3Com REMOTE ACCESS SYSTEM 1500, Management Manual

Page 1: ... http www 3com com SuperStack II Remote Access System 1500 System Management Guide Release 2 0 Part No 1 024 1797 Rev 2 00 December 1999 ...

Page 2: ...ely at private expense Software is delivered as Commercial Computer Software as defined in DFARS 252 227 7014 June 1995 or as a commercial item as defined in FAR 2 101 a and as such is provided with only such rights as are provided in 3Com s standard commercial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 Ju...

Page 3: ... 18 Shared ISP 19 LAN to LAN 19 Individual Dial Out 19 Comprehensive Security Options 20 Configuration Options 20 Web Configuration Interface 20 Command Line Interface 20 2 USING THE COMMAND LINE INTERFACE CLI Overview 22 Viewing Command Line Interface Help 22 Navigating the Command Line Interface 22 Obtaining Registered IP Addresses 23 Accessing the CLI 23 IBM Computer compatible Computers 24 Mac...

Page 4: ... the Primary Access Unit 33 Configuring Expansion Units 34 Reconfiguring the Private IP Network 34 Replacing I O Modules in the Port Expansion Unit 35 Disconnecting Expansion Units 35 Expansion Unit Configuration after Rebooting 35 Configuring the WAN Interface 36 Configuring Static Routes 36 IP Routes 36 IPX Routes 37 3 WEB BASED CONFIGURATION OF THE RAS 1500 Overview 39 Preparing the RAS 1500 fo...

Page 5: ...efore You Begin 59 Required Information 59 Optional Information 60 RAS 1500 Configuration 60 Computers on the Network 60 Configuring the RAS 1500 61 Step One Add a System Name 61 Step Two Add an IP Network 62 Step Three Add a Modem Group optional 62 Step Four Add the Dial out Service 63 Step Five Add Users 65 Step Six Save Your Work 66 Configuring Network Computers 66 Dialing Out From a Network Co...

Page 6: ...nfiguring Callback Users 79 Calling Line Identification Callback 80 Overview 80 Call Handling 82 Configuring CLID Callback 84 Step One Add a CLID User 84 Step Two Configure the User CLID callback Settings 84 Step Three Configure CLID Security 86 Troubleshooting CLID Callback 87 Case Study 88 Network Callback User Case Study 88 Assumptions 88 How to Configure this User 88 How it Works 89 Network Us...

Page 7: ...ur Configure the User Routing Parameters 102 Step Five Configure the User PPP Parameters 103 Step Six Configure Phone Numbers 104 Step Seven Configure Authentication 105 Step Eight Save Your Work 105 LAN to LAN Routing Case Study 105 Goals 105 Assumptions 105 Strategies 106 Configuring IP on Demand 110 8 BRIDGING WITH THE RAS 1500 Overview 112 How the RAS 1500 Acts as a Bridge 112 When to Use Brid...

Page 8: ...ce 130 AT Commands 130 Sending AT Command 130 Obtaining AT Command Help 131 Commonly Used AT Commands 131 Disconnecting with AT Commands 133 Configuring Data Compression Settings 134 Configuring Error Control Options 136 Using Error Control 137 Configuring Carrier Delay Times 138 Modifying Carrier Receive Delay 139 Configuring Link Option Settings 140 Link Speed Index 140 Obtaining Modem Call Info...

Page 9: ... Setting the Originate Call Type 154 11 CONFIGURING THE RAS 1500 ROUTER Reconfiguring Your System 157 Customizing CLI Parameters 157 Discarding and Renaming Files 161 Communicating with Remote and Local Sites 161 Dial Disconnect and Hangup Commands 161 Exiting the CLI 162 Network Services 163 Troubleshooting Commands 168 Viewing Facility Errors 168 Terminating an Active Process 168 Resolving Addre...

Page 10: ...ng NOS Authentication on the RAS 1500 192 Troubleshooting NOS Authentication 195 RADIUS Accounting 195 Configuring RADIUS Accounting 196 Enabling and Disabling RADIUS Accounting 198 13 USING FRAME RELAY Overview 202 What is Frame Relay 202 Permanent and Switched Virtual Circuits 202 Data Link Connection Identifier 202 Committed Information Rate 203 Forward and Backward Explicit Congestion Notifica...

Page 11: ...ic Filters 220 Creating Filters 220 Filter File Components 220 Creating Filter Files 224 Configuring Filters 226 Setting Filter Access 226 Interface Filters 227 User Filters 228 Assigning a Filter to an Interface 229 Assigning a Filter to a User 229 Managing Filters 230 Displaying the Managed Filter List 230 Adding Filters to the Managed List 230 Removing a Filter from an Interface 231 Removing a ...

Page 12: ...gram Protocol Broadcast Forwarding 251 Configuring UDP Broadcast Forwarding 252 Displaying UDP Broadcast Forwarding Parameters 252 16 USING NETWORK ADDRESS TRANSLATION AND PORT ADDRESS TRANSLATION Overview 253 Network Address Translation 253 Port Address Translation 255 Configuring NAT and PAT 257 Configuring Network Address Translation 257 Configuring Port Address Translation 258 Case Studies 260...

Page 13: ...ormation 280 Analog V 34 Model FCC Part 68 Compliance Statement 280 Canadian Installations 280 Physical Dimensions 281 Interfaces 281 Power Requirements 283 C TECHNICAL SUPPORT Online Technical Services 285 World Wide Web Site 285 3Com FTP Site 285 3Com Bulletin Board Service 286 3ComFacts Automated Fax Service 287 Support from Your Network Supplier 287 Support from 3Com 287 Returning Products for...

Page 14: ......

Page 15: ...nformation Required Reference Command Line Interface basics Using the Command Line Interface Web based Configuration Web based Configuration of the RAS 1500 Configuring NOS or RADIUS security Using Security and Accounting Enhancing security with packet filters Handling Packet Filters How to configure outgoing calls via DialOut IP Configuring DialOut IP How to configure outgoing calls via Telnet Co...

Page 16: ...s primary dial back number Set user name phone_number number In this example you must supply the user s name for name and phone number for number Commands The word command means you must enter the command exactly as shown in text and press the Return or Enter key Example To list the current IP routes enter the following command list IP routes This guide always gives the full form of a command in u...

Page 17: ...r Module or Port Expansion Module Release Notes SuperStack II Remote Access System 1500 This document provides information about the system software release including new features and bug fixes It also provides information about any changes to the RAS 1500 system Key names Key names appear in text in one of two ways Referred to by their labels such as the Return key or the Escape key Written with ...

Page 18: ...This guide describes the installation and initial configuration of the RAS 1500 system SuperStack II Remote Access System 1500 System Reference Guide This guide describes how to configure the software for the SuperStack II Remote Access System 1500 Year 2000 Compliance For information on Year 2000 compliance and 3Com products visit the 3Com Year 2000 Web page http www 3com com products yr2000 html...

Page 19: ...1 OVERVIEW This chapter contains the following information Overview Applications Configuration Options This guide provides the most commonly used command line interface CLI parameters ...

Page 20: ...Primary Access Unit The RAS 1500 maybe be configured with a Router Unit and a Primary Access Unit as follows T1 North America Primary Access Unit with 23 Primary Rate Interface PRI ISDN channels E1 European Primary Access Unit with 30 PRI ISDN channels Applications The RAS 1500 is a multiprotocol dial up router and terminal server commonly described as a remote access server The RAS 1500 performs ...

Page 21: ... and a remote LAN Routing occurs when one device dials up another device and logs in as a user There are several types of LAN to LAN connections Manual On demand Timed Continuous The RAS 1500 supports many routing and protocol configurations It is capable of establishing additional connections to increase bandwidth automatically when network traffic increases Individual Dial Out Dial Out is used t...

Page 22: ... configuration options Web Configuration Interface Command Line Interface Web Configuration Interface You can configure the RAS 1500 by accessing the RAS 1500 Web Configuration Interface The Web Configuration Interface consists of a series of Web pages that are embedded on the RAS 1500 and viewed through a Web browser Command Line Interface The RAS 1500 command line interface CLI provides the most...

Page 23: ...wing information CLI Overview Obtaining Registered IP Addresses Accessing the CLI Using CLI Quick Setup Configuration with the CLI Configuring a Manage User Configuration with the CLI Configuring Expansion Units Configuring the WAN Interface Configuring Static Routes ...

Page 24: ...ssible options Navigating the Command Line Interface In addition to CLI commands required to configure the RAS 1500 the CLI has several additional commands to help make navigation through the CLI easier Table 3 General CLI Editing Functions Action Command Move to the beginning of the command line Ctrl A Move to the end of the command line Ctrl E Go left one character Ctrl B or left arrow Go right ...

Page 25: ...inal Use the following steps to access the CLI from the Windows 95 or Windows NT desktop 1 Connect the provided serial cable to the RAS 1500 console port and your computer serial port 2 Click Start then Programs then Accessories then click Hyperterminal 3 Select hypertrm exe HyperTerminal starts and displays the Connection Description dialog box 4 In the Connection Description dialog box type a na...

Page 26: ...mmunications package or your program does not support VT100 emulation use ZTerm UNIX based Computers Kermit minicom and tip are typical terminal emulation programs for UNIX based computers Depending on the platform you use you may need to modify a configuration file for VT100 settings Using CLI Quick Setup The RAS 1500 automated Quick Setup program provides initial configuration through the CLI It...

Page 27: ...y additional system information The name you enter serves as the RAS 1500 DNS name and SNMP system name The name is also the name that the RAS 1500 advertises in SAP broadcasts The name must be unique no other device on your network can share it a Set system information Use the following command set system name RAS 1500 name up to 64 characters location system site contact contact information You ...

Page 28: ...ptable range is 8 30 32 if a host The network address is considered invalid if the portion of the station address not covered by the mask is 0 or if the station address plus the mask is 1 all 1s Defining a numerical subnet is useful when your classification falls in between classes To enter the IP network information enter the following command add ip network network name interface rm0 eth 1 addre...

Page 29: ... 202 40 metric 1 Check the default route setting with the list ip routes command Step Four Configure IPX To configure the RAS 1500 LAN interface on an IPX network you must Determine the IPX network number Set the RAS 1500 IPX parameters Specify Frame Type Even if your network uses only the IPX protocol you must still set up an IP address for the RAS 1500 if you want to use the Web Management Inter...

Page 30: ...fh Interrupt Ah Node address 0000C0488D28 Frame type ETHERNET_802 2 Board name TENBASE_802 2 LAN protocol RPL LAN protocol IPX network 00000684 This is an example of the information returned for one version 3 xx card that has two different frame types The card has one port address but two LAN protocol network addresses one for each frame type The network number for 802 3 is 00000255 and for 802 2 ...

Page 31: ...AS 1500 LAN port The same physical network segment has a different network number for each frame type used Be sure to enter the network number associated with the chosen frame type Use the following command add ipx network network name address ipx address interface rm0 eth 1 frame dsap ethernet_ii novell_8023 snap Example abbr add ipx network segment2 add 00000576 interface rm0 eth 1 frame etherne...

Page 32: ... error message For instance in the case of three offline servers A B and C the RAS 1500 admits failure only after trying to reach them one after the other three times Use the following command add dns server ip_address preference number name server_name Example add dns server 192 75 222 182 preference 1 name farley The DNS server is only consulted to resolve host names not found in the Hosts Table...

Page 33: ... your generic SNMP software You must set the following SNMP community values name community name address IP address of the Windows SNMP manager access either read only read write or administrator read and write access For a public community with read only privileges assign the address to any station 0 0 0 0 To add the SNMP community values enter the following add snmp community name address IP add...

Page 34: ...anage privileges to establish a secure centrally administered router through the CLI You can configure a remote login user or if you prefer to dial in you can create a manage user locally through the console port You cannot do so via Telnet at this point in the configuration Only manage users can access the CLI 1 Create a manage user If you want the manage user to login use the command below set t...

Page 35: ...r Router Unit use the following command set imodem interface rm0 slot1 mod 1 at_command ati12 Configuring Modems in the Port Expansion Unit To configure specific modems on your Port Expansion Unit use the following rule set imodem interface pem 0 2 slot 1 2 mod 1 4 For example to view the configuration of the first I modem in the left slot of the first Port Expansion Unit in your stack use the fol...

Page 36: ...s private it may possibly conflict with other private IP networks defined in an office or enterprise If there is a conflict unpredictable problems with routing those private IP addresses through the RAS 1500 and unpredictable problems with booting expansion units could occur Therefore the RAS 1500 supports reconfiguration of this private network Use the following steps to reconfigure the RAS 1500 ...

Page 37: ... module if the Port Expansion Unit does not correctly recognize it complete the following steps 1 Disconnect the FireWire cable to the Router Unit 2 Delete the Port Expansion Unit delete pem pem name 3 Save the configuration save all 4 Reconnect the FireWire cable 5 Reset the Port Expansion Unit via the front panel 6 After the boot procedure is complete blinking green on the Port Expansion Unit sa...

Page 38: ...mands set the destination IP IPX address the gateway used to access the remote destination and a metric value or distance in hops to reach the destination from the RAS 1500 The RAS 1500 also allows you to configure a static route when you know the destination you want to connect with IP Routes The command below adds an IP static route entry to the IP Routing Table add ip route ip_network_address g...

Page 39: ... the remote destination is written in the hexadecimal format xxxxxxxx where addresses ffffffff or fffffffe are invalid The gateway is expressed in the hex format xxxxxxxx xx xx xx xx xx xx where xxxxxxxx is the IPX network address and xx xx xx xx xx xx is a MAC Ethernet address Metric and tick values are also required Ticks specify the interval between transmission and delivery of a packet to the ...

Page 40: ......

Page 41: ...e RAS 1500 by accessing the RAS 1500 Web Configuration Interface The Web Configuration Interface consists of a series of Web pages that are embedded on the RAS 1500 and viewed through a remote Internet browser such as Netscape Navigator or Microsoft Internet Explorer 4 x or greater Initially use the Web Configuration Interface Setup Wizard to perform basic configuration of the RAS 1500 The Setup W...

Page 42: ...ation NAT and port address translation PAT settings Authentication Remote Authentication Dial In User Service RADIUS and network operating system NOS and accounting settings Login host Simple Network Management Protocol SNMP community and Trivial File Transfer Protocol TFTP client settings System log settings Modem group settings User settings Network services such as Telnet Calling line identific...

Page 43: ...n an IP address to a device Before you start this procedure confirm the RAS 1500 is connected to the same LAN segment as the workstation on which you are running the IP Wizard 1 Insert the SuperStack II Remote Access System 1500 Resource CD into the CD ROM drive The RAS 1500 Setup Screen appears If your PC does not automatically run the CD perform the following steps a At the Windows 95 or NT desk...

Page 44: ...nt as the IP Wizard workstation but do not have an IP address The RAS 1500 MAC address is printed on a sticker on the rear of the unit 4 In the IP Address text box type the IP address in dotted decimal notation you want to assign to the RAS 1500 The IP address you assign must be a part of the IP network to which the RAS 1500 is attached 5 In the Netmask text box type the network mask in dotted dec...

Page 45: ...eater Java script supported and enabled Style sheets supported and enabled Frames supported 800 x 600 resolution on a 15 monitor 2 In the location or address field at the top of the browser type the RAS 1500 IP address The Web Management Interface appears Web based Management of the RAS 1500 This section provides an overview of the RAS 1500 Web Configuration Interface Basic Navigation Figure 3 hig...

Page 46: ...44 CHAPTER 3 WEB BASED CONFIGURATION OF THE RAS 1500 Figure 3 Web Configuration Interface Initial Screen B C A D E ...

Page 47: ...Table 4 Web Configuration Interface Initial Screen Callout Description A Uniform resource locator URL of the RAS 1500 B Available views Each of these views displays a different tree of folders and Web pages in the left frame of the window The Configure view displays Web pages in which you change the RAS 1500 settings The View view displays Web pages in which you view the RAS 1500 settings The Help...

Page 48: ...d you are prompted to setup a manager user as shown in Figure 5 Once this is done you may setup the RAS 1500 Figure 5 Setting Manager User Username and Password Configuration Pages Figure 6 shows a configuration page in the Web Management Interface See Table 5 for a detailed description ...

Page 49: ...ed Management of the RAS 1500 47 Figure 6 Web Configuration Interface Configuration Page Table 5 Web Management Interface Configuration Page Callout Description A Configuration fields B Navigation buttons B A ...

Page 50: ...a field label A new window appears and displays help text for the selected field Page specific help In a configuration page click the Help button at the bottom of the page or in the Help view click the configuration page for which you want help A new window appears and displays help text for the page Advanced Configuration After initial configuration using the setup wizard you use the Navigation f...

Page 51: ...that you could access with a modem directly connected to the computer Dialout IP Verses Telnet Network computers communicate with the RAS 1500 over the LAN using either DialOut IP or Telnet A difference between DialOut IP and Telnet network dial out is that DialOut IP supports Windows Dial Up Networking and Telnet does not So if you need access to the Internet over a dial up PPP connection or any ...

Page 52: ...ce name Optional Information The following information is optional Modem group name Modems to include in the modem group Configuring Your System For DialOut IP Software The RAS 1500 includes DialOut IP software for Windows 95 98 NT computers DialOut IP allows the RAS 1500 modems to be shared for dialing out However the RAS 1500 is not configured out of the box to support dial out Setting up your s...

Page 53: ...dem group for example dialout_modems The list of modems is a comma separated list of modem device names It cannot contain spaces Example rm0 slot 1 mod 1 rm0 slot 1 mod 2 The RAS 1500 includes a default modem group named all that contains all of the modems on the RAS 1500 If you want dial out available from all of the modems on the RAS 1500 skip the add command and use the all modem group in the s...

Page 54: ...ut DialOut IP does not support authentication through the RAS 1500 therefore a login prompt must not appear when the network service is first contacted To ensure security is off issue the following command set dial_out security no Step 4 Save the Configuration Save the configuration using the following command save all Step 5 Test the Configuration To test that the configuration was successful com...

Page 55: ...readability Use the all modem group only if every modem port on the 1500 is connected to a telephone switch central office or PBX set modem_group all access two_way add network service dialout_service server_type telnetd socket 6000 data auth off service_type dialout modem_group all set dial_out security no save all Example 2 Dial out using the first four modems To enable dial out for the first fo...

Page 56: ... Select Ports dialog box appears Step 2 Create DialOut IP COM Ports 1 In the Select Ports dialog box select the COM ports you want DialOut IP to create The list does not include COM ports that are in use 2 Click OK The COM ports are created A dialog box appears 3 Click Reboot Now The workstation reboots Step 3 Run the Configuration Wizard 1 After the workstation reboots a DialOut IP icon appears i...

Page 57: ...TCP port number of the RAS 1500 8 Click Start DialOut IP determines the correct settings for the COM port If the process finishes with no errors click Use Settings to configure the selected COM port If the process finishes with errors you must investigate and correct them before proceeding 9 Repeat steps 3 through 8 for each COM port you want to configure 10 Close the dialog box Step 4 Add a Windo...

Page 58: ......

Page 59: ...IGURING TELNET NETWORK DIAL OUT This chapter contains the following information Overview Before You Begin Configuring the RAS 1500 Configuring Network Computers Dialing Out From a Network Computer Case Study ...

Page 60: ...the local area network LAN to access modems on the RAS 1500 as though the modems were directly connected to the computers Once connected to a modem a network user can dial out to the Internet electronic bulletin board systems BBSs information services such as CompuServe ftp sites and e mail sites anything that you could access with a modem directly connected to the computer See Figure 7 for a diag...

Page 61: ...set up This chapter details Telnet network dial out For details about DialOut IP refer to Chapter 4 Configuring DialOut IP Configuring and Using Telnet Network Dial out Complete the following steps to dial out from a network computer through a RAS 1500 Each of these steps is detailed later in this chapter 1 Configure the RAS 1500 2 Configure computers on the network 3 Dial out from a computer on t...

Page 62: ...meout Login banner Login prompt RAS 1500 Configuration Before you begin confirm the following steps are complete as detailed in the Getting Started Guide The RAS 1500 hardware is successfully installed An IP address is assigned to the RAS 1500 If necessary the RAS 1500 ISDN ports are configured including SPIDs directory numbers and switch type Computers on the Network Must have Telnet ...

Page 63: ...ed in the RAS 1500 command line interface CLI If you need assistance with accessing the CLI refer to the Getting Started Guide You must press Enter to issue a command in the CLI This step is not included in the procedures below Step One Add a System Name The system name helps you identify the RAS 1500 during subsequent configuration Use the following command to add a system name set system name na...

Page 64: ...00 sends a message to alert the user Users can either re submit the request for a modem or select another modem group Configure modem groups by specifying the interfaces that you want to belong to the group add modem_group group_name interface modem slot modem port Table 7 IP Network Parameters Parameter Description network name Name of IP network Unique ASCII string of up to 64 characters address...

Page 65: ...dem group you create in this step Step Four Add the Dial out Service 1 Add the Telnet dial out service Use the following command add network service service name server_type server type socket socket number data ancillary data Table 9 Network Service Parameters Parameter Description network service name Name of the service Limit 64 ASCII characters server type Designates the type of service which ...

Page 66: ...es This parameter is optional For example modem_group telnet_users If you do not enter this command the network service uses the default modem group all which includes all of the modems on the RAS 1500 Important You cannot assign more than one modem group to a DialOut IP network service auth on off which indicates whether a dial out user is required to login This parameter is optional If you do no...

Page 67: ...rk dial out service enable network service service_name Example enable network service telnet_lab You cannot change the service name using the set network service command To change the service name you must delete the network service using the delete network service command and add it again using the add network service command Step Five Add Users Create at least one dial out user Use the followin...

Page 68: ...n each of the network computers as noted in Before You Begin on page 59 Table 10 User Parameters Parameter Description username Name of user up to 64 ASCII characters user password Password of the user user type Type of user A user can be more than one type but for Telnet dial out these types must include dial out Login Network Callback Dial out Manage modem group name Name of modem group used to ...

Page 69: ...rovides a step by step example of configuring the RAS 1500 and network computers for Telnet dial out A user on the network Eddie wants to dial out through the RAS 1500 using Telnet This example assumes the following Eddie uses a Windows 95 computer Analog I O cards are installed in the RAS 1500 All basic system and network configuration is complete To configure network dial out service follow thes...

Page 70: ...rs Use the following command add network service telnet server_type telnetd socket 6666 data service_type dialout modem_group telnet_users 7 Save your work Use the following command save all 8 On the network computer launch Telnet and access the RAS 1500 From the Windows 95 desktop click Start then Run In the Run dialog box enter the following telnet 192 112 227 110 6666 Click OK 9 Log in to the R...

Page 71: ... contains the following information Overview Before You Begin Configuring the Remote Computer Configuring RAS 1500 Using Callback and Roaming Callback Calling Line Identification Callback Network Callback User Case Study Network User Case Study ...

Page 72: ... connect to the local network via Novell IPX Internet Protocol IP or AppleTalk Using Network Dial In Use network dial in Figure 8 if you want to configure a RAS 1500 to allow dial in users to do the following Access network servers such as e mail Access the Internet Access bulletin board systems Access UNIX hosts Remotely access your RAS 1500 Figure 8 How Network Dial In Works ...

Page 73: ...Requirements Provide the remote RAS 1500 dial in user with the following Username and password Telephone number to access RAS 1500 Communications Software Provide the remote computers with the correct communications software Dial up Adapter to connect to PPP and RAS 1500 TCP IP Dial up Adapter to connect to the Internet and Wide Area Networks WANs Client for Microsoft Networks to connect to other ...

Page 74: ... PPP parameters for network users 4 Configure additional dial up parameters IP Address Pool Overview RAS 1500 has an option to dynamically assign IP addresses to dial in network users from a pool each time they connect This is done on RAS 1500 by configuring IP address pools RAS 1500 bundles several IP addresses into one to limit Routing Information Protocol RIP advertisements The IP pool is creat...

Page 75: ...xample set ip pool kurtspool size 24 3 Configure the state of the IP address pool Use the following command set ip pool name public private Example set ip pool kurtspool public 4 Configure the IP address pool route Use the following command set ip pool name route aggregate no_aggregate Example set ip pool kurtspool route aggregate Table 11 IP Pool Access User Type Parameter All users public Specif...

Page 76: ...following command add user name password password type network login callback dialout manage network_service slip ppp fcp arap fr_1490 Example add user kurt password chicago type network login network_service ppp IP users can use SLIP or PPP as their remote access protocol but SLIP is not supported for network users using the negotiate address selection method For example to add a network manage u...

Page 77: ...supported for network users employing this method Use the following command set network user name address_selection assign negotiate specified Example set network user gina address_selection negotiate 4 Save your work save all For most configurations additional setup is not required If you are an advanced user read steps three and four and determine if you need to perform advanced configuration or...

Page 78: ...ompression algorithm type Use the following command set network user name ppp compression_algorithm ascend auto microsoft none stac Example set network user tom ppp compression_algorithm stac 2 Configure the PPP expansion algorithm type Use the following command set network user name ppp expansion_algorithm constant linear Example set network user tom ppp expansion_algorithm constant 3 Configure t...

Page 79: ...optimum compression algorithm Use the following command set network user name ppp reset_mode_co auto every_packet every_error Example set network user tom ppp reset_mode_co auto 7 Configure the ML PPP channel values Use the following commands set network user name ppp channel_decrement 0 100 set network user name ppp channel_expansion 0 100 set network user name ppp max_channels 0 8 Example set ne...

Page 80: ...y to use either the Password Authentication Protocol PAP or Challenge Handshake Authentication Protocol CHAP for PPP connections The default setting is either When a user dials in RAS 1500 first tries to authenticate the user using CHAP If the remote computer does not respond RAS 1500 attempts to use PAP If the remote computer doesn t respond the connection is dropped Change the authentication set...

Page 81: ...AS 1500 call you back at a preconfigured phone number Dynamic callback Dynamic callback or Roaming callback allows your users to dial into your SuperStack II Remote Access 1500 prompts for the callback number hangs up and negotiates the number to be called back Configuring Callback Users You can use the SuperStack II Remote Access 1500 to call back users Configuring a Normal Callback User Use the ...

Page 82: ... dial in user based on the user s Automatic Number Identification ANI Benefits of callback over dial in Cheaper in certain cases Provides lower cost connections when the calling party s tariffs are higher than the service provider s tariffs More secure Provides additional security because remote users must be contacted at a phone number maintained at the service provider Benefits of CLID callback ...

Page 83: ...he RAS 1500 supports only CLID callback for ISDN users not analog users The RAS 1500 supports only CLID callback for local users not Network Operating System NOS and Remote Authentication Dial In User Service RADIUS users Microsoft Windows Dial Up Networking does not support the RAS 1500 s implementation of CLID callback in which the remote user does not initially connect to the RAS 1500 and is no...

Page 84: ...ches the incoming ANI The RAS 1500 queries the user s record for its type A remote user dials into the RAS 1500 Does the ANI of the incoming call match the CLID of a user The RAS 1500 places a dial out call through a modem in the user s modem group to the remote user at the phone number or the alternate phone number if necessary specified in the user s record The RAS 1500 answers the call as a reg...

Page 85: ... If the ANI of the incoming call matches the CLID of the user the user is called back If the ANI of the incoming call does not match the CLID of the user the call is rejected Option 2 CLID callback and other types of calls are possible CLID security DISABLED User type CLID_callback If the ANI of the incoming call matches the CLID of the user the user is called back If the ANI of the incoming call ...

Page 86: ...use the following command add user name type clid_callback network and or login For example add user schmidt type clid_callback network When issuing the add command for a clid_callback user the type parameter must also include either network or login or both To modify an existing user to be a CLID user use the following command set user name type clid_callback network and or login For example set ...

Page 87: ...e RAS 1500 calls back the remote user The RAS 1500 attempts the alternate number if the primary number is unavailable Use the following command set user name phone_number primary phone number set user name alternate_phone_number alternate phone number For example set user schmidt phone_number 8475552100 set user schmidt alternate_phone_number 8475552101 CLID callback and PPP callback use the same ...

Page 88: ...etting to modems or modem groups To set CLID security for a modem You can only configure modems one at a time To configure multiple modems at the same time use modem groups below set switched interface interface name clid_security on off For example set switched interface rm0 slot 1 mod 1 clid_security on To set CLID security for a modem group set modem_group modem group name clid_security on off ...

Page 89: ...ser fred type manage clid_callback ras1500 set user fred phone_number 384010 modem_group onest ras1500 set user fred callback_delay 5 ras1500 set fac Call Initiation Process log verb ras1500 set switched inter rm0 slot 2 mod 1 clid_security off ras1500 AT 05 42 41 Facility Call Initiation Process Severity VERBOSE CIP Call arrived request id 2 was accepted on interface rm0 slot 2 mod 1 ras1500 set ...

Page 90: ...sumptions This case study assumes the following A Windows 95 Dial Up Networking connection was created and Network settings were configured for the client RAS 1500 uses the correct IP address and netmask The IP network is configured All other settings remain at factory defaults How to Configure this User Use the following steps to configure the user 1 Add a user Gina of the network callback type a...

Page 91: ...detects the authentication method the remote computer is using CHAP or PAP RAS 1500 first attempts CHAP then PAP authentication If the remote computer does not support one of these methods RAS 1500 drops the call If the PPP link to RAS 1500 succeeds the message appears on Gina s screen as shown in Figure 10 Figure 10 Connection Message Network User Case Study In this case study a network user is c...

Page 92: ...lt IP addresses are not broadcast aggregate IP addresses are broadcast 4 Add idle and session timeouts to limit Bridgett s time on the line set user bridgett idle_timeout 90 session_timeout 1800 5 Save your work save all How it Works Bridgett dials into RAS 1500 using PPP Dial Up Networking with the username and phone number supplied by the administrator Bridgett is authenticated by PAP and Window...

Page 93: ...information Overview Before you Begin Configuring LAN to LAN Routing LAN to LAN Routing Case Study Configuring IP on Demand This chapter assumes that all routing devices have been installed and that both local area networks LANs have been properly configured ...

Page 94: ...ket arrives at a bridge or a router the device uses tables to determine where the packet belongs A major difference between routing and bridging is the layer at which each works Bridges use hardware address Data Link layer to determine the destination of the packet Routers use network address Network layer to determine the destination of the packet This chapter discusses configuring the RAS 1500 f...

Page 95: ...S 1500 connects to another router periodic router updates called RIP messages allow routers to identify which networks are accessible You can configure the RAS 1500 to send and receive these RIP messages on a per user router basis for the IP protocol Enable routing if you want to use dynamic routing the default value is none Table 18 Types of LAN to LAN Connections Type Status On Demand This conne...

Page 96: ... the expansion value you specify the RAS 1500 brings up an additional B channel If on a second sample line usage drops below the decrement value you set the RAS 1500 drops the additional B channel The sampling interval cannot be modified but you can configure expansion and decrement thresholds to meet your system needs IP Routing Overview Numbered and Unnumbered Interfaces Either a numbered or an ...

Page 97: ...ave defined a static route to a given location the RAS 1500 assumes you want to use that route and ignores dynamic routing broadcasts pointing to the same location Static routes remain in the table until removed by the administrator Default Routes A default route is used to route to networks not specifically listed in the routing table It can be used on routers that have just one connection to rem...

Page 98: ...ay to reach a remote network your RAS 1500 is not aware of by manually specifying it Spoofing The RAS 1500 supports spoofing between another RAS 1500 or Total Control products Spoofing is an inexpensive way to make two sides of a disconnected circuit believe that the connection still exists in order to limit network traffic and maintain the advantages of on demand service The RAS 1500 spoofs RIP b...

Page 99: ...string the challenged system replies with a packet containing both the response value and a username The authenticating host looks up the correct password for the username received and then performs the same calculations the client performed comparing the result to the response value received If the results match the RAS 1500 allows the challenged system to pass through However the authenticating ...

Page 100: ...ree Configure the user dial_out parameters Step Four Configure the user routing parameters Step Five Configure the user PPP parameters Step Six Configure phone numbers Step Seven Configure authentication Step Eight Save your work Step One Add the LAN to LAN User To add a LAN to LAN user use the following command 1 Add a user Add the user password user type dial_out network and enable the user Exam...

Page 101: ...ss for a numbered link is the IP address of the dial up port on the remote device The remote_ip_address for an unnumbered link is the IP address associated with the unnumbered interface on the remote device to which this link is being configured for example the Ethernet port of the remote device Example set network user main_office address_selection specified remote_ip_address 123 123 123 2 Table ...

Page 102: ...supplied by the RAS1500 when it is prompted for a password by a remote router that is authenticating it It should match the password defined on the remote router for that identity When the default route option is enabled a default route is added to the routing table with the gateway set to the user remote ip address as set on the local RAS 1500 Example set network user main_office send_password me...

Page 103: ...ssion These settings are only necessary if the connection type is timed set dial_out user username site start_time hh mm ss end_time hh mm ss Example set dial_out user main_office site start_time 13 00 00 end_time 14 00 00 Table 21 Connection Type Action on demand Initiation is automatic when valid interesting data requires to traverse the link timed Initiated and terminated automatically at preco...

Page 104: ...oute is added to the routing table after the user connection is active Until then it is not visible in the routing table add framed_route user username ip_route ip hostname ip network address gateway hostname station address metric value Configure a framed route for a user add framed_route user username ip_route ip hostname ip network address gateway hostname station address metric value Example a...

Page 105: ...ccm 1 Configure basic PPP parameters set network user username ppp compression_algorithm algorithm max_channels maximum number of channels channel_expansion at x percent load on current link channel_decrement at y percent load on current link The recommended compression algorithm for dial in users is AUTO which is the default value The recommended compression algorithm for dial out users is Ascend...

Page 106: ...channels 2 channel_expansion 60 channel_decrement 20 2 Configure optional PPP parameters set network user username ppp expansion_algorithm linear or constant min_size_compression 0 2047 bytes reset_mode_compression when to reset receive_acc_map accm transmit_acc_map accm Example set network user main_office ppp min_size_compression 256 reset_mode_compression auto receive_acc_map 00000000 transmit_...

Page 107: ...dial up LAN to LAN connection Example set ppp receive_authentications chap set system transmit_authentication_name main_office Step Eight Save Your Work Save your work save all LAN to LAN Routing Case Study Goals Connect the main_office the RAS 1500 that is on LAN 1 to the branch_office the RAS 1500 that is on LAN 2 Use a LAN to LAN connection over a dial up on demand PPP link Increase the bandwid...

Page 108: ...1 C interface rm0 eth 1 2 Add a user add user branch_office password chicago type network dial_out set user branch_office idle_timeout 300 Idle_timeout must be a minimum of 180 3 Configure the user network parameters set network user branch_office address_selection specified remote_ip_address 78 0 0 2 A set network user branch_office ipx disable appletalk disable bridging disable set network user ...

Page 109: ...ess 192 112 227 1 C interface rm0 eth 1 2 Add a user add user main_office password boston type network dial_out set user main_office idle_timeout 300 3 Configure the user network parameters set network user main _office address_selection specified remote_ip_address 78 0 0 1 A set network user main _office ipx disable appletalk disable bridging disable set network user main _office send_password ch...

Page 110: ...etwork add ip network ipnet 1 address 192 112 226 1 C interface rm0 eth 1 2 Add a user add user branch_office password chicago type network dial_out set user branch_office idle_timeout 300 3 Configure the user network parameters set network user branch_office address_selection specified remote_ip_address 192 112 227 1 C set network user branch_office ipx disable appletalk disable bridging disable ...

Page 111: ...k ipnet 2 address 192 112 227 1 C interface rm0 eth 1 2 Add a user add user main_office password chicago type network dial_out set user main_office idle_timeout 300 3 Configure the user network parameters set network user main _office address_selection specified remote_ip_address 192 112 226 1 C set network user main _office ipx disable appletalk disable bridging disable set network user main _off...

Page 112: ...p enabled no set network user username ip_routing both set user username phone_number phone number set user username alternate_phone_number phone number set system transmit_authentication_name authentication name set network user username send_password password set network user username ppp max_channels 2 add modem_group modem group name interfaces rm0 mod 5 6 set user username modem_group modem g...

Page 113: ...8 BRIDGING WITH THE RAS 1500 This chapter contains the following information Overview Enabling Bridging Over the LAN Using FCP to Bridge with OfficeConnect Routers ...

Page 114: ...rmines where the frame belongs by analyzing address information When to Use Bridging When a frame arrives at a bridge the bridge analyzes the frame for the hardware address Figure 12 shows an example of the RAS 1500 bridge configuration Figure 12 Bridging with the RAS 1500 Table 24 Bridge Frames Destined for a Hardware Address Location RAS 1500 Action Remote network Places a phone call to the RAS ...

Page 115: ...ing Over the LAN Use the following steps to enable bridging over the local area network LAN 1 Create a user Use the following command add user name password password type network dial_out Example add user Boston password sayhey type network dialout 2 Create a bridge network Parameters for interface are optional because the RAS 1500 will choose the first LAN rm0 eth 1 it finds in your system The en...

Page 116: ...umber alternate_phone_number second number set network user name ppp channel_decrement percent ppp channel_expansion percent 5 Save your work save all Using FCP to Bridge with OfficeConnect Routers The RAS 1500 gives you a choice of connection protocols the PPP ideal for Internet access as well as internetworking in mixed vendor environments and FastConnect Protocol FCP from 3Com FCP runs over LAP...

Page 117: ...CP works 1 The RAS 1500 established the LAPB link as a part of the FCP negotiation 2 Both sides of the link exchange Names and MAC addresses negotiate compression STAC and reset the sequence numbers 3 The RAS 1500 prepends data packets with a 2 byte sequence number a If you have a routed link the routed packets are first prepended with a Ethernet MAC Header and then with the 2 byte sequence number...

Page 118: ...e a user with the modem group set user username modem_group 12 b Set the user phone number set user username phone phone number c Set the user alternate phone number set user username alternate phone number d Add a bridge and associate a user with it set dial_out user username site type ondemand 4 Enable the user enable user username 5 Configure MultiLink FCP set network user username fcp max_chan...

Page 119: ...re to send the frame Maybe a dial up link is still available where that can be forwarded If it does not know where to send it it will cycle through the configured dialout bridging users bringing up their dial up links and bridges the frame over to all these users Configuring OfficeConnect for FCP See the documentation that shipped with your OfficeConnect product for configuration information ...

Page 120: ......

Page 121: ... the local network using a login service such as Telnet Rlogin or ClearTCP Before You Begin Before you begin configuring the RAS 1500 as an IP terminal server follow all the configuration steps in the RAS 1500 Getting Started Guide Configuring Remote Computers The system administrator should provide the remote login user with the following information A username A telephone number to dial into Log...

Page 122: ...e user to access a login host using a host name you must first configure a DNS server using the add dns server command Example add dns server 7 7 7 7 name boston preference 1 To set up login host table entries perform the following steps 1 Configure the login hosts up to 10 hosts add login_host host_name address ip_address preference number rlogin_port TCP_port_number telnet_port TCP_port_number c...

Page 123: ...e number specified in their user profile You can setup the user for a specific login service to access a specific login host or you can let the user determine the login service and login host You can also specify login user information in RADIUS When RADIUS authenticates a user it can also pass on user configuration information to the RAS 1500 To configure a login user 1 Add the user with the foll...

Page 124: ...y a phone number at which the user is called back using the following command set user name phone_number number At this point it may be helpful to use the show user command to display the user s default values This lets you decide which parameters you need to set and which parameters you can leave as defaults 2 Configure login user parameters with the following command set login user name host_typ...

Page 125: ...etting Login Host IP Address If login user s host type is specified you must enter the IP address for the host to be connected to Login Service Specifies the default login service See step 1 for details TCP Port Optional If the login host uses a TCP port number other than 23 the default for Telnet you can set the TCP port number using this command For ClearTCP connections make sure that the host s...

Page 126: ...he user has set up a terminal emulation session such as the Windows HyperTerminal with a phone number and standard communications parameters The IP network is configured All other settings remain at factory defaults A Domain Name System DNS server is configured Follow these steps to configure the login host and user 1 Add a user Jack of the login user type add user jack type login 2 Add login host...

Page 127: ...o enter the following command to connect to either host connect quartz or connect granite Jack is connected to the host and prompted for a username password Trying 195 112 133 2 Connected to 195 112 133 2 Hummingbird Communications Ltd Telnet Daemon V5 1 Username jack Password Microsoft R Windows 95 C Copyright Microsoft Corp 1981 1995 Quartz When Jack ends his host session he is returned to the R...

Page 128: ...ogin_service rlogin 2 Add a login host for Jill to access Use the following command add login_host granite address 195 112 133 10 pref 1 3 Configure Jill to specifically access Granite Use the following command set login user Jill host_type specified login_host_ip_address 195 112 133 10 4 Save your work save all When Jill dials in she is prompted for a login name password as shown below Welcome to...

Page 129: ...em authentication Jill is up and running on the host When Jill logs out of her host session she exits from the RAS 1500 as well Example Granite logout NO CARRIER Microsoft R Windows 95 C Copyright Microsoft Corp 1981 1995 Granite ...

Page 130: ......

Page 131: ... Information Working with Modem Memory Configuring Modem Call Control Settings Configuring 56 Kbps Technology Configuring ISDN 3Com recommends using the Web configuration interface to configure the modems on the SuperStack II Remote Access System RAS 1500 This chapter explains how to configure modems with the command line interface CLI For information about configuring modems with the Web configur...

Page 132: ... from your management station or computer You are now ready to use the Console Interface to configure the RAS 1500 AT Commands AT commands are used to communicate directly with the ports within the RAS 1500 module You can use AT commands to change your modem port settings at any time Most commercial communications programs send an initialization string to the modem when you start the program Remov...

Page 133: ... others used in modem initialization strings Basic AT Dial Commands The basic commands needed to dial using an RAS 1500 are listed in the Table 26 Refer to the Issuing AT commands section earlier in this document for information on how to send AT commands Table 26 Basic AT Dial Commands Help Type Command Basic AT Command Help AT Ampersand AT Command Help AT Percent AT Command Help AT Asterisk AT C...

Page 134: ... codes X3 or higher W AT9W5551234 Wait for an answer After the modem detects at least one ring it waits for five seconds of silence at the other end of the call and then continues executing the Dial string If the modem is set to ATX2 or lower the command is ignored If set to ATX5 or ATX6 the modem hangs up when it detects a voice answer and send the VOICE result code If the correct conditions do n...

Page 135: ...lls go on hook issue the command below H Example ATH hangs up the modem Action Command Example View stored telephone numbers I5 ATI5 Write the following Dial string s to NVRAM at position n n 0 3 Zn s AT Z3 5551234 Write the last dialed number to NVRAM at position n n 0 3 Zn L AT3 L Display the phone number stored in NVRAM at position n n 0 3 Zn AT Z0 5551234 Dial the phone number stored in NVRAM ...

Page 136: ...ed as a default setting V 42 bis versus MNP 5 Data Compression Of the two data compression protocols V 42 bis is considered to be the better of the two in most cases because it dynamically deletes entries that are no longer used In addition it works better with files that are already compressed These include ZIP files downloaded from many electronic bulletin board systems and 8 bit binary files wh...

Page 137: ...are in Table 30 Table 30 Dictionary Sizes The RAS 1500 uses an 11 bit or 2048 entry dictionary but can reduce its size to accommodate a remote modem that uses a 9 or 10 bit dictionary As the dictionary fills the RAS 1500 deletes the oldest unused strings Configuring Data Compression The MNP level 5 Disabled setting allows V 42 compression only for use when transferring compressed files MNP 5 compr...

Page 138: ...speed but without error control and if you are not using an error control protocol for your call you may lose data Error Control The RAS 1500 is set at the factory to M4 causing it to try for an error control connection and if that is not possible to proceed with the call in Normal mode The RAS 1500 first tries to make a V 42 connection then an MNP connection The following information is based on ...

Page 139: ...e receiving device If errors are encountered retransmission activity can cause a steady stream of data from the computer to overflow the buffer Error control is required for data compression and recommended for all calls above 2400 bps Cyclic redundancy checking is used to detect errors An ARQ is issued when a corrupted data frame is detected and the data frame is retransmitted ARQ denotes error c...

Page 140: ...d during the handshaking process allowing for a faster connection The commands used are ATS27 4 and ATS 27 5 See the Table 32 for setting information Table 32 V 42 MNP Negotiation Method The defaults are to complete handshaking sequence 4 and 5 0 Configuring Carrier Delay Times Carrier delay time is the amount of time the modem waits to disconnect after detecting the absence of a carrier signal Th...

Page 141: ... allows the modem to distinguish between a momentary lapse due to line quality and a true disconnect by the remote modem If this value is set to 255 the modem does not hang up on loss of carrier It hangs up only when it receives the escape code sequence and returns to Command Mode ATS10 n n 0 255 ATS10 7 The duration and spacing milliseconds of dialed touch tones ATS11 n n 0 255 ATS11 70 The 2100 ...

Page 142: ...dem connects to an RAS 1500 it limits the maximum speed of the connection based on the value specified with N If the U argument is zero the connection is limited to the single speed implied by the N argument Example AT N16 configures the highest possible connect speed to 33600 bps AT U6 configures the lowest possible connect speed to 9600 bps Link Speed Index Link Speed Index Link Speed Index High...

Page 143: ... the U argument is zero the connection is limited to the single speed implied by the N argument For asymmetrical links N and U are used to constrain the speed of the higher speed direction of the link The speed of the lower speed direction is constrained by values given in S registers If the link speed associated with the U argument is greater than the link speed associated with the N argument the...

Page 144: ...nimum rate implied by the U value Controlling the Minimum Low speed Direction Low speed direction speed is the send receive baud rate of the slowest end of a connection Use the following S74 settings in Table 36 to control the minimum low speed direction speed Table 36 S74 Lower Limit Link Speeds Lower Limit Link Speed Setting Example No lower limit 0 ATS74 0 2400 1 ATS74 1 4800 2 ATS74 2 7200 3 A...

Page 145: ...s in Table 37 to control the maximum low speed direction speed Table 37 S75 Upper Limit Link Speeds Upper Limit Link Speed Setting Example No upper limit 0 ATS75 0 2400 1 ATS75 1 4800 2 ATS75 2 7200 3 ATS75 3 9600 4 ATS75 4 12000 5 ATS75 5 14400 6 ATS75 6 16800 7 ATS75 7 19200 8 ATS75 8 21600 9 ATS75 9 24000 10 ATS75 10 26400 11 ATS75 11 28800 12 ATS75 12 31200 13 ATS75 13 33600 14 ATS75 14 ...

Page 146: ...able 38 lists each command available Table 38 Modem Query Commands ATI8 ATI0 ATI2 and ATI18 are reserved Display Command Product name ATI3 Current modem settings ATI4 Settings stored in the modem s NVRAM If your modem connects to a modem that has Link Security and local access enabled you cannot view the stored phone numbers ATI5 Link diagnostics of the current or previous call including character...

Page 147: ...no data was transferred but the protocol was able to recover Link NAKs Negative acknowledgments one or more blocks Data Compression The type of data compression negotiated for the call V 42 bis or MNP5 on NONE A V 42 bis response includes the size of the dictionary and the maximum string length used for example 2048 32 Equalization Long Short The status of S15 bit 0 Long if bit 0 0 Short if bit 0 ...

Page 148: ...ata frame without error LD received The remote modem sent an MNP error control Link Disconnect request DISC The remote modem sent a V 42 Disconnect frame Loop loss disconnect The modem detected a loss of current on the loop connecting it with the telephone company central office CO This usually occurs because the remote modem has hung up the CO drops current momentarily when there is a disconnect ...

Page 149: ...late Viewing Settings When you issue an AT configuration command the modem stores the command RAM as a current setting Any setting s that you change and do not save to the modem are active until you reset or power off a modem Storing Settings in Flash Memory Save modem settings to Flash memory by adding the W to the end of the AT command This changes the default setting for that modem after the cu...

Page 150: ...m interface rm0 slot1 mod 4 at_ command AT F08W Configuration templates cannot be customized since they are a part of the modem ROM However you may load a template into active memory modify it and save it to Flash memory Example set switched interface rm0 slot1 mod 1 at_command at f0 k3s10 40 A2 W Insert your changes after the F0 command but before W If you do not the changes are be overwritten by...

Page 151: ... then save them to Flash with the W command as in the following example AT K3 X3 S10 40 A2 T W Configuring Modem Call Control Settings You can use AT commands to configure how modems operate You can control the following types of call control settings Enabling Answer In Originate Mode Setting ARQ Negotiation Setting Carrier Wait Time After Dialing Setting Idle Time Before Disconnect Setting MNP V ...

Page 152: ...ation in seconds that the local modem waits to detect a carrier signal from the remote modem ATS7 n n 0 255 60 Setting Command Parameters Default Idle time before disconnect If set in minutes to greater than 0 the Inactivity Timer is activated when there is no data activity in either the transmit or receive direction If no data activity is detected by the timeout period the modem hangs up ATS19 n ...

Page 153: ...in tenths of a second of the EIA specified Multimode Training sequence for V 32 modems which includes 3Com Dual Standard modems set to answer V 32 calls set to B0 The delay gives V 32 modems additional time to connect with most U S Canada modems at 9600 bps before falling back to attempt a V 21 connection to answer overseas calls 300 bps 1200 bps with a 75 bps back channel The fallback occurs only...

Page 154: ...e system The larger the window the more frames that can be transferred without an acknowledgment However the more frames that are transferred without an acknowledgment the more the receiver is required to allocate additional buffer space to handle the incoming transmissions Selecting Frame and Window Size Use the following AT commands to select frame and window size Action Command Allow V 34 and x...

Page 155: ... Every time a call comes in the RAS 1500 goes through a link negotiation process called handshaking with the remote device The way the RAS 1500 handles outgoing and incoming calls depends on the call type setting you chose You can set the RAS 1500 to handle incoming calls seven different ways Best possible connection Universal Connect Clear channel synchronous V 120 only V 110 only X 75 only Analo...

Page 156: ...cific type V2 1 6 and the desired connection cannot be made the RAS 1500 does not negotiate for other types of connections Default configuration to V 120 with X 75 turned off Setting the Originate Call Type You can set the originate call type for each B channel These commands are only valid when auto detect is used V2 0 These state of these new commands is saved in flash Attempt Call Type Protocol...

Page 157: ...ols Originating Non HDLC Protocols Use the commands in Table 48 to control the originating non HDLC 64 protocols Table 48 Non HDLC 64 Protocols Originating Analog Modem Mode Use the commands in to control the originating analog modem mode Table 49 Originating Analog Call Type Setting Command None U1 0 V 120 U1 1 X 75 U1 2 PPP U1 3 Setting Command None U2 0 V 110 U2 1 Setting Command None U3 0 Anal...

Page 158: ......

Page 159: ...zing CLI Parameters Local Prompt Use set command if you have more than one SuperStack II Remote Access System RAS 1500 and want to differentiate between them or you just want to customize your prompt from the default The prompt can be up to 64 characters Use the following command set command local_prompt prompt message Example set command local_prompt Welcome Command History If you want to customi...

Page 160: ...global prompt value is useful if you are running a number of processes and want to differentiate between the global and session prompts Or if you are Telnetting to the system for instance and want to create a separate easily identifiable prompt If your prompt consists of more than one word remember to enclose it in quotes Use the following command set command prompt string Example set command prom...

Page 161: ...EM INFO set system name marauder set system contact Henry Stimson set system location 3Com Lab SETTING THE LOCAL COMMAND PROMPT set command prompt RAS 1500 SETTING THE SYSTEM COMMAND HISTORY set command history 100 SNMP COMMUNITIES add snmp community sqatest a 0 0 0 0 a rw add snmp community bearcat a 0 0 0 0 a rw add snmp community public a 0 0 0 0 a ro IP NETWORKS add ip network ipnet 157 172 24...

Page 162: ...et accounting primary_server 157 172 248 54 secondary_server 157 172 248 40 enable accounting enable ip rip enable ip routing enable security_option remote_user_administration dialin or telnet ADDING USERS ROOT ADMIN MANAGER add user root password root type manage NETWORK_SERVICE enable network_service root add user henry type network dial_out set network user henry ip_routing both set network use...

Page 163: ...tes Dial Disconnect and Hangup Commands You can dial up a remote or local site with the dial command and log in to hosts with the rlogin and telnet commands You can use the hangup and logout commands to clear those lines Dial Command The dial command makes an immediate connection for a manual dial out user using the dial out information in the user s profile Use the following command dial user_nam...

Page 164: ...s the message as it was configured The options are date current date according to system uptime callid user call number according to system uptime port port occupied by user rm0 mod y hostname user host name sysname user system name same as hostname time time of call according to system uptime Like all CLI string values the message must be enclosed in quotations Example set switched interface rm0 ...

Page 165: ...command shown below add network service service_name close_active_connections false true data ancillary entry enabled no yes socket socket number server_type cleartcpd dialout snmpd telnetd tftpd Example add network service DIALOUT close_active_connections true socket 99 data auth off login_banner Welcome to my Net service_type dialout drop_on_hangup on login_prompt My Session To edit a network se...

Page 166: ...tes and forward slashes and auth must be on Default login service_type manage dialout Indicates whether the service is offering modem sharing service or manage service Modem sharing service connects the client to a modem Manage service connects the client to the command line to manage the system Applicable only to Telnet servers you cannot ClearTCP into the system to manage Default manage modem_gr...

Page 167: ...e it is enabled by default When changing any parameter you must first disable the service then re enable it Example abbr set network service telnet user server_type telnetd data auth off enabled yes server_type Type of service being offered ClearTCPd Dialout SNMPd Telnetd TFTPd socket Sets the port number the RAS 1500 listens on for network service requests Enabling and Disabling Network Service B...

Page 168: ...was sent to RAS 1500 If you want to obtain a file from another network host add that host as a TFTP client and from within the system use Telnet to access that host and use the following command to obtain the file get filename Do not transfer binary files Transferring binary files of any type will cause unexpected results and may cause RAS 1500 to hang Using Rlogin and Telnet You can connect to a ...

Page 169: ...to and the value of the Telnet escape character Typing status at the telnet prompt will produce something like this Connected to 172 144 122 144 Escape character is Telnet Control Characters Console port users service unavailable to login users can use the send command to transmit a Telnet control character to a host After you have established a Telnet session logged in and given your password typ...

Page 170: ...o the console port Although messages are sent to the Console port by default you can configure a SYSLOG host to receive messages This would free up the Console since sending messages uses system resources and can slow down the connection Log levels range from the lowest state debug to the highest critical The default is critical Use the following command set facility name loglevel common critical ...

Page 171: ...ollege hu com address 133 114 121 15 resolve name hahvahd Remotely add dns server 133 114 121 45 preference 1 name Our DNS server Screen output example Network Name hahvahd college hu com is resolved to Address 133 114 121 015 Using Ping The ping Command The ping command is very helpful in testing RAS 1500 connectivity with other network devices Options let you set ping attempts count the period b...

Page 172: ...eout 1 60 verbose yes no Example ping 199 55 55 55 count 3 verbose yes The command would display the following PING Request 1 Time ms 10 PING Request 2 Time ms 0 PING Request 3 Time ms 0 PING Destination 199 55 55 55 Status ALIVE Count 3 Timeouts Occurred 0 Minimum Round Trip ms 0 Maximum Round Trip ms 10 Average Round Trip ms 1 Listing ping settings You can use the show ping settings command to d...

Page 173: ...ping maximum_rows command sets the maximum number of rows permissible in the Remote Ping Table Setting this parameter to a number smaller than the current number of rows will not cause any row deletions immediately but in the future Default 20 Range 1 1000 Configuring a ping User You can configure a ping user to test the connectivity of a specified login host using the add user command This user p...

Page 174: ...ct Larry Johnson System Name RAS 1500 System Location westboro System Services Internet EndToEnd Applications System Transmit Authentication Name RAS 1500 System Version V1 5 Viewing Interface Status Settings Several commands are useful to display the active inactive status and settings of specific interfaces ports They are list switched interfaces list interfaces and show interface settings and s...

Page 175: ... use show commands to view the current configuration and its routing activity A few of the show commands used for troubleshooting are covered in this section including show memory show connection settings show connection counters and show accounting settings Show Memory The show memory command displays the system DRAM memory utilization Example SYSTEM MEMORY RESOURCES Total System Memory Resources...

Page 176: ...terface of current connections Username name of users currently connected Type current type of connections established on modems They include On demand user connection established for on demand purposes Dial back user connection established for callback purposes Continuous user connection established for continuous utilization Manual user connection established manually Timed user connection estab...

Page 177: ...date of a connection established on the specified interface Start Time start time of a connection established on the specified interface Example CONNECTIONS IfName User Name Type DLL Date Time Start Start rm0 slot1 mod 2 ginger SHRMOD NONE 05 AUG 2041 13 57 2 rm0 slot1 mod 1 Larry DIALIN PPP 01 SEP 1997 00 34 25 rm0 slot1 mod 2 larry DIALIN NONE 05 AUG 2041 13 56 1 ...

Page 178: ......

Page 179: ...he RAS 1500 grants or denies access based on information in the local user table only RADIUS authentication only The RAS 1500 sends a request to the RADIUS server and grants or denies access based on the response NOS authentication only The RAS 1500 sends a request to the NOS authentication server and grants or denies access based on the response Local authentication and either RADIUS or NOS authe...

Page 180: ...w configuration RADIUS Authentication Overview Use the RADIUS authentication for centralized authentication services on your network RADIUS authentication is enabled by default The RADIUS authentication process consists of two parts an authentication server and RADIUS client The authentication server is installed on a machine on your network The RAS 1500 acts as a RADIUS client sending authenticat...

Page 181: ...if local authentication is enabled 2 The RAS 1500 encrypts the user s password using an encryption key shared by both the RAS 1500 and the RADIUS server and passes the username and encrypted password to the RADIUS server 3 The RADIUS server checks the username and password against its users file determines whether to grant or deny access and passes this information back to the RAS 1500 4 If access...

Page 182: ...ecret string primary_server name_or_ip_address secondary_port port_number secondary_secret string secondary_server name_or_ip_address retransmissions number timeout seconds type nos radius Each of the following steps describes a parameter An example is shown after the final step 1 Set the authentication type Use the following command set authentication type radius 2 Select the primary RADIUS secur...

Page 183: ...retransmits an authentication request to both primary and secondary RADIUS servers Use the following command set authentication retransmissions count 7 Set the UDP port to match the UDP port setting on the RADIUS server The default is 1645 Use the following command set authentication primary_port port_number or set authentication secondary_port port_number 8 Set the interval in seconds between ret...

Page 184: ...ne of the following commands show authentication settings or show configuration NOS Authentication Overview NOS authentication is an alternative to RADIUS authentication for local and dial in users using Novell or Windows NT networks NOS authentication allows you to control network access by remote users through an existing network security mechanism NOS authentication has the following limitation...

Page 185: ...1500 server and indicates to the user that the authentication has failed or passed 5 The RAS 1500 assigns the default user profile to the dial in user Installation Overview For NOS authentication to operate correctly perform the following steps detailed in later sections Install NOS authentication software on your Novell NetWare or Windows NT server This chapter contains separate procedures for ea...

Page 186: ... You MUST load the software application on an Novell Server The time on the RAS 1500 and the Novell NetWare server must be within 15 minutes of each other 1 Copy the appropriate security NLM see below from the RAS 1500 Resource CD to the sys system directory on the Novell server For NDS Client Security Novell SNDS NLM For bindery Client Security Novell SBINDERY NLM 2 Add TCP IP to the Novell serve...

Page 187: ...p 25 tcp mail time 37 udp timeserver name 42 udp nameserver whois 43 tcp nicname domain 53 tcp hostnames 101 tcp hostname sunrpc 111 udp Host specific functions tftp 69 udp finger 79 udp link 87 udp ttylink x400 103 tcp x400 snd 104 tcp csnet ns 105 tcp pop 2 109 tcp uucp path 117 tcp nntp 119 tcp usenet News 114 tcp news UNIX specific services these are NOT officially assigned exec 512 tcp login ...

Page 188: ...t for Bindery sbindery nlm or for Novell Directory Services NDS snds nlm depending upon your NetWare Server version and which service is used load sbindery 3Com where sbindery is NLM name for the RAS 1500 Security Client for Novell NetWare Bindery 3Com is the default password for the RAS 1500 Security Client load snds 3Com where snds is NLM name for the RAS 1500 Security Client for Novell NetWare ...

Page 189: ...ty client starts each time the system is rebooted add the above commands in autoexec ncf file For NDS add the command after TCP IP binding IP to an interface and LOAD DSAPI For bindery add the command after TCP IP and binding IP to an interface ...

Page 190: ... 3c5x9 slot 5 frame ETHERNET_II name 3c5x9_2 bind ipx to 3c5x9_2 net cc100001 load 3C5X9 slot 5 frame ETHERNET_802 3 NAME 3C5X9_3 bind IPX to 3C5X9_3 net AA330000 load 3c5x9 slot 5 frame ETHERNET_SNAP name 3c5x9_4 bind ipx to 3c5x9_4 net AA550000 bind IP to 3c5x9_2 addr 192 147 72 3 mask 255 255 255 0 set maximum concurrent directory cache writes 50 set maximum directory cache buffers 4000 load cp...

Page 191: ...count database with NT User Account Manager This application software is a NT service that processes authentication requests from the RAS 1500 The NT Security Client uses a 3Com proprietary communication protocol to communicate with the RAS 1500 This protocol which runs on top of registered UDP service crsecacc provides secured end to end communication services such as messages encryption and the ...

Page 192: ...1500 and the Windows NT server must be within 15 minutes of each other If you change the time on a Windows NT Server you must reboot the server for the change to take effect 1 Insert the RAS 1500 Resource CD into the Windows NT server or workstation 2 Locate Client Security NT Setup exe 3 Double click SETUP EXE The software loads 4 From the Windows NT desktop click Start then Programs then Accessb...

Page 193: ...nt are encrypted with an Encryption Key The default Encryption Key is 3com The Encryption Key is stored in the NT Registry database in the entry of EncryptionKey under the subkey HKEY_LOCAL_MACHINE system CurrentControlSet Services ABSecurityClient You can change the default encryption key by using NT Registry Editor If you change the encryption key make sure that you also update the ScrtyClntPass...

Page 194: ...thentication server may differ If you want to change the primary_secret refer to the readme file provided with the Security application 3 Configure the secondary NOS authentication server set authentication secondary_server domain name or ip address secondary_port 888 secondary_secret 3com The industry standard port setting for NOS authentication server is 888 Your NOS authentication server may di...

Page 195: ...e GMT offset of the RAS 1500 This setting is between 12 00 and 14 00 inclusive set timezone hh mm See Appendix A GMT Time Zones to find the GMT offset for your location Eastern United States example set timezone 5 00 Setting Daylight Saving Time Configuring daylight saving time DST on the RAS 1500 requires two steps First set the begin time end time and adjustment for DST Second enable DST Only th...

Page 196: ...st day_of_week sunday month october time_to_correct 02 00 00 amount_to_correct 01 00 00 Use the following command to enable DST on the RAS 1500 enable dst Setting the Date Use the following command to set the date on the RAS 1500 set date dd mon yyyy Example set date 10 jan 1999 Setting the Time For the RAS 1500 and the NOS authentication server to operate correctly together set their system times...

Page 197: ...administrator The RAS 1500 sends frames to the RADIUS accounting server that enables RADIUS to perform accounting functions The RADIUS accounting server uses the same basic protocol as the RADIUS authentication server You can run both servers on the same host or you can choose a different host to provide each function The RADIUS accounting server performs session accounting for the stack Session a...

Page 198: ...er An example is shown after the final step 1 Select the primary RADIUS accounting server Use the following command set accounting primary_server ip_address 2 Optional Select the secondary RADIUS accounting server If your network has more than one RADIUS accounting server indicate which one is considered the secondary server If for some reason the primary server is unavailable the RAS 1500 checks ...

Page 199: ... begins accounting either at the point of authentication or the point of connection Use the following command set accounting start_time authentication connection 7 Set the interval in seconds between retransmissions Use the following command set accounting timeout number_seconds 8 Set the UDP port to match the UDP port setting on the RADIUS server The default is 1646 Use the following command set ...

Page 200: ...es of RADIUS accounting output The first describes a login user who has just begun a session Thurs Jan 16 22 00 55 1999 Acct Session ID 06000003 User Name cindyg Acct Status Type Start Acct Authentic RADIUS User Service Type Login User Login Host NY_Sales Login Service Telnet When the user above ends the session with the host a record similar to the one below is sent to the accounting server Thurs...

Page 201: ...Service Type Framed User Framed Protocol PPP Framed Address 122 132 124 152 Framed Netmask 255 255 124 0 When the framed user ends the session a record similar to the one below is sent to the accounting server Thurs Jan 16 16 25 57 1999 Acct Session Id 06000004 User Name harryk Client Id 201 123 234 79 Client Id Port 5 Acct Status Type Stop Acct Session Time 664 Acct Authentic Local User Service T...

Page 202: ......

Page 203: ...me Relay Configuration Using the Command Line Interface Frame Relay Data Link Configuration Frame Relay PVC Configuration Monitoring and Troubleshooting Case Study The Frame Relay Stack complies with the Idacom Conformance Test Suite When ordering Frame Relay service tell your Frame Relay service provider ...

Page 204: ...elay supports congestion management which attempts to notify endpoints that the network is experiencing congestion and that the volume of traffic should be reduced to stop Frame Relay nodes from discarding frames Frame Relay reduces its error correction overhead by assuming high quality transmission lines and relying on the endpoints to detect and correct transmission errors This reduces the laten...

Page 205: ...I LMI provides a polling mechanism that allow switches and routers to request the status of all PVCs on a given interface Supporting Frame Relay The RAS 1500 provides a synchronous serial interface capable of supporting data rates between 9 6 kbps and 2 048 mbps The RAS 1500 routes IP and IPX over Frame Relay The RAS 1500 supports RFC 1490 which is a standard that provides for routing of multiple ...

Page 206: ...its the Excess Burst Size Be is reached Any data in excess of Be is discarded All data is discarded until a new Tc begins Abbreviation Term Description Bc Committed Burst Size The number of bits above CIR that are transmitted during a time interval Tc without setting the DE bit Be Excess Burst Size The number of Bits that are transmitted during a time interval Tc in excess of Bc that will have the...

Page 207: ...n 24k Bc Max 40k Be 48k Access 64k 56k 32k Bc Tc All Data between Bc and Be is sent with the DE bit set All data in excess of Be is discarded Bc is variable between Bc_Max and Bc_Min depending on congestion Be is in addition to Bc and will increase and decrease as Bc increases and decreases ...

Page 208: ...quired system level parameters you are ready to begin configuring the RAS 1500 to use Frame Relay There are three basic components to a Frame Relay configuration Frame Relay user Frame Relay data link PVC User mappings The parameters specified in these components define the physical Frame Relay interface the protocols to routed over Frame Relay and the relationship between Frame Relay users and an...

Page 209: ...s the IP address of the remote router WAN port The local_ip_address is the IP address of the local router WAN port 4 Set the user routing options as follows For a command description see Table 54 set network user username ip_routing both send listen none rip ripv1 ripv2 5 For IPX specify the network address WAN status routing options and spoofing status set network user username ipx_address ipx ne...

Page 210: ...ling_interval 5 30 The parameters in Table 55 do not usually need modification They are based on the management type configured in Step 2 Table 55 Frame Relay Parameters Parameter Description access_rate Speed in bits per second of the Frame Relay access line management_type Type of LMI protocol used by the Frame Relay carrier ANSI ANSI T1 617 Annex D ITU ITU Q 933 Annex A LMI LMI rev 1 No LMI Tur...

Page 211: ...e to the associated user profile There is one PVC per user You must create a user for each PVC that you configure Use the following steps to configure the Frame Relay PVC 1 Add the Frame Relay PVC and DLCI and associated user profile add frame_relay pvc pvc name dlci dlci number interface rm0 wan 1 user username Example add frame_relay pvc chicago dlci 16 interface rm0 wan 1 user tom 2 Configure t...

Page 212: ... burst All data above Bc is marked DE Any data in excess of Be is discarded becn_cmp Backward Explicit Congestion Notification Congestion Monitoring Period The number of seconds in each BECN Monitoring Interval becn monitoring Backward Explicit Congestion Notification Monitoring Determines the ratio of BECN frames to non BECN frames during a becn_cmp If there are more BECN frames than non BECN fra...

Page 213: ...cs show frame_relay pvc pvc name counters List the Status of all Frame Relay PVCs Use the following command to list the status of all Frame Relay PVCs list frame_relay Case Study Goal Use a Frame Relay link to connect the sitea RAS 1500 located at Site A to the siteb RAS 1500 located at Site B Assumptions Each site has a functioning RAS 1500 Use the RIPv1 routing protocol Each site has separate IP...

Page 214: ...tocol ripv1 3 Enable the IP network enable ip network sitea 4 Add a Frame Relay user add user siteb type network network_service fr_1490 enabled no 5 Set the user protocol settings set network user siteb ip enable ipx disable appletalk disable bridging disable 6 Set the user remote IP address set network user siteb remote_ip_address 172 17 253 254 b 7 Set the user routing settings set network user...

Page 215: ...3 Enable the IP network enable ip network siteb 4 Add a user add user sitea type network network_service fr_1490 enabled no 5 Set the user protocol settings set network user sitea ip enable ipx disable appletalk disable bridging disable 6 Set the user remote IP address set network user sitea remote_ip_address 172 16 253 254 b 7 Set the user routing settings set network user sitea ip_routing both r...

Page 216: ...col set ip network sitea routing_protocol ripv1 3 Enable the IP network enable ip network sitea 4 Add a Frame Relay user add user siteb type network dialout network_service fr_1490 enabled no 5 Set the user network parameters set network user siteb ip enable ipx disable appletalk disable bridging disable 6 Set the user WAN link IP address set network user sitea remote_ip_address 192 168 168 2 c se...

Page 217: ... the RAS 1500 steps 1 through 3 are not necessary 1 Add an IP network add ip network siteb interface rm0 eth 1 address 172 17 253 254 b 2 Set the IP network routing protocol set ip network siteb routing_protocol ripv1 3 Enable the IP network enable ip network siteb 4 Add a Frame Relay user add user sitea type network dialout network_service fr_1490 enabled no 5 Set the user network parameters set ...

Page 218: ... sitea 9 Configure the Frame Relay datalink add datalink frame_relay interface rm0 wan 1 enabled yes 10 Configure a Frame Relay PVC and associate a user with it add frame_relay pvc btoa dlci 102 interface rm0 wan 1 user sitea enabled yes 11 Save your work save all ...

Page 219: ...sed Filtering Overview Filter Types Creating Filters Configuring Filters Managing Filters General Filter Setup Filter Examples This chapter describes how to use a text editor and the command line interface CLI to use filters Transcend Remote Access Manager TRAM provides the same functionality using a graphical interface for more information see TRAM online Help ...

Page 220: ...he following filtering capabilities Input output filtering Packet filters can be used to control inbound or outbound data packets Source destination address filtering A packet filter can accept or deny access to a host or user based on the address of the source and or destination Protocol filtering Inbound or outbound network traffic can be evaluated based on the protocol Source destination port f...

Page 221: ...tering on source network destination network protocol type source socket destination socket source node and destination node of the IPX packet Advertisement Filters Advertisement filters act on network protocol packets that contain information such as Routing Information Protocol RIP Filtering these packets is performed by the specific protocol process IP RIP IPX RIP and IPX Service Advertising Pr...

Page 222: ...ld use generic filters and strictly in cases where data and advertising filters cannot provide necessary filtering capabilities Creating Filters The RAS 1500 performs packet filtering based on rules you create This section describes how to create packet filters Filter File Components Filter rules are defined within filter files Filters are text files stored either in FLASH memory or on a RADIUS se...

Page 223: ...col Sections Protocol Rules You define protocol rules within each protocol section in the filter file These rules set which packets may and may not access the network The following is the rule syntax line verb keyword operator value The combination of keyword operator and value forms a condition which when combined with a verb sets whether packets are accepted or rejected Protocol Description IP I...

Page 224: ...stination address is yyy the following rules are used IP 010 ACCEPT src addr xxx 020 ACCEPT dst addr yyy Field Description line Each rule must have a unique line number 1 999 You must arrange rules in increasing order verb This field can be one of the following ACCEPT allow packet access if condition is met REJECT do not allow packet access if condition is met AND logically use the AND condition w...

Page 225: ...n increasing order verb This field can be one of the following ACCEPT allow packet access if the condition is met REJECT do not allow packet access if the condition is met AND logically use the AND condition with condition of the next rule to determine if packet is accepted or rejected Both defined conditions must be met IMPORTANT No more than 15 consecutive AND rules are permitted keyword The key...

Page 226: ...lter Files To create a filter use a text editor on your computer to create or edit a filter file Use the Trivial File Transfer Protocol TFTP to load the file in the RAS 1500 FLASH memory If you TFTP an edited file to the RAS 1500 it replaces the original file Be careful the following steps require frequent switching between your computer and the RAS 1500 To create a filter file on your computer pe...

Page 227: ...tion if different from the default value of PERMIT Example 030 DENY 5 Continue to define protocol rules for each protocol section you want to filter Then check the file to ensure it meets the RAS 1500 requirements and save the file To set up RADIUS filter files see Chapter 12 Using Security and Accounting 6 Access the CLI on the RAS 1500 Configure your computer as a TFTP client by entering the fol...

Page 228: ...uires the original filter files to be deleted using delete filters Reverify and reapply using set interface Use show filter filter name to view your file If you are applying a filter to a RADIUS user use show remote user Configuring Filters Once a filter has been added to the managed filters list turn filter access on or off and assign the filter to the RAS 1500 interfaces or users Setting Filter ...

Page 229: ...s to determine whether the interface accepts or rejects the packet Interface filters can be applied dynamically without having to disable and re enable each network on that interface If you prefer to configure a filter through a modem group first issue the add modem group name interfaces rm0 slot 1 2 mod 1 4 or pem 1 2 slot 1 2 mod 1 4 command Use either of the following commands set interface rm0...

Page 230: ...e does not waste time processing a packet that is going to be discarded anyway Most importantly the RAS 1500 does not know which interface an outgoing packet came in through If a potential intruder forges a packet with a false source address to appear as a trusted host or network there is no way for an output filter to tell if that packet came in through the wrong interface An input filter however...

Page 231: ...slot1 mod 3 output_filter outfilter fil filter_access off If you want to set slot 4 mod 8 input and output filters at the same time enter the following set interface rm0 slot1 mod 3 input_filter infilter fil output_filter outfilter fil IP networks and interfaces must be disabled then enabled for interface filters to be effective Assigning a Filter to a User To configure an input or output filter f...

Page 232: ...following command list filters The resulting display might look like the following example Adding Filters to the Managed List The add filter command verifies filter syntax before adding a filter to the managed list If syntax is valid no message is generated and the command prompt returns If syntax errors exist messages are sent describing them If the syntax is invalid the filter is still added to ...

Page 233: ... set interface rm0 eth 1 output_filter ENTER Now be sure to reapply the filter with the set interface command Enter the following set interface rm0 eth 1 output_filter filter_name Removing a Filter from a User Profile Removing a filter assigned to a user profile is mandatory when editing it The value is a null value that removes the defined filter from the user profile Enter the following set user...

Page 234: ...ter you issue the set interface command So remember to remove and reapply the filter to ensure new filter rules apply to all affected interfaces To verify a filter file use the following command verify filter filter_name Showing Filter File Contents To view the contents of an entire filter file that has been added to the managed list of filters use the following command show filter filter_name To ...

Page 235: ...ut filter is named ras1500 fil 2 If you are configuring a user filter not an interface filter enable filter_access off by default with the following command Filter access should remain off for an interface filter set interface rm0 pem1 pem2 slot 1 2 mod 1 4 3 Add the filter to the RAS 1500 Managed Filter Table with the following command add filter ras1500 fil 4 The RAS 1500 automatically verifies ...

Page 236: ...d to limit permitted access to trusted hosts and networks only to explicitly deny access to hosts and networks that are not trusted or to limit external access to a given host for example a Web server or a firewall Only the part of the IP address specified by the mask field is used in the comparison If a match is found the packet is forwarded rules containing accept or discarded rules containing r...

Page 237: ...re unimportant 8 Compare the first byte octet in the IP addresses 16 Compare only the first two bytes of the IP addresses 24 Compare only the first three bytes of the IP Addresses 32 Match the entire IP address default The masks are separated from source address and destination address by forward slashes TCP and UDP Parameter Filtering TCP and UDP packets are typically sent from and destined for s...

Page 238: ... IP 010 AND tcp dst port 23 020 ACCEPT tcp dst port 40 030 DENY The following rule example accepts only UDP packets that have a destination port number that is in the range of 24 to 39 filter IP 010 AND udp dst port 23 020 ACCEPT udp dst port 40 030 DENY The following rule example rejects TCP and UDP packets filter IP 010 REJECT protocol tcp 020 REJECT protocol udp ...

Page 239: ...1 111 Sun Remote Procedure Call 113 113 Authentication Service 119 Network News Transfer Protocol 123 123 Network Time Protocol 161 161 Simple Network Management Protocol 162 162 Simple Network Management Protocol trap 220 220 Interactive Mail Access Protocol v3 512 remote process execution 513 remote login rlogin 513 remote who rwhod 514 remote command rsh 514 Syslog accounting 515 lpd spooler 51...

Page 240: ...filter all but the following IPX networks enter the following filter IPX RIP 010 REJECT network 00 00 99 ff 020 REJECT network 99 88 0 45 030 REJECT network 0 8 7 5 To filter an IP route based on a subnet mask all but 195 223 0 0 networks enter the following filter IP RIP 010 REJECT network 195 223 87 225 16 Spurious RIP messages can disrupt your routing tables If you are listening for RIP message...

Page 241: ...t are error messages necessary for the correct operation of TCP IP Table 61 ICMP Message Types If you are concerned about security filter out incoming type 5 messages Sending ICMP redirects is an easy way for a vandal to change your routing tables Although ping is a troubleshooting aid it allows a potential intruder to obtain a map of your network by systematically pinging every possible address I...

Page 242: ...work addresses hosts and socket numbers Call filtering occurs after output filters are processed and are used for ondemand calls only For example to allow outgoing calls from the user of IP address 192 112 42 6 enter the following filter IP CALL 010 ACCEPT src addr 192 112 42 6 020 DENY For example to allow outgoing calls to IPX host 77 88 99 aa bb cc and reject calls from the source socket number...

Page 243: ... of 1 Some routers used on the same network RAS 1500 may be configured to filter out specific traffic In some cases these routers may not apply the filter correctly Should this happen those packets will be discarded In accordance with RFC 1858 this security feature syslogs every instance of a packet being discarded The following commands are associated with this feature enable ip security_option d...

Page 244: ...ation as specified in the sender packet IP header Using this command you can discard packets of this type although this is a lower level of security than All Header Options The following commands are associated with this feature enable ip security_option disallow_source_route_options ENTER disable ip security_option disallow_source_route_options Default Keywords This section describes valid keywor...

Page 245: ...in form 0Xxxxx Keyword Description Operators Value network network address or xx xx xx xx node node address or xx xx xx xx xx xx server server name or character string max 32 service type service type or 0 ffff in form 0Xxxxx socket socket number all 1 ffff in form 0Xxxxx Keyword Description Operators Value dst addr destination host address or ddd ddd ddd ddd Keyword Description Operators Value sr...

Page 246: ...0 65536 src node source node address or 0 255 dst node destination node address or 0 255 src socket source socket number all 1 254 dst socket destination socket number all 1 254 generic field based on offset length mask value generic generic Keyword Description Operators Value network network address or 0 65536 Keyword Description Operators Value zone name AppleTalk zone name or character string m...

Page 247: ...eeded basis A user receives IP information when it is required and returns the IP information when finished with it This is useful when IP addresses are limited or used temporarily DHCP allows centralized management and configuration of IP information You avoid manually configuring each computer on the network and at remote sites The SuperStack Remote Access System RAS 1500 can serve in one of two...

Page 248: ...a DHCP server in behalf of the DHCP dial in clients The DHCP server receives and processes the request and sends the IP information back to the dial in server via the RAS 1500 Acting as a DHCP relay the RAS 1500 passes on a request for IP information from a local user to a DHCP server Scenario 1 In this scenario when a local user requests IP information the RAS 1500 acting as a DHCP server provide...

Page 249: ...ests IP information the DHCP server not the RAS 1500 sends it to the user When a dial in user requests IP information the RAS 1500 acting as a proxy server relays the request to the DHCP server The DHCP server processes the request and sends the IP information to the RAS 1500 which relays it to the dial in user Figure 16 RAS 1500 as a proxy server DHCP server on the same LAN RAS 1500 LAN local LAN...

Page 250: ...ation to the local LAN 1 user When a local LAN 2 user requests IP information the DHCP server sends it to the user When a dial in user to the RAS 1500 requests IP information the RAS 1500 acting as a proxy server relays the request to the router The router relays the request to the DHCP server on LAN 2 The DHCP server processes the request and sends the IP information to the router The router rela...

Page 251: ...sends it to the user When a dial in user to the RAS 1500 A requests IP information the RAS 1500 A acting as a proxy server relays the request through the PSTN to the RAS 1500 B The RAS 1500 B relays the request to the DHCP server on LAN 2 The DHCP server processes the request then sends the IP information to the RAS 1500 B The RAS 1500 B relays the information to the RAS 1500 A The RAS 1500 A rela...

Page 252: ...mode dhcp_proxy 2 Set the DHCP mode set dhcp mode server 3 Set parameters for DHCP users These are the settings the DHCP server sends to users a Set the subnet mask and start and end addresses of the DHCP pool set dhcp server mask subnet mask start_address ip address end_address ip address Do not overlap the ip addresses of the DHCP pool and IP address pool b Set the lease duration RAS 1500 B LAN ...

Page 253: ...ignment mode set ip address_assign_mode dhcp_proxy 2 Set the DHCP mode set dhcp mode disabled or relay 3 Specify the IP addresses of the primary and alternate DHCP servers set dhcp proxy server1 address IP address of the primary DHCP server server2 address IP address of the secondary DHCP server User Datagram Protocol Broadcast Forwarding When a server on your network broadcasts User Datagram Prot...

Page 254: ...ing By default UDP broadcast forwarding is disabled To add or delete a UDP broadcast forwarding port use the following command add delete ip udp_bcast_forwarding_port port number For example to add port 40001 use the following command add ip udp_bcast_forwarding_port 40001 Displaying UDP Broadcast Forwarding Parameters To display the status of UDP broadcast forwarding use the following command sho...

Page 255: ...your ISP assigns you a public subnetwork 200 1 1 0 28 from which you set aside a pool of public addresses from 200 1 1 1 to 200 1 1 10 When a user on 192 168 111 to 200 1 1 15 and a user on your private network with an IP address of 192 168 111 1 C on the private network attempts to access a public host The following happens The SuperStack II Remote Access System RAS 1500 when it receives the outb...

Page 256: ...amic NAT Public Private 200 1 1 1 200 1 1 3 200 1 1 2 Public 192 168 111 1 Private 200 1 1 1 200 1 1 3 200 1 1 2 Public 192 168 111 1 Private 200 1 1 1 192 168 111 3 200 1 1 3 200 1 1 2 Public Private 200 1 1 1 192 168 111 3 200 1 1 3 200 1 1 2 When no users are attempting to access the public network no addresses are assigned When a user attempts to access the public network the private address o...

Page 257: ... address 200 1 1 1 port 5001 The RAS 1500 maintains a dynamic PAT mapping for this translation Then when an inbound packet addressed to 200 1 1 1 port 5001 arrives at the RAS 1500 from the public network the RAS 1500 uses the dynamic PAT mapping to reverse the translation from 200 1 1 1 port 5001 to 192 168 111 1 port 4444 and the packet is routed to the correct user on the private network The nex...

Page 258: ...in the public IP address pool When another user attempts to access the public network the private address and port of the user are assigned the next available IP address and port in the public IP address pool When a connection ends the public IP address and port of that connection again become available Public 192 168 111 1 4444 Private 200 1 1 1 5001 200 1 1 1 5003 200 1 1 1 5002 192 168 111 3 44...

Page 259: ...et network user nat_user nat_option nat To disable NAT for a user use the following command set network user username nat_option disable Example set network user nat_user nat_option disable Adding Dynamic and Static Address Assignments To add a dynamic public address pool add nat dynamic user public_pool_start ip address count number of addresses Example add nat dynamic user nat_user public_pool_s...

Page 260: ...settings show user username Example show user nat_user To list active NAT address mappings use the following command list nat user username address To list active NAT port mappings use the following command list nat user username port Configuring Port Address Translation Enabling and Disabling Users To enable PAT for a user use the following command set network user username nat_option pat Example...

Page 261: ...xample add pat tcp user pat_user private_address 192 168 111 1 private_port 80 public_port 80 Incoming packets from the public network whose destination port mappings do not exist in the dynamic PAT translation table are directed to a default host To specify the default host use the following command set network user username pat_default_address IP address Example set network user pat_user pat_def...

Page 262: ...g must match the password ras The public subnet allocated by the ISP for use by this private network is 202 55 55 40 29 The RAS 1500 is assigned the address 202 55 55 41 29 The private network has two servers that will be accessed by hosts from the public network The ISP access number is 3067 The local area network LAN configuration of the RAS 1500 is the same as it would be without a NAT user add...

Page 263: ...up named 78 add modem_group 78 interface rm0 slot 2 mod 3 4 5 Add and configure a user named nat_user add user nat_user password ras type network dial_out enable no set user nat_user modem_group 78 phone_number 3067 set network user nat_user ppp compression_algorithm ascend set network user nat_user transmit_authentication main send_password ras set network user nat_user ipx disable appletalk disa...

Page 264: ...already configured the ISDN modems for proper operation However adding more than 4 Multi Link Point to Point Protocol MLPPP links diminishes the gain of adding the channels because of the MLPPP overhead 1 Specify the local Ethernet IP address add ip network ip address 192 168 1 1 C 2 Enter the local IP address pool for dial in users add ip pool ippool initial_pool_address 192 168 1 10 size 24 3 Sp...

Page 265: ...ing listen set network user pat_user nat_option pat set network user pat_user pat_default_address 192 168 1 2 set dial user pat_user data async set dial user pat_user local_ip_address 255 255 255 255 set dial user pat_user site type ondemand 6 Specify the default gateway add framed_route user pat_user ip_route 0 0 0 0 gateway 255 255 255 255 set dial user pat_user site type ondemand 7 Set multilin...

Page 266: ......

Page 267: ...sed line on its serial port A leased line is a dedicated line between two sites and is permanently installed rather than a dialed up connection PPP over the WAN port can connect to another RAS 1500 or any device that supports PPP PPP over leased line offers the following benefits Constant connection Once the connection between the sites is established the link does not come down unless you issue a...

Page 268: ...S 449 V 11 V 10 EIA 530 V 11 V 10 EIA 530A V 11 V 10 Case Study Before You Begin Before you configure the RAS 1500 for PPP over leased line do the following 1 Work with the phone company to acquire a leased line between the two sites 2 The leased line attaches to the Channel Service Unit Data Service Unit CSU DSU at both customer sites 3 The leased line is responsible for providing a clock either ...

Page 269: ... seconds Assumptions Each office has a functioning RAS 1500 Each office has a separate IP network The main office has 192 112 226 0 C the branch office has 192 112 227 0 C Use Routing Information Protocol RIPv1 Process The goals can be achieved with either a numbered IP link or an unnumbered link between the sites Figure 24 shows a numbered link and Figure 25 shows an unnumbered link Figure 24 Num...

Page 270: ...0 3 Configure the user network parameters a Numbered link set network user branch_office address_selection specified remote_ip_address 78 0 0 2 A set network user branch_office ipx disable appletalk disable bridging disable set network user branch_office send_password boston b Unnumbered link set network user branch_office address_selection specified remote_ip_address 192 112 227 1 C set network u...

Page 271: ...AS 1500 steps 1 through 3 are not necessary 1 Add an IP network add ip network ipnet 2 address 192 112 227 1 C interface rm0 eth 1 2 Add a user add user main_office password boston type network dial_out set user main_office idle_timeout 300 3 Configure the user network parameters set network user main _office address_selection specified remote_ip_address 78 0 0 1 A set network user main _office ip...

Page 272: ...ection issue the following command disable datalink ppp interface rm0 wan 1 Viewing the Status of the Connection To view the status of the link use the list ppp command Troubleshooting For debugging purposes view the LCP negotiation which is part of the PPP negotiation These negotiations are only visible if the loglevel is set to verbose or debug You should also check the following Cable type User...

Page 273: ...n 12 0 Kwajalein 11 0 American Samoa Canton Enderbury Islands Midway Island Niue Island Samoa 10 0 Christmas Islands Cook Islands French Polynesia Johnston Island Society Island Tahiti Tuamotu Island Tubuai Island USA Aleutian USA Hawaii 9 5 0 Marquesas Islands 9 0 Gambier Island 9 8 1 USA Alaska 8 7 1 Canada Yukon and Pacific Mexico Baja Calif Norte USA Pacific 7 0 Mexico Nayarit Mexico Sinaloa M...

Page 274: ...ica El Salvador Guatemala Honduras Mexico 6 5 1 Canada Central Easter Island Nicaragua USA Central 5 0 Cayman Islands Colombia Ecuador Galapagos Islands Jamaica Panama Peru USA Indiana East 5 4 1 Bahamas Canada Eastern Cuba Haiti Turks and Caicos Islands USA Eastern 4 5 1 Brazil Acre ...

Page 275: ...s Montserrat Puerto Rico Saba St Christopher St Croix St John St Kitts Nevis St Lucia St Maarten St Thomas St Vincent Trinidad and Tobago Venezuela Virgin Islands Windward Islands 4 3 1 Bermuda Brazil West Canada Atlantic Chile Falkland Islands Greenland Thule Paraguay 3 5 2 5 1 Canada Newfoundland 3 0 Argentina French Guiana Guyana Suriname Uruguay 3 2 1 Greenland St Pierre Miquelon 3 1 2 Brazil ...

Page 276: ...land Liberia Mali Mauritania Morocco Principe Island Sao Tome e Principe Senegal Sierra Leone St Helena Togo 0 1 1 Canary Islands Channel Islands England Faroe Island Ireland Republic of Madeira Northern Ireland Scotland United Kingdom Wales 1 0 Angola Benin Cameroon Central African Rep Chad Congo Dahomey Equitorial Guinea Gabon Niger Nigeria Tunisia Zaire Kinshasa Mbandaka ...

Page 277: ...gary Italy Luxembourg Macedonia Mallorca Islands Malta Melilla Monaco Namibia Netherlands Norway Poland Portugal San Marino Slovakia Slovenia Spain Sweden Switzerland Vatican City Yugoslavia 2 0 Botswana Burundi Lesotho Libya Malawi Mozambique Rwanda South Africa Sudan Swaziland Zaire Kasai Zaire Haut Zaire Zaire Kivu Zaire Shaba Zambia Zimbabwe ...

Page 278: ...Romania Russian Federation zone one Syria Turkey Ukraine 3 0 Azerbajian Bahrain Djibouti Eritrea Ethiopia Kenya Kuwait Madagascar Mayotte Qatar Saudi Arabia Somalia Tanzania Uganda Yemen 3 4 1 Iraq 3 5 0 Iran 4 0 Georgia Mauritius Oman Reunion Seychelles United Arab Emirates 4 5 1 Armenia Russian Federation zone three Russian Federation zone two 4 5 0 Afghanistan ...

Page 279: ...land Vietnam 7 8 1 Russian Federation zone six 8 0 Australia Western Brunei China People s Rep Hong kong Indonesia Central Malaysia Mongolia Philippines Singapore Taiwan 8 9 1 Russian Federation zone seven 9 0 Indonesia East Japan Korea Dem Republic of Korea Republic of Palau 9 10 1 Russian Federation zone eight 9 5 0 Australia Northern Territory 9 5 10 5 1 Australia South 10 0 Australia Queenslan...

Page 280: ...0 5 Australia Lord Howe Island 11 0 Caroline Island New Caledonia New Hebrides Ponape Island Solomon Islands 11 12 1 Russian Federation zone ten Vanuatu 11 5 0 Norfolk Island 12 0 Fiji Kiribati Kusaie Marshall Islands Nauru Republic of Pingelap Tuvalu Wake Island Wallis and Futuna Islands 12 13 1 New Zealand Russian Federation zone eleven 12 75 13 75 1 Chatham Island 13 0 Tonga ...

Page 281: ...ed and used in accordance with the instructions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by o...

Page 282: ...e the equipment will operate to the user s satisfaction Before installing this equipment users should ensure that it is permissible to be connected to the facilities of the local telecommunications company The equipment must also be installed using an acceptable method of connection The customer should be aware that compliance with the above conditions may not prevent degradation of service in som...

Page 283: ...500 has the following physical dimensions Interfaces Console Interface Electrical specification RS 232 C EIA TIA 232 E standard Connector DB 9 male Configuration DTE Transmission method Unbalanced RS 232 Transmission rate 230 kbps LAN Interface Data Transfer Rate 10 Mbps Accessing Scheme CSMA CD Carrier Sense Multiple Access with Collision Detection Topology Star Wired hub using multiport repeater...

Page 284: ... Ohms for frequency range of 5 10 MHz Propagation Delay 5 7 nanseconds meter Cabling RJ 45 plug to RJ 45 plug straight through for multiport repeater applications transmit to receiver crossover cable for two node network FireWire Electrical specification N A Connector IEEE P1394 Configuration N A Transmission method High Speed Serial Bus HSSB Transmission rate N A Environmental Shipping and Storag...

Page 285: ...of the 12 VDC supply is 30 W the remaining 40 W is shared between the 3 3 and 5 VDC supplies If no load in 3 3 V and 12 V limited to 0 6 A then 5 V can deliver 12 A Input Voltage 90 264 VAC 47 63 Hz Maximum Input Current 2 5 A Voltage VDC Maximum Current A Maximum Power Output W 12 2 5 30 5 12 35 3 3 10 33 ...

Page 286: ......

Page 287: ...rld Wide Web site 3Com FTP site 3Com Bulletin Board Service 3Com BBS 3ComFactsSM automated fax service World Wide Web Site Access the latest networking information on the 3Com Corporation World Wide Web site by entering the URL into your Internet browser http www 3com com This service provides access to online support information such as technical documentation and software library as well as supp...

Page 288: ... modem to 8 data bits no parity and 1 stop bit Call the telephone number nearest you Access by Digital Modem ISDN users can dial in to the 3Com BBS using a digital modem for fast access up to 64 Kbps To access the 3Com BBS using ISDN use the following number 1 847 262 6000 Country Data Rate Telephone Number Australia Up to 14 400 bps 61 2 9955 2073 Brazil Up to 14 400 bps 55 11 5181 9666 France Up...

Page 289: ...ady Product model name part number and serial number A list of system hardware and software including revision levels Diagnostic error messages Details about recent configuration changes if applicable If you are unable to contact your network supplier see the following section on how to contact 3Com Support from 3Com If you are unable to obtain assistance from the 3Com online technical resources o...

Page 290: ...ope From anywhere in Europe call 31 0 30 6029900 phone 31 0 30 6029999 fax From the following European countries you may use the toll free numbers Austria Belgium Denmark Finland France Germany Hungary Ireland Israel Italy 06 607468 0800 71429 800 17309 0800 113153 0800 917959 0130 821502 00800 12813 1 800 553117 177 3103794 1678 79489 Netherlands Norway Poland Portugal South Africa Spain Sweden S...

Page 291: ...Middle East 44 1442 435860 44 1442 435718 From the following European countries you may call the toll free numbers select option 2 and then option 2 Austria Belgium Denmark Finland France Germany Hungary Ireland Israel Italy Netherlands Norway Poland Portugal South Africa Spain Sweden Switzerland U K 06 607468 0800 71429 800 17309 0800 113153 0800 917959 0130 821502 00800 12813 1800553117 177 3103...

Page 292: ......

Page 293: ...using Rlogin 166 using Telnet 166 using Telnet control characters 167 using TFTP 166 viewing facility errors 168 viewing interface status and settings 172 viewing system settings 172 viewing Telnet status 167 ARP resolving addresses with 169 using 169 ARQ description 134 136 setting negotiation 149 AT commands basic dial commands 131 call control settings 149 configuring data compression settings ...

Page 294: ...tion 137 using 137 escape code 146 exit commands 162 F fax service 3ComFacts 287 FECN 203 files deleting 161 renaming 161 filters adding filters to the managed list 230 advertisement filters 219 assigning filters 228 call filters 220 capabilities 218 configuring filters 226 creating 220 data filters 219 deleting 232 displaying managed filter list 227 file components 220 filter out all IP options s...

Page 295: ...on 94 case study 105 267 configuring network parameters 98 connection types 93 connections to remote gateways 96 dialout scripts 94 PAP and CHAP authentication 96 setting internal networks for unnumbered links 96 spoofing 96 LMI 203 local management interface 203 login hosts configuring 120 login users adding the user 121 case study 126 loop loss disconnect 146 loss of carrier 146 M manual setup d...

Page 296: ...159 software configuration configuring a manage user 32 finding IPX network number 27 IP configuration 26 IPX configuration 27 setting default domain 30 setting IPX parameters 29 spoofing 96 standard port numbers 237 switched virtual circuits 202 system information displaying 173 system settings viewing 172 T Tc 204 technical support 3Com URL 285 bulletin board service 286 fax service 287 network ...

Page 297: ...INDEX 295 V 90 151 W Windows 95 Dial Up Networking 89 World Wide Web WWW 285 X X 75 152 ...

Page 298: ...296 INDEX ...

Page 299: ...nsed to Customer on and after January 1 1998 that is date sensitive will continue performing properly with regard to such date data on and after January 1 2000 provided that all other products used by Customer in connection or combination with the 3Com product including hardware software and firmware accurately exchange date data with the 3Com product with the exception of those products identifie...

Page 300: ...STING UNAUTHORIZED ATTEMPTS TO OPEN REPAIR OR MODIFY THE PRODUCT OR ANY OTHER CAUSE BEYOND THE RANGE OF THE INTENDED USE OR BY ACCIDENT FIRE LIGHTNING OTHER HAZARDS OR ACTS OF GOD LIMITATION OF LIABILITY TO THE FULL EXTENT ALLOWED BY LAW 3COM ALSO EXCLUDES FOR ITSELF AND ITS SUPPLIERS ANY LIABILITY WHETHER BASED IN CONTRACT OR TORT INCLUDING NEGLIGENCE FOR INCIDENTAL CONSEQUENTIAL INDIRECT SPECIAL...