PortMaster®
Configuration Guide
Lucent Technologies
Remote Access Business Unit
4464 Willow Road
Pleasanton, CA 94588
925-737-2100
800-458-9966
May 1998
950-1182D
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PortMaster Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Additional References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ITU-T Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Document Advisories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Contacting Lucent Remote Access Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
For the EMEA Region . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv
For North America, Latin America, and the Asia Pacific Region . . . . . . . . . . . . . . xxiv
PortMaster Training Courses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv
Subscribing to PortMaster Mailing Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
PortMaster Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Preconfiguration Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Configuration Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Basic Configuration Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
2. How the PortMaster Works
Booting the PortMaster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
PortMaster Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Contents
On-Demand Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
PortMaster Security Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Port Status and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Setting the System Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Administrative Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using the Host Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Name Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Name Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Telnet Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using the Telnet Port as a Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Loghost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
Disabling and Redirecting Syslog Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
Setting Administrative Logins to Serial Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Configuring an IP Address Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Setting the Reported IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13
About the livingston.mib Definition File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Examining the MIB Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Configuration Guide for PortMaster Products
PortMaster Modem Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20
Setting SNMP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Setting SNMP Read and Write Community Strings . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Adding SNMP Read and Write Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
Viewing SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
Monitoring SNMP Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
Displaying the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
Setting Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
Adding and Deleting a Static Route for IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
Adding and Deleting a Static Route for IPX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25
Modifying the Static Netmask Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26
Enabling NetBIOS Broadcast Packet Propagation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29
Setting Authentication for Dial-In Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29
Setting Call-Check Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Setting the ISDN Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Setting General Ethernet Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring RIP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Applying Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting IP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Subnet Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Broadcast Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enabling or Disabling IP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting Ethernet IPX Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Setting the IPX Network Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Enabling or Disabling IPX Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Setting the IPX Frame Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Configuring Ethernet Subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
Setting OSPF on the Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Asynchronous Port Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
General Asynchronous Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Overriding Certain Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Port Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Parity Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting Databits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Displaying Extended Port Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Login Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Login Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting an Optional Access Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Allowing Users to Connect Directly to a Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting a Port as the Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Port Idle Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring a PortMaster for Login Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Port Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Login Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
Setting the Terminal Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring a Port for Access to Shared Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11
Setting the Device Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
Configuring a Port for Network Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
Network Dial-In-Only Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
Network Dial-Out-Only Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
Network Dial-In-and-Out (Two-Way) Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18
Configuring a Port for a Dedicated Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20
Setting the Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
Setting the MTU Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
Setting the Destination IP Address and Netmask . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
Setting the IPX Network Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
Configuring RIP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23
Configuring Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23
Setting the PPP Asynchronous Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24
Setting Input and Output Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
Connecting without TCP/IP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
Synchronous Port Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Configuring WAN Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
General Synchronous Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Settings for Hardwired Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7
Configuring the User Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Displaying User Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Adding Users to the User Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Deleting Users from the User Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
User Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Login Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Configuring Settings for Network and Login Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
Setting a Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
Setting the Session Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Network Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the User IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Subnet Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the IPX Network Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring RIP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Asynchronous Character Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the MTU Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Maximum Number of Dial-In Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Specifying a Callback Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
Configuring Login Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
Setting the Login Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
Applying an Optional Access Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
Setting the Login Service Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Specifying a Callback Telephone Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13
Configuring the Location Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Creating a Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Connection Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Telephone Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Username and Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Setting the Destination IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Setting the Destination Netmask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Setting the IPX Network Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Setting RIP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the MTU Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Idle Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10
Setting Data over Voice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10
Setting CHAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10
Setting the Asynchronous Character Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting Multiline Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Maximum Number of Dial-Out Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
Setting Bandwidth-on-Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
Setting Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-13
Input Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-13
Output Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-13
Testing Your Location Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-14
Overview of PortMaster Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Filter Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
How Filters Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Creating Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Creating IP Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Filtering TCP and UDP Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Creating IPX Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Displaying Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Deleting Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Example Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Simple Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Input Filter for an Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
Input and Output Filters for FTP Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
Rule to Permit DNS into Your Local Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
Rule to Listen to RIP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
Rule to Allow Authentication Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Rule to Allow Networks Full Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Restrictive Internet Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Restricting User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15
Null Modem Cable and Signals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Modem Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Using Automatic Modem Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Displaying Modem Settings and Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Adding a Modem to the Modem Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Associating a Modem with a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6
Configuring Ports for Modem Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Setting the Port Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Setting Modem Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Setting Parity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Setting the Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Hanging Up a Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9
Configuring General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Configuring Line Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Setting Channel Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Setting the Channel Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Setting the Inband Signaling Protocol for T1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Setting the Framing Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Encoding Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Pulse Code Modulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting the Directory Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using True Digital Modems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Hot-Swapping Digital Modem Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting Digital Modems to Analog Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using Channelized T1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Why Use Channelized T1? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Configuring the PortMaster 3 for Channelized T1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11
Example Channelized T1 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11
Using the T1 Expansion Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
Clocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
Configuring the T1 Expansion Card for Fractional T1 . . . . . . . . . . . . . . . . . . . . . . . 11-13
Troubleshooting the T1 Expansion Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-14
Using Multichassis PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Setting Multichassis PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Displaying Multichassis PPP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Disconnecting a User from a Virtual Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Troubleshooting the PortMaster 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-16
12. Using ISDN BRI
Overview of ISDN BRI Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1
Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Configuring ISDN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4
ISDN BRI Switch Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4
Setting the Switch Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5
Service Profile Identifier (SPID) for ISDN BRI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5
Terminal Identifier (TID) for ISDN BRI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
Directory Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
Information Elements (IEs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
Multilink PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7
Multiple Subscriber Network for an S/T Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8
Port Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8
Data over Voice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8
ISDN Port Configuration Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9
ISDN BRI Unnumbered IP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9
Configuration Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9
Configuring the PortMaster in Denver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
Configuring the PortMaster in San Francisco . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15
Testing the Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20
Troubleshooting an ISDN BRI Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21
Interpreting ISDN BRI Port Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-22
Overview of Frame Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
PVCs and DLCIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
Line Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
Port Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
CIR and Burst Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
Discarding Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Ordering Frame Relay Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
LMI Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Frame Relay Configuration on the PortMaster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Enabling LMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5
Enabling Annex-D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Listing DLCIs for Frame Relay Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Configuration Steps for a Frame Relay Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7
Configuring the PortMaster in Bangkok . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-8
Configuring the PortMaster in New York . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
Troubleshooting a Frame Relay Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-11
Frame Relay Subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-12
Configuring Subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-12
Troubleshooting Subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-14
Example: Configuring a Frame Relay Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . 13-15
Overview of Synchronous V.25bis Dial-Up Connections . . . . . . . . . . . . . . . . . . . . . . . . . 14-1
Configuration Steps for a Synchronous V.25bis Connection . . . . . . . . . . . . . . . . . . . . . . 14-3
Configuring the PortMaster in Boston . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3
Configuring the PortMaster in Miami . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7
Testing the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-12
Troubleshooting a Synchronous V.25bis Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13
Overview of Example Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1
Configuration Steps for an Office-to-Office Connection . . . . . . . . . . . . . . . . . . . . . . . . . 15-3
Configuring the Office Router in London . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-4
Configuring the PortMaster in Paris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-8
Testing the Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-12
Setting the Console Port for Multiline Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . 15-13
Using ISDN for On-Demand Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-15
Overview of Continuous Internet Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-3
Configuration Steps for an Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-3
Configuring Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-4
Configuring Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-4
Configuring a Dial-Out Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-7
Testing the Continuous Dial-Out Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-8
Testing the Network Hardwired Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-9
Providing Network Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-10
Using ISDN for Internet Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-11
Overview of Dial-In Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-1
Example Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-3
Configuration Steps for Dial-In Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-4
Connecting Modems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-5
Configuring Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-5
Configuring Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-6
Configuring Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-8
Dial-In Login Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-9
Dial-In Network Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-9
Testing the User Dial-In Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-10
Overview of Shared Device Access Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-1
Host Device Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-1
Network Device Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-2
Configuration Steps for Shared Device Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-4
Configuring Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-4
Configuring Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-5
Configuring a Network Device for Telnet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-8
Overview of Leased Line Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-1
Configuration Steps for Leased Line Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-3
Configuring the PortMaster Office Router in Rome . . . . . . . . . . . . . . . . . . . . . . . . . 19-4
Configuring the PortMaster Office Router in Florence . . . . . . . . . . . . . . . . . . . . . . . 19-6
Troubleshooting a Leased Line Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-8
Network Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IP Address Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Reserved IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IP Address Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using Naming Services and the Host Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-8
Managing Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-9
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-10
ChoiceNet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-10
Glossary
Command Index
Subject Index
About This Guide
The PortMaster® Configuration Guide provides general information about networking and
network configuration as well as specific information needed to configure PortMaster
products. Review this guide thoroughly before configuring your PortMaster. This guide
provides the settings required for the most commonly used PortMaster configurations.
To use this guide you must have successfully installed your PortMaster according to the
instructions provided in the relevant installation guide. This guide provides
configuration information only.
You can use either of two interfaces to configure the PortMaster:
• Command line interface—use this guide and the PortMaster Command Line
Reference for more detailed command descriptions and instructions.
• PMVision™ graphical user interface (GUI).
This guide assumes you are using the command line interface and provides examples of
Audience
for persons with a working knowledge of networking and routing. Appendix A,
“Networking Concepts,” provides an overview of network address conventions but is
intended as a quick refresher and should not be used as a substitute for careful study of
these principles.
Refer to “Additional References” in this Preface for appropriate RFCs and other
suggested reading. See the PortMaster Routing Guide for advanced information on routing
protocols and routing with PortMaster products.
PortMaster Documentation
The following manuals are available from Lucent Technologies. The hardware
installation guides are included with most PortMaster products; other manuals can be
ordered through your PortMaster distributor or directly from Lucent.
The manuals are also provided as PDF and PostScript files on the PortMaster Software CD
shipped with your PortMaster.
In addition, you can download PortMaster information and documentation from
http://www.livingston.com.
• ChoiceNet® Administrator’s Guide
This guide provides complete installation and configuration instructions for
ChoiceNet server software.
• PortMaster Command Line Reference
This guide provides the complete description and syntax of each command in the
ComOS command set.
• PortMaster Configuration Guide
This guide provides a comprehensive overview of networking and configuration
issues related to PortMaster products.
• PortMaster hardware installation guides
These guides contain complete hardware installation instructions. An installation
guide is available for each PortMaster product line—IRX™, Office Router,
Communications Server, and Integrated Access Server.
• PMconsole™ for Windows Administrator’s Guide
This guide covers PMconsole Administration Software for Microsoft Windows, a
graphical tool for configuring the PortMaster. The majority of the material in this
guide also applies to the UNIX version of PMconsole. Lucent recommends that you
use the Java GUI PMVision rather than PMconsole to configure and manage a
PortMaster.
• PortMaster Routing Guide
This guide describes routing protocols supported by PortMaster products, and how
to use them for a wide range of routing applications.
• PortMaster Troubleshooting Guide
This guide can be used to identify and solve software and hardware problems in the
PortMaster family of products.
• RADIUS Administrator’s Guide
This guide provides complete installation and configuration instructions for Lucent
Remote Authentication Dial-In User Service (RADIUS) software.
Additional References
RFCs
Use any World Wide Web browser to find a Request for Comments (RFC) online.
RFC 768, User Datagram Protocol
RFC 791, Internet Protocol
RFC 792, Internet Control Message Protocol
RFC 793, Transmission Control Protocol
RFC 854, Telnet Protocol Specification
RFC 950, Internet Standard Subnetting Procedure
RFC 1058, Routing Information Protocol
RFC 1112, Host Extensions for IP Multicasting
RFC 1144, Compressing TCP/IP Headers for Low-Speed Serial Links
RFC 1157, A Simple Network Management Protocol (SNMP)
RFC 1166, Internet Numbers
RFC 1213, Management Information Base for Network Management of TCP/IP-based Internets: MIB-II
RFC 1256, ICMP Router Discovery Messages
RFC 1321, The MD5 Message-Digest Algorithm
RFC 1331, The Point-to-Point Protocol (PPP) for the Transmission of Multiprotocol Datagrams over Point-to-Point Links
RFC 1332, The PPP Internet Protocol Control Protocol (IPCP)
RFC 1334, PPP Authentication Protocols
RFC 1349, Type of Service in the Internet Protocol Suite
RFC 1413, Identification Protocol
RFC 1490, Multiprotocol Interconnect Over Frame Relay
RFC 1541, Dynamic Host Configuration Protocol
RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
RFC 1552, The PPP Internet Packet Exchange Control Protocol (IPXCP)
RFC 1587, OSPF NSSA Options
RFC 1597, Address Allocations for Private Internets
RFC 1627, Network 10 Considered Harmful (Some Practices Shouldn’t be Codified)
RFC 1634, Novell IPX Over Various WAN Media (IPXWAN)
RFC 1661, The Point-to-Point Protocol (PPP)
RFC 1700, Assigned Numbers
RFC 1771, A Border Gateway Protocol 4 (BGP-4)
RFC 1812, Requirements for IP Version 4 Routers
RFC 1814, Unique Addresses are Good
RFC 1818, Best Current Practices
RFC 1824, Requirements for IP Version 4 Routers
RFC 1825, Security Architecture for the Internet Protocol
RFC 1826, IP Authentication Header
RFC 1827, IP Encapsulating Payload
RFC 1828, IP Authentication Using Keyed MD5
RFC 1829, The ESP DES-CBC Transform
RFC 1877, PPP Internet Protocol Control Protocol Extensions for Name Server Addresses
RFC 1878, Variable Length Subnet Table for IPv4
RFC 1918, Address Allocation for Private Internets
RFC 1965, Autonomous System Confederations for BGP
RFC 1966, BGP Route Reflection, An Alternative to Full Mesh IBGP
RFC 1974, PPP Stac LZS Compression Protocol
RFC 1990, The PPP Multilink Protocol (MP)
RFC 1994, PPP Challenge Handshake Authentication Protocol (CHAP)
RFC 1997, BGP Communities Attribute
RFC 2003, IP Encapsulation within IP
RFC 2104, HMAC: Keyed-Hashing for Message Authentication
RFC 2125, The PPP Bandwidth Allocation Protocol (BAP), The PPP Bandwidth Allocation Control Protocol (BACP)
RFC 2138, Remote Authentication Dial In User Service (RADIUS)
RFC 2139, RADIUS Accounting
RFC 2178, OSPF Version 2
ITU-T Recommendations
The following documents are recommendations of the International Telecommunication
Union Telecommunication Standardization Sector (ITU-T), formerly known as CCITT:
• Recommendation V.25bis (1988)—Automatic calling and/or answering equipment on the
general switched telephone network (GSTN) using the 100-series interchange circuits
• Recommendation V.120 (09/92)—Support by an ISDN of data terminal equipment with
V-series type interfaces for statistical multiplexing
Books
The Basics Book of ISDN. Motorola Codex. Reading, MA: Addison-Wesley Publishing
Company, 1991. (ISBN 0-201-56368-1)
Building Internet Firewalls. D. Brent Chapman and Elizabeth D. Zwicky. Sebastopol, CA:
O’Reilly & Associates, Inc., 1995. (ISBN 1-56592-124-0)
DNS and BIND, 2nd ed. Paul Albitz and Cricket Liu. Sebastopol, CA: O’Reilly &
Associates, Inc., 1992. (ISBN 1-56592-236-0)
Firewalls and Internet Security: Repelling the Wily Hacker. William R. Cheswick and Steven
M. Bellovin. Reading, MA: Addison-Wesley Publishing Company, 1994.
(ISBN 0-201-63357-4) Japanese translation is available (ISBN 4-89052-672-2). Errata are
available from ftp://ftp.research.att.com/dist/internet_security/firewall.book.
Internetworking with TCP/IP Volume 1: Principles, Protocols, and Architecture, 3rd ed. Douglas
E. Comer. Englewood Cliffs, NJ: Prentice-Hall, Inc., 1995. (ISBN 0-13-216987-8)
The ISDN Consultant. Robert E. Lee. Upper Saddle River, NJ: Prentice-Hall, Inc. 1996.
(ISBN 0-13-259052-2)
ISDN: How to Get a High-Speed Connection to the Internet. Charles Summers and Bryant
Dunetz. New York, NY: John Wiley and Sons, Inc. 1996. (ISBN 0-47-113326-4)
TCP/IP Network Administration. Craig Hunt. Sebastopol, CA: O’Reilly & Associates, Inc.,
1992. (ISBN 0-937175-82-X)
Routing in the Internet. Christian Huitema. Prentice Hall PTR, 1995.
(ISBN 0-13-132192-7)
TCP/IP Illustrated, Volume 1: The Protocols. W. Richard Stevens. Addison-Wesley Publishing
Company. 1994. (ISBN 0-201-63346-9)
Internet Routing Architectures. Bassam Halabi. Cisco Press, 1997.
Document Conventions
The following conventions are used in this guide:

Convention: Bold font
Use: Indicates a user entry—a command, menu option, button, or key—or the name
of a file, directory, or utility, except in code samples.
Examples:
• Enter version to display the version number.
• Press Enter.
• Open the permit_list file.

Convention: Italic font
Use: Identifies a command-line placeholder. Replace with a real name or value.
Examples:
• set Ether0 address Ipaddress
• Replace Area with the name of the OSPF area.

Convention: Square brackets ([ ])
Use: Enclose optional keywords and values in command syntax.
Examples:
• set nameserver [2] Ipaddress
• set S0 destination Ipaddress [Ipmask]

Convention: Curly braces ({ })
Use: Enclose a required choice between keywords and/or values in command syntax.
Example:
• set syslog Logtype {[disabled] [Facility.Priority]}

Convention: Vertical bar (|)
Use: Separates two or more possible options in command syntax.
Examples:
• set S0|W1 ospf on|off
• set S0 host default|prompt|Ipaddress
Document Advisories
Note – means take note. Notes contain information of importance or special interest.
Caution – means be careful. You might do something—or fail to do something—that
results in equipment failure or loss of data.
Warning – means danger. You might do something—or fail to do something—that
results in personal injury or equipment damage.
Contacting Lucent Remote Access Technical Support
The PortMaster comes with a 1-year hardware warranty.
For all technical support requests, record your PortMaster ComOS version number and
report it to the technical support staff or your authorized sales channel partner.
New releases and upgrades of PortMaster software are available by anonymous FTP from
ftp://ftp.livingston.com/pub/le/.
In North America you can schedule a 1-hour software installation appointment by
calling the technical support telephone number listed below. Appointments must be
scheduled at least one business day in advance.
For the EMEA Region
If you are an Internet service provider (ISP) or other end user in Europe, the Middle
East, Africa, India, or Pakistan, contact your local Lucent Remote Access sales channel
partner. For a list of authorized sales channel partners, see the World Wide Web at
http://www.livingston.com/International/EMEA/distributors.html.
If you are an authorized Lucent Remote Access sales channel partner in this region,
contact the Lucent Remote Access EMEA Support Center Monday through Friday
between the hours of 8 a.m. and 8 p.m. (GMT+1), excluding French public holidays.
• By voice, dial +33-4-92-92-48-88.
• By fax, dial +33-4-92-92-48-40.
• By electronic mail (email), send mail to [email protected]
For North America, Latin America, and the Asia Pacific Region
Contact Lucent Remote Access Monday through Friday between the hours of 6 a.m.
and 6 p.m. (GMT –8).
• By voice, dial 800-458-9966 within the United States (including Alaska and
Hawaii), Canada, and the Caribbean, or +1-925-737-2100 from elsewhere.
• By fax, dial +1-925-737-2110.
• By email, send mail as follows:
• Using the World Wide Web, see http://www.livingston.com/.
PortMaster Training Courses
Lucent Remote Access offers hands-on, technical training courses on PortMaster
products and their applications. For course information, schedules, and pricing, visit the
Lucent Remote Access website at http://www.livingston.com, click Services, and
then click Training.
Subscribing to PortMaster Mailing Lists
Lucent maintains the following Internet mailing lists for PortMaster users:
• portmaster-users—a discussion of general and specific PortMaster issues, including
configuration and troubleshooting suggestions. To subscribe, send email to
the message.
The mailing list is also available in a daily digest format. To receive the digest, send
in the body of the message.
• portmaster-radius—a discussion of general and specific RADIUS issues, including
configuration and troubleshooting suggestions. To subscribe, send email to
the message.
The mailing list is also available in a daily digest format. To receive the digest, send
portmaster-radius-digest in the body of the message.
• portmaster-announce—announcements of new PortMaster products and software
portmaster-announce in the body of the message. All announcements to this list
also go to the portmaster-users list. You do not need to subscribe to both lists.
Introduction
1
This chapter discusses the following topics:
• “PortMaster Software” on page 1-1
• “Preconfiguration Planning” on page 1-2
• “Configuration Tips” on page 1-3
• “Basic Configuration Steps” on page 1-4
PortMaster Software
All PortMasters are shipped with the following software:
• ComOS®—The communication software operating system already loaded in Flash
RAM on each PortMaster. You can use the ComOS command line interface to
configure your PortMaster through a console.
• PMVision—A GUI companion to the ComOS command line interface for Microsoft
Windows, UNIX, and other platforms that support the Java Virtual Machine (JVM).
Because PMVision also supports command entry, you can use a combination of GUI
panels and ComOS commands to configure, monitor, and debug a PortMaster.
When connected to one or more PortMaster products, PMVision allows you to
monitor activity and edit existing configurations. PMVision replaces the PMConsole
interface to ComOS.
• pmd or in.pmd—The optional PortMaster daemon software that can be installed
on UNIX hosts to allow the host to connect to printers or modems attached to a
PortMaster. The daemon also allows the PortMaster to multiplex incoming users
onto the host using one TCP stream instead of multiple streams like rlogin. The
daemon is available for SunOS, Solaris, AIX, HP-UX, and other platforms.
For installation and configuration instructions, copy the PortMaster software to the
UNIX host as described in the PortMaster Software CD booklet.
• RADIUS—The RADIUS server, radiusd, runs as a daemon on UNIX systems,
providing centralized authentication for dial-in users. The radiusd daemon is
provided to customers in binary and source form for SunOS, Solaris, Solaris/x86,
AIX, HP-UX, IRIX, Alpha OSF/1, Linux, and BSD/OS platforms.
For installation and configuration instructions, see the RADIUS Administrator’s Guide.
• ChoiceNet—ChoiceNet is a security technology invented by Lucent to provide a
traffic filtering mechanism for networks using dial-up remote access, synchronous
leased-line, or Ethernet connections. When used with RADIUS, ChoiceNet provides
exceptional flexibility in fine-tuning the level of access provided to users.
For installation and configuration instructions, see the ChoiceNet Administrator’s
Guide.
Preconfiguration Planning
Before the PortMaster can be used to connect wide area networks (WANs), you must
install the hardware using the instructions in the installation guide for your system.
This configuration guide is designed to introduce the most common configuration
options available for PortMaster products. Review this material before you configure
your PortMaster and, if possible, answer the following questions:
• What general configuration do you want to implement?
• Do you want to use a synchronous connection to a high-speed line?
• Will your high-speed lines use Frame Relay, ISDN, switched 56Kbps, or PPP?
• If you want dial-on-demand routing, do you want multiline load-balancing?
• Do you want multilink PPP (RFC 1717)?
• Do you want packet filtering for Internet connections?
• Do you want packet filtering for connections to other offices?
• Do you want dial-in users to use SLIP, PPP, or both?
• If you use PPP, do you want PAP or CHAP authentication?
• Are you using a name service—DNS or NIS?
• Have you obtained the necessary network addresses?
• Are you running IP, IPX, or both?
• Do you want to enable SNMP for network monitoring?
• Do you want dial-in only, dial-out only, or two-way communication on each port?
• What characteristics do you want to assign to the dial-out locations?
• How do you want to configure dial-in users?
• Do you want to use RADIUS to authenticate dial-in users, or the internal user table
on the PortMaster?
• Do you want to use ChoiceNet to filter network traffic?
• Do you want to use the console port for administration functions, or do you want to
attach an external modem to the port?
• For dial-in uses, do you receive service on analog lines, ISDN BRI, ISDN PRI,
channelized T1, or E1?
Many other decisions must be made during the configuration process. This guide
discusses the various configuration options and their implications.
Configuration Tips
PortMaster configuration can be confusing because settings can be configured for a port,
a user, or a remote location. Use the following tips to determine how to configure your
PortMaster:
If You Are Configuring...                        Then Configure Settings on...
A network hardwired port or hardwired            The port
multiline load balancing
One or more ports for dial-out operation         Dial-out locations using the location table
One or more ports for dial-in operation          Dial-in users using the user table or RADIUS
A callback network user                          The callback location in the location table, and
                                                 refer to the location name in the user table
Basic Configuration Steps
The exact PortMaster configuration steps you follow depend upon the hardware you are
installing and your network configuration. However, the following general configuration
steps are the same for all PortMaster products:
1. Install the PortMaster hardware and assign an IP address and a password
as described in the installation guide shipped with your PortMaster.
Note – This guide assumes that you have completed Step 1 and does not give details on
hardware installation or IP address assignment.
2. Boot the system and log in with the administrative password.
You can configure the PortMaster from a terminal attached to the console port, by
an administrative Telnet session, or by a network connection.
it on a workstation anywhere on your network.
See the PMVision online help for more information.
4. Configure the global settings.
PortMaster global settings are described in Chapter 3, “Configuring Global Settings.”
5. Configure the Ethernet settings, and configure the IP and IPX protocol
settings for your network.
PortMaster Ethernet settings are described in Chapter 4, “Configuring the Ethernet
Interface.”
6. Configure the asynchronous port(s).
PortMaster asynchronous port settings are described in Chapter 6, “Configuring a
Synchronous WAN Port.”
7. Configure the synchronous port(s), if available.
PortMaster synchronous port settings are described in Chapter 6, “Configuring a
Synchronous WAN Port.”
8. Configure ISDN BRI connection(s), if available.
ISDN PRI connection configuration is described in Chapter 11, “Configuring the
PortMaster 3.” ISDN BRI connection configuration is covered in Chapter 12, “Using
ISDN BRI.”
9. Configure dial-in users in the user table, or configure RADIUS.
The user table is described in Chapter 7, “Configuring Dial-In Users.” If you are
using RADIUS security instead of the user table, see the RADIUS Administrator’s
Guide.
10. Configure ChoiceNet, if you are using it.
ChoiceNet is a traffic filtering mechanism for networks using dial-up remote access,
synchronous leased-line, or Ethernet. Refer to the ChoiceNet Administrator’s Guide for
more information.
11. Configure dial-out locations in the location table.
The location table is described in Chapter 8, “Configuring Dial-Out Connections.”
12. Configure filters in the filter table.
Once the filters are created, they can be assigned as input or output filters for the
Ethernet interface, users, locations, or hardwired ports. Filters are described in
Chapter 9, “Configuring Filters.”
13. Configure OSPF, if you are using this protocol.
OSPF is described in the PortMaster Routing Guide.
14. Configure BGP, if you are using this protocol.
BGP is described in the PortMaster Routing Guide.
15. Troubleshoot your configuration, if necessary, and back it up.
See the PortMaster Troubleshooting Guide for instructions.
Once you have correctly configured all the settings necessary for your circumstances,
your PortMaster is ready to provide communication service and routing for your
network.
How the PortMaster Works
2
to configure your system. Consult the glossary for definitions of unfamiliar terms.
This chapter discusses the following topics:
• “Booting the PortMaster” on page 2-1
• “PortMaster Initialization” on page 2-3
• “On-Demand Connections” on page 2-4
• “PortMaster Security Management” on page 2-4
• “Port Status and Configuration” on page 2-5
See the PortMaster Command Line Reference for more detailed command descriptions and
instructions.
Booting the PortMaster
When you start up the PortMaster, it carries out the following functions during the
booting process:
1. Self-diagnostics are performed. The results are displayed to asynchronous console
port C0 or S0 if the console DIP switch (first from the left, also known as DIP 1) is
up.
2. ComOS is loaded.
– If the netboot DIP switch (second from the left, also known as DIP 2) is down,
the PortMaster boots from the ComOS stored in nonvolatile Flash RAM. The
PortMaster uncompresses and loads the ComOS into dynamic RAM (DRAM). If
a valid ComOS is not found in Flash, the PortMaster attempts to boot from the
network as described in the next paragraph.
– If the netboot DIP switch is up, or if a valid ComOS is not found in Flash, the
PortMaster sends a Reverse Address Resolution Protocol (RARP) message to the
Ether0 Ethernet interface to find its IP address. If it gets a reply, the PortMaster
then attempts to boot itself across the network using the Trivial File Transfer
Protocol (TFTP) from the host that replied to the RARP.
The TFTP process begins by transferring the /tftpboot/address.typ file, replacing
address with the uppercase 8-character hexadecimal expression of the IP address
of the PortMaster and typ with the 3-character boot extension describing the
model of PortMaster, as shown in Table 2-1. If /tftpboot/address.typ is not
found, the PortMaster requests /tftpboot/GENERIC.OS.
Table 2-1 Boot Extensions

Boot Extension    PortMaster Model
PM3               PM3
PM2               PM-2, PM-2E, PM-2R, PM-2ER, PM-2i, PM-2Ei
IRX               IRX, any model
P25               PM-25
PMO               PortMaster Office Router, any model
The netbootable ComOS can also be downloaded via serial cable through the
console port. Refer to the PortMaster Troubleshooting Guide for details.
3. The user configuration is loaded from Flash RAM.
4. The IP address is located.
If no address is configured for the Ethernet interface and no address was obtained
from netbooting, the PortMaster sends a RARP message to discover its IP address. If
the PortMaster receives a reply to the RARP message, its IP address is set in dynamic
memory.
At this point the PortMaster is fully booted with its configuration loaded into DRAM.
This process takes less than a minute. After the PortMaster boots successfully, the status
LED is on, blinking off once every 5 seconds. Refer to the hardware installation guide
for your PortMaster for the location of the status LED and for troubleshooting
procedures if the LED is not behaving as described.
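The netboot file lookup in step 2, worked through as an added Python example (this is not code from the guide or from ComOS): it builds the ordered list of files a PortMaster requests from the TFTP server, using the address encoding and the boot extensions of Table 2-1, and then checks a TFTP directory listing to show which units would receive their address-specific image and which would silently fall back to GENERIC.OS. The unit addresses, models and the directory listing are constructed for the example; the Office Router is keyed as "Office Router" since the table gives no single model name for it.

```python
import ipaddress

# Boot extensions from Table 2-1, keyed by PortMaster model name.
# "Office Router" is this example's key for "PortMaster Office Router, any model".
BOOT_EXTENSIONS = {
    "PM3": "PM3",
    "PM-2": "PM2", "PM-2E": "PM2", "PM-2R": "PM2",
    "PM-2ER": "PM2", "PM-2i": "PM2", "PM-2Ei": "PM2",
    "IRX": "IRX",               # any IRX model
    "PM-25": "P25",
    "Office Router": "PMO",     # any PortMaster Office Router model
}

GENERIC_IMAGE = "GENERIC.OS"


def address_token(ip):
    """Uppercase 8-character hexadecimal form of an IPv4 address, as used
    in the /tftpboot/address.typ file name (192.168.1.10 -> C0A8010A)."""
    return "%08X" % int(ipaddress.IPv4Address(ip))


def boot_candidates(ip, model, tftp_root="/tftpboot"):
    """Files the PortMaster requests, in order: the address-specific image
    first, then GENERIC.OS if the first is not found on the TFTP server."""
    ext = BOOT_EXTENSIONS[model]
    return [f"{tftp_root}/{address_token(ip)}.{ext}",
            f"{tftp_root}/{GENERIC_IMAGE}"]


def image_served(ip, model, listing):
    """Return (path, fallback) for the first candidate present in the TFTP
    directory listing; (None, False) when neither file exists."""
    candidates = boot_candidates(ip, model)
    for path in candidates:
        if path in listing:
            return path, path == candidates[-1]
    return None, False


def audit_tftp_root(units, listing):
    """units maps ip -> model. Returns the units that would not boot their
    own image: value is the fallback path, or None if nothing would be served."""
    report = {}
    for ip, model in units.items():
        path, fallback = image_served(ip, model, listing)
        if path is None or fallback:
            report[ip] = path
    return report


# Constructed sample: a TFTP root holding one address-specific image plus the
# generic image, and three PortMasters that would netboot from it.
SAMPLE_LISTING = {"/tftpboot/C0A8010A.PM3", "/tftpboot/GENERIC.OS"}
SAMPLE_UNITS = {"192.168.1.10": "PM3", "192.168.1.11": "PM-2E", "10.0.0.5": "IRX"}

if __name__ == "__main__":
    for ip, path in audit_tftp_root(SAMPLE_UNITS, SAMPLE_LISTING).items():
        print(ip, "no image" if path is None else "falls back to " + path)
```

The audit is the part worth keeping around: any unit that appears in the report boots whatever the RARP replier serves as GENERIC.OS rather than an image provisioned for that address, so a missing address-specific file is visible before the next reboot rather than after it.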
PortMaster Initialization
Once the PortMaster has successfully booted, it does the following:
1. Ethernet interfaces are started.
2. Modem initialization strings are sent to asynchronous ports that have modem table
entries defined.
3. Network hardwired ports are initiated.
4. Continuous dial-out connections are initiated.
5. On-demand dial-out connections for locations that have routing enabled are
initiated, and routing information is exchanged between the PortMaster and those
locations.
6. Broadcasting and listening for routing packets are initiated on interfaces configured
for routing.
7. TCP connections to PortMaster hosts are established.
8. TCP connections are established to ports configured as host devices by means of the
PortMaster device service.
9. The PortMaster listens for TCP connections to any ports configured as network
devices.
10. The PortMaster listens for activity on TCP and UDP ports, such as for administrative
Telnet sessions on TCP port 23, PMconsole connections on TCP port 1643, and
SNMP requests on UDP port 161.
11. Syslog starts, if configured.
12. RADIUS starts, if configured.
13. ChoiceNet starts, if configured.
The PortMaster is now ready to begin providing service.
On-Demand Connections
The PortMaster establishes on-demand connections in the following way:
• When the PortMaster receives packets going to an on-demand location that is
suspended (not currently active), it dials out to that location if a line is available.
• If idle timers expire on a connection, the connection is brought down, freeing the
port for other uses.
• At regular intervals, packet queues are checked for dial-out locations configured for
multiline load balancing to determine if more bandwidth is needed. If it needs more
bandwidth, the PortMaster dials out on an additional port and adds that port to the
existing interface.
• When users dial in, they are authenticated and provided with their configured
service.
PortMaster Security Management
The PortMaster provides security through the user table, or if configured, RADIUS
security. When a dial-in user attempts to authenticate at the login prompt, or via PAP or
CHAP authentication, the PortMaster refers to the entry in the user table that
corresponds to the user. If the password entered by the user does not match, the
PortMaster denies access with an “Invalid Login” message. If no user table entry exists
for the user and port security is off, the PortMaster passes the user on to the host
defined for that port using the selected login service. In this situation, the specified host
is expected to authenticate the user.
If port security is on and the user was not found in the user table, the PortMaster
queries the RADIUS server if one has been configured. If the username is not found in
the user table, port security is on, and no RADIUS server is configured in the global
configuration of the PortMaster, access is denied with an “Invalid Login” message. If the
RADIUS server is queried and does not respond within 30 seconds (and neither does the
alternate RADIUS server), access is denied with an “Invalid Login” message.
If security is set to off, any username that is not found in the user table is sent to the
port’s host for authentication and login. If security is set to on, the user table is checked
first. If the username is not found and a RADIUS server is configured, RADIUS is
consulted. When you are using RADIUS security, you must use the
set security S0 command to set security to on.
2-4
PortMaster Configuration Guide
Port Status and Configuration
Access can also be denied if the specified login service is unavailable—for example, if the
PortMaster Login Service has been selected for the user but the selected host does not
have the in.pmd PortMaster daemon installed. Access is denied with the “Host Is
Currently Unavailable” message if the host is down or otherwise not responding to the
login request.
If an access filter is configured on the port and the login host for the user is not
permitted by the access filter, the PortMaster refuses service with an “Access Denied”
message. If the access override parameter is set on the port, the PortMaster instructs the
user to authenticate himself, even though the default access filter is set to deny access.
Refer to the RADIUS Administrator's Guide for more information about RADIUS.
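The login decision described above, as an added example that is not ComOS code: an in-memory model of the user table, port security setting, primary and alternate RADIUS servers, login host and access filter, returning the message the dial-in user would see. The order in which the access filter and the login-host availability are checked is an assumption; the text does not state it.

```python
"""Model of the PortMaster dial-in login decision (added example, not ComOS code).

The user table, RADIUS servers, login host and access filter are constructed
stand-ins. The decision order follows the text: user table first; with port
security off an unknown user goes to the port's host; with security on,
RADIUS is consulted (primary, then alternate) if one is configured.
"""
from dataclasses import dataclass
from typing import Callable, Optional

RADIUS_TIMEOUT_SECONDS = 30   # from the text: no reply within 30 s -> "Invalid Login"


@dataclass
class Port:
    security: bool                      # set security S0 on|off
    login_host: str                     # host the port hands unknown users to
    host_reachable: bool = True         # is the login service (e.g. in.pmd) answering?
    access_filter: Optional[Callable[[str], bool]] = None  # True if host permitted
    access_override: bool = False


@dataclass
class Radius:
    # Constructed stand-in: username -> password; users=None means the server
    # never answers, i.e. the 30-second timeout expires.
    users: Optional[dict] = None

    def query(self, user: str, password: str) -> Optional[bool]:
        """True/False for a verdict, None when the server times out."""
        if self.users is None:
            return None
        return self.users.get(user) == password


@dataclass
class PortMaster:
    user_table: dict                    # username -> password (local user table)
    radius_primary: Optional[Radius] = None
    radius_alternate: Optional[Radius] = None

    def _radius_verdict(self, user: str, password: str) -> Optional[bool]:
        """Primary first; if it times out, the alternate; None if both time out."""
        for server in (self.radius_primary, self.radius_alternate):
            if server is None:
                continue
            verdict = server.query(user, password)
            if verdict is not None:
                return verdict
        return None

    def login(self, port: Port, user: str, password: str) -> str:
        """Return the outcome string a dial-in user would see."""
        # 1. An entry in the local user table always decides.
        if user in self.user_table:
            if self.user_table[user] != password:
                return "Invalid Login"
            return "granted"
        # 2. Unknown user and port security off: the port's host authenticates.
        if not port.security:
            return self._hand_to_host(port)
        # 3. Security on: RADIUS, but only if a server is configured globally.
        if self.radius_primary is None and self.radius_alternate is None:
            return "Invalid Login"
        verdict = self._radius_verdict(user, password)
        if verdict is None:            # neither server answered within 30 s
            return "Invalid Login"
        return "granted" if verdict else "Invalid Login"

    def _hand_to_host(self, port: Port) -> str:
        """Unknown user with security off: pass to the login host, subject to the filter."""
        # Assumed order: the access filter is evaluated before the host is contacted.
        if port.access_filter is not None and not port.access_filter(port.login_host):
            if not port.access_override:
                return "Access Denied"
            return "authenticate on the PortMaster (access override)"
        if not port.host_reachable:
            return "Host Is Currently Unavailable"
        return "passed to host " + port.login_host
```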
Use the following command to display the current status, active configuration, and
default configuration of each port:
Command> show s0|W1|P0
Table 2-2 describes each possible status. Refer to the PortMaster Troubleshooting Guide
for verification information.
Table 2-2 PortMaster Port Status

Status          Description
IDLE            The port is not in use.
USERNAME        The data carrier detect (DCD) signal has been asserted and observed
                on the port.
                • On older PortMaster expansion cards (ports S10 through S29) and
                  system cards (ports S0 through S9), DCD floats high when nothing is
                  attached to the port.
                • On newer cards, in two-way and device environments, DCD is high
                  when the device is busy. When terminals are attached to the device
                  port and modem control is set to off, USERNAME status indicates that
                  the login: prompt has been sent to the port and should be displayed
                  on the terminal. The PortMaster is waiting for a login request.
HOSTNAME        The host: prompt has been sent to the port. The PortMaster is waiting
                for a reply.
PASSWORD        The Password: prompt has been sent to the port. The PortMaster is
                waiting for a reply.
CONNECTING      A network connection is attempting to become established on the port.
ESTABLISHED     A connection is active on the port.
DISCONNECTING   The connection has just ended, and the port is returning to the IDLE
                state.
INITIALIZING    The modem attached to the port is being initialized by the modem
                table.
COMMAND         The command line interface is being used on the port.
NO-SERVICE      An ISDN port is not receiving service from the telephone company.
Configuring Global Settings
3
ports and interfaces.
This chapter discusses the following topics:
• “Setting the System Name” on page 3-2
• “Setting the Administrative Password” on page 3-2
• “Setting the Dynamic Host Control Protocol (DHCP) Server” on page 3-2
• “Setting the Default Route Gateway” on page 3-5
• “Configuring Default Routing” on page 3-6
• “Configuring Name Resolution” on page 3-6
• “Setting the Telnet Port” on page 3-9
• “Setting the Number of Management Application Connections” on page 3-9
• “Setting System Logging” on page 3-9
• “Setting Administrative Logins to Serial Ports” on page 3-12
• “Configuring an IP Address Pool” on page 3-12
• “Setting the Reported IP Address” on page 3-13
• “Configuring SNMP” on page 3-13
• “Displaying the Routing Table” on page 3-23
• “Setting Static Routes” on page 3-24
• “Enabling NetBIOS Broadcast Packet Propagation” on page 3-29
• “Setting Authentication for Dial-In Users” on page 3-29
• “Setting Call-Check Authentication” on page 3-30
• “Setting the ISDN Switch” on page 3-30
See the PortMaster Command Line Reference for more detailed command descriptions and
instructions.
Setting the System Name
The system name is the name that identifies the PortMaster for SNMP queries, IPX
protocol routing, and CHAP authentication. Enter a name that is valid for your network.
The system name can have up to 16 characters, and appears in place of the Command>
prompt on PortMaster products that have it set.
To set the system name, use the following command:
Command> set sysname String
Setting the Administrative Password
The PortMaster is shipped without a password. Press Enter at the password prompt
when accessing the PortMaster for the first time. The password is an ASCII printable
string of up to 16 characters used to access the PortMaster administration features. Only
the administrator can change the password.
To set the password, use the following command:
Command> set password [Password]
Using the set password command and pressing Enter resets the password to the
default value, which is no password.
Setting the Dynamic Host Control Protocol (DHCP) Server
The set dhcp server command supports the Cable Modem Telephone Return Interface
Specification (CMTRIS) developed by the Multimedia Cable Network System (MCNS)
Partners Limited. The CMTRIS solves the problem of limited upstream bandwidth in a
cable modem system by providing for the use of a standard telephone interface for
upstream traffic. Downstream traffic travels on the coaxial cable.
The specification requires that a cable modem be able to use the telephone interface to
request and receive the cable interface address and configuration information via a
dynamic host control protocol (DHCP) request.
Use the following command to configure a PortMaster product to forward a DHCP
request from a cable modem to the DHCP server:
Command> set dhcp server address
Note – The ComOS does not support DHCP requests over Ethernet (nor requests from
PortMaster OR-U dial-up routers).
How the Cable Modem Telephone Return System Works
After you set the IP address of the DHCP server on the PortMaster product, the cable
modem dynamically configures itself so that all subsequent data travels upstream via the
telephone interface, and downstream on the coaxial cable.
Figure 3-1, using sample IP addresses, illustrates the series of events that begin upon
startup and culminate in the dynamic configuration of the cable modem.
Figure 3-1 Cable Modem Telephone Return Interface Startup (figure not reproduced). The
figure shows a cable modem whose telephone interface (PPP, 192.168.33.10) dials the PM3
over an asynchronous WAN connection, and, in five numbered steps: (1) the PPP connection;
(2) an IP packet from SRC 192.168.33.10 to DST 255.255.255.255 carrying the DHCP request;
(3) the PM3 forwarding the DHCP request across the Internet to the DHCP server at
DST 10.66.98.96; (4) the DHCP response from SRC 10.66.98.96 to DST 192.168.33.10 carrying
the coaxial cable interface address 172.16.98.67 and configuration information; and
(5) dynamic configuration of the cable modem, whose coaxial cable interface connects to
the cable headend router interface.
1. Using the telephone interface, the cable modem dials the PortMaster and establishes
a PPP connection. The PortMaster assigns IP address 192.168.33.10 to the telephone
interface of the cable modem.
2. Using the telephone interface, the cable modem broadcasts a DHCP request. The
destination of the request is 255.255.255.255 and the source is 192.168.33.10.
3. The PortMaster forwards the request to the DHCP server by substituting the IP
address of the DHCP server (10.66.98.96) for the broadcast destination address.
4. The DHCP server responds with configuration information for the cable modem and
an IP address (172.16.98.67) for the coaxial cable interface on the cable modem.
5. Using the configuration information received from the DHCP server, the cable
modem dynamically assigns 172.16.98.67 to the cable interface, and configures the
cable modem so that upstream IP packets leave the cable modem via the telephone
interface with the IP address of the cable interface (172.16.98.67) as the source
address. Because packets now carry the source address of the cable interface,
response to these packets travels via the coaxial cable.
The ComOS does not add routes to its table when forwarding or returning DHCP
requests. It transparently forwards and returns DHCP requests from dial-in clients to the
specified server.
To view DHCP relaying information, use the set console command followed by the set
debug 0x81 command. See the PortMaster Troubleshooting Guide for debugging
information.
To disable DHCP relaying, enter the following command:
Command> set dhcp server 0.0.0.0
The PortMaster does not forward packets to the address 255.255.255.255.
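The address substitution in steps 2 and 3 above, as an added example that is not ComOS code: a constructed IPv4 packet addressed to 255.255.255.255 has its destination rewritten to the configured DHCP server and its header checksum refreshed, while a server setting of 0.0.0.0 (relay disabled) or 255.255.255.255 (never forwarded) yields no packet. A 20-byte header without options is assumed, and the UDP/BOOTP payload is left untouched, as the text says the relay is transparent.

```python
"""DHCP relay address substitution (added example, not ComOS code).

The packet is constructed inline; only the IPv4 header is interpreted.
The checksum routine is the standard RFC 1071 one's-complement sum.
"""
import socket
import struct
from typing import Optional

BROADCAST = "255.255.255.255"
DISABLED = "0.0.0.0"          # set dhcp server 0.0.0.0


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of the header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) in front of payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def addresses(packet: bytes) -> tuple:
    """(source, destination) of an IPv4 packet in dotted decimal."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def header_checksum_ok(packet: bytes) -> bool:
    """A correct IPv4 header sums to zero under the one's-complement check."""
    ihl = (packet[0] & 0x0F) * 4
    return ip_checksum(packet[:ihl]) == 0


def relay_to_dhcp_server(packet: bytes, dhcp_server: str) -> Optional[bytes]:
    """Replace the broadcast destination with dhcp_server; None if not relayed.

    Mirrors the text: the broadcast destination is substituted with the
    server address, 0.0.0.0 disables relaying, and nothing is ever sent
    to 255.255.255.255.
    """
    ihl = (packet[0] & 0x0F) * 4
    _, dst = addresses(packet)
    if dst != BROADCAST:
        return None                      # only broadcast DHCP requests are relayed
    if dhcp_server in (DISABLED, BROADCAST):
        return None                      # relay disabled / never forward to broadcast
    hdr = bytearray(packet[:ihl])
    hdr[16:20] = socket.inet_aton(dhcp_server)
    hdr[10:12] = b"\x00\x00"             # zero before recomputing
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]     # payload (UDP/BOOTP) passes through unchanged


if __name__ == "__main__":
    request = build_ipv4("192.168.33.10", BROADCAST, b"constructed DHCP request")
    relayed = relay_to_dhcp_server(request, "10.66.98.96")
    print(addresses(request), "->", addresses(relayed))
```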
Setting the Default Route Gateway
The default route gateway is the address of a router of last resort to which packets are
sent when the PortMaster has no routing information for a packet. The default route
gateway is also the destination address the PortMaster selects when it cannot locate the
destination of a packet on the local Ethernet segment. You identify the default gateway
by its IP address entered in dotted decimal notation. A PortMaster can never be its own
default gateway.
You can set a metric between 1 and 15 for the IP and IPX gateways to indicate the hop
count associated with the gateway route. The PortMaster uses the hop count value for
comparisons if the PortMaster is set to listen for default routes from other routers.
Refer to Appendix A, “Networking Concepts,” for more information about address
formats. Refer to the PortMaster Routing Guide for more information about routing.
To set the default gateway, use the following command:
Command> set gateway Ipaddress [Metric]
If you do not specify a value for Metric, the PortMaster assumes a default value of 1.
Configuring Default Routing
As described in the PortMaster Routing Guide, PortMaster products can automatically send
and accept route information as part of RIP messages if routing is turned on. If default
routing is on, default routes are sent and accepted as part of the messages.
To configure default routing, use the following command:
Command> set default on|off|broadcast|listen
Table 3-1 describes the results of using each keyword.
Table 3-1 Default Routing Keywords

Keyword     Description
on          The PortMaster broadcasts and listens for default route information.
off         The PortMaster neither broadcasts nor listens for default route
            information. This is the default.
broadcast   The PortMaster broadcasts default route information, if it has a
            default route.
listen      The PortMaster listens for default route information.
Configuring Name Resolution
You can use either a network name service or the host table on the PortMaster to map
hostnames to IP addresses.
Using the Host Table
Each host attached to an IP network is assigned a unique IP address. Every PortMaster
supports a local host table to map hostnames to IP addresses. If your network lacks a
computer that can perform hostname resolution, the PortMaster allows entries in a local
host table. Hostnames are used by the PortMaster only for your convenience when
using the command line interface, or if you require users to enter hostnames at the host
prompt.
To avoid confusion and reduce administrative overhead, Lucent recommends using the
Domain Name System (DNS) or Network Information Service (NIS) for hostname
resolution rather than the local host table. The PortMaster always checks the local host
table before using DNS or NIS. For information on setting the NIS or DNS name service,
refer to “Setting the Name Service” on page 3-7.
Setting the Name Service
The PortMaster can work with network name services such as the Network Information
Service (NIS) or the Domain Name System (DNS). Appendix A, “Networking Concepts,”
describes these name services. You must explicitly identify any name service used on
your network.
The PortMaster stores all information by address rather than name. As a result,
configuring the name server is useful only if you are using the command line interface
for administration or if you prompt a login user for a host. If you are not using either of
these features, you do not need to set the name service.
To set the name service, use the following command:
Command> set namesvc dns|nis
Once the name service is set, you must set the address of your NIS or DNS name server
and enter the domain name of your network. See “Setting the Name Server” on page
3-8 for instructions.
Setting the Name Server
The PortMaster supports RFC 1877, which allows remote hosts also supporting
RFC 1877 to learn a name server through PPP negotiation. You must provide the IP
address of the name server if you use a name service.
You must set a name service before you set a name server. See “Setting the Name
Service” on page 3-7. If you are not using a name service, you do not need a name
server.
To set the name server, use the following command:
You can set an alternate name server with the following command:
Command> set nameserver 2 Ipaddress
You must set a domain name for your network after you set a name server. See “Setting
the Domain Name” on page 3-8.
You can disable the use of a name service by setting the name server’s IP address to
0.0.0.0.
Setting the Domain Name
The domain name is used for hostname resolution. If you are using DNS or NIS, you
must set a domain name for your network.
To set the domain name of your network, use the following command:
Command> set domain String
Setting the Telnet Port
The Telnet access port can be set to any number between 0 and 65535. The Telnet port
enables you to access and maintain the PortMaster using a Telnet connection to this TCP
port. If 0 (zero) is used, Telnet administration is disabled. The default value is 23. Ports
numbered 10000 through 10100 are reserved and should not be used for this function.
Up to four administrative Telnet sessions at a time can be used.
To set the Telnet access port to port number Tport, use the following command:
Command> set telnet Tport
Using the Telnet Port as a Console Port
If the console port is set from a Telnet session, the current connection becomes the
console. This feature is useful for administrators who log in to a port using Telnet and
need to access the console for debugging purposes.
Note – Only one Telnet session can receive console messages at a time.
To set the current Telnet access port as a console port, enter the following command:
Command> set console
Setting the Number of Management Application Connections
PMVision, ChoiceNet, and the ComOS utilities pmdial, pmcommand, pminstall,
pmreadconf, pmreadpass, and pmreset all use port 1643. In order for more than
one of these applications to connect at the same time, you must set the maximum
number of connections to two or higher. The maximum is 10 connections.
To set the maximum number of concurrent connections for management applications
into the PortMaster, use the following command:
Command> set maximum pmconsole Number
Setting System Logging
PortMaster products enable you to log authentication information to a system log file for
network accounting purposes.
Setting the Loghost
To set the IP address of the loghost—the host to which the PortMaster sends syslog
messages—use the following command:
Command> set loghost Ipaddress
Note – Do not set a loghost at a location configured for on-demand connections,
because doing so keeps the connection up or brings up the connection each time a
syslog message is queued for the syslog host.
Setting the loghost’s IP address to 0.0.0.0 disables syslog from the PortMaster. This
change requires a reboot to become effective.
RADIUS accounting provides a more complete method for logging usage information.
Refer to the RADIUS Administrator’s Guide for more information on accounting.
Disabling and Redirecting Syslog Messages
By default, the PortMaster logs five types of events at the informational (info) priority
one or more types of events and change the facility and/or priority of log messages.
To disable logging of a type of event, use the following command:
Command> set syslog Logtype disabled
Use the Logtype keyword described in Table 3-2 to identify the type of event you want to
disable—or enable again:
Table 3-2 Logtype Keywords

Logtype Keyword   Description
admin-logins      !root and administrative logins.
user-logins       Nonadministrative logins; you might want to disable this logtype if
                  you are using RADIUS accounting.
packet-filters    Packets that match rules with the log keyword.
commands          Every command entered at the command line interface.
termination       More detailed information on how user sessions terminate.
You can change the facility, the priority, or both, of log messages.
To change the facility or priority of log messages, use the following command. Be sure to
Command> set syslog Logtype Facility.Priority
The facility and priority can be set for each of the five types of logged events listed in
Table 3-2.
Table 3-3 and Table 3-4 show the keywords used to identify facilities and priorities.
Lucent recommends that you use the auth facility or the local0 through local7
facilities to receive syslog messages from PortMaster products, but all the facilities are
provided. See your operating system documentation for information on configuring
syslog on your host.
Table 3-3 Syslog Facility Keywords

Facility   Facility Number      Facility   Facility Number
kern       0                    cron       15
user       1                    local0     16
mail       2                    local1     17
daemon     3                    local2     18
auth       4                    local3     19
syslog     5                    local4     20
lpr        6                    local5     21
news       7                    local6     22
uucp       8                    local7     23
Table 3-4 Syslog Priority Keywords

Priority   Number   Typically Used for
emerg      0        System is unusable
alert      1        Action must be taken immediately
crit       2        Critical messages
err        3        Error messages
warning    4        Warning messages
notice     5        Normal but significant messages
info       6        Informational messages
debug      7        Debug-level messages
To determine current syslog settings, enter the following command:
Command> show syslog
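How a Facility.Priority setting maps to the PRI value carried in each syslog message, as an added example that is not ComOS code: the PRI is facility number times 8 plus priority number, using the numbers in Tables 3-3 and 3-4, so a collector can decode and sort PortMaster messages by the facility they were configured to use. The parser accepts the set syslog command forms shown above; the syslog line it decodes is constructed.

```python
"""Syslog facility/priority encoding for PortMaster settings (added example).

The keyword-to-number tables are those of Tables 3-3 and 3-4; the PRI
arithmetic (facility * 8 + priority) is the standard syslog encoding.
"""
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
PRIORITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
LOGTYPES = {"admin-logins", "user-logins", "packet-filters", "commands", "termination"}
# Facilities Lucent recommends for PortMaster messages: auth or local0..local7.
RECOMMENDED = {"auth"} | {"local%d" % i for i in range(8)}


def parse_set_syslog(command: str) -> tuple:
    """Parse 'set syslog Logtype Facility.Priority' or 'set syslog Logtype disabled'.

    Returns (logtype, pri), where pri is None for a disabled logtype.
    """
    parts = command.split()
    if parts[:2] != ["set", "syslog"] or len(parts) != 4:
        raise ValueError("expected: set syslog Logtype Facility.Priority|disabled")
    logtype, setting = parts[2], parts[3]
    if logtype not in LOGTYPES:
        raise ValueError("unknown logtype %r" % logtype)
    if setting == "disabled":
        return logtype, None
    facility, _, priority = setting.partition(".")
    if facility not in FACILITIES or priority not in PRIORITIES:
        raise ValueError("unknown facility.priority %r" % setting)
    return logtype, FACILITIES[facility] * 8 + PRIORITIES[priority]


def decode_pri(pri: int) -> tuple:
    """Map a PRI value back to (facility keyword, priority keyword)."""
    fac_num, pri_num = divmod(pri, 8)
    fac_name = {v: k for k, v in FACILITIES.items()}.get(fac_num)
    if fac_name is None:                 # e.g. 9..14 are not in Table 3-3
        raise ValueError("facility %d is not in Table 3-3" % fac_num)
    return fac_name, {v: k for k, v in PRIORITIES.items()}[pri_num]


def split_syslog_line(line: str) -> tuple:
    """Split a raw '<PRI>message' line as received by the loghost into
    (facility, priority, message)."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> header")
    pri_text, _, message = line[1:].partition(">")
    facility, priority = decode_pri(int(pri_text))
    return facility, priority, message


def uses_recommended_facility(command: str) -> bool:
    """True if a set syslog command sends to auth or local0..local7."""
    _, pri = parse_set_syslog(command)
    return pri is not None and decode_pri(pri)[0] in RECOMMENDED
```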
Setting Administrative Logins to Serial Ports
When you log in using !root, administrative logins to the serial ports are enabled by
default. You can disable or enable them by using the following command:
Command> set serial-admin on|off
If administrative login is disabled, you can still use port S0 (or C0) by setting the console
DIP switch (first from the left, also known as DIP 1) to the up position.
Configuring an IP Address Pool
You can dynamically assign IP addresses to PPP or SLIP dial-in users. By assigning
addresses as needed from a pool, the PortMaster requires fewer addresses than if each
user is assigned a specific address. When a dial-in connection is closed, the address goes
back into the pool and can be reused.
When creating an address pool, you explicitly identify the first address in the sequence
of addresses available for temporary assignment. The PortMaster allocates one address in
the pool of addresses for each port configured for network dial-in.
To set the value of the first IP address to assign for dial-in ports, use the following
command:
Command> set assigned_address Ipaddress
The default number of addresses available for the address pool is equal to the number of
ports configured for network dial-in. The address pool size is determined during the boot
process. You can instead set the number of IP addresses assigned to the pool with the
set pool command.
To limit the size of the IP address pool, use the following command:
Command> set pool Number
Note – If you decrease the number of addresses in the pool, you must reboot the
PortMaster for the change to take effect.
Setting the Reported IP Address
Some sites require a number of different PortMaster devices to appear as a single IP
address to other networks. You can set a reported address different from the Ether0
address. For PPP connections, this address is reported to the outside and placed in the
PPP startup message during PPP negotiation. For SLIP connections, this address is
reported and placed in the SLIP startup message during SLIP startup.
To set a reported IP address, use the following command:
Command> set reported_ip Ipaddress
Configuring SNMP
The simple network management protocol (SNMP) is an application-layer protocol that
allows devices to communicate management information. You can configure the
PortMaster to provide network and device information via SNMP to a network
management system (NMS). You must have NMS software to use SNMP.
SNMP consists of the following parts:
• SNMP agent (provided in ComOS)
• SNMP manager (not provided)
• Management Information Base (MIB)
SNMP specifies the message format for exchanging information between the SNMP
manager and an SNMP agent.
The SNMP agent returns values for management information base (MIB) variables that
can be changed or queried by the SNMP manager. The agent gathers information from
the MIB, which resides on the target device. MIB information can include device
parameters and network status. The agent is capable of responding to requests to get or
set data from the manager.
PortMaster products support MIB II variables as specified in RFC 1213, along with a
MIB specific to PortMaster products. SNMP management can be enabled for any
PortMaster. Lucent Remote Access ships configuration files compatible with various
network management packages along with the PMconsole software.
About the livingston.mib Definition File
livingston.mib is the MIB definitions file that SNMP tools can read and use to query
SNMP agents for information about PortMaster products. The PortMaster extensions to
the MIB are located in the latter part of this file under Livingston Extensions.
The livingston.mib file can be found in the SNMP directory of the ComOS software, or
on the World Wide Web at: http://www.livingston.com/Forms/one-click-dnload.cgi.
To view the file with a browser, scroll down to the Miscellaneous drop-down menu,
select SNMP—Livingston MIB, and then click the Download button. When the Download
page appears, click the livingston.mib link.
Examining the MIB Structure
The entire management information base (MIB) hierarchy can be represented by a tree
structure. In this representation, the unnamed “root” of the tree divides into the
following main branches:
• Consultative Committee for International Telegraph and Telephone (CCITT)
• International Organization for Standardization (ISO)
• ISO/CCITT
Each branch and sub-branch in the tree structure is known as an object, and each
object is represented by an object name and an object identifier (OID). Figure 3-2
traces the “path” from the ISO branch of the MIB to the Livingston MIB.
OIDs provide compact representations of object names. An OID shows the position of an
object in the MIB hierarchy. As shown in Figure 3-2, the OID for the Livingston MIB is
1.3.6.1.4.1.307.
Figure 3-3 shows the tree structure of the private Livingston portion of the MIB.
Figure 3-3 Part of MIB Structure showing PortMaster Port S0 (reproduced as an indented
tree; the figure draws the neighbouring enterprise numbers 305, 306 and 308 beside 307)

Livingston Enterprise (307)
    1. (not used)
    2. products
    3. livingstonMib
        1. livingstonSystem
        2. livingstonInterfaces
            1. livingstonSerial
                1. livingstonSerialTable
                    1. livingstonSerialEntry
                        1. Index
                        2. PortName
                        3. PhysType
                        4. User
                        ...
            2. livingstonT1E1
Reading from the top down, the object identifier (OID) in Figure 3-3 (307.3.2.1.1.1.2)
breaks out as follows:
• 307 refers to the Livingston namespace
• 3 refers to the MIB
• 2 refers to interfaces
• 1 refers to serial interfaces
• 1 refers to the serial interfaces table
• 1 refers to an entry in the serial interfaces table
• 2 refers to the PortName variable
The SNMP manager queries the agents by means of OIDs. Each OID uniquely identifies
a single MIB variable. For example, the OID 307.3.2.1.1.1.2.0 returns the port name for
port S0, and the OID 307.3.2.1.1.1.2.1 returns the port name for port S1 (see Table 3-5).
Table 3-5 Partial View of the Livingston Serial Table

OID                  S0 (0)      S1 (1)      S2 (2)      S3 (3)      S4 (4)
...307.3.2.1.1.1.1   Index       Index       Index       Index       Index
...307.3.2.1.1.1.2   PortName    PortName    PortName    PortName    PortName
...307.3.2.1.1.1.3   PhysType    PhysType    PhysType    PhysType    PhysType
...307.3.2.1.1.1.4   User        User        User        User        User
...307.3.2.1.1.1.5   SessionId   SessionId   SessionId   SessionId   SessionId
...307.3.2.1.1.1.6   Type        Type        Type        Type        Type
...307.3.2.1.1.1.7   Direction   Direction   Direction   Direction   Direction
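Decoding an OID against the tree in Figure 3-3 and the instance numbering in Table 3-5, as an added example that is not taken from the livingston.mib file or ComOS: only the subtree visible on this page is modelled, and the assignment of column 6 to Type is an assumption inferred from the column order of Table 3-6.

```python
"""Decode Livingston-enterprise OIDs into MIB names (added example, not from
livingston.mib). Covers only the branches drawn in Figure 3-3."""

ENTERPRISES = (1, 3, 6, 1, 4, 1)   # iso.org.dod.internet.private.enterprises
LIVINGSTON = 307

# Subtree below 1.3.6.1.4.1.307 as drawn in Figure 3-3. A leaf has no children.
# Serial-entry columns follow Table 3-6; column 6 = Type is assumed (inferred).
LIVINGSTON_TREE = {
    2: ("products", None),
    3: ("livingstonMib", {
        1: ("livingstonSystem", None),
        2: ("livingstonInterfaces", {
            1: ("livingstonSerial", {
                1: ("livingstonSerialTable", {
                    1: ("livingstonSerialEntry", {
                        1: ("Index", None), 2: ("PortName", None),
                        3: ("PhysType", None), 4: ("User", None),
                        5: ("SessionId", None), 6: ("Type", None),
                        7: ("Direction", None),
                    }),
                }),
            }),
            2: ("livingstonT1E1", None),
        }),
    }),
}


def parse_oid(text: str) -> tuple:
    """'1.3.6.1.4.1.307.3' or '.1.3.6...' -> tuple of ints."""
    return tuple(int(part) for part in text.strip(".").split("."))


def decode_livingston_oid(text: str) -> dict:
    """Return {'path': [names...], 'instance': [trailing sub-ids]} for an OID
    under enterprises.307; raise ValueError outside that branch.

    Sub-identifiers below a leaf (or not in the modelled tree) are reported
    as the instance suffix, e.g. the .0 that selects port S0.
    """
    oid = parse_oid(text)
    if oid[:7] != ENTERPRISES + (LIVINGSTON,):
        raise ValueError("not under 1.3.6.1.4.1.307")
    names, node, rest = ["livingston"], LIVINGSTON_TREE, oid[7:]
    while rest and node is not None and rest[0] in node:
        name, node = node[rest[0]]
        names.append(name)
        rest = rest[1:]
    return {"path": names, "instance": list(rest)}


def serial_port_variable(text: str) -> str:
    """For a serial-table column with one instance sub-id, describe it as in
    Table 3-5: instance 0 is port S0, 1 is S1, and so on."""
    info = decode_livingston_oid(text)
    path, instance = info["path"], info["instance"]
    if len(path) != 7 or path[5] != "livingstonSerialEntry" or len(instance) != 1:
        raise ValueError("not a serial-table variable instance")
    return "%s of S%d" % (path[-1], instance[0])


if __name__ == "__main__":
    print(serial_port_variable("1.3.6.1.4.1.307.3.2.1.1.1.2.0"))
```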
PortMaster Serial Interfaces
Table 3-6 lists the objects in the serial interface table from the Livingston Extensions
section of the MIB. Modem-specific objects apply to the PortMaster 3 only.
Table 3-6 Serial Interfaces Table

Object              Definition
Index               Unique value for each serial interface.
PortName            Text string containing the name of the serial interface (for
                    example, S0, W1, and so on).
PhysType            Type of physical serial interface, distinguished according to the
                    physical or link protocol(s) currently being used on the interface.
User                Name of the active user. Blank if not active.
SessionId           Unique session identifier that matches the RADIUS session ID.
Type                Active type of service being provided by the serial interface.
Direction           Direction in which the active session was initiated.
PortStatus          Status of the serial interface.
Started             Amount of time this session has been active.
Idle                Amount of time this session has been idle.
InSpeed             Estimate of the current inbound bandwidth in bits per second of
                    the serial interface.
OutSpeed            Estimate of the current outbound bandwidth in bits per second of
                    the serial interface.
ModemName           Text string containing the name of the digital modem in use by
(PortMaster 3 only) the serial interface.
IpAddress           IP address associated with the serial interface. When
                    characterizing a network port, this value is the IP address of the
                    remote user. When characterizing a device or login port, this value
                    is the IP address of the host to which the user is connected.
ifDescr             Text string containing information about the network interface
                    bound to the serial interface.
InOctets            Total number of octets received on the serial interface.
OutOctets           Total number of octets transmitted on the serial interface.
QOctets             Total number of octets queued on the serial interface.
ModemStatus         Status of the modem used by the serial interface.
ModemCompression    Compression being used in the modem or by the serial interface.
(PortMaster 3 only)
ModemProtocol       Error correcting protocol being used in the modem or by the serial
(PortMaster 3 only) interface.
ModemRetrains       Number of retrains attempted by the modem attached to the serial
(PortMaster 3 only) interface.
ModemRenegotiates   Number of renegotiates attempted by the modem attached to the
(PortMaster 3 only) serial interface.
PortMaster T1/E1 Interfaces
Table 3-7 lists the objects in the T1/E1 interfaces from the Livingston Extensions section
of the MIB. T1/E1 interfaces are supported on the PortMaster 3 only.
Table 3-7 T1/E1 Interfaces Table

Object          Definition
Index           Unique value for each T1/E1 interface
PhysType        Type of interface (T1 or E1)
Function        Configured function of the interface
Status          Current operational state of the interface. Operational states
                include the following:
                • up (1)
                • down (2)
                • loopback (3)
Framing         Configured line framing. Line framing types include the following:
                • esf (1)
                • d4 (2)
                • crc4 (3)
                • fas (4)
Encoding        Configured line signal encoding
PCM             Configured voice modulation
ChangeTime      Amount of time this interface has been up or down
RecvLevel       Estimate of the current receive signal level, in decibels, of the
                interface
BlueAlarms      Total number of blue alarms on the interface
YellowAlarms    Total number of yellow alarms on the interface
CarrierLoss     Total number of times the interface has lost the carrier signal
SyncLoss        Total number of times the interface has lost frame synchronization
BipolarErrors   Total number of frame-level CRC errors detected on the interface
CRCErrors       Total number of frame-level CRC errors detected on the interface
SyncErrors      Total number of frame synchronization errors detected on the
                interface
PortMaster Modem Table
Table 3-8 lists the objects in the modem table from the Livingston Extensions section of
the MIB. Modem objects are supported only on the PortMaster 3 Integrated Access
Server.
Table 3-8 Modem Table

Object Type                   Definition
livingstonModemIndex          Unique value for each modem interface
livingstonModemPortName       Textual string containing the name of the serial interface
                              (for example, S0, S1, and so on)
livingstonModemStatus         Current state of the modem
livingstonModemProtocol       Error-correcting protocol being used in the modem
livingstonModemCompression    Compression being used in the modem interface
livingstonModemInSpeed        Estimate of the modem interface’s current inbound
                              bandwidth in bits per second
livingstonModemOutSpeed       Estimate of the modem interface’s current outbound
                              bandwidth in bits per second
livingstonModemInByteCount    Total number of bytes received by the modem
livingstonModemOutByteCount   Total number of bytes transmitted by the modem
livingstonModemRetrains       Number of retrains attempted by the modem
livingstonModemRenegotiates   Number of renegotiates attempted by the modem
livingstonModemCalls          Number of times a call was received by the modem
livingstonModemDetects        Number of analog calls received by the modem
livingstonModemConnects       Number of successful calls received by the modem
Setting SNMP Monitoring
Simple network management protocol (SNMP) monitoring is used to set and collect
information on SNMP-capable devices. This feature is most often used to monitor
network statistics such as usage and error rate.
If SNMP monitoring is on, the PortMaster accepts SNMP queries. If SNMP monitoring is
off, all SNMP queries are ignored.
To turn SNMP monitoring on or off, use the following commands:
Command> set snmp on|off
Command> save all
Command> reboot
Setting SNMP Read and Write Community Strings
Community strings allow you to control access to the MIB information on selected
SNMP devices. The read and write community strings act like passwords to permit access
to the SNMP agent information. The read community string must be known by any
device allowed to access or read the MIB information. The default read community
string is public. The write community string must be known by any device before
information can be set on the SNMP agent. The default write community string is
private. Community strings must be set on SNMP agents so that configuration
information is not changed by unauthorized users.
To use this feature, you must set both a read community string and a write community
string for your network.
To set SNMP read and write community strings, use the following command:
Command> set snmp readcommunity|writecommunity String
Note – Use of the default write community string—private—is strongly discouraged.
Because it is the default, it is known to all users and therefore provides no security. Use
another value for the write community string.
Adding SNMP Read and Write Hosts
PortMaster products allow you to control SNMP security by specifying the IP addresses
of the hosts that are allowed to access SNMP information. The specification of read and
write hosts allows another level of security beyond the community strings. If SNMP
hosts are specified, each host attempting to access SNMP information must not only
possess the correct community string, it must also be on the read or write host list. This
additional level of security allows only authorized SNMP managers to access or change
sensitive MIB information.
You can also specify a list of hosts allowed to read or write SNMP information. You can
permit all hosts or you can deny all hosts.
Note – Permitting all hosts to read and write SNMP information can compromise
security and is not recommended.
To add SNMP read and write hosts, use the following command:
Command> add snmphost reader|writer any|none|Ipaddress
To delete read and write hosts, use the following command:
Command> delete snmphost reader|writer Ipaddress
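The SNMP settings described above (monitoring on/off, read and write community strings, and reader/writer host lists) can be checked before they are committed. The following Python script is an added example, not part of the guide or the ComOS: it replays the set snmp and add/delete snmphost commands and reports the weak states the text warns about (default community strings, permit-all host lists). It assumes that an empty host list means no host restriction, since the guide applies the host check only "if SNMP hosts are specified".

```python
import re

# PortMaster defaults named in the guide; leaving them in place is a finding.
DEFAULT_READ_COMMUNITY = "public"
DEFAULT_WRITE_COMMUNITY = "private"


def parse_snmp_commands(lines):
    """Replay PortMaster SNMP commands (with or without the 'Command>' prompt)
    into the resulting SNMP state. Other commands (save all, reboot, ...) are skipped."""
    state = {
        "monitoring": False,                 # set snmp on|off; assumed off until set
        "read": DEFAULT_READ_COMMUNITY,      # set snmp readcommunity String
        "write": DEFAULT_WRITE_COMMUNITY,    # set snmp writecommunity String
        "reader": [],                        # add|delete snmphost reader ...
        "writer": [],                        # add|delete snmphost writer ...
    }
    for raw in lines:
        parts = re.sub(r"^\s*Command>\s*", "", raw).split()
        if len(parts) < 3:
            continue
        verb, table, arg = parts[0].lower(), parts[1].lower(), parts[2].lower()
        if verb == "set" and table == "snmp":
            if arg in ("on", "off"):
                state["monitoring"] = arg == "on"
            elif arg in ("readcommunity", "writecommunity") and len(parts) == 4:
                state["read" if arg == "readcommunity" else "write"] = parts[3]
        elif table == "snmphost" and arg in ("reader", "writer") and len(parts) == 4:
            host = parts[3].lower()
            if verb == "add":
                state[arg].append(host)
            elif verb == "delete":
                state[arg] = [h for h in state[arg] if h != host]
    return state


def audit_snmp(lines):
    """Return sorted finding codes for the configuration these command lines produce."""
    state = parse_snmp_commands(lines)
    if not state["monitoring"]:
        return []  # all SNMP queries are ignored; nothing is reachable to audit
    findings = []
    if state["read"] == DEFAULT_READ_COMMUNITY:
        findings.append("default-read-community")
    if state["write"] == DEFAULT_WRITE_COMMUNITY:
        findings.append("default-write-community")
    for role in ("reader", "writer"):
        hosts = state[role]
        # Assumption: no entries means no host restriction; 'any' is an explicit
        # permit-all and 'none' an explicit deny-all, per the command syntax.
        if "none" in hosts:
            continue
        if not hosts or "any" in hosts:
            findings.append(f"{role}-unrestricted")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample session: monitoring on, write community left at its
    # default, and any host allowed to write.
    SAMPLE = [
        "Command> set snmp on",
        "Command> set snmp writecommunity private",
        "Command> add snmphost writer any",
        "Command> save all",
    ]
    for finding in audit_snmp(SAMPLE):
        print("finding:", finding)
```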
Viewing SNMP Settings
Settings for SNMP monitoring, read and write community strings, and read and write
hosts are stored in the SNMP table.
To display the SNMP table, enter the following command:
Command> show table snmp
Monitoring SNMP Alarms
When an interface or modem fails, the SNMP agent traps the error message generated
by the failure and sends it to the SNMP Manager.
To view the status of failed modems or interfaces from the command line interface,
enter the following command:
Command> show alarm
The output of this command lists alarm messages and associated alarm identification
numbers. For details about a specific alarm, enter the following command:
Command> show alarm [alarm-id]
To clear alarms from the SNMP alarm table, enter the following command:
Command> clear alarm alarm-id|all
Refer to the PortMaster Command Line Reference for more information.
Displaying the Routing Table
Use the following command to display the IP routing table entries:
Command> show routes [String|Prefix/NM]
You can replace String with ospf or bgp to display only OSPF or BGP routes. Replacing
Prefix/NM with an IP address prefix and netmask displays only routes to that destination.
Enter the IP address prefix in dotted decimal format and the netmask as a number from
1 to 32, preceded by a slash—for example, /24. The netmask indicates the number of
high-order bits in the IP prefix.
To display the IPX routing table entries, enter the following command:
Command> show ipxroutes
The routes appear in the following order:
1. Default route
2. Host routes
3. Network routes
4. Expired routes that are no longer being advertised
Setting Static Routes
Static routes provide routing information unavailable from the Routing Information
Protocol (RIP), Open Shortest Path First (OSPF) protocol, or Border Gateway Protocol
(BGP). RIP, OSPF, or BGP might not be running for one of the following two reasons.
• Network administrators choose not to run RIP, OSPF, or BGP.
• Hosts connected to the PortMaster do not support RIP, OSPF, or BGP.
Separate static routes tables are maintained for IP and for IPX, which you display with
the show routes and show ipxroutes commands.
You construct a static route table manually on a PortMaster by adding and deleting static
routes as described in the following sections. Refer to the PortMaster Routing Guide for
information about routing and static routes.
Adding and Deleting a Static Route for IP
A static route for IP contains the following items:
• Destination—The IP address prefix of the host or the number of the IPX network
to which the PortMaster will be routing.
• Netmask—The static netmask in use at the destination. See “Modifying the Static
Netmask Table” on page 3-26 for more information about netmasks.
• Gateway—The address of a locally attached router where packets are sent for
forwarding to the destination.
• Metric—The number of routers (or hops) a packet must cross to reach its
destination. The metric represents the cost of sending the packet through the
gateway to the specified destination.
Note – Never set the gateway for the PortMaster to an address on the same PortMaster;
the gateway must be on another router.
Use the following commands to add a static route for IP:
Command> add route Ipaddress[/NM] Ipaddress(gw) Metric
Command> save all
Use the following commands to delete a static route for IP:
Command> delete route Ipaddress[/NM] Ipaddress(gw)
Command> save all
You can delete only static routes.
Adding and Deleting a Static Route for IPX
A static route for IPX contains the following items:
• Destination—The number of the IPX network to which the PortMaster will be
routing.
• Gateway—The address of a locally attached router where packets are sent for
forwarding to the destination.
For IPX networks, the gateway address consists of 8 hexadecimal digits for the
network address, a colon (:) and the node address of the gateway router expressed
as 12 hexadecimal digits—for example, 00000002:A0B1C2D3E4F5.
The IPX node address is usually the media access control (MAC) address on a
PortMaster.
• Metric—The number of routers (or hops) a packet must cross to reach its
destination. The metric represents the cost of sending the packet through the
gateway to the specified destination.
• Ticks—The time required to send the packet to its destination. Ticks are measured
in 50 ms increments. The ticks metric is used in addition to the hops metric only on
IPX networks.
Note – Never set the gateway for the PortMaster to an address on the same PortMaster;
the gateway must be on another router.
Use the following commands to add a static route for IPX:
Command> add route Ipxnetwork Ipxaddress Metric Ticks
Command> save all
Use the following commands to delete a static route for IPX:
Command> delete route Ipxnetwork Ipxaddress
Command> save all
Use the following command to set a static default route for all IPX packets not routed by
a more specific route:
Command> set ipxgateway Network|Node Metric
Note – You can delete only static routes.
Modifying the Static Netmask Table
The netmask table is provided to allow routes advertised by RIP to remain uncollapsed
on network boundaries in cases where you want to break a network into noncontiguous
subnets. The PortMaster normally collapses routes on network boundaries as described
in RFC 1058. However, in certain circumstances where you do not want to collapse
routes, the netmask table is available.
Note – Do not use the static netmask table unless you thoroughly understand and need
its function. In most circumstances its use is not necessary. Very large routing updates
can result from too much use of the netmask table, adversely affecting performance. In
most cases it is easier to use OSPF instead of using the netmask table and RIP. Lucent
strongly recommends you use OSPF if you require noncontiguous subnets or
variable-length subnet masks (VLSMs).
For example, suppose the address of Ether0 is 172.16.1.1 with a 255.255.255.0 subnet
mask (a class B address subnetted on 24 bits) and the destination of ptp1 is 192.168.9.65
with a 255.255.255.240 subnet mask (a class C address subnetted on 28 bits). If routing
broadcast is on, the PortMaster routing broadcast on Ether0 claims a route to the entire
192.168.9.0 network. Additionally, the broadcast on ptp1 claims a route to 172.16.0.0.
Sometimes, however, you want the PortMaster to collapse routes to some bit boundary,
other than the network boundary. In this case, you can use the static netmask table.
However, RIP supports only host and network routes, because it has no provision to
include a netmask. Therefore, if you set a static netmask in the netmask table, the
PortMaster collapses the route to that boundary instead, and broadcasts a host route
with that value. Other PortMaster routers with the same static netmask table entry
convert the host route back into a subnet route when they receive the RIP packet.
This work-around works only if all the products involved are PortMaster products,
with the following two exceptions:
• If you use a netmask table entry of 255.255.255.255. In this case, the routes
broadcast as host routes really are host routes, so non-PortMaster routers can use
them. Keep in mind that not all routers accept host routes.
• If the non-PortMaster router can convert host routes into subnet routes through
some mechanism of its own.
Uses for Static Netmasks
The most common use for the static netmask table is to split a single class C network
into eight 30-host subnets for use in assigned pools. Subnetting allows each PortMaster
to broadcast a route to the subnet instead of claiming a route to the entire class C
network. An example of that use is provided below.
The next most common use for the static netmask table is to allow dial-in users to use
specified IP addresses across multiple PortMasters in situations where assigned IP
addresses are not sufficient. This use can result in very large routing tables and is not
recommended except where no other alternative is possible.
The netmask table can be accessed only through the command line interface. To add a
static netmask, use the add netmask command. To delete a static netmask, use the
delete netmask command. The show table netmask command shows both dynamic
netmasks and static netmasks, marking them accordingly.
Note – Static routes use the netmask table entries that are in effect when the routes are
added. If the netmask table is changed, the static route must be deleted from the route
table and added again.
Example of Applying Static Netmasks
Note – Lucent recommends that you use OSPF in this circumstance instead of static
routes.
This static netmask example assumes the following:
• You have anywhere between 8 and 250 PortMaster routers.
• You assign all the user addresses from the dynamic address assignment pools on the
PortMaster routers.
• You are using 27-bit subnets of these three class C networks: 192.168.207.0,
192.168.208.0, and 192.168.209.0.
• You are using the 192.168.206.0 network for your Ethernet.
• All PortMaster routers involved are running ComOS 3.1.2 or later.
• You do not use proxy ARP. Instead, you use your 192.168.206.0 network for the
Ethernet, and divide your other networks up among the PortMaster routers.
• Each network provides 30 addresses for the assigned pool of each PortMaster.
To create the subnets defined in this example, enter the following commands on all the
PortMaster routers:
Command> set Ether0 address 192.168.206.X (for some value of X)
Command> set gateway 192.168.206.Y (where Y points at your gateway)
Command> add netmask 192.168.207.0 255.255.255.224
Command> add netmask 192.168.208.0 255.255.255.224
Command> add netmask 192.168.209.0 255.255.255.224
Command> set Ether0 rip on
Command> save all
The netmask table collapses routes on the boundaries specified. As a result, if one
PortMaster has an assigned pool starting at 192.168.207.33, it broadcasts a host route to
192.168.207.32 instead of broadcasting a route to the 192.168.207.0 network. The other
PortMaster routers consult their own netmask tables and convert that route back into a
subnet route to 192.168.207.33 through 192.168.207.32.
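The collapse-and-reconvert behaviour described above (classful collapsing per RFC 1058 when no netmask entry exists, a host route carrying the subnet boundary when one does, and the receiving PortMaster expanding it again) can be traced with the following Python model. It is an added example, not ComOS code; it assumes the netmask table is keyed by the classful network address given to add netmask, and it reuses the three 27-bit pool networks of the example as a constructed table.

```python
import ipaddress

# Constructed sample table, mirroring the three add netmask commands above.
NETMASK_TABLE = {
    "192.168.207.0": "255.255.255.224",
    "192.168.208.0": "255.255.255.224",
    "192.168.209.0": "255.255.255.224",
}


def classful_network(addr):
    """Natural (RFC 1058 style) network of an address: /8, /16 or /24 by first octet."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def collapse_route(addr, netmask_table=NETMASK_TABLE):
    """What a PortMaster with this netmask table advertises in RIP for addr.

    Returns (destination, kind): kind is 'network' when the route collapses to
    the classful boundary, or 'host' when a static netmask entry makes the
    router collapse to that boundary and send the result as a host route."""
    natural = classful_network(addr)
    mask = netmask_table.get(str(natural.network_address))
    if mask is None:
        return str(natural.network_address), "network"
    subnet = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return str(subnet.network_address), "host"


def expand_host_route(dest, netmask_table=NETMASK_TABLE):
    """Receiving-side conversion: turn an advertised host route back into the
    subnet route using the receiver's own netmask table entry."""
    natural = classful_network(dest)
    mask = netmask_table.get(str(natural.network_address))
    if mask is None:
        return ipaddress.ip_network(f"{dest}/32")  # no entry: it really is a host route
    # A 255.255.255.255 entry yields a /32 here, matching the first exception above.
    return ipaddress.ip_network(f"{dest}/{mask}", strict=False)


def pool_bounds(dest, netmask_table=NETMASK_TABLE):
    """First and last usable address of the subnet a host route expands to."""
    hosts = list(expand_host_route(dest, netmask_table).hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    # Sender side: pool starting at .33 is advertised as a host route to .32.
    print(collapse_route("192.168.207.33"))
    # Receiver side: the host route becomes the /27 subnet route again.
    print(expand_host_route("192.168.207.32"), pool_bounds("192.168.207.32"))
    # Without a table entry, routes collapse on the classful boundary.
    print(collapse_route("192.168.9.65", {}), collapse_route("172.16.1.1", {}))
```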
If your gateway on the Ethernet is not a PortMaster product, the netmask table is not
supported. However, you can set a static route on the gateway for each of the three
destination networks for your assigned pools (192.168.207.0, 192.168.208.0, and
192.168.209.0), pointing at one of the PortMaster routers. The identified PortMaster
then forwards packets to the proper PortMaster.
If you are using an IRX running ComOS 3.2R or later as your gateway, you can
configure the netmask table on the router also. This allows your PortMaster to listen to
RIP messages from the other PortMaster routers and route directly to each of them.
Enabling NetBIOS Broadcast Packet Propagation
NetBIOS is a programmable entry into the network that enables systems to
communicate over multiple media. NetBIOS over IPX uses type 20 broadcast packets
propagated to all networks to get and forward information about the named nodes on
the network.
NetBIOS uses a broadcast mechanism to get this information because it does not
implement a network layer protocol. Before forwarding the packets, the PortMaster
performs loop detection as described by the IPX Router Specification available from
Novell.
Full NetBIOS protocol compliance requires that the PortMaster be set to propagate and
forward type 20 broadcast packets across your IPX network router. When the NetBIOS
parameter is on, the PortMaster broadcasts type 20 packets. When the NetBIOS
parameter is off, the type 20 packets are not broadcast across the router. The default is
off.
To turn NetBIOS on or off, use the following command:
Command> set netbios on|off
Setting Authentication for Dial-In Users
You can configure the PortMaster for three authentication methods, PAP, CHAP, and
username/password login.
By default, PAP and CHAP are set to on. Dial-in users are asked to authenticate with
PAP when PPP is detected. If users refuse, they are asked to authenticate with CHAP.
If you set PAP to off, and CHAP to on, dial-in users are asked to authenticate with
CHAP. PAP authentication is neither requested nor accepted. If you set both PAP and
CHAP to off, dial-in users must authenticate with a username/password login.
To set PAP authentication, use the following command:
Command> set pap on|off
To set CHAP authentication, use the following command:
Command> set chap on|off
Setting Call-Check Authentication
You can enable services without authenticating the user at the point of entry on
PortMaster products that support PRI or in-band signaling. To enable the call-check
feature in the ComOS, you must first configure call-check user entries on the RADIUS
server.
To enable call checking on the PortMaster, use the following command:
Command> set call-check on|off
Note – The call-check feature is off by default.
For more information about enabling RADIUS call checking, refer to the ComOS 3.8
Release Notes.
Setting the ISDN Switch
You can configure the switch provisioning for ISDN PRI and BRI connections to
PortMaster ISDN ports. See Chapter 11, “Configuring the PortMaster 3,” for details on
PRI connections. See Chapter 12, “Using ISDN BRI,” for details on BRI connections.
Configuring the Ethernet Interface
4
subinterfaces, and includes the following topics:
• “Setting General Ethernet Parameters” on page 4-1
• “Setting IP Parameters” on page 4-3
• “Setting Ethernet IPX Parameters” on page 4-5
• “Configuring Ethernet Subinterfaces” on page 4-7
• “Setting OSPF on the Ethernet Interface” on page 4-8
Before configuring the Ethernet interface, you must make the appropriate Ethernet
connection for your needs. Refer to the relevant installation guide for your PortMaster
product for information on making the Ethernet connection.
See the PortMaster Command Line Reference for more detailed command descriptions and
instructions.
Setting General Ethernet Parameters
The commands described in this section allow you to configure your Ethernet interface.
In addition to specifying the protocol type (IP, IPX, or both) and address, you must
specify any routing and filtering you want on the Ethernet interface.
This subsection describes the general Ethernet settings that apply to your network
regardless of the protocol you use.
Configuring RIP Routing
As described in the PortMaster Routing Guide, PortMaster products automatically send and
accept route information as RIP messages.
To configure RIP routing, use the following command:
Command> set Ether0 rip on|broadcast|listen|off
Note – ComOS releases prior to 3.5 use the keyword routing instead of the rip
keyword.
Table 4-1 describes the results of using each keyword.
Table 4-1   Keywords for Configuring RIP Routing
Keyword      Description
on           The PortMaster broadcasts and listens for RIP information from other routers on the local Ethernet. This is the default.
off          The PortMaster neither broadcasts nor listens for RIP information from the local Ethernet.
broadcast    The PortMaster broadcasts RIP information to the local Ethernet.
listen       The PortMaster listens for RIP information from the local Ethernet.
See the PortMaster Routing Guide for OSPF and BGP routing configuration instructions.
Applying Filters
Filters enable you to control network traffic. After you have created filters in the filter
table, you can apply them to the Ethernet interface as either input or output filters. For
more information about filters, see Chapter 9, “Configuring Filters.”
Filters applied to the Ethernet interface take effect immediately. If you change the filter,
the change will not take effect until you set the filter on the interface again or you
reboot the PortMaster.
Input Filters
When an input filter is used, all traffic coming into the PortMaster on the Ethernet
interface is compared to the input filter rules. Only packets permitted by the filter rules
are accepted by the PortMaster.
To apply an input filter to the Ethernet interface, use the following command:
Command> set Ether0 ifilter Filtername
To remove the input filter, omit the filter name when entering the command.
Output Filters
When an output filter is used, all traffic going out of the PortMaster on the Ethernet
interface is compared to the output filter rules. Only packets permitted by the filter rules
are sent by the PortMaster.
Note – ICMP and UDP packets generated by the PortMaster are never blocked by the
output filter.
To apply an output filter to the Ethernet interface, use the following command:
Command> set Ether0 ofilter Filtername
To remove the output filter, omit the filter name when entering the command.
Setting IP Parameters
PortMaster products support both the IP and IPX protocols. When you select a protocol
for the Ethernet interface, you must enter certain values appropriate for the selected
protocol.
This section describes the IP commands, keywords, and values that must be entered if
you select IP protocol support.
Setting the IP Address
During the PortMaster installation process, you set the IP address for the Ethernet
interface.
To change the IP address of the Ethernet interface, use the following command:
Command> set Ether0 address Ipaddress
Note – If you change the IP address of the Ethernet interface, you must reboot the
PortMaster for the change to take effect.
Setting the Subnet Mask
The default subnet mask is 255.255.255.0. If you have divided your network into
between the network portion and the host portion.
To set the subnet mask, use the following command:
Command> set Ether0 netmask Ipmask
See Appendix A, “Networking Concepts,” for more information about using subnet
masks.
Setting the Broadcast Address
You can define the IP address used as the local broadcast address. The RIP routing
protocol uses this address to send information to other hosts on the local Ethernet
network. The actual broadcast address is constructed from the IP address of the Ethernet
interface and the netmask. The two valid values are high, where the host part of the
address is all 1s (such as 192.168.1.255) or low, where the host part of the address is all
0s (such as 192.168.1.0). The PortMaster default is low. The standard for hosts is to
broadcast high, but some hosts still use the low broadcast address, including hosts
running SunOS 4.x (Solaris 1.x) and earlier.
The broadcast address you set for the Ethernet interface on the PortMaster must match
the broadcast address set for other hosts on your local Ethernet segment.
To set the broadcast address, use the following command:
Command> set Ether0 broadcast high|low
Enabling or Disabling IP Traffic
IP traffic is sent and received through the PortMaster Ethernet interface. IP is enabled by
default on PortMaster Ethernet ports. If the setting has been changed, you must enable
IP on the Ethernet interface of all PortMaster products attached directly to a local
Ethernet. Disable IP traffic on this port only if the PortMaster is not attached to a local
Ethernet network.
To enable or disable IP traffic, use the following command:
Command> set ether0 ip enable|disable
Note – This command is currently available only on the Ether0 port.
Setting Ethernet IPX Parameters
You must set the following values to send IPX traffic on the Ethernet interface. IPX
routing is enabled when routing is enabled.
• Network address
• Protocol
• Frame type
Setting the IPX Network Address
You must identify the IPX network of your local Ethernet segment. An IPX network
address is a number entered in hexadecimal format, described in Appendix A,
“Networking Concepts.”
To set the IPX network address, use the following command:
Command> set Ether0 ipxnet Ipxnetwork
Note – If you change the IPX network address of the Ethernet interface, you must
reboot the PortMaster for the change to take effect.
Enabling or Disabling IPX Traffic
Ethernet IPX traffic is sent and received through the PortMaster Ethernet interface. You
may enable IPX on the Ethernet interface on any PortMaster products attached directly
to a local Ethernet. Disable IPX traffic on this port only if the PortMaster is not attached
to a local Ethernet network.
To enable or disable IPX traffic, use the following command:
Command> set ether0 ipx enable|disable
Note – This command is available only on the Ether0 port.
Setting the IPX Frame Type
The IPX frame type must be identified and set to the value used on the local IPX
network. The frame type identifies the encapsulation method used on your IPX ports.
The IPX protocol can be implemented with one of the four commonly used IPX
encapsulation and frame types shown in Table 4-2.
Table 4-2   Novell IPX Encapsulation and Frame Types
IPX Frame Type       Encapsulation
Ethernet_802.2       Consists of a standard 802.3 media access control (MAC) header followed by an 802.2 Logical Link Control (LLC) header. This is the default encapsulation used by Novell NetWare 4.0.
Ethernet_802.2_II    Not commonly used.
Ethernet_802.3       Consists of a standard 802.3 MAC header followed directly by the IPX header with a checksum of FFFF. This is the default encapsulation used by Novell NetWare 3.11.
Ethernet_II          Uses Novell’s Ethernet_II and is sometimes used for networks that handle both TCP/IP and IPX traffic.
The encapsulation method and frame type were selected when your IPX network
servers were installed. The IPX frame type you set on the PortMaster must match the
frame type set for your network. Contact your IPX network administrator for
information about the frame type used on your network.
To set the IPX frame type, use the following command—entered on one line:
Command> set Ether0 ipxframe
ethernet_802.2|ethernet_802.2_ii|ethernet_802.3|ethernet_ii
Configuring Ethernet Subinterfaces
With the subinterface feature of the ComOS, you can create up to 512 subinterfaces (the
total number of interfaces available on a PortMaster) on a single primary Ethernet
interface. Because you have the bandwidth of only a single Ethernet interface, however,
efficiency begins to degrade significantly when you add more than 8 subinterfaces.
Subinterfacing is essentially the segmenting of a single wire, or port, into multiple IP
networks. Instead of subnetting and routing, you can create a subinterface and then set
it up as you would a standard Ethernet interface. To avoid routing loops, however, you
must be sure not to create two subinterfaces in the same TCP/IP network on the same
port. Each Ethernet subinterface must have a unique network.
A drawback to subinterfacing is that it supports static routing only; IPX, RIP, OSPF,
packet filtering, and route propagation are not supported on subinterfaces.
You must configure the primary Ethernet interface before adding subinterfaces (see
“Setting General Ethernet Parameters” on page 4-1 for details). After you configure the
primary Ethernet interface, follow this procedure to add a subinterface.
1. Create a subinterface.
Command> add subinterface name
This command adds an entry to the subinterface table, which you can then view
with the show subi command. Remove a subinterface from the subinterface table
with the del subi command.
2. Associate the subinterface with a physical port.
Command> set subinterface name port-name portlabel
4. Assign an IP address, or an IP address and netmask, to the subinterface.
Command> set subinterface name Ipaddress [/NM]|[Ipaddress/NM]
You can specify the netmask in the /NM or dotted decimal format. You can also
configure the IP address and netmask separately (see the PortMaster Command Line
Reference for details).
4. Set the broadcast for the interface.
Command> set subinterface name broadcast high|low
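The four steps above can be generated and checked in one pass. The following Python helper is an added example, not part of the guide or the ComOS: from a constructed list of (name, port, address/NM) entries it emits the add subinterface and set subinterface commands in the order given, and flags the two conditions the text warns about, two subinterfaces (or a subinterface and the primary interface) in overlapping IP networks on the same port, and more than 8 subinterfaces on one port. The broadcast keyword and the primary-interface entry are parameters chosen here, not part of the procedure.

```python
import ipaddress

# The guide states efficiency degrades significantly past this many per port.
MAX_EFFICIENT_SUBIFS = 8


def plan_subinterfaces(subifs, primary=None, broadcast="high"):
    """Build the ComOS commands for a list of (name, port, 'address/NM') entries.

    primary: optional (port, 'address/NM') of the already configured Ethernet
    interface, so subinterfaces are also checked against its network.
    Returns (commands, problems); an empty problems list means the plan is clean."""
    commands, problems = [], []
    placed = []  # (name, port, network) already accounted for on some port
    if primary is not None:
        port, cidr = primary
        placed.append((port, port, ipaddress.ip_interface(cidr).network))
    per_port = {}
    for name, port, cidr in subifs:
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        # Two interfaces in the same IP network on one port create a routing
        # loop, so every earlier network on this port must be disjoint.
        for other_name, other_port, other_net in placed:
            if other_port == port and net.overlaps(other_net):
                problems.append(
                    f"{name} ({net}) overlaps {other_name} ({other_net}) on {port}")
        placed.append((name, port, net))
        per_port[port] = per_port.get(port, 0) + 1
        commands += [
            f"add subinterface {name}",                        # step 1
            f"set subinterface {name} port-name {port}",       # step 2
            f"set subinterface {name} {iface.with_prefixlen}",  # step 3, /NM form
            f"set subinterface {name} broadcast {broadcast}",  # step 4
        ]
    for port, count in per_port.items():
        if count > MAX_EFFICIENT_SUBIFS:
            problems.append(
                f"{port} carries {count} subinterfaces; efficiency degrades "
                f"past {MAX_EFFICIENT_SUBIFS}")
    return commands, problems


if __name__ == "__main__":
    # Constructed sample: one good subinterface and one that overlaps it.
    plan = [("lan1", "Ether0", "10.1.1.1/24"), ("lan3", "Ether0", "10.1.1.129/25")]
    cmds, probs = plan_subinterfaces(plan, primary=("Ether0", "192.0.2.1/24"))
    print("\n".join(cmds))
    print("problems:", probs)
```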
You can view or modify a subinterface with the ifconfig command (see the PortMaster
Command Line Reference). If you modify the interface with the ifconfig command, you
must reboot the PortMaster for the changes to take effect.
Setting OSPF on the Ethernet Interface
You can enable or disable Open Shortest Path First (OSPF) routing protocol on an
Ethernet interface.
To set OSPF on the interface, use the following command—entered all on one line:
Command> set Ether0 ospf on|off [cost Number] [hello-interval Seconds]
[dead-time Seconds]
The on keyword enables OSPF on the specified Ethernet interface; off disables OSPF on
that interface.
You can specify the cost of sending a packet on the interface with a link state metric by
using the cost Number keyword and value. The Number metric is a 16-bit number
between 1 and 65535; the default is 1.
Routers in OSPF networks continually exchange hello packets with their neighbor
routers. You can set the interval that elapses between the transmission of hello packets
on the interface by using the hello-interval Seconds keyword and value. Seconds can
range from 10 to 120 seconds; the default is 10 seconds.
If the PortMaster stops receiving hello packets from a neighbor, it treats that router as
inactive, or down. You can specify how long the PortMaster waits for hello packets from
neighbors by using the dead-time Seconds keyword and value. Seconds can range from
40 to 1200 seconds; the default is 40 seconds.
Note – You must set the same cost value, the same hello-interval value, and the same
dead-time value on all routers attached to a common network.
To enable acceptance of RIP packets on the OSPF network, use the following command:
Command> set Ether0 ospf accept-rip on|off
See the PortMaster Routing Guide for more information about OSPF.
Configuring an Asynchronous Port
5
Each asynchronous port can be configured for several different functions, giving the
function at a time. For example, if a port receives a dial-in user login request, this port
available for dial-out use or any other purpose specified when the port was configured.
This chapter discusses the following topics:
• “Asynchronous Port Uses” on page 5-1
• “General Asynchronous Port Settings” on page 5-3
• “Configuring a PortMaster for Login Users” on page 5-8
• “Configuring a Port for Access to Shared Devices” on page 5-11
• “Configuring a Port for Network Access” on page 5-15
• “Configuring a Port for a Dedicated Connection” on page 5-20
• “Connecting without TCP/IP Support” on page 5-25
See the PortMaster Command Line Reference for more detailed command descriptions and
instructions.
Asynchronous Port Uses
The following examples describe various uses for asynchronous ports.
Connections between Offices. Office-to-office connections can be achieved with
either dial-up asynchronous connections or dial-up synchronous connections,
depending on your application. Chapter 15, “Using Office-to-Office Connections,” gives
an example of a dial-up asynchronous office-to-office connection. Chapter 12, “Using
ISDN BRI,” gives an example of a dial-up synchronous office-to-office connection.
Once a PortMaster is installed in each office and connected to the local Ethernet with an
AUI, 10Base2, or 10BaseT connector, one or more asynchronous serial ports can be
configured to dial another office or a set of offices when network traffic for the specified
location exists. The two most common configurations are a star where multiple branch
offices dial into a central hub that routes among them, and a mesh where every office
can speak to any other office on demand. Intermediate configurations between star and
mesh are also possible.
To add network bandwidth on-demand, additional ports can be configured for load-
balancing. These ports can be configured to connect to a location when the network
traffic exceeds a specific level. In this configuration, multiple ports are connected during
times of heavy traffic, thereby adding bandwidth as needed, and are disconnected when
traffic drops.
Connections to the Internet. You can set an asynchronous port for a continuous
connection to an Internet service provider (ISP) by configuring it for continuous dial-
out. In this configuration if the dial-out line is dropped, the PortMaster automatically
reestablishes the connection.
Connecting to the Internet should include packet filtering and security to ensure that
access to the local network is restricted.
Chapter 16, “Using Internet Connections,” gives an example of an asynchronous
continuous dial-out connection to the Internet.
Logging in to Remote Hosts. Communication servers are most commonly used to
allow remote users to dial in to a network location and access a host with their local
account. This configuration is also used by ISPs that provide many users access to shell
accounts. PortMaster asynchronous ports can be configured for login by dial-in users.
When users dial in, they are connected to a modem, are allowed to log in, and are then
connected to a specified host for the current session.
Chapter 17, “Providing User Dial-In Access,” gives an example of an asynchronous
remote log-in connection.
Dial-In Network Connectivity. A PortMaster asynchronous port can provide PPP or
SLIP service to a dial-in user, allowing the user to route TCP/IP traffic across a modem
to access the local network or the entire Internet. If the port is running PPP, the user can
also route IPX traffic in this way. This configuration is very heavily used by ISPs and by
corporations with remote users running client/server applications that require access to
central hosts from home, field offices, or on the road.
Chapter 17, “Providing User Dial-In Access,” gives an example of an asynchronous dial-
in connection.
Sharing Devices across the Network. PortMaster asynchronous ports can be
configured to allow network hosts access to shared devices connected directly to the
PortMaster. If the network host is running the PortMaster in.pmd daemon, a
connection can be established to a specified port on the PortMaster. Once the
connection is established, the connected device such as a printer or modem can be
accessed as if it were connected directly to the host.
Ports can also be configured to be accessed by programs using TCP/IP sockets, or by
Telnet from the network.
Chapter 18, “Accessing Shared Devices,” gives an example of sharing devices across a
network.
General Asynchronous Port Settings
Certain settings must be configured for every asynchronous port, regardless of the port
type and configuration you select.
Overriding Certain Port Settings
If you configure a port as a host device, you can specify that the host device can
override certain port settings. This feature allows the host running in.pmd to alter the
active parameters through software control, by using operating system I/O calls (ioctl()
calls in UNIX). The settings that the host can override are speed, parity, databits, and
flow control. All overrides are turned off by default. If you want to allow a host to
override a port setting, turn override for that parameter on.
You can set overrides for all asynchronous ports at once by using the set all
override command.
To turn override on for a particular parameter, use the following command:
Command> set S0|all override xon|rts|speed|parity|databits on|off
Setting the Port Speed
Modern modems should be set to run at a fixed rate. To define a fixed rate, lock the data
terminal equipment (DTE) rate by setting all three speeds to the same value.
You can set the speed for all the asynchronous ports simultaneously by using the set all
speed command.
To set the port speed, use the following command—entered on one line:
Command> set S0|all speed [1|2|3] Speed
You can set speed to any of the following standard modem speed settings:
300
600
1200
2400
4800
9600
19200
38400
57600
76800
115200
Parity Checking
Parity checking is off by default.
Setting Databits
You can set the number of databits per byte for a single asynchronous port or all
asynchronous ports. The default (8) is the most common.
You can set the databits for all the asynchronous ports simultaneously by using the set
all databits command.
To set databits, use the following command:
Command> set S0|all databits 5|6|7|8
Setting Flow Control
The PortMaster can use either software or hardware flow control to communicate with
the attached device to start and stop the flow of data. Because hardware flow control is
more reliable, Lucent recommends that you set software flow control to off and
hardware flow control to on.
To set software flow control to off, use the following command:
Command> set S0|all xon/xoff off
To set hardware flow control to on, use the following command:
Command> set S0|all rts/cts on
Setting the Dial Group
You can create modem pools for dial-out connections by associating ports and dial-out
locations with dial groups. Dial groups can be used to reserve ports for dial-out to
specific locations, or to differentiate among different types of modems that are
compatible with the remote location. Dial groups are numbered 0 to 99. The default dial
group is 0.
To assign a port to a dial group, use the following command:
Command> set S0 group Group
Displaying Extended Port Information
The PortMaster can display port information in brief or extended modes. The default
setting is off.
To enable or disable extended information for a port, use the following command:
Command> set S0 extended on|off
Note – This command only affects the display of port information. It does not affect port
behavior.
Setting the Login Prompt
You can set a custom login prompt for each port using any valid ASCII characters. The
default login prompt is $hostname login:. For example, on a host named marketing, the
login prompt is marketing login:. Double quotation marks and control characters must
not be used inside the login prompt.
To set a login prompt for a port, use the following command:
Command> set S0 prompt String
For example:
Command> set s1 prompt marketing
Setting the Login Message
The PortMaster allows you to specify a message for each port, up to 240 characters long,
that is displayed to the user before login. To insert a new line, use a caret (^). Do not
include double quotation marks within the message.
To set a login message for a port, use the following command:
Command> set S0 message String
For example:
Setting an Optional Access Filter
An access filter can provide additional login security. To enable access security, you must
define an access filter as described in Chapter 9, “Configuring Filters.”
Setting Port Security
Port security requires that each username be found in the user table or in the RADIUS
database. If port security is on, all users who log in must have their usernames verified
before they are allowed to connect to the specified host.
If security is turned off, any user not found in the user table is passed through to the
host for authentication. If you are using RADIUS authentication, security must be
turned on.
To turn security for a port on or off, use the following command:
Command> set S0 security on|off
Allowing Users to Connect Directly to a Host
With the automatic login feature, you can set up users so that they connect directly to a
specified host without receiving a login prompt. When you set String to a username with
the set autolog command, the PortMaster product automatically substitutes that
username for the login prompt and starts the host session.
To enable automatic login for a particular user on a particular port, use the following
command:
Command> set S0 username|autolog String
Setting a Port as the Console
You can set any asynchronous port to be the console for administrative functions such
as configuring the PortMaster. The set console command takes effect immediately. If
you use the save console command, the port remains the console even after the
current session is ended.
To set a port as the console port, use the following command:
Command> set console S0
Setting the Port Idle Timer
The idle timer is used to control how long the PortMaster waits after activity stops on a
port before disconnecting a dial-in connection, and how long the PortMaster should
wait for a response to a login, password, or host prompt.
You can set the idle time in seconds or minutes, to any value from 0 to 240. The default
setting is 0 minutes.
If set to the special value of 1 second, a dial-in user has 5 minutes to respond to a login,
password, or host prompt. If the user does not respond, the port resets, making it
available to another user. Setting the idle time to 1 second turns off the idle timer after
the user logs in.
Note – The idle time special value of 1 second applies only to asynchronous ports that
have modem control turned on with the set S0 cd on command. Ports that are in the
command state—with an administrator logged on—are not timed out with the special
value of 1 second. In ComOS releases earlier than 3.5, the idle time special value is 1
minute.
You can set the idle time of all the ports simultaneously by using the set all idletime
command.
To enable the idle timer and set a timeout value, use the following command:
Command> set S0|all idletime Number [minutes|seconds]
To disable the idle timer, set it to 0.
Configuring a PortMaster for Login Users
A PortMaster can be configured to allow dial-in users to log in to a specified host. This
configuration is called user login. In user login mode, the user is prompted for his or
her login name after the attached modem answers and completes rate negotiation. Once
the user is identified as a valid user through the user table or RADIUS security, a login
session is established on the host specified for the asynchronous port.
Figure 5-1 User Login Configuration
[Figure: user susan dials in over a serial connection to the PortMaster, which connects her login session to the host sales on the local Ethernet alongside workstation 1 and workstation 2.]
In Figure 5-1 the user named susan is verified as an authorized user and is connected to
the host named sales, which has been specified as the host for this port.
To configure a PortMaster for user login, use the following steps. These steps are
described in more detail in later sections.
1. Set the port type to login.
Command> set S0 login
2. Set the login service.
Command> set S0 service_login portmaster|rlogin|telnet|netdata [Tport]
3. Set the login host.
Command> set S0 host 1|2|3|4 default|prompt|Ipaddress
4. Specify the terminal type.
Command> set S0|all termtype String
5. Reset the port and save the settings.
Command> reset S0
Command> save all
Setting the Port Type
If you use the set S0 login command, the port is set for user login. After being verified
or authenticated, a login session is established to the host computer.
You can set the port type to login for all asynchronous ports simultaneously by using
the set all command as shown in the following example:
Command> set all login
Setting the Login Service
The login service specifies how login sessions are established. Table 5-1 describes the
four types of login services available.
Table 5-1 Types of Login Service
Login Service – Function
portmaster – PortMaster is the default login service and can be used to access any host
that has the PortMaster in.pmd daemon installed. This type of login service is preferred
because it makes the PortMaster port operate like a serial port attached to the host. This
service is the most cost effective in terms of host resources.
rlogin – The remote login service rlogin uses the rlogin protocol to establish a login
session to the specified host. Generally, rlogin is used on mixed UNIX networks where
the PortMaster login service is impractical to use.
telnet – Telnet is supported on most TCP/IP hosts. This login service should be selected
when the PortMaster and rlogin protocols are not available. The default port number is
23.
netdata – The netdata login service creates a virtual connection between the PortMaster
port and another serial port on another PortMaster, or between the PortMaster port and
a host. This login service creates a clear channel TCP connection. To connect to another
PortMaster port using netdata, you must configure that port as /dev/network with the
netdata device service and the same TCP port number. The default netdata port is 6000;
however, you can specify any TCP port number between 1 and 65535. This range allows
TCP/IP to be used with a hardwired connection using an RS-232 cable. However, some
serial communications protocols, such as FAX, might have latency problems with
netdata.
Setting the Login Host
You can specify how the login host is determined for the selected port. The three ways
to determine the login host are described in Table 5-2.
Table 5-2 Login Host Options
Host Option – Description
default – The host used for this port is the default or alternate host specified in the
global settings.
prompt – The user is given the opportunity to enter a hostname or IP address instead of
the standard login prompt.
Ipaddress – You set a primary host and up to three alternate hosts for this port. This
option allows you to assign specific ports to specific hosts.
Setting the Terminal Type
You can set the terminal type for a port if it has been configured as a user login or
twoway port and you have set the login service to PortMaster, rlogin, or Telnet. The
terminal type is passed as an environment variable when a connection is established
with a host. The terminal type should be compatible with the host you are logging in to.
You can set the terminal type for all asynchronous ports simultaneously using the set
all termtype command.
Configuring a Port for Access to Shared Devices
One of the functions of a communications server is to provide network users access to
shared devices such as printers and modems. The port connected to the printer or
modem can provide shared access if it is configured as a host device port. This
configuration is also useful when using the UNIX tip command and UNIX-to-UNIX
Copy Protocol (UUCP) services.
Once a port is defined as host device, a device service must be selected that defines the
method used to connect the user to the specified port and device. Host device services
include PortMaster, Telnet, and netdata.
You can provide access to host device ports by establishing a pseudo-tty connection to
the port from a UNIX host with the PortMaster daemon software installed. In this case,
the port operates as a host-controlled device. Figure 5-2 shows a host device
configuration using the PortMaster device service and a pseudo-tty connection. This
configuration is most commonly used to provide access to shared devices such as
printers.
Figure 5-2 Host Device Configuration
[Figure: a printer attached to a PortMaster port is reached from a UNIX host over a pseudo-tty connection.]
Figure 5-3 shows a host device configuration where the device service is set as rlogin,
Telnet, or netdata. In this configuration, the host device name is set as /dev/network.
This configuration is used in cases where users want to log in remotely via Telnet or
rlogin to the shared device before transferring data, such as with a modem.
Figure 5-3 Network Device Configuration
[Figure: user 1 and user 2 reach modems attached to PortMaster ports (host /dev/network) over Telnet, rlogin, or netdata.]
Once the port type is set to accommodate a host device, the device service must be
selected and the hostname entered. If the device service selected is PortMaster for
pseudo-tty service, a hostname must be specified either in the port configuration or as
the global default host. In addition, the PortMaster in.pmd daemon must be installed
on the specified host.
To configure a port for access to shared devices, follow these steps:
1. Set the port type to device.
Command> set S0 device Device
2. Set the device service.
Command> set S0 service_device portmaster|telnet|netdata [Tport]
3. Save the configuration.
Command> save all
Setting the Device Service
The device service defines the method used to connect a host to a host device port. The
following device service options can be selected:
• PortMaster
• Telnet
• Netdata
Selecting the host device port type with the PortMaster device service is sometimes
referred to as the host device configuration because the shared device you are
connecting to through the PortMaster is known to the host as /dev/tty**, where the
double asterisk (**) is the specific host device identifier.
Selecting the host device port type with the rlogin, Telnet, or netdata device service is
sometimes referred to as the network device configuration because the shared device
you are connecting to through the PortMaster is specified as /dev/network.
PortMaster Device Service
The PortMaster device service is the most efficient and highest-performance service. This
service can be used with any workstation that has the PortMaster in.pmd daemon
installed. PortMaster service is the default and preferred service because it allows the
specified port to operate like a serial port installed on the host.
When using the PortMaster device service, you must use a host device name listed in
the /dev directory of each UNIX host with access to the shared device. The standard
device entries have ranges like the following:
• /dev/ttyp0 through /dev/ttypf
• /dev/ttyq0 through /dev/ttyqf
• /dev/ttyr0 through /dev/ttyrf
These tty devices can be dynamically selected for use by a variety of host programs.
Most programs start their selection from the beginning of the device list. You should
select devices at the end of the list to maximize the possibility of finding a device
available.
Telnet Device Service
Telnet is a remote terminal protocol supported by most computers using TCP/IP
protocols. Telnet allows the user at one site to establish a TCP connection to a login
server at another site. Once the connection is established, keystrokes are passed from
one system to the other. Use Telnet service in networks where a variety of hardware
devices with different operating systems must use the selected port.
In this configuration, the device name must be set to /dev/network.
The default TCP port number for Telnet is 23; however, another TCP port can be
specified on a per-port basis. All ports with a common Telnet port number form a pool
similar to the rlogin pool.
Note – If you use Telnet to administer the PortMaster, select a TCP port number for
your shared device port that is different from your administrative Telnet port.
Netdata Device Service
The netdata device service provides a TCP clear channel on which 8-bit data is passed
without interpretation. This service can be used to connect to the selected port from
another serial port on a different PortMaster. This configuration can provide network
connections between hosts on different networks. The netdata service is most
commonly used for special applications which require the use of TCP-CLEAR channel
access to a network socket. This device service provides a direct data link from the
application to the device connected to the PortMaster port. With the socket connection,
no special option negotiation or protocol is required.
The default TCP port number for the netdata service is 6000, but you can specify
another port.
In this configuration, the device name must be set to /dev/network.
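The difference between the netdata and Telnet device services described above is easy to get wrong when the shared device carries binary data. The following Python is an added example for this page (it is not PortMaster or ComOS code): it shows a netdata-style clear channel passing every octet untouched, against a Telnet-style channel in which the octet 0xFF is the IAC command prefix of RFC 854, so binary data must be escaped and option negotiation must be answered. The byte streams and the BINARY payload are constructed for the example.

```python
# Added example: "clear channel" (netdata) versus Telnet on a device port.
# Not PortMaster code; all byte streams here are constructed for illustration.

IAC, DONT, DO, WONT, WILL, SB, SE = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF0


def netdata_encode(data: bytes) -> bytes:
    """netdata: 8-bit data goes out exactly as given, with no interpretation."""
    return data


def netdata_decode(stream: bytes) -> bytes:
    """netdata: what arrives is the data, nothing to strip or answer."""
    return stream


def telnet_encode(data: bytes) -> bytes:
    """Telnet: a data octet of 0xFF must be doubled or the peer reads it as IAC."""
    return data.replace(b"\xff", b"\xff\xff")


def telnet_decode(stream: bytes):
    """Split a received Telnet stream into (data, replies).

    data    - payload with IAC sequences removed and doubled 0xFF restored
    replies - negotiation answers refusing every option (DO -> WONT,
              WILL -> DONT), the minimum a passive endpoint must send back
    """
    data, replies = bytearray(), bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("stream ends after IAC")
        cmd = stream[i + 1]
        if cmd == IAC:                        # escaped data octet 0xFF
            data.append(0xFF)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):   # three-octet option negotiation
            if i + 2 >= n:
                raise ValueError("truncated option negotiation")
            opt = stream[i + 2]
            if cmd == DO:
                replies += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                replies += bytes([IAC, DONT, opt])
            i += 3                            # DONT and WONT need no answer
        elif cmd == SB:                       # subnegotiation up to IAC SE
            # Assumes no escaped 0xFF inside the subnegotiation body.
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                raise ValueError("unterminated subnegotiation")
            i = end + 2
        else:                                 # other two-octet commands (NOP, AYT, ...)
            i += 2
    return bytes(data), bytes(replies)


# Constructed 8-bit device payload containing 0xFF octets, as modem or fax data might.
BINARY = b"\x01\x02\xff\x03\xff\xff\x04"


if __name__ == "__main__":
    print("netdata round trip :", netdata_decode(netdata_encode(BINARY)) == BINARY)
    print("telnet, escaped    :", telnet_decode(telnet_encode(BINARY))[0] == BINARY)
    print("telnet, unescaped  :", telnet_decode(BINARY)[0])  # data is mangled
```

The unescaped case is the one to remember: the same seven bytes sent raw through a Telnet device port lose the 0xFF 0x03 pair as a command, which is why the page recommends netdata for applications that need a TCP clear channel.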
Configuring a Port for Network Access
You can configure PortMaster asynchronous ports for network dial-in-only access, dial-
out-only access, or both dial-in-and-out access (also known as two-way access). You can
combine dial-in and dial-out access with the login and device services discussed in the
previous sections.
When you configure a port for network dial-in, dial-out, or two-way access, the port
becomes available for connections to and from remote sites using modems and the
Serial Line Internet Protocol (SLIP) or the Point-to-Point Protocol (PPP).
To configure a port for network access, follow these steps:
1. Set the port to network and choose the access type.
Command> set S0 network dialin|dialout|twoway
2. Save the configuration.
Command> save all
Note – In any of these dial modes (dial-in, dial-out, and two-way) you can also
configure the port for other concurrent port types.
Network dial-in-only access can be set on ports dedicated to answering requests from
mobile or home users. In this configuration, the selected port allows an authorized user
to connect to the network for mail, file, and other services through SLIP or PPP
encapsulation. Figure 5-4 shows how the PortMaster provides network connectivity for
remote users.
Figure 5-4 Dial-In-Only Port Access
[Figure: a mobile or at-home user's dial-in connection terminates on the PortMaster's modems, giving access to workstation 1 and workstation 2 on the local network.]
Network dial-out-only access can be set on ports dedicated to Internet connections or
connections to another office. In this configuration, the port is used to establish
communication from the PortMaster to an outside location. SLIP or PPP is used for these
types of connections. Figure 5-5 shows an example of a dial-out-only configuration.
Figure 5-5 Dial-Out-Only Access
[Figure: the branch office PortMaster, with workstation 1 behind it, places a dial-out connection through its modem to the modems of the main office PortMaster, reaching workstation 1 and workstation 2 there.]
Network Dial-In-and-Out (Two-Way) Access
Dial-in-and-out service on a selected port is also called two-way access. Two-way access
is specified for ports where both dial-in and dial-out access are needed. Dial-in modes
with modems allow users to connect to the main network without the cost of a leased-
line connection. This method can also be used for connecting to remote sites that need
only occasional telecommuting or backup connectivity.
To configure two-way access, set the port type for network use and then set the network
dial access for two-way use. The specified port operates in user login mode if DCD is
detected on pin 8 of the RS-232 connector. Otherwise, it can be accessed as a host
device on the computer through in.pmd or a Telnet session.
As mentioned in “Network Dial-In-Only Access” on page 5-16, SLIP or PPP is used to
define the method for sending IP packets over standard asynchronous lines with a
minimum line speed of 1200bps. These encapsulation methods allow you to establish
connections on an as-needed basis to reduce telephone costs.
To set a port for network two-way access, use the following commands:
Command> set S0 network twoway
Command> save all
PPP and SLIP Connections
The Serial Line Internet Protocol (SLIP) is an older protocol than PPP and not as robust.
However, some hosts support only SLIP. The type of protocol allowed is specified for
each dial-in user, dial-out location, or network hardwired port.
PPP is a method of encapsulating network layer IP protocol information on
asynchronous point-to-point links. PPP is described in RFC 1331 and RFC 1332. Lucent’s
implementation of PPP provides PPP autodetection support for the Challenge Handshake
Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) on serial
ports running PPP. ComOS 3.3 and later releases support Multilink PPP as described in
RFC 1717 on ISDN BRI ports, and all ports on the PortMaster 3.
Note – Be sure to use the set S0 rts/cts command to enable hardware flow control
(RTS/CTS) for all SLIP and PPP connections.
PAP and CHAP Authentication
PAP and CHAP authentication occur in the following sequence:
1. A user dials in to a port and starts sending PPP packets.
2. The PortMaster negotiates the authentication protocol with the remote host.
3. If the host refuses PAP authentication, the PortMaster prompts the host to
authenticate using CHAP. If the host refuses CHAP authentication, the PortMaster
hangs up.
Both the local communications server and the remote device must support CHAP to use
this protocol.
To configure PAP or CHAP for PPP users, the local user table or RADIUS must have an
entry for each authorized user that includes the username and password. The passwords
on both ends of the connection must be identical or the authentication process fails.
PAP sends the password across the link in the clear, whereas CHAP sends only an MD5 hash of the challenge and the shared secret, so the secret itself is never transmitted. Where every dial-in peer supports CHAP, disallow PAP authentication and accept only CHAP by entering the following command:
Command> set pap off
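To make the PAP versus CHAP distinction concrete, the following Python is an added example written for this page, not ComOS or PortMaster code. It models one CHAP round (RFC 1994, MD5 algorithm) between an authenticator holding a user table and a dial-in peer, alongside the body of a PAP Authenticate-Request (RFC 1334). The user table, usernames and secrets are constructed for the example; the requirement the page states, that the password on both ends must be identical, falls out of the hash comparison.

```python
import hashlib
import hmac
import os

# Added example: PPP PAP and CHAP as the PortMaster would use them against a
# local user table. The table and secrets below are constructed for illustration.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP MD5 response value: MD5(identifier || secret || challenge).
    The secret never crosses the link, only this 16-byte digest does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def pap_request(username: str, password: str) -> bytes:
    """Body of a PAP Authenticate-Request: both fields travel in the clear,
    so anyone who can read the line sees the password."""
    user, pw = username.encode(), password.encode()
    return bytes([len(user)]) + user + bytes([len(pw)]) + pw


class ChapAuthenticator:
    """The PortMaster side: issues challenges and checks responses against
    the user table (name -> shared secret)."""

    def __init__(self, user_table: dict):
        self.user_table = user_table
        self.outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self, identifier: int, challenge: bytes = None):
        # A fresh random challenge per attempt is what makes a captured
        # response useless for replay.
        if challenge is None:
            challenge = os.urandom(16)
        self.outstanding[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)
        if challenge is None:
            return False  # no such outstanding challenge: stale or replayed
        # Unknown users are still hashed against a dummy secret so the time
        # taken does not reveal whether the name exists in the table.
        secret = self.user_table.get(name, b"\x00" * 16)
        expected = chap_response(identifier, secret, challenge)
        return name in self.user_table and hmac.compare_digest(expected, response)


class ChapPeer:
    """The dial-in host side: knows its own name and the shared secret."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def run_chap(auth: ChapAuthenticator, peer: ChapPeer, identifier: int = 1,
             challenge: bytes = None) -> bool:
    """One complete Challenge / Response / Success-or-Failure round."""
    ident, chal = auth.challenge(identifier, challenge)
    ident, name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)


# Constructed user table, standing in for the PortMaster user table or RADIUS.
USER_TABLE = {"susan": b"s3cret-for-susan", "bob": b"bobs-password"}


if __name__ == "__main__":
    auth = ChapAuthenticator(USER_TABLE)
    print("matching secret  :", run_chap(auth, ChapPeer("susan", b"s3cret-for-susan")))
    print("mismatched secret:", run_chap(auth, ChapPeer("susan", b"wrong")))
    print("PAP request bytes:", pap_request("susan", "s3cret-for-susan"))
```

Running it shows the two properties that justify set pap off: the PAP request bytes contain the password verbatim, while a CHAP response is only a digest that is also bound to a one-time challenge, so presenting the same response a second time fails.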
Configuring a Port for a Dedicated Connection
You can configure an asynchronous port for a permanent network connection (also
known as a hardwired connection). Hardwired connections require no modem dialing
or authentication protocol and are designed for connections to modems configured for
leased line service, asynchronous-to-synchronous converters, or Frame Relay
asynchronous devices (FRADs). Hardwired connections can use SLIP or PPP with IP and
Note – This type of configuration creates a continuous uninterrupted connection on
this port. If the port is configured for a hardwired connection, it cannot be used for any
other purpose.
Figure 5-6 illustrates an example of a hardwired connection.
Figure 5-6 Hardwired Port Configuration
[Figure: two PortMasters, each with a workstation on its local network, are joined by leased-line modems over an analog leased line.]
Hardwired connections on asynchronous ports provide the continuous connection
advantage of a synchronous port at lower bandwidth, but without the cost of T1 line
connection.
To configure a port for a hardwired connection, follow this procedure:
1. Set the port for network hardwired.
Command> set S0 network hardwired
2. Set the protocol.
Command> set S0 protocol slip|ppp
3. Set the maximum transmission unit (MTU) size.
Command> set S0 MTU MTU
4. Set the destination IP address.
Command> set S0 destination Ipaddress [Ipmask]
5. Set the IPX network number if you are using IPX.
Command> set S0 ipxnet Ipxnetwork
6. Enable RIP routing.
Command> set S0 rip on|off|broadcast|listen
7. Set compression.
Command> set S0 compression on|off|stac|vj
8. Set the PPP asynchronous map (if required).
Command> set S0 map Hex
9. Set input and output filters (if using).
Command> set S0 ifilter [Filtername]
Command> set S0 ofilter [Filtername]
Omitting the Filtername removes any filter previously set on the port.
10. Save the configuration.
Command> save all
11. Reset the port.
Command> reset S0
Setting the Protocol
The network protocol for the hardwired port can be set for PPP packet encapsulation or
SLIP encapsulation as described in “PPP and SLIP Connections” on page 5-19. If you
want to use PPP you have your choice of the following options:
• PPP with IP packet routing
• PPP with IPX packet routing
• PPP with both IP and IPX packet routing
You should select a protocol that is compatible with your network configuration.
Setting the MTU Size
The maximum transmission unit (MTU) defines the largest frame or packet that can be
sent through this port. If a packet exceeds the specified MTU size, it is automatically
fragmented if IP or discarded if IPX. PPP connections can have an MTU set from 100 to
1500 bytes. SLIP connections can have an MTU set from 100 to 1006 bytes. The remote
host can negotiate smaller MTUs if necessary.
The MTU is typically set to the maximum allowed for the protocol being used, either
1500 or 1006 bytes. Setting smaller MTU values is useful for interactive (typing) users
who send small packets, while larger values are better for multi-line load balance.
Setting the Destination IP Address and Netmask
The IP address or hostname of the machine on the other end of the hardwired
connection must be entered to identify the port destination. For PPP, the IP destination
can be set to negotiated (255.255.255.255). You can optionally specify the netmask of
the system on the other end of the hardwired connection.
Setting the IPX Network Number
IPX traffic can be passed through a port if you assign an IPX network number to the
hardwired network connection.
Note – The IPX network number must be different from the IPX networks used on the
Ethernets on either end of the connection.
Configuring RIP Routing
As described in the PortMaster Routing Guide, PortMaster products automatically send and
accept route information as part of RIP messages if RIP routing is turned on.
To configure RIP routing for a network hardwired asynchronous port, use the following
command:
Command> set S0 rip on|broadcast|listen|off
Note – ComOS releases prior to 3.5 use the routing keyword instead of the rip keyword.
Table 5-3 describes the results of using each keyword.
Table 5-3 Keywords for Configuring RIP Routing
Keyword – Description
on – The PortMaster broadcasts and listens for RIP information from other routers on
this interface. This is the default.
off – The PortMaster neither broadcasts nor listens for RIP information on this
interface.
broadcast – The PortMaster broadcasts RIP information on this interface.
listen – The PortMaster listens for RIP information on this interface.
Refer to the PortMaster Routing Guide for OSPF and BGP configuration instructions.
Configuring Compression
Compression can increase the performance of interactive TCP sessions over network
hardwired asynchronous lines. Lucent implements Van Jacobson TCP/IP header
compression and Stac LZS data compression. Compression is on by default.
Compression should not be used with multiline load-balancing, but can be used with
Multilink PPP.
Compression must be enabled on both ends of the connection if you are using SLIP. For
PPP connections, the PortMaster supports both bidirectional and unidirectional
compression. Refer to RFC 1144 for more information about header compression.
The PortMaster supports Stac LZS data compression only for PPP connections with
bidirectional compression. Stac LZS data compression cannot be used for SLIP
connections.
To configure compression, use the following command:
Command> set S0|W1 compression on|stac|vj|off
Table 5-4 describes the results of using each keyword.
Table 5-4 Keywords for Configuring Compression
Keyword – Description
on – Enables compression. The PortMaster tries to negotiate both Van Jacobson and
Stac LZS compression on PortMaster 3 and on leased lines on Office Router products, or
Van Jacobson compression only on other PortMaster products. This is the default.
off – Disables compression.
stac – Enables Stac LZS data compression only. Stac LZS compression is supported only
on PortMaster 3 and leased lines on Office Router products.
vj – Enables Van Jacobson TCP/IP header compression only.
Note – This command is used only on network hardwired asynchronous ports. Dial-in
users must use the user table or RADIUS instead. Dial-out locations must use the
location table instead.
To display compression information about a connection, enter the following command:
Command> show S0
Setting the PPP Asynchronous Map
The PPP protocol supports the replacement of nonprinting ASCII characters found in the
datastream. These characters are not sent through the connection but are instead
replaced by a special set of characters that the remote system interprets as the original
characters. The PPP asynchronous map is a bitmap of characters that should be replaced.
The default PPP asynchronous map is 00000000. If the remote host requires a PPP
asynchronous map, the PortMaster accepts the request for the map.
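The asynchronous map is the Async-Control-Character-Map of RFC 1662, and the replacement the paragraph describes is the HDLC-like escaping used on every asynchronous PPP link. The following Python is an added example for this page (not PortMaster or ComOS code) that implements that escaping in both directions together with the PPP FCS-16 check, so that a mis-set map shows up as a frame check failure rather than silently corrupted data. The map constants mirror what the set S0 map Hex command takes; the LCP Configure-Request used as sample data is constructed for the example.

```python
# Added example: PPP asynchronous framing per RFC 1662 (HDLC-like framing with
# the Async-Control-Character-Map). Not PortMaster code; the frame contents
# are constructed for illustration.

FLAG = 0x7E          # frame delimiter, always escaped inside a frame
ESC = 0x7D           # control escape, always escaped inside a frame
XOR = 0x20
FCS_INIT = 0xFFFF
FCS_GOOD = 0xF0B8    # value the FCS computation ends on for an intact frame
ADDRESS, CONTROL = 0xFF, 0x03


def must_escape(byte: int, accm: int) -> bool:
    """An octet is escaped if it is the flag or escape octet, or if it is a
    control character (0x00-0x1F) whose bit is set in the 32-bit ACCM."""
    if byte in (FLAG, ESC):
        return True
    return byte < 0x20 and (accm >> byte) & 1 == 1


def ppp_escape(data: bytes, accm: int) -> bytes:
    """Replace each octet that must be escaped with ESC followed by octet XOR 0x20."""
    out = bytearray()
    for b in data:
        if must_escape(b, accm):
            out += bytes([ESC, b ^ XOR])
        else:
            out.append(b)
    return bytes(out)


def ppp_unescape(data: bytes) -> bytes:
    """Inverse of ppp_escape; a receiver honours escapes whatever its own ACCM."""
    out = bytearray()
    pending = False
    for b in data:
        if pending:
            out.append(b ^ XOR)
            pending = False
        elif b == ESC:
            pending = True
        else:
            out.append(b)
    if pending:
        raise ValueError("frame ends in the middle of an escape sequence")
    return bytes(out)


def fcs16(data: bytes, fcs: int = FCS_INIT) -> int:
    """PPP FCS-16 (RFC 1662, bit-serial form of the table-driven routine)."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def ppp_frame(protocol_and_info: bytes, accm: int) -> bytes:
    """Build a frame: FLAG, escaped(address, control, data, FCS), FLAG."""
    body = bytes([ADDRESS, CONTROL]) + protocol_and_info
    fcs = fcs16(body) ^ 0xFFFF
    body += bytes([fcs & 0xFF, fcs >> 8])   # FCS is transmitted low octet first
    return bytes([FLAG]) + ppp_escape(body, accm) + bytes([FLAG])


def ppp_unframe(frame: bytes) -> bytes:
    """Check delimiters, unescape, verify the FCS, return protocol + information."""
    if len(frame) < 6 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag delimiters")
    body = ppp_unescape(frame[1:-1])
    if fcs16(body) != FCS_GOOD:
        raise ValueError("FCS mismatch: corrupted or mis-escaped frame")
    if body[:2] != bytes([ADDRESS, CONTROL]):
        raise ValueError("unexpected address/control field")
    return body[2:-2]


# ACCM values in the form the "set S0 map Hex" command takes.
ACCM_NONE = 0x00000000                       # the page's default: nothing below 0x20 escaped
ACCM_ALL = 0xFFFFFFFF                        # LCP's initial value: all control characters escaped
ACCM_XON_XOFF = (1 << 0x11) | (1 << 0x13)    # escape only XON (0x11) and XOFF (0x13)

# Constructed LCP Configure-Request (protocol 0xC021, id 1, length 4, no options).
LCP_CONFREQ = bytes.fromhex("c02101010004")

if __name__ == "__main__":
    frame = ppp_frame(LCP_CONFREQ, ACCM_ALL)
    print("frame   :", frame.hex())
    print("unframed:", ppp_unframe(frame).hex())
```

ACCM_XON_XOFF is the map to think about on a link that still uses software flow control somewhere in the path: with the page's default of 00000000, a data octet of 0x13 would be swallowed by a modem honouring XOFF, and the receiver would see it only as an FCS failure.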
Setting Input and Output Filters
Input and output packet filters can be attached to a network hardwired port. If an input
filter is attached, incoming packets on that port are evaluated against the rule set for the
attached filter. Only packets permitted by the filter are passed through the PortMaster.
If an output filter is attached, packets going to the interface are evaluated against the
rule set in the filter and only packets permitted by the filter are sent to the interface.
For more information about filters, see Chapter 9, “Configuring Filters.”
Connecting without TCP/IP Support
You can configure the PortMaster to connect to bulletin board service (BBS) systems or
other hosts that have serial ports and allow bidirectional communications, but do not
support TCP/IP. This connection requires that you connect the PortMaster to the host
with a null modem cable. For more information about null modem cables, refer to your
hardware installation guide.
The dtr_idle setting is on by default, which drops the Data Terminal Ready (DTR) signal
for 500 milliseconds (ms) when the port goes idle. Setting dtr_idle to off changes the
behavior of the port to better accommodate this kind of connection.
To turn DTR on or off, use the following command:
Command> set S0 dtr_idle on|off
The following example shows how to configure this feature on port S1:
Command> set Telnet 24
Command> set s1 dtr_idle off
Command> set s1 cd on
Command> set s1 twoway /dev/network
Command> set s1 service_device Telnet
Command> reset s1
Command> save all
Configuring a Synchronous WAN Port
6
This chapter describes how to configure a synchronous wide area network (WAN) port.
This chapter discusses the following topics:
• “Synchronous Port Uses” on page 6-1
• “Configuring WAN Port Settings” on page 6-4
See the PortMaster Command Line Reference for more detailed command descriptions and
instructions.
Synchronous Port Uses
Synchronous WAN ports are used for high-speed dedicated connections between two
remote local area networks (LANs). Once a connection is established between two
remote sites, a wide area network (WAN) is achieved. Synchronous WAN connections
can be achieved through the use of dedicated leased lines, Frame Relay connections,
switched 56Kbps lines, or ISDN lines. Connection rates can range from 9600bps to
2.048Mbps (E1). PortMaster products support any of these connection types using one
or more synchronous ports.
All WAN port connections are similar and are represented in Figure 6-1 on page 6-3.
For most applications, a dedicated line connects two PortMaster routers, each located on
a separate remote network.
The following examples describe various uses for synchronous ports.
Routing over Leased Lines. A synchronous port can be used to connect to
synchronous leased lines from 9600bps to T1 (1.544Mbps) or E1 (2.048Mbps) for
continuous operation. A digital service unit/channel service unit (DSU/CSU) must be
attached to the WAN port on the PortMaster. For more information, see Chapter 19,
“Using Synchronous Leased Lines.”
Routing over Frame Relay. Frame Relay provides connectivity using a packet-
switched network. Its two advantages over a leased line network are lower cost and the
ability to have multiple permanent virtual circuits (PVCs) come into a single physical
port. It is especially popular for hub-and-spoke network arrangements. For example, a
dozen field offices with 56Kbps or fractional T1 Frame Relay connections can connect to
a central office using a fractional T1 or T1 Frame Relay connection. The central office
requires only one CSU/DSU and synchronous port on the router, instead of 12. For
more information, see Chapter 13, “Using Frame Relay.”
Routing over Switched 56Kbps. Switched 56Kbps can be less expensive than Frame
Relay in applications where short bursts of connectivity are required but dial-up
modems do not provide enough bandwidth. V.25bis dialing is used to establish a link
over a switched network, and the link is brought down after a specified period with no
Connections.”
Routing over ISDN. Integrated Services Digital Network (ISDN) provides fast dial-up
connectivity for applications where the expense of a dedicated Frame Relay or leased
line connection is not called for by the amount and nature of the traffic. For more
information, see Chapter 12, “Using ISDN BRI.”
Figure 6-1 Synchronous WAN Connection
[Figure: two sites, Bangkok and New York. At each site, workstations 1 through 3 share a
LAN with IRX Routers, and an IRX Router connects through a CSU/DSU to the Frame Relay
network that links the two sites.]
Once you have determined the type of synchronous connection to use between your
remote locations, the synchronous port on each end of the connection must be
configured.
Configuring WAN Port Settings
The WAN port settings described in this section enable you to configure your
synchronous port for your needs. “General Synchronous Settings” on page 6-4 includes
settings that are available for all connection types. The settings in “Settings for
Hardwired Connections” on page 6-7 are available only for network hardwired
connections.
General Synchronous Settings
The following settings can be used on synchronous ports configured for all connection
types.
Displaying Extended Port Information
The PortMaster can display synchronous port information in brief or extended modes.
The default setting is off.
To enable or disable extended information for a port, use the following command:
Command> set W1 extended on|off
Note – This command affects only the display of port information. It does not affect port
behavior.
Setting the Port Type and Connection Type
The port type for synchronous ports is always network, but you must explicitly set it.
You also must specify the kind of connection to use on the synchronous port.
To set the port type and the connection type, use the following command:
Command> set W1 network dialin|dialout|twoway|hardwired
Note – Some PortMaster products use S1 through S4 for the synchronous ports. Others
use W1, or W0 through W59. Refer to your hardware installation guide for information
on port numbering.
Table 6-1 describes the four connection types available on synchronous ports.

Table 6-1  Port and Network Types

Type       Description
hardwired  Allows you to establish a dedicated network connection between two sites
           without modem dialing or authentication. In this mode, the port immediately
           begins running the specified protocol. If the port is set for a hardwired
           connection, it cannot be used for any other purpose. A hardwired connection
           must be used for a leased line or Frame Relay connection.
dialin     Allows the port to accept dial-in network connections, for use with switched
           56Kbps or ISDN connections. The dial-in user is required to enter a username
           and password before the connection is established. Authorized users are
           managed through the user table described in Chapter 7, “Configuring Dial-In
           Users,” or through RADIUS. PPP users wishing to authenticate with PAP or
           CHAP can start sending PPP packets. When the packets are received, the
           PortMaster automatically detects PPP and requests PAP or CHAP authentication.
dialout    Allows dial-out to establish connections with remote locations. Dial-out
           network destinations are managed through the location table described in
           Chapter 8, “Configuring Dial-Out Connections.” This network type can be
           used for ISDN and switched 56Kbps connections.
twoway     Allows the port to accept dial-in users and use dial-out locations. This
           network type can be used for ISDN and switched 56Kbps connections.
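The dialin row above says the PortMaster requests PAP or CHAP once it detects PPP. The following is an added example, not ComOS code or anything from the PortMaster product, that builds both exchanges byte for byte from RFC 1334 (PAP) and RFC 1994 (CHAP with MD5) so the security difference is visible: PAP puts the password on the line in clear text, while CHAP sends only MD5(identifier || secret || challenge) for a challenge the authenticator chose. The user table, the shared secret and the peer name are constructed for the example.

```python
"""PAP versus CHAP on a dial-in port, as an added example (not ComOS code).

Builds the RFC 1334 PAP Authenticate-Request and the RFC 1994 CHAP
Challenge/Response packets and verifies the CHAP response the way the
authenticator (the PortMaster side) has to. The secret and names are
constructed for the example.
"""
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the PortMaster user table or a RADIUS lookup.
USER_TABLE = {b"bangkok-rtr": b"s3cret-shared-key"}

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def chap_packet(code, ident, value, name):
    """CHAP Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(packet):
    """Inverse of chap_packet; rejects packets whose Length disagrees with the data."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 5:
        raise ValueError("malformed CHAP packet")
    vsize = packet[4]
    return code, ident, packet[5:5 + vsize], packet[5 + vsize:]


def chap_response_value(ident, secret, challenge):
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def authenticator_challenge(ident):
    """Authenticator side: a fresh, unpredictable challenge for every attempt."""
    challenge = os.urandom(16)
    return challenge, chap_packet(CHAP_CHALLENGE, ident, challenge, b"portmaster")


def peer_respond(challenge_pkt, name, secret):
    """Dial-in router side: answer with its own name and the MD5 value."""
    code, ident, challenge, _ = parse_chap(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    value = chap_response_value(ident, secret, challenge)
    return chap_packet(CHAP_RESPONSE, ident, value, name)


def authenticator_verify(response_pkt, ident, challenge, table=USER_TABLE):
    """True only if the response is for this challenge and matches the secret on file."""
    code, rid, value, name = parse_chap(response_pkt)
    if code != CHAP_RESPONSE or rid != ident or name not in table:
        return False
    expected = chap_response_value(ident, table[name], challenge)
    return hmac.compare_digest(value, expected)  # constant-time comparison


def pap_request(ident, name, password):
    """PAP Authenticate-Request: the password travels in the clear on the line."""
    body = bytes([len(name)]) + name + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def run_chap(name=b"bangkok-rtr", secret=b"s3cret-shared-key", ident=7):
    """One full CHAP exchange; returns the authenticator's accept/reject decision."""
    challenge, chal_pkt = authenticator_challenge(ident)
    resp_pkt = peer_respond(chal_pkt, name, secret)
    return authenticator_verify(resp_pkt, ident, challenge)


if __name__ == "__main__":
    print("CHAP, correct secret:", run_chap())
    print("CHAP, wrong secret:  ", run_chap(secret=b"guess"))
    print("PAP request on the wire:", pap_request(1, b"carmela", b"hunter2"))
```

Because the challenge is random per attempt, a CHAP response captured from one call does not verify against the next challenge, which is what makes CHAP preferable to PAP on a dialin or twoway port; the comparison uses hmac.compare_digest so a mismatch takes the same time regardless of where the digests differ.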
Setting the Port Speed Reference
The port or line speed is set either by the external clock signal on the device to which
the PortMaster is connected, or by the carrier. You can record this value as a reference
associated with a synchronous port, but it has no effect on PortMaster behavior.
To record the port speed, use the following command:
Command> set W1 speed Speed
You can substitute any of the following for Speed: 9600, 14400, 19200, 38400, 56000,
57600, 64000, 76800, 115200, 1344k, 1536k, 2048k, t1, t1e, or e1.
Setting Modem Control
When modem control is on, the PortMaster uses the condition of the carrier detect
(DCD) signal from an attached modem to determine whether the line is in use.
Modem control is off for synchronous connections by default. With modem control set
off, the PortMaster assumes the carrier detect line is always asserted. Table 6-2 describes
the effects of DCD condition on port behavior.
Table 6-2  Effects of Carrier Detect Condition on Port Behavior

Connection Type  Carrier Detect Asserted                Carrier Detect De-asserted
Hardwired        Port attempts to establish a           Port is unavailable.
                 network connection.
Dialin           PortMaster initiates authentication    Port is unavailable.
                 and displays a login prompt.
Dialout          No effect.                             Transition from asserted to
                                                        de-asserted resets the port.
Twoway           Port attempts to establish a           Port is available.
                 network connection.
Set modem control on only if you want to use the DCD signal from the attached device.
In general, set modem control on for network dial-in or dial-out configurations. Modem
control is usually off for leased line or Frame Relay connections, but you can use it if the
CSU/DSU is configured accordingly.
To set modem control, use the following command:
Command> set W1 cd on|off
Assigning a Port to a Dial Group
You can create modem pools for dial-out connections by associating ports and dial-out
locations with dial groups. Dial groups can be used to reserve ports for dial-out to
specific locations, or to differentiate among different types of modems that are
compatible with the remote location. Dial groups are numbered 0 to 99. The default dial
group is 0.
To assign a port to a dial group, use the following command:
Command> set W1 group Group
Setting Hangup Control
You can control whether the data terminal ready (DTR) signal on the synchronous port
is dropped after a user session terminates. Hangup is set to on by default. In this state,
DTR is dropped for 500 milliseconds, causing a hangup on the line.
To set the hangup control, use the following command:
Command> set W1 hangup on|off
The reset command always drops the DTR signal.
Setting the Port Idle Timer
The idle timer indicates how long the PortMaster waits after activity stops on a
synchronous port before disconnecting a dial-in or dial-out connection.
You can set the idle time in seconds or minutes, to any value from 0 to 240. The default
setting is 0 minutes. If the value is set to 2 seconds or a longer interval, the port is reset
after having no traffic for the designated time. The idle timer is not reset by RIP,
keepalive, or SAP packets. To disable the idle timer, set the value to 0.
To set the idle timer, use the following command:
Command> set W1 idle Number [minutes|seconds]
Settings for Hardwired Connections
The following settings can be used only when the synchronous port is configured for
network hardwired connections.
Setting the Transport Protocol
The transport protocol for synchronous connections must be set for a network
hardwired synchronous port. Choose PPP for leased line, switched 56Kbps, and ISDN
connections, or Frame Relay for a Frame Relay connection. Additional Frame Relay
settings must be configured for Frame Relay connections, described in Chapter 13,
“Using Frame Relay.”
To set the transport protocol, use the following command:
Command> set W1 protocol ppp|frame
Setting the Port IP Address
You can set the local IP address of the network hardwired synchronous port to create a
numbered interface.
You can use any IP address. If you set the local address of the WAN port to 0.0.0.0 for
PPP, the PortMaster uses the Ether0 address for the end of the serial link. If you set the
WAN port address to 0.0.0.0 for a Frame Relay connection, the port is disabled.
To set the IP address, use the following command:
Command> set W1 address Ipaddress
Setting the Destination IP Address
The destination IP address or hostname of the machine on the other end of the
connection is used for leased line connections only. The destination IP address can also
be set to 255.255.255.255 for PPP users. This setting allows the PortMaster to learn the
IP address of the system on the other end of the connection using PPP IPCP address
negotiation.
Do not set a destination IP address for Frame Relay connections. Instead, use the
data-link connection identifier (DLCI) and Inverse ARP to discover Frame Relay addresses
dynamically. See Chapter 13, “Using Frame Relay,” for more information.
For network dial-in or dial-out connections, do not set a destination IP address for the
port. Instead, you set the destination address in the user table or RADIUS for dial-in, or
in the location table for dial-out. See Chapter 7, “Configuring Dial-In Users,” and
Chapter 8, “Configuring Dial-Out Connections,” for more information.
To set the destination IP address for a leased-line connection only, use the following
command:
Command> set W1 destination Ipaddress [Ipmask]
Setting the Subnet Mask
The default subnet mask is 255.255.255.0. If you have divided your network into
subnets, enter the subnet mask that identifies how your network addresses are divided
between the network portion and the host portion. The Ipmask value applies to network
hardwired ports only.
To set the subnet mask, use the following command:
Command> set W1 netmask Ipmask
See Appendix A, “Networking Concepts,” for more information about using subnet
masks.
Setting the IPX Network Address
When using IPX, you must identify an IPX network number of the serial link that is
unique from every other IPX number on the network. An IPX network address is
entered in hexadecimal format, as described in Appendix A, “Networking Concepts.”
Note – The serial link itself must have an IPX network number that is different from
those at either end of the connection.
To set the IPX network address, use the following command:
Command> set W1 ipxnet Ipxnetwork
Configuring RIP Routing
As described in the PortMaster Routing Guide, PortMaster products automatically send and
accept route information as RIP messages.
Turn on RIP routing for the port for network hardwired connections only such as leased
lines or Frame Relay. Routing is set in the user table for dial-in connections and in the
location table for dial-out connections.
To configure RIP routing, use the following command:
Command> set W1 rip on|broadcast|listen|off
Note – ComOS releases prior to 3.5 used the keyword routing instead of the rip
keyword.
Table 6-3 describes the results of using each keyword.

Table 6-3  Keywords for Configuring RIP Routing

Keyword    Description
on         The PortMaster broadcasts and accepts RIP packets from the system at the
           other end of the WAN connection. This is the default.
off        The PortMaster neither broadcasts nor listens for RIP information on the
           interface.
broadcast  The PortMaster broadcasts RIP packets to the system at the other end of the
           WAN connection.
listen     The PortMaster accepts RIP packets from the device connected to the WAN port.
Refer to the PortMaster Routing Guide for OSPF and BGP configuration instructions.
Setting Input and Output Filters
Input and output packet filters can be attached to a synchronous port for network
hardwired ports. Filters allow you to monitor and restrict network traffic. If an input
filter is attached, all packets received from the interface are evaluated against the rule
set for the attached filter, and only packets permitted by the filter are passed through the
PortMaster. If an output filter is attached, packets going to the interface are evaluated
against the rule set in the filter and only packets permitted by the filter are sent out of
the interface.
Note – You must define a filter in the filter table before you can apply it. For more
information about filters, see Chapter 9, “Configuring Filters.”
To apply an input filter to a synchronous port, use the following command:
Command> set W1 ifilter [Filtername]
To apply an output filter to a synchronous port, use the following command:
Command> set W1 ofilter [Filtername]
You can remove filters from the port by entering the command without a filter name. If
a filter is changed, you must reset the port for the change to take effect.
For example, to remove the output filter from a synchronous port, use the following
commands:
Command> set W1 ofilter
Command> reset W1
Command> save all
Note – You must reset the port and re-establish the connection for the new settings to
take effect.
Setting Compression
You can set Van Jacobson TCP/IP header compression and/or Stac LZS data compression
on the port. To set compression, use the following command:
Command> set W1 compression on|off|stac|vj
Van Jacobson TCP/IP header compression and Stac LZS data compression improve
performance on asynchronous lines but can degrade performance on high-speed
synchronous lines.
Configuring Dial-In Users
7
This chapter describes how to configure the PortMaster user table to support dial-in
connections. The user table settings define how each dial-in user is authenticated and
how dial-in connections are made.
To configure network dial-in connections from other routers, you must define each
remote router as a user on the PortMaster.
If you are using RADIUS, you must configure user attributes in individual user files in
Administrator’s Guide for more information.
This chapter discusses the following topics:
• “Configuring the User Table” on page 7-1
• “User Types” on page 7-3
• “Configuring Settings for Network and Login Users” on page 7-4
• “Configuring Network Users” on page 7-4
• “Configuring Login Users” on page 7-10
Note – Only 100 to 200 users can be configured in the user table and stored in the
nonvolatile memory of the PortMaster. Therefore, use RADIUS for user authentication
when you must configure multiple PortMaster Communication Servers to handle more
than a few dozen users.
See the PortMaster Command Line Reference for more detailed command descriptions and
instructions.
Configuring the User Table
This section describes how to display user information and how to add users to or delete
them from the user table.
Displaying User Information
You can display the current users in the user table or the complete configuration
information for a specified user.
To display the current users in the user table, for example, enter the following
command:
Command> show table user
Name     Type        Address/Host  Netmask/Service  RIP
---------------------------------------------------------------------------
jozef    Netuser     negotiated    0000000000
adele    Login User  default       Telnet
elena    Netuser     assigned      255.255.255.255  No
taffy    Login User  default       PortMaster
john     Netuser     192.168.7.8   0000000000       No
To display configuration information for a particular user, for example, use the following
command:
Command> show user elena
Username:  elena                 Type:       Dial-in Network User
Address:   Assigned              Netmask:    255.255.255.255
Protocol:  PPP                   Options:    Quiet, compressed
MTU:       1500                  Async Map:  00000000
Adding Users to the User Table
You must add users to the user table before configuring any settings for them. The
username is a string of from 1 to 8 printable, nonspace ASCII characters. The optional
user password is a string of from 0 to 16 printable ASCII characters. You cannot add
users with blank usernames.
To add a login user to the user table, use the following command:
Command> add user Username [password Password]
To add a network user to the user table, use the following command:
Command> add netuser Username [password Password]
Note – To add a network user, you must use the netuser keyword. Thereafter, you can
use either the netuser or the user keyword to configure settings for the network user.
You must always use the user keyword when configuring login users.
Deleting Users from the User Table
To delete a user from the user table, use the following command:
Command> delete user Username
User Types
User settings define the nature and behavior of dial-in users. The user table contains
entries for each defined dial-in user along with the characteristics for the user.
The user table provides login security for users to establish login sessions or network
dial-in connections. If you want to allow a network dial-in connection from another
router, the router must have an entry in the user table or in RADIUS.
PortMaster products allow you to configure two types of users, network users and login
users.
Network Users
Network users dial in to an asynchronous serial, synchronous serial, or ISDN port on the
PortMaster. A connection is established as soon as the user logs in. A PPP or SLIP (on
asynchronous ports) session is started. This type of connection can be used for dial-in
users or for other routers that need to access and transfer data from the network. Define
this type of user when network packets must be sent through the connection.
Login Users
Login users are allowed to establish PortMaster (in.pmd), rlogin, Telnet, or netdata
(TCP clear) connections through an asynchronous serial or ISDN port. A connection is
established to the specified host as soon as the user logs in. This type of connection is
useful for users who need to access an account on a host running TCP/IP.
Configuring Settings for Network and Login Users
The following settings can be configured for either network or login users.
Setting a Password
To set a password for either a login or network user, use the following command:
Command> set user Username password Password
The password can contain between 0 and 16 printable ASCII characters.
Setting the Idle Timer
The idle timer defines the number of minutes or seconds the line can be idle—in both
directions—before the PortMaster disconnects the user. You can set the idle time in
seconds or minutes, to any value from 2 to 240. The default setting, 0 minutes, leaves the
timer disabled.
The idle timer is not reset by RIP, keepalive, or SAP packets.
To set the idle timer, use the following command:
Command> set user Username idle Number [minutes|seconds]
To disable the idle timer, set the time to 0 minutes.
Setting the Session Limit
You can define the maximum length of a session permitted before the PortMaster
disconnects the user. The session length can be set to between 0 and 240 minutes.
To set the session limit, use the following command:
Command> set user Username session-limit Minutes
To disable the session limit, set the time to 0.
Configuring Network Users
Network users establish PPP or SLIP connections with the network as soon as they have
been authenticated.
Setting the Protocol
You can set the network protocol for the network user to PPP or SLIP as described in
Chapter 5, “Configuring an Asynchronous Port.” Select a protocol that is compatible
with the rest of your network configuration and the user’s capabilities.
To set the network protocol for a network user, use the following command:
Command> set user Username protocol slip|ppp
If you set a nonzero IP address for a network user using PPP, IP is automatically routed.
If you set a nonzero IPX network number for the user, IPX is automatically routed.
Note – Do not set an IPX number of all 0s (zeros) or all Fs for the IPX network address.
Setting the User IP Address
You must define the IP address or hostname of the remote host or router. Table 7-1
describes three different ways that the user IP address can be determined.

Table 7-1  User IP Address Options

IP Address Type  Description
assigned         This option allows the PortMaster to assign a temporary IP address that
                 is used for the current session only. The address used comes from a
                 pool of addresses set up during global configuration. This method for
                 assigning IP addresses to users is most commonly used when a large
                 number of users are authorized to dial in.
negotiated       This option is used only for PPP sessions. Here, the PortMaster learns
                 the IP address of the remote host using IPCP negotiation.
Ipaddress        This option allows you to define a specific IP address for the remote
                 host or router. This method for assigning an IP address to a user is
                 most commonly used for routers that establish a connection with the
                 PortMaster.
To set the user IP address for a normal network user, use the following command:
Command> set user Username destination assigned|negotiated|Ipaddress
Setting the Subnet Mask
Do not set a subnet mask for a network user unless the user is routed to another
network from your network. In that case, set the subnet mask to 255.255.255.255.
To set the subnet mask, use the following command:
Command> set user Username netmask Ipmask
Setting the IPX Network Number
If you are using the IPX protocol for this user, you must assign a unique IPX number to
the network connection between the remote user device and the PortMaster. Each
user’s connection requires a different IPX network number. If you use fffffffe as the IPX
network number, the PortMaster assigns the user an IPX network number based on an
IP address from the IP address pool.
Note – Do not set a value of all 0s (zeros) or all Fs for the IPX network number.
To set the IPX network number, use the following command:
Command> set user Username ipxnet Ipxnetwork
Configuring RIP Routing
As described in the PortMaster Routing Guide, PortMaster products automatically send and
accept route information as RIP messages.
To configure RIP routing for a network user, use the following command:
Command> set user Username rip on|off|broadcast|listen
Note – ComOS releases prior to 3.5 used the keyword routing instead of the rip
keyword.
Table 7-2 describes the results of using each keyword.

Table 7-2  Keywords for Configuring RIP Routing

Keyword    Description
on         The PortMaster broadcasts and listens for RIP information.
off        The PortMaster neither broadcasts nor listens for RIP information from the
           local Ethernet. This is the default.
broadcast  The PortMaster broadcasts RIP information to the host at the other end of
           the connection.
listen     The PortMaster listens for RIP information from the host or other router.
Setting the Asynchronous Character Map
The PPP protocol supports the replacement of nonprinting ASCII data in the PPP stream.
These characters are not sent through the line, but instead are replaced by a special set
of characters that the remote site interprets as the original characters. The PPP
asynchronous map is a bit map of characters that should be replaced. The lowest-order
bit corresponds to the first ASCII character NUL, and so on. In most environments, the
asynchronous map should be set to zero to achieve maximum throughput.
To set the PPP asynchronous character map, use the following command:
Command> set user Username map Hex
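The map described here and in “Setting the PPP Asynchronous Map” in Chapter 5 is the PPP async control character map (ACCM) of RFC 1662. The following added example, which is not ComOS code or part of the PortMaster product, shows what a given Hex value commits the two ends to: bit 0 is NUL, each set bit below 0x20 marks a control character to be sent as 0x7D followed by the character XOR 0x20, and the flag and escape bytes are escaped whatever the map says. The helper names and the sample frame are the example's own.

```python
"""PPP async control character map (ACCM) escaping, as an added example
(not ComOS code). Follows RFC 1662: bit i of the 32-bit map (bit 0 = NUL)
marks control character i for escaping; 0x7E and 0x7D are always escaped.
"""
FLAG, ESC = 0x7E, 0x7D


def accm_from_hex(text):
    """Parse the map as typed on the command line ('00000000', '000a0000', ...)."""
    value = int(text, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("async map must fit in 32 bits")
    return value


def accm_for(chars):
    """Build the map that escapes exactly the given control characters."""
    return sum(1 << c for c in set(chars) if c < 0x20)


def escaped_chars(accm):
    """Byte values that must be escaped under this map."""
    chars = {FLAG, ESC}
    chars.update(c for c in range(0x20) if accm >> c & 1)
    return chars


def escape(payload, accm):
    """Apply the map to an outgoing PPP frame body."""
    special = escaped_chars(accm)
    out = bytearray()
    for b in payload:
        if b in special:
            out += bytes((ESC, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)


def unescape(data):
    """Undo the escaping; a dangling 0x7D at the end of a frame is an error."""
    out = bytearray()
    it = iter(data)
    for b in it:
        if b == ESC:
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("truncated escape sequence")
            out.append(nxt ^ 0x20)
        else:
            out.append(b)
    return bytes(out)


if __name__ == "__main__":
    xon_xoff = accm_for({0x11, 0x13})          # the two software flow control characters
    print(f"map for XON/XOFF: {xon_xoff:08x}")  # 000a0000
    frame = b"\x11hello~world}\x13"              # constructed sample frame body
    print(escape(frame, xon_xoff))
    print(unescape(escape(frame, xon_xoff)) == frame)
```

A map of 00000000 escapes only 0x7D and 0x7E, which is why the text recommends zero for throughput; a path that swallows XON/XOFF needs 000a0000, and every extra bit costs one more byte on the line for each occurrence of that character.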
Setting the MTU Size
The maximum transmission unit (MTU) defines the largest frame or packet that can be
sent without fragmentation. A packet that exceeds this value is fragmented, if IP, or
discarded if IPX. PPP connections can have a maximum MTU of 1520 bytes. SLIP
connections can have a maximum MTU of 1006 bytes. PPP can negotiate smaller MTUs
when requested by the calling party.
The MTU size is typically set to the maximum allowed for the protocol being used,
either 1500 bytes (for PPP) or 1006 bytes (for SLIP). However, smaller MTU values can
improve performance for interactive sessions. If you are using IPX, the MTU should be
set to at least 600.
To set the MTU for a network user, use the following command:
Command> set user Username mtu MTU
Setting the Maximum Number of Dial-In Ports
You can define the number of dial-in ports that a user can use on the PortMaster for
Multilink V.120, Multilink PPP (only on ISDN), and multiline load-balancing.
If the maximum number of ports is unconfigured, port limits are not imposed and
PortMaster’s multiline load-balancing, Multilink V.120, and Multilink PPP sessions are
allowed. You can also set the dial-in port limit using the RADIUS Port-Limit attribute.
To set the maximum number of dial-in ports, use the following command:
Command> set user Username maxports Number
The Number variable can be set to between 0 and the number of available ports—up to
60.
Setting Compression
Compression of TCP/IP headers can increase the performance of interactive TCP sessions
over network hardwired asynchronous lines. Lucent implements Van Jacobson TCP/IP
header compression and Stac LZS data compression. Compression is on by default.
Compression cannot be used with multiline load-balancing, but can be used with
Multilink PPP.
Compression must be enabled on both ends of the connection if you are using SLIP.
With SLIP, TCP packets are not passed if only one side of the connection has
compression enabled. For PPP connections, the PortMaster supports both bidirectional
and unidirectional compression. Refer to RFC 1144 for more information about header
compression.
The PortMaster supports Stac LZS data compression only for PPP connections with
bidirectional compression. Stac LZS data compression cannot be used for SLIP
connections.
To set header compression for a network user, use the following command:
Command> set user Username compression on|off
Table 7-3 describes the results of using each keyword.

Table 7-3  Keywords for Configuring Compression

Keyword  Description
on       Enables compression. The PortMaster tries to negotiate both Van Jacobson and
         Stac LZS compression on PortMaster 3 and on leased lines on Office Router
         products, or Van Jacobson compression only on other PortMaster products.
         This is the default.
off      Disables compression.
To find out what type of compression was negotiated for the user, enter the following
command:
Command> show S0
Setting Filters
Input and output packet filters can be applied to each network user. If an input filter is
applied to a user, when the user dials in and establishes a connection, all packets
received from the user are evaluated against the rule set for the applied filter. Only
packets allowed by the filter can pass through the PortMaster. If an output filter is
applied to a user, all packets destined for the user are evaluated against the rule set for
the applied filter. Only packets allowed by the filter are sent out of the PortMaster to the
user. If either filter is changed while a user is logged on, the change will not take effect
until the user disconnects and logs in again.
Note – You must define a filter in the filter table before you can apply it. For more
information about filters, see Chapter 9, “Configuring Filters.”
To apply an input filter for a network user, use the following command:
Command> set user Username ifilter [Filtername]
To apply an output filter for a network user, use the following command:
Command> set user Username ofilter [Filtername]
Omitting the Filtername removes any filter previously set for the user.
Note – Filters are applied to the user the next time the user dials in.
Specifying a Callback Location
You can configure the user for callback connections to enhance network security or to
simplify telephone charges. When a network user logs in, the PortMaster disconnects
the user and then calls back to the location specified for that user. The location is stored
in the location table. The PortMaster always calls back using the same port on which the
user called in. Network users have PPP or SLIP sessions started for them, as defined in
the user table.
To specify the callback location for a network user, use the following command:
Command> set user Username dialback Locname|none
To disable callback connections for the user, use the none keyword.
For more information about configuring locations, refer to Chapter 8, “Configuring Dial-
Out Locations.”
Configuring Login Users
Login users establish connections with hosts using one of the login services—dial-in,
Setting the Login Host
You must define the host to which the user is connected. The login host can be defined
in one of three ways. Table 7-4 shows the login host options.
To set the login host for a login user, use the following command:
Command> set user Username host default|prompt|Ipaddress
Table 7-4   Login Host Options

Host Option   Description
-----------   ---------------------------------------------------------------
default       This option allows the user to log in to the default or
              alternate host specified for this PortMaster. You can specify
              the default host with the set host command shown on page 17-5.
prompt        This option allows the user to log in to a host by IP address
              or name at the time the login session is established.
Ipaddress     This option allows the user to connect only to the host
              specifically named. A valid hostname or IP address must be
              entered. This configuration is used when you want to allow a
              user to access a specific host. For example, this configuration
              can be used to allow the user carmela to always be connected
              with the host sales.
Applying an Optional Access Filter
An access filter is an input filter that restricts which hosts users can log in to. Access
filters work as follows:
• The user logs in and specifies a host.
• The host address is compared against the access filter.
• If the address is permitted by the filter, the connection is established.
To apply an access filter to a login user, use the following command:
Command> set user Username ifilter [Filtername]
Note – You must define a filter in the filter table before you can apply it. For more
information about filters, see Chapter 9, “Configuring Filters.”
Setting the Login Service Type
All login users must have an associated login service that determines the nature of their
connection with the host.
The login service specifies how login sessions are established. Four types of login
service are available as described in Table 7-5.
Table 7-5   Types of Login Service

Login Service   Function
-------------   -------------------------------------------------------------
portmaster      PortMaster is the default login service and can be used to
                access any host that has the PortMaster in.pmd daemon
                installed. This type of login service is preferred because it
                makes the PortMaster port operate like a serial port attached
                to the host. This service is the most cost-effective in terms
                of host resources.
rlogin          The remote login service rlogin uses the rlogin protocol to
                establish a login session to the specified host. Generally,
                rlogin is used on mixed UNIX networks where the PortMaster
                login service is impractical to use.
telnet          Telnet is supported on most TCP/IP hosts. This login service
                should be selected when the PortMaster and rlogin protocols
                are not available. The default port number is 23, but you can
                enter another number.
netdata         The netdata login service creates a virtual connection
                between the PortMaster port and another serial port on
                another PortMaster, or between the PortMaster port and a
                host. This login service creates a clear-channel TCP
                connection. To connect to another PortMaster port using
                netdata, you must configure that port as /dev/network with
                the netdata device service and the same TCP port number.
                The default netdata port is 6000; however, you can specify
                any TCP port number between 1 and 65535. This range allows
                TCP/IP to be used with a hardwired connection using an RS232
                cable. However, some serial communications protocols, such
                as FAX, might have potential latency problems.
To set the login service type for a login user, use the following command:
Command> set user Username service portmaster|rlogin|telnet|netdata [Tport]
Specifying a Callback Telephone Number
You can configure the login user for callback connections to enhance network security
or to simplify telephone charges. When a user logs in, the PortMaster disconnects the
user and then dials out to the telephone number specified for that user. The user is
reconnected to the host specified in the user table, via the same port on which the user
dialed in.
To enter the callback telephone number for a login user, use the following command:
Command> set user Username dialback String|none
To disable callback connections for the user, use the none keyword.
Configuring Dial-Out Connections
8
dial-out connections.
This chapter discusses the following topics:
• “Configuring the Location Table” on page 8-1
• “Setting Multiline Load Balancing” on page 8-11
• “Setting Filters” on page 8-13
• “Testing Your Location Configuration” on page 8-14
See the PortMaster Command Line Reference for more detailed command descriptions and
instructions.
Configuring the Location Table
A location defines a dial-out destination and the characteristics of the dial-out
connection. Locations control dial-out network connections in much the same way the
user table controls dial-in network connections.
Locations are stored in the location table. All dial-out locations have the following
minimum settings:
• Location name
• Name and password that the local PortMaster uses to authenticate itself to the
  remote host
• Telephone number of the remote host
• IP address and netmask of the remote host
• Protocol used for the connection
• Dial group that associates the location with a particular dial-out port
• Maximum number of ports
Locations can also optionally have the following settings:
• Connection type (dial-on-demand, continuous, or manual)
• Routing protocol
• IPX network number
• MTU size
• Compression
• Idle timer
• Data-over-voice for ISDN connections
• CHAP authentication
• Asynchronous character map
• Multiline load balancing
Note – The location table is not used for dialing out with the tip command or UUCP.
For information on these applications, refer to Chapter 18, “Accessing Shared Devices.”
To display the location table, enter the following command:
Command> show table location
A location table display looks like the following. The location table entries shown here
are examples only. PortMasters have empty locations tables by default.
Location     Destination        Netmask           Group     Maxcon      Type
-----------  -----------------  ----------------  --------  ----------  --------------
hq           172.16.1.1         255.255.255.0     1         4           On Demand
sf           192.168.1.21       255.255.255.0     1         0           Manual
sub1         192.168.3.1        255.255.255.0     1         99          Manual
bsp          172.16.1.21        255.255.255.0     2         99          Manual
Creating a Location
You must create a unique dial-out location for each remote host or router you want to
access. Location table entries are identified by this unique location name, which can
contain up to 12 characters.
To create a location, use the following command:
Command> add location Locname
Setting the Connection Type
Because the default method of initiating a connection is manual, you need to use the
dial command to cause the PortMaster to manually dial out to a location. You can
change the connection type as shown in Table 8-1. If you are changing an existing
location’s connection type, verify that the connection is not active.
Table 8-1   Dial-Out Connection Types

Connection Type   Description
---------------   -----------------------------------------------------------
on_demand         This type of connection is automatically started when
                  packets for the remote location are queued by the
                  PortMaster.
continuous        This type of connection is always active. If the telephone
                  connection is dropped, the PortMaster initiates a new
                  connection with the location after a 30-second waiting
                  period.
manual            This type of connection is started when you request a
                  connection. You can use this configuration to test a
                  connection or for network callback users. This is the
                  default.
To configure the connection type, use the following command:
Command> set location Locname on_demand|continuous|manual
On-Demand
Dial-on-demand connections to selected locations can save money because the
telephone line is used only when traffic needs to be transmitted. The dial-on-demand
configuration can also be used as a backup for other types of connections such as those
using high-speed synchronous lines. A dial-on-demand connection usually has the idle
timer set so that the connection is closed when no longer needed.
Note – When configuring a dial-on-demand location, be careful not to have the
on-demand location be the route to the loghost, RADIUS server, RADIUS accounting
server, or any host for a port using the PortMaster login or device service, unless you
understand the effect of these services upon dial-on-demand.
If routing for a dial-on-demand location is set to on, listen, or broadcast, the
PortMaster dials out to that location when it boots, to update routing information. The
PortMaster hangs up when the idle timer expires because RIP traffic does not reset the
idle timer.
To configure a location to support a dial-on-demand connection, use the following
command:
Command> set location Locname on_demand
Continuous
To establish a continuous dial-out connection, you must set the location type to
continuous. In this configuration, the PortMaster dials out after it boots and establishes
a network connection to the specified location. If the connection is dropped for any
reason, the PortMaster dials out again and establishes the connection again after a
30-second wait.
To configure a location to support a continuous connection, use the following
command:
Command> set location Locname continuous
Manual Dial-Out
Use manual dial-out to test the connection or if you want the connection to be
established only when you or a network callback user requests. You should test any
connection before configuring it as a continuous or on-demand location.
To configure a location to support a manual connection, use the following command:
Command> set location Locname manual
Note – Disconnect dial-out connections by resetting the port before switching a
connection type from manual to on-demand.
Setting the Telephone Number
The telephone number setting is used to dial out to the remote location.
To set the telephone number of the remote location, use the following command:
Command> set location Locname telephone String
Setting the Username and Password
The username and password are what the PortMaster uses to authenticate itself to the
remote host. Note that the username and password you enter here must also be resident
on the remote host (in the user table, RADIUS, or other authentication mechanism).
To set the username and password, use the following commands:
Command> set location Locname username Username
Command> set location Locname password Password
Setting the Protocol
The network protocol for a dial-out location can be set for PPP packet encapsulation,
SLIP encapsulation, or a Frame Relay subinterface. PPP can be used with either or both
IP and IPX packet routing. You should select a protocol that is compatible with the
remote location.
To set the protocol for a location, use the following command:
Command> set location Locname protocol slip|ppp|frame|x75-sync
For more information about setting the location protocol to a Frame Relay subinterface,
see “Frame Relay Subinterfaces” on page 13-12.
Setting the Destination IP Address
The destination IP address is the IP address expected on the system at the remote end of
the dial-out connection.
For PPP connections, you can either specify an IP address or have it negotiated. If you
enter 255.255.255.255 (negotiated) for the destination IP address, the PortMaster learns
the IP address of the remote system during PPP IPCP negotiation.
For SLIP connections and locations set for on-demand dialing, enter the IP address or a
valid hostname of the system at the remote end of the connection.
Note – Assigned addresses are not supported for dial-out locations.
To set the destination IP address for a location, use the following command:
Command> set location Locname destination Ipaddress
Setting the Destination Netmask
If the host or network on the remote end of the connection requires a netmask, you
must define it in the location table.
To set the destination netmask for a location, use the following command:
Command> set location Locname netmask Ipmask
Setting the IPX Network Number
If you are using the IPX protocol, you must assign a unique IPX network number to the
network connection between the remote host and the PortMaster. Enter the IPX
network number in the hexadecimal format described in Appendix A, “Networking
Concepts.” The number can consist of up to eight characters. The number is used only
for the serial link, and must be different from the IPX network numbers used for
Ethernets at either end.
To set the IPX network number for a location, use the following command:
Command> set location Locname ipxnet Ipxnetwork
Note – Do not set a value of all 0s (zeros) or all Fs for the IPX network numbers.
Setting RIP Routing
You can associate RIP routing with locations—for example, a dial on-demand
connection where the remote router is defined as a location on the local PortMaster.
As described in the PortMaster Routing Guide, PortMaster products automatically send and
accept route information as RIP messages.
Refer to the PortMaster Routing Guide for OSPF and BGP configuration instructions.
To set RIP routing for a location, use the following command:
Command> set location Locname rip on|off|broadcast|listen
Table 8-2 describes the results of using each keyword.
Table 8-2   Keywords for Configuring RIP Routing

Keyword     Description
---------   ----------------------------------------------------------------
on          The PortMaster broadcasts and listens for RIP packets from this
            network interface when it is established.
off         The PortMaster neither broadcasts nor listens for RIP packets
            from this network interface when it is established. This is the
            default.
broadcast   The PortMaster broadcasts RIP packets to this network interface
            when it is established.
listen      The PortMaster listens for RIP packets from this network
            interface when it is established.
Note – ComOS releases prior to 3.5 use routing instead of the rip keyword.
Setting the Dial Group
Dial groups associate locations with specific dial-out ports. By default, all ports and
locations belong to dial group 0 (zero). You can configure locations and ports into dial
groups numbered from 0 to 99. Dial group numbers can be used to reserve ports for
dial-out to specific locations, or to differentiate among different types of modems that
are compatible with the remote location.
The dial group associated with a location works with the dial group specified for each
port. For example, you create a dial-out location called home and specify that the dial
group for home is 2. When you configure each port, you can assign the port to a dial
group. Only ports assigned to group 2 will be used to dial the location home, while other
ports will not.
To associate a location with a dial group number, use the following command:
Command> set location Locname group Group
Setting the MTU Size
The maximum transmission unit (MTU) defines the largest frame or packet that can be
sent through this port, without fragmentation. If an IP packet exceeds the specified
MTU, it is automatically fragmented. An IPX packet that exceeds the specified MTU is
automatically dropped. PPP connections can have a maximum MTU of 1500 bytes. SLIP
connections can have a maximum MTU of 1006 bytes. With PPP, the PortMaster can
negotiate smaller MTUs when requested during PPP negotiation.
The MTU is typically set to the maximum allowed for the protocol being used. However,
smaller MTU values can improve performance for interactive sessions. During PPP
negotiation, the smaller number is used. If you are using IPX, the MTU should be set to
at least 600.
To set the MTU for a location, use the following command:
Command> set location Locname mtu MTU
Configuring Compression
Compression of TCP/IP headers can increase the performance of interactive TCP sessions
over network hardwired asynchronous lines. Lucent implements Van Jacobson TCP/IP
header compression and Stac LZS data compression. Compression is on by default.
Compression cannot be used with multiline load-balancing, but can be used with
Multilink PPP.
Compression must be enabled on both ends of the connection if you are using SLIP.
With SLIP, TCP packets are not passed if only one side of the connection has
compression enabled. For PPP connections, the PortMaster supports both bidirectional
and unidirectional compression. Refer to RFC 1144 for more information about header
compression.
The PortMaster supports Stac LZS data compression only for PPP connections with
bidirectional compression. Stac LZS data compression cannot be used for SLIP
connections.
To configure compression for a location, use the following command:
Command> set location Locname compression on|off|stac|vj
Table 8-3 describes the results of using each keyword.
Table 8-3   Keywords for Configuring Compression

Keyword   Description
-------   ------------------------------------------------------------------
on        Enables compression. The PortMaster tries to negotiate both Van
          Jacobson and Stac LZS compression on PortMaster 3 and on leased
          lines on Office Router products, or Van Jacobson compression only
          on other PortMaster products. This is the default.
off       Disables compression.
stac      Enables Stac LZS data compression only. Stac LZS compression is
          supported only on the PortMaster 3 and on leased lines on Office
          Router products.
vj        Enables Van Jacobson TCP/IP header compression only.
To display compression information about a location, enter the following command:
Command> show S0
Setting the Idle Timer
You can set the idle timer for a location with manual or on-demand connections. This
timer defines the length of time the line can be idle, with no network traffic in either
direction, before the PortMaster disconnects the connection. You can set the idle time in
seconds or minutes, to any value from 0 to 240. The default setting is 0 minutes. If the
value is set to 2 seconds or a longer interval, the port is reset after having no traffic for
the designated time. The idle timer is not reset by RIP, keepalive, or SAP packets. To
disable the idle timer, set the value to 0.
Note – Idle timers for dial-in connections are set on each port or for specific users. Idle
timers for dial-out connections are set in the location table.
To set the idle time for a location with a manual or on-demand connection, use the
following command:
Command> set location Locname idletime Number [minutes|seconds]
Setting Data over Voice
The PortMaster supports data-over-voice for inbound and outbound ISDN connections.
The PortMaster automatically accepts inbound voice calls and treats them as data calls.
You can force a data-over-voice call on an outbound ISDN connection by setting the
capability to on.
To turn on the data-over-voice capability for ISDN connections to a location, use the
following command:
Command> set location Locname voice on|off
For more information on ISDN connections, see Chapter 11, “Configuring the
PortMaster 3,” and Chapter 12, “Using ISDN BRI.”
Setting CHAP
When you enter a username and password into the location table, they are used as the
system identifier and MD5 secret for CHAP authentication. You can turn on outbound
CHAP authentication and eliminate the need to use the sysname identifier and user
table configurations for CHAP, unless the device being dialed also dials in to the
PortMaster. The default setting is off.
To set CHAP authentication for a location, use the following command:
Command> set location Locname chap on|off
Setting the Asynchronous Character Map
The PPP protocol supports the replacement of nonprinting ASCII data in the PPP stream.
These characters are not sent through the line, but instead are replaced by a special set
of characters that the remote site interprets as the original characters. The PPP
asynchronous map is a bit map of characters that should be replaced. The lowest-order
bit corresponds to the first ASCII character NUL, and so on. Most environments should
set the asynchronous map to 0 (zero) to achieve maximum throughput.
To set the PPP asynchronous map for a location, use the following command:
Command> set location Locname map Hex
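The following is an added example, not code from this guide, that models the asynchronous character map described above: bit n of the Hex value selects ASCII character n for replacement, exactly as the text states, while the replacement mechanism itself (escape byte 0x7D followed by the character XOR 0x20, with 0x7E and 0x7D always escaped) is taken from RFC 1662, which the guide does not spell out, and is therefore an assumption here.

```python
"""Model of the PPP asynchronous control character map (ACCM) configured with
`set location Locname map Hex`.

Added example, not PortMaster code. Bit 0 of the map is NUL, bit n is ASCII
character n, as the guide describes. The byte-stuffing rule (0x7D, then the
byte XOR 0x20) is assumed from RFC 1662; the guide only says the characters
are "replaced by a special set of characters".
"""

PPP_FLAG = 0x7E    # frame delimiter: always escaped inside a frame (RFC 1662)
PPP_ESCAPE = 0x7D  # control-escape byte: always escaped as well
XOR_MASK = 0x20


def accm_from_hex(hex_map: str) -> int:
    """Parse the value given to `set location ... map Hex`, e.g. "000A0000"."""
    value = int(hex_map, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("the asynchronous map is a 32-bit value")
    return value


def mapped_characters(accm: int) -> list:
    """Control characters (0x00-0x1F) that the map marks for replacement."""
    return [c for c in range(32) if (accm >> c) & 1]


def needs_escape(byte: int, accm: int) -> bool:
    """A byte is replaced when the map selects it, or when PPP reserves it."""
    if byte in (PPP_FLAG, PPP_ESCAPE):
        return True
    return byte < 0x20 and bool((accm >> byte) & 1)


def escape(payload: bytes, accm: int) -> bytes:
    """Apply the map to outgoing data: selected bytes become 0x7D, byte ^ 0x20."""
    out = bytearray()
    for b in payload:
        if needs_escape(b, accm):
            out += bytes([PPP_ESCAPE, b ^ XOR_MASK])
        else:
            out.append(b)
    return bytes(out)


def unescape(stream: bytes) -> bytes:
    """Reverse the replacement on the receiving side."""
    out = bytearray()
    it = iter(stream)
    for b in it:
        if b == PPP_ESCAPE:
            try:
                out.append(next(it) ^ XOR_MASK)
            except StopIteration:
                raise ValueError("dangling escape byte at end of stream") from None
        else:
            out.append(b)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a map that protects only XON (0x11) and XOFF (0x13),
    # which a link with software flow control would need; a map of 0 gives
    # maximum throughput because nothing but 0x7E/0x7D is escaped.
    accm = accm_from_hex("000A0000")
    print("mapped:", [hex(c) for c in mapped_characters(accm)])
    print("escaped:", escape(b"\x11A\x7e", accm).hex())
```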
Setting Multiline Load Balancing
You can set several ports to connect to a single location to distribute heavy traffic loads.
This capability is called multiline load balancing. You can define a threshold known as a
high-water mark for a location. The high-water mark triggers the PortMaster to bring up
an additional connection to the location when the amount of data specified by the
high-water mark is queued. The PortMaster examines the queue several times a minute
to determine if the high-water mark has been reached.
Load balancing is useful for on-demand routing because additional ports for the location
are added as the load exceeds what can be handled by one port. When the ports are idle
for the time specified by the set location idletime command (see “Setting the Idle
Timer” on page 8-10), all ports used for that connection are timed out simultaneously.
Load balancing can save you money because you do not need to configure your
network to handle the maximum load between locations. Periods of heavy traffic can be
handled by additional ports on an as-needed basis. At other times, the additional ports
can be used for other purposes.
When multiple ports are in use, each packet is queued on the port with the least
amount of traffic in the queue. Ports with very different speeds should not be combined
for load balancing purposes. The overall throughput for a given number of ports is
approximately equal to the number of ports multiplied by the throughput of the slowest
port.
The following settings are used to configure load balancing and define when additional
lines to this location are dialed.
Setting the Maximum Number of Dial-Out Ports
To configure load balancing, you must define the number of dial-out ports that can be
used to dial and establish a connection with this location. This setting creates a pool of
ports that can be used at the same time to establish a connection with this location.
If the maximum number of ports is set to 0, no connection with this location is
high-water mark is used to determine when additional connections are established with
this location.
When more than one line is open to a given location, the PortMaster balances the load
across each line. When the ports are idle for the time specified by the set location
idletime command (see “Setting the Idle Timer” on page 8-10), all ports used for that
connection are timed out simultaneously.
To set the maximum number of dial-out ports for a location, use the following
command:
Command> set location Locname maxports Number
Setting Bandwidth-on-Demand
Bandwidth-on-demand determines when an additional line to this location should be
established. The PortMaster uses the high-water mark setting to configure
bandwidth-on-demand.
The high-water mark specifies the number of bytes of network traffic that must be
queued before the PortMaster opens an additional connection. The PortMaster examines
the queue several times a minute to determine if the high-water mark has been
reached.
If you set a very small threshold number, the PortMaster quickly opens the maximum
number of ports you specified for this location. When you are deciding on a threshold,
keep in mind that interactive traffic from login users queues a relatively small number
of bytes, only several hundred. However, network users doing file transfers can queue
several thousand bytes of traffic. These activities should be considered before you set
your dial-out threshold.
This value is used only when the maximum number of ports is greater than one. The
default high-water mark is zero.
To set the high-water mark in bytes for a location, use the following command:
Command> set location Locname high_water Number
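As an added illustration of the rules in “Setting Multiline Load Balancing” through “Setting Bandwidth-on-Demand” (not PortMaster code), the model below applies the maxports, high_water and idletime settings to a constructed sequence of queued packets; port names, packet sizes and the treatment of the default high-water mark of 0 as “any queued traffic triggers another line” are assumptions.

```python
"""Model of multiline load balancing for a dial-out location.

Added example, not ComOS code. It follows the guide's rules: maxports 0 means
no connection, the high-water mark is consulted only when maxports is greater
than one, each packet is queued on the port with the least traffic waiting,
RIP/keepalive/SAP traffic does not reset the idle timer, and all ports used for
the connection time out together. Port names and sizes are constructed.
"""

from dataclasses import dataclass, field


@dataclass
class DialPort:
    name: str
    queued: int = 0  # bytes waiting in this port's transmit queue


@dataclass
class Location:
    name: str
    maxports: int           # set location Locname maxports Number
    high_water: int = 0     # set location Locname high_water Number (bytes)
    idletime: int = 0       # set location Locname idletime Number seconds; 0 disables
    ports: list = field(default_factory=list)
    idle_seconds: int = 0   # time since traffic that resets the idle timer

    def may_connect(self) -> bool:
        """A location whose maximum number of ports is 0 is never dialed."""
        return self.maxports > 0

    def open_port(self, port_name: str) -> None:
        """Bring up one more line, never beyond the configured pool size."""
        if len(self.ports) >= self.maxports:
            raise RuntimeError(f"{self.name}: all {self.maxports} port(s) in use")
        self.ports.append(DialPort(port_name))
        self.idle_seconds = 0

    def queued_bytes(self) -> int:
        return sum(p.queued for p in self.ports)

    def enqueue(self, nbytes: int, resets_idle: bool = True) -> str:
        """Queue a packet on the least-loaded port and return that port's name.
        Pass resets_idle=False for RIP, keepalive and SAP packets."""
        if not self.ports:
            raise RuntimeError(f"{self.name}: no connection open")
        target = min(self.ports, key=lambda p: p.queued)
        target.queued += nbytes
        if resets_idle:
            self.idle_seconds = 0
        return target.name

    def drain(self) -> None:
        """Constructed helper: every port has transmitted its backlog."""
        for p in self.ports:
            p.queued = 0

    def wants_additional_line(self) -> bool:
        """The bandwidth-on-demand check the PortMaster runs several times a
        minute: open another line when the queued bytes reach the high-water
        mark and the pool is not yet full."""
        if self.maxports <= 1:              # high_water matters only above one port
            return False
        if len(self.ports) >= self.maxports:
            return False
        queued = self.queued_bytes()
        # Assumption: with the default mark of 0, any queued traffic counts.
        return queued > 0 and queued >= self.high_water

    def tick(self, seconds: int) -> list:
        """Advance the idle timer; on expiry every port used for the connection
        is timed out at once. Returns the names of the ports that were closed."""
        if self.idletime == 0 or not self.ports:
            return []
        self.idle_seconds += seconds
        if self.idle_seconds >= self.idletime:
            closed = [p.name for p in self.ports]
            self.ports.clear()
            self.idle_seconds = 0
            return closed
        return []


if __name__ == "__main__":
    hq = Location("hq", maxports=3, high_water=2000, idletime=60)
    hq.open_port("S1")
    for size in (1500, 800):
        print("queued on", hq.enqueue(size), "need another line:", hq.wants_additional_line())
```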
Setting Filters
You can attach input and output filters to each location. Filters must be defined in the
filter table before they can be added to the location table. For more information about
filters, see Chapter 9, “Configuring Filters.” When a filter is changed, all ports in use by
the location must be reset to have the changes take effect.
Note – If a matching filter name is not found in the filter table, this command is not
effective and all traffic is permitted.
Input Filters
Input filters cause all packets received from the interface to be evaluated against the
filter rule set. Only packets allowed by the filter are accepted.
To set an input filter for a location, use the following command:
Command> set location Locname ifilter Filtername
Output Filters
Output filters cause all packets going out to the interface to be evaluated against the
filter rule set. Only packets allowed by the filter are passed out to the interface.
To set an output filter for a location, use the following command:
Command> set location Locname ofilter Filtername
Testing Your Location Configuration
When you are configuring a location, you can set a manual connection for the location
so that you can test the configuration before resetting the connection to on-demand or
continuous. To test the configuration, you must initiate a connection with the remote
location by using the dial command from the command line.
To display the chat script (if you are using one) during dialing, use the optional -x
keyword. You can watch the connection process to ensure that location-specific settings
are configured correctly. This keyword also resets some debugging values previously set
with set debug.
When your location is configured correctly, change the connection type from manual to
continuous or on-demand.
To test your configuration, use the following command:
Command> dial Locname [-x]
Configuring Filters
9
This chapter describes how to configure input and output packet filters. IP, IPX, and
You can also use the ChoiceNet application to filter IP packets by lists of sites rather than
Administrator’s Guide.
This chapter discusses the following topics:
• “Overview of PortMaster Filtering” on page 9-1
• “Creating Filters” on page 9-5
• “Displaying Filters” on page 9-8
• “Deleting Filters” on page 9-8
• “Example Filters” on page 9-9
• “Restricting User Access” on page 9-15
Each topic in this chapter includes examples of filters used to accomplish the goal
described.
See the PortMaster Command Line Reference for more detailed command descriptions and
instructions.
Overview of PortMaster Filtering
Packet filters can increase security and decrease traffic on your network. Filters can be
used to limit certain kinds of internetwork communications by permitting or denying
the passage of packets through network interfaces. By creating appropriate filters, you
can control access to specific hosts, networks, and network services.
Security on your network can be enhanced by limiting authorized activities to certain
hosts. For example, you can restrict the DNS and SMTP interchange with the Internet to
a well-secured host on your network. All Internet hosts can then access only this single
server for those services. If you have several name servers or mail servers, you can use
additional rules to allow access to these servers.
You use Ethernet filters to constrain the types of packets allowed to pass through the
local Ethernet port, and you can set filters on asynchronous ports configured for
hardwired operation when security with another network is an issue.
The packet filtering process analyzes the header information contained in each packet
sent or received through a network interface. The header information is evaluated
against a set of rules that either allow the packet to pass through the interface or cause
the packet to be discarded.
A maximum of 256 filter rules per filter is allowed for the PortMaster 3 and IRX. For
other PortMaster products, the maximum number of filter rules allowed is 100. The
PortMaster generates an error message when the number of filter rules exceeds the
limit.
If a packet is discarded by a filter, an appropriate “ICMP unreachable” message is
returned to the source address. This message provides immediate feedback to the user
attempting the unauthorized access. Packets permitted or denied can optionally be
logged to a host.
Filters can also be used for packet selection—for example, you can use a packet trace
filter to do troubleshooting. The packets permitted by the ptrace filter are displayed,
while packets not permitted by the filter are not displayed. For more information about
the ptrace facility, see the PortMaster Troubleshooting Guide.
Filter Options
Table 9-1 shows different filter options.
Table 9-1   Filter Options

Option                     Description
-------------------------  --------------------------------------------------
Restricting packet         Each user, location entry, and network hardwired
traffic                    port can be assigned both an input packet filter
                           and an output packet filter. Having both input and
                           output filters can decrease the number of rules
                           needed and can provide better tuning of your
                           security policy.
Restricting access based   You can create filters that evaluate both the
on source and              source and destination addresses of a packet
destination address        against a rule list. The number of significant
                           bits used in IP address comparisons can be set,
                           allowing filtering by host, subnet, network
                           number, or group of hosts whose addresses are
                           within a given bit-aligned boundary.
Restricting access to      Packets of certain protocols can be permitted or
particular protocols       denied by a filter, including IPX, SAP, TCP, UDP,
                           and ICMP packets.
Restricting access to      You can create filters that use the source and
network services           destination port numbers to control access to
                           certain network services. The evaluation can be
                           based upon whether the port number is less than,
                           equal to, or greater than a specified value.
Restricting access based   You can create filters that use the status of TCP
on TCP status              connections as part of the rule set. This feature
                           can allow network users to open connections to
                           external networks without allowing external users
                           access to the local network.
Filter Organization
Filters are stored in a filter table in the PortMaster nonvolatile configuration memory.
Filters can be created or modified at any time, and the changes are not applied to an
active use of the filter. Filter names must be between 1 and 15 characters.
Each packet filter can contain three sets of rules: IP, IPX, and SAP. Within each set, the
rules are numbered starting at one. Newly created packet filters contain zero rules, or an
empty set of rules.
An empty set of rules is equivalent to the permit rule. If a filter contains one or more
rules in the set, any packet not explicitly permitted by a rule is denied at the end of the
rule set.
How Filters Work
IP and IPX packet filters are attached to users, locations, Ethernet interfaces, or network
hardwired ports as either input or output filters. SAP filters are attached as output filters
only. The Ethernet interface filter is enabled as soon as the name of the input or output
filter is set.
Input and output are defined relative to the PortMaster interface. As shown in
Figure 9-1, an input filter is used on packets entering the PortMaster and an output
filter is used on packets exiting the PortMaster.
Figure 9-1 Input and Output Filters
[Figure: the PortMaster sits between an Ethernet interface and a serial interface. On
the Ethernet interface, packets in from network users pass through that interface's
input filter, and packets out to network users pass through its output filter. On the
serial interface, packets in from the branch office pass through its input filter, and
packets out to the branch office pass through its output filter.]
All packets entering a PortMaster through an interface with an input filter are evaluated
against the rules in the filter. As soon as a packet matches a rule, the action specified by
that rule is taken. If no rules match the specific packet, the packet is denied and is
discarded. Whenever an IP packet is discarded, the PortMaster generates an “ICMP Host
Unreachable” message back to the originator.
For interfaces with output filters attached, all packets exiting the interface are evaluated
against the filter rules and only those packets permitted by the filter are allowed to exit
the interface.
Creating Filters
You construct a filter by creating the filter and then adding rules that permit or deny
certain types of packets. A maximum of 256 filter rules per filter is allowed for the
PortMaster 3 and IRX. For other PortMaster products, the maximum number of filter
rules allowed is 100. The PortMaster generates an error message when the number of
filter rules exceeds the limit.
Packets are evaluated in the same order as the rules are listed. Therefore, the rules
representing the highest security concern should be specified early in the list of rules,
followed by a rule limiting the volume of traffic.
User filters are attached to users configured for dial-in SLIP or PPP access. When a user
makes a PPP or SLIP connection, the designated filters are attached to the network
interface created for that connection.
Location filters are attached to dial-out locations using SLIP or PPP connections. When
the connection is established to a remote site, the designated filters are attached to the
network interface used.
You can attach filters for incoming packets, for outgoing packets, or for both. It is
usually more effective to filter incoming packets, because an input filter also protects
the PortMaster itself.
For more detailed instructions on using the filter commands, see the PortMaster Command
Line Reference.
To create a filter, use the following command:
Command> add filter Filtername
You must then use the appropriate set command to add rules that permit or deny
packets. A maximum of 256 filter rules per filter is allowed. The PortMaster generates
an error message when the number of filter rules exceeds the limit.
See the following sections for instructions:
• “Creating IP Filters” on page 9-6
• “Filtering TCP and UDP Packets” on page 9-7
• “Creating IPX Filters” on page 9-7
Creating IP Filters
You can create a rule that filters IP packets according to their source and destination IP
addresses. For more information on the command syntax for creating filters, see the
PortMaster Command Line Reference.
To create an IP filter rule that filters by address, use the following command—entered
on one line:
Command> set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] [protocol Number] [log] [notify]
You can replace protocol Number with one of the following keywords:
• esp—matches packets using Encapsulation Security Payload (ESP) protocol. See
  RFC 1827 for more information on this protocol.
• ah—matches packets using Authentication Header (AH) protocol. See RFC 1826 for
  more information on this protocol.
• ipip—matches packets using the IP Encapsulation within IP (IPIP). See RFC 2003
  for more information on this protocol.
If you are using ChoiceNet, you can also replace either the source or destination IP
address with the value =ListName which specifies a list of sites in the
/etc/choicenet/lists directory in the ChoiceNet server. The equal sign (=) must
immediately precede the value.
Filtering ICMP Packets
Internet Control Message Protocol (ICMP) packets, the kind of packet that ping sends,
report errors and provide other information about IP packet processing. You can filter
ICMP packets by source and destination IP address, or by ICMP packet type. Packet
types are identified in RFC 1700.
To create an ICMP filter rule, use the following command—entered on one line:
Command> set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] icmp [type Itype] [log]
TCP Packets
You can filter TCP packets by source and destination IP address, or by TCP port number.
Appendix B, “TCP and UDP Ports and Services,” lists port numbers commonly used for
UDP and TCP port services. For a more complete list, see RFC 1700.
To create a TCP filter rule, use the following command—entered on one line:
Command> set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] tcp [src eq|lt|gt Tport] [dst eq|lt|gt Tport]
UDP Packets
You can filter UDP packets by source and destination IP address, or by UDP port
number. Appendix B, “TCP and UDP Ports and Services,” lists port numbers commonly
used for UDP and TCP port services. For a more complete list, see RFC 1700.
To create a UDP filter rule, use the following command—entered on one line:
Command> set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] udp [src eq|lt|gt Tport] [dst eq|lt|gt Tport] [established] [log]
Creating IPX Filters
You can filter IPX packets in the following ways:
• Source and/or destination IPX network number
• Source and/or destination IPX node address
• Source and/or destination IPX socket number
To create an IPX filter rule, use the following command—entered on one line:
Command> set ipxfilter Filtername RuleNumber permit|deny [srcnet Ipxnetwork] [srchost Ipxnode] [srcsocket eq|gt|lt Ipxsock] [dstnet Ipxnetwork] [dsthost Ipxnode] [dstsocket eq|gt|lt Ipxsock]
Creating SAP Filters
The Service Advertising Protocol (SAP) is an IPX protocol used over routers and servers
that informs network clients of available network services and resources. SAP packets
can be filtered only on output. You can filter SAP packets according to the following
information about the server that is advertising the service via SAP:
• Name
• IPX network number
• IPX node address
• IPX socket number
To create a SAP filter rule, use the following command—entered on one line:
Command> set sapfilter Filtername RuleNumber permit|deny [server String] [network Ipxnetwork] [host Ipxnode] [socket eq|gt|lt Ipxsock]
Displaying Filters
To display the filter table, use the following command:
Command> show table filter
To display a particular filter, use the following command:
Command> show filter Filtername
Deleting Filters
To delete a filter, use the following command:
Command> delete filter Filtername
Example Filters
Because filters are very flexible, you must carefully evaluate the types of traffic that a
specific filter permits or denies through an interface before attaching the filter. If
possible, a filter should be tested from both sides of the filtering interface to verify that
the filter is operating as you intended. Using the log keyword to log packets that match
a rule to the loghost is useful when you are testing and refining IP filters.
Some of the following examples use the 192.168.1.0 network as the public network.
You should substitute the number of your network or subnetwork if you use these
examples.
Note – Any packet that is not explicitly permitted by a filter is denied, except for the
special case of a filter with no rules, which permits everything.
Simple Filter
A simple filter can consist of the following rules:
Command> set filter simple 1 permit udp dst eq 53
Command> set filter simple 2 permit tcp dst eq 25
Command> set filter simple 3 permit icmp
Command> set filter simple 4 permit 0.0.0.0/0 192.168.1.3/32 tcp dst eq 21
Command> set filter simple 5 permit tcp src eq 20 dst gt 1023
Table 9-2 describes, line by line, each rule in the filter.
Table 9-2 Description of Simple Filter
Rule 1. Permits Domain Name Service (DNS) UDP packets from any host to any host.
Rule 2. Permits SMTP (mail) packets.
Rule 3. Permits ICMP packets.
Rule 4. Permits FTP from any host, but only to the host 192.168.1.3.
Rule 5. Permits FTP data to return to the requesting host. This rule is required to
        provide a reverse channel for the data portion of FTP.
Input Filter for an Internet Connection
The filter in this example is designed as an input filter for a network hardwired port that
connects to the Internet. You can use this filter for a dial-on-demand connection by
attaching it to the location entry.
The rules for the filter are set as follows:
Command> set filter internet.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
Command> set filter internet.in 2 permit tcp estab
Command> set filter internet.in 3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25
Command> set filter internet.in 4 permit 0.0.0.0/0 172.16.0.4/32 tcp dst eq 21
Command> set filter internet.in 5 permit tcp 0.0.0.0/0 192.168.0.5/32 dst eq 80
Command> set filter internet.in 7 permit udp dst eq 53
Command> set filter internet.in 8 permit tcp dst eq 53
Command> set filter internet.in 9 permit icmp
Table 9-3 describes, line by line, each rule in the filter.
Table 9-3 Description of Internet Filter
Rule 1. Denies any incoming packets from the Internet claiming to be from—or
        spoofing—your own network (192.168.1.0). This rule blocks IP spoofing attacks.
        This rule also logs the header information in the spoofing packets to syslog.
Rule 2. Permits already established TCP connections that originated from your
        network—packets with the ACK bit set.
Rule 3. Permits SMTP connections to 10.0.0.3 (the mail server).
Rule 4. Permits FTP connections to host 172.16.0.4.
Rule 5. Permits Hypertext Transfer Protocol (HTTP) access to host 192.168.0.5.
Rule 6. Permits an FTP data channel.
Rule 7. Permits DNS.
Rule 8. Permits DNS zone transfers. (You can write this rule to allow only
        connections to your name servers.)
Rule 9. Permits ICMP packets.
Input and Output Filters for FTP Packets
Filters can be used to either permit or deny File Transfer Protocol (FTP) packets. You
must understand how this protocol works before you develop FTP filters.
FTP uses TCP port 21 as a control channel, but it transfers data on another channel
initiated by the FTP server from TCP port 20 (FTP-data). Therefore, if you want to allow
your internal hosts to send out packets with FTP, you must allow external hosts to open
an incoming connection from TCP port 20 to a destination port above 1023. Allowing
this type of access to your network can be very risky if you are running Remote
Procedure Call (RPC) or X Windows on the host from which you are transmitting FTP
packets. As a result, many sites use FTP proxies or passive FTP, neither of which is
discussed in this guide.
Consult Firewalls and Internet Security: Repelling the Wily Hacker by Cheswick and Bellovin
and Building Internet Firewalls by Chapman and Zwicky for information on FTP proxies
and passive FTP.
Likewise, if you want to allow external hosts to connect to your FTP server and transfer
files, you must allow incoming connections to TCP port 21 on your FTP server and allow
outgoing connections from TCP port 20 of your FTP server.
In the following examples, 172.16.0.2 is the address of your FTP server and 192.168.0.1
is the address of the host from which you allow outgoing FTP.
Caution – This configuration is not recommended if you run any of the following
protocols on any of the hosts from which you allow FTP access: NFS, X, RPC, or any
other service that listens on ports above 1023.
The rules for the input filter are as follows:
Command> set filter internet.in 1 permit 0.0.0.0/0 192.168.0.1/32 tcp src eq 20 dst gt 1023
Command> set filter internet.in 2 permit 0.0.0.0/0 192.168.0.1/32 tcp src eq 21 estab
Command> set filter internet.in 3 permit 0.0.0.0/0 172.16.0.2/32 tcp dst eq 21
Command> set filter internet.in 4 permit 0.0.0.0/0 172.16.0.2/32 tcp src gt 1023 dst eq 20 estab
The rules for the output filter are as follows:
Command> set filter internet.out 1 permit 192.168.0.1/32 0.0.0.0/0 tcp dst eq 21
Command> set filter internet.out 2 permit 192.168.0.1/32 0.0.0.0/0 tcp src gt 1023 dst eq 20 estab
Command> set filter internet.out 3 permit 172.16.0.2/32 0.0.0.0/0 tcp src eq 20 dst gt 1023
Command> set filter internet.out 4 permit 172.16.0.2/32 0.0.0.0/0 tcp src eq 21 dst gt 1023 estab
If you allow any internal host to send out packets with FTP, replace 192.168.0.1/32 with
0.0.0.0/0 or your network_number/24. Take appropriate precautions to reduce the risk
this configuration creates.
Rule to Permit DNS into Your Local Network
If the DNS name server for your domain is outside your local network, you should add
the following rule to your input filter:
Command> set filter filtername RuleNumber permit udp src eq 53
This rule permits DNS replies into your local network.
Rule to Listen to RIP Information
To permit incoming RIP packets, add the following rule to your input filter:
Command> set filter filtername RuleNumber permit 172.16.0.0/32 192.168.0.0/32 udp dst eq 520
In the above example, 172.16.0.0/32 is the other end of the Internet connection and
192.168.0.0/32 is the local address of the connection.
Rule to Allow Authentication Queries
To allow authentication queries used by some mailers and FTP servers, add the following
rule to your input filter:
Command> set filter filtername RuleNumber permit tcp dst eq 113
For more information about these types of queries, refer to RFC 1413.
Rule to Allow Networks Full Access
To allow some other network to have complete access to your network, add the
following rule. In the example below, 172.16.12.0 is granted full access to
192.168.1.0/24:
Command> set filter filtername RuleNumber permit 172.16.12.0/24 192.168.1.0/24
Caution – Beware of associative trust. If you allow a network complete access to your
network, you might unknowingly allow other networks complete access, as well. Any
network that can access a network having complete access privileges to your network,
also has access to your network. For example, if Network 1 trusts Network 2 and
Network 2 trusts Network 3, then Network 1 trusts Network 3.
Restrictive Internet Filter
This example filter allows any kind of outgoing connection from the server, but blocks
all incoming traffic to any host but your designated Internet server. This filter also limits
incoming traffic on your Internet server to: SMTP, Network News Transfer Protocol
(NNTP), DNS, FTP, and ICMP services.
Note – Even if you have the latest versions of the daemons ftpd, httpd, and sendmail
you may be vulnerable to attacks through these services. Check the latest CERT
Coordination Center advisories, available on ftp.cert.org, for the vulnerabilities of these
services.
If you use the following example, replace 10.0.0.3 with the IP address or hostname of
your Internet server:
Command> set filter restrict.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
Command> set filter restrict.in 2 permit 0.0.0.0/0 10.0.0.3/32 tcp estab
Command> set filter restrict.in 3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 21
Command> set filter restrict.in 4 permit 0.0.0.0/0 10.0.0.3/32 tcp src eq 20 dst gt 1023
Command> set filter restrict.in 5 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 119
Command> set filter restrict.in 6 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25
Command> set filter restrict.in 7 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 80
Command> set filter restrict.in 8 permit 0.0.0.0/0 10.0.0.3/32 udp dst eq 53
Command> set filter restrict.in 9 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 53
Command> set filter restrict.in 10 permit 0.0.0.0/0 10.0.0.3/32 icmp
Table 9-4 describes, line by line, each rule in the filter.
Table 9-4 Description of Restrictive Internet Filter
Rule 1.  Denies any incoming packets from your own network (192.168.1.0) and makes
         a log.
Rule 2.  Permits packets from any established TCP connection to 10.0.0.3 (the
         Internet server).
Rule 3.  Permits FTP from any IP address to 10.0.0.3 (the server).
Rule 4.  Permits the FTP data back channel.
Rule 5.  Permits incoming NNTP (news) to 10.0.0.3 (the Internet server).
Rule 6.  Permits incoming SMTP (mail) to 10.0.0.3 (the Internet server).
Rule 7.  Permits HTTP requests to 10.0.0.3 (the Internet server).
Rule 8.  Permits DNS queries to 10.0.0.3 (the Internet server).
Rule 9.  Permits DNS zone transfers from 10.0.0.3 (the Internet server).
Rule 10. Permits ICMP to 10.0.0.3 (the Internet server). You can further limit ICMP
         packet types to types 0, 3, 8, and 11 using four rules instead of one.
To log all packets that are denied, add the following rule to the end of your filter:
Command> set filter filtername RuleNumber deny log
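The evaluation order described in “How Filters Work” and relied on by the example filters in this chapter (rules tried in numeric order, the first match decides, anything left unmatched is denied, an empty rule set permits) can be checked offline with the following Python model. It is an added example, not code from this guide or from the PortMaster software. It parses set filter lines in the syntax documented above and runs the restrict.in rules from this section, with the trailing deny log rule just recommended, over constructed packets. Assumptions that the guide does not state: a rule's tokens may appear in either of the two orders the guide's own examples use (addresses before or after the protocol keyword), estab matches only packets with the TCP ACK bit set, and the Command> prompt may be present or absent on a line.

```python
# Model of PortMaster packet-filter evaluation: an added example, not code from the guide
# or from Lucent. Assumptions beyond the guide's text: addresses may precede or follow
# the protocol keyword (both orders occur in its examples) and 'estab' means ACK is set.
import ipaddress, operator, re
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
OPS = {"eq": operator.eq, "lt": operator.lt, "gt": operator.gt}   # src|dst eq|lt|gt Port

@dataclass
class Packet:                     # constructed test packet, not a capture
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp" or a protocol number as text
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False             # TCP ACK bit, which 'estab' tests

@dataclass
class Rule:
    number: int
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None
    sport: Optional[tuple] = None # (op, port)
    dport: Optional[tuple] = None
    estab: bool = False
    log: bool = False

_HEAD = re.compile(r"^(?:Command>\s*)?set\s+filter\s+(\S+)\s+(\d+)\s+(permit|deny)\b(.*)$")

def parse_rule(line: str) -> tuple:
    """Parse 'set filter Name N permit|deny [src/NM dst/NM] [proto] [src|dst op Port] [estab] [log]'."""
    m = _HEAD.match(line.strip())
    if not m:
        raise ValueError(f"not a set filter command: {line!r}")
    name, number, action, rest = m.groups()
    rule, nets, toks, i = Rule(int(number), action), [], rest.split(), 0
    while i < len(toks):
        t = toks[i].lower()
        if "/" in t:              # Ipaddress/NM: NM is the number of significant bits compared
            nets.append(ipaddress.ip_network(t, strict=False))
        elif t in ("tcp", "udp", "icmp") or t.isdigit():
            rule.proto = t
        elif t in ("src", "dst"):
            op, port = toks[i + 1].lower(), int(toks[i + 2])
            if op not in OPS:
                raise ValueError(f"bad port operator {op!r}")
            setattr(rule, "sport" if t == "src" else "dport", (op, port))
            i += 2
        elif t in ("estab", "established"):
            rule.estab = True
        elif t == "log":
            rule.log = True
        elif t != "notify":       # notify is accepted but does nothing in this model
            raise ValueError(f"unrecognised token {t!r}")
        i += 1
    if nets:                      # the guide gives source and destination together
        rule.src, rule.dst = nets
    return name, rule

def _port_ok(spec: Optional[tuple], port: Optional[int]) -> bool:
    return spec is None or (port is not None and OPS[spec[0]](port, spec[1]))

def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.proto is None or rule.proto == pkt.proto)
            and (not rule.estab or pkt.ack)
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport))

def evaluate(rules, pkt: Packet):
    """Return (action, matching rule number or None for the implicit deny, logged)."""
    if not rules:                 # an empty rule set is equivalent to permit
        return "permit", None, False
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):    # first match wins
            return rule.action, rule.number, rule.log
    return "deny", None, False    # no match: discarded, ICMP Host Unreachable returned

# The guide's restrict.in rules, followed by the trailing 'deny log' rule it recommends.
RESTRICT_IN = [parse_rule(l)[1] for l in """
set filter restrict.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
set filter restrict.in 2 permit 0.0.0.0/0 10.0.0.3/32 tcp estab
set filter restrict.in 3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 21
set filter restrict.in 4 permit 0.0.0.0/0 10.0.0.3/32 tcp src eq 20 dst gt 1023
set filter restrict.in 5 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 119
set filter restrict.in 6 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25
set filter restrict.in 7 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 80
set filter restrict.in 8 permit 0.0.0.0/0 10.0.0.3/32 udp dst eq 53
set filter restrict.in 9 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 53
set filter restrict.in 10 permit 0.0.0.0/0 10.0.0.3/32 icmp
set filter restrict.in 11 deny log
""".strip().splitlines()]

if __name__ == "__main__":        # constructed packets arriving from the Internet side
    print(evaluate(RESTRICT_IN, Packet("192.168.1.7", "10.0.0.3", "tcp", 4000, 25)))   # spoofed
    print(evaluate(RESTRICT_IN, Packet("203.0.113.9", "10.0.0.3", "tcp", 4002, 23)))   # telnet
```

Running the block shows a packet whose source claims to be inside 192.168.1.0/24 denied and logged by rule 1, and an unsolicited telnet attempt to the server denied and logged by rule 11. Without rule 11 the same telnet packet is still denied, but by the implicit deny at the end of the rule set and without a log entry; that difference is what the trailing deny log rule buys you when you are testing a filter.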
Restricting User Access
Access filters enable you to restrict Telnet or rlogin connections to a specific host or
network, or a list of hosts or networks. You can create an access filter that restricts user
access to particular hosts.
Access filters work as follows:
1. The user specifies a host.
2. The host address is compared against the access filter.
3. If the address is permitted by the filter, the connection is established.
4. If the address is not permitted, the connection is denied unless access override is
enabled.
If you want a user to be able to override a port’s access filter, enable access override on
that port. In this case, the process is as follows:
1. Access is denied by the access filter.
2. The user is prompted for a user name and password.
3. The user is verified by the user table or RADIUS.
4. The access filter defined for this user is used to determine if the user has permission
to access the specified host.
To enable a user to override a port’s access filter with his or her own filter, use the
following command:
Command> set S0 access on
Using Modems 10
This chapter explains how to configure external modems to work with PortMaster
see Chapter 11, “Configuring the PortMaster 3.”
This chapter discusses the following topics:
• “Null Modem Cable and Signals” on page 10-1
• “Modem Functions” on page 10-2
• “Using Automatic Modem Configuration” on page 10-2
• “Configuring Ports for Modem Use” on page 10-7
See the PortMaster Command Line Reference for more detailed command descriptions and
instructions.
Because the PortMaster is a DTE device, a straight-through RS-232 cable is used to
connect modems to it. Straight-through cables for modems use pins 2, 3, 4, 5, 6, 7, 8,
and 20.
Null Modem Cable and Signals
Ports S0 through S29 are asynchronous DTE ports with female RS-232 connectors. To
connect these ports to a terminal or other DTE, use a null modem cable, typically male-
to-female. Directions (input/output) are with respect to the PortMaster. The PortMaster
does not use the Data Set Ready (DSR) signal.
Note – When the console port is connected to a terminal, it uses software flow control
and therefore requires pins 2, 3, and 7 only.
Null modem cables can be obtained from most suppliers of computer equipment.
Dial-up modems that operate over normal telephone lines at speeds of 28,800bps or
higher are now available. These modems do not operate at a guaranteed throughput,
but rather at a speed dependent on the quality of the line, the effectiveness of data
compression, and other variables. These modems use hardware flow control to stop the
data from the host by raising and lowering the Clear to Send (CTS) signal.
PortMaster products support hardware flow control using the RTS output signal and the
CTS input signal, which is also used by the normal modem handshake.
Modem Functions
Configure modems to do the following for use with the PortMaster:
• Raise DCD when a call comes in
• Reset itself when DTR is dropped
• Lock the DTE speed
• Use hardware flow control (RTS/CTS)
Using Automatic Modem Configuration
PortMaster products use a modem table to automate the modem configuration process.
The modem table is user-configurable and includes long and short modem names,
preferred DTE rate, and the modem initialization string. For convenience, the table is
preconfigured by Lucent for many common modems.
When you specify the name of the modem and the attached port, the PortMaster
automatically configures the modem for you, provided the modem is in the factory
default state when it is initialized.
After a modem type has been specified, the PortMaster automatically sets the port for
hardware flow control, the correct speed, and modem control when the port is reset.
Displaying Modem Settings and Status
To display the modems currently configured in your modem table, use the following
command:
Command> show table modem
A modem table display looks like the following:
Short Name      Long Name            Type
--------------  -------------------  ------
cardinal        Cardinal MVP288XF    System
mega            Massive MegaFast     User
supra-288       Supra V.34           System
The modem type is either system or user. System indicates that the configuration settings
are the factory default settings. User indicates that the user has configured the modem
table settings for that modem.
To display the settings for a particular modem, use the following command:
Command> show modem ModemName(short)
The display for a modem looks like this:
Short Name: supra-fax-288
Long Name: SupraFax 28.8
Optimal Speed: 115200
Type: User Defined
Init Script: Send Command                                     Wait for Reply
             -----------------------------------------------  --------------------
             AT&F2&C1&D3S0=1S2=129s10=20&W                    OK
Adding a Modem to the Modem Table
To add a modem to the modem table, use the following command:
Command> add modem ModemName(short) “ModemName(long)” Speed “String”
For example, to add a Paradyne 3811+ modem to the modem table, enter:
Command> add modem para3811 “Paradyne 3811+” 115200 “AT&FS0=1&W\r^OK”
Note – Use a \r for a carriage return, and a caret (^) to separate the send and expect
characters in the string. In the example above, the PortMaster expects OK. Never use
on or off for a modem short name.
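A small checker for add modem entries, written as an added example (not code from this guide or from Lucent), applies the rules in the Note above before an entry is typed at the Command> prompt: the two characters \r stand for a carriage return, the caret separates the characters the PortMaster sends from the reply it waits for, and on and off may not be used as short names. One assumption goes beyond the guide's text: a string is taken to hold exactly one send^expect pair, as in the Paradyne example. The positive-speed check is a sanity check of my own; the guide gives no range for the DTE rate.

```python
# Checker for 'add modem' entries: an added example, not code from the guide or from
# Lucent. Assumption beyond the guide's text: one send^expect pair per string.
from typing import Dict

def parse_init_string(init: str) -> Dict[str, str]:
    """Split 'SEND^EXPECT' into the characters sent and the reply waited for."""
    if init.count("^") != 1:
        raise ValueError("init string needs exactly one '^' between send and expect")
    send, expect = init.split("^")
    send = send.replace("\\r", "\r")     # the two characters \r become a carriage return
    if not send or not expect:
        raise ValueError("both the send command and the expected reply are required")
    return {"send": send, "expect": expect}

def is_valid_short_name(short: str) -> bool:
    """The guide says never to use 'on' or 'off' as a modem short name."""
    return bool(short) and short.lower() not in ("on", "off")

def modem_entry(short: str, long: str, speed: int, init: str) -> dict:
    """Validate the four 'add modem' arguments and return them as one table entry."""
    if not is_valid_short_name(short):
        raise ValueError(f"{short!r} cannot be used as a modem short name")
    if speed <= 0:                       # sanity check added here; the guide gives no range
        raise ValueError("DTE speed must be a positive bit rate")
    return {"short": short, "long": long, "speed": speed, **parse_init_string(init)}

if __name__ == "__main__":
    # The guide's own example: add modem para3811 "Paradyne 3811+" 115200 "AT&FS0=1&W\r^OK"
    print(modem_entry("para3811", "Paradyne 3811+", 115200, "AT&FS0=1&W\\r^OK"))
```

The returned send value ends in a real carriage return, which is what the PortMaster transmits after the AT command; the expect value OK is the reply the guide says the PortMaster waits for in its example.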
Table 10-1 shows the current factory default settings for commonly used modems.
Table 10-1 Factory Default Modem Table Entries
Modem Name (Short)  Modem Name (Long)         DTE Rate  Initialization String
at&t-v32            AT&T Keep In Touch        57600     AT&F&D3&T5&R0\\D1S0=1&W^OK
cardinal            Cardinal MVP288XF         115200    AT&F1&C1&D2&K3S0=1S2=129S10=20&W0&W1
card-v34-p          Cardinal MVP288CC PCMCIA  115200    AT&F&C1&D3S0=1s2=129S10=20&W