3Com 3C421600A Management Manual

Other manuals for 3C421600A: Installation Manual, Quick Setup Manual, Reference Manual, Release Note

Manual is about: SuperStack II Remote Access System

Page of 300

Download

Print this page

Bookmark us

http://www.3com.com/

SuperStack

Remote Access System 1500

System Management Guide

Release 2.0

Part No. 1.024.1797 Rev 2.00

December, 1999

1 2 3 4 5 6 7 Next › »

Summary of 3C421600A

Page 1
® http://www.3com.Com/ superstack ® ii remote access system 1500 system management guide release 2.0 part no. 1.024.1797 rev 2.00 december, 1999.
Page 2
3com corporation 5400 bayfront plaza santa clara, california 95052-8145 copyright © 1999, 3com corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) withou...
Page 3: Ontents
C ontents a bout t his g uide finding specific information in this guide 13 conventions 14 related documentation 15 year 2000 compliance 16 1 o verview overview 18 basic configuration 18 port expansion module configuration 18 primary access unit 18 applications 18 dial-in 18 shared isp 19 lan-to-lan...
Page 4: Ras 1500
Configuration with the cli 25 step one: power on the ras 1500 25 step two: configure the ras 1500 basics 25 step three: configure ip 26 step four: configure ipx 27 step five: configure dns - optional 30 step six: configure snmp - optional 31 step seven: save your work 31 64 character limit 32 config...
Page 5
Dialout ip verses telnet 49 before you begin 50 required information 50 optional information 50 configuring your system for dialout/ip software 50 configure the ras 1500 51 configure client workstations 54 5 c onfiguring t elnet n etwork d ial -o ut overview 58 using telnet network dial-out 58 dialo...
Page 6: Lan-
Requirements 71 communications software 71 communication parameters 71 ip addresses 72 configuring ras 1500 72 ip address pool overview 72 step one: configure an ip address pool 73 step two: configure ip network users 74 step three: configure ppp parameters 76 step four: configure additional paramet...
Page 7: Ras 1500
Routing overview 93 ip routing overview 94 dynamic, static, and default routes 95 how the ras 1500 routes packets 95 establishing connections to remote gateways 96 spoofing 96 authentication 96 before you begin 97 required information 97 configuring lan-to-lan routing 98 step one: add the lan-to-lan...
Page 8: Cli/at
Configuring remote computers 119 setting communication parameters 120 configuring the ras 1500 login hosts 120 host name 120 address 120 preference 120 rlogin, telnet and cleartcp ports 121 configuring login users 121 case studies 124 case study a 124 case study b 126 10 a dvanced m odem c onfigurat...
Page 9: Ras 1500
Configuring 56 kbps technology 151 factory-enabled protocol 151 controlling server x2 151 disabling v.34 connections 152 configuring isdn 152 enabling x.75 152 frame size 152 window size 152 selecting frame and window size 152 relationships between frames and windows 153 viewing current frame and wi...
Page 10
12 u sing s ecurity and a ccounting authentication overview 177 local authentication 178 radius authentication 178 overview 178 radius authentication process 179 configuring radius authentication on the ras 1500 180 nos authentication 182 overview 182 nos authentication process 183 installation over...
Page 11
Monitoring and troubleshooting 211 show the settings at the interface level 211 show the settings at the pvc level 211 list pvc statistics 211 list the status of all frame relay pvcs 211 case study 211 goal 211 assumptions 211 strategies 211 14 h andling p acket f ilters filtering overview 218 filte...
Page 12: Ppp O
Filter examples 234 ip packet filter rule examples 234 ras 1500 global filtering 241 keywords 242 15 c onfiguring d ynamic h ost c onfiguration p rotocol overview 245 scenario 1 246 scenario 2 247 scenario 3 247 scenario 4 248 scenario 5 249 configuring the ras 1500 for dynamic host configuration pr...
Page 13: Gmt T
Goals 267 assumptions 267 process 267 disabling leased-line ppp on the ras 1500 270 viewing the status of the connection 270 troubleshooting 270 a gmt t ime z ones b t echnical specifications certification 279 united states 279 for more information 280 analog v.34 model: fcc part 68 compliance state...
Page 15: Bout
A bout t his g uide this guide describes how to configure the superstack ® ii remote access system (ras) 1500 with at commands and router commands. You can also configure the ras 1500 with the web configuration interface. See chapter 3 or web configuration online help for more information. If the in...
Page 16
14 a bout t his g uide conventions table 1 and table 2 list conventions that are used throughout this guide. Table 1 notice icons icon notice type description information note information that describes important features or instructions caution information that alerts you to potential loss of data ...
Page 17
Related documentation 15 related documentation the ras 1500 documentation set includes the following documents. All 3com documentation is available on the 3com web site: http://www.3com.Com ■ base unit memory upgrade superstack ® ii remote access system 1500 this document describes how to perform th...
Page 18
16 a bout t his g uide documentation. The release notes are enclosed in the ras 1500 package and are available at http://www.3com.Com/ras1500.Htm . ■ superstack ® ii remote access system 1500 quick setup guide this guide describes the installation and initial configuration of the ras 1500 system. ■ ...
Page 19: Verview
1 o verview this chapter contains the following information: ■ overview ■ applications ■ configuration options this guide provides the most commonly used command line interface (cli) parameters..
Page 20
18 c hapter 1: o verview overview the superstack ® ii remote access system (ras) 1500 is a powerful data communications platform that supports a broad variety of applications. Basic configuration the basic configuration of a ras 1500 consists of one router unit with the following options: ■ two basi...
Page 21
Applications 19 ■ serial line ip protocol (slip) ■ 3com fast connect protocol (fcp) the ras 1500 offers access extensive security, dial-back, and substantial configurability for dial-in network connections. Shared isp the ras 1500 can be configured for shared internet service provider (isp) access. ...
Page 22
20 c hapter 1: o verview comprehensive security options ras 1500 supports the following security options: firewall protection in the form of ip packet filtering in both the inbound and the outbound directions of ports, users, and dial-out locations. ■ remote authentication dial-in user service (radi...
Page 23: Sing
2 u sing the c ommand l ine i nterface this chapter contains the following information: ■ cli overview ■ obtaining registered ip addresses ■ accessing the cli ■ using cli quick setup ■ configuration with the cli ■ configuring a manage user ■ configuration with the cli ■ configuring expansion units ■...
Page 24
22 c hapter 2: u sing the c ommand l ine i nterface cli overview although 3com recommends using web configuration interface to configure the superstack ii remote access system (ras) 1500, you can use the ras 1500 command line interface (cli) to configure all ras 1500 parameters. You can also manage ...
Page 25
Obtaining registered ip addresses 23 obtaining registered ip addresses each computer or network that attaches to the internet must have a registered ip address. Obtain registered addresses from the internet network information center (internic) for ip machines and networks that are attached to the i...
Page 26
24 c hapter 2: u sing the c ommand l ine i nterface 9 on the port settings tab, click ok to return to the cli. 10 press enter. The ras 1500 displays the ras 1500> prompt. Ibm computer-compatible computers windows terminal (included with microsoft windows) and procomm plus are popular communications ...
Page 27
Configuration with the cli 25 configuration with the cli this section describes how to set up your ras 1500 with the full cli. To configure the ras 1500 with cli quick setup, see “using cli quick setup”. Step one: power on the ras 1500 to begin manual configuration, power on your ras 1500. After a f...
Page 28
26 c hapter 2: u sing the c ommand l ine i nterface step three: configure ip use the following steps to configure the ras 1500 interface (rm0/eth:1) for ip networks. The ip network information is required for proper operation. 1 enter ip networkinformation. The network address consists of the statio...
Page 29
Configuration with the cli 27 2 set a default gateway. Default gateways must be on the same subnet. You also need to supply a metric (hop count) for each type of default gateway. Possible values range from 1 (default) to 15. Since the actual metric of a default gateway is only one hop, the value ent...
Page 30
28 c hapter 2: u sing the c ommand l ine i nterface 3 type the following: config a display similar to the one shown below appears: file server name: usr_server_one ipx internal network number: 0000000a western digital star ethercard plus driver v2.05 (910424) hardware setting: i/o port 300h to 31fh,...
Page 31
Configuration with the cli 29 3 type the following: config the ras 1500 displays information similar to the display below: lan a configuration information: network address: [0788] [002608c0d53f4z] hardware type: [3com 3c505 etherlink plus (assy 2012 only) v2.30ec (880813)] hardware setting: irq=5, i...
Page 32
30 c hapter 2: u sing the c ommand l ine i nterface step five: configure dns - optional this section sets a domain name server (dns). If you do not wish to use dns, skip to “step six: configure snmp - optional”. 1 specify the ip address of the server you want to function as the dns server, which, wh...
Page 33
Configuration with the cli 31 step six: configure snmp - optional the following section configures snmp service. If you do not wish to set up snmp, skip to “step seven: save your work”. If you plan to use an snmp application to configure and manage the ras 1500, you must specify snmp community value...
Page 34
32 c hapter 2: u sing the c ommand l ine i nterface 64 character limit the cli has a 64 character limitation for each field. When you attempt to add more than three interfaces with the interface command, 3com recommends the following: 1 assign the first three interfaces. Add modem_group test interfa...
Page 35
Configuring specific modems 33 network example: add user predator type manage,network login example: add user predator type manage,login 2 save your work. Save all configuring specific modems when connected to the router unit console port, you can configure all devices in your stack with the cli. Ea...
Page 36
34 c hapter 2: u sing the c ommand l ine i nterface configuring expansion units the ras 1500 requires minimal configuration. However, several unique situations require additional port expansion unit or primary access unit configuration. Reconfiguring the private ip network the router unit that suppo...
Page 37
Configuring expansion units 35 replacing i/o modules in the port expansion unit the slot in each port expansion unit retains configurations of specific i/o modules that are installed. As a result, the port expansion unit uses the following rules when you replace i/o modules (analog modems, u interfa...
Page 38
36 c hapter 2: u sing the c ommand l ine i nterface configuring the wan interface protocols are set up over the wan by creating and editing a user profile. A user profile specifies the call type, protocols, addresses, and bandwidth management parameters that determine how you connect and communicate...
Page 39
Configuring static routes 37 example: add ip route 145.122.231.43/h gateway 145.122.232.28 metric 1 the list ip routes command displays all currently defined routes including the route just configured but only if you have specified a gateway. Static routes are installed but not visible via the list ...
Page 41: Based
3 w eb - based c onfiguration of the ras 1500 this chapter contains the following information about web-based configuration of the ras 1500: ■ overview ■ preparing the ras 1500 for web-based management ■ accessing the ras 1500 for web-based management ■ web-based management of the ras 1500 overview ...
Page 42
40 c hapter 3: w eb - based c onfiguration of the ras 1500 after you set up the ras 1500 using the setup wizard, use other web pages in the web configuration interface to configure the following: ■ basic system information, such as the ras 1500 name and location ■ date and time settings, including d...
Page 43
Preparing the ras 1500 for web-based management 41 preparing the ras 1500 for web-based management before you can manage a ras 1500 using the web management interface, the ras 1500 must have an ip address assigned to it. Out of the box, the ras 1500 does not have an ip address. This procedure lets y...
Page 44
42 c hapter 3: w eb - based c onfiguration of the ras 1500 figure 1 ras 1500 resource cd splash screen 2 at the ras 1500 setup screen, click configure ras 1500. The ip address configuration wizard appears as shown in figure 2. Figure 2 ip address configuration wizard 3 in the discovered mac address ...
Page 45
Accessing the ras 1500 for web-based management 43 accessing the ras 1500 for web-based management to access the ras 1500 web management interface, perform the following steps: 1 launch your preferred internet browser. To properly view the web management interface, your browser must meet the followi...
Page 46
44 c hapter 3: w eb - based c onfiguration of the ras 1500 figure 3 web configuration interface, initial screen b c a d e.
Page 47
Web-based management of the ras 1500 45 setup wizard the web configuration interface setup wizard allows you to quickly configure the ras 1500 for basic functionality. To launch the setup wizard, either click the “setup wizard” link in the text of the initial screen or click the “setup wizard” icon ...
Page 48
46 c hapter 3: w eb - based c onfiguration of the ras 1500 after entering admin and password , you are prompted to setup a manager user as shown in figure 5. Once this is done you may setup the ras 1500. Figure 5 setting manager user username and password configuration pages figure 6 shows a configu...
Page 49
Web-based management of the ras 1500 47 figure 6 web configuration interface, configuration page table 5 web management interface, configuration page callout description a configuration fields. B navigation buttons. B a.
Page 50
48 c hapter 3: w eb - based c onfiguration of the ras 1500 accessing help the web configuration interface offers three types of help: ■ status bar help. In a configuration page, place the cursor over a field label. Help text appears in the status bar of the browser. ■ field-specific help. In a confi...
Page 51: Onfiguring
4 c onfiguring d ial o ut /ip this chapter contains the following information: ■ overview ■ before you begin ■ configuring your system for dialout/ip software overview dialout/ip ™ allows computers connected to the local area network to access modems on the superstack ii remote access system (ras) 1...
Page 52
50 c hapter 4: c onfiguring d ial o ut /ip before you begin before you configure dialout/ip, you need to obtain some system information and confirm some basic configuration of the ras 1500 and the network computers. Required information the following information is required: ■ system name of the ras...
Page 53
Configuring your system for dialout/ip software 51 configure the ras 1500 complete the following steps to enable dial-out through the ras 1500. Unless otherwise noted, all of the commands in these steps are issued through the command-line interface (cli) of the ras 1500. Press the enter key to issue...
Page 54
52 c hapter 4: c onfiguring d ial o ut /ip the is the name to assign the network service, for example, dialout-service. The is the tcp port number where the service is accessible. Dialout/ip expects the tcp port number for the ras 1500 to be 6000 (and above). Therefore, 6000 is a logical value to us...
Page 55
Configuring your system for dialout/ip software 53 3 click ok. A telnet session starts. 4 in the telnet window, type at, then press enter. ■ if the response is “ok,” the port is configured correctly for dial-out using dialout/ip. ■ if the connection is unsuccessful, or if a “login” prompt appears, t...
Page 56
54 c hapter 4: c onfiguring d ial o ut /ip configure client workstations complete the following steps to install and configure dialout/ip software on each of the client workstations from which you plan to dial out. Step 1: install dialout/ip software 1 insert the resource cd into the workstation. 2 ...
Page 57
Configuring your system for dialout/ip software 55 5 in the presets drop-down list, select “3com ras-1500.” (you might need to scroll down the list.) the default tcp port number for the ras 1500, 6000, is entered in the port number text box. 6 in the ip address of server text box, type the ip addres...
Page 59: Onfiguring
5 c onfiguring t elnet n etwork d ial -o ut this chapter contains the following information: ■ overview ■ before you begin ■ configuring the ras 1500 ■ configuring network computers ■ dialing out from a network computer ■ case study.
Page 60
58 c hapter 5: c onfiguring t elnet n etwork d ial -o ut overview you can access modem ports on the superstack ii remote access system (ras) 1500 from computers on the network to provide dial-out services. Using telnet network dial-out network dial-out allows computers connected to the local area ne...
Page 61
Before you begin 59 dialout/ip versus telnet network computers communicate with the ras 1500 over the lan using either dialout/ip or telnet. A difference between dialout/ip network dial-out and telnet network dial-out is that dialout/ip supports windows dial-up networking, and telnet does not. So, i...
Page 62
60 c hapter 5: c onfiguring t elnet n etwork d ial -o ut optional information the following information is optional: ■ modem group name ■ modems to include in the modem group ■ idle timeout ■ recovery timeout ■ login banner ■ login prompt ras 1500 configuration before you begin, confirm the followin...
Page 63
Configuring the ras 1500 61 configuring the ras 1500 to configure the ras 1500 for telnet network dial-out service, follow these steps. Each of these steps is detailed in this section. ■ step one: add a system name ■ step two: add an ip network ■ step three: add a modem group (optional) ■ step four:...
Page 64
62 c hapter 5: c onfiguring t elnet n etwork d ial -o ut step two: add an ip network essentially, this step gives an ip address to the ras 1500, so it can be found on the lan. Use the following command: add ip network address example: add ip network ipnet address 192.112.227.115 step three: add a mo...
Page 65
Configuring the ras 1500 63 for example, to add a modem group called telnet_users with three modems assigned to it: add modem_group telnet_users interface rm0/slot:1/mod:1,rm0/slot:1/mod:2,rm0/slot:1/mod:3 after you create the modem group, you assign it to the dial-out service (in step four). The mo...
Page 66
64 c hapter 5: c onfiguring t elnet n etwork d ial -o ut example: add network service telnet_lab server_type telnetd socket 6666 data “service_type=dialout this example makes available modem ports assigned to the modem group telnet_users (modems 1-3). 2 confirm the dial-out service is enabled. Use t...
Page 67
Configuring the ras 1500 65 changing a dial-out service to change dial-out service settings: 1 disable the dial-out service. Disable network service 2 make the changes to the dial-out service. Set network service data all data parameters are lost when you issue the set network service command. So yo...
Page 68
66 c hapter 5: c onfiguring t elnet n etwork d ial -o ut example: add user gil password fish type dial_out set user gil modem_group telnet_users step six: save your work use the following command: save all configuring network computers confirm telnet is installed on each of the network computers (as...
Page 69
Dialing out from a network computer 67 dialing out from a network computer 1 from the windows 95 or nt desktop, click start, then run. The run dialog box appears. 2 in the open text box, enter the following: telnet example: telnet 192.112.227.115 6666 3 click ok. The telnet application is launched. ...
Page 70
68 c hapter 5: c onfiguring t elnet n etwork d ial -o ut add modem_group telnet_lan interface rm0/slot:1/mod:1,rm0/slot:1/mod:2 5 add a dial-out user named “eddie” with a password “panama.” use the following command: add user eddie password panama type dial_out 6 add a telnet network dial-out servic...
Page 71: Onfiguring
6 c onfiguring n etwork d ial -i n this chapter contains the following information: ■ overview ■ before you begin ■ configuring the remote computer ■ configuring ras 1500 ■ using callback and roaming callback ■ calling line identification callback ■ network callback user case study ■ network user ca...
Page 72
70 c hapter 6: c onfiguring n etwork d ial -i n overview superstack ii remote access system (ras) 1500 allows remote computer and macintosh users to dial in over isdn or analog lines and connect to the local network via novell ipx, internet protocol (ip), or appletalk. Using network dial-in use netw...
Page 73
Before you begin 71 before you begin before you begin configuring ras 1500 for network dial-in, follow all the configuration steps in the superstack ii remote access system getting started guide. Required information obtain the following information for network dial-in: ■ dial-in phone numbers ■ use...
Page 74
72 c hapter 6: c onfiguring n etwork d ial -i n ip addresses you may specify an ip address for your remote computer during the session. If ras 1500 is configured to negotiate an ip address with the remote computer, ras 1500 automatically detects this address. If the remote computer does not have an ...
Page 75
Configuring ras 1500 73 step one: configure an ip address pool use the following steps to configure an ip address pool: 1 designate an ip address pool name and initial pool address. Use the following command: add ip pool initial_pool_address example: add ip pool kurtspool initial_pool_address 172.32...
Page 76
74 c hapter 6: c onfiguring n etwork d ial -i n step two: configure ip network users a remote access user is as a network user. When you create a network user, the software builds a user profile that includes many default parameters. These defaults reflect most common types of user configurations. A...
Page 77
Configuring ras 1500 75 2 specify a remote address. If you want the remote ip address to be selected from a pool or negotiated, go to step 3. When adding a remote ip address, ras 1500 automatically chooses the specified address selection method, so you do not need to configure the parameter in the c...
Page 78
76 c hapter 6: c onfiguring n etwork d ial -i n step three: configure ppp parameters if your remote users connect using ppp, you can also define several optional ppp parameters that control how ras 1500 handles the remote access session. This section describes parameters that are applicable for netw...
Page 79
Configuring ras 1500 77 4 configure if ras 1500 uses the asynchronous control character map to filter incoming data. Use the following command: set network user ppp receive_acc_map [hex_number - array of 4 bits] example: set network user tom ppp receive_acc_map 0 5 configure if ras 1500 uses the asy...
Page 80
78 c hapter 6: c onfiguring n etwork d ial -i n save all step four: configure additional parameters you can configure several additional network user parameters. Use the following steps to configure additional parameters: 1 configure the maximum transmission unit (mtu). Mtu is the largest packet siz...
Page 81
Using callback and roaming callback 79 4 configure idle and session timeouts to limit a user’s time on the line or end a call after a specified idle period: set user idle_timeout session_timeout example: set user tom idle_timeout 60000 session_timeout 60000 5 save your work. Save all using callback ...
Page 82
80 c hapter 6: c onfiguring n etwork d ial -i n configuring a roaming callback user (dynamic) use the following steps to configure a roaming callback user: 1 add the roaming callback user. Add user [ username ] password [ password ] type network,callback 2 set the roaming callback user as “dynamic.”...
Page 83
Calling line identification callback 81 restrictions of clid callback: ■ clid callback only works with the ras 1500 for lan-to-lan connections. ■ clid callback does not provide “roaming” callback; ppp callback does. ■ the ras 1500 supports only clid callback for isdn users, not analog users. ■ the r...
Page 84
82 c hapter 6: c onfiguring n etwork d ial -i n call handling figure 9 details the clid callback/security process. Figure 9 clid callback process yes n o yes yes n o the ras 1500 drops the incoming call and prepares to dial back the user the ras 1500 waits the time specified in the callback delay se...
Page 85
Calling line identification callback 83 after the system determines whether the incoming call ani matches a user clid, the handling of an incoming call is determined by two settings: the status of clid security (a modem-level setting) and the incoming user type (a user-level setting). These two sett...
Page 86
84 c hapter 6: c onfiguring n etwork d ial -i n configuring clid callback for most clid-callback setups, three general steps must be completed to prepare the ras 1500: step one: add a clid user. Step two: configure the user clid-callback settings. Step three: configure clid security. Each of these s...
Page 87
Calling line identification callback 85 1 set the user clid numbers. Use the following command: set user [name] caller_id1 [number 1] caller_id2 [number 2] for example, set user schmidt caller_id1 8475552100 caller_id2 8475552101 the parameter caller_id2 is optional. Each clid number must be unique,...
Page 88
86 c hapter 6: c onfiguring n etwork d ial -i n set user default callback_delay [seconds of delay] clid callback and ppp callback use the same callback delay. Step three: configure clid security clid security provides an additional layer of security by rejecting calls from remote users whose ani doe...
Page 89
Calling line identification callback 87 troubleshooting clid callback follow this procedure to obtain more information from the ras 1500 about the clid-callback process: 1 set the log level of the ras 1500: set facility “call initiation process” loglevel verbose 2 enable clid security for one of the...
Page 90
88 c hapter 6: c onfiguring n etwork d ial -i n case study a small office satellite provides dial-up connections to its at-home workers using the ras1500. All the modems have clid security enabled, and the user records have the caller id fields set. This ensures the workers can dial in only from hom...
Page 91
Network user case study 89 5 save your work. Save all how it works gina dials in to ras 1500 using ppp (dial-up networking) with the username and phone number supplied by the administrator. After gina is authenticated, the call is disconnected and ras 1500 dials gina back at the phone or alternate p...
Page 92
90 c hapter 6: c onfiguring n etwork d ial -i n ■ all other settings remain at factory defaults. How to configure this user use the following commands to configure the user: 1 create a network user “bridgett” of the network user type . Use the following command: add user bridgett password 1234 type ...
Page 93: Lan-
7 lan- to -lan r outing this chapter contains the following information: ■ overview ■ before you begin ■ configuring lan-to-lan routing ■ lan-to-lan routing case study ■ configuring ip on demand this chapter assumes that all routing devices have been installed and that both local area networks (lans...
Page 94
92 c hapter 7: lan- to -lan r outing overview the superstack ii remote access system (ras) 1500 can perform ip routing with a remote ras 1500 or third-party router over analog or integrated services digital network (isdn) digital lines (figure 11). Figure 11 lan-to-lan routing with the ras 1500 the ...
Page 95
Overview 93 routing overview configuring a lan-to-lan routing connection is very similar to configuring a network user, with some additional dial-out and routing parameters such as: ■ types of lan-to-lan connection ■ routing configuration ■ dial-out scripts used to connect to the remote location ■ b...
Page 96
94 c hapter 7: lan- to -lan r outing dial-out scripts all dial-out users can have dial-out scripts defined in the user profile. The dial-out script can consist of up to six send/receive pairs. The script can contain at commands and other login commands needed to access the remote location. The comma...
Page 97
Overview 95 dynamic, static, and default routes you can configure the ras 1500 to use constantly updated routing tables (dynamic routes that use protocols such as ip ripv1 or ripv2) or to use only your pre-configured routing tables (static routes). Dynamic routes network devices running ripv1 or rip...
Page 98
96 c hapter 7: lan- to -lan r outing establishing connections to remote gateways the ras 1500 forwards a packet to a gateway for which there is an established connection, such as a gateway on the same segment of the local lan or at the other end of an active dial-up connection. All the ras 1500 does...
Page 99
Before you begin 97 chap authentication instead of actually sending a clear text password over the link, chap relies on a “shared secret,” a password that both sides of the connection know, but never send. When a remote system requests chap authentication, the authenticating host replies with a chal...
Page 100
98 c hapter 7: lan- to -lan r outing ■ local and remote lan ■ wan link between the two devices ■ telephone numbers of each side of the connection ■ usernames and passwords used to identify each side to the other configuring lan-to-lan routing connecting to a remote lan is similar to connecting to a ...
Page 103
Configuring lan-to-lan routing 101 example: set dial_out user main_office local_ip_address 123.123.123.5 site type on demand configure the local ip address if a you are going to use a numbered ip link. If you are using an unnumbered ip link, do not configure the local ip address. 2 (optional) set th...
Page 104
102 c hapter 7: lan- to -lan r outing step four: configure the user routing parameters use the following command to configure the user routing parameters: set network user ip_routing rip ■ set general ip routing parameters. Set network user ip_routing rip example: set network user main_office ip_rou...
Page 105
Configuring lan-to-lan routing 103 step five: configure the user ppp parameters use the following command to configure the user ppp parameters: set network user ppp compression_algorithm max_channels channel_expansion channel_decrement expansion_algorithm min_size_compression reset_mode_compression ...
Page 106
104 c hapter 7: lan- to -lan r outing the ppp channel_expansion and ppp channel_decrement parameters are associated with mlppp operation. When the utilization of the link reaches these values, either more links are made available (channel expansion) or links are removed (channel decrement). When mlp...
Page 107
Lan-to-lan routing case study 105 example: set user main_office phone_number 8715552020 alternate_phone_number 5088712022 step seven: configure authentication use the following command to configure authentication settings: set ppp receive_authentications set system transmit_authentication_name the p...
Page 108
106 c hapter 7: lan- to -lan r outing strategies the goals can be achieved in two ways: either a numbered ip link between the sites (see “strategy 1 (numbered link)”), or an unnumbered ip link between the sites (see“strategy 2 (unnumbered link)” on page 108). Strategy 1 (numbered link) configuring t...
Page 109
Lan-to-lan routing case study 107 6 configure the user ppp parameters. Set network user branch_office ppp max_channels 2 set network user branch_office ppp channel_expansion 60 channel_decrement 20 7 configure phone numbers. Set user branch_office phone_number 5085555555 8 configure authentication. ...
Page 110
108 c hapter 7: lan- to -lan r outing 7 configure phone numbers. Set user main _office phone_number 5085556666 8 configure authentication. Set ppp receive_authentication pap set system transmit_authentication_name branch_office 9 save your work. Save all strategy 2 (unnumbered link) configuring the ...
Page 111
Lan-to-lan routing case study 109 6 configure the user ppp parameters. Set network user branch_office ppp max_channels 2 set network user branch_office ppp channel_expansion 60 channel_decrement 20 7 configure phone numbers. Set user branch_office phone_number 5085555555 8 configure authentication. ...
Page 112
110 c hapter 7: lan- to -lan r outing set user main _office phone_number 5085556666 8 configure authentication. Set ppp receive_authentication pap set system transmit_authentication_name branch_office 9 save your work. Save all configuring ip on demand using ip on demand, the ras 1500 sends ip packe...
Page 113: Ridging
8 b ridging with the ras 1500 this chapter contains the following information: ■ overview ■ enabling bridging over the lan ■ using fcp to bridge with officeconnect routers.
Page 114
112 c hapter 8: b ridging with the ras 1500 overview the superstack ii remote access system (ras) 1500 uses bridging to allow you to link two separate locations as if they were the same network. How the ras 1500 acts as a bridge when the ras 1500 receives a frame, it inspects the frame and determine...
Page 115
Enabling bridging over the lan 113 if the bridge does not find the destination hardware address in its bridging table, the ras 1500 transmits the frame across the bridge. If the bridge finds the destination hardware address in its bridging table, the ras 1500 transmits the packet across bridge links...
Page 117
Using fcp to bridge with officeconnect routers 115 fcp supports the following features: ■ data compression ■ multilink line aggregation (multilink fcp) ppp versus fcp ppp is used widely throughout the ip community to connect routers from different manufacturers. It is recognized as the de facto stan...
Page 118
116 c hapter 8: b ridging with the ras 1500 b disable all protocols not used on your network: set network user [username] ipx disable appletalk disable bridging ip does not work if you add an ip network to the ethernet interface. C enable bridging for the fcp user: set dial_out user [username] site ...
Page 119
Using fcp to bridge with officeconnect routers 117 on-demand bridging when the ras 1500 receives a frame that needs to be bridged, it checks the learned mac address table to see if it knows where to send the frame. (maybe a dial-up link is still available where that can be forwarded.) if it does not...
Page 121: Onfiguring
9 c onfiguring an ip t erminal s erver this chapter contains the following information: ■ overview ■ before you begin ■ configuring the ras 1500 login hosts ■ configuring login users ■ case studies overview remote users can dial in to the superstack ii remote access system (ras) 1500 to establish a ...
Page 122
120 c hapter 9: c onfiguring an ip t erminal s erver setting communication parameters the remote computer should be configured for the following communications parameters: ■ 8 bits, no parity, and 1 stop bit ■ hardware (rts/cts) flow control ■ normal carrier detect these settings are the defaults. I...
Page 123
Configuring login users 121 rlogin, telnet and cleartcp ports optional. The rlogin, telnet and cleartcp port numbers of the host. 1 to add a login host, use the following command: add login_host detroit address 236.135.221.167 preference 1 2 check your work with the following command. List login_hos...
Page 124
122 c hapter 9: c onfiguring an ip t erminal s erver ■ rlogin — although rlogin was originally a unix protocol, it is now supported by some non-unix machines as well. Unlike telnet, rlogin allows a user logged into a host to access their accounts on other (trusted) hosts without re-entering a passwo...
Page 125
Configuring login users 123 ■ select — (default)the user is automatically connected to a host selected from the login hosts table. The method of choosing the host is set using the set connection command by random or round robin (default) fashion. ■ example: set connection host_select random ■ specif...
Page 126
124 c hapter 9: c onfiguring an ip t erminal s erver case studies this section provides examples of how to configure a login user to dial-in to the ras 1500 and establish a telnet session with hosts on the network. ■ in case study a, the user is prompted for the login service and host address desire...
Page 127
Case studies 125 when jack dials in, he is prompted for his login name as shown below: welcome to 3com ras 1500 (tm) login: after jack is successfully authenticated, the system prompt appears. At this point, jack can connect to either host by using the following command: telnet quartz or telnet gran...
Page 128
126 c hapter 9: c onfiguring an ip t erminal s erver case study b this case study assumes the following: ■ the user has set up a terminal emulation session such as the windows hyperterminal with a phone number and standard communications parameters. ■ the ip network is configured. ■ all other settin...
Page 129
Case studies 127 after system authentication, jill is up and running on the host. When jill logs out of her host session, she exits from the ras 1500 as well. Example: granite:\> logout no carrier microsoft(r) windows 95 (c)copyright microsoft corp 1981-1995. Granite:\>.
Page 131: Dvanced
10 a dvanced m odem c onfiguration with cli/at commands this chapter contains the following information: ■ overview ■ configuring data compression settings ■ configuring error control options ■ configuring link option settings ■ obtaining modem call information ■ working with modem memory ■ configur...
Page 132
130 c hapter 10: a dvanced m odem c onfiguration with cli/at commands overview before you begin before you access the console interface, perform the following actions: 1 connect the superstack ii remote access concentrator (ras) 1500 console port. 2 access the console interface with terminal softwar...
Page 133
Overview 131 obtaining at command help there are five types of at command help. See the table 25 for the commands associated with the five types of at command help. Table 25 at command help commonly used at commands there are certain at commands that are used more often than others, such as dial com...
Page 134
132 c hapter 10: a dvanced m odem c onfiguration with cli/at commands dial command options include optional dial commands (table 27) after the d command and before the number to be dialed unless indicated otherwise. To cancel dial command execution, press any key. Table 27 dial command options actio...
Page 135
Overview 133 using stored telephone numbers each modem in an ras 1500 can store up to four dial strings in nvram, store the last dialed number, and do an inquiry of stored phone numbers. A dial string may be up to 40 characters long. The string may include any valid dial command options (table 28), ...
Page 136
134 c hapter 10: a dvanced m odem c onfiguration with cli/at commands configuring data compression settings data compression is a method by which the modem sending (transmitting) compresses the data being sent as it transmits, and the receiving modem decompresses the data as it is received. V.42 bis...
Page 137
Configuring data compression settings 135 data compression tables a data compression table describes a table of values assigned for each character during a call using data compression techniques. The default values in the table are constantly being changed to ensure the most efficient throughput pos...
Page 138
136 c hapter 10: a dvanced m odem c onfiguration with cli/at commands configuring error control options error control can be accomplished in different ways. Error control is available for calls at 1200 bps and above. It can be disabled, although high speed calls (above 2400 bps) should always be und...
Page 139
Configuring error control options 137 microcom networking protocol error control microcom networking protocol (mnp) is supported by the itu-t v.42 recommendation. It was originally developed by microcom®, inc. And is now in the public domain. Mnp is based on special protocol frames. If the remote de...
Page 140
138 c hapter 10: a dvanced m odem c onfiguration with cli/at commands establishing error control-only connections use this setting to guard against the transfer of data at high speeds without the reliability of error control. Modem disconnects (hang up on call) if arq connection cannot be made. V.42...
Page 141
Configuring error control options 139 modifying carrier receive delay table 33 provides the carrier receive delay commands. Table 33 carrier receive delay setting command parameters default the duration (tenths of a second) of the remote modem carrier signal before the local modem recognizes the sig...
Page 142
140 c hapter 10: a dvanced m odem c onfiguration with cli/at commands configuring link option settings this section explains how to change the settings that affect link options between the ras 1500 module and the modems it connects to. Link speed index the following table shows the index number used...
Page 143
Configuring link option settings 141 setting the lowest possible connect speed the &u command allows you to set the lowest possible connect speed. When a remote modem connects to an ras 1500, it limits the minimum speed of the connection based on the value specified with &u. If the &u argument is ze...
Page 144
142 c hapter 10: a dvanced m odem c onfiguration with cli/at commands understanding base rates and true rates the x2 speeds listed in the &u and &n table are base rates. From each base rate an additional 6 true rates can be derived. There are 30 true rates. The same x2 true rate could be derived fro...
Page 145
Configuring link option settings 143 controlling the maximum low-speed direction low-speed direction speed is the send/receive baud rate of the slowest end of a connection. Use the s75 settings in table 37 to control the maximum low-speed direction speed: table 37 s75 upper limit link speeds upper l...
Page 146
144 c hapter 10: a dvanced m odem c onfiguration with cli/at commands obtaining modem call information at commands allow you to obtain and view both configuration and statistical information for a specific modem port. This section lists the at commands used to obtain call information, and modem char...
Page 147
Obtaining modem call information 145 understanding link diagnostic results link diagnostic result parameters are displayed by the ati6 command. Table 39 explains each parameter. Table 39 link diagnostic results . Result indication octets compressed characters; may be greater than the number of chara...
Page 148
146 c hapter 10: a dvanced m odem c onfiguration with cli/at commands the possible reasons for disconnect are explained in table 40. Table 40 disconnect reasons . Disconnect reason indication keypress abort the modem detected a keypress while training. Escape code the operator sent the modem the (++...
Page 149
Working with modem memory 147 working with modem memory modems inside an ras 1500 module have a user-configurable memory type known as flash memory. You can store, retrieve, and change settings in flash. Each modem also uses random access memory (ram) to store current settings, however modem configu...
Page 150
148 c hapter 10: a dvanced m odem c onfiguration with cli/at commands saving a phone number to flash memory each modem in an ras 1500 can store up to four different telephone numbers. Table 41 explains how to store these numbers in modem flash memory. Table 41 saving a phone number to flash memory c...
Page 151
Configuring modem call control settings 149 changing settings temporarily any setting can be changed just for the current session. You may want to use this feature for experimentation if you are experiencing performance difficulties. If the change does not achieve the desired effect, reset the modem...
Page 152
150 c hapter 10: a dvanced m odem c onfiguration with cli/at commands use error correction and hangs up if the remote modem is not using error correction. Setting carrier wait time after dialing setting idle time before disconnect setting mnp/v.42 link request timeout setting command none (normal) a...
Page 153
Configuring 56 kbps technology 151 setting v.32 300/600 hz tone times setting the number of rings for auto answer setting time to start dialing configuring 56 kbps technology v.90 and x2 are ground-breaking technologies that allow servers to send data at speeds up to 56 kbps and clients to send data...
Page 154
152 c hapter 10: a dvanced m odem c onfiguration with cli/at commands disabling v.34 connections the ras 1500 allows the selective disabling of v.34 connections depending on whether or not they are made with an x2 capable modem (table 42). Table 42 disabling v.34 connections s-register s76, bit 3 ca...
Page 155
Configuring isdn 153 table 43 at commands relationships between frames and windows although you can set the frame size on the ras 1500 up to 2048, use table 44 to determine the actual values allowed by the ras 1500. Table 44 frame and windows sizes viewing current frame and window size settings use ...
Page 156
154 c hapter 10: a dvanced m odem c onfiguration with cli/at commands universal connect call flow the ras 1500 tries a number of calls and detection processes (table 45). Table 45 universal connect call flow when you set the ras 1500 to universal connect and make or receive a call, the ras 1500 atte...
Page 157
Configuring isdn 155 originating hdlc 64 kbps and 56 kbps protocols use table 47 to control the originating high-level data link control (hdlc) 64 kbps and 56 kbps protocols: table 47 hdlc 64kbps and 56 kbps protocols originating non-hdlc protocols use the commands in table 48 to control the origina...
Page 159: Onfiguring
11 c onfiguring the ras 1500 router this chapter covers administrative commands used for the following: ■ reconfiguring your system ■ communicating with remote and local sites ■ troubleshooting commands ■ displaying system information reconfiguring your system the commands detailed in this section c...
Page 160
158 c hapter 11: c onfiguring the ras 1500 router idle timeout if you want to make sure that a console login user is using the link constructively — and not leaving the system vulnerable to a security breach — set an idle timeout using the following command: set command idle_timeout example: set com...
Page 161
Reconfiguring your system 159 running script files the do command is a powerful tool to configure multiple users, protocols, or other functionality by running a script file containing cli commands. To use this command, create a file containing the cli commands you want to implement, tftp the file to...
Page 162
160 c hapter 11: c onfiguring the ras 1500 router add dns host wimpy address 157.172.248.40 ;add dns server preference 1 address 157.172.248.40 name louvre ; ; syslog host add; add syslog 157.172.248.54 loglevel verbose ; ; local authentication; enable authentication local ; ; remote authentication;...
Page 163
Communicating with remote and local sites 161 discarding and renaming files there are several delete commands you can use to discard various files. ■ delete configuration — discards all configuration files, reboots the system and restores system configuration to factory defaults ■ delete file — remo...
Page 164
162 c hapter 11: c onfiguring the ras 1500 router disconnect command to disconnect a user (disconnect and leave the user in an inactive state), use the following command: disconnect user reboot command use the reboot command to recycle the system. But first, be sure to use the save all command to pr...
Page 165
Communicating with remote and local sites 163 logout command logout exits the cli and closes the connection, ending a dial-in user or telnet session. Network services to use cleartcp, simple network management protocol (snmp), or dialout and to set values associated with them, add each network servi...
Page 166
164 c hapter 11: c onfiguring the ras 1500 router data ancillary data. Format one or more values with syntax from table 50. Table 50 ancillary data values data value description “auth=on/off” on indicates that login/ password authentication should be performed on incoming connections. Default: on “l...
Page 167
Communicating with remote and local sites 165 using the list services command after typing the example above will display the following (for example): configured network services server admin name type socketclose status tftpd tftpd 69 false enabled data: dialout dialout32773false disabled data: aut...
Page 168
166 c hapter 11: c onfiguring the ras 1500 router using tftp tftp (trivial file transfer protocol) can be used to transfer files to and from the system. Since this network service is enabled by default, set it up by first configuring your computer as a tftp client of the stack by entering this comma...
Page 169
Communicating with remote and local sites 167 for example, to telnet to a host with an ip address of 167.199.76.23, use the following command: telnet 167.199.76.23 when using telnet or rlogin on a tcp connection via a global interface (ras 1500 internal interface), you should run rip. Without rip ru...
Page 170
168 c hapter 11: c onfiguring the ras 1500 router for example, at the host prompt, use the following command: c ] send ayt you can use the set_escape command to change the telnet escape character to a character of your choice. Use a carat ( ^ )to precede another character. Example: set_escape ^x clo...
Page 171
Troubleshooting commands 169 resolving addresses the arp command performs ip address resolution. Use the following command: arp the system will respond with an ip address (and mac [ethernet] address if found on a locally connected network) of the host. Example: arp: 172.122.120.118 -> 08:00:09:cc:58...
Page 173
Troubleshooting commands 171 showing ping settings the show ping row command is an alternative to display ping statistics. Example: ping settings for row: 1 destination: www.Cnn.Com status: active resolved ip address:207.25.71.28 count: 20 interval:1 size: 64 timeout:20 self destroy delay:10 use the...
Page 174
172 c hapter 11: c onfiguring the ras 1500 router viewing ras 1500 system information you can use the show system command to see the firmware revision number, the date, and the time that this revision was compiled as well as other system information that may be useful when consulting 3com technical ...
Page 175
Displaying system information 173 displaying system information list commands you can use list commands to view current configurations for all values stored in tables as well as facilities, files (flash memory configuration), and other data. List critical events the list critical events command disp...
Page 176
174 c hapter 11: c onfiguring the ras 1500 router example: connection settings host selection method:round-robin global user name: default service prompt: login/network user: message prompt: manage: ■ host selection method — means of choosing a host. Choices are round-robin or random . ■ global user...
Page 177
Displaying system information 175 ■ dll — data link layer that the specified dial-in session is connected to: none , ppp , slip , fcp , rlgn , tlnt , ping , admn , cltcp ■ start date — start date of a connection established on the specified interface ■ start time — start time of a connection establi...
Page 179: Sing
12 u sing s ecurity and a ccounting this chapter contains the following: ■ authentication overview ■ local authentication ■ radius authentication ■ nos authentication ■ radius accounting authentication overview you can perform user authentication with either the superstack ii remote access system (r...
Page 180
178 c hapter 12: u sing s ecurity and a ccounting local authentication the ras 1500 provides user authentication locally using a user table defined by the administrator. Local authentication is enabled by default. To enable local authentication, use the following command line interface (cli) command...
Page 181
Radius authentication 179 the ras 1500 integrates the following enhanced radius features: ■ 128 challenge responses up to 128 bytes ■ a filter rule format allowing filter names and rules to be downloaded to the radius client ■ dynamic radius server changes of a user filter rules ■ increased radius s...
Page 182
180 c hapter 12: u sing s ecurity and a ccounting configuring radius authentication on the ras 1500 this section provides procedures to configure radius authentication through the cli. You can also use the web configuration interface to configure radius authentication. Refer to the web configuration...
Page 183
Radius authentication 181 4 set the primary encryption key or secret. Use the following command: this is the first key the ras 1500 uses to encrypt passwords and the radius server uses to decrypt them. The radius server(s) must be set to the same secret (encryption) key. The encryption key is entere...
Page 184
182 c hapter 12: u sing s ecurity and a ccounting enabling and disabling remote authentication remote authentication is enabled by default. To set the type of remote authentication (radius or nos), see the previous procedure, “configuring radius authentication settings.” to enable remote authenticat...
Page 185
Nos authentication 183 nos authentication process when a user dials into the ras 1500 and nos authentication is enabled, the following occurs: in these steps, the terms “security client” and “security server” refer to either a novell netware or windows nt platform. 1 the ras 1500 checks its own user...
Page 186
184 c hapter 12: u sing s ecurity and a ccounting these nlms reside on their respective server. They provide the appropriate agent software to interface between the ras 1500 and the respective security server. Installing the software ■ to install the bindery/nds security client on a netware server, ...
Page 187
Nos authentication 185 \etc\services example # sys:etc\services # # network service mappings. Maps service # names to transport protocol and # transport protocol ports. # echo 7/tcp discard 9/tcp sink null systat 11/tcp daytime 13/tcp netstat 15/tcp ftp-data 20/tcp ftp 21/tcp telnet 23/tcp smtp 25/t...
Page 188
186 c hapter 12: u sing s ecurity and a ccounting biff 512/udp comsat who 513/udp whod syslog 514/udp talk 517/udp route 520/udp router routed new-rwho 550/udp new-who rmonitor 560/udp rmonitor monitor 561/udp ingreslock 1524/tcp snmp 161/udp snmp-trap 162/udp crsecacc 888/udp you may need to unload...
Page 189
Nos authentication 187 to ensure the security client starts each time the system is rebooted, add the above commands in autoexec.Ncf file: ■ for nds, add the command after tcp/ip, binding ip to an interface, and load dsapi. ■ for bindery, add the command after tcp/ip and binding ip to an interface..
Page 190
188 c hapter 12: u sing s ecurity and a ccounting netware directory example set time zone = pst8pdt set daylight savings time offset = 1:00:00 set start of daylight savings time = (april sunday first 2:00:00 am) set end of daylight savings time = (october sunday last 2:00:00 am) set default time ser...
Page 191
Nos authentication 189 to change the encryption key, follow these steps: 1 unload the security client on the novell server: unload snds or unload sbin “secret” 2 reload the security client on the server with the new secret. Load snds “secret_password(key)”c:\”context_name” debug or load sbindery “se...
Page 192
190 c hapter 12: u sing s ecurity and a ccounting ■ the local user accounts database, if the workstation is setup as a workgroup or as a member of a domain and the user login name matches one of the user account names in the user account database. ■ the user account database on the nt domain control...
Page 193
Nos authentication 191 users must logon locally to allow the user to use windows nt security with the ras 1500. For example, follow these steps: 1 log on to the nt server as administrator. 2 open the administrative tools program group. 3 double-click the user manager for domains program group icon. ...
Page 194
192 c hapter 12: u sing s ecurity and a ccounting configuring nos authentication on the ras 1500 complete the following procedures to configure nos authentication on the ras 1500. You can also use web configuration interface to configure nos authentication. Refer to the web configuration interface o...
Page 195
Nos authentication 193 to enable remote authentication (in this case, nos), use the following cli command: enable authentication remote to disable remote authentication, use the following cli command: disable authentication remote displaying authentication settings to display authentication settings...
Page 196
194 c hapter 12: u sing s ecurity and a ccounting for example, to begin dst on the first sunday of april at 2:00 am and adjust 1 hour: set dst on week_of_month 1 day_of_week sunday month april time_to_correct 02:00:00 amount_to_correct 01:00:00 use the following command to set specify when dst endsa...
Page 197
Radius accounting 195 to display the daylight saving time settings, use the following command: show dst save your work to save your work, use the following command: save all troubleshooting nos authentication if nos authentication does not operate properly, verify the following: ■ the time on the no...
Page 198
196 c hapter 12: u sing s ecurity and a ccounting this section describes: ■ configuring radius accounting settings ■ enabling and disabling radius accounting ■ radius accounting examples configuring radius accounting use the following cli command to configure radius accounting settings: set accounti...
Page 199
Radius accounting 197 4 determine whether accounting information is sent to the primary server only (the secondary server acts as a backup) or whether accounting information is sent to both the primary and secondary servers until a response is received from both servers. Use the following command: s...
Page 200
198 c hapter 12: u sing s ecurity and a ccounting enabling and disabling radius accounting radius accounting is enabled by default. It can be enabled or disabled from the cli. To enable radius accounting, use the following cli command: enable accounting to disable radius accounting, use the followin...
Page 201
Radius accounting 199 if a ppp or slip (framed) user begins a session with the network, a record similar to the one below is sent to the accounting server: thurs jan 16 16:15:53 1999 acct-session-id=“06000004” user-name=harryk client-id=201.123.234.79 client-id-port=5 acct-status-type=start acct-aut...
Page 203: Sing
13 u sing f rame r elay this chapter contains the following information: ■ overview ■ before you begin ■ basic frame relay configuration using the command line interface ■ frame relay data link configuration ■ frame relay pvc configuration ■ monitoring and troubleshooting ■ case study the frame rela...
Page 204
202 c hapter 13: u sing f rame r elay overview the superstack ii remote access system 1500 (ras 1500) supports a frame relay interface to a wide area network (wan). This allows for dedicated high throughput, low error connectivity to remote locations using public or private frame relay. Frame relay ...
Page 205
Overview 203 committed information rate frame relay controls the data throughput rate with the committed information rate (cir) parameter. Cir is the data rate the carrier guarantees without data loss. Cir is determined at the time the frame relay circuit is ordered and typically determines the cost...
Page 206
204 c hapter 13: u sing f rame r elay table 53 frame relay terminology how congestion control works the chart below illustrates the congestion control process. This example assumes that all frames are 4 k bits in size. Figure 13 shows what happens as the number of transmitted bits increases during t...
Page 207
Overview 205 figure 13 frame relay congestion control number of frames/bits cir - 16k bc min - 24k bc max - 40k be - 48k access - 64k 56k 32k b c tc all data between bc and be is sent with the de bit set all data in excess of be is discarded bc is variable between bc_max and bc_min depending on cong...
Page 208
206 c hapter 13: u sing f rame r elay before you begin before you configure the ras 1500 for frame relay you must determine the following information: ■ lmi protocol used: annex a, annex d, or lmi ■ dlcis of all pvcs on the frame relay network ■ cir monitoring support ■ cir of each pvc ■ protocols s...
Page 209
Basic frame relay configuration using the command line interface 207 3 specify additional network parameters for the user. A if you are configuring an unnumbered interface, use the following command: set network user remote_ip_address the remote_ip_address for an unnumbered link may be the ip addres...
Page 210
208 c hapter 13: u sing f rame r elay frame relay data link configuration use the following steps to configure the frame relay data link: 1 add the frame relay data link. Add datalink frame_relay interface rm0/wan:1 enabled yes 2 configure the following interface-level parameters: set frame_relay on...
Page 211
Frame relay pvc configuration 209 frame relay pvc configuration to route over frame relay, users must be mapped to the correct pvc. This ensures that the correct ip and ipx addresses a associated with the correct pvc. On the ras 1500, a user profile defines most aspects of the wan connection across ...
Page 212
210 c hapter 13: u sing f rame r elay table 56 optional pvc parameters parameter term description bc_max maximum committed burst rate when becn monitoring is enabled this value is used as the starting point for bc calculations. Bc is the number of bits a pvc is allowed to burst above cir during a co...
Page 213
Monitoring and troubleshooting 211 monitoring and troubleshooting there are several ways to monitor and troubleshoot your ras 1500. Show the settings at the interface level use the following command to show the setting at the interface level: show frame_relay on interface rm0/wan:1 settings show fra...
Page 214
212 c hapter 13: u sing f rame r elay strategy 1 (unnumbered link) configuring the ras 1500 for site a: if an ip network has been defined, configured, and enabled on the ras 1500, steps 1 through 3 are not necessary. 1 add an ip network. Add ip network sitea interface rm0/eth:1 address 172.16.253.25...
Page 215
Case study 213 10 configure a frame relay pvc and associate a user with it. Add frame_relay pvc atob dlci 101 interface rm0/wan:1 user siteb enabled yes 11 save your work. Save all configuring the ras 1500 for site b: if an ip network has been defined, configured, and enabled on the ras 1500, steps ...
Page 216
214 c hapter 13: u sing f rame r elay save all strategy 2 (numbered link) configuring the ras 1500 for site a: if an ip network has been defined, configured, and enabled on the ras 1500, steps 1 through 3 are not necessary. 1 add an ip network. Add ip network sitea interface rm0/eth:1 address 172.16...
Page 217
Case study 215 8 configure the user dial-out parameters. Set dial_out user siteb local_ip address 192.168.168.1 9 enable the user. Enable user siteb 10 configure the frame relay datalink. Add datalink frame_relay interface rm0/wan:1 enabled yes 11 configure a frame relay pvc and associate a user wit...
Page 218
216 c hapter 13: u sing f rame r elay 8 enable the user. Enable user sitea 9 configure the frame relay datalink. Add datalink frame_relay interface rm0/wan:1 enabled yes 10 configure a frame relay pvc and associate a user with it. Add frame_relay pvc btoa dlci 102 interface rm0/wan:1 user sitea enab...
Page 219: Andling
14 h andling p acket f ilters this chapter describes how to set up packet filters on the superstack ii remote access system (ras) 1500. The following topics are discussed: ■ filtering overview ■ filter types ■ creating filters ■ configuring filters ■ managing filters ■ general filter setup ■ filter ...
Page 220
218 c hapter 14: h andling p acket f ilters filtering overview packet filters are used primarily in networks that cross organizational or corporate boundaries. They control inter-network data transmission by accepting or rejecting the passage of specific packets through network interfaces based on p...
Page 221
Filter types 219 filter types filters can be classified by the following types: ■ data filters — based on protocol-specific packet information ■ advertisement filters — based on broadcast packet information ■ generic filters — based on packet structure ■ call filters — based on outgoing calls data f...
Page 222
220 c hapter 14: h andling p acket f ilters call filters ip-call filters are employed to screen outgoing calls for an ondemand user or a per interface basis. Filtering rules can comb source, destination, and host addresses, port numbers of tcp and udp protocols, and internet control message protocol...
Page 223
Creating filters 221 protocol sections a single filter file can contain protocol sections in any order, but sections cannot be repeated. The following conditions cause errors or prevent filtering: ■ if you do not specify a protocol section in the filter file, no filtering will occur and packets of t...
Page 224
222 c hapter 14: h andling p acket f ilters when a packet is filtered, an ip packet for example, the ras 1500 parses each rule defined in the ip protocol section sequentially according to the line number. Filtering is performed based on the first occurring match. Without a match, the packet is accep...
Page 225
Creating filters 223 generic filter rules generic filter rules are similar in format to protocol filter rules. The following shows the rule syntax. The following is the rule syntax: origin = / offset = /length = /mask = / value = ; table 59 describes each field used in the rule syntax. Table 59 gene...
Page 226
224 c hapter 14: h andling p acket f ilters specifying the filtering action you can specify the filtering action for each protocol section that determines whether a packet is accepted or rejected if no match occurs with any of the rules defined in the section. To do so, enter one of the following va...
Page 227
Creating filters 225 3 enter the protocol rules for the protocol section you are defining. Be sure to perform the following: ■ begin each rule with a unique line number (1-999). ■ arrange rules in increasing order within each protocol section. ■ arrange rules so that the rules you expect to be match...
Page 228
226 c hapter 14: h andling p acket f ilters 8 return to the cli on the ras 1500. The ras 1500 does not recognize a filter file stored in its flash memory until you add it to the managed filter table. Use the following command: add filter when the filter is added, the ras 1500 automatically verifies ...
Page 229
Configuring filters 227 to enable filter access for a specific interface, use the following command: set interface filter_access off filter file changes take effect on an interface immediately when you issue the set interface command . The set switched interface and set modem_group commands can also...
Page 230
228 c hapter 14: h andling p acket f ilters call filters if a call filter is configured on an interface, all transmitted packets are checked against the filtering rules. The filtering rules determine whether the packet can initiate an outgoing call. Call filters are checked only after the packet has...
Page 231
Configuring filters 229 assigning a filter to an interface to configure input or output filters on a specified interface, use the following command. The default filter access setting ( off ) need not be set unless you have previously enabled filtering for a user. Use the following command: set inter...
Page 232
230 c hapter 14: h andling p acket f ilters managing filters this section provides the following information about how to manage filters: ■ displaying the managed filter list ■ adding filters to the managed filter list ■ deleting filters from the managed filter list ■ verifying filter file syntax ■ ...
Page 233
Managing filters 231 to add a filter file to the list of managed filters, use the following command: add filter it is helpful to use list files to see files successfully stored in flash memory. Removing a filter from an interface removing a filter assigned to an interface is mandatory when editing i...
Page 234
232 c hapter 14: h andling p acket f ilters deleting a packet filter to delete a specific packet filter, removing the filter file from the filter list and permanently from flash memory, use the following commands: delete filter delete file verifying filter file syntax the verify filter command is us...
Page 235
General filter setup 233 a description of each parameter follows. ■ all — creates syslog messages globally for all filtered packets. ■ radius — checks the radius profile (filter-log-packet attribute in the access-accept packet) on a per-user basis. ■ none — no syslog messages generated. ■ 0–493 byte...
Page 236
234 c hapter 14: h andling p acket f ilters filter examples this section provides specific filter examples. Ip packet filter rule examples this section briefly describes ip packet filtering options and provides rule examples for each ip packet filtering capability. It includes the following topics: ...
Page 237
Filter examples 235 the following rule example allows forwarding of ip packets with source address 192.077.100.032 and destination address 201.128.011.034: #filter ip: 010 and src-addr = 192.077.100.032; 020 accept dst-addr = 201.128.011.034; the following rule example limits a user to one host with...
Page 238
236 c hapter 14: h andling p acket f ilters the following rule example accepts only tcp packets that have a destination port number that is in the range of 24 to 39: #filter ip: 010 and tcp-dst-port > 23; 020 accept tcp-dst-port 030 deny; the following rule example accepts only udp packets that have...
Page 239
Filter examples 237 standard port numbers table 60 lists standard port numbers for common services. For a complete list, see the most recent “assigned numbers” rfc. Table 60 standard port numbers tcp udp description 20 - file transfer protocol (data) 21 - file transfer protocol (control) 23 - telnet...
Page 240
238 c hapter 14: h andling p acket f ilters ip and ipx-rip packet filtering rip packets identify all attached networks and the number of router hops required to reach them. These responses are used to update a router's routing table. Define ip/ipx-rip filtering rules in the ip-rip and ipx-rip protoc...
Page 241
Filter examples 239 for example, to allow a packet to pass if it is advertised from the server named sales_1 and its socket number is less than 32, enter the following: #filter ipx-sap: 010 accept server sales_1; 020 accept socket when applied to an input filter, the following example will permit sa...
Page 242
240 c hapter 14: h andling p acket f ilters for example, to prevent vandals from changing your routing tables by sending icmp redirects, enter the following: #filter ip: 010 reject icmp-type = 5 ip/ipx-call filtering you define ip/ipx-call filtering rules in the ip-call, ipx-call protocol sections o...
Page 243
Filter examples 241 for example, to filter the host where login users initially connect to, enter the following: #filter login-access: 010 accept dst-addr = 187.243.71.54/24 this filter allows users on network 187.243.71.0 to access the configured host but rejects all others. Ras 1500 global filteri...
Page 244
242 c hapter 14: h andling p acket f ilters global switch to filter out all ip options sometimes ip options may be generated from an outside source in an attempt to get past routing tables in a network. The ras 1500 provides a global feature to filter out all ip packets with ip options. By using the...
Page 245
Keywords 243 ip-rip section ipx and ipx-call section ipx-sap section login-access section appletalk section keyword description operators value network ip network address = or != ddd.Ddd.Ddd.Ddd/mask keyword description operators value src-net source network address = or != xx.Xx.Xx.Xx dst-net desti...
Page 246
244 c hapter 14: h andling p acket f ilters appletalk call section appletalk rtmp section appletalk zip section keyword description operators value src-host source host address = or != 0-65536 dst-host destination host address = or != 0-65536 src-node source node address = or != 0-255 dst-node desti...
Page 247: Onfiguring
15 c onfiguring d ynamic h ost c onfiguration p rotocol this chapter contains the following information: ■ overview ■ configuring the ras 1500 for dynamic host configuration protocol ■ user datagram protocol broadcast forwarding overview dynamic host configuration protocol (dhcp) allows a server to ...
Page 248
246 c hapter 15: c onfiguring d ynamic h ost c onfiguration p rotocol acting as a dhcp server,the ras 1500 receives and processes the requests for ip information and provides the ip information directly back to the client. Acting as a dhcp proxy,the ras 1500 initiates a dhcp request to a dhcp server...
Page 249
Overview 247 scenario 2 in this scenario, when a local user or dial-in user requests ip information, the ras 1500, acting as a dhcp server, provides it. Figure 15 ras 1500 as a dhcp server (local and dial-in users) scenario 3 the following describes this scenario: ■ when a local lan user requests ip...
Page 250
248 c hapter 15: c onfiguring d ynamic h ost c onfiguration p rotocol scenario 4 the following describes this scenario: ■ when a local lan 1 user requests ip information, the ras 1500, acting as a proxy server, relays the request to the router. The router relays the request to the dhcp server on lan...
Page 251
Overview 249 scenario 5 the following describes this scenario: ■ when a local lan 1 user requests ip information, the ras 1500 a, acting as a proxy server, relays the request through the pstn to the ras 1500 b. The ras 1500 b relays the request to the dhcp server on lan 2. The dhcp server processes ...
Page 252
250 c hapter 15: c onfiguring d ynamic h ost c onfiguration p rotocol figure 18 two ras 1500s as proxy servers; each on a separate lan configuring the ras 1500 for dynamic host configuration protocol dhcp server use the following steps to configure ras 1500 to act as a dhcp server: 1 set the ip addr...
Page 253
User datagram protocol broadcast forwarding 251 set dhcp server lease [lease duration] c set the primary and secondary dns servers. Set dhcp server dns1 [ip address] dns2 [ip address] d set the primary and secondary wins servers and default gateway. Set dhcp server wins1 [ip address] wins2 [ip addre...
Page 255: Sing
16 u sing n etwork a ddress t ranslation and p ort a ddress t ranslation this chapter contains the following information: ■ overview ■ configuring nat and pat ■ case studies overview network address translation (nat) and port address translation (pat) act as address translators between public and pr...
Page 256
254 c hapter 16: u sing n etwork a ddress t ranslation and p ort a ddress t ranslation 192.168.111.1), and the packet is routed to the correct user on the private network. ■ the next user is assigned the next free ip address from the pool. For example, 200.1.1.2. When the connection for a user ends,...
Page 257
Overview 255 figure 20 depicts static nat. Figure 20 static nat port address translation pat translates internet protocol (ip) addresses and user datagram protocol (udp) or transmission control protocol (tcp) source port numbers. For example, assume your isp assigns you a public ip address of 200.1....
Page 258
256 c hapter 16: u sing n etwork a ddress t ranslation and p ort a ddress t ranslation pat is either “dynamic” or “static.” the preceding example is dynamic and is depicted in the following diagram. (figure 21 shows fewer addresses in the pool than in the preceding example.) figure 21 dynamic pat fi...
Page 259
Configuring nat and pat 257 configuring nat and pat configuring network address translation enabling and disabling users to enable nat for a user, use the following command: set network user nat_option nat example: set network user nat_user nat_option nat to disable nat for a user, use the following...
Page 260
258 c hapter 16: u sing n etwork a ddress t ranslation and p ort a ddress t ranslation to add a static address assignment, use the following command: add nat static user public_address private_address example: add nat static user nat_user public_address 200.1.1.11 private_address 198.168.111.1 view ...
Page 261
Configuring nat and pat 259 adding dynamic and static address assignments unless you receive incoming connections from the public network, dynamic pat does not need configuration beyond enabling a user and choosing pat option. To add a static address assignment, use one of the following commands: ad...
Page 262
260 c hapter 16: u sing n etwork a ddress t ranslation and p ort a ddress t ranslation to list active pat port mappings, use the following command: list pat user port case studies this section contains one case study for nat and one for pat. Nat case study a private network with a ras 1500 requires ...
Page 263
Case studies 261 static nat is performed for 2 hosts on the private network. A dynamic public ip address translation pool is defined for other machines on the private network to be able to access the public network. 1 set basic system settings. Set system name rascntrl set command prompt rascntrl se...
Page 264
262 c hapter 16: u sing n etwork a ddress t ranslation and p ort a ddress t ranslation 6 configure nat mappings. Add nat dynamic user nat_user public_pool_start 202.55.55.42/29 count 3 add nat static user nat_user private_address 192.168.111.106 public_address 202.55.55.45 add nat static user nat_us...
Page 265
Case studies 263 4 set the username and password for your isp account. Set network user pat_user transmit_authentication betty set network user pat_user send_password fred 5 specify additional user settings. Set network user pat_user ppp compression none set network user pat_user address_selection n...
Page 267: Ppp O
17 ppp o ver s erial wan p ort this chapter contains the following information about configuring the superstack ii remote access system (ras) 1500 to support point-to-point protocol (ppp) over the serial wide area network (wan) port. ■ overview ■ case study ■ troubleshooting ■ properly configured ne...
Page 268
266 c hapter 17: ppp o ver s erial wan p ort figure 23 shows a typical ppp over leased line setup. Figure 23 typical ppp over leased line setup the ras 1500 supports the following protocols through the wan port. There are no settings on the ras 1500, a different cable is used for each protocol. ■ v....
Page 269
Ppp over serial wan port case study 267 ppp over serial wan port case study goals ■ connect the “main_office” ras 1500, to the “branch_office” ras 1500 using a leased line connection ppp link. ■ authenticate using pap. ■ idle timeout should be 300 seconds. Assumptions ■ each office has a functioning...
Page 270
268 c hapter 17: ppp o ver s erial wan p ort figure 25 unnumbered ppp over serial wan port link to configure the ras 1500 in the main office, perform the following: if an ip network has been defined, configured, and enabled on the ras 1500, steps 1 through 3 are not necessary. 1 add an ip network. A...
Page 271
Ppp over serial wan port case study 269 5 configure the user routing parameters. Set network user branch_office ip_routing both rip ripv1 6 add the ppp datalink. Add datalink ppp user interface rm0/wan:1 example: add datalink ppp user test interface rm0/wan:1 7 configure authentication. Set ppp rece...
Page 272
270 c hapter 17: ppp o ver s erial wan p ort 6 configure authentication. Set ppp receive_authentication pap set system transmit_authentication_name branch_office 7 save your work. Save all disabling leased-line ppp on the ras 1500 to bring down the connection, issue the following command: disable da...
Page 273: Gmt T
A gmt t ime z ones table 62provides greenwich mean time (gmt) offset information for locations around the world. Table 62 greenwich mean time offset gmt offset (hours) gmt offset in local summer (hours) dst change (local summer) region -12 0 kwajalein -11 0 american samoa canton enderbury islands mi...
Page 274
272 a ppendix a: gmt t ime z ones -7 -6 1 canada mountain usa mountain -6 0 belize costa rica el salvador guatemala honduras mexico -6 -5 1 canada central easter island nicaragua usa central -5 0 cayman islands colombia ecuador galapagos islands jamaica panama peru usa indiana east -5 -4 1 bahamas c...
Page 275
273 -4 0 anguilla antigua argentina western prov aruba barbados bolivia bonaire british virgin islands curacao dominica dominican republic grenada grenadines guadeloupe leeward islands martinique netherlands antilles nevis montserrat puerto rico saba st christopher st croix st john st kitts nevis st...
Page 276
274 a ppendix a: gmt t ime z ones -1 -2 -1 brazil atlantic islands -1 0 cape verde -1 0 1 azores greenland scoresbysun 0 0 ascension burkina faso cote d'ivoire gambia ghana guinea iceland liberia mali mauritania morocco principe island sao tome e principe senegal sierra leone st helena togo 0 1 1 ca...
Page 277
275 1 2 1 albania algeria andorra austria balearic islands belgium bosnia hercegovina croatia czech republic denmark france germany gibraltar hungary italy luxembourg macedonia mallorca islands malta melilla monaco namibia netherlands norway poland portugal san marino slovakia slovenia spain sweden ...
Page 278
276 a ppendix a: gmt t ime z ones 2 3 1 belarus bulgaria cyprus egypt estonia finland greece israel jordan latvia lebanon lithuania moldova moldovian rep pridnestrovye romania russian federation zone one syria turkey ukraine 3 0 azerbajian bahrain djibouti eritrea ethiopia kenya kuwait madagascar ma...
Page 279
277 5 0 maldives pakistan turkmenistan uzbekistan 5 6 1 kyrgyzstan russian federation zone four 5.5 0 india sri lanka 5.75 0 nepal 6 0 bangladesh bhutan tajikistan 6 7 1 kazakhstan russian federation zone five 6.5 0 myanmar 7 0 cambodia indonesia west laos thailand vietnam 7 8 1 russian federation z...
Page 280
278 a ppendix a: gmt t ime z ones 10 11 1 australia new south wales australia victoria australia australian captial territory australia tasmania russian federation zone nine 10.5 11 0.5 australia lord howe island 11 0 caroline island new caledonia new hebrides ponape island solomon islands 11 12 1 r...
Page 281: Echnical
B t echnical specifications this chapter contains information about technical specifications for the ras 1500. Certification united states fcc part 15 compliance statement this equipment has been tested and found to comply with the limits for a class a digital device, pursuant to part 15 of the fcc ...
Page 282
280 a ppendix b: t echnical specifications for more information if these suggestions do not help, you might consult the following booklet: interference to home electronic entertainment equipment handbook you can order the booklet from the u.S. Government printing office, washington, dc 20402. Ask fo...
Page 283
Certification 281 bri u model this digital apparatus does not exceed the class a limits for radio noise emissions from digital apparatus set out in the radio interference regulations of industry canada (formerly the canadian department of communications). Le present appareil numerique níemet pas de ...
Page 284
282 a ppendix b: t echnical specifications wan interface - cabling specifications ■ wire type: 10 mbps: cat 3 or cat 5 twisted pairs 100 mbps: cat 5 twisted pairs ■ max. Cable distance: 100 meters (328 ft.) suggested maximum. Longer cabling may be used at the expense of reduced receiver squelch leve...
Page 285
Certification 283 power requirements the 5 and 3.3 vdc outputs “power-share.” since the maximum power output of the 12 vdc supply is 30 w, the remaining 40 w is shared between the 3.3 and 5 vdc supplies. If no load in 3.3 v and 12 v limited to 0.6 a, then 5 v can deliver 12 a. Input voltage: 90 - 26...
Page 287: Echnical
C t echnical s upport 3com provides easy access to technical support information through a variety of services. This appendix describes these services. Information contained in this appendix is correct at time of publication. For the very latest, 3com recommends that you access the 3com corporation ...
Page 288
286 a ppendix c: t echnical s upport to connect to the 3com ftp site, enter the following information into your ftp client: ■ hostname: ftp.3com.Com (or 192.156.136.12 ) ■ username: anonymous ■ password: a user name and password are not needed with web browser software such as netscape navigator and...
Page 289
Support from your network supplier 287 3comfacts automated fax service the 3comfacts automated fax service provides technical articles, diagrams, and troubleshooting instructions on 3com products 24 hours a day, 7 days a week. Call 3comfacts using your touch-tone telephone: 1 408 727 7021 support fr...
Page 290
288 a ppendix c: t echnical s upport below is a list of worldwide technical telephone support numbers: country telephone number country telephone number asia pacific rim australia hong kong india indonesia japan malaysia new zealand pakistan philippines 1 800 678 515 800 933 486 61 2 9937 5085 001 8...
Page 291
Returning products for repair 289 returning products for repair before you send a product directly to 3com for repair, you must first obtain a return materials authorization (rma) number. Products sent to 3com without rma numbers will be returned to the sender unopened, at the sender’s expense. To o...
Page 293: Ndex
I ndex numbers 2100 hz answer tone disable 139 enable 139 3com bulletin board service (3com bbs) 286 3com url 285 3comfacts 287 56 kbps technology 151 a accounting server radius 195 settings 195 adding network services 163 address pools configuring 72 administrative tools adding network services 163...
Page 294
292 i ndex exiting 162 quick setup 24 command line interface. See cli committed burst size 203 committed information rate 203 communicating with remote and local sites 161 configuration frame relay 206 congestion control 203 congestion monitoring period 203 congestion notifications 203 connect speed...
Page 295
I ndex 293 forward explicit congestion notifications 203 frame relay bc 203 becn 203 becn_cmp 203 cir 203 configuration 206 congestion control 203 datalink configuration 208 dcli 202 lmi 203 pvc 202 pvc statistics 211 tc 204 troubleshooting 211 g gmt offset displaying 194 setting 194 gstn clear down...
Page 296
294 i ndex network supplier support 287 o on-demand routing 96 online technical services 285 p pat 253 pause code 138 permanent virtual circuit 202 permanent virtual circuits 202 ping set ping 171 using 169 port address translation. See pat port numbers for common services 237 pvc 202, 206 pvc confi...
Page 297
I ndex 295 v.90 151 w windows 95 dial up networking 89 world wide web (www) 285 x x.75 152.
Page 298
296 i ndex.
Page 299
3c om l imited w arranty superstack ii remote access system 1500 h ardware 3com warrants this hardware product to be free from defects in workmanship and materials, under normal use and service, for the following length of time from the date of purchase from 3com or its authorized reseller: five (5)...
Page 300
3com shall not be responsible for any software, firmware, information, or memory data of customer contained in, stored on, or integrated with any products returned to 3com for repair, whether under warranty or not. Telephone support, with coverage for basic troubleshooting only, will be provided for...