from this network interface when it is established off The PortMaster neither broadcasts nor listens for RIP packets from this network interface when it is established This is the default broadcast The PortMaster broadcasts RIP packets to this network interface when it is established listen The PortMaster listens for RIP packets from this network interface when it is established Note Releases earlier than ComOS 3 5 use routing instead of the rip keyword le Configuring Dial Out Connections 8 7 Configuring the Location Table Setting the Dial Group Dial groups associate locations with specific dial out ports By default all ports and locations belong to dial group 0 zero You can configure locations and ports into dial groups numbered from 0 to 99 Dial group numbers can be used to reserve ports for dial out to spec
292. ions When the connection is established to a remote site the designated filters are attached to the network interface used You can attach filters for incoming packets or for outgoing packets or for both It is usually more effective to filter incoming packets so that you can protect the PortMaster itself For more detailed instructions on using the filter commands see the PortMaster Command Line Reference To create a filter use the following command Command gt add filter Filtername You must then use the appropriate set command to add rules that permit or deny packets The PortMaster generates an error message when the number of filter rules exceeds the limit See the following sections for instructions e Creating IP Filters on page 12 6 e Filtering TCP and UDP Packets on page 12 7 e Creating IPX Filters on page 12 7 Configuring Filters 12 5 Creating Filters Creating IP Filters You can create a rule that filters IP packets according to their source and destination IP addresses For more information on the command syntax for creating filters see the PortMaster Command Line Reference To create an IP filter rule that filters by address use the following command entered on one line Command set filter Filtername RuleNumber permit deny Ipaddress NM Ipaddress dest NM protocol Number log notify You can replace protocol Number with one of the following keywords e esp matches pack
293. ions to NAT might add to their network In fact the use of NATs can compromise security by allowing the end user traffic payload to be sniffed by the NAT routers and or ALG extensions NAT routers that are not within a trusted boundary can cause a security problem Although you can encrypt NAT traffic usually NAT must be the end point to such encryption and decryption For example you cannot configure end to end IPSec with NAT routers in between The end point must be a NAT router In addition NAT operation can have an unintended consequence Placing your private network behind a NAT often makes the network appear inaccessible from the outside NAT is not an all in one security solution You must evaluate your organization s particular configuration and network topology to determine whether NAT will eliminate any need for further security measures such as a firewall When configuring DNS on hosts behind a NAT you can add a map similar to the following dns inmap example on the internal interface which is usually EtherO on a PortMaster Alternatively you can enter the IP address of your PortMaster as the DNS server This type of map is useful if you do not always have the same DNS server multiple providers but do not want to reconfigure all your private hosts Command set dns inmap 1 static tcp udp portmap ipaddr dns Ipaddrxto Tport1 Portname Command set ether0 nat inmap dns inmap NAT and NAPT Examples Configuring
294. iple IP addresses and associated TCP UDP ports are translated to a single IP address and its TCP UDP ports e Outsource NAT is an implementation of the NAT protocol in which NAT processing is done on the server side of a connection for external hosts Outsource NAT can be used for external hosts that do not have the ability to translate private IP addresses to global IP addressees or as a way to centralize management of external hosts The Lucent ComOS supports NAT NAPT and outsource NAT for outbound and inbound sessions NAT Concepts This section explains NAT terminology and offers some hints to help you make the most effective use of the NAT software Private and Global Addressing In general for NAT the terms private and global refer to addresses in a network while the terms internal and external apply to hosts ComOS maintains NAT map tables of associations of private IP addresses and global IP address Private addresses are IP addresses assigned to hosts in a private network Hosts in a private network are referred to as internal hosts PortMaster routers running NAT software translate private addresses to global addresses when internal hosts communicate outside the local network 13 2 PortMaster Configuration Guide NAT Concepts Global addresses are standard IP addresses that are accessible from any point on the Internet Global addresses are the addresses of hosts that are external to a private network When PortMaste
295. is being configured for a V 25bis dial up synchronous connection to the PortMaster in Boston Using Synchronous V 25bis Connections 16 7 Configuration Steps for a Synchronous V 25bis Connection Configuring Global Settings Configure the following global settings to the values shown in Table 16 6 Table 16 6 Global Value Setting Command IP gateway set gateway 192 168 1 2 This is the address of the next upstream router Default routing set default on System name set sysname miami After you configure the global settings shown in Table 16 6 enter the following command to save the configuration Command gt save all For more information about global settings refer to Chapter 3 Configuring Global Settings Configuring Ethernet Interface Settings Configure the Ethernet settings to the values shown in Table 16 7 Table 16 7 Ethernet Values Setting Command Protocol set ether0 ipx enabled IP address set ether0 address 192 168 1 1 Netmask set ether netmask 255 255 255 0 IPX network set ether0 ipxnet F2 IPX frame type set ether0 ipxframe ethernet 802 2 Broadcast address set ether0 broadcast high RIP routing set ether0 rip on 16 8 PortMaster Configuration Guide Configuration Steps for a Synchronous V 25bis Connection After you configure the Ethernet interface as shown in Table 16 7 enter the following command to save the configuration Command gt save all
296. is external to the PortMaster Note CRC errors will occur if the cable is ever unplugged from the PortMaster Verify that you are using the correct cable and that it is attached securely to the correct port Not all WAN ports are capable of the same speeds Verify that the DIP switch next to the synchronous port is set to V 35 for Lucent cables and that you are plugged into the correct V 35 interface on your CSU DSU Verify that the CSU DSU is providing the clock signal to the PortMaster The CSU DSU can generate the clock signal or receive it from the carrier Verify that the CSU DSU is configured properly If you have a Cisco router on the other end of your connection make sure that it is running Cisco s software release 9 14 5 or later and is using PPP encapsulation not High Level Data Link Control HDLC If the framing errors are greater than 0 verify that the router on the other end of the connection is running the PPP protocol PortMaster Configuration Guide Troubleshooting a Leased Line Connection e If you still have problems enter the following commands Command gt set debug 0x51 Command set console s1 Then set the CSU DSU for local loopback You should see the following message LCP APPARENT LOOP For more information about the interpreting the results of the debug command refer to the PortMaster Troubleshooting Guide e Ifthe local loopback shows network connectivity in the local router take the CS
297. ive maintenance over a given period of time 2 Mean time to repair The average amount of time needed to repair a failed unit PortMaster Configuration Guide Glossary MTU Maximum transmission unit The largest frame or packet that can be sent through a port on a PortMaster without fragmentation multicast backbone See MBone Multichassis PPP Multichassis Point to Point Protocol Multilink PPP over two or more chassis multiexit discriminator In BGP an arbitrary rating number that the PortMaster can use to enforce the use of preferred exit and entry points when multiple connections exist between its autonomous system and another The PortMaster assigns the multiexit discriminator to any route that it advertises to its external peers and forwards any multiexit discriminator it learns from its external peers on to its internal peers A lower number indicates a greater preference for a route when more than one exists to a destination through multiple peers within the same neighboring autonomous system You can use a routing policy rule to override this value and assign your own multiexit discriminator to a route that you learn or advertise multihome routing In BGP the process of choosing among multiple exit points to route packets out of a single autonomous system typically to the Internet Routers in a multihomed autonomous system usually store large amounts of network reachability information to help them select the best exit po
298. l for T1 To set the inband signaling protocol and the inband call options used with channelized T1 use the following command Table 11 4 explains the inband signaling protocol options Command set LineO signaling wink immediate fxs Table 11 4 T1 Inband Signaling Protocol Options Option Description Lineo LineO or Linel wink E amp M wink start protocol an option for use with T1 lines This is the T1 default immediate E amp M immediate start protocol used with T1 lines fxs Foreign exchange station FXS loop start protocol used with T1 lines Setting the Inband Signaling Protocol for E1 Although PortMaster products do not require dial digits the calling number and caller ID when establishing a connection most telecommunications service providers telcos transmit this information by default You can use the r2gen signaling option if you do not require dial digits but you must first arrange for the telco not to transmit these signals The PortMaster defaults to r2generic when you set the line to inband see Configuring Line Use on page 11 2 To accept caller ID and dial digit tones use the mrf2 option Because some countries implement different variations of multifrequency robbed bit signaling MFR2 you must specify a profile with the mfr2 option To set the inband signaling protocol and the inband call options used with channelized EI use the following command Command set LineO sig
299. l server storage of filters dynamic filter downloading and the control of user access based on lists of sites rather than individual sites Developed by Lucent Technologies the ChoiceNet server is shipped with all PortMaster remote access servers and routers Glossary 11 Glossary CIDR CIR class class library Classless interdomain routing A technique supported by BGP 4 that eliminates the necessity for network address classes by explicitly advertising the length netmask associated with each prefix Committed information rate The minimum bandwidth guaranteed to be available if required on a virtual circuit This value is also known as guaranteed bandwidth In object oriented programming a category of objects The class defines the common properties operations and behaviors of different objects that belong to it For example a class called shape might contain objects that are circles rectangles and triangles A class can be regarded as a template definition of the methods and variables in a particular kind of object A class with subclasses which inherit all or some of its characteristics is also known as a superclass The structure of a class and its subclasses is called a class hierarchy See also class library object subclass A collection of related classes that solve specific programming problems See also class classless interdomain routing See CIDR clearing house server CLEC Glossary 12 A forwa
300. lace over point to point dedicated circuits or over a network via Frame Relay Asynchronous Transfer Mode ATM or any supported data transfer protocol In this configuration L2TP provides virtual dial up ports to the outsourcer clients This setup is sometimes referred to as a virtual private dial up network VPDN The service is transparent to client users users still terminate PPP sessions on the client s network via the LNS and clients do their own RADIUS authentication accounting and IP address assignment Locally stored profiles are not supported for L2TP You must use RADIUS 2 1 in fact most of the L2TP setup involves RADIUS configuration See Configuring L2TP on the RADIUS Server on page 14 8 for more information Note L2TP is not supported on the PortMaster 2 PortMaster 25 PortMaster IRX or ky PortMaster Office Router platforms 14 2 PortMaster Configuration Guide Overview of L2TP How L2TP Works Basic L2TP service operates as follows The LAC accepts a call and establishes a tunnel to the LNS for that PPP session The LAC just accepts the call it does not process PPP packets If call check is used authentication can be done on the LAC otherwise authentication takes place on the LNS which terminates the call The tunnel can be established based upon the RADIUS check item Called Station Id or on the value of the User Name attribute If the call is based upon User Name partial authentication occurs on the
301. lation The network address port translator NAPT differs from basic NAT because it provides external access for a number of internal hosts using a single global IP address NAPT referred to as many to one translation translates internal addresses to one of the 64 000 available port numbers of a single global address NAT Restrictions 13 4 The Lucent ComOS implementation of NAT does not support the following e ComOS releases before ComOS 3 9 e SNMP applications across network address translation an Abstract Syntax Notation One ASN 1 payload might contain IP addresses and TCP UDP ports of private network e DNS zone transfer across network address translation NAT needs a distinct internal DNS server to maintain name mapping for internal hosts e Routing protocols across network address translation NAT cannot advertise the local network to the backbone e NAPT for applications sensitive to client side TCP UDP ports such as rlogin PortMaster Configuration Guide NAT Configuration Tasks e End to end virtual private network VPN tunnels e Multicast applications NAT Configuration Tasks Configuring NAT This section lists the tasks you must perform to configure NAT on your PortMaster with references to sections that provide detail and discussion to help you decide the best configuration for your situation You configure separate NAT address maps for inbound and for outbound traffic NAT maps can use static
302. le you can use any PortMaster for this configuration The PortMaster Office Router is designed to provide cost effective connectivity between small remote branch offices and larger headquarters main offices These types of connections are typically established on an as needed basis For most applications a continuous connection is not cost effective to maintain when a dial on demand connection can be established to transfer network traffic when necessary A dial on demand link establishes a connection with the specified location when network traffic is queued The PortMaster PCMCIA Office Router OR M is designed to support a dial on demand connection with another office using the PCMCIA modem port S1 Figure 17 1 shows an example of this configuration The console port SO can be 17 1 Overview of Example Configuration used as a console or with an external modem and a straight through cable connected as an additional dial on demand port for multiline load balancing during peak traffic periods Figure 17 1 Office to Office Dial On Demand Configuration workstation 1 workstation 2 O PortMaster Office Router external modem attached to console port J X London i Paris FK v x external Fae s modems ue workstation
303. le 17 7 Two Way Port Values Setting Command Port type set sl network twoway Speed 1 set sl speed 1 115200 Speed 2 set sl speed 2 115200 Speed 3 set sl speed 3 115200 Modem control set sl cd on Hardware flow control set sl rts cts on Software flow control set sl xon xoff off Idle timer set sl idletime 5 Dial group set sl group Leave all the other settings at their default values After you configure the port as shown in Table 17 7 enter the following commands to reset the port and save the configuration Command gt reset sl Command gt save all For more information about asynchronous ports refer to Chapter 5 Configuring an Asynchronous Port Using Office to Office Connections 17 9 Configuration Steps for an Office to Office Connection Configuring a Dial In User A user account must be set up on the PortMaster 2 in Paris so the Office Router in the London can dial in when traffic is queued The new user london must be configured with the values shown in Table 17 8 Table 17 8 User Table Values User IP address Netmask IPX network RIP routing MTU Compression Setting Command Username add netuser ondon Password set user ondon password anypasswd Protocol set user london protocol ppp set user ondon destination 192 168 200 1 set user ondon netmask 255 255 255 0 set user london ipxnet F2 When configuring the IPX network number for the dial in user you must set a nu
304. lephone 5551212 set location denver password anypasswd set location denver high_water 0 set location denver maxports 1 Using ISDN BRI 10 19 ISDN BRI Unnumbered IP Configuration Example Note Configuring the maximum ports setting to a value higher than 0 causes the PortMaster to dial out to a continuous location or become available for dial out to an on demand location By configuring the maximum ports setting last you ensure that the PortMaster will not attempt to make a connection with a location until you have configured all the settings for that location After you configure location table settings as shown in Table 10 12 enter the following command to save the configuration Command save all For more information about configuring location table parameters refer to Chapter 8 Configuring Dial Out Connections Use the dialer to connect between the two offices as instructed in the next section Once everything is working properly you can change the location type from manual to on demand on both routers and reset the ports Testing the Setup 10 20 You should test the configuration before setting either of the locations for on demand dialing To test the configuration follow these steps 1 Enter the following commands on the PortMaster in Denver to connect from location denver to location sf Command set console s1 Command gt set debug 0x51 Command gt set debug isdn on Command gt dial sf
305. les 172 16 0 2 is the address of your FIP server and 192 168 0 1 is the address of the host from which you allow outgoing FIP Caution This configuration is not recommended if you run any of the following protocols on any of the hosts from which you allow FIP access NFS X RPC or any other service that listens on ports above 1023 The rules for the input filter are as follows Command set filter internet in 1 permit 0 0 0 0 0 192 168 0 1 32 tcp src eq 20 dst gt 1023 Command set filter internet in 2 permit 0 0 0 0 0 192 168 0 1 32 tcp src eq 21 estab Command set filter internet in 3 permit 0 0 0 0 0 172 16 0 2 32 tcp dst eq 21 Command set filter internet in 4 permit 0 0 0 0 0 172 16 0 2 32 tcp src gt 1023 dst eq 20 estab Configuring Filters 12 11 Example Filters 12 12 Rule Rule Rule The rules for the output filter are as follows Command gt set filter internet out 1 permit 192 168 0 1 32 0 0 0 0 0 tcp dst eq 21 Command gt set filter internet out 2 permit 192 168 0 1 32 0 0 0 0 0 tcp src gt 1023 dst eq 20 estab Command gt set filter internet out 3 permit 172 16 0 2 32 0 0 0 0 0 tcp src eq 20 dst gt 1023 Command gt set filter internet out 4 permit 172 16 0 2 32 0 0 0 0 0 tcp src eq 21 dst gt 1023 estab If you allow any internal host to send out packets with FIP replace 192 168 0 1 32 with 0 0 0 0 0 or your network_number 24 Take appropriate precautions to reduce the risk this configuration creates
306. ll traffic coming into the PortMaster on the Ethernet interface is compared to the input filter rules Only packets permitted by the filter rules are accepted by the PortMaster PortMaster Configuration Guide Setting IP Parameters To apply an input filter to the Ethernet interface use the following command Command set EtherO ifilter Filtername To remove the input filter omit the filter name when entering the command Output Filters When an output filter is used all traffic going out of the PortMaster on the Ethernet interface is compared to the output filter rules Only packets permitted by the filter rules are sent by the PortMaster To apply an output filter to the Ethernet interface use the following command Command set EtherO ofilter Filtername To remove the output filter omit the filter name when entering the command Setting IP Parameters PortMaster products support both the IP and IPX protocols When you select a protocol for the Ethernet interface you must enter certain values appropriate for the selected protocol This section describes the IP commands keywords and values that must be entered if you select IP protocol support Setting the IP Address During the PortMaster installation process you set the IP address for the Ethernet interface To change the IP address of the Ethernet interface use the following command Command set EtherO address Ipaddress Note If you change the IP address
307. llowing message Card Service Starting wancard in slot 0 WANCTL version 0 0 WANCTL sync init found device Use the show alarms command to determine whether the T1 card is not operating for example if the cable is pulled out The PortMaster does not show an alarm if the card is removed Command show alarms Alarm Id Age Severity Alarm Message 2851352 0 0 T1 line 2 down Command show alarm 2851352 Alarm Details Alarm Id 2851352 Alarm Message T1 line 2 down Age in minutes 0 Alarm repeated 1 times Severity 0 Reported SNMP Configuring the PortMaster 3 11 19 Using Multichassis PPP Using Multichassis PPP Multichassis PPP allows the use of Multilink PPP across multiple PortMaster products in a single telephone hunt group and on the same Ethernet Setting Multichassis PPP To enable Multichassis PPP set the end point discriminator on all PortMaster products sharing a hunt group and Ethernet to the same 12 digit hexadecimal number For convenience you can use the Ethernet MAC address of one PortMaster as the end point discriminator for all the PortMaster porducts on that hunt group but any 12 digit hexadecimal number will serve To enable Multichassis PPP use the following commands Command gt set endpoint Hex Command gt save all Command gt reboot Note You must use the save all and reboot commands after issuing the aN set endpoint command for the end
308. llowing settings for the PortMaster 2 in the Paris office a Ethernet interface settings page 17 8 b Dial out port settings page 17 9 c Dial in users page 17 10 d Dial out locations page 17 11 3 Test the configuration page 17 12 4 If necessary configure the console port for multiline load balancing page 17 13 Alternatively you can configure a PortMaster Office Router for ISDN dial on demand connections See page 17 15 for instructions Using Office to Office Connections 17 3 Configuration Steps for an Office to Office Connection Configuring the Office Router in London Configure the following settings on the PortMaster PCMCIA Office Router in the London office to enable London office users to access the main office network in Paris on demand Configuring Global Settings Configure the global settings shown in Table 17 1 The values shown in the table only apply to this example When you are configuring your PortMaster use values appropriate for your network Table 17 1 Global Values Setting Command IP gateway set gateway 192 168 1 1 System name set sysname ondon After you configure the global settings shown in Table 17 1 enter the following command to save the configuration Command gt save all For more information about global settings refer to Chapter 3 Configuring Global Settings Configuring Ethernet Interface Settings Configure the Ethernet settings shown in
309. lowing command Command set Ether0 broadcast high low Enabling or Disabling IP Traffic IP traffic is sent and received through the PortMaster Ethernet interface IP is enabled by default on PortMaster Ethernet ports If the setting has been changed you must enable IP on the Ethernet interface of all PortMaster products attached directly to a local Ethernet Disable IP traffic on this port only if the PortMaster is not attached to a local Ethernet network PortMaster Configuration Guide Setting Ethernet IPX Parameters To enable or disable IP traffic use the following command Command set ether0 ip enabled disabled 2 Note This command is currently available only on the EtherO port Setting Ethernet IPX Parameters You must set the following values to send IPX traffic on the Ethernet interface IPX routing is enabled when routing is enabled e Network address e Protocol e Frame type Setting the IPX Network Address You must identify the IPX network of your local Ethernet segment An IPX network address is a number entered in hexadecimal format described in Appendix A Networking Concepts To set the IPX network address use the following command Command set Ether0 ipxnet Ipxnetwork Note If you change the IPX network address of the Ethernet interface you must Ey reboot the PortMaster for the change to take effect Enabling or Disabling IPX Traffic Ethernet IPX traffic is sent and received throu
310. lowing command Command set W1 cd on off PortMaster Configuration Guide Configuring WAN Port Settings Assigning a Port to a Dial Group You can create modem pools for dial out connections by associating ports and dial out locations with dial groups Dial groups can be used to reserve ports for dial out to specific locations or to differentiate among different types of modems that are compatible with the remote location Dial groups are numbered 0 to 99 The default dial group is 0 To assign a port to a dial group use the following command Command gt set W1 group Group Setting Hangup Control You can control whether the data terminal ready DTR signal on the synchronous port is dropped after a user session terminates Hangup is set to on by default In this state DTR is dropped for 500 milliseconds causing a hangup on the line To set the hangup control use the following command Command gt set W1 hangup on off The reset command always drops the DTR signal Setting the Port Idle Timer The idle timer indicates how long the PortMaster waits after activity stops on a synchronous port before disconnecting a dial in or dial out connection You can set the idle time in seconds or minutes to any value from 0 to 240 The default setting is 0 minutes If the value is set to 2 seconds or a longer interval the port is reset after having no traffic for the designated time The idle timer is not reset by RIP keepalive or
311. mber of network dial out ports that the PortMaster can use for this location Command gt set location Locname maxports Number Set the local IP address of the port Use the following command to set the local IP address of the port Command set location Locname local ip address Ipaddress assigned Set the NAT map to use for this location Use the following command to associate a NAT map to the location Command set location Locname nat inmap outmap defaultnapt Mapname Set the idle time for a NAT session Use the following command to set the maximum idle time for a NAT session Command set nat Ether0 SO W1 sessiontimeout Set the default action that the PortMaster takes in the event that a request for a NAT session is refused Use the following command to specify the action the PortMaster takes when a session is refused Command set nat ther0 SO Wl session direction fail action drop icmpreject passthrough Configuring NAT Users By configuring NAT users you can allow them to dial in to a PortMaster doing outsource network address translation Add a NAT user Use the following command to add a user to the user table Command add netuser Username PortMaster Configuration Guide Configuring Ports Locations and Users for NAT 2 Set the user password Use the following command to set a password for the user Command gt set user Username password Password 3 Set the maximum number of ports Use the follo
312. mber that is different from the one on the Ethernet at either end set user london rip on set user london mtu 1500 set user ondon compression on After you configure the user table as shown in Table 17 8 enter the following command to save the configuration Command save all For more information about configuring user table settings refer to Chapter 7 Configuring Dial In Users 17 10 PortMaster Configuration Guide Configuration Steps for an Office to Office Connection Configuring Dial Out Location Settings You must create a location entry on the PortMaster 2 in Paris for the London office This entry allows the PortMaster in Paris to call the Office Router in the London office when network traffic is queued Configure a new location london with the values shown in Table 17 9 Table 17 9 Location Table Values Setting Command Location name Type Protocol IP destination Netmask IPX network RIP routing MTU Compression Idle timer High water mark Dial group Telephone number Username Password Maximum ports add location ondon set location london manual set location ondon protocol ppp set location ondon destination 192 168 200 1 set location ondon netmask 255 255 255 0 set location ondon ipxnet F2 When configuring the IPX network number for the location you must set a number that is different from the one on the Ethernet at either end set location ondon
313. md 1642 TCP PortMaster daemon in pmd pmconsole 1643 TCP PortMaster Console Protocol radius 1645 UDP Remote Authentication Dial In User Service RADIUS radacct 1646 UDP RADIUS accounting choicenet 1647 UDP ChoiceNet 12tp 1701 UDP Layer 2 Tunneling Protocol L2TP TCP and UDP Ports and Services B 3 PortMaster Configuration Guide Glossary Numerics 3DES 10Base2 10Base5 10BaseF 10BaseT Triple data encryption standard A strengthened version of the data encryption standard DES documented in RFC 1851 Also known as triple DES this standard is based on the existing DES but has a key three times as long Physical specification for a type of Ethernet that transmits 10Mbps signals over thin 50 ohm baseband coaxial cable and has a cable length limit of 607 feet 185m per segment A 10Base2 Ethernet network is the least expensive Ethernet This version of Ethernet is also known as thin Ethernet or Cheapernet Physical specification for a type of Ethernet that transmits 10Mbps signals over standard thick 50 ohm baseband coaxial cable and has a cable length limit of 1640 feet 500m per segment A 10Base5 Ethernet network provides a low cost alternative to fiber optic cable for use as a backbone within one building This version of Ethernet is also known as thick Ethernet Physical specification for a type of Ethernet that transmits 10Mbps signals over fiber optic cable and has a cable length limit of from 1640 fee
314. me set location boston username boston Telephone set location boston telephone 5551212 number Password set location boston password anypasswd Using Synchronous V 25bis Connections 16 11 Configuration Steps for a Synchronous V 25bis Connection 16 12 Testing the Configuration The configuration must be tested before the location boston is set for continuous dialing To test the configuration follow these steps 1 Enter the following commands to connect from the office in Miami to location boston Command gt set console wl Command gt set debug 0x51 Command gt dial boston Monitor the dial and connect sequence between the two locations If everything connects as expected do the following a Turn off debugging on the console Command gt set debug off Command gt reset console b Reset the port on the PortMaster in Miami and change the location type of location boston to on demand Command gt reset wl Command gt set location boston on_demand If you notice a problem do the following a Reset the port b Check your configuration c Dial Boston again d Repeat this procedure until the connection is made correctly When you have configured the PortMaster correctly reset the port and save the configuration Command reset wl Command save all PortMaster Configuration Guide Troubleshooting a Synchronous V 25bis Connection Troubleshooting a Synchronous V 25bis Connection Most
315. mer in advance Asynchronous Transfer Mode ATM technology supports QoS levels quality of service See QoS query language A set of rules for constructing queries to a database R RADIUS Remote Authentication Dial In User Service A client server security protocol invented by the business unit of Lucent Technologies formerly known as Livingston Enterprises Inc RADIUS accounting The server component of RADIUS that monitors and records attempted and successful user connections RADIUS accounting data includes RADIUS usernames start and stop times connection status IP address of the network access server network access server port and IP address of the user framed IP address RADIUS authentication The process by which the server determines whether a user requesting access is legitimate If a user is authenticated his access request is forwarded for authorization RADIUS authorization The process by which the RADIUS server handles an access request made by an authenticated user RADIUS determines whether the user is authorized to receive the service s requested RADIUS dictionary A RADIUS file used to parse access requests and generate responses The dictionary lists all valid attribute value pairs and specifies the data type required for the values Glossary 58 PortMaster Configuration Guide RADIUS user RAO RARP RAS RBHC RBOC Glossary A person to whom a RADIUS service is provided after his or
316. mic enter an appropriate rule number and specify the addresses or ranges of addresses Use the following command to define the map Command set map Mapname Rulenumber addressmap staticaddressmap Ipaddrxfrom Ipaddrxto If you want the map to provide inbound access to particular services such as FIP or HTTP use the following command to define the map Command set map Mapname static tcp udp portmap Ipaddrxfrom Tport1 Portname Ipaddrxto Tport2 Portname Associate the map to the port as inbound outbound or default NAPT Use the following command to apply an inbound or outbound map to a port Command set Ether0 SO W1 nat inmap outmap defaultnapt Mapname When you use defaultnapt as the map you do not need to indicate whether the map is static or dynamic or specify addresses Set the idle time for a NAT session Use the following command to set the maximum idle time for a NAT session Command set nat Ether0 SO W1 sessiontimeout Set the default action that the PortMaster takes in the event that a request for a NAT session is refused Use the following command to specify the action the PortMaster takes when a session is refused Command set nat ther0 SO Wl session direction fail action drop icmpreject passthrough Reset the port Use the following command to reset NAT on the port Command reset nat Ether0 SO W1 PortMaster Configuration Guide Configuring Ports Locations and Users for NAT Configurin
317. mic address maps are well suited for all situations that do not require specific mappings of private to global addresses and in situations where you have more internal hosts than available global addresses Configuring NAT 13 9 NAT Maps How NAT Maps Work NAT maps define the translations between global IP addresses and private IP addresses ComOS evaluates address mappings from left to right with the address of the source whether internal or external appearing to the left of the address of the destination When you are viewing a NAT map table or examining an address map you are creating at the PortMaster prompt the source address whether local outbound or remote inbound always appears on the left For example an outbound map called isp out that translates the private IP address 10 5 3 6 of an internal host to the global IP address 192 168 5 3 is entered as follows Command gt set map isp out 1 addressmap 10 5 3 6 192 168 5 3 The private address 10 5 3 6 which is the address being translated appears to the left of the global address 192 168 5 3 In contrast an inbound map called isp in that translates global IP address 192 168 5 3 to private IP address 10 5 3 6 of an internal host is entered as follows Command gt set map isp in 1 addressmap 192 168 5 3 10 5 3 6 The global address 192 168 5 3 which is the address being translated now appears to the left of the private address 10 5 3 6 Creating Maps for
318. mpare confederation An identifier in dotted decimal format that uniquely identifies a BGP route reflection cluster within an autonomous system All route reflectors within the cluster must be configured with the same cluster ID Internal peers that are not reflectors within the cluster must not be configured with a cluster ID The cluster ID is typically set to the BGP router ID of one of the route reflectors within the cluster See also cluster route reflection route reflector Confederation member autonomous system A subdivision of an autonomous system that is recognized only by other peers within the confederation Within the confederation each BGP peer treats only the peers in its own CMAS as internal peers Peers in different CMASs are treated as external peers Central office A local telephone company office where customer lines in a given area terminate and where subscriber lines are circuit switched command line interface The visual appearance and command input conventions that enable system administrators and system operators to configure monitor and manage the connected nodes in a data network This type of direct command entry screen interface is distinguishable from graphical user interfaces GUIs Compare GUI Glossary 13 Glossary committed information rate See CIR common gateway interface See CGI communications server community A remote access device with one or more asynchronous ports that prov
319. multiline load balancing 10 7 example 17 13 in the location table 8 11 port limits 10 8 user table 7 8 Multilink PPP 7 8 10 7 10 8 Multilink V 120 7 8 10 8 multiple subscriber network 10 8 N name resolution 3 4 name service A 8 disabling 3 5 setting 3 4 NAPT default 13 16 defined 13 2 example outbound 13 32 NAT addressing 13 2 13 6 concepts 13 2 configuration tasks 13 5 examples 13 31 outsource defined 13 2 restrictions 13 4 NAT maps defined 13 3 dynamic address example 13 40 dynamic and static example 13 42 example outbound 13 40 explained 13 9 for inbound sessions 13 12 for outbound sessions 13 10 modifying deleting 13 14 using ipaddr 13 15 using defaultnapt 13 16 NavisRadius A 10 negotiating IP addresses 5 22 6 8 NetBIOS setting 3 26 NetbootServer 1 2 Subject Index 8 netdata device service 5 15 login service 5 10 7 13 netmask table accessing 3 24 configuring 3 23 example of static netmask 3 23 IP address pools 3 24 netmasks 8 6 A 7 network address translator See NAT network device configuration 5 14 20 2 Network Information Service See NIS network management applications FilterEditor 1 2 LocationWizard 1 2 NetbootServer 1 2 ORWizard 1 2 PMTools 1 2 PMWizard 1 2 PPPDecoder 1 2 PPPSmartAgent 1 2 network security description of A 9 RADIUS A 10 network users adding to user table 7 2 callback 7 10 description 7 3 protocol 7 5 NetworkCare contacting xxviii training xxix NFAS debuggin
320. n Description mdp status mdp events mcppp event Set on to display the status of the digital modems Set on to display the progress of the digital modems as they initialize Set on to display all the information related to the Multichassis PPP events Configuring the PortMaster 3 11 21 Troubleshooting the PortMaster 3 11 22 PortMaster Configuration Guide Configuring Filters 12 This chapter describes how to configure input and output packet filters IP IPX and Service Advertising Protocol SAP rules are reviewed and filter examples are given You can also use the ChoiceNet application to filter IP packets by lists of sites rather than by individual IP addresses For more information on ChoiceNet see the ChoiceNet Administrator s Guide This chapter discusses the following topics e Overview of PortMaster Filtering on page 12 1 e Creating Filters on page 12 5 e Displaying Filters on page 12 8 e Deleting Filters on page 12 8 e Example Filters on page 12 9 e Restricting User Access on page 12 14 Each topic in this chapter includes examples of filters used to accomplish the goal described See the PortMaster Command Line Reference for more detailed command descriptions and instructions In addition to configuring filters at the command line you can use the Java based FilterEditor available at http www livingston com forms one click dnload cgi to create edit and
321. n a regular telephone connection even though the customer connection is the same copper wires used for regular telephone service Because an ADSL circuit must be configured to connect two specific locations it is similar to a leased line advertisement policy A set of rules that determines the path and route information the PortMaster advertises to a BGP peer See also policy agent A software program installed in a managed network device An agent stores management information and responds to the manager s request for this information Glossary 3 Glossary aggregation Annex D API applet The process of combining multiple prefixes from one or several routes so that a single prefix and route can be advertised Route aggregation reduces the amount of information that a device running BGP must store and exchange with its BGP peers See also summarization The American National Standards Institute ANSI T1 617 Frame Relay Annex D version of the Local Management Interface LMI protocol The Annex D protocol has a more robust feature set than the proprietary Cisco Stratacom LMI but was developed later Recent versions of the PortMaster software support either type of LMI Earlier versions supported only the Cisco Stratacom version See also LMI Application program interface or application programming interface An interface between an operating system and application programs that includes the calling convention used for thei
322. n a table called a map table You use the IPaddrxfrom and IPaddrxto parameters of the set map command to configure one to one mappings of a private IP address to a global IP PortMaster Configuration Guide NAT Addressing address These parameters also allow for configuration of the IP address allocation pools from which global IP addresses can be dynamically or statically allocated for outbound sessions You can use static or dynamic address maps for outbound NAT however you can use only static address maps for inbound NAT Configuring Dynamic Address Pools for Outbound NAT Dynamic address pools are useful when you have fewer global IP addresses than privately addressed internal hosts provided that all internal hosts do not need a global address at the same time After you create a NAT map using the add map command you use the set map Mapname addressmap Ipaddrxfrom Ipaddrxto command to set the map as dynamic and define the private address range and the pool of global addresses to which private addresses are translated as needed For example to create an outbound address map called dynamo out that gives the hosts on the private network 10 9 9 0 27 access to the global IP address block 192 168 9 0 28 use the following command Command gt set map dynamo out 1 addressmap 10 9 9 0 27 192 168 9 0 28 Although with dynamic address pools you can map private address blocks to relatively smaller global address blocks the two to one ra
323. n or device service the workstation user must install the PortMaster daemon in pmd in the usr etc directory She must also modify the etc services and etc inetd conf files to tell the workstation where to find in pmd She must also add dev ttyrf to the etc remote file and dev ttyre to the etc printcap file Accessing Shared Devices 20 3 Configuration Steps for Shared Device Access Configuration Steps for Shared Device Access 20 4 To install your PortMaster follow the instructions in your hardware installation guide If you need additional help refer to the troubleshooting chapter of the installation guide The example in this chapter shows variables in italics Change these values to reflect your network Once you have assigned an IP address to the PortMaster continue with the following steps 1 Attach the modem to port S2 with a straight through cable 2 Attach the printer to port S9 with a null modem cable if the printer is a DTE device Pinouts for both cables are given in your hardware installation guide 3 Configure global settings page 20 4 4 Configure Ethernet port settings page 20 5 5 Configure two way serial port S2 settings page 20 5 6 Configure serial printer port S9 settings page 20 7 7 Configure parallel port PO settings page 20 8 8 If necessary configure network devices for Telnet access page 20 8 Configuring Global Settings Configure the global settings to the value
324. n prompt for a port use the following command Command gt set SO prompt String For example Command set s1 prompt marketing Configuring an Asynchronous Port 5 5 General Asynchronous Port Settings 5 6 Setting the Login Message The PortMaster allows you to specify a message for each port up to 240 characters long that is displayed to the user before login To insert a new line use a caret Do not include double quotation marks within the message To set a login message for a port use the following command Command set SO message String For example Command set s1 message Welcome to the FTP Server Setting an Optional Access Filter An access filter can provide additional login security To enable access security you must define an access filter as described in Chapter 12 Configuring Filters Setting Port Security Port security requires that each username be found in the user table or in the RADIUS database If port security is on all users who log in must have their usernames verified before they are allowed to connect to the specified host If security is turned off any user not found in the user table is passed through to the host for authentication If you are using RADIUS authentication security must be turned on To turn security for a port on or off use the following command Command set SO security on off Allowing Users to Connect Directly to a Host With the automatic login feature
325. n technique that derives a binary number by reading an incoming block of data and comparing it with a number transmitted with the data If the numbers do not match an error exists See also CRC error Cyclic redundancy check error An error that indicates problems with source station hardware receivers retiming modules and or repeaters bridges cables or transceivers Channel service unit An ancillary device needed to adapt the V 35 interface to a port on a telephone carrier switch The CSU is placed between the data terminal equipment DTE and the switch customer premises equipment See CPE cyclic redundancy check Glossary 16 See CRC PortMaster Configuration Guide Glossary D database A large collection of data organized for rapid search and retrieval relatively simple management and ease of updating Traditional databases are organized by fields records and files A field is a single piece of information a record is one complete set of fields and a file is a collection of records The most prevalent type of database is the relational database A database management system DBMS is required to access information from a database See also DBMS distributed database object oriented database RDBMS relational database database management system See DBMS database table A set of data arranged in rows and columns a collection of records in a database data circuit terminating equipment See DCE data commun
326. nal routes learned from an NSSA are translated into Type 1 and Type 2 external routes for the backbone area or other areas that accept external routes Like stub areas NSSAs can have default costs set for them but cannot have external routes advertised into them Network termination 1 device The device that provides an interface between the ISDN Basic Rate Interface BRI line used by the telephone company and a customer s terminal equipment The NTI also provides power for the terminal equipment if necessary In North America where ISDN BRI is a U loop the customer must supply the NTI device in Japan and the European countries where BRI is an S T bus the telephone company supplies the NT1 The PortMaster integrates the NT1 device into its ISDN BRI ports that are U interfaces null modem cable A cable that joins computing devices directly to each other instead of over a network You use a null modem cable to connect the console port or any asynchronous data terminal equipment DTE port on a PortMaster device to a terminal or other DTE Glossary 49 Glossary NVRAM object Nonvolatile random access memory Nonvolatile storage that can be erased and reprogrammed electronically allowing software images to be stored booted and rewritten as necessary In a database management system DBMS a specific instance of a class An object contains real values instead of variables Compare class object oriented database ODBC ODI
327. naling r2generic mfr2 Profile PortMaster Configuration Guide Configuring ISDN PRI Settings Table 11 5 explains the inband signaling protocol options and profiles Table 11 5 El Inband Signaling Protocol Options Option Profile Description LineO LineO or Linel mfr2 Accept caller ID and dial digit tones 0 ITU standard Argentina and Chile This is the default Mexico Brazil Venezuela A Ww N Mexico r2gen Generic R2 the default no caller ID and dial digit tones are exchanged Configuring ISDN PRI Settings Use the following settings to configure ISDN PRI on the PortMaster 3 Setting the ISDN PRI Switch The switch type information is available from your ISDN PRI service provider To set the switch type for ISDN connections to the PortMaster ISDN PRI ports use the following command entered on one line Table 11 6 explains the ISDN switch options Command set isdn switch ni 2 dms 100 4ess att 5ess net5 vn2 vn3 1tr6 ntt kdd ts014 Table 11 6 ISDN Switch Options ISDN Switch Description ni 2 National ISDN 2 NI 2 compliant This is the default dms 100 Northern Telecom DMS 100 Custom 4ess ATST 4ESS Configuring the PortMaster 3 11 5 Configuring ISDN PRI Settings Table 11 6 ISDN Switch Options Continued ISDN Switch Description att 5ess ATST 5ESS net5 European ISDN PRI standard vn2 France older switch vn3 France older switch
328. nd show Lined Enter the following command to display a list of members called neighbors in an NFAS group Command gt show nfas Enter the following command to display the last 40 significant messages exchanged between a PortMaster and its neighbors Command gt show nfas history Configuring the PortMaster 3 11 11 Using Non Facility Associated Signaling NFAS 11 12 Enter the following command to display NFAS statistics Command show nfas stat Debugging NFAS To turn on or off print debugging statements for NFAS use the following command Command set debug nfas on off Refer to the PortMaster Command Line Reference for more information about NFAS commands Example NFAS Configuration This section shows how to derive the maximum benefit from NFAS by stacking 10 PortMaster 3s in a single group see Figure 11 1 Because two D channels carry message signaling for the entire group you gain 18 D channels for data transfer Figure 11 1 Optimal NFAS Configuration oO N eo 11820023 Sample Configuration The convention when configuring NFAS is to set interface 0 as the primary To configure NFAS on the PortMaster 3s illustrated in Figure 11 1 enter the following commands Command set lineO nfas pri 0 5 Command set lineO nfas sla 1 5 Command set lineO nfas sec 2 5 PortMaster Configuration Guide Using True Digital Modems Command set lineO nfas sla Command set
329. nd ISP connections do not allow Internet users access to your site when the dial up connection is not established Configuration Steps for an Internet Connection The example described in this chapter connects a PortMaster router located in an office office with an ISP isp1 using Frame Relay on a synchronous interface To install your PortMaster follow the instructions in your hardware installation guide If you need additional help refer to the troubleshooting chapter of the installation guide The example in this chapter shows variables in italics Change these values to reflect your network Once you have assigned an IP address to the PortMaster continue with the following steps l Configure the following settings for the PortMaster in Office 1 a Global settings page 18 4 b Ethernet interface settings page 18 4 Using Internet Connections 18 3 Configuration Steps for an Internet Connection c Serial port settings page 18 5 or page 18 6 d Dial out location page 18 7 2 Test the configuration page 18 8 or page 18 9 3 Set network filtering page 18 10 Alternatively you can configure a PortMaster with an ISDN port for an Internet connection See Using ISDN for Internet Connections on page 18 11 Configuring Global Settings Configure the global settings to the values shown in Table 18 1 Table 18 1 Global Settings Value Setting Command Default IP gateway set gateway 192 168
330. nd the line provisioning Command set LineO signaling wink fxs immediate 3 Set the framing format for the line Command set Line0 framing esf d4 crc4 fas 4 Set the encoding method for the line Command set LineO encoding b8zs ami 5 Save the configuration changes and reboot Command save all Command reboot 6 Use the following command to display the line configuration Command show Lined Example Channelized T1 Configuration To configure the Linel port on a PortMaster 3 for inband channelized TI for inbound calls using E amp M wink start extended superframe format and bipolar 8 zero substitution use the following commands Command gt set linel inband Command gt set linel signaling wink immediate Command gt set linel framing esf Command gt set linel encoding b8zs Command gt save all Command gt reboot 11 16 PortMaster Configuration Guide Using the T1 Expansion Card To display the line configuration for Linel for example enter the following command Command show linel linel T1 Inband DSO Status UP Framing ESF Encoding 8ZS PCM u law Signaling Trunk E amp M wink start Options inbound calls only Receive Level 2dB to 7 5dB Alarms Violations Blue 0 Bipolar 0 Yellow 1 CRC Errors 0 Receive Carrier Loss 0 Multiframe Sync 0 Loss of Sync 0 Using the T1 Expansion Card The T1 expansion card is identified as line2 on the PortMaster and h
331. nection For a hardwired connection you attach an input filter to the hardwired port Note This section describes an example filter that might not protect your network from all forms of attack For more information about filters refer to Additional References in the preface and Chapter 12 Configuring Filters Refer to the ChoiceNet Administrator s Guide and RADIUS for UNIX Administrator s Guide for more information on network security The filter named internet in contains the following rules deny 192 168 200 0 24 0 0 0 0 0 log permit tcp estab permit 0 0 0 0 0 mail edu com 32 tcp dst eq 25 permit 0 0 0 0 0 ftp edu com 32 tcp dst eq 21 permit 0 0 0 0 0 www edu com 32 tcp dst eq 80 permit tcp src eq 20 dst gt 1023 permit udp dst eq 53 permit tcp dst eq 53 permit icmp If you have not configured a name server for the PortMaster use IP addresses instead of hostnames when creating filters Table 18 6 provides a line by line description the filter Table 18 6 Description of Internet Filter Rule Description 1 Denies any incoming packets claiming to be from your own network 192 168 200 0 This rule blocks IP spoofing attacks and logs the spoofing attempt Permits already established TCP connections Permits SMTP connections to the mail server mail edu com Permits FTP connections to the host ftp edu com Mi de SUIS Permits WWW HTTP connections to the Web server ww w edu com PortMaster Configura
332. nfiguration llle 8 14 9 Using Modems Null Modem Cable and Signals 0 0 es 9 1 Modem Functions sri fidlfk aogednnienad doe RP eee ree eee ee oka cies 9 2 Using Automatic Modem Configuration llle eee 9 2 Displaying Modem Settings and Status llle eee eee 9 2 Adding a Modem to the Modem Table 0 0 0 ce eee eee 9 3 Associating a Modem with a Port ll lese eee 9 6 Contents ix Contents Configuring Ports for Modem Use Setting the Port Speed Setting Modem Control Setting Parity scsi iier itive A eos Setting the Flow Control Hanging UpaLine 10 Using ISDN BRI Overview of ISDN BRI Connections Provisioning 00 eee eee ee Configuring ISDN 000 00 ISDN BRI Switch Types Setting the Switch Type Service Profile Identifier SPID for ISDN BRI Terminal Identifier TID for ISDN BRI Directory Number Information Elements IEs Multilink PPP 0 Multiple Subscriber Network for an S T Interface Port Lise 222320338323995899 05x Data over Voice 002 0 eee ISDN Port Configuration Tips ISDN BRI Unnumbered IP Configuration Example Configuration Steps Configuring the PortMaster in Denver Configuring the PortMaster in San Francisco Testing the Setup ee ee a eee ee eee ee ee 9 6 SEE
333. nfiguration Steps 1 6 10 11 12 Configure the global settings PortMaster global settings are described in Chapter 3 Configuring Global Settings Configure the Ethernet settings and configure the IP and IPX protocol settings for your network PortMaster Ethernet settings are described in Chapter 4 Configuring the Ethernet Interface Configure the asynchronous port s PortMaster asynchronous port settings are described in Chapter 5 Configuring an Asynchronous Port Configure the synchronous port s if available PortMaster synchronous port settings are described in Chapter 6 Configuring a Synchronous WAN Port Configure ISDN T1 or El connection s if available ISDN PRI T1 and El connection configuration is described in Chapter 11 Configuring the PortMaster 3 ISDN BRI connection configuration is covered in Chapter 10 Using ISDN BRI Configure dial in users in the user table or configure RADIUS The user table is described in Chapter 7 Configuring Dial In Users If you are using RADIUS security instead of the user table see the RADIUS for UNIX Administrator s Guide or the RADIUS for Windows NT Administrator s Guide Configure ChoiceNet if you are using it ChoiceNet is a traffic filtering mechanism for networks using dial up remote access synchronous leased line or Ethernet Refer to the ChoiceNet Administrator s Guide for more information Conf
334. ng ISDN ports are available as either a U or S T interface ISDN ports are easier to configure than asynchronous or synchronous ports Because the ISDN U interface has the NTI device integrated in the port no modem CSU DSU or external terminal adapter is required 10 1 Overview of ISDN BRI Connections 10 2 For the ISDN S T interface a PortMaster requires an external terminal adapter to connect from the PortMaster synchronous port to the ISDN link For terminal adapters that do not have automatic dialing or for administrators who want to manually connect with the terminal adapter the PortMaster supports automatic location table scripting For more information see Chapter 8 Configuring Dial Out Connections For more information about configuring the PortMaster for ISDN with an external terminal adapter and automatic location table scripting refer to Chapter 16 Using Synchronous V 25bis Connections ISDN BRI ports can provide the same services that an asynchronous port provides except for direct network hardwired connections The PortMaster automatically detects whether the port is providing asynchronous or synchronous 56Kbps or 64Kbps service ISDN BRI connections can be initiated as needed or they can remain active continuously A dial out location must be specified in the location table for dial out connections and a dial in user must be specified in the user table or RADIUS for dial in connections Figure 10 1
335. ng Settings for Network and Login Users 2 0 0 0 eee eeeeeeee 7 4 Setting ac PassWOId oce RN ER RR RI IN MM 7 4 Setting the Idle Timer iiid m b Se OSES EE EEE ewe es 7 4 Setting th Session Ez sss cR RANE SARA RA ORS Cees EO S eS 7 4 Configuring Network Users 0 lle lees 7 4 Setting the Protocol o one e Ss See XO E WO Y YR YMO S 7 5 Setting tbe User IP AddresS T ated feds BaRe PSM DSR 2S SPS fa 7 5 Setting the Subnet Mask 0 0c nes 7 6 Setting the IPX Network Number sese 7 6 Configuring RIP Routing 2 2 eheto babe hake nee ee eee 7 6 Setting the Asynchronous Character Map 0 0 eee eee eee eee 7 7 Setting the MTU Size 4 24 v I eh ae ee ee a ee e oe 7 7 Setting the Maximum Number of Dial In Ports llle ees 7 8 Setting COmpressioni o3 aes Uw WA AA AAR AR NARA AMA RN qU E ad ege 7 8 Setting Filters n aa a ek eee SA DS AO Ah OW SA a apt ae aa a referet s 7 9 Specifying a Callback Location 0 0 0c cece eens 7 10 Configuring Login Users asne hueva osd diii nent eee teens 7 10 Setting the Login Host 0 0 cee eee nets 7 11 Applying an Optional Access Filter 0 0 cee eee 7 11 Setting the Login Service Type lees 7 12 Specifying a Callback Telephone Number l l 7 13 8 Configuring Dial Out Connections Configuring the Location Table 0 0 cece eee eee 8 1 Creating a LOCation zie ge x Sale aan RT WR GR WAAR GR GA AD GR H
336. ng command Command gt set isdn msn on Port Limits You can set port limits on a per user basis for Multilink V 120 Multilink PPP and asynchronous multiline load balancing users If a port limit is set the user is limited to that number of ports on the PortMaster If the number of dial in ports is left unconfigured port limits are not imposed and PortMaster multiline load balancing Multilink V 120 and Multilink PPP sessions are allowed You can also configure this setting using the RADIUS Port Limit attribute To set port limits use the following command Command gt set user Username maxports Number Data over Voice Data over voice is supported for inbound and outbound ISDN connections The PortMaster accepts inbound voice calls and treats them as data calls To force a data over voice call for an outbound ISDN connection use the following command Command set location Locname voice on off 10 8 PortMaster Configuration Guide ISDN Port Configuration Tips ISDN Port Configuration Tips Use the following tips to help you configure your ISDN BRI port e Modem control carrier detect flow control and speed are not set on an ISDN port The PortMaster automatically detects the speed and sets the port to 64000bps or 56000bps accordingly Flow control is not set on a synchronous line because the external clock speed is provided by the telephone company and carrier detect is always used e Refer to your hardware ins
337. ng multiple PortMaster Communication Servers to handle more than a few dozen users each This example assumes the use of RADIUS If you are not using RADIUS configure dial in and network users in the user table RADIUS Settings Table 19 5 lists the RADIUS setting for the first PortMaster For information about RADIUS parameters refer to the RADIUS for UNIX Administrator s Guide or access the information via FTP from ftp ftp livingston com pub le radius radius install Table 19 5 RADIUS Values Setting Command Secret Authentication server Alternate authentication server Accounting server Alternate accounting server set secret anyvalue set authentication server 192 168 1 2 set alternate auth server 198 168 1 3 This setting is optional This secondary server must have a RADIUS database identical to that on the primary authentication server set accounting 192 168 1 2 set accounting 2 192 168 1 3 This setting is optional 19 8 PortMaster Configuration Guide Configuration Steps for Dial In Access After configuring RADIUS settings as shown in Table 19 5 use the following command to save the configuration Command gt save all Dial In Login Users Note Use the instructions in this section only if you are not using RADIUS and you y are not using passthrough logins A user account must be set up on the PortMaster for each authorized user Configure each new user userl user2
338. nication authenticates the origin and checks for timeliness The PortMaster ComOS uses the RSA Data Security Inc MD5 Message Digest Algorithm See also SHA 1 mean time to recovery See MTTR mean time to repair See MTTR media access control address megabit See MAC address See Mb Glossary 43 Glossary megabits per second megabyte menu See Mbps See MB A list of options displayed on a user s computer screen from which the user can choose For example a menu might provide a list of servers message authentication code See MAC message digest algorithm 5 MIB MIME modem modem table MTTR Glossary 44 See MD5 Management Information Base A set of variables that a Simple Network Management Protocol SNMP based management station can query from the SNMP agent of a network device Multipurpose Internet Mail Extensions The standard documented in RFC 1522 and RFC 1523 for attaching non ASCII files to standard Internet mail messages These files include graphics spreadsheets formatted word processor documents audio files and other binary data Modulator demodulator A device that converts the digital signals used by computers to analog signals that can be transmitted over telephone lines A database resident on the PortMaster containing configuration information for commonly used modems 1 Mean time to recovery The average amount of time a device will spend in correct
339. nomous systems plus any path attributes to a single destination autonomous system that contains particular IP address prefixes and associated netmasks Packets whose targets fall within the networks identified by these prefixes and netmasks can use this BGP route BGP peers advertise routes to each other in update messages A network layer device that links one network to another Routers forward packets between networks along optimal paths The Internet is made up of thousands of routers sending and receiving packets to and from one another In contrast to servers which also run routing services routers provide service to networks rather than to client devices or software See also access router routing table PortMaster Configuration Guide Glossary route reflection In BGP a method for maintaining path and attribute information across an autonomous system while avoiding the overhead of having all peers within an autonomous system fully communicate to be fully meshed with each other To reduce the number of links all internal peers are divided into clusters each of which has one or more route reflectors A route received by a route reflector from an internal peer is transmitted to its clients which are the other peers in the cluster that are not route reflectors Route reflection requires that all internal peers use identical policies See also cluster cluster ID confederation route reflector route reflector router ID
340. not routed by a more specific route Command gt set ipxgateway Network Node Metric Note You can delete only static routes Modifying the Static Netmask Table The netmask table is provided to allow routes advertised by RIP to remain uncollapsed on network boundaries in cases where you want to break a network into noncontiguous subnets The PortMaster normally collapses routes on network boundaries as described in RFC 1058 However in certain circumstances where you do not want to collapse routes the netmask table is available its function In most circumstances its use is not necessary Very large routing updates can result from too much use of the netmask table adversely affecting performance In most cases it is easier to use OSPF instead of using the netmask table and RIP Lucent strongly recommends you use OSPF if you require noncontiguous subnets or variable length subnet masks VLSMs Note Do not use the static netmask table unless you thoroughly understand and need For example suppose the address of EtherO is 172 16 1 1 with a 255 255 255 0 subnet mask a class B address subnetted on 24 bits and the destination of ptpl is 192 168 9 65 with a 255 255 255 240 subnet mask a class C address subnetted on 28 bits If routing broadcast is on the PortMaster routing broadcast on EtherO claims a route to the entire 192 168 9 0 network Additionally the broadcast on ptpl claims a route to 172 16 0 0 Sometimes however y
341. nous configurations come up with very little trouble if you have configured the PortMaster using information from your carrier If you are having problems use the information in this section to debug your configuration If you are having trouble with a Frame Relay connection do the following e Wait a few moments The process of establishing a Frame Relay link learning the DLCI list and learning the IP address through Inverse ARP can sometimes take a few moments e The error counters should be 0 except for abort errors If your counters are nonzero the problem is external to the PortMaster Using Frame Relay 15 11 Frame Relay Subinterfaces Verify that you are using the correct cables and that they are attached securely to the correct port Not all WAN ports are capable of the same speeds Verify that the DIP switch is set to V 35 for Lucent cables and that you are plugged into the correct V 35 interface on your CSU DSU Verify that the CSU DSU is providing the clock signal to the PortMaster The CSU DSU can generate the clock signal or receive it from the carrier Verify that the CSU DSU is configured properly Enter the following two commands to view the LMI or Annex D keepalives Command gt set console wl Command gt set debug 0x51 After you verify that the proper keepalives are being received enter the following commands to turn off the debug utility Command gt set debug off Command gt reset console If you hav
342. ns supported include any TCP UDP based applications that do not try to embed the IP source and or IP destination address in their payload Unless otherwise noted the following applications have been tested and work for both inbound and outbound service Telnet FIP TFTP HTTP Secure HTTP HTTPS and Secure Sockets Layer SSL protocol SMTP and rlogin inbound only X Windows ping traceroute and DNS Secure Shell SSH Unfriendly Applications Configuring NAT The following applications are considered NAT unfriendly either because they embed the IP source and or destination address in the payload are multicast or broadcast based or rely on end to end node security Multicast based applications Routing protocols RIP and OSPF DNS zone transfers End to end VPN Any application that embeds the IP source and or destination address es into the payload 13 43 Debugging and Troubleshooting NAT Debugging and Troubleshooting NAT 13 44 When debugging and troubleshooting NAT use the following points as guidelines Verify that IP addresses are correct in map entries and that your maps match the flow of the session inbound or outbound Monitor the output of the show nat sessions command to verify that the correct translations are taking place Make sure you entered a valid NAT map Use show nat mapusage if no NAT maps are listed in case you entered the map name incorrectly Monitor the output of the show nat statistic
343. ntains the following items Destination The number of the IPX network to which the PortMaster will be routing e Gateway The address of a locally attached router where packets are sent for forwarding to the destination For IPX networks the gateway address consists of 8 hexadecimal digits for the network address a colon and the node address of the gateway router expressed as 12 hexadecimal digits for example 00000002 A0B1C2D3EAF5 The IPX node address is usually the media access control MAC address on a PortMaster e Metric The number of routers or hops a packet must cross to reach its destination The metric represents the cost of sending the packet through the gateway to the specified destination e Ticks The time required to send the packet to its destination Ticks are measured in 50ms increments The ticks metric is used in addition to the hops metric only on IPX networks Note Never set the gateway for the PortMaster to an address on the same PortMaster y the gateway must be on another router Use the following commands to add a static route for IPX Command add ipxroute Ipxnetwork Ipxaddress Metric Ticks Command save all Use the following commands to delete a static route for IPX Command delete ipxroute Ipxnetwork Ipxaddress Command save all 3 22 PortMaster Configuration Guide Setting Static Routes Use the following command to set a static default route for all IPX packets
344. ntrol Using Modems Set modem control on if you want to use the DCD signal for modem connections When modem control is on the PortMaster uses the condition of the carrier detect line to determine whether the line is in use Modem control must be on for PortMaster outbound traffic If modem control is off the PortMaster assumes the carrier detect line is always asserted As a result the PortMaster cannot attach to the modem for outbound traffic because it regards the line as busy To set modem control use the following command Command set SO cd on off 9 7 Configuring Ports for Modem Use 9 8 Setting Parity The parity setting must be configured to match the parity setting on the attached modem The parity default value is none and must be used for ports configured for network dial in or dial out operation Table 9 2 describes the parity options Table 9 2 Parity Options Option Description none Assumes 8 databits 1 stop bit and no parity bit This is the default even Assumes 7 databits 1 stop bit and even parity odd Assumes 7 databits 1 stop bit and odd parity strip Assumes 8 databits and 1 stop bit The parity bit is stripped from the data stream when it is received by the PortMaster To set the parity for a modem and its port use the following command Command gt set SO parity even none odd strip Setting the Flow Control The PortMaster supports both software flow control and hardwar
345. nverters or Frame Relay asynchronous devices FRADs Hardwired connections can use SLIP or PPP with IP and IPX Note This type of configuration creates a continuous uninterrupted connection on ay this port If the port is configured for a hardwired connection it cannot be used for any other purpose Figure 5 6 illustrates an example of a hardwired connection Figure 5 6 Hardwired Port Configuration analog leased line leased line modem PortMaster workstation 1 E 11820019 Hardwired connections on asynchronous ports provide the continuous connection advantage of a synchronous port at lower bandwidth but without the cost of TI line connection 5 20 PortMaster Configuration Guide Configuring a Port for a Dedicated Connection To configure a port for a hardwired connection follow this procedure 1 10 11 Set the port for network hardwired Command set SO network hardwired Set the protocol Command set SO protocol slip ppp Set the maximum transmission unit MTU size Command set SO mtu MTU Set the destination IP address Command set SO destination Ipaddress Ipmask Set the IPX network number if you are using IPX Command set SO ipxnet Ipxnetwork Enable RIP routing Command set SO rip on off broadcast listen Set compression Command set SO compression on off stac vj Set the PPP asynchronous m
346. o determine user access ChoiceNet can use filter names specified by the RADIUS user record For more information about ChoiceNet refer to the ChoiceNet Administrator s Guide A 10 PortMaster Configuration Guide TCP and UDP Ports and Services B Table B 1 lists common port numbers well known ports assigned to TCP and UDP services well known services by the Internet Assigned Numbers Authority IANA A more complete list is available in RFC 1700 Assigned Numbers Note If you are configuring a filter on a PortMaster from the command line interface you must use the port number The PortMaster does not have the etc services file and cannot use NIS to get the equivalent information Table B 1 TCP and UDP Port Services Service Port Protocol Description ftp data 20 TCP File Transfer Protocol FTP default data ftp 21 TCP FTP control telnet 23 TCP Telnet smtp 25 TCP Simple Mail Transfer Protocol SMTP email nicname 43 TCP whois Internet directory service nicname 43 UDP whois Internet directory service domain 53 TCP Domain Name System DNS domain 53 UDP DNS tftp 69 UDP Trivial File Transfer Protocol TFTP gopher 70 TCP Gopher gopher 70 UDP Gopher finger 79 TCP Finger Protocol finger 79 UDP Finger Protocol www http 80 TCP World Wide Web Hypertext Transfer Protocol HTTP https 443 TCP HTTP with SSL secure HTTP B 1 B 2 Table B 1 TCP and UDP Port Services Continued
347. o the other Use Telnet service in networks where a variety of hardware devices with different operating systems must use the selected port In this configuration the device name must be set to dev network The default TCP port number for Telnet is 23 however another TCP port can be specified on a per port basis All ports with a common Telnet port number form a pool similar to the rlogin pool Note If you use Telnet to administer the PortMaster select a TCP port number for fay your shared device port that is different from your administrative Telnet port Netdata Device Service The netdata device service provides a TCP clear channel on which 8 bit data is passed without interpretation This service can be used to connect to the selected port from another serial port on a different PortMaster This configuration can provide network connections between hosts on different networks The netdata service is most commonly used for special applications that require the use of TCP CLEAR channel access to a network socket This device service provides a direct data link from the application to the device connected to the PortMaster port With the socket connection no special option negotiation or protocol is required The default TCP port number for the netdata service is 6000 but you can specify another port In this configuration the device name must be set to dev network Configuring a Port for Network Access You can configure PortMa
348. ocally on the PortMaster To set a password on the PortMaster use the following command Command set 12tp secret Password none Use the none keyword to disable the password This is the default After you set the L2TP password use the following command to set remote tunnel authentication Command set 12tp authenticate remote on off Enter the reset 12tp command to make your changes take effect then enter the save all command so the changes remain in effect after you reboot the PortMaster If you set remote authentication on the LAC the LAC initiates authentication and the LNS authenticates If you set remote authentication on the LNS the LNS initiates authentication and the LAC authenticates If you set tunnel authentication on both the LAC and the LNS the LAC and the LNS authenticate each other If no tunnel exists a tunnel is established for the first L2TP session and tunnel authentication takes place before the session terminates Note Because tunnels remain established until the PortMaster is rebooted empty tunnels can exist PortMaster Configuration Guide Overview of Call Check Overview of Call Check The call check feature allows an outsourcer ISP or telephone company providing Internet service to get the calling number of a dial in user without accepting the call A typical application for call check is to hang up on a user attempting to dial in and then to call the user back with no charge incurred for the
349. ocated at separate sites Figure 21 1 shows an example of the leased line connection Overview of Leased Line Connections 21 2 Figure 21 1 Leased Line Configuration workstation 1 workstation 3 o IRX Router IRX Router CSU DSU 3 workstation 2 Florence CSU DSU workstation 1 AHUELLLLLL LL LUE LLL ANT OOTY HELLE LUE LLL HEEL LUE ILLE LLL LAE IRX Router IRX Router workstation 2 workstation 3 J 11820012 If you are connecting two networks together for the first time make sure first that the two networks are not overlapping subnets For more information on network numbers and subnetting see Appendix A Networking Concepts In the leased line configuration described in this chapter the Ethernet address of the PortMaster routers is used as the address for the serial link in a point to point unnumbered serial connection Because the PortMaster relies on an external clock PortMaster Configuration Guide Configuration Steps for Leased Line Connections signal you do not need to set the speed on the synchronous port The port speed is whatever the carrier sends If you choose to set a speed it is used for administrative notation only and does not affect the operation of the port PortMaster synchronous ports support leased line connections from 9600bps to T1 1 544Mbps or El 2 048Mbps speeds Synchronou
350. ocation Use the following command to define the map as inbound or outbound associate it with an interface user or location and optionally enable the NAT outsource function Command set Ether0 SO W1 location Locname user Username nat inmap outmap outsource See Configuring Ports Locations and Users for NAT on page 13 18 for information about associating a map with an interface user or location If you are configuring a PortMaster to do outsource NAT for a client see Configuring Outsource NAT on page 13 24 Reset active NAT sessions on all interfaces on the PortMaster Use the following command to reset active NAT sessions on an interface Command reset nat EtherO SO W1 Refer to NAT Session Management on page 13 28 for additional configuration tasks NAT Addressing 13 6 In network address translation maps and addressing are closely linked To distinguish addressing from mapping this chapter uses the term pool to refer to groups or ranges of private and global IP addresses The term map refers to the association of a private address or group of addresses with a global address or group of addresses This section discusses inbound and outbound NAT using static and dynamic addressing schemes The emphasis here is on addressing The section NAT Maps on page 13 9 covers similar ground but with the emphasis on maps and mapping A NAT map is an association of private and global addresses that is stored i
351. ocation Use the following tips to determine how to configure your PortMaster If You Are Configuring Then Configure Settings on A network hardwired port or The port hardwired multiline load balancing One or more ports for dial out Dial out locations using the location table operation One or more ports for dial in Dial in users using the user table or RADIUS operation A callback network user The callback location in the location table and refer to the location name in the user table Basic Configuration Steps The exact PortMaster configuration steps you follow depend upon the hardware you are installing and your network configuration However the following general configuration steps are the same for all PortMaster products 1 Install the PortMaster hardware and assign an IP address and a password as described in the installation guide shipped with your PortMaster Note This guide assumes that you have completed Step 1 and does not give details on n hardware installation or IP address assignment 2 Boot the system and log in with the administrative password You can configure the PortMaster from a terminal attached to the console port by an administrative Telnet session or by a network connection 3 If you want to use PMVision software to configure your PortMaster install it on a workstation anywhere on your network See the PMVision User s Guide for more information Introduction 1 5 Basic Co
352. ollowing command Command gt set location Locname maxports Number Setting Bandwidth on Demand Bandwidth on demand determines when an additional line to this location is established The PortMaster uses the high water mark setting to configure bandwidth on demand The high water mark specifies the number of bytes of network traffic that must be queued before the PortMaster opens an additional connection The PortMaster examines the queue several times a minute to determine if the high water mark has been reached If you set a very small threshold number the PortMaster quickly opens the maximum number of ports you specified for this location When you are deciding on a threshold keep in mind that interactive traffic from login users queues a relatively small number of bytes only several hundred However network users doing file transfers can queue several thousand bytes of traffic Consider these activities before you set your dial out threshold PortMaster Configuration Guide Setting Filters This value is used only when the maximum number of ports is greater than one The default high water mark is zero To set the high water mark in bytes for a location use the following command Command gt set location Locname high water Number Setting Filters You can attach input and output filters to each location Filters must be defined in the filter table before they can be added to the location table For more information about
353. ollowing command Command gt set location Locname on_demand Automatic To establish an automatic dial out connection you must set the location type to automatic In this configuration the PortMaster dials out after it boots and establishes a network connection to the specified location If the connection is dropped for any reason the PortMaster dials out again and establishes the connection again after a 30 second wait To configure a location to support an automatic connection use the following command Command gt set location Locname automatic Manual Dial Out Use manual dial out to test the connection or if you want the connection to be established only when you or a network callback user requests You should test any connection before configuring it as an automatic or on demand location PortMaster Configuration Guide Configuring the Location Table To configure a location to support a manual connection use the following command Command gt set location Locname manual Note Disconnect dial out connections by resetting the port before switching a By connection type from manual to on_demand Setting the Telephone Number The telephone number setting is used to dial out to the remote location To set the telephone number of the remote location use the following command Command gt set location Locname telephone String Setting the Username and Password The username and password are what the PortMaster u
354. om 28 8 115200 AT amp F amp C1 amp D2 B115200 Q3 U1 amp T5S0 1S10 20 W0 amp SY0 mot uds Motorola UDS V 34 115200 AT amp F amp C1 amp D2 Q3S0 1S10 20S80 18 amp W mot bit Motorola Bitsurfr 115200 ATSF amp SC1 amp ED2 A4 1 A2 95SM0 P2 11520 0 P1 a amp W mot pwr p Motorola Power 57600 AT amp SF amp CIST5 amp 5C1ED26W 14 4 PCMCIA mot life p Motorola Lifestyle 57600 AT amp FS0 1 amp C1 amp D2 Q35T5S5W OK 14 4 PCMCIA 9 4 PortMaster Configuration Guide Using Automatic Modem Configuration Table 9 1 Factory Default Modem Table Entries Continued Modem Name Modem Name DTE Short Long Rate Initialization String multizdx MultiTech Z DX 115200 AT amp FAATMOSE1 amp C1 amp D3 SB115200S0 1S10 fax data v 32 2096E08 amp WO multi v34 MultiTech MT2834 115200 ATS amp F AT amp CI amp D3S0z18WO0 28 8k multi v34 MultiTech MT2834 115200 ATSF AT amp CI amp D3S0z18W0 28 8k pp v32 Practical Peripherals 57600 ATSF amp C1 amp D3S0 1S2 1295W PP9600SA pp v34 Practical Peripherals 115200 AT amp FOMO0S0 1V1 amp C1 amp D35K3 amp 5W0 amp EW1 PM288T II para3811 Paradyne 3811 115200 AT amp FS0 1 amp W ppi v34 p PPI ProClass V 34 115200 ATSF amp C1 amp D3 amp K3S0 15WEW1 PCMCIA premax v32 p Premax V 32bis 115200 AT amp F amp C1 amp D3S0 15WEW1 PCMCIA scout v32 p DSI Scout V 32bis 115200 AT amp F amp C1 amp D3S0 1 amp W PCMCIA supra 288 Supra V 34 115200 AT amp F2S0 1 amp W supra fax 288 SupraFax 28 8 115200 AT amp F2 amp C1 amp D3S0 1S2 1
355. ompression Compression is on by default Compression cannot be used with multiline load balancing but can be used with Multilink PPP Compression must be enabled on both ends of the connection if you are using SLIP With SLIP TCP packets are not passed if only one side of the connection has compression enabled For PPP connections the PortMaster supports both bidirectional and unidirectional compression Refer to RFC 1144 for more information about header compression PortMaster Configuration Guide Configuring Network Users The PortMaster supports Stac LZS data compression only for PPP connections with bidirectional compression Stac LZS data compression cannot be used for SLIP connections To set header compression for a network user use the following command Command gt set user Username compression on off Table 7 3 describes the results of using each keyword Table 7 3 keywords for Configuring Compression on Enables compression The PortMaster tries to negotiate both Van Jacobson and Stac LZS compression on PortMaster 3 and on leased lines on Office Router products or Van Jacobson compression only on other PortMaster products This is the default off Disables compression To find out what type of compression was negotiated for the user enter the following command Command show S0 Setting Filters Input and output packet filters can be applied to each network user If an input filter is applied
356. on his network and have it globally accessible you must add the following additional commands to the PortMaster 3 configuration Command gt add map tesla inmap Command gt set map tesla inmap 1 stupm 192 168 129 130 ftp 172 16 5 1 ftp Command gt set user tesla nat inmap tesla inmap outsource The static tcp udp portmap keyword can be abbreviated to stupm Dial Out Location Using a Dynamic Address Basic NAT Map In this example the company Dogheaven has outgrown the original address block of six IP addresses 192 168 129 128 29 it received from its ISP The company can request more IP addresses but they decide that the cost of additional IP addresses is not justifiable because all internal hosts on their company network do not need guaranteed access to external networks or to the Internet at all times Previously the company statically mapped each internal host to a global IP address To give the two new hosts access to a global IP address they implement an IP address map that dynamically maps all hosts in the 10 1 1 0 24 network to the 192 168 129 128 29 address block 13 40 PortMaster Configuration Guide NAT and NAPT Examples Figure 13 10 Dial Out Location Using a Dynamic Address Pool 192 168 129 129 ee Dogheaven PortMaster 10 1 1 1 10 1 1 2 10 1 1 3 10 1 1 4 10 1 1 5 10 1 1 6 10 1 1 7 10 1 8 11820035 To set
357. ond waiting period manual This type of connection is started when you request a connection You can use this configuration to test a connection or for network callback users This is the default To configure the connection type use the following command Command set location Locname on demand automatic manual Configuring Dial Out Connections 8 3 Configuring the Location Table On Demand Dial on demand connections to selected locations can save money because the telephone line is used only when traffic needs to be transmitted The dial on demand configuration can also be used as a backup for other types of connections such as those using high speed synchronous lines A dial on demand connection usually has the idle timer set so that the connection is closed when no longer needed Note When configuring a dial on demand location be careful not to have the on demand location be the route to the loghost RADIUS server RADIUS accounting server or any host for a port using the PortMaster login or device service unless you understand the effect of these services upon dial on demand If routing for a dial on demand location is set to on listen or broadcast the PortMaster dials out to that location when it boots to update routing information The PortMaster hangs up when the idle timer expires because RIP traffic does not reset the idle timer To configure a location to support a dial on demand connection use the f
358. ontrol to on To set software flow control to off use the following command Command set S0 all xon xoff off To set hardware flow control to on use the following command Command set SO all rts cts on 5 4 PortMaster Configuration Guide General Asynchronous Port Settings Setting the Dial Group You can create modem pools for dial out connections by associating ports and dial out locations with dial groups Dial groups can be used to reserve ports for dial out to specific locations or to differentiate among different types of modems that are compatible with the remote location Dial groups are numbered 0 to 99 The default dial group is 0 To assign a port to a dial group use the following command Command set SO group Group Displaying Extended Port Information The PortMaster can display port information in brief or extended modes The default setting is off To enable or disable extended information for a port use the following command Command set SO extended on off Note This command affects only the display of port information It does not affect port fay behavior Setting the Login Prompt You can set a custom login prompt for each port using any valid ASCII characters The default login prompt is hostname login For example on a host named marketing the login prompt is marketing login Double quotation marks and control characters must not be used inside the login prompt To set a logi
359. op count for the packet will be 6 when it arrives at its destination node A single addressable device on a network that is a repository for services made available to other computers on a network Computers networked printers and routers are examples of hosts A World Wide Web browser from Sun Microsystems that can run Java applets hot swappable Able to be removed and replaced while the power is on and the system is operating Hot swapping components might disrupt service however For example the line boards on a PortMaster 4 are hot swappable because they can be replaced while ComOS is operating in a unit that is plugged in and turned on Although you must turn off the line board and thereby terminate any services it is actively providing the PortMaster 4 retains the board s settings so that the new board requires no reconfiguration after the swap Compare redundant Glossary 29 Glossary HTML HTTP hunt group hunt order HyperText Markup Language The authoring language used to create hypertext documents for the World Wide Web Like the Standard Generalized Markup Language SGML on which it is based HTML identifies the types of information in a document rather than the exact way it is to be presented The presentation is left to the software that converts the contents to a suitable format for viewing HTML also provides a way to link a word or block of text on a website to another file on the same or another website S
360. or applications on any host in the network with a single username and password NIS is similar to the Domain Name System DNS used on the Internet only simpler See also DNS NIS A later version of the Network Information Service NIS that provides additional security hierarchical name spaces and other improvements See also NIS Network layer reachability information The part of a BGP route containing the IP address prefixes and associated netmask lengths that are reachable via the path described in the route The networks indicated by these prefixes and netmasks reside in the destination autonomous system the final one listed in the path A device such as a PC server switching point bridge or gateway connected to a network at a single location A node can also be called a station See also host PortMaster Configuration Guide Glossary non facility associated signaling See NFAS nonvolatile RAM See NVRAM nonvolatile random access memory See NVRAM notification message A message sent between BGP peers to inform the receiving peer that the sending peer must terminate the BGP session because an error occurred The message contains information that explains the error See also keepalive message open message update message not so stubby area NSSA NTI See NSSA Not so stubby area In OSPE an area similar to a stub area except that Type 1 and Type 2 external routes can be learned from it Any exter
361. or your authorized sales channel partner New releases and upgrades of PortMaster software are available at http www livingston com forms one click dnload cgi or by anonymous FIP from ftp ftp livingston com pub le For the EMEA Region If you are an Internet service provider ISP or other end user in Europe the Middle East Africa India or Pakistan contact your local Lucent sales channel partner For a list of authorized sales channel partners see the World Wide Web at http www livingston com International EMEA distributors html If you are an authorized Lucent sales channel partner in this region contact the Lucent NetworkCare EMEA Support Center Monday through Friday 24 hours a day e By voice dial 33 4 92 38 33 33 e By fax dial 33 4 92 38 31 88 e By electronic mail email send mail to emeacallcenter lucent com PortMaster Configuration Guide PortMaster Training Courses For North America CALA and the Asia Pacific Region Contact Lucent NetworkCare Monday through Friday between the hours of 7 a m and 5 p m GMT 8 By voice dial 800 458 9966 within the United States including Alaska and Hawaii Canada and the Caribbean and Latin America CALA or 1 925 737 2100 from elsewhere By email send mail as follows From North America and CALA to support livingston com From the Asia Pacific Region to asia support livingston com Using the World Wide Web see http www w livingston com
362. ored in the location table The PortMaster always calls back using the same port on which the user called in Network users have PPP or SLIP sessions started for them as defined in the user table To specify the callback location for a network user use the following command Command set user Username dialback callback Locname none The dialback and callback keywords are synonyms To disable callback connections for the user use the none keyword For more information about configuring locations refer to Chapter 8 Configuring Dial Out Connections Configuring Login Users Login users establish connections with hosts using one of the login services dial in dial out or two way described in Chapter 5 Configuring an Asynchronous Port 7 10 PortMaster Configuration Guide Configuring Login Users Setting the Login Host You must define the host to which the user is connected The login host can be defined in one of three ways Table 7 4 shows the login host options Table 7 4 Login Host Options Host Option Description default prompt Ipaddress This option allows the user to log in to the default or alternate host specified for this PortMaster You can specify the default host with the set host command shown on page 19 5 This option allows the user to log in to a host by IP address or hostname at the time the login session is established This option allows the user to connect only to the ho
363. ork is restricted Chapter 18 Using Internet Connections gives an example of an asynchronous continuous dial out connection to the Internet Logging in to Remote Hosts Communication servers are most commonly used to allow remote users to dial in to a network location and access a host with their local account This configuration is also used by ISPs that provide many users access to shell accounts PortMaster asynchronous ports can be configured for login by dial in users When users dial in they are connected to a modem are allowed to log in and are then connected to a specified host for the current session Chapter 19 Providing User Dial In Access gives an example of an asynchronous remote log in connection Dial In Network Connectivity A PortMaster asynchronous port can provide PPP or SLIP service to a dial in user allowing the user to route TCP IP traffic across a modem to access the local network or the entire Internet If the port is running PPP the user can also route IPX traffic in this way This configuration is very heavily used by ISPs and by corporations with remote users running client server applications that require access to central hosts from home field offices or on the road Chapter 19 Providing User Dial In Access gives an example of an asynchronous dia in connection Sharing Devices across the Network PortMaster asynchronous ports can be configured to allow network hosts access to shared de
364. orks Glossary 35 Glossary Java A cross platform object oriented programming language invented by Sun Microsystems Java programs can be easily downloaded to a computer from the Internet Small Java programs called applets add special features to World Wide Web pages including animation and interactive tools like calculators See also applet Java database connectivity See JDBC Java development kit See JDK Java Runtime Environment See JRE Java Virtual Machine See JVM JDBC Sometimes known as Java database connectivity A Java application programming interface API for carrying out structured query language SQL statements JDBC consists of a set of classes and interfaces written in the Java programming language It provides a standard API for tool and database developers to write database applications in pure Java JDK Java development kit A suite of software than enables programmers to write applets and applications conforming to the Java 1 1 core application programming interface API Applets written with the JDK can be run by browsers supporting Java JRE Java Runtime Environment The smallest set of executable programs and files that constitute the standard Java platform The JRE consists of the Java Virtual Machine JVM the Java platform core classes and supporting files Because it is the runtime part of the Java development kit JDK the JRE includes no compiler debugger or tools Joint Photographic Ex
365. other office using a dedicated leased line The following topics are described e Overview of Leased Line Connections on page 21 1 e Configuration Steps for Leased Line Connections on page 21 3 e Troubleshooting a Leased Line Connection on page 21 8 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Overview of Leased Line Connections Leased line connections use leased or dedicated lines to establish a permanent connection between two routers Once the connection is established it remains available on a continuous basis whether there is network traffic between the two locations or not Leased line connections require a digital service unit channel service unit DSU CSU connected between the router and the dedicated line The DSU CSU takes digital data in the format used by the router and translates it into the digital format used by the leased line Leased line connections also require a carrier that provides an external clock signal PortMaster routers support leased line connections using synchronous ports and the PPP protocol In this configuration one PortMaster is usually connected to another PortMaster or other router over a leased line where each router uses its own Ethernet address for the serial link known as IP unnumbered and the address of the other end is discovered dynamically In this way a dedicated high speed connection is established between two routers l
366. ou want the PortMaster to collapse routes to some bit boundary other than the network boundary In this case you can use the static netmask table However RIP supports only host and network routes because it has no provision to include a netmask Therefore if you set a static netmask in the netmask table the PortMaster collapses the route to that boundary instead and broadcasts a host route with that value Other PortMaster routers with the same static netmask table entry convert the host route back into a subnet route when they receive the RIP packet Configuring Global Settings 3 23 Setting Static Routes 3 24 This workaround works only if all the products involved are PortMaster products with the following two exceptions e If you use a netmask table entry of 255 255 255 255 In this case the routes broadcast as host routes really are host routes so third party routers can use them Keep in mind that not all routers accept host routes e Ifthe third party router can convert host routes into subnet routes through some mechanism of its own Uses for Static Netmasks The most common use for the static netmask table is to split a single class C network into eight 30 host subnets for use in assigned pools Subnetting allows each PortMaster to broadcast a route to the subnet instead of claiming a route to the entire class C network An example of that use is provided in Example of Applying Static Netmasks on page 3 24 Th
367. ough 254 seventh PortMaster You can set the assigned pool numbers a little closer together as long as they do not overlap however having the pools fall within bit boundaries makes packet filters easier to write Note This example uses a PortMaster 2E Communications Server If you are using a PortMaster 25 the numbers of assigned pools can be moved closer together Configuration Steps for Dial In Access 19 4 To install your PortMaster follow the instructions in your hardware installation guide If you need additional help refer to the troubleshooting chapter of your installation guide The example in this chapter shows variables in italics Change these values to reflect your network Once you have assigned an IP address to the first PortMaster continue with the following steps l Connect modems to the PortMaster 2E page 19 5 2 Configure global settings page 19 5 3 Configure Ethernet interface settings page 19 6 4 Configure asynchronous port settings page 19 6 5 Configure modems for the asynchronous ports page 19 6 6 Configure users via RADIUS settings if you have more than one hundred users page 19 8 7 Configure login users if you are not using RADIUS page 19 9 PortMaster Configuration Guide Configuration Steps for Dial In Access 8 Configure network users if you are not using RADIUS page 19 9 9 Repeat Steps 1 through 8 for each additional PortMaster in your topology
368. ous Port 5 25 Connecting without TCP IP Support Note The PortMaster ignores the Data Set Ready DSR signal Some PCs might require DSR high but they do not tie DSR to DTR 5 26 PortMaster Configuration Guide Configuring a Synchronous WAN Port 6 This chapter describes the steps required to configure a PortMaster synchronous wide area network WAN port This chapter discusses the following topics e Synchronous Port Uses on page 6 1 e Configuring WAN Port Settings on page 6 4 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Synchronous Port Uses Synchronous WAN ports are used for high speed dedicated connections between two remote local area networks LANs Once a connection is established between two remote sites a wide area network WAN is achieved Synchronous WAN connections can be achieved through the use of dedicated leased lines Frame Relay connections switched 56Kbps lines or ISDN lines Connection rates can range from 9600bps to 2 048Mbps El PortMaster products support any of these connection types using one or more synchronous ports All WAN port connections are similar and are represented in Figure 6 1 on page 6 3 For most applications a dedicated line connects two PortMaster routers each located on a separate remote network The following examples describe various uses for synchronous ports Routing over Leased Lines A synchronous port
369. ous office to office connection Chapter 10 Using ISDN BRI gives an example of a dial up synchronous office to office connection Once a PortMaster is installed in each office and connected to the local Ethernet with an AUI 10Base2 or 10BaseT connector one or more asynchronous serial ports can be configured to dial another office or a set of offices when network traffic for the specified location exists The two most common configurations are a star where multiple branch 5 1 Asynchronous Port Uses offices dial into a central hub that routes among them and a mesh where every office can speak to any other office on demand Intermediate configurations between star and mesh are also possible To add network bandwidth on demand additional ports can be configured for load balancing These ports can be configured to connect to a location when the network traffic exceeds a specific level In this configuration multiple ports are connected during times of heavy traffic thereby adding bandwidth as needed and are disconnected when traffic drops Connections to the Internet You can set an asynchronous port for a continuous connection to an Internet service provider ISP by configuring it for continuous dial out In this configuration if the dial out line is dropped the PortMaster automatically reestablishes the connection When connecting to the Internet include packet filtering and security to ensure that access to the local netw
370. page 13 34 you can simply configure network address translation on strategically located PortMaster products 13 24 PortMaster Configuration Guide Configuring Outsource NAT Figure 13 4 Outsource NAT Scenario jm tesla Fa ISDN Router i N 10 1 1 0 24 m 192 168 96 162 30 N a inten a 192 168 96 163 30 T edison o o ISDN Router i w 10 1 1 0 24 iv 11820036 Configuration for tesla To configure outsource NAT for user tesla as illustrated in Figure 13 4 follow this procedure l Create user tesla Command add netuser tesla Configuring NAT 13 25 Configuring Outsource NAT 13 26 Set a password for user tesla Command gt set user tesla password ACpower Set the maximum network dial out ports for this user Command gt set user tesla maxports 2 Set the protocol to ppp Command gt set user tesla protocol ppp Set the destination address Command gt set user tesla destination 192 168 129 130 Set the local IP address of the port Command gt set user tesla local ip address 192 168 96 162 Set the map to defaultnapt outsource Command gt set user tesla nat outmap defaultnapt outsource No NAT configuration is needed on the dial up router side FTP Configuration for tesla If you want user tesla to be able to run an FIP server with private IP address
371. perts Group See JPEG Glossary 36 PortMaster Configuration Guide JPEG JVM K K56flex Kb KB Kbps Glossary Joint Photographic Experts Group A bitmapped format for image files JPEG provides lossy compression by segmenting the picture into small blocks which are divided to get the desired ratio the process is reversed to decompress the image JPEG format is preferred over GIF files for the storage and transmission of color and grayscale photographs See also GIF Java Virtual Machine Software that acts like a mini PC interpreting the Java code so that the PC itself does not have to A single Java applet or application can run unmodified on any operating system that has a virtual machine or VM Sun Microsystems writes a virtual machine that it licences to other companies but operating system vendors generally write their own A technology developed by Lucent Technologies and Rockwell International for delivering data rates up to 56Kpbs over standard telephone lines K56flex sends digital data downstream to a modem at a home or business but not from it Data transmission in the upstream direction takes place at speeds of up to only 33Kbps K56flex technology conforms to the ITU T approved V 90 standard for 56Kbps modems Kilobit s 1024 bits Kilobyte s 1024 bytes Kilobits per second keepalive message A periodic message sent between BGP peers to keep their BGP sessions open If a preset amount of time el
372. ples use the 192 168 1 0 network as the public network Substitute the number of your network or subnetwork if you use these examples Note Any packet that is not explicitly permitted by a filter is denied except for the fay special case of a filter with no rules which permits everything Simple Filter A simple filter can consist of the following rules Command gt Command gt Command gt Command gt Command gt set filter set filter set filter set filter set filter simple 1 permit udp dst eq 53 simple 2 permit tcp dst eq 25 simple 3 permit icmp simple 4 permit 0 0 0 0 0 192 168 1 3 32 tcp dst eq 21 simple 5 permit tcp src eq 20 dst gt 1023 Table 12 2 describes line by line each rule in the filter Table 12 2 Description of Simple Filter Rule Description l i An a 9 Permits Domain Name Service DNS UDP packets from any host to any host Permits SMTP mail packets Permits ICMP packets Permits FIP from any host but only to the host 192 168 1 3 Permits FTP data to return to the requesting host This rule is required to provide a reverse channel for the data portion of FTP Configuring Filters 12 9 Example Filters 12 10 Input Filter for an Internet Connection The filter in this example is designed as an input filter for a network hardwired port that connects to the Internet You can use this filter for a dial on demand connection by attaching it to the loc
373. plete list see RFC 1700 To create a TCP filter rule use the following command entered on one line Command set filter Filtername RuleNumber permit deny Ipaddress NM Ipaddress dest NM tcp src eq lt gt 7port dst eq lt gt Tport established log notify UDP Packets You can filter UDP packets by source and destination IP address or by UDP port number Appendix B TCP and UDP Ports and Services lists port numbers commonly used for UDP and TCP port services For a more complete list see RFC 1700 To create a UDP filter rule use the following command entered on one line Command set filter Filtername RuleNumber permit deny Ipaddress NM Ipaddress dest NM udp src eq lt gt 7port dst eq lt gt Tport established log notify Note ICMP and UDP packets generated by the PortMaster are not blocked by output by filters You must explicitly deny ICMP and UDP packets Creating IPX Filters You can filter IPX packets in the following ways e Source and or destination IPX network number e Source and or destination IPX node address e Source and or destination IPX socket number Configuring Filters 12 7 Displaying Filters To create an IPX filter rule use the following command entered on one line Command set ipxfilter Filtername RuleNumber permit deny srcnet Ipxnetwork srchost Ipxnode srcsocket eq gt 1t Ipxsock dstnet Ipxnetwork dsthost Ipxnode dstsocket eq gt lt Ipxsock Creating SA
374. point discriminator to take effect Displaying Multichassis PPP Addresses To display the addresses of the neighboring PortMaster products in the same Multichassis PPP group and a list of connections to virtual and physical ports on the PortMaster use the following command Command show mcppp Disconnecting a User from a Virtual Port To disconnect a user attached to a virtual port you must reset the port Because the virtual port has a corresponding physical port on the slave unit once the virtual port is reset on the master its corresponding physical port is also reset on the slave When using Multichassis PPP use the following command on the master unit to reset a virtual port Command reset VO 11 20 PortMaster Configuration Guide Troubleshooting the PortMaster 3 Troubleshooting the PortMaster 3 The debug command is useful for troubleshooting the digital modems and Multichassis PPP events Output is sent to the system console set by the set console command After completing the debugging process disable the debug commands by using the correct set debug off command and reset the console with the reset console command Debug information is displayed to the console To set debug flags used for troubleshooting use the following command Command set debug mdp status mdp events mcppp event on off Table 11 13 explains the debug options for the PortMaster 3 Table 11 13 Debug Options for the PortMaster 3 Optio
375. ponse packets with a destination IP address of 192 168 38 x to the PortMaster 3 running outsource NAT Ethernet ARP NAT does not provide Ethernet ARP services for the global IP addresses it uses For this reason Lucent recommends that NAT be configured on WAN interfaces If you choose to configure basic NAT on a LAN interface however be sure to select a global IP address block for use in conjunction with NAT that does not fall within the same network prefix of the LAN interface itself NAT Security Security is viewed differently in different environments Because NAT provides a one way session traffic filter that restricts sessions from external hosts into your network NAT provides a certain degree of security In addition because address assignment in NAT is often done dynamically an attacker has more difficulty pointing to a specific host in the NAT domain as a potential target Partial privacy is gained because an individual connection is harder to trace to a particular user You can use firewalls in conjunction with NATs to provide additional filtering of unwanted traffic However NATs cannot by themselves transparently support all applications and often must coexist with application level gateways ALGs such as 13 30 PortMaster Configuration Guide NAT and NAPT Examples DNS SOCKS Customers looking to deploy NAT must determine their application requirements before they can assess any possible security that the extens
376. r multimedia data over low bit rate networks such as the public switched telephone network PSTN H 324 terminals can be integrated into PCs or implemented in stand alone devices such as videotelephones Pertaining to a continuous connection between two sites A port on a PortMaster that is configured for hardwired use cannot be simultaneously used for any other type of connection High speed channel A full duplex ISDN Primary Rate Interface PRI channel operating at 384Kbps A protocol used by OSPF routers to acquire neighbors and to synchronize their topological databases high water mark Glossary 28 The number of bytes of queued network traffic required to open an additional dial out line to a remote location PortMaster Configuration Guide HMAC hop hop count host HotJava Glossary Keyed hashing message authentication code A message authentication mechanism that uses cryptographic hash functions HMAC can be used with any iterative cryptographic hash function for example MD5 or SHA 1 in combination with a secret shared key The effectiveness of HMAC depends on the properties of the underlying hash function See also MD5 SHA 1 The transmission of a data packet between two network nodes for example between two routers Measurement of the distance between a source and destination that is used as a metric to compare routes If a packet traverses six routers between source and destination nodes the h
377. r you must also define a default route on each router in your autonomous system to point them to destinations more distant than two hops See also multihome routing policy Exterior BGP The BGP used between peers in different autonomous systems or when confederations are in use between peers in different confederation member autonomous systems CMASs Unlike internal BGP peers EBGP peers need not have full connectivity with one another A diagnostic test used to check network reachability in which an Internet Control Message Protocol ICMP Echo Request packet or Simple Network Management Protocol SNMP test packet is sent to elicit a standard response Glossary 23 Glossary email Electronic mail Electronic messages usually text sent from one person s computer to another s Email can also be broadcast automatically to a large number of addresses or mail list Encapsulating Security Payload See ESP endpoint discriminator ESP Ethernet Exterior BGP external peer extranet Glossary 24 A 12 digit identifier used to associate multiple chassis in a Multichassis PPP domain Encapsulating Security Payload A mechanism documented in RFC 1827 for providing integrity and confidentiality to IP datagrams by means of encryption See also IPSec A network communications system developed and standardized by Digital Equipment Corporation Intel and Xerox using baseband transmission carrier sense multiple acce
378. r can telnet to each modem connected to a PortMaster Configuration Guide Overview of Shared Device Access Methods PortMaster port for configuration purposes In this application each port is identified by a unique port number assigned during the configuration process You can also configure a pool of ports at a single TCP port number The netdata TCP clear channel device service is most often used when you want to have a custom application open a TCP connection to an RS 232 device or to connect two serial devices across a network Figure 20 2 Network Device Configuration user 2 A A KA EE CL i modems 1 host dev network i O PortMaster VEELEELEEEEEEELEELEEEEEEE LEE LEE LEE L L FEEL ELLE LEE I i H Telnet rlogin netdata H Na as ala lal ir I eewmwmwmewewmewwmewewwmewmeweweweeweeeee 1 11820003 user 1 The example described in this chapter allows a user to dial in to port S2 on the PortMaster log in to a workstation and access a serial printer attached to port S9 as dev ttyre using the PortMaster device service The workstation user can also access port S2 as dev ttyrf when it is not being used for login service The modem attached to port S2 is connected with a straight through cable and uses hardware flow control and carrier detect The DTE rate between the modem and the PortMaster is locked To use the PortMaster logi
379. r communication and the services that the operating system makes available to the programs An API provides a set of routines protocols and tools for building software applications and specifies the standard software interrupts calls functions and data formats that an application must use to initiate contact with hardware or network services Programmers can use the API to write applications consistent with the operating environment without having to know all about it In contrast to an API a graphical user interface GUI and command interface are direct user interfaces to either the application or the operating system 1 A small application such as a utility or other small program that does not run on its own but is embedded and run from within another application Applets often cannot access certain resources on the local computer such as files and serial devices and cannot communicate with most other computers across a network 2 A small distributed application created with the Sun Microsystems Java programming language Java applets are often embedded in HTML pages and can be downloaded and used by any computer equipped with a Java capable browser See also HTML Java AppleTalk Remote Access See ARA application program interface Glossary 4 See API PortMaster Configuration Guide Glossary application programming interface ARA Archie area See API AppleTalk Remote Access A protocol that provides Macinto
380. r modem A list of modems and their initialization strings appears in Chapter 9 Using Modems The recommended configuration for this example has the following features e Raises carrier when a call comes in e Resets itself when DTR is dropped e Locks the DTE rate e Uses hardware flow control RTS CTS e Automatically answers on the first ring If you have already configured your modems on another machine connect to each modem through the PortMaster and set the modem back to the factory default Then use the recommended modem string to properly configure each modem Table 19 4 Serial Port Values for All Ports Setting Command Port type set all login network dialin Security set all security on Modem type set all modem usr v34 Speed 1 set all speed 1 115200 Speed 2 set all speed 2 115200 Speed 3 set all speed 3 115200 Modem control Hardware flow control Software flow control set all cd on set all rts cts on set all xon xoff off Providing User Dial In Access 19 7 Configuration Steps for Dial In Access After you configure the ports as shown in Table 19 4 enter the following commands to reset the ports and save the configuration Command gt reset all Command gt save all Configuring Users Because no more than approximately one hundred users can be configured in the user table and stored in nonvolatile memory on the PortMaster you should use RADIUS for user authentication when configuri
381. r routers running NAT software receive IP packets destined for global IP addresses that they maintain in their NAT map tables they translate the global address to the associated private IP address External hosts do not recognize the private IP addresses of internal hosts Private IP addresses are usually contained within one of several ranges reserved for this purpose Reserved IP address ranges currently include the following e 10 0 0 0 through 10 255 255 255 10 0 0 0 8 e 172 16 0 0 through 172 31 255 255 172 16 0 0 12 e 192 168 0 0 through 192 168 255 255 192 168 0 0 16 Lucent strongly recommends that you number your private IP networks with IP addresses from one of these ranges Note The 192 168 0 0 16 address range is used in this chapter to represent global y addresses in example configurations Address Mapping In the context of NAT the term mapping refers to the association of private IP addresses with global IP addresses A NAT map is essentially a table where the ComOS stores these associated addresses The NAT software refers to this table when translating addresses NAT maps can be static or dynamic With a static address map a particular private address is always translated to a particular global address the same private to global translation is performed each time address translation is needed In dynamic address mapping a private address is translated to the next available global address Sessions Inbound
382. r table finger firewall See FTP Generally a process or device that screens network traffic for certain characteristics such as source address destination address or protocol and determines whether to forward or discard that traffic based on the established criteria A database used to store filters A command used to gather information about a network user such as name login name office location telephone number email address and account activity A way to restrict access between the Internet and an internal network Most often a firewall is a set of hardware components with appropriate filtering software that can guard an internal network against known problems or intruders or isolate less secure parts of the internal network from other parts Glossary 25 Glossary FireWall IRX Flash RAM flow control A PortMaster IRX router with two Ethernet ports that provides two networks a public network accessible to the Internet via World Wide Web and File Transfer Protocol FTP servers and a private internal network protected from Internet traffic and potential intruders See NVRAM A technique for ensuring that a transmitting entity such as a modem does not overwhelm a receiving entity with data When the buffers on the receiving device are full a message is sent to the sending device to suspend the transmission until the data in the buffers has been processed Flow control can be software based or hardwa
383. ransmission between two parties Password Authentication Protocol An authentication protocol that allows the network access server to authenticate the user The remote router attempting to connect to the local router is required to send an authentication request Unlike the Challenge Handshake Authentication Protocol CHAP PAP passes unencrypted passwords PAP does not itself prevent unauthorized access but it identifies the remote end of the connection The router or access server then determines if that user is allowed access See also CHAP A process for checking the integrity of a character A parity check appends a bit to a character or word to make the total number of binary 1 digits in the character or word excluding the parity bit either odd for odd parity or even for even parity PortMaster Configuration Guide parse partition Glossary To divide character strings into components based on punctuation and other characteristics for further analysis Electronic isolation of an Ethernet device from network communications Password Authentication Protocol path PCMCIA peer Perl See PAP In BGP a autonomous system path list and a collection of attributes that provide descriptions of and explain how to reach a given collection of IP address destinations in a single autonomous system A path and its destination comprise a BGP route See also autonomous system path list destination route Personal Computer
384. rated by a modem indicating that a call has been connected central office See CO Glossary 10 PortMaster Configuration Guide CGI Glossary Common gateway interface A standard set of rules for transferring information between a World Wide Web server and a CGI program any program designed to accept and return data that conforms to the CGI specification For example a CGI program can put the content of a form into an email message or transform data into a database query The program can be written in any programming language including C Perl Java or Visual Basic Challenge Handshake Authentication Protocol See CHAP channelized T1 An access link operating at 1 544Mbps that is subdivided into 24 channels of 56Kbps each for dial in use channel service unit CHAP chat check item ChoiceNet See CSU Challenge Handshake Authentication Protocol A Point to Point Protocol PPP authentication method for identifying a dial in user The user is given an unpredictable number and challenged to respond with an encrypted version CHAP does not itself prevent unauthorized access it merely identifies the remote end See also PAP Real time communication between two users on the Internet via computer See also IRC A component of a RADIUS user profile one or more of which must be matched in an access request for the access to succeed See also address reply item A packet filtering application that enables centra
385. rce and on source and destination addresses of a packet against a rule list The destination address number of significant bits used in IP address comparisons can be set allowing filtering by host subnet network number or group of hosts whose addresses are within a given bit aligned boundary Restricting access to Packets of certain protocols can be permitted or denied particular protocols by a filter including IPX SAP TCP UDP and ICMP packets Restricting access to You can create filters that use the source and destination network services port numbers to control access to certain network services The evaluation can be based upon whether the port number is less than equal to or greater than a specified value Restricting access based You can create filters that use the status of TCP on TCP status connections as part of the rule set This feature can allow network users to open connections to external networks without allowing external users access to the local network Filter Organization Filters are stored in a filter table in the PortMaster nonvolatile configuration memory Filters can be created or modified at any time and the changes are not applied to an active use of the filter Filter names must be between 1 and 15 characters Each packet filter can contain three sets of rules IP IPX and SAP Within each set the rules are numbered starting at one Newly created packet filters contain zero rules or an
386. rding server in a proxy confederation that stores the addresses of all remote servers so that the other forwarding servers need to store only its address The clearing house server forwards requests from forwarding servers to remote servers and passes information back from the remote servers to the forwarding servers Competitive local exchange carrier A company that provides local dial tone services as well as long distance data and Internet services usually to corporate markets in metropolitan areas Many CLECs can compete with established regional Bell operating companies RBOCs because they use more current technology See also CAP PortMaster Configuration Guide client Glossary A software program on one computer that contacts and obtains data from a server software program running on another computer Each client program is designed to work with one or more specific kinds of server programs and each server requires a specific kind of client a World Wide Web browser for example client server environment cluster cluster ID CMAS CO An environment where a computer system or process requests a service from another computer system For example a workstation can request services from a file server across a network The ChoiceNet product for example runs in a client server environment A group of internal BGP peers that share a common set of route reflectors See also cluster ID route reflection route reflector Co
387. re based forwarding server FRAD frame Frame Relay A server running a version of RADIUS that supports proxy service The forwarding server passes a request for service from a proxy user to a remote server or another forwarding server for authentication Frame Relay access device A network device that links any non Frame Relay connection to a Frame Relay WAN A packaging structure for network data and control information A frame consists of an opening flag address control protocol data padding frame check sequence and closing flag The 802 3 standard for Ethernet specifies that the minimum size data frame is 64 bytes and the maximum size data frame is 1518 bytes An industry standard switched data link layer protocol that handles multiple virtual circuits using high level data link layer control HDLC encapsulation between connected devices It is used across the interface between user devices for example hosts and routers and network equipment for example switching nodes Frame Relay is more efficient than X 25 the protocol it replaced Frame Relay Access Device Glossary 26 See FRAD PortMaster Configuration Guide Glossary frequently asked questions See FAQ File Transfer Protocol A TCP IP protocol used to transfer files between network hosts or two Internet sites Many Internet sites can be publicly accessed through the use of FIP Users can log in with the account name anonymous These sites a
388. re called anonymous FTP servers G gateway A combination of hardware and software linking two or more networks that use different protocols Gateways between email systems for example allow users on different email systems to exchange messages Gateways provide address translation services but do not translate data Generic Routing Encapsulation See GRE GIF Graphics interchange format A common format for image files on the World Wide Web and elsewhere on the Internet especially suitable for images containing large areas of the same color GIF is a bit mapped format that also includes data compression See also JPEG gigabyte A data measurement unit equal to 1 073 741 824 bytes or 1 024 megabytes graphical user interface See GUI graphics interchange format See GIF Glossary 27 Glossary GRE GUI H 324 hardwired H channel hello Generic Routing Encapsulation A protocol documented in RFC 1701 that allows one network protocol to be transmitted over another by encapsulating its packets called payload packets within GRE packets which in turn are contained within packets of the outer or delivery protocol RFC 1702 describes the use of GRE when the delivery protocol is IP Graphical user interface A software interface based on pictorial representations and menus of operations and files Compare command line interface The ITU T recommendation describing terminals that send video audio and compute
389. re sent and accepted as part of the messages To configure default routing use the following command Command set default on off broadcast listen Table 3 1 describes the results of using each keyword Table3 1 Default Routing Keywords Keyword Description on The PortMaster broadcasts and listens for default route information off The PortMaster neither broadcasts nor listens for default route information This is the default broadcast The PortMaster broadcasts default route information if it has a default route listen The PortMaster listens for default route information Configuring Global Settings 3 3 Configuring Name Resolution Configuring Name Resolution You can use either a network name service or the host table on the PortMaster to map hostnames to IP addresses Using the Host Table Each host attached to an IP network is assigned a unique IP address Every PortMaster supports a local host table to map hostnames to IP addresses If your network lacks a computer that can perform hostname resolution the PortMaster allows entries in a local host table Hostnames are used by the PortMaster only for your convenience when using the command line interface or if you require users to enter hostnames at the host prompt To avoid confusion and reduce administrative overhead Lucent recommends using the Domain Name System DNS or Network Information Service NIS for hostname resolution rather than the
390. rip on set location ondon mtu 1500 set location london compression on set location ondon idletime 5 set location london high water 0 set location london group 0 set location london telephone 5551212 set location london username paris set location ondon password anything set location ondon maxports Using Office to Office Connections 17 11 Configuration Steps for an Office to Office Connection Note Configuring the maximum ports setting to a value higher than 0 causes the PortMaster to dial out to a continuous location or become available for dial out to an Can on demand location By configuring the maximum ports setting last you ensure that the PortMaster will not attempt to make a connection with a location until you have configured all the settings for that location After you configure the location table as shown in Table 17 9 enter the following command to save the configuration Command gt save all For more information about configuring location table settings refer to Chapter 8 Configuring Dial Out Connections Testing the Setup You must test the configuration before setting either of the locations for on demand dialing To test the configuration follow these steps 1 Enter the following commands to connect from the Paris office to the London office Command gt set console sl Command gt set debug 0x51 Command gt dial london 2 Monitor the dial and connect sequence between t
391. rmits DNS Permits DNS zone transfers You can write this rule to allow only connections to your name servers Permits ICMP packets PortMaster Configuration Guide Example Filters Input and Output Filters for FTP Packets Filters can be used to either permit or deny File Transfer Protocol FTP packets You must understand how this protocol works before you develop FIP filters FIP uses TCP port 21 as a control channel but it transfers data on another channel initiated by the FIP server from TCP port 20 FIP data Therefore if you want to allow your internal hosts to send out packets with FIP you must allow external hosts to open an incoming connection from TCP port 20 to a destination port above 1023 Allowing this type of access to your network can be very risky if you are running Remote Procedure Call RPC or X Windows on the host from which you are transmitting FIP packets As a result many sites use FIP proxies or passive FTP neither of which is discussed in this guide Consult Firewalls and Internet Security Repelling the Wily Hacker by Cheswick and Bellovin and Building Internet Firewalls by Chapman and Zwicky for information on FIP proxies and passive FIP Likewise if you want to allow external hosts to connect to your FIP server and transfer files you must allow incoming connections to TCP port 21 on your FIP server and allow outgoing connections from TCP port 20 of your FIP server In the following examp
392. rn override on for a particular parameter use the following command Command set S0 all override xon rts speed parity databits on off Setting the Port Speed Modern modems must be set to run at a fixed rate To define a fixed rate lock the data terminal equipment DTE rate by setting all three speeds to the same value You can set the speed for all the asynchronous ports simultaneously by using the set all speed command Configuring an Asynchronous Port 5 3 General Asynchronous Port Settings To set the port speed use the following command entered on one line Command set S0 all speed 1 2 3 Speed You can set speed to any of the following standard modem speed settings 300 1200 4800 19200 57600 115200 600 2400 9600 38400 76800 Parity Checking Parity checking is off by default Setting Databits You can set the number of databits per byte for a single asynchronous port or all asynchronous ports The default 8 is the most common You can set the databits for all the asynchronous ports simultaneously by using the set all databits command To set databits use the following command Command set SO all databits 5 6 7 8 Setting Flow Control The PortMaster can use either software or hardware flow control to communicate with the attached device to start and stop the flow of data Because hardware flow control is more reliable Lucent recommends that you set software flow control to off and hardware flow c
393. rname nat include the following e sessiontimeout tcp other Number minutes seconds e log sessionfail sessionsuccess syslog console on off e session direction fail action drop icmpreject passthrough e inmap Mapname outsource e outmap Mapname outsource Configuring Ports for NAT Configuring NAT NAT port configuration varies according to the use you intend for the port You can configure a port for inbound service outbound service or both You can apply static address maps or dynamic address maps to the port Or you can use the reserved map name defaultnapt or the special macro Gipaddr This section offers general guidelines and discusses options for NAT port configuration See defaultnapt Providing Inbound HTTP Service on page 13 37 for an example of NAT port configuration Refer to the PortMaster Command Line Reference for command details To configure a port for NAT service follow these steps 1 Set the address of the port Use the following command to set the local IP address of the port Command set Ether0 SO W1 Ipaddress 2 Createa NAT map You must create a NAT map for address translation If the port will be used for both inbound and outbound NAT you must create two maps Use the following command to add a map to the map table Command add map Mapname 13 19 Configuring Ports Locations and Users for NAT 13 20 Define the map You must define the map as static or dyna
394. rname nat log sessionfail console To log to syslog substitute the syslog keyword for console PortMaster Configuration Guide Debugging and Troubleshooting NAT syslog logging runs at the priority level displayed by the show syslog command If you do not have a NAT syslog priority set syslog logging does not take place Lucent recommends that you log NAT events at the auth notice priority the same priority as for packet filters To set NAT logging at the recommended priority enter the following command Command gt set syslog nat auth notice You can log more selectively by appending the log keyword to the end of a map entry For example to have a syslog message sent to your log host whenever a session from 172 168 3 1 successfully translates outbound to the global IP address 192 198 247 6 enter the following command Command gt set map Mapname 1 addressmap 172 16 3 1 192 168 247 6 log The following example shows output from this command The first four lines show translation errors the remaining lines show successful translations Mar 24 17 28 11 nat or NAT ptp3 Out TCP 172 16 3 1 34172 192 168 247 6 80 Xlation failed Session may have prematurely timed out Mar 24 17 28 40 nat or NAT ptp3 Out TCP 172 16 3 1 34172 192 168 247 6 80 Xlation failed Session may have prematurely timed out Mar 24 17 28 57 nat or NAT ptp3 Out TCP 172 16 3 1 34177 192 168 247 6 80 translated to 192 168 129 129 200
395. rom non OSPF attached interfaces autonomous system path list In BGP the list of autonomous systems that a packet must traverse to reach a given set of IP address destinations located within a single autonomous system destination The list can consist of sequences which are series of autonomous systems that must be traversed in the order specified and sets which are collections of autonomous systems one of more of which must be traversed in any order to the destination For example an autonomous system path list might consist of Sequence 1 2 3 Set 4 5 Sequence 6 7 This list indicates that a packet traverses autonomous systems 1 2 and 3 in order then one or both of autonomous systems 4 and 5 in any order and finally autonomous systems 6 and 7 in order Autonomous system 7 is the destination autonomous system B backbone A network topology consisting of a single high speed line or series of connections that forms a major pathway within a network backbone area In OSPF an area consisting of networks and routers not contained in any area and autonomous system border routers The backbone area is responsible for distributing routing information between areas This backbone area must be contiguous either physically or through a virtual link The number reserved for the backbone area is 0 0 0 0 Glossary 7 Glossary backbone router bandwidth In OSPF a router that has an interface into the backbone area by a direct at
396. rotocol ppp IP destination set location miami destination 192 168 1 1 Netmask set location miami netmask 255 255 255 0 IPX network set location miami ipxnet F3 RIP routing set location miami rip on MTU set location miami mtu 1500 PortMaster Configuration Guide Configuration Steps for a Synchronous V 25bis Connection Table 16 5 Location Table Values Continued Telephone number Password High water mark Maximum ports Setting Command Idle timer set location miami idletime 5 Dial group set location miami group 1 Username set location miami username miami set location miami telephone 5551212 set location miami password anypasswd set location miami high_water 0 set location miami maxports 1 PortMaster to dial out to a continuous location or become available for dial out to an Note Configuring the maximum ports setting to a value higher than 0 causes the on demand location By configuring the maximum ports setting last you ensure that the PortMaster will not attempt to make a connection with a location until you have configured all the settings for that location After you configure location table settings as shown in Table 16 5 enter the following command to save the configuration Command save all For more information about configuring location table settings refer to Chapter 8 Configuring Dial Out Connections Configuring the PortMaster in Miami The PortMaster in Miami
397. rule 1 and rule 2 in the second and third lines of the configuration The remaining internal hosts in the 10 1 0 0 16 network map to addresses in the address pool 192 168 130 3 192 168 130 254 receiving any available address each time they need one To statically map two hosts to specific addresses and dynamically map the rest configure the PortMaster as follows Command gt add map isp outmap Command gt set map isp outmap 1 addressmap 10 1 1 1 192 168 130 1 Command gt set map isp outmap 2 addressmap 10 1 1 2 192 168 130 2 Command gt set map isp outmap 3 addressmap 10 1 0 0 16 192 168 130 3 192 168 130 254 Command gt add location isp Command gt set location isp telephone 5558583 Command gt set location isp username Koolstuff Command gt set location isp password 2cool Command gt set location isp destination negotiated Command gt set location bigcomp maxports 2 Command gt set location bigcomp continuous Command gt set location bigcomp local ip address assigned Command gt set location bigcomp nat outmap isp outmap Network Application Compatibility Because of the nature of the operation of NAT some applications that work under basic NAT might not work with NAPT If you are using a particular application under NAPT and it is not working try using basic NAT and see if the situation improves 13 42 PortMaster Configuration Guide Network Application Compatibility NAT Friendly Applications NAT friendly applicatio
398. rules per filter is allowed for the PortMaster 3 and IRX For other PortMaster products the maximum number of filter rules allowed is 100 The PortMaster generates an error message when the number of filter rules exceeds the limit If a packet is discarded by a filter an appropriate ICMP unreachable message is returned to the source address This message provides immediate feedback to the user attempting the unauthorized access Packets permitted or denied can optionally be logged to a host Filters can also be used for packet selection for example you can use a packet trace filter to do troubleshooting The packets permitted by the ptrace filter are displayed while packets not permitted by the filter are not displayed For more information about the ptrace facility see the PortMaster Troubleshooting Guide Filter Options Table 12 1 shows different ways to use filters Table 12 1 Filter Options Option Description Restricting packet traffic Each user location entry and network hardwired port can be assigned both an input packet filter and an output packet filter Having both input and output filters can decrease the number of rules needed and can provide better tuning of your security policy 12 2 PortMaster Configuration Guide Overview of PortMaster Filtering Table 12 1 Filter Options Continued Option Description Restricting access based You can create filters that evaluate both the sou
399. rver It is periodically necessary to take a server offline for maintenance or to install or update software This example shows how to use a NAT map to redirect traffic to a backup server In this example the following two servers are connected on the Ether port of a PortMaster IRX 211 providing inbound FIP and Web service e primary web com 192 168 2 1 e backup web com 192 168 2 2 All routers and hosts in this example have global IP addresses To redirect inbound traffic to the backup server as illustrated in Figure 13 7 add the following lines to the IRX 211 configuration Command add map ether0 inmap Command set map ether0 inmap 1 addressmap 192 168 2 1 192 168 2 2 Command set ether0 nat inmap ether0 inmap Command reset nat The backup server can now take over the services of the primary server You can optionally set the NAT session direction fail action sdfa keyword to passthrough This is useful if after you bring up primary server you want to run a Telnet or FIP session from the primary server after you enable it Under the current configuration NAT intercepts outbound packets from the remapped host To allow outbound sessions from the primary server enter the following command Command set ether0 nat sdfa passthrough 13 36 PortMaster Configuration Guide NAT and NAPT Examples Figure 13 7 Redirect Traffic to a Backup Server Internet I Internet router 192 168 5 254 192 1
400. s General Synchronous Settings The following settings can be used on synchronous ports configured for all connection types Displaying Extended Port Information The PortMaster can display synchronous port information in brief or extended modes The default setting is off To enable or disable extended information for a port use the following command Command set W1 extended on off Note This command affects only the display of port information It does not affect port behavior Setting the Port Type and Connection Type The port type for synchronous ports is always network but you must explicitly set it You also must specify the kind of connection to use on the synchronous port To set the port type and the connection type use the following command Command set W1 network dialin dialout twoway hardwired Note Some PortMaster products use S1 through S4 for the synchronous ports Others use W1 or WO through W59 Refer to your hardware installation guide for information on port numbering PortMaster Configuration Guide Configuring WAN Port Settings Table 6 1 describes the four connection types available on synchronous ports Table 6 1 Port and Network Types Type Description hardwired Allows you to establish a dedicated network connection between two sites without modem dialing or authentication In this mode the port immediately begins running the specified protocol If the port is set for a har
401. s IP Address Classes IP addresses are generally divided into different classes of addresses based on the number of hosts and subnetworks required to support the hosts As described in RFC 1166 IP addresses are 32 bit quantities divided into five classes Each class has a different number of bits allocated to the network and host portions of the address For this discussion consider a network to be a collection of computers hosts that have the same network field values in their IP addresses The concept of classes is being made obsolete by classless interdomain routing CIDR Instead of dividing networks by class CIDR groups them into address ranges A network range consists of an IP address prefix and a netmask length The address prefix specifies the high order bits of the IP network address The netmask length specifies the number of high order bits in the prefix that an IP address must match to fall within the range indicated by the prefix For example 192 168 42 x describes a Class C network with addresses ranging from 192 168 42 0 through 192 168 42 255 CIDR uses 192 168 42 0 24 to describe the same range of addresses RIP 1 is an example of a protocol that uses address classes OSPF and BGP 4 are examples of protocols that do not use address classes PortMaster Configuration Guide Networking Concepts Network Addressing Class A Addresses The class A IP address format allocates the highest 8 bits to the network field an
402. s You must configure the primary Ethernet interface before adding subinterfaces See Setting General Ethernet Parameters on page 4 1 for details After you configure the primary Ethernet interface follow this procedure to add a subinterface 1 Create a subinterface Command gt add subinterface name This command adds an entry to the subinterface table which you c0000000000000an then view with the show subinterface command Remove a subinterface from the subinterface table with the delete subinterface command 2 Associate the subinterface with a physical port Command gt set subinterface Name port Portlabel 3 Assign an IP address or an IP address and netmask to the subinterface Command set subinterface Name address Ipaddress NM Netmask You can specify the netmask in the NM or dotted decimal format You can also configure the IP address and netmask separately See the PortMaster Command Line Reference for details 4 Set the broadcast for the interface Command set subinterface Name broadcast high low Configuring the Ethernet Interface 4 7 Setting OSPF on the Ethernet Interface You can view or modify a subinterface with the ifconfig command see the PortMaster Command Line Reference If you modify the interface with the ifconfig command you must reboot the PortMaster for the changes to take effect Setting OSPF on the Ethernet Interface 4 8 You can enable or disable Open Shortest Path First
403. s PortMaster Configuration Guide Configuration Steps for an Internet Connection 4 If you notice a problem do the following a Reset the port b Check your configuration c Dial the ISP again d Repeat this procedure until the connection is made correctly Contact your ISP if you are unable to connect as expected The ISP might be able to provide additional information 5 When you have configured the PortMaster correctly enter the following commands to reset the port and save the configuration Command reset s1 Command gt save all Testing the Network Hardwired Setup To test a network hardwired connection follow these steps 1 Reset the newly configured serial port Command reset s1 The network hardwired connection is normally established within a few seconds 2 Verify that the port status is ESTABLISHED by entering the following command Command show s1 3 Ifthere is a problem check your configuration Contact your ISP if you are unable to connect as expected 4 When you have configured the PortMaster correctly reset the port and save the configuration Command reset s1 Command save all Using Internet Connections 18 9 Providing Network Filtering Providing Network Filtering 18 10 Your connection to the Internet can be vulnerable to attack from other Internet users Therefore Lucent recommends that you add an input filter to the location isp1 for the continuous dial out con
404. s Novell s proprietary Service Advertising Protocol SAP to advertise special services such as print and file servers IP Addressing IP address descriptions are found in RFC 1166 Internet Numbers Refer to Additional References in the preface for more information The Internet Network Information Center InterNIC maintains and distributes the RFC documents The InterNIC also assigns IP addresses and network numbers to Internet service providers ISPs who in turn provide to their customers a range of addresses appropriate to the number of host devices on their network The sections that follow describe the various types of IP addresses how addresses are given and routing issues related to IP A I Network Addressing A 2 IP Address Notation IP addresses are written in dotted decimal notation consisting of four numbers separated by dots periods Each number written in decimal represents an 8 bit octet sometimes informally referred to as a byte giving each number a range of 0 through 255 inclusive When strung together the four octets form the 32 bit IP address Table A 1 shows 32 bit values expressed as IP addresses Table A 1 IP Address Notation 32 Bit Value Dotted Decimal Notation 01100100 01100100 01100100 00001010 100 100 100 10 11000011 00100000 00000100 11001000 195 32 4 200 The largest possible value of a field in dotted decimal notation is 255 which represents an octet where all the bits are 1
405. s are better for multiline load balancing Setting the Destination IP Address and Netmask The IP address or hostname of the machine on the other end of the hardwired connection must be entered to identify the port destination For PPP the IP destination can be set to negotiated 255 255 255 255 You can optionally specify the netmask of the system on the other end of the hardwired connection Setting the IPX Network Number IPX traffic can be passed through a port if you assign an IPX network number to the hardwired network connection Note The IPX network number must be different from the IPX networks used on the n Ethernets on either end of the connection 5 22 PortMaster Configuration Guide Configuring a Port for a Dedicated Connection Configuring RIP Routing As described in the PortMaster Routing Guide PortMaster products automatically send and accept route information as part of RIP messages if RIP routing is turned on To configure RIP routing for a network hardwired asynchronous port use the following command Command set SO rip on broadcast listen off Note Releases earlier than ComOS 3 5 use routing instead of the rip keyword Table 5 3 describes the results of using each keyword Table 5 3 Keywords for Configuring RIP Routing Keyword Description on The PortMaster broadcasts and listens for RIP information from other routers on this interface This is the default off The PortMaster neither
406. s command for failed translations which can indicate incorrect session flow direction and possibly incomplete maps For more information about using the show nat commands see NAT Session Management on page 13 28 Monitor the source and destination IP addresses of packets passing through the PortMaster See the Tracing Packets section in the PortMaster Troubleshooting Guide for examples of simple ptrace debug filters If you are trying to run NAT on your WAN link verify that private IP addresses are not going out the ptpmn interface untranslated If translation is not taking place either your NAT maps are not configured correctly or NAT is not active on the port You must reset an active port before a NAT configuration takes effect On an Ethernet interface you must globally reset the NAT subsystem Resetting NAT Sessions on page 13 28 If a location is set to dial on demand you must reboot the PortMaster for configuration changes to take effect If a port loses network connectivity because for example the modem loses the carrier signal NAT maintains the existing session state only if the IP address assigned to the port remains the same Logging Control You can activate syslog and console logging on a per port basis to help track configuration errors and for auditing To log to the PortMaster console all NAT sessions that fail for any reason use the following command Command set Fther0 SO W1 location Locname user Use
407. s have ports with numbers preassigned by the Internet Assigned Numbers Authority IANA for example HTTP is assigned port 80 and RADIUS is assigned port 1645 These well known ports are listed in RFC 1700 Assigned Numbers The number of ports to which a RADIUS user is permitted to be concurrently connected The name of a family of remote access server and router products designed and manufactured by Lucent Technologies Glossary 55 Glossary port speed The rate at which data is accepted by the port at the end of the wire For example when a T1 line exists between a site and a telecommunications provider the telecommunications provider accepts only the number of bits per second ordered by the customer into the port on its equipment Upgrading port speed is generally a software change Post Office Protocol POTS PPP PPTP PRI See POP Plain old telephone service The analog dial tone type telephone networks and services in place worldwide with transmission rates up to 52Kbps In contrast telephone services based on digital communications lines such as ISDN and Fiber Distributed Data Interface FDDI have higher speeds and bandwidths The POTS network is also called the public switched telephone network PSTN Point to Point Protocol A protocol that provides connections between routers and between hosts and networks over synchronous and asynchronous circuits PPP was designed to work with network layer proto
408. s is a member This setting is used on network hardwired ports only To set the subnet mask use the following command Command gt set W1 netmask Ipmask See Appendix A Networking Concepts for more information about using subnet masks Setting the IPX Network Address When using IPX you must identify an IPX network number of the serial link that is unique from every other IPX number on the network An IPX network address is entered in hexadecimal format as described in Appendix A Networking Concepts Note The serial link itself must have an IPX network number that is different from fan those at either end of the connection To set the IPX network address use the following command Command gt set W1 ipxnet Ipxnetwork Configuring RIP Routing As described in the PortMaster Routing Guide PortMaster products automatically send and accept route information as RIP messages Turn on RIP routing for the port for only network hardwired connections such as leased lines or Frame Relay Routing is set in the user table for dial in connections and in the location table for dial out connections Configuring a Synchronous WAN Port 6 9 Configuring WAN Port Settings 6 10 To configure RIP routing use the following command Command set WI rip on broadcast listen off Note Releases earlier than ComOS 3 5 used the keyword routing instead of the rip keyword Table 6 3 describes the results of using each keyword
409. s not provide guaranteed delivery The ISDN interface defined as the connection between the network termination 1 device NT1 and the telephone company local loop The U interface standard is set by each country The U interface described in PortMaster documentation refers to the U S definition See also S T interface User Network Interface 1 An interface point between Asynchronous Transfer Mode ATM end users and a private ATM switch or between a private ATM switch and the public carrier ATM network defined by physical and protocol specifications in ATM Forum UNI documents 2 A similar connection in a Frame Relay network 3 The interoperability standard adopted by the ATM Forum to define connections between users or end stations and a local switch See also ATM ATM Forum PortMaster Configuration Guide Glossary uniform resource locator UNIX See URL A multiuser multitasking operating system originally developed by AT amp T that runs on a wide variety of computer systems UNIX to UNIX Copy Program See UUCP unshielded twisted pair See UTP update message URL user A message sent between BGP peers to convey network reachability information in two parts The first part lists the IP address prefixes and associated netmasks for one or more routes that the PortMaster is withdrawing from service because it can no longer reach them The second part of an update message consists of a single BGP route See also ke
410. s ports used for leased line connections are configured for PPP operation and can have input and output filters for network security Note The PortMaster also supports numbered IP interfaces on leased lines but Lucent y does not recommended this method because it wastes IP address space Configuration Steps for Leased Line Connections This example connects a PortMaster Office Router in Rome with a PortMaster Office Router in Florence using a leased line connection To install your PortMaster follow the instructions in your hardware installation guide If you need additional help refer to the troubleshooting chapter of your installation guide The example in this chapter shows variables in italics Change these values to reflect your network Once you have assigned an IP address to the PortMaster continue with the following steps l Configure the following settings for the PortMaster in Rome a Global settings page 21 4 b Ethernet interface settings page 21 4 c Synchronous WAN port settings page 21 5 2 Configure the following settings for the PortMaster in Florence a Global settings page 21 6 b Ethernet interface settings page 21 6 c Synchronous WAN port settings page 21 7 3 Troubleshoot the configuration if necessary page 21 8 Using Synchronous Leased Lines 21 3 Configuration Steps for Leased Line Connections Configuring the PortMaster Office Router in Rome Configure the settings for the
411. s significantly simpler and supports TCP IP Glossary 39 Glossary leased line LEC LED A permanent telephone connection between two points that is rented for exclusive use from a telecommunications common carrier In contrast to a normal dial up connection a leased line is always active Typically the highest speed data connections require a leased line connection For example a T1 channel is a type of leased line that provides a maximum transmission speed of 1 544Mbps Local exchange carrier An organization that provides telephone exchange service or exchange access An LEC is a U S local telephone company which can be either a regional Bell operating company RBOC or an independent See also RBOC Light emitting diode Lightweight Directory Access Protocol line speed See LDAP The speed of the physical wire attached to the interface or interface hardware The line speed is 10Mbps for Ethernet and 1 544Mbps for T1 Fractional T1 is often implemented with a wire speed of T1 1 544Mbps and a lower port speed Upgrading line speed is generally a hardware change See also port speed Link Control Protocol See LCP link state advertisement LMI Glossary 40 See LSA Local Management Interface A protocol used to communicate link status and permanent virtual circuit PVC status in Frame Relay Two types of LMI are available on Frame Relay the original proprietary Cisco Systems Stratacom LMI and the American
412. s support Frame Relay over synchronous ports This chapter uses an example to demonstrate how to configure the PortMaster to connect to a synchronous line using Frame Relay This chapter also explains how to configure Frame Relay subinterfaces The following topics are discussed e Overview of Frame Relay on page 15 1 e Frame Relay Configuration on the PortMaster on page 15 4 e Configuration Steps for a Frame Relay Connection on page 15 7 e Troubleshooting a Frame Relay Configuration on page 15 11 e Frame Relay Subinterfaces on page 15 12 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Overview of Frame Relay Synchronous ports on PortMaster products can be configured to support Frame Relay connections As opposed to a dedicated or leased line a Frame Relay connection can be thought of as a virtual switch Frame Relay is a switched digital service that supports multiple virtual circuits simultaneously connected to a site by a single physical circuit Each site requires only one physical circuit into the Frame Relay network usually referred to as a cloud but can have several virtual circuits to reach other sites attached to the cloud 15 1 Overview of Frame Relay 15 2 PVCs and DLCIs PortMaster products support permanent virtual circuits PVCs PVCs are used to form a connection between any two devices attached to a Frame Relay cloud Each PVC
413. s variables in italics Change these values to reflect your network Once you have assigned an IP address to the PortMaster continue with the following steps 1 Configure the following settings for the PortMaster in Bangkok a Configure global settings page 15 8 b Configure Ethernet interface settings page 15 8 c Configure synchronous port settings page 15 9 2 Configure the following settings for the PortMaster in New York a Configure Ethernet interface settings page 15 10 b Configure synchronous port settings page 15 10 3 Troubleshoot the configuration page 15 11 You can additionally configure Frame Relay subinterfaces For information on Frame Relay subinterfaces see Frame Relay Subinterfaces on page 15 12 Note You must configure the Ethernet interface before configuring the PortMaster for a Frame Relay connection Refer to Chapter 4 Configuring the Ethernet Interface for more information Using Frame Relay 15 7 Configuration Steps for a Frame Relay Connection 15 8 Configuring the PortMaster in Bangkok Configure the settings for the PortMaster in Bangkok with the values in the following sections Configuring Global Settings Configure the global settings on the PortMaster in Bangkok to the values shown in Table 15 1 Table 15 1 Global Values Parameter Command Gateway set gateway 192 168 20 2 After you configure the global settings shown in Table 15 1 enter
414. se code modulation for PRI line 11 7 SPID 10 5 supported PRI switches 11 5 switch type 10 4 TID 10 6 troubleshooting 10 21 ISP provided dial in access 19 1 K keepalive timer Annex D 15 6 LMI 15 5 L L2TP access concentrator See LAC administering 14 12 configuring 14 4 debugging 14 13 displaying information 14 13 network server See LNS overview 14 1 Subject Index 6 partial user based tunneling 14 9 RADIUS 14 7 troubleshooting 14 13 LAC configuration 14 4 overview 14 2 Layer 2 Tunneling Protocol See L2TP leased line connections 21 1 troubleshooting 21 8 line hangup 9 9 line speed Frame Relay 15 2 LMI enabling 15 5 keepalives 15 5 types 15 3 use with DLCI 15 11 LNS configuration 14 5 overview 14 2 load balancing for L2TP 14 5 local IP address 1 5 Local Management Interface See LMI location table adding a location 8 3 CHAP 8 10 compression 8 8 connection types 8 3 destination IP address 8 6 dial groups 5 5 6 7 8 8 displaying 8 2 filters 8 13 high water mark 8 11 idle timer 8 10 IPX network number 8 6 LocationWizard 1 2 maximum dial out ports 8 12 MTU 8 8 multiline load balancing 8 11 netmask 8 6 password 8 5 protocol 8 5 routing 8 7 PortMaster Configuration Guide Subject Index TCP IP header compression 8 8 username 8 5 locations configuring for NAT 13 21 defining 8 1 10 14 16 6 17 7 18 7 example dial out using NAT 13 40 LocationWizard 1 2 logging in to a remote host 5 2 loghos
415. se workstation has a private IP address is assigned the destination address of the port on the local non NAT router that connects to the PortMaster doing network address translation for it Set the netmask for user superfly Command gt set user superfly netmask 255 255 255 255 Set the IP address of the network user Command gt set user superfly address destination 192 168 200 112 The set user address and set user destination commands are synonyms for each other Note that the IP address is the address of the local router PortMaster Configuration Guide NAT Maps 5 Set the IP address of the PortMaster serial port to the IP address of the network user Command gt set user superfly local ip address 192 168 24 65 This command creates a dial out point to point network connection when both ends require an IP address The IP address is the address of the PortMaster doing network address translation for this workstation see Figure 13 3 Figure 13 3 Default NAPT Outsource a PortMaster 192 168 200 112 non NAT router private network 11820029 Note In this release of NAT inbound maps are restricted and can contain static address maps and or static TCP UDP port maps only Outbound maps do not have this limitation When configuring NAT for a specific port user or location you need not translate all the hosts behind the NAT By configuring address maps carefully you can be highly selective about which hos
416. sed in uniform resource locators URLs to identify particular World Wide Web pages Domain names always have two or more parts the part to the left is the most specific and the part to the right is the most general as for example Lucent com A given machine can have more than one domain name but a given domain name points only to one machine Because the Internet is based on IP addresses not domain names every Web server requires a Domain Name System DNS server to translate domain names into IP addresses Domain Name System See DNS dotted decimal notation DRAM DS 0 DS 1 DSL Common 7 7 5 1 notation for IP addresses Each number n represents in decimal 1 byte of the 4 byte IP address Dotted decimal notation is also known as dot address dotted notation dotted quad notation or four part notation Dynamic random access memory A type of semiconductor random access memory RAM that stores information in integrated circuits containing capacitors Digital signal level 0 A single 64Kbps digital telephone channel Digital signal level 1 See T1 Digital subscriber line A technology that uses sophisticated modulation schemes to pack data onto copper wires for connections from a telephone switching station to a home or office DSL is similar to ISDN because both operate over existing copper telephone lines and require runs of usually less than 20 000 feet to a central telephone office However DSL offers much higher
417. sername add netuser miami Password set user miami password anypasswd Protocol set user miami protocol ppp User IP address set user miami destination 192 168 1 1 Netmask set user miami netmask 255 255 255 0 Using Synchronous V 25bis Connections 16 5 Configuration Steps for a Synchronous V 25bis Connection 16 6 Table 16 4 User Table Values Continued Setting Command IPX network set user miami ipxnet F3 RIP routing set user miami rip on MTU set user miami mtu 1500 After you configure user table settings as shown in Table 16 4 enter the following command to save the configuration Command gt save all No compression is used on synchronous lines For more information about configuring user table settings refer to Chapter 7 Configuring Dial In Users Configuring a Dial Out Location A location entry on the PortMaster in Boston must be created for the location identified as miami This allows the PortMaster in Boston to call the PortMaster in Miami when network traffic is queued The new location miami should be configured on the router in Boston with the values shown in Table 16 5 Table 16 5 Location Table Values Setting Command Location name add location miami Type set location miami manual Set the location for manual dialing until after the configuration has been tested Once the configuration is verified change the connection type to on demand Protocol set location miami p
418. ses to authenticate itself to the remote host Note that the username and password you enter here must also be resident on the remote host in the user table RADIUS or other authentication mechanism To set the username and password use the following commands Command gt set location Locname username Username Command gt set location Locname password Password Setting the Protocol The network protocol for a dial out location can be set for PPP packet encapsulation SLIP encapsulation or a Frame Relay subinterface PPP can be used with either or both IP and IPX packet routing Select a protocol that is compatible with the remote location Note New location table entries default to PPP To set the protocol for a location use the following command Command set location Locname protocol slip ppp frame x75 sync For more information about setting the location protocol to a Frame Relay subinterface see Frame Relay Subinterfaces on page 15 12 Configuring Dial Out Connections 8 5 Configuring the Location Table 8 6 Setting the Destination IP Address The destination IP address is the IP address expected on the system at the remote end of the dial out connection For PPP connections you can either specify an IP address or have it negotiated If you enter 255 255 255 255 negotiated for the destination IP address the PortMaster learns the IP address of the remote system during PPP IPCP negotiation For SLIP conn
419. sessions to a group of internal hosts with private IP addresses you can create an inbound map and apply it to the port After you create a NAT map using the add map command you use the set map Mapname staticaddressmap Ipaddrxfrom Ipaddrxto command to set the map as static and define the pool of global addresses and the private addresses to which global addresses are translated For example to create an inbound map called isp in to allow inbound sessions from the external 192 168 65 0 24 network to the private 10 1 1 0 24 network enter the following command Command gt set map isp in 1 staticaddressmap 192 168 65 0 24 10 1 1 0 24 With this address map the public IP address 192 168 65 1 is always mapped to the private IP address 10 1 1 1 public IP address 192 168 65 2 is always mapped to private IP address 10 1 1 2 and so on Mixing IP Address Notations Although private and global address ranges in a static address pool must be of equal size they need not be represented in the same notation You can use a hyphen to separate the two addresses that define a range use the classless interdomain routing CIDR notation or mix hyphen separated ranges with CIDR notation PortMaster Configuration Guide NAT Maps For example you can create an inbound map that statically maps 14 private addresses 10 1 1 1 10 1 1 14 to 14 global addresses 192 168 65 1 192 168 65 14 by using the following command Command gt set map Mapname
420. set sysname office2 After you configure the global settings shown in Table 21 4 enter the following command to save the configuration Command gt save all For more information about global settings refer to Chapter 3 Configuring Global Settings Configuring Ethernet Interface Settings Configure the Ethernet settings to the values shown in Table 21 5 Table 21 5 Ethernet Values Setting Command IP address set ether0 address 192 168 1 1 Netmask set ether0 netmask 255 255 255 0 IPX network set ether0 ipxnet FI IPX frame type set ether0 ipxframe ethernet 802 2 Broadcast address set ether0 broadcast high RIP routing set ether0 rip on PortMaster Configuration Guide Configuration Steps for Leased Line Connections After you configure the Ethernet interface as shown in Table 21 5 enter the following command to save the configuration Command gt save all For more information on Ethernet settings refer to Chapter 4 Configuring the Ethernet Interface Configuring Synchronous WAN Port Parameters Configure the synchronous WAN port with the values shown in Table 21 6 The IP address for the port is left unconfigured accepting the default IP address value of 0 0 0 0 Table 21 6 WAN Port Values Setting Command Port type set s network hardwired Transport protocol set sl protocol ppp IP destination set sl destination 192 168 200 1 Netmask set s netmask 255 255 255 0
421. set the network dial access for two way use The specified port operates in user login mode if DCD is detected on pin 8 of the RS 232 connector Otherwise it can be accessed as a host device on the computer through in pmd or a Telnet session As mentioned in Network Dial In Only Access on page 5 16 SLIP or PPP is used to define the method for sending IP packets over standard asynchronous lines with a minimum line speed of 1200bps These encapsulation methods allow you to establish connections on an as needed basis to reduce telephone costs PortMaster Configuration Guide Configuring a Port for Network Access To set a port for network two way access use the following commands Command gt set SO network twoway Command gt save all PPP and SLIP Connections The Serial Line Internet Protocol SLIP is an older protocol than PPP and not as robust However some hosts support only SLIP The type of protocol allowed is specified for each dial in user dial out location or network hardwired port PPP is a method of encapsulating network layer IP protocol information on asynchronous point to point links PPP is described in RFC 1331 and RFC 1332 Lucent s implementation of PPP provides PPP autodetection support for the Challenge Handshake Authentication Protocol CHAP and Password Authentication Protocol PAP on serial ports running PPP ComOS 3 3 and later releases support Multilink PPP as described in RFC 1717 on ISDN BRI ports an
422. sh network Bigfish has assigned Smallfry the IP address range 192 168 33 0 24 PortMaster Configuration Guide NAT and NAPT Examples Figure 13 6 Address Renumbering IB RR PortMaster Bigfish router 192 168 7 1 o o PortMaster Smallfry router 10 1 1 254 10 1 1 0 24 10 1 1 8 Ein 11820031 To use basic NAT to avoid address renumbering as illustrated in Figure 13 6 add the following commands to the Smallfry PortMaster Command add map smallfry outmap Command set map smallfry outmap 1 addressmap 10 1 1 0 24 192 168 33 0 24 Command add location bigfish Command set location bigfish telephone 5558583 Command set location bigfish username smallfry Command set location bigfish password bigsecret Command set location bigfish destination 192 168 7 1 Command set location bigfish maxports 2 Command set location bigfish idletime 15 minutes Command set location bigfish on demand Command set location bigfish local ip address 192 168 33 254 Command set location bigfish nat outmap smallfry outmap The above smallfry outmap NAT map dynamically assigns IP addresses on an as needed basis If you want to statically map IP address translations change the smallfry outmap as follows Command set map smallfry outmap 1 staticaddressmap 10 1 1 0 24 192 168 33 0 24 Configuring NAT 13 35 NAT and NAPT Examples Redirecting Traffic to a Backup Se
423. sh users with direct access to information and resources at a remote AppleTalk site ARCHIVE An Internet utility for finding files stored on anonymous FIP sites To find a file with Archie you must know the exact filename or a substring of it See also FIP In OSPF a contiguous collection of networks and hosts Each area runs a separate copy of the shortest path first SPF algorithm and has its own topological database area border router ARP ASCII In OSPF a router that attaches to the backbone and one other area An area border router runs separate copies of the shortest path first SPF algorithm for each area it attaches to Area border routers condense the topological information of their attached areas and distribute it over the backbone to the other areas Address Resolution Protocol A protocol that discovers the unique physical hardware address of a node or a LAN from its IP address When an ARP request is sent to the network naming the IP address the machine with that IP address returns its physical address so that it can receive the transmission American Standard Code for Information Interchange A standard 8 bit code commonly used by computers and communications equipment asymmetric digital subscriber line asynchronous See ADSL Not synchronized by a shared signal and therefore proceeding independently not occurring at predetermined or regular intervals In asynchronous communication data is transmitted charac
424. shows an example of an ISDN connection You can use PAP and CHAP for dial in and dial out authentication Contact your service provider for specific information about your ISDN switch type and service profile identifier SPID The following ISDN specific settings need to be configured for each ISDN BRI port on the PortMaster to permit ISDN service e ISDN switch type e SPID U S ISDN only e Directory number optional PortMaster Configuration Guide Overview of ISDN BRI Connections Figure 10 1 Example of an ISDN Connection Bangkok workstation 1 sae O PortMaster 2e A PortMaster PM 2E with BRI module workstation 3 New York workstation 1 workstation 2 workstation 3 11820006 Provisioning To help you determine the kind of provisioning you require for your ISDN setup refer to the information in the hardware installation guide and on the Lucent website at http www livingston com Using ISDN BRI 10 3 Configuring ISDN Configuring ISDN 10 4 This section describes the commands that you need to configure a PortMaster for ISDN BRI service ISDN BRI Switch Types The North American ISDN U interface and international S T interface require different switch type settings on your PortMaster North American ISDN BRI Switch Types The ISDN switch type for North American ISDN connections U interface can be s
425. sk 5 22 device service 5 14 dial groups 5 5 DTR idle 5 25 extended information 5 5 flow control 9 8 input and output filters 5 25 IPX network number 5 22 line hangup 9 9 login host 5 11 login message 5 6 login prompt 5 5 login service 5 9 modem control 9 7 MTU 5 22 overriding settings 5 3 parity checking 5 4 9 8 port type 5 9 PPP asynchronous map 5 24 protocol 5 22 routing 5 23 security 5 6 speed 5 3 9 7 terminal type 5 11 uses of 5 1 using as console port 5 7 authentication 1 3 by RADIUS 14 3 on the PortMaster 14 6 process 2 4 tunnels 14 6 user 14 6 See also RADIUS automatic login 5 6 B bandwidth on demand 8 11 8 12 Basic Rate Interface See ISDN bidirectional communications 5 25 boot process 2 1 NetbootServer 1 2 boundaries of routes 3 25 BRI See ISDN broadcast packets type 20 3 26 broadcast hight and low 4 4 burst speed 15 2 Subject Index 1 Subject Index C callback configuration tip 1 5 login users 7 13 manual dial out 8 4 network users 7 10 call check enabling 14 7 L2TP 14 9 operation 14 7 overview 14 7 RADIUS 14 9 setting 3 27 carrier detect See DCD caution icon xxviii Challenge Handshake Authentication Protocol See CHAP authentication channel rate 11 3 channelized E1 in band signaling 11 2 channelized T1 11 4 example configuration 11 16 questions to ask the telephone company 11 15 CHAP authentication 3 26 5 19 8 10 18 8 ChoiceNet 1 3 A 10 C
426. slog message is queued for the syslog host Setting the loghost s IP address to 0 0 0 0 disables syslog from the PortMaster This change requires a reboot to become effective RADIUS accounting provides a more complete method for logging usage information Refer to the RADIUS for UNIX Administrator s Guide for more information on accounting Disabling and Redirecting Syslog Messages By default the PortMaster logs five types of events at the informational info priority level using the authorization auth facility on the log host You can disable logging of one or more types of events and change the facility and or priority of log messages To disable logging of a type of event use the following command Command gt set syslog Logtype disabled Use the Logtype keyword described in Table 3 2 to identify the type of event you want to disable or enable again Table 3 2 Logtype Keywords Logtype Keyword Description admin logins root and administrative logins user logins Nonadministrative logins you might want to disable this logtype if you are using RADIUS accounting packet filters Packets that match rules with the log keyword commands Every command entered at the command line interface termination More detailed information on how user sessions terminate nat Packets that match NAT filter rules with the log keyword You can change the facility the priority or both of log messages Configuring Global
427. speeds than ISDN Types of DSL include asymmetric DSL ADSL symmetric DSL SDSL high data rate DSL HDSL and single line DSL SDSL See also ADSL Glossary 21 Glossary DSP DSR DSU DTE DTR dual homing Digital signal processor A specialized digital microprocessor that performs calculations on digital signals that were originally analog to improve their accuracy and reliability Most DSPs are programmable and can manipulate different types of information including sound images and video Data Set Ready The circuit that is activated when data communications equipment DCE is started up and ready for use See also DCE Digital service unit or data service unit An ancillary device needed to adapt the physical interface on a data terminal equipment DTE device such as a V 35 interface on a port to a transmission facility such as leased line or a Frame Relay switch If the DTE lacks complete digital line interface capability the DSU can be located with the channel service unit CSU on the customer s site and known as a CSU DSU See also CSU Data terminal equipment A device at the user end of the interface between the network and the user The DTE connects to a data network through data communications equipment DCE such as a modem or an interface card DTEs convert user information into data signals for transmission and reconvert received data signals into user information Compare DCE Data Terminal Rea
428. ss carrier detect CSMA CD access logical bus topology and coaxial cable The successor IEEE 802 3 standard provides for integration of Ethernet into the Open System Interconnection OSI model and extends the physical layer and media with repeaters and implementations that operate on fiber optic cable broadband and unshielded twisted pair UTP See EBGP A peer that resides in a different autonomous system or when confederations are in use in a different confederation member autonomous system CMAS from the current PortMaster An intranet that is accessible to authorized outsiders You can access an extranet only if you have a valid username and password and your identity determines which parts of the extranet you can view Extranets are a popular means for business partners to exchange information Compare intranet PortMaster Configuration Guide FAQ FDDI Glossary Frequently asked questions Documents that list and answer the questions most often asked about a particular subject The World Wide Web contains thousands of FAQs on subjects as diverse as pet grooming and cryptography Fiber Distributed Data Interface A standard for transmitting data on fiber optic cable at rates of up to 100 million bits per second 10 times as fast as Ethernet and about twice as fast as T3 FDDI networks are typically used as backbones for WANs Fiber Distributed Data Interface See FDDI File Transfer Protocol filter filte
429. st sales workstation 1 workstation 2 11820001 In Figure 5 1 the user named susan is verified as an authorized user and is connected to the host named sales which has been specified as the host for this port 5 8 PortMaster Configuration Guide Configuring a PortMaster for Login Users To configure a PortMaster for user login use the following steps These steps are described in more detail in later sections 1 Set the port type to login Command gt set SO login Set the login service Command set SO service login portmaster rlogin telnet netdata Tport Set the login host Command set SO host 1 2 3 4 default prompt Ipaddress Specify the terminal type Command set SO all termtype String Reset the port and save the settings Command reset S0 Command save all Setting the Port Type If you use the set SO login command the port is set for user login After being verified or authenticated a login session is established to the host computer You can set the port type to login for all asynchronous ports simultaneously by using the set all command as shown in the following example Command set all login Setting the Login Service The login service specifies how login sessions are established Table 5 1 describes the four types of login services available Configuring an Asynchronous Port 5 9 Configuring a PortMaster for Login Users Table 5 1 Types of Login Service Login Service Fun
430. st specifically named A valid hostname or IP address must be entered This configuration is used when you want to allow a user to access a specific host For example this configuration can be used to allow the user carmela to always be connected with the host sales To set the login host for a login user use the following command Command set user Username host default prompt Ipaddress Applying an Optional Access Filter An access filter is an input filter that restricts which hosts users can log in to Access filters work as follows e The user logs in and specifies a host e The host address is compared against the access filter e Ifthe address is permitted by the filter the connection is established e If the address is not permitted the connection is denied Configuring Dial In Users 7 11 Configuring Login Users To apply an access filter to a login user use the following command Command gt set user Username ifilter Filtername information about filters see Chapter 12 Configuring Filters Note You must define a filter in the filter table before you can apply it For more Setting the Login Service Type AII login users must have an associated login service that determines the nature of their connection with the host The login service specifies how login sessions are established Four types of login service are available as described in Table 7 5 Table 7 5 Types of Login Ser
431. ster asynchronous ports for network dial in only access dial out only access or both dial in and out access also known as two way access You can combine dial in and dial out access with the login and device services discussed in the previous sections Configuring an Asynchronous Port 5 15 Configuring a Port for Network Access When you configure a port for network dial in dial out or two way access the port becomes available for connections to and from remote sites using modems and the Serial Line Internet Protocol SLIP or the Point to Point Protocol PPP To configure a port for network access follow these steps 1 Set the port to network and choose the access type Command set SO network dialin dialout twoway 2 Save the configuration Command gt save all Note In any of these dial modes dial in dial out and two way you can also fay configure the port for other concurrent port types Network Dial In Only Access Network dial in only access can be set on ports dedicated to answering requests from mobile or home users In this configuration the selected port allows an authorized user to connect to the network for mail file and other services through SLIP or PPP encapsulation Figure 5 4 shows how the PortMaster provides network connectivity for remote users PortMaster Configuration Guide Configuring a Port for Network Access Figure 5 4 Dial In Only Port Access mobile or at home user
432. ster in Bangkok 0 0 0 0 eee eee eee eee 15 8 Configuring the PortMaster in New York 2 2 2 00 eee 15 9 Troubleshooting a Frame Relay Configuration llle eee 15 11 xvi PortMaster Configuration Guide Contents 16 17 18 Contents Frame Relay Subinterfac s epu iie ir c or 3 c c o9 p Ere HE EE HEE PEED 15 12 Configuring Subinterfaces lle sees eee 15 12 Troubleshooting Subinterfaces llle eese eee 15 14 Example Configuring a Frame Relay Subinterface llle 15 15 Using Synchronous V 25bis Connections Overview of Synchronous V 25bis Dial Up Connections 00005 16 1 Configuration Steps for a Synchronous V 25bis Connection 16 3 Configuring the PortMaster in Boston slseeeee ee eee 16 3 Configuring the PortMaster in Miami 20 0 eee eee ee eee 16 7 Testing the Configuration 0 0 0 cee eee eens 16 12 Troubleshooting a Synchronous V 25bis Connection 0 0 00 eee eee 16 13 Using Office to Office Connections Overview of Example Configuration 0 00 eee 17 1 Configuration Steps for an Office to Office Connection 0000 17 3 Configuring the Office Router in London 0 0 eee eee ees 17 4 Configuring the PortMaster 2 in Paris 0 eee eee eee 17 8 Testing the Setup ssa bet fare Meee eee aaa edu ees 17 12 Setting the Console Port for Multiline Loa
433. synchronous configurations come up with very little trouble if you have configured the PortMaster using information from your carrier If you have problems use the information in this section to debug your configuration If you are having trouble with a V 25bis dial up connection to location Locname verify the following The error counters are 0 except for a small number of abnormal termination errors resulting from plugging and unplugging cables If your error counters are nonzero the problem is external to the PortMaster Verify that you are using the correct cables and that they are attached securely to the correct port Not all WAN ports are capable of the same speeds Verify that the DIP switch is set to V 35 for Lucent cables and that you are plugged into the correct V 35 interface on your CSU DSU Verify that the CSU DSU or synchronous terminal adapter is providing the clock signal to the PortMaster The CSU DSU or terminal adapter can generate the clock signal or receive it from the carrier Verify that the CSU DSU or synchronous terminal adapter is configured properly To view the PPP negotiation use the following commands Command gt set console wl Command gt set debug 0x51 Command gt dial Locname For more information about the interpreting the results of the debug command refer to the PortMaster Troubleshooting Guide After you verify that the PPP negotiation is correct enter the following commands to turn off the d
434. synchronous serial ports most often use 10 bits for a character of data including 1 start bit 8 data bits and 1 stop bit A computer or software program that provides one or more services to a client computer or software Service Advertisement Protocol See SAP service profile identifier SHA 1 shared secret See SPID Secure hash algorithm An iterative cryptographic hash function for message authentication See also MD5 A character string specified on both a server and another device or server that establishes mutual identification A shared secret is required for RADIUS and ChoiceNet clients as well as for proxy or remote servers The shared secret is used to encrypt the user s password so it does not travel across the network in clear text The server in turn uses the shared secret to decrypt the password upon receipt shielded twisted pair See STP Simple Mail Transfer Protocol See SMTP Simple Network Management Protocol See SNMP Glossary 65 Glossary site list slave SLIP A list of sites each specified by its IP address or fully qualified domain name used by a ChoiceNet filter instead of individual source or destination host addresses to permit or deny access by users In Multichassis PPP a PortMaster through which a subsequent connection for a particular user is made The port through which the connection is made is called the slave port Every slave has a corresponding master Slav
435. t setting 3 6 login host 5 11 7 11 default 5 11 prompt 5 11 specifying 5 11 login message 5 6 login prompt 5 5 login service 5 9 netdata 5 10 PortMaster 5 10 rlogin 5 10 Telnet 5 10 using with in pmd daemon 20 3 login users description of 7 3 example 19 1 loopback enabling on T1 or El lines 11 8 M mailing lists subscribing to xxix Management Information Base See MIB manual connections 8 3 8 4 maximum transmission unit See MTU mesh configuration 5 2 metrics hop count 3 21 3 22 ticks 3 22 MIB description of 3 10 modem connections L2TP monitoring 14 13 See also modems modem switch 11 13 modems adding to modem table 9 3 automatic configuration 9 2 configuring for login 19 7 control signal 6 6 9 2 9 7 digital 11 13 digital to analog 11 14 DSR value 5 26 DTR idle 5 25 hardware flow control 9 2 9 8 hot swapping 11 14 initialization strings 9 4 line hangup 9 9 null modem cable 9 1 outbound traffic 9 7 parity checking 9 8 port speed 9 7 RTS CTS 9 2 9 8 setting speed 5 3 synchronizing speed 9 7 table 9 3 monitoring L2TP 14 12 NAT 13 44 PMVision as a monitoring tool 1 1 SNMP 3 18 SNMP alarms 3 20 See also filters RADIUS MSN 10 8 MTU asynchronous ports 5 22 dial out locations 8 8 frame size 8 8 network users 7 7 packet size 8 8 Multichassis NFAS 11 10 Multichassis PPP displaying addresses 11 20 enabling on a PortMaster 3 11 20 Subject Index 7 Subject Index
436. t a static route table manually on a PortMaster by adding and deleting static routes as described in the following sections Refer to the PortMaster Routing Guide for information about routing and static routes Adding and Deleting a Static Route for IP A static route for IP contains the following items e Destination The IP address prefix of the host or the number of the IPX network to which the PortMaster will be routing e Netmask The static netmask in use at the destination See Modifying the Static Netmask Table on page 3 23 for more information about netmasks e Gateway The address of a locally attached router where packets are sent for forwarding to the destination e Metric The number of routers or hops a packet must cross to reach its destination The metric represents the cost of sending the packet through the gateway to the specified destination Note Never set the gateway for the PortMaster to an address on the same PortMaster the gateway must be on another router Use the following commands to add a static route for IP Command add route Ipaddress NM Ipaddress gw Metric Command save all Configuring Global Settings 3 21 Setting Static Routes Use the following commands to delete a static route for IP Command delete route Ipaddress NM Ipaddress gw Command gt save all You can delete only static routes Adding and Deleting a Static Route for IPX A static route for IPX co
437. t network traffic If an input filter is attached all incoming packets on that port are evaluated against the rule set for the attached filter Only packets permitted by the filter are passed through the PortMaster If an output filter is attached packets going to the interface are evaluated against the rule set in the filter and only packets permitted by the filter are sent to the interface For more information about filters see Chapter 12 Configuring Filters Connecting without TCP IP Support You can configure the PortMaster to connect to bulletin board service BBS systems or other hosts that have serial ports and allow bidirectional communications but do not support TCP IP This connection requires that you connect the PortMaster to the host with a null modem cable For more information about null modem cables refer to your hardware installation guide The default setting is on which sets the DTR drop time to 500 milliseconds ms Setting the Data Terminal Ready DTR signal to off changes the behavior of the port to better accommodate the connection To turn DTR on or off use the following command Command set SO dtr idle on off The following example shows how to configure this feature on port S1 Command set Telnet 24 Command set sl dtr idle off Command set s1 cd on Command set s1 twoway dev network Command set sl service device telnet Command reset s1 Command save all Configuring an Asynchron
438. t to 6560 feet 500m to 2000m per segment Use a 10BaseF Ethernet network to link users in different buildings Physical specification for a type of Ethernet that transmits 10Mbps signals over unshielded twisted pair cable and has a cable length limit of 330 feet 100m per segment A 10BaseT Ethernet network is the most flexible topology for LANs and is generally the best choice for most network installations Glossary 1 Glossary A AAA Authentication authorization and accounting A remote access security approach that controls network access by requiring user identification and restricting access to only particular resources AAA also known as triple A maintains records of use for billing and network audit abort error An error indicating an attempted and failed connection acceptance policy A set of rules that determine the path and route information the PortMaster accepts from a BGP peer for further processing See also policy access concentrator See remote access server access request A packet sent by a network access server to a RADIUS server when a user logs in to the network access server The access request packet includes the user s login name and password and information about the connection made by the user to the network access server RADIUS uses the access request to authenticate the user and authorize services to the authenticated user access router A type of router used to link a LAN across a WAN
439. tachment or a virtual link 1 The amount of data usually measured in bits per second that can be sent through a connection 2 The range of frequencies available for network transmission Basic Rate Interface baud BBS B channel BGP BGP 4 Glossary 8 See BRI The number of discrete signal events per second occurring on a communications channel Although not technically accurate baud is commonly used to mean bit rate Bulletin board system A computer service reached via modem or Telnet that allows users to conduct discussions upload or download files and post announcements Some BBSs are devoted to specific interests others offer a more general service The World Wide Web is superseding most BBSs because it provides wider cheaper access to information Bearer channel The ISDN channel that is the primary carrier of data voice and other services An ISDN Basic Rate Interface BRI has a single 64Kbps B channel and an ISDN Primary Rate Interface PRI has either 23 B channels in the United States or 30 B channels in Europe Border Gateway Protocol A routing protocol for exchanging network reachability information among autonomous systems A routing device can use this information to construct a map of autonomous system connectivity Version 4 of this protocol BGP 4 which supports classless interdomain routing CIDR and route aggregation is the predominant routing protocol used to propagate routes betw
440. tallation guide for information on ISDN LED activity e The ISDN ports support synchronous PPP and asynchronous V 120 PPP or SLIP The show S0 command displays 64000 async if the port is in use for an asynchronous V 120 connection e When using the ISDN port for network dial out use the set location telephone set location username and set location password commands as described in Chapter 8 Configuring Dial Out Connections ISDN BRI Unnumbered IP Configuration Example This example illustrates how to connect a PortMaster located in one office Denver with a PortMaster located in another office San Francisco using an on demand ISDN connection Configuration Steps N Using ISDN BRI To install your PortMaster follow the instructions in the hardware installation guide If you need additional help refer to the troubleshooting chapter of the guide The example in this chapter shows variables in italics Change these values to reflect your network Once you have assigned an IP address to the PortMaster continue with the following steps 1 Use a cable with RJ 45 connectors to connect the BRI port to the ISDN telephone line Warning Do not plug an analog telephone line into the PortMaster BRI port The PortMaster could be damaged ISDN BRI Unnumbered IP Configuration Example 2 Configure the following settings for the PortMaster in Denver a b C d e Configure global settings page 10 11
441. tbound mode 13 46 PortMaster Configuration Guide Configuring L2TP 14 This chapter describes how to set up a Layer 2 Tunneling Protocol L2TP tunnel between two PortMaster 3s or between a PortMaster 3 and another L2TP compatible router This chapter includes the following topics e Overview of L2TP on page 14 1 e Configuring L2TP on the PortMaster 3 on page 14 4 e Overview of Call Check on page 14 7 e Configuring L2TP on the RADIUS Server on page 14 8 e Administering L2TP on the PortMaster on page 14 12 e Troubleshooting L2TP on page 14 13 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Note You must be running RADIUS 2 1 or later to configure L2TP len Overview of L2TP The Layer 2 Tunneling Protocol L2TP allows PPP frames to tunnel across the Internet Tunneling is the encapsulation of one type of protocol within another protocol In L2TP PPP frames are encapsulated in IP UDP packets The ComOS implementation of L2TP currently has no built in encryption capability L2TP Components This section describes the fundamental components of L2TP and how they work together to tunnel data across the Internet 14 1 Overview of L2TP L2TP allows PPP frames to be tunneled from a PortMaster answering dial in calls to another PortMaster or any L2TP capable router that processes the PPP frames With L2TP the functionality normally provided by one
442. ted login service In this situation the specified host is expected to authenticate the user If port security is on and the user was not found in the user table the PortMaster queries the RADIUS server if one has been configured If the username is not found in the user table port security is on and no RADIUS server is configured in the global configuration of the PortMaster access is denied with an Invalid Login message If the RADIUS server is queried and does not respond within 30 seconds and neither does the alternate RADIUS server access is denied with an Invalid Login message If security is set to off any username that is not found in the user table is sent to the port s host for authentication and login If security is set to on the user table is checked first If the username is not found and a RADIUS server is configured RADIUS is consulted When you are using RADIUS security you must use the set SO security command to set security to on PortMaster Configuration Guide Port Status and Configuration Access can also be denied if the specified login service is unavailable for example if the PortMaster login service has been selected for the user but the selected host does not have the in pmd PortMaster daemon installed Access is denied with the Host Is Currently Unavailable message if the host is down or otherwise not responding to the login request If an access filter is configured on the port and
443. ter Configuration Guide Configuring Network Users Table 7 2 describes the results of using each keyword Table 7 2 Keywords for Configuring RIP Routing Keyword Description on The PortMaster broadcasts and listens for RIP information off The PortMaster neither broadcasts nor listens for RIP information from the local Ethernet This is the default broadcast The PortMaster broadcasts RIP information to the host at the other end of the connection listen The PortMaster listens for RIP information from the host or other router Setting the Asynchronous Character Map The PPP protocol supports the replacement of nonprinting ASCII data in the PPP stream These characters are not sent through the line but instead are replaced by a special set of characters that the remote site interprets as the original characters The PPP asynchronous map is a bit map of characters that are replaced The lowest order bit corresponds to the first ASCII character NUL and so on In most environments the asynchronous map is set to zero to achieve maximum throughput To set the PPP asynchronous character map use the following command Command gt set user Username map Hex Setting the MTU Size The maximum transmission unit MTU defines the largest frame or packet that can be sent without fragmentation A packet that exceeds this value is fragmented if IP or discarded if IPX PPP connections can have a maximum MTU of 1520 bytes SL
444. ter by character intermittently rather than in a steady stream Transmission can start and stop at any time The beginning of a character of asynchronous data is indicated by a start bit and the end is indicated by a stop bit Glossary 5 Glossary Asynchronous communication is slower and less efficient than synchronous communication but usually simpler and cheaper All PortMaster products have at least one asynchronous port for connection to a console or to connect an external modem mainframe computer or other peripheral device to the local network Compare synchronous Asynchronous Transfer Mode ATM ATM Forum attribute See ATM Asynchronous Transfer Mode A packet switching network technology that organizes digital data into 53 byte cells or packets and transmits them via digital signal technology ATM creates a fixed channel or route between two points whenever data transfer begins The short standardized ATM cells can be processed through a digital ATM switch and transmitted at speeds of 600Mbps or more ATM supports multiple services including voice graphics data and video and allows telephone and cable TV companies to dynamically assign bandwidth to individual customers An international nonprofit organization formed to accelerate the use of Asynchronous Transfer Mode ATM products and services through a rapid convergence of interoperability specifications In addition the Forum promotes industry cooperation an
445. the DLCI list manually The DLCI list is a list of DLCIs that are accessible through the Frame Relay network by this interface The PortMaster uses Inverse ARP to learn the IP addresses of routers attached to the PVCs represented by the specified DLCIs if those routers support Inverse ARP Alternatively you can specify IP addresses by appending a colon and IP address after the DLCI The DLCI list can be provided by your Frame Relay carrier For dynamically learned lists 32 PVCs are allowed Only 16 PVCs can be specified if the DLCI and IP address are entered If you specify only DLCIs you can list 24 When the PVC and IP address are specified the PortMaster statically configures these entries into its ARP table To enter the DLCI list manually use the following command Command set W1 dlcilist Dici list For information on Frame Relay subinterfaces see Frame Relay Subinterfaces on page 15 12 PortMaster Configuration Guide Configuration Steps for a Frame Relay Connection Configuration Steps for a Frame Relay Connection The example described in this chapter connects a PortMaster router located in a main office Bangkok with a PortMaster router located in a branch office New York using Frame Relay on a synchronous interface To install your PortMaster follow the instructions in the hardware installation guide If you need additional help refer to the troubleshooting chapter of the guide The example in this chapter show
446. the following command to save the configuration Command gt save all For more information about global parameters refer to Chapter 3 Configuring Global Settings Configuring Ethernet Interface Settings Configure the Ethernet interface settings on the PortMaster in Bangkok to the values shown in Table 15 2 Table 15 2 Ethernet Values Parameter Command IP address set etherO address 192 168 200 1 Netmask set ether netmask 255 255 255 0 After you configure the Ethernet interface as shown in Table 15 2 enter the following command to save the configuration Command gt save all PortMaster Configuration Guide Configuration Steps for a Frame Relay Connection For more information on Ethernet parameters refer to Chapter 4 Configuring the Ethernet Interface Configuring Synchronous WAN Port Parameters Configure the synchronous WAN port W1 to the values shown in Table 15 3 Table 15 3 Synchronous WAN Port Values Setting Command Port type set wl network hardwired Protocol set w protocol frame Port IP address set wl address 192 168 20 1 Netmask set w netmask 255 255 255 0 Modem control set wl cd on RIP routing set wl rip broadcast Annex D set wl annex d 10 LMI can be used instead of Annex D DLCI add dlci w1 16 192 168 20 2 You do not need to set a DLCI list if the remote router supports Inverse ARP After you configure the synchronous WAN port as shown in
447. tichassis PPP on page 11 20 e Troubleshooting the PortMaster 3 on page 11 21 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Configuring General Settings Use the following general settings to configure the PortMaster 3 11 1 Configuring General Settings Displaying Line Status To display the status of a El or TI line use the following command Command gt show Lined Configuring Line Use You can use a line as a single El or TI line as PRI B channels as fractional El or TI lines divided into channel groups or for inband signaling for channelized T1 or El Note T1 and EI lines require an external clock signal provided by the device to which yy the PortMaster is connected or by the telephone company network To configure a line use the following command Table 11 1 explains the line use options Command set LineO isdn t1 e1 fractional isdn fractional inband Table 11 1 Line Use Options Options Descriptions isdn Configures the line as ISDN B channels This is the default tl Configures the entire line as a T1 line el Configures the entire line as an EI line fractional Allows a channelized T1 or El line to be divided into groups isdn fractional Allows an ISDN PRI line to be divided into groups inband Sets the channelized T1 or EI line for inband signaling You use the fractional keyword in this command to break up a channelize
448. ting the idle time to 1 second turns off the idle timer after the user logs in have modem control turned on with the set 0 cd on command Ports that are in the command state with an administrator logged on are not timed out with the special value of 1 second In ComOS releases earlier than 3 5 the idle time special value is 1 minute Note The idle time special value of 1 second applies only to asynchronous ports that hen You can set the idle time of all the ports simultaneously by using the set all idletime command Configuring an Asynchronous Port 5 7 Configuring a PortMaster for Login Users To enable the idle timer and set a timeout value use the following command Command set SO all idletime Number minutes seconds To disable the idle timer set it to 0 Configuring a PortMaster for Login Users A PortMaster can be configured to allow dial in users to log in to a specified host This configuration is called user login In user login mode the user is prompted for his or her login name after the attached modem answers and completes rate negotiation Once the user is identified as a valid user through the user table or RADIUS security a login session is established on the host specified for the asynchronous port Figure 5 1 User Login Configuration serial cap a connection L user susan idi oO PortMaster ho
449. tio in this example the netmask 27 provides 30 hosts while the netmask 28 provides 14 hosts might be extreme in most cases You must also configure a user location or port for this map See Configuring Ports Locations and Users for NAT on page 13 18 Configuring Static Address Pools for Outbound NAT For outbound NAT you can create an address map that statically maps the private addresses of hosts on an internal network to a pool of global IP addresses After you create a NAT map using the add map command you use the set map Mapname staticaddressmap Ipaddrxfrom Ipaddrxto command to set the map as static and define the private address range and the pool of global addresses to which private addresses are translated Configuring NAT 13 7 NAT Addressing For example to create one to one mappings for hosts on a private network with IP addresses in the range 10 1 1 0 24 to global IP addresses in the range 192 168 65 0 24 enter the following command Command gt set map Mapname 1 staticaddressmap 10 1 1 0 24 192 168 65 0 24 With this mapping the host with private IP address 10 1 1 1 is translated to global IP address 192 168 65 1 10 1 1 2 is translated to global IP address 192 168 65 2 and so on When configuring static address maps make sure that the number of global IP addresses in the pool is equal to the number of private IP addresses Configuring Static Address Pools for Inbound NAT If you want to allow inbound
450. tion Guide Using ISDN for Internet Connections Table 18 6 Description of Internet Filter Continued Rule Description 6 Permits an FIP data channel back to outgoing FIP requests 7 Permits the Domain Name Service DNS 8 Permits DNS zone transfers You might want to restrict this rule to allow only connections to your name servers 9 Permits ICMP packets If your domain name server is outside your local network refer to Input and Output Filters for FIP Packets on page 12 11 Using ISDN for Internet Connections Using the ISDN port on a PortMaster is very similar to using the serial port except that you must do the following Configure the ISDN switch type as a global setting Set the SPID on the port Do not set the port speed flow control or modem control Set the telephone number with the set location telephone command Set the username with the set location username command Set the password with the set location password command For more information see Chapter 10 Using ISDN BRI and Chapter 8 Configuring Dial Out Connections See also Chapter 11 Configuring the PortMaster 3 Using Internet Connections 18 11 Using ISDN for Internet Connections 18 12 PortMaster Configuration Guide Providing User Dial In Access 19 This chapter uses an example to demonstrate how to configure a PortMaster for remote dial in access to local hosts and networks Although the e
451. tly connected To reset the port on which the NAT map has been configured enter the following command Command reset S0O W1 Note You must reset the port whenever you add delete or modify a map You then connect as you would normally If myisp is a dial on demand location for which you are configuring NAT for the first time you must also either reboot the router or enter the following commands Command set location myisp maxports 0 Command set location myisp manual Command reset dialer PortMaster Configuration Guide NAT and NAPT Examples Command gt set location myisp on demand Command gt set location myisp maxports 1 Command gt reset dialer With the defaultnapt configuration the addresses of all hosts behind the PortMaster are translated to the IP address of the interface that is assigned to the location see Using the Default NAPT Map on page 13 16 If the hosts behind the PortMaster have not yet been configured with IP addresses see Private and Global Addressing on page 13 2 Setting Up a Dial Out Location Using defaultnapt In this example Figure 13 5 location corporate power is configured on a PortMaster for user tesla to dial in to the corporate network s PortMaster 3 192 168 2 5 The PortMaster 3 has one IP address dynamically assigned for the PortMaster of user tesla in a NAPT configuration Everything behind this PortMaster is subject to NAPT Figure 13 5 Dial Up Using NAPT
452. to off USERNAME status indicates that the login prompt has been sent to the port and should be displayed on the terminal The PortMaster is waiting for a login request The host prompt has been sent to the port The PortMaster is waiting for a reply The Password prompt has been sent to the port The PortMaster is waiting for a reply A network connection is attempting to become established on the port A connection is active on the port The connection has just ended and the port is returning to the IDLE state The modem attached to the port is being initialized by the modem table The command line interface or PMVision GUI is being used on the port An ISDN port is not receiving service from the telephone company PortMaster Configuration Guide Configuring Global Settings 3 This chapter describes how to configure settings that the PortMaster uses across all its ports and interfaces This chapter discusses the following topics Setting the System Name on page 3 2 Setting the Administrative Password on page 3 2 Setting the Default Route Gateway on page 3 2 Configuring Default Routing on page 3 3 Configuring Name Resolution on page 3 4 Setting the Telnet Port on page 3 5 Setting the Number of Management Application Connections on page 3 6 Setting System Logging on page 3 6 Setting Administrative Logins to Serial Ports on page 3 9 Configuring an
453. ton rip on MTU set user boston mtu 1500 No compression is used on synchronous lines After you configure user table settings as shown in Table 16 9 enter the following command to save the configuration Command save all For more information about configuring user table parameters refer to Chapter 7 Configuring Dial In Users 16 10 PortMaster Configuration Guide Configuration Steps for a Synchronous V 25bis Connection Configuring a Dial Out Location A location entry on the PortMaster in Miami must be created for the location identified as boston This allows the PortMaster router in Miami to call the PortMaster router in Boston when network traffic is queued The new location boston should be configured on the PortMaster in Miami with the values shown in Table 16 10 Table 16 10 Location Table Values Parameter Command Location name add location boston Type set location boston manual Set the location for manual dialing until after the configuration has been tested Once the configuration is verified change the connection type to on demand Protocol set location boston protocol ppp IP destination set location boston destination 192 168 200 1 Netmask set location boston netmask 255 255 255 0 IPX network set location boston ipxnet F3 RIP routing set location boston rip on MTU set location boston mtu 1500 Idle timer set location boston idletime 5 Dial group set location boston group 1 Userna
454. tries for each defined dial in user along with the characteristics for the user The user table provides login security for users to establish login sessions or network dial in connections If you want to allow a network dial in connection from another router the router must have an entry in the user table or in RADIUS PortMaster products allow you to configure two types of users network users and login users Network Users Network users dial in to an asynchronous serial synchronous serial or ISDN port on the PortMaster A connection is established as soon as the user logs in A PPP or SLIP on asynchronous ports session is started This type of connection can be used for dial in users or for other routers that need to access and transfer data from the network Define this type of user when network packets must be sent through the connection Login Users Login users are allowed to establish PortMaster in pmd rlogin telnet or netdata TCP clear connections through an asynchronous serial or ISDN port A connection is established to the specified host as soon as the user logs in This type of connection is useful for users who need to access an account on a host running TCP IP Configuring Dial In Users 7 3 Configuring Settings for Network and Login Users Configuring Settings for Network and Login Users The following settings can be configured for either network or login users Setting a Password To set a password for
455. ts use NAT processing Configuring NAT 13 17 Configuring Ports Locations and Users for NAT Using TCP UDP Maps The Portname variable in the set map command can be a port name or a decimal value between 1 and 65535 Table 13 1 lists common TCP UDP port names and associated decimal values See Appendix B TCP and UDP Ports and Services for a complete list of well known services Table 13 1 TCP UDP Ports Port Name Decimal Value Telnet TCP 23 FIP TCP 20 21 TFTP UDP 69 HTTP TCP 80 DNS TCP UDP 53 SMTP TCP 25 RADIUS UDP 1645 By using the Ipaddrxfrom Tport1 Portname Ipaddrxto Tport2 Portname syntax you can define ports or a range of ports for a static map This approach obviates the need to set up a number of map rules For example you can statically map an internal web server with private IP address 10 1 1 10 to global IP address 192 168 1 10 in either of the following ways Command gt set map Mapname static tcp udp portmap 192 168 1 10 http 10 1 1 10 http Command gt set map Mapname static tcp udp portmap 192 168 1 10 80 10 1 1 10 80 Configuring Ports Locations and Users for NAT When you apply NAT to a port location or user think of NAT as just another parameter to the set command 13 18 PortMaster Configuration Guide Configuring Ports Locations and Users for NAT NAT parameters that must be preceded with set Ether0 S0 WI nat set location Locname nat or set user Use
456. twork For example if Network 1 trusts Network 2 and Network 2 trusts Network 3 then Network 1 trusts Network 3 Caution Beware of associative trust If you allow a network complete access to your Restrictive Internet Filter This example filter allows any kind of outgoing connection from the server but blocks all incoming traffic to any host except your designated Internet server This filter also limits incoming traffic on your Internet server to SMTP Network News Transfer Protocol NNTP DNS FIP and ICMP services Note Even if you have the latest versions of the daemons ftpd httpd and sendmail fan you might be vulnerable to attacks through these services Check the latest CERT Coordination Center advisories available on ftp cert org for the vulnerabilities of these services Command gt set filter restrict in 1 deny 192 168 1 0 24 0 0 0 0 0 log Command gt set filter restrict in 2 permit 0 0 0 0 0 10 0 0 3 32 tcp estab Command gt set filter restrict in 3 permit 0 0 0 0 0 10 0 0 3 32 tcp dst eq 21 Command gt set filter restrict in 4 permit 0 0 0 0 0 10 0 0 3 32 tcp src eq 20 dst gt 1023 Command gt set filter restrict in 5 permit 0 0 0 0 0 10 0 0 3 32 tcp dst eq 119 Command gt set filter restrict in 6 permit 0 0 0 0 0 10 0 0 3 32 tcp dst eq 25 Command gt set filter restrict in 7 permit 0 0 0 0 0 10 0 0 3 32 tcp dst eq 80 Command gt set filter restrict in 8 permit 0 0 0 0 0 10 0 0 3 32 udp dst eq 53 Command gt set filt
457. twork ISDN provides fast dial up connectivity for applications where the expense of a dedicated Frame Relay or leased line connection is not appropriate for the amount and nature of the traffic For more information about ISDN Basic Rate Interface BRI connections see Chapter 10 Using ISDN BRI For information about ISDN Primary Rate Interface PRI connections see Chapter 11 Configuring the PortMaster 3 PortMaster Configuration Guide Synchronous Port Uses Figure 6 1 workstation 1 O AVULEELLLMLHLEELLLLLL OUTTA IRX Router IRX Router CSU DSU Synchronous WAN Connection Bangkok workstation 2 workstation 3 New York C CSU DSU IRX Router workstation 2 IRX Router workstation 3 11820004 Once you have determined the type of synchronous connection to use between your remote locations the synchronous port on each end of the connection must be configured Configuring a Synchronous WAN Port 6 3 Configuring WAN Port Settings Configuring WAN Port Settings 6 4 The WAN port settings described in this section enable you to configure your synchronous port for you needs General Synchronous Settings on page 6 4 includes settings that are available for all connection types The settings in Settings for Hardwired Connections on page 6 7 are available only for network hardwired connection
458. tworthy 1 addrmap 10 0 0 0 8 ipaddr Note that rule 2 has now become rule 1 To add the address map 172 16 0 0 12 ipaddr to trustworthy enter the following command Command set map trustworthy 2 172 16 0 0 12 ipaddr 13 14 PortMaster Configuration Guide NAT Maps Note that what was originally rule 2 now becomes rule 1 Command gt show map trustworthy 1 addrmap 10 0 0 0 8 ipaddr 2 addrmap 172 16 0 0 12 ipaddr Note To more easily reassign rule numbers to maps and reorganize rule priority use an PMVision To delete a map use the following command Command gt delete map Mapname Using the ipaddr Macro The ipaddr macro causes ComOS to use the IP address assigned to the port for which the address map is being used If you want to use the address map for outbound sessions or outbound outsource sessions you can set the Ipaddrxto argument for the set map addressmap command to the special macro ipaddr For example to use the special macro ipaddr enter the following command Command set map addressmap 1 0 0 0 0 0 Gipaddr log The resulting map is equivalent to the defaultnapt map You can also use the ipaddr macro to statically map a global address to a TCP or UDP port service such as FIP or SMTP With that usage you must specify an IP address For example to use the special macro ipaddr to add a rule to a map for FIP service at host address 10 1 1 1 enter the following command Command set map
459. u are using for dial in on the first PortMaster plus its attached modem Configuring Ethernet Port Settings Set the Ethernet port on the first PortMaster to the values shown in Table 19 3 Table 19 3 Ethernet Values Setting Command IP address set ether0 address 192 168 1 16 Netmask set ether netmask 255 255 255 0 Broadcast address set ether0 broadcast high RIP routing set ether0 rip on After you configure the Ethernet interface as shown in Table 19 3 enter the following command to save the configuration Command save all For more information on Ethernet settings refer to Chapter 4 Configuring the Ethernet Interface Configuring Serial Modem Port Settings The serial modem ports are designated SO through S29 on the PortMaster Use the set all command to set the same values for each serial port The port values shown in Table 19 4 can be set on all asynchronous ports on the first PortMaster Use the modem 19 6 PortMaster Configuration Guide Configuration Steps for Dial In Access table described in Chapter 9 Using Modems to configure the attached modems or set each port as a host device as described in Chapter 20 Accessing Shared Devices and configure each modem individually instructs otherwise On V 32bis modems lock the DTE rate at 57600bps Use the fastest Note On V 34 modems lock the DTE rate at 115200bps unless your modem manual n DTE interface speed supported by you
460. ues Continued Setting Command Password set location isp password passwd This value is provided by your ISP Maximum ports set location isp maxports 1 Note Configuring the maximum ports setting to a value higher than 0 causes the PortMaster to dial out to a continuous location or become available for dial out to an on demand location By configuring the maximum ports setting last you ensure that the PortMaster will not attempt to make a connection with a location until you have configured all the settings for that location You can also authenticate using CHAP if it is supported by the ISP After configuring the location table settings enter the following command to save the configuration Command save all For more information about configuring locations see Chapter 8 Configuring Dial Out Connections Testing the Continuous Dial Out Setup 18 8 The configuration must be tested before the location isp1 is set for continuous dialing To test the configuration follow these steps l Enter the following commands to connect from your office to location isp Command set console Command set debug 0x51 Command dial ispl x 2 Monitor the dial and connect sequence between the two locations 3 If everything connects as expected reset the port turn off debugging and change the location type to continuous Command reset s1 Command set debug off Command set location ispi continuou
461. ult off System name set sysname sf ISDN switch set isdn switch ni l After you configure the global settings shown in Table 10 8 enter the following command to save the configuration Command save all For more information about global settings refer to Chapter 3 Configuring Global Settings Configuring Ethernet Interface Settings Configure the Ethernet settings to the values shown in Table 10 9 Table 10 9 Ethernet Values Setting Command Protocol set ether0 ipx enable IP address set ether0 address 192 168 100 1 Netmask set ether netmask 255 255 255 0 IPX network set ether0 ipxnet F2 IPX frame type set ether0 ipxframe ethernet 802 2 Broadcast address set ether0 broadcast high RIP routing set ether0 rip on 10 16 PortMaster Configuration Guide ISDN BRI Unnumbered IP Configuration Example Using ISDN BRI After you configure the Ethernet interface as shown in Table 10 9 enter the following command to save the configuration Command gt save all For more information on Ethernet settings refer to Chapter 4 Configuring the Ethernet Interface Configuring ISDN Port Settings Configure the ISDN port with the values shown in Table 10 10 for the example in this chapter This example assumes that the BRI used is port S1 S2 on a PortMaster ISDN Office Router OR U If your application uses ports 10 through S29 on a PortMaster 2E adjust these values accordingly Table 10 10 IS
462. um ports set location sf ipxnet F3 set location sf rip on set location sf mtu 1500 set location sf idletime 2 set location sf group 2 set location sf username sf set location sf telephone 5551212 set location sf password anypasswd set location sf high water 0 set location sf maxports 1 Note Configuring the maximum ports setting to a value higher than 0 causes the PortMaster to dial out to a continuous location or become available for dial out to an on demand location By configuring the maximum ports setting last you ensure that the PortMaster will not attempt to make a connection with a location until you have configured all the settings for that location After you configure location table settings as shown in Table 10 7 enter the following command to save the configuration Command save all For more information about configuring location table parameters refer to Chapter 8 Configuring Dial Out Connections Configuring the PortMaster in San Francisco The PortMaster in San Francisco is being configured for an ISDN dial up connection to the PortMaster in Denver Using ISDN BRI 10 15 ISDN BRI Unnumbered IP Configuration Example Configuring Global Settings Configure the global settings to the values shown in Table 10 8 Table 10 8 Global Values Setting Command IP gateway set gateway 192 168 1 2 This is the address of the next upstream router Default routing set defa
463. up an address map that dynamically maps a group of private hosts to a smaller group of global IP addresses as illustrated in Figure 13 10 add the following commands to the PortMaster configuration Command add map isp outmap Command set map isp outmap 1 addressmap 10 1 1 0 24 192 168 129 128 29 Command add location isp Command set location isp telephone 5551234 Command set location isp username dogheaven Command set location isp password k9 Command set location isp destination negotiated Command set location isp maxports 2 Command set location isp continuous Command set location isp local ip address assigned Command set location isp nat outmap isp outmap See Configuring Dynamic Address Pools for Outbound NAT on page 13 7 for more information Configuring NAT 13 41 Network Application Compatibility Dial Out Location Mixing Static and Dynamic Address Maps In this example a company Koolstuff receives the address block 192 198 130 0 24 from its ISP Because all workstations at Koolstuff do not need to access the Internet at the same time Koolstuff can use a dynamic address pool For security reasons however the company must give two of their trusted systems static IP addresses by adding rules to the address map In this configuration trusted hosts with private addresses 10 1 1 1 and 10 1 1 2 always map to global IP addresses 192 168 130 1 and 192 168 130 2 respectively This mapping is determined by
464. up of thousands of HTTP servers that enable text graphics and sound files to be mixed together and provided to users requesting access and download capability via connections to the Internet WWW See World Wide Web Glossary 77 Glossary Glossary 78 PortMaster Configuration Guide Command Index A add dlci 15 15 add dlci W1 15 9 15 11 add filter 12 5 add location 8 3 10 14 10 19 15 15 16 6 16 11 17 7 17 11 18 7 add location subinterface 15 13 add map 13 5 13 12 add modem 9 3 add netmask 3 25 add netuser 7 2 10 13 10 18 16 5 16 10 17 6 17 10 19 10 add route Ipaddress 3 21 add route Ipxnetwork 3 22 add subinterface 4 7 add user 7 2 19 9 C create I2tp tunnel udp 14 12 D delete filter 12 8 delete map 13 15 delete route Ipaddress 3 22 delete route Ipxnetwork 3 22 delete user 7 3 dial 8 14 10 20 16 12 16 13 17 12 18 8 M monitoring NAT 13 44 R reboot 11 16 reset 6 7 reset all 9 6 reset console 10 20 10 21 10 22 11 21 15 12 15 14 16 12 16 13 21 8 reset I2tp 14 13 reset nat 13 6 reset SO 5 9 5 21 5 25 9 6 10 13 10 20 reset VO 11 20 reset W1 6 11 S save all 5 9 5 13 5 16 5 19 5 21 5 25 6 11 10 5 10 6 11 16 15 15 save map 13 6 save route 3 22 set accounting 19 8 set all 19 6 set all cd 19 7 set all databits 5 4 set all idletime 5 8 set all login 5 9 set all login network dialin 19 7 set all modem 9 6 19 7 set all
465. ure NFAS on one PortMaster 3 TI interface the other T1 interface cannot run in standard PRI mode NFAS without a Backup D Channel Because the PortMaster 3 has two TI interfaces you can run full NFAS on a single PortMaster 3 by configuring one interface as the primary and the other as the secondary You gain no bandwidth with this configuration however because the D channel on each interface is still required for signaling even though one of the D channels remains in standby mode PortMaster Configuration Guide Using Non Facility Associated Signaling NFAS If you do not configure a backup D channel and use a single D channel marked primary you gain one B channel the drawback is that if the primary interface fails you have no backup D channel and no calls are possible on the PortMaster 3 until the primary interface reactivates A single D channel can be an acceptable solution if you have only one PortMaster 3 available If two or more PortMaster 3s are available a backup D channel on a PortMaster other than the one configured with the primary interface is recommended Configuring NFAS Use the following command to configure NFAS Command set LineO nfas pri sec sla dis Identifier Group You must reboot the PortMaster for the configuration to take effect Configure each interface on each PortMaster Displaying Information About NFAS Configurations Use the following command to display NFAS parameters on an interface Comma
466. ust create a location entry on the PortMaster Office Router in the London office for the Paris office This entry allows the Office Router in the London office to call the PortMaster 2 in the Paris office when network traffic is queued The new location paris must be configured with the values shown in Table 17 5 Table 17 5 Location Table Values Setting Command Location name add location paris Type set location paris manual Protocol set location paris protocol ppp IP destination set location paris destination 192 168 1 1 Netmask set location paris netmask 255 255 255 0 IPX network set location paris ipxnet F2 RIP routing set location paris rip on MTU set location paris mtu 1500 Compression set location paris compression on Idle timer set location paris idletime 5 High water mark set location paris high_water 0 Dial group set location paris group 1 Telephone set location paris telephone 5551212 Username set location paris username London Password set location paris password anypasswd Maximum ports set location paris maxports 1 PortMaster to dial out to a continuous location or become available for dial out to an on demand location By configuring the maximum ports setting last you ensure that the PortMaster will not attempt to make a connection with a location until you have configured all the settings for that location Note Configuring the maximum ports setting to a value higher than 0 causes the Using Offi
467. vice Login Service Function portmaster rlogin telnet PortMaster is the default login service and can be used to access any host that has the PortMaster in pmd daemon installed This type of login service is preferred because it makes the PortMaster port operate like a serial port attached to the host This service is the most cost effective in terms of host resources The remote login service rlogin uses the rlogin protocol to establish a login session to the specified host Generally rlogin is used on mixed UNIX networks where the PortMaster login service is impractical to use Telnet is supported on most TCP IP hosts This login service should be selected when the PortMaster and rlogin protocols are not available The default port number is 23 but you can enter another number 7 12 PortMaster Configuration Guide Configuring Login Users Table 7 5 Types of Login Service Continued Login Service Function netdata The netdata login service creates a virtual connection between the PortMaster port and another serial port on another PortMaster or between the PortMaster port and a host This login service creates a clear channel TCP connection To connect to another PortMaster port using netdata you must configure that port as dev network with the netdata device service and the same TCP port number The default netdata port is 6000 however you can specify any TCP port number between 1
468. vice profile identifier SPID is a unique number assigned by the telephone company that identifies your ISDN equipment to the telephone company s switch SPIDs are used with BRI ports only and only in the United States A SPID can have up to 20 digits If you are connecting to a 5ESS point to point switch a SPID is not required To set the SPID and save the configuration to nonvolatile RAM use the following commands Command set S10 spid Number Command gt save all The set debug isdn on command shows any invalid SPIDs Using ISDN BRI 10 5 Configuring ISDN 10 6 Terminal Identifier TID for ISDN BRI The terminal identifier TID is a numeric value used by some telephone switches for additional identification Some telephone companies require the SPID while others require a TID as well When configuring the PortMaster append the TID to the SPID if required by your carrier Directory Number The optional directory number is a 10 digit phone number provided by the telephone company If it is set an incoming call must match this number to determine which port the call should be taken on Use either of the following commands to set the directory number Command set S10 dn Number Command set S10 directory Number Enter the following command to save the configuration to nonvolatile RAM Command save all Information Elements IEs Number plan and number type are values that relate to attributes asso
469. vices connected directly to the PortMaster If the network host is running the PortMaster in pmd daemon a PortMaster Configuration Guide General Asynchronous Port Settings connection can be established to a specified port on the PortMaster Once the connection is established the connected device such as a printer or modem can be accessed as if it were connected directly to the host Ports can also be configured for access to programs via TCP IP sockets or by Telnet from the network Chapter 20 Accessing Shared Devices gives an example of sharing devices across a network General Asynchronous Port Settings Certain settings must be configured for every asynchronous port regardless of the port type and configuration you select Overriding Certain Port Settings If you configure a port as a host device you can specify that the host device can override certain port settings This feature allows the host running in pmd to alter the active parameters through software control by using operating system I O calls ioctl calls in UNIX The settings that the host can override are speed parity databits and flow control These settings can be changed by the host using an ioctl system call All overrides are turned off by default If you want to allow a host to override a port setting turn override for the parameter on You can override the settings for all asynchronous commands by using the set all override command To tu
470. vides the physical connection usually a modem or ISDN port between the dial in user and the outsourcer On a PortMaster 4 a LAC can be a single line board or the entire device See also LNS outsourcer Local area network A local collection usually within a single building or several buildings of PCs and other devices connected by cable to a common transmission medium allowing users to share resources and exchange files Compare WAN 1 The delay between the time a device requests access to a network and the time it is granted permission to transmit 2 The delay between the time when a device receives a frame and the time that frame is forwarded out the destination port Layer 2 Forwarding See L2F Layer 2 Tunneling Protocol LCP LDAP See L2TP Link Control Protocol The protocol used by the Point to Point Protocol PPP for establishing configuring and testing the data link connection Lightweight Directory Access Protocol A proposed open standard for directory services that enables anyone to locate organizations individuals and other resources such as files and devices in a network whether on the Internet or on a corporate intranet Endorsed by more than 40 companies LDAP allows corporate directory entries to be arranged in a hierarchical structure that reflects geographical and organizational boundaries rather than according to arbitrary codes LDAP is based on the standards contained within the X 500 standard but i
471. wing command to set the maximum number of network dial out ports for this user Command gt set user Username maxports Number 4 Set the protocol User the following command to set the transport protocol for this user Command set user Username protocol slip ppp x75 sync 5 Set the destination address Use the following command to set the IP address of the user Command set user Username address Ipaddress 6 Set the local IP address Use the following command to set the local IP address on the PortMaster that the user dials in to Command set user Username local ip address Ipaddress 7 Associate the user with a NAT map Use the following command to associate the user with a NAT map Command set user Username nat inmap outmap defaultnapt Mapname 8 Set the idle time for a NAT session Use the following command to set the maximum idle time for a NAT session Command set nat Ether0 SO W1 sessiontimeout Configuring NAT 13 23 Configuring Outsource NAT 9 Set the default action that the PortMaster takes in the event that a request for a NAT session is refused Use the following command to specify the action the PortMaster takes when a session is refused Command set nat Ether0 SO W1 session direction fail action drop icmpreject passthrough Configuring Outsource NAT In an outsource NAT configuration address translation is done on a PortMaster typically at an ISP for clients who do not have the capability to run
472. xample shows how Internet service providers ISPs can provide dial in access to their users this application can be used by academic environments corporate telecommuters or anyone else needing remote access to a host or network In this example multiple asynchronous ports are configured with modems for answering incoming calls from users who then access a networked host connected via Ethernet to a PortMaster 2E Communications Server The following topics are described e Overview of Dial In Configuration on page 19 1 e Configuration Steps for Dial In Access on page 19 4 See the PortMaster Command Line Reference for more detailed command descriptions and instructions Overview of Dial In Configuration The PortMaster configuration described in this example Figure 19 1 allows up to seven 30 port PortMaster Communications Servers to be connected together to provide up to 210 dial in asynchronous ports The PortMaster Communications Server allows dial in users to access a host for shell accounts and or PPP SLIP or Compressed SLIP CSLIP connections ISPs can use this example to configure their PortMaster products to allow dial in users to access hosts and networks The number of ports used is a function of the number of expected subscribers One port per 10 subscribers is the typical ratio but peak usage and average usage per port must be monitored closely to determine the need for additional ports RADIUS accounting can help
473. y DSR signal Note When the console port is connected to a terminal it uses software flow control and therefore requires pins 2 3 and 7 only Null modem cables can be obtained from most suppliers of computer equipment 9 Modem Functions Dial up modems that operate over normal telephone lines at speeds of 28 800bps or higher are now available These modems do not operate at a guaranteed throughput but rather at a speed dependent on the quality of the line the effectiveness of data compression and other variables These modems use hardware flow control to stop the data from the host by raising and lowering the Clear to Send CTS signal PortMaster products support hardware flow control using the RTS output signal and the CTS input signal which is also used by the normal modem handshake Modem Functions Configure a modem to do the following for use with the PortMaster e Raise DCD when a call comes in e Reset itself when DTR is dropped e Lock the DTE speed e Use hardware flow control RTS CTS Using Automatic Modem Configuration PortMaster products use a modem table to automate the modem configuration process The modem table is user configurable and includes long and short modem names preferred DTE rate and the modem initialization string For convenience the table is preconfigured by Lucent for many common modems When you specify the name of the modem and the attached port the PortMaster automatically con
474. y allows only authorized SNMP managers to access or change sensitive MIB information You can also specify a list of hosts allowed to read or write SNMP information You can permit all hosts or you can deny all hosts Note Permitting all hosts to read and write SNMP information can compromise by security and is not recommended To add SNMP read and write hosts use the following command Command add snmphost reader writer any none Ipaddress To delete read and write hosts use the following command Command delete snmphost reader writer Ipaddress Viewing SNMP Settings Settings for SNMP monitoring read and write community strings and read and write hosts are stored in the SNMP table To display the SNMP table enter the following command Command show table snmp Configuring Global Settings 3 19 Displaying the Routing Table Monitoring SNMP Alarms When an interface or modem fails the SNMP agent traps the error message generated by the failure and sends it to the SNMP Manager To view the status of failed modems or interfaces from the command line interface enter the following command Command gt show alarms The output of this command lists alarm messages and associated alarm identification numbers For details about a specific alarm enter the following command Command show alarms Alarm id To clear alarms from the SNMP alarm table enter the following command Command clear alarms Alarm id all
475. you can set up users so that they connect directly to a specified host without receiving a login prompt When you set String to a username with the set autolog command the PortMaster product automatically substitutes that username for the login prompt and starts the host session PortMaster Configuration Guide General Asynchronous Port Settings To enable automatic login for a particular user on a particular port use the following command Command gt set SO username autolog String Setting a Port as the Console You can set any asynchronous port to be the console for administrative functions such as configuring the PortMaster The set console command takes effect immediately If you use the save console command the port remains the console even after the current session is ended To set a port as the console port use the following command Command set console S0 Setting the Port Idle Timer The idle timer is used to control how long the PortMaster waits after activity stops on a port before disconnecting a dial in connection and how long the PortMaster waits for a response to a login password or host prompt You can set the idle time in seconds or minutes to any value from 0 to 240 The default setting is 0 minutes If set to the special value of 1 second a dial in user has 5 minutes to respond to a login password or host prompt If the user does not respond the port resets making it available to another user Set
476. you configure the user table as shown in Table 10 11 enter the following command to save the configuration Command gt save all For more information about configuring user table parameters refer to Chapter 7 Configuring Dial In Users 10 18 PortMaster Configuration Guide ISDN BRI Unnumbered IP Configuration Example Configuring a Dial Out Location A location entry on the PortMaster in San Francisco must be created for the location identified as denver This allows the PortMaster router in San Francisco to call the PortMaster in Denver when network traffic is queued The new location denver should be configured with the values shown in Table 10 12 Table 10 12 Location Table Values Setting Command Location name add location denver Type set location denver manual Set the location for manual dialing until after the configuration has been tested Once the configuration is verified change the connection type to on demand Protocol set location denver protocol ppp IP destination Netmask IPX network RIP routing set location denver destination 192 168 200 1 set location denver netmask 255 255 255 0 set location denver ipxnet F3 set location denver rip on MTU set location denver mtu 1500 Idle timer set location denver idletime 2 Dial group set location denver group 2 Username set location denver username sf Telephone number Password High water mark Maximum ports set location denver te
477. you to evaluate port usage See the RADIUS for UNIX Administrator s Guide for more information 19 1 Overview of Dial In Configuration 19 2 The same application can be used by companies to allow remote users to access their own accounts on the corporate network Once the PortMaster authenticates users they can access network resources as if they were connected to the corporate network directly Although this example uses seven PortMaster 2E Communications Servers many more can be used With more than seven PortMaster Communications Servers the configuration is the same except that the assigned pools must be arranged differently Figure 19 1 Dial In User Configuration dial in connection Internet MENEN oO PortMaster PortMaster 2E IRX Router O IRX Router i i i i i i i i i i i i i AIIEILHALLLELLTALLLLELLHTLLALLLTELTHTELLE OE host computer workstation 1 workstation 2 11820011 PortMaster Configuration Guide Overview of Dial In Configuration Example Configuration The example described in this chapter uses the values shown in Table 19 1 Change variable values to values that reflect your network Table 19 1 Example Configuration Variables Variable Description Value Address type Network IP address IP address and name of router connecting to the Intern
Download Pdf Manuals
Related Search
Related Contents
Instruction Sheet Product Owner`s Manual Zanussi DP500 Use & Care Manual Samsung Galaxy Note 2014 Edition (10.1, LTE) Priručnik za korisnike(Kitkat) ICC IC107DI4WH Franklin Sports 5650 Models 1860, 1862, 1862E, 1864 PowerLuber 964 Carrera 4 - Speed Star Spécialiste Porsche Occasion Paris PDF KNOPPIX HACKS- https://telegra.ph/DC-Voltage-Drop-Calculator-bca89720-11-16
- https://telegra.ph/Wire-Size-Calculator-From-Voltage-Drop-89f74388-11-16
- https://telegra.ph/Calculate-Length-from-Voltage-Drop-8b532014-11-16
- https://telegra.ph/DC-Voltage-Drop-Calculator-459327ae-11-16
- https://telegra.ph/Footer-Concrete-Volume-Calculator-46d8ad20-11-17
- https://telegra.ph/Concrete-Volume-Calculator-for-Curbs-Gutters-82f4a7b8-11-13
- https://telegra.ph/round-bar-weight-calculator-6babe908-11-07
- https://telegra.ph/AC-Single-phase-Voltage-Drop-Calculator-8608122c-11-18
- https://telegra.ph/DC-Voltage-Drop-Calculator-495f0bb0-11-18
- https://telegra.ph/Calculate-Length-from-Voltage-Drop-a3a0dd1c-11-18