IOLINK-520 and IOLINK-PRO Bridge / Routers with VPN USER AND SYSTEM ADMINISTRATION GUIDE Issue 1 © Copyright 2001 by Perle Systems Ltd.
IOLINK-520 and IOLINK-PRO Bridge / Router with IPSec USER AND SYSTEM ADMINISTRATION GUIDE
Export Control Notice

Under the terms of Canadian Export Control, the exporter is obligated to inform the end user of certain restrictions on the use and re-exportation of products containing cryptographic technology 1. The exporter's Export Permit allows the distribution of this product containing specified cryptographic technology to only those countries listed below, and does not authorize the export, sale, transfer or other disposition to any country outside of those eligible.
Federal Communications Commission (FCC) Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
Using This Manual

This Installation and Applications Guide provides the basic information required to initially set up and configure the IOLINK-520 & PRO Bridge/Router. This guide is organized into the following sections:

“Installation” provides instructions for installing the IOLINK-520 & IOLINK-PRO.

“Typical Applications & How to Configure Them” provides simple configuration examples for typical applications in which the IOLINK-520 & IOLINK-PRO might be used.
Contents

1 INSTALLATION
Unpack the IOLINK Router
Select a Site
Identify the Reset Switch
Identify the Connectors
Configure Remote Site Profiles for Leased Line PPP
Configure Remote Site Profiles for Frame Relay with ISDN Backup
Advanced Features
Configure Dynamic Host Configuration Protocol
Network Address Translation and Port Translation
A MENU TREES
B OCTET LOCATIONS ON ETHERNET FRAMES
Octet Locations on a Bridged TCP/IP Frame
Octet Locations on a Bridged Novell Netware Frame
ETHERNET Type Codes
Octet Locations on an IP Routed TCP/IP Frame
IOLINK-520 & IOLINK-PRO Installation & Applications Guide
1 Installation

The IOLINK-520 & IOLINK-PRO are flexible Ethernet Bridge/Routers that may be configured to service Local Area Networks and Wide Area Network connections over leased lines, ISDN circuits, and frame relay permanent virtual circuits. The IOLINK-PRO supports a single LAN and one or two WAN links (one ISDN BRI interface or two other WAN modules).
Identify the Reset Switch

The small hole under the front right corner of the faceplate is used in case a hardware reset is required. The end of a paper clip is sufficient to toggle the small switch behind the hole.

[Figure 1-1: Location of the Reset Hole on IOLINK Router (front view and bottom view)]
Identify the Connectors

IOLINK-PRO

The IOLINK-PRO may be ordered with a 10Base2, 10Base5, or 10BaseT LAN interface. If this IOLINK-PRO has an ISDN U or S/T Module, it must only be installed in slot 1 (leftmost position when viewed from the rear of the unit). The slot 2 position may be unused and covered with a blank panel or may contain another type of module. If a second WAN module is installed, only one BRI channel will be available for use.
[Figure 1-4: Rear View of the IOLINK-520 with Dual LAN connections and a single WAN module. Labels: LAN 2 module, Link 2 module, LAN/Console module, MDI-X and MDI ports, 10/100 BT LAN, 10 BT LAN, RS-232/V.24 CONSOLE, power connector]

Connect to the Console

Connection to the bridge/router operator’s console is made through the DB25 connector labeled CONSOLE on the back of the bridge/router.
Power Up the Bridge/Router

Once the LAN and Link connections are made and the console is connected to a terminal, you are ready to power-up the IOLINK router. Connect the AC power cord to the back of the IOLINK router and plug the cord into the AC wall outlet. Observe the LEDs as the bridge/router powers up. The LEDs will go through a circular flashing pattern as the power-up diagnostics are performed. After the power-up diagnostics are finished, the Power LED will go from red to green.
Conventions

Throughout this section, the IOLINK-520 & IOLINK-PRO menu options required for the various configuration choices are shown. The appropriate menu options are shown in each instance in the following format:

Configuration Option Name
Location: Main ! Sub-Menu Name ! Sub-Menu Name ! Option Name

The configuration option is shown as well as the option's location within the menu system. The ! character indicates that a sub-menu level must be chosen.
Login to Bridge/Router and Enter the Required Configuration

At the login screen type a 1 and the default password to enter the menu system of the IOLINK Router. The default password is “BRIDGE” (case sensitive) and should be changed if security is desired. With the options of the built-in menu system, the IOLINK router may be configured to operate within your environment.
Mandatory Configuration

The IOLINK-520 & IOLINK-PRO require a minimum amount of mandatory configuration in order to operate. The following table identifies the configuration parameters that must be defined for proper operation under the operational states shown in the table.
Identify the Status LEDs

The four three-colour Light Emitting Diodes (LEDs) on the front of the IOLINK router are depicted in Figure 1-1. The meanings of these LEDs are found in the following chart.
2 Typical Applications & How to Configure Them

The IOLINK-520 & IOLINK-PRO are flexible Ethernet Bridge/Routers. This section describes how to set up the IOLINK-520 & IOLINK-PRO routers using each of their networking functions. Note that depending on the model of unit and what interface modules are installed, some of the configuration examples may not apply; for example, if no ISDN BRI module is installed, the sections on setting up an ISDN PPP IOLINK router would not apply.
2.1 - Bridging and Routing

Should You Bridge or Route?

When connecting two networks together, the first question to ask is “should I bridge or route”? The decision to bridge or to route may be determined by how the existing networks have already been set up. Bridging should be used when the network consists of non-routable protocols or routable protocols using the same network numbers.
2.1.1 - Bridging

An Ethernet bridge intelligently forwards Ethernet data packet traffic between connected networks. The traffic may be across the Wide Area Network (illustrated below) or, in the case of the IOLINK-520, may be between two LANs connected to the same IOLINK-520.
2.1.2 - IP Routing

An Ethernet IP router is used to intelligently route Internet Protocol (IP) traffic to another network. The networks may be connected across a WAN link (illustrated below) or two LANs connected to the same dual LAN IOLINK-520.

[Figure: two routers joined by a WAN connection. Router IP Address 199.169.1.10; Router IP Address 199.169.2.12; IP Network Address 199.169.2.0; IP Network Address 199.169.1.]
2.1.2.1 - IP Addressing

Devices on an IP network are located by their IP addresses. An IP address is a 32-bit number divided into four 8-bit fields. The IP address identifies both the network and the host device (also known as a node) on that network. The address is usually written as the four decimal values for the fields (between 0 and 255) separated by decimal points; for example 196.65.43.21. The high order field defines the IP class of the address.
2.1.2.2 - Masks

The portion of the IP address to use as the network address is specified by using a mask; a mask is the contiguous number of bits to be used for the network address all set to 1. When the mask is logically ANDed with an IP address, the result is the network address. The mask is specified by entering the mask size as the number of bits in the mask. For the standard Class A, B and C Internet addresses, the mask sizes would be 8, 16 and 24 respectively.
The IOLINK-520 & IOLINK-PRO allow mask sizes from 8 to 32 bits. The subnet mask size determines how many bits of the host field of the original IP network address will be used for the creation of subnets. In this example, specifying a mask size of 26 will produce a subnet size of 2 bits. Two bits gives 4 possible sub-network addresses from the original IP network address.
2.1.2.3 - IP Default Gateway

An IP default gateway is an IP router that is resident on the local IP network that this IOLINK router is connected to and is used to route IP frames for destination networks that do not exist in the routing table. When an IP frame is received that is destined for a network that is not listed in the routing table of the IOLINK router, the router will send the IP frame to the default gateway.
2.1.3 - IPX Routing

The IOLINK-520 & IOLINK-PRO are pre-configured to operate as an IPX router. When installed in an IPX network, the IOLINK router will learn the IPX network numbers from connected networks. It will then route the IPX frames to the appropriate destination IPX network. The IPX routing scenario may consist of one of the two following configurations. The first configuration consists of Novell servers located on each of the LAN segments to be connected.
Once the WAN connections have been established to the remote partner IOLINK routers, the IPX router portion of the IOLINK routers will begin to build their routing tables according to the IPX frames they receive from the network. Manual entries may be made in the routing tables by adding static IPX routes. 2.1.3.
The following steps must be performed on the IOLINK router connected to LAN #2.

IPX Routing Disabled
Location: Main ! Configuration ! Packet Services Set-up ! IPX Routing Set-up ! IPX Routing

Disabling IPX routing allows the IPX frame types to be modified.

Configuration Note: IPX Routing does not need to be disabled in order to change the defined network numbers on a PPP IOLINK router.
IPX Forwarding Enabled
Location: Main ! Configuration ! Packet Services Set-up ! IPX Routing Set-up ! IPX Forwarding

IPX forwarding must be re-enabled to allow the IOLINK router to forward IPX frames onto the WAN to the partner IOLINK IPX routers. The IPX Forwarding function enables or disables the forwarding of IPX traffic when IPX routing is enabled. When IPX forwarding is disabled, all IPX traffic across the WAN links will be blocked.
2.1.4 - PPP Overview

Point to Point Protocol (PPP) is a connection protocol that allows control over the set-up and monitoring of network communications. It is used in procedures for user authentication (name and password), connection management (spoofing, bandwidth on demand, multilink), and compression. If any of these functions are required on a frame relay connection, PPP encapsulation within frame relay is available. 2.1.4.
2.1.4.3 - Unnumbered Links

An unnumbered link does not use network addressing on the WAN link. The WAN connection is roughly equivalent to an internal connection with each of the two end point routers operating as half of a complete router that is connected between the two endpoint LANs. When an IPCP link is set to unnumbered, the only configuration option applicable is Peer IP Address.
2.1.4.4 - Multilink Operation

Multilink operation defines the use of more than one link to connect between two PPP routers. When a multilink connection is required, simply enable the Multilink Operation option of the remote site profile for that connection. When a multilink connection is established, the multilink (MP) options within the PPP setup and Advanced PPP set-up menus will determine the operation of the multilink connection.
2.2 Basic WAN Configurations

2.2.1 - Basic ISDN Connections

If the IOLINK-520 or IOLINK-PRO is configured as an ISDN bridge/router, it may establish WAN connections to other bridge/routers via ISDN (Integrated Services Digital Network) connections. Before the IOLINK-520 & IOLINK-PRO can establish an ISDN connection to another ISDN router, the ISDN information must be defined. The ISDN switch type must be defined for the ISDN interface, and the phone numbers must be defined.
The following steps must be performed to configure the IOLINK-520 & IOLINK-PRO:

The default switch type for ISDN S/T interface modules is NET3; the default switch type for ISDN U interface modules is NI-1. If the type of service your provider uses matches the default setting for the interface module, the following step may be skipped; otherwise, the switch type must be set.
Once the ISDN switch type and directory numbers have been configured, the IOLINK router must be reset for the new values to take effect and for the ISDN BRI interface to register with the central switch.

Soft Reset
Location: Main ! Diagnostics ! Soft Reset

Once the IOLINK router has restarted it is ready to establish ISDN connections. With the ISDN numbers and switch type defined, an ISDN call may be placed to another properly configured bridge/router.
2.2.1.1.1 - IPX Router Manual Call Connection

To establish an IPX PPP direct dial connection, enter the ISDN phone number of the remote site PPP router in the manual dial option. Refer to the Configure as an Ethernet IPX Router section 2.3.1 for more information on the IPX configuration required.

Manual Call
Location: Main ! Configuration ! Connections Set-up ! Remote Site Set-up ! Manual Call

Enter the ISDN phone number of the remote site IPX PPP router and an ISDN call will be placed. 2.2.
2.2.2 - Basic Frame Relay Configuration

North American IOLINK-520 & IOLINK-PRO with at least one non-ISDN interface are configured to have frame relay enabled for that interface by default. IOLINK-520 & IOLINK-PRO shipped outside of North America with at least one non-ISDN interface will have frame relay disabled on that interface as a default setting. See the following page for instructions on switching Frame relay from disabled to enabled.
Configuration: The default configuration for IOLINK-520 & IOLINK-PRO shipped outside North America is to have frame relay disabled. To run frame relay on these routers, it must first be enabled. Selecting the Frame Relay option will toggle the setting from disabled to enabled.

Frame Relay enable
Location: Main ! Configuration ! Interfaces Set-up ! WAN Set-up ! Link Set-up ! Frame Relay enabled

The router will request confirmation of the change; enter “yes”.
learning process, the IOLINK router will automatically create a remote site profile for each PVC. The automatically created remote site profiles will be named “LinkxDLCIyyy” where x is the physical link number the PVC is on and yyy is the DLCI of the PVC. If during this learning process the maximum number of remote sites has been reached, the IOLINK router will prompt you that there are no remote sites available.
2.2.2.3 - Quick Start Frame Relay

Since the IOLINK-520 & IOLINK-PRO auto-learn the frame relay configuration, only a couple of parameters need to be configured before the unit is fully operational as an IP router for frame relay. Upon initial start up, the IOLINK-520 & IOLINK-PRO are pre-configured to query the frame relay service to auto-learn the LMI type and the PVC DLCI numbers. The IOLINK-520 & IOLINK-PRO will then automatically create a remote site profile for each PVC.
2.2.3 - Basic Leased Line Configuration

The IOLINK-520 & IOLINK-PRO establish PPP (Point to Point Protocol) WAN connections to other PPP Leased Line IOLINK routers or to other vendors' PPP leased line routers via direct leased line connections. Either 1 or 2 links may be used to connect to other PPP routers.
The following steps must be performed on each of the IOLINK routers in the network.

Local IP Address
Location: Main ! Configuration ! Interfaces Set-up ! LAN Set-up ! LAN IP Set-up ! IP Address / mask size

This is the IP address and subnet mask for the link of this IOLINK router in the unnumbered IP connection. Usually the clocking signal is received from the link (see Appendix D Link Clocking Information). If the link interface is a V.11, V.
2.3 - Configure Remote Site Profiles

Remote Site Profiles allow the IOLINK router to have different sets of configuration parameters for each of the remote site routers that may be called or that may call this IOLINK router. This allows complete control over the configuration of each possible connection.
2.3.1 - Configure Remote Site Profiles for ISDN PPP

If this IOLINK router is configured to have at least one ISDN switched circuit, the ISDN call parameters must be defined so that the IOLINK router knows what ISDN phone number to dial when a connection to this remote site is required and what security parameters to use when establishing a connection.
1 b) Defining this remote site profile within the IP Address connect table, which will cause a call to be made when a packet for this IP address is routed,

Location: Main ! Configuration ! Connections Set-up ! IP Address Connect ! IP Address Connect Enabled

1 c) Defining the Auto-Call option within the Edit Remote Site menu of this remote site profile.
2.3.2 - Configure Remote Site Profile for Frame Relay

Each of the PVCs on the frame relay service must be configured within an individual remote site profile on the IOLINK router. This is usually done automatically through the auto-learning process. When the frame relay router first starts up it will query the frame relay service to try to determine the PVC configurations.
The DLCI number defined here is the Data Link Connection Identifier value provided by your frame relay service provider. This value must be set if auto-learning is disabled. Each Remote Site PVC must be defined to exist on one of the two physical WAN links available on this IOLINK router.
EIR
Location: Main ! Configuration ! Connections Set-up ! Remote Site Set-up ! Edit Remote Site ! Connection Set-up ! EIR

The EIR value specifies the indicated data rate that may be available for this PVC. This value must be set to the same as the value provided by the Frame Relay network provider. When EIR = 0, no excess burst data is allowed to be transmitted. If EIR is non-zero, bursting is allowed. The only restriction is that CIR + EIR > 0.
2.3.3 - Configure Remote Site Profiles for Leased Line PPP

Remote Site Profiles allow the IOLINK router to have different sets of configuration parameters for each of the possible remote site PPP routers that may be connected to this IOLINK router. This allows greater control over the configuration of each possible PPP connection. Each remote site profile is named with an alias. The alias provides a simple method of maintaining configuration control over the remote site profiles defined.
Now that the remote site profile is created, a link number must be assigned as the primary link number. The primary link number is the link interface that the IOLINK router will use to attempt to establish a connection to the remote site PPP router.
2.3.4 - Configure Remote Site Profiles for Frame Relay with ISDN backup

Frame Relay operation is set up as described in section 2.3.2. The PVC on both partner routers must be disabled during this set-up procedure, then re-enabled when ready to start. ISDN call set-up is done as described in section 2.3.1. Recovery operation is set up on the secondary activation menu.
2.4 Advanced Features

2.4.1 - Configure Dynamic Host Configuration Protocol

The IOLINK-520 & IOLINK-PRO use Dynamic Host Configuration Protocol (DHCP) to allow users in a small office environment to be added and removed from a network with all of the network information (i.e. IP address, DNS, subnet mask, etc.) being configured automatically. DHCP configures devices (DHCP clients) from a central DHCP server.
DNS Set-Up
Location: Main ! Configuration ! Application Set-up ! DHCP Set-up ! DNS Set-up
! Primary DNS - IP address local DNS server
! Secondary DNS - IP address external DNS server

[Figure 2-10: Local + External DNS Server Configuration. Labels: External DNS Server (Secondary), Internet Service Provider, Local DNS Server (Primary)]

The configuration options described here are only for initial set-up and configuration purposes.
2.4.2 - Network Address Translation and Port Translation

The IOLINK-520 & IOLINK-PRO provide support for Network Address Translation (NAT). Network Address Translation is a technique that translates private IP addresses on a private network to valid global IP addresses for access to the Internet. Network Address Port Translation (NAPT) translates both the IP address and the port number.
[Figure 2-11: NAPT Configuration. A private network connected through the router to the Internet Service Provider.]

Private Network Addresses: e-mail server 1.1.1.2, telnet server 1.1.1.3, WWW server 1.1.1.4, 1.1.1.6, 1.1.1.8
Global IP Address: 199.87.65.43

NAPT mapping:
1.1.1.2 = 199.87.65.43 (25)
1.1.1.3 = 199.87.65.43 (23)
1.1.1.4 = 199.87.65.43 (80)

2.
2.4.3 - Security

The IOLINK router provides a number of means of providing security on incoming and outgoing traffic on a network. These methods include the IPsec protocol suite, access password authentication, firewall limiting access to only designated device addresses, private network address translation (NAT) and filtering for both incoming and outgoing traffic. 2.4.3.
make provision for NAT to be used with tunneling. We will use this example for the configuration on the pages that follow. The setup for an IPSec connection is done in the IP security set-up menu under Configuration Packet Services. IP Security may be disabled to check the link connections before the secure connection is set up.
Note that the policy will be applied to all WAN interfaces, so a link on a second WAN interface must have a policy item (or items) to permit traffic across that interface. Next, the policy item(s) that specify the SA(s), the rules to test packets against and encapsulation algorithms and keys must be set. Each policy item is created by entering a name after selecting the Edit Item menu option.
Then the authentication algorithm should be set to MD5.

IPSec ESP SA
Location: Main ! Configuration ! Packet Services Set-up ! IP Security Set-up ! Policy Set-up ! Edit Item item_name ! Manual ESP SA ! Authentication MD5

If Authentication is left as “none” (the default setting), no authentication will be done on the packet; only encryption will be performed. Next, the encryption and authentication keys are set up.
Now the selection rules used to test each packet against are set.

IPSec ESP SA
Location: Main ! Configuration ! Packet Services Set-up ! IP Security Set-up ! Policy Set-up ! Edit Item item_name ! Selection Rules
! Src IP 10.10.10.1 (25)
! Dest IP 192.168.10.1 (24)
! Protocol any
! Src port any
! Dest Port any

The example policy items for Router 1 show the source and destination specified by the local IP addresses with masks. All protocols will be allowed between all ports.
To do its job as a router, this device must know where to forward packets with IP addresses outside the LAN. This may be done in a number of ways: a static IP route to the LAN at the other end of the SA connection may be set, the IP address of the Internet Service Provider may be set as the Default Gateway, or an IPSec policy item may be created specifically to pass RIP packets. To set a policy item for RIP packets, first set the action to bypass IPSec so the packets are not processed.
Once the IPSec policies have been configured and it has been confirmed that traffic is passing over the IPSec connection, the default action for failed packets should be changed to discard. The initial factory setting is to bypass IPSec, which allows remote configuring of the router via Telnet. Once the IPSec configuration has been completed and tested, this should be changed so that only those packets matching the IPSec conditions are passed.
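The effect of the default action can be checked offline before it is changed on the router. The following is an added example, not code from this guide or from the router: it models the Router 1 selection rules shown above plus a RIP bypass item, and reports which packets leave unprotected only because the default action is still bypass. The action names, first-match ordering, the RIP selector (UDP port 520) and all sample packets are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = None  # wildcard, the menu's "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class PolicyItem:
    name: str
    src: str            # address and mask size, as in "Src IP 10.10.10.1 (25)"
    dst: str
    action: str         # "secure" = apply the ESP SA, "bypass" = pass unprocessed
    proto: object = ANY
    sport: object = ANY
    dport: object = ANY

    def matches(self, pkt):
        # The mask size selects the network part, so host bits are ignored.
        src_net = ipaddress.ip_network(self.src, strict=False)
        dst_net = ipaddress.ip_network(self.dst, strict=False)
        return (ipaddress.ip_address(pkt.src) in src_net
                and ipaddress.ip_address(pkt.dst) in dst_net
                and self.proto in (ANY, pkt.proto)
                and self.sport in (ANY, pkt.sport)
                and self.dport in (ANY, pkt.dport))


def decide(policy, default_action, pkt):
    """Return (action, item name). First matching item wins (assumption)."""
    for item in policy:
        if item.matches(pkt):
            return item.action, item.name
    return default_action, "default"


def unprotected_by_default(policy, packets):
    """Packets that pass in the clear only because the default is bypass."""
    return [p for p in packets
            if decide(policy, "bypass", p) == ("bypass", "default")]


# Router 1 policy: the selection rules from the guide plus a RIP bypass item.
ROUTER1_POLICY = [
    PolicyItem("tunnel", "10.10.10.1/25", "192.168.10.1/24", "secure"),
    PolicyItem("rip", "0.0.0.0/0", "0.0.0.0/0", "bypass",
               proto="udp", dport=520),
]

# Constructed sample packets.
LAN_TO_REMOTE = Packet("10.10.10.20", "192.168.10.7", "tcp", 1025, 80)
OUTSIDE_MASK = Packet("10.10.10.200", "192.168.10.7", "tcp", 1026, 80)
RIP_UPDATE = Packet("10.10.10.1", "224.0.0.9", "udp", 520, 520)
TELNET_MGMT = Packet("203.0.113.5", "10.10.10.1", "tcp", 40000, 23)
SAMPLES = [LAN_TO_REMOTE, OUTSIDE_MASK, RIP_UPDATE, TELNET_MGMT]

if __name__ == "__main__":
    for default in ("bypass", "discard"):
        print(f"default action = {default}")
        for pkt in SAMPLES:
            action, rule = decide(ROUTER1_POLICY, default, pkt)
            print(f"  {pkt.src} -> {pkt.dst}:{pkt.dport}  {action} ({rule})")
```

The host 10.10.10.200 falls outside the 25-bit source mask, so with the factory default it is forwarded without IPSec rather than through the SA; after the change to discard it is dropped, as is the Telnet management session.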
2.4.3.2 - Configure PPP Security

The PPP IOLINK-520 & IOLINK-PRO provide support for both PAP and CHAP security access authentication. An outgoing user name, PAP password, and CHAP secret are defined that the IOLINK router will use when responding to an authentication request from a remote site PPP router. The cold start defaults for the security user name and passwords are as follows.
Remote Site Security Parameters Entry
Location: Main ! Configuration ! Connections Set-up ! Edit Remote Site ! Security Parameters
! Outgoing User Name
! Incoming PAP Password
! Outgoing PAP Password
or
! Incoming CHAP Secret
! Outgoing CHAP Secret

The outgoing entries in the security database define the user names and passwords/secrets that this IOLINK router will send in response to an authentication request sent from the remote partner router.
2.4.3.3 - Configure Firewall

The IOLINK-520 & IOLINK-PRO provide Firewall security for restricting access between any two networks connected through the router. Firewalls are set up on a per-connection basis for the LAN and remote sites. The direction of filtering is from the perspective of the IOLINK router; incoming traffic is from the network in question to the IOLINK router, outgoing is from the IOLINK router to the network.
First the firewall on the ISP connection (remote site 1) of the WAN is set up. The firewall option is set to “inbound” to have this WAN firewall filter traffic from the ISP to the IOLINK router while allowing unrestricted access out to the Internet.
Then an entry is placed in the firewall table to allow the devices in the branch office remote site to have unlimited TCP access to devices in the head office.

Firewall Table Entry
Location: Main ! Configuration ! Applications Set-up ! Firewall Set-up ! LAN Firewall Set-up ! Edit Firewall Entry
! filter ID # 1
! Destination Address — 195.100.1.0
! Destination Mask — 255.255.255.0
! Source Address — 195.100.2.0
! Source Mask — 255.255.255.
2.4.3.4 - Network Address Translation

Using private addresses on a network and NAT/NAPT for interactions over an internetwork connection hides the internal address from the rest of the world. Access is restricted to only those services that are specifically designated to be available. Please see section 2.4.2 for more information on Network Address Translation. 2.4.3.
2.4.5 - Bandwidth On Demand

The IOLINK router may be set to activate its secondary link when the load on the primary link exceeds a user-defined threshold.
3 Introduction to Filtering

The IOLINK-520 & IOLINK-PRO provide programmable filtering which gives you the ability to control under what conditions Ethernet frames are forwarded from one network to another. There are many reasons why this might need to be accomplished, some of which are security, protocol discrimination, bandwidth conservation, and general restrictions. Filtering may be accomplished by using two different methods.
Pattern Filtering

Pattern filtering is provided in three separate sections: Bridge Pattern Filters, IP Router Pattern Filters, and IPX Router Pattern Filters. When the IOLINK router is operating as an IP/IPX Bridge/Router, each of the frames received is passed on to the appropriate internal section of the IOLINK router. The IPX frames are passed on to the IPX router, the IP frames are passed on to the IP router, and all other frames are passed on to the bridge.
Example: ~12-80
This filter pattern will match if the packet information starting at the 12th octet does not equal the 80 of the filter pattern.

() brackets
Used in pattern filters to separate portions of filter patterns for specific operators.
Example: 12-80&(14-24|14-32)
This filter pattern will be checked in two operations.
Banyan Banyan (12-0BAD) (12-80C4) (12-80C5)

IP Router

IP router pattern filters are applied to IP Ethernet frames that are being routed. When the IOLINK router is operating as an IP router, all IP routed frames will be checked against the defined IP router pattern filters. IP routed frames are unaffected by the bridge pattern filters and the IPX router pattern filters.
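A filter pattern can be tested against captured frames before it is entered on the router. The following is an added example, not code from this guide or from the router firmware: a small parser and evaluator for the offset-value pattern syntax with the ~, &, | and () operators shown above. Offsets are taken as decimal octet positions counted from 0 in a bridged Ethernet frame and values as hex octets; giving & precedence over | when no brackets are present is an assumption, and the sample frames are constructed.

```python
import re

# A token is either an "offset-hexvalue" term or one operator character.
_TOKEN = re.compile(r"\s*(?:(\d+)-([0-9A-Fa-f]+)|([~&|()]))")


def _tokenize(pattern):
    pattern, pos, tokens = pattern.strip(), 0, []
    while pos < len(pattern):
        m = _TOKEN.match(pattern, pos)
        if m is None:
            raise ValueError(f"cannot parse {pattern[pos:]!r}")
        if m.group(3):
            tokens.append((m.group(3), None, None))
        elif len(m.group(2)) % 2:
            raise ValueError(f"value {m.group(2)!r} is not whole octets")
        else:
            tokens.append(("term", int(m.group(1)), bytes.fromhex(m.group(2))))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent: or-expression > and-expression > unary > term."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def _peek(self):
        return self.tokens[self.i][0] if self.i < len(self.tokens) else None

    def _next(self):
        if self.i >= len(self.tokens):
            raise ValueError("pattern ends unexpectedly")
        self.i += 1
        return self.tokens[self.i - 1]

    def parse(self):
        tree = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected {self._peek()!r}")
        return tree

    def _or(self):
        left = self._and()
        while self._peek() == "|":
            self._next()
            left = ("or", left, self._and())
        return left

    def _and(self):
        left = self._unary()
        while self._peek() == "&":
            self._next()
            left = ("and", left, self._unary())
        return left

    def _unary(self):
        kind, offset, value = self._next()
        if kind == "~":
            return ("not", self._unary())
        if kind == "(":
            tree = self._or()
            if self._next()[0] != ")":
                raise ValueError("missing ')'")
            return tree
        if kind != "term":
            raise ValueError(f"unexpected {kind!r}")
        return ("term", offset, value)


def _matches(tree, frame):
    op = tree[0]
    if op == "term":
        # A frame too short to hold the value simply does not equal it.
        return frame[tree[1]:tree[1] + len(tree[2])] == tree[2]
    if op == "not":
        return not _matches(tree[1], frame)
    if op == "and":
        return _matches(tree[1], frame) and _matches(tree[2], frame)
    return _matches(tree[1], frame) or _matches(tree[2], frame)


def compile_filter(pattern):
    """Return a predicate over raw frame bytes for a filter pattern string."""
    tree = _Parser(_tokenize(pattern)).parse()
    return lambda frame: _matches(tree, frame)


def make_frame(ethertype_hex, payload):
    """Constructed sample: 6-octet destination, 6-octet source, type, payload."""
    return (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
            + bytes.fromhex(ethertype_hex) + payload)


IP_FRAME = make_frame("0800", bytes.fromhex("4500"))
BANYAN_24 = make_frame("80C4", bytes.fromhex("2400"))
BANYAN_32 = make_frame("80C4", bytes.fromhex("3200"))
BANYAN_45 = make_frame("80C4", bytes.fromhex("4500"))
```

A negated term matches any frame that is too short to reach the offset, so a pattern such as ~12-80 also matches runt frames.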
Appendix A Menu Trees

The menu trees on the following pages are a graphical representation of the hierarchy of the built-in menu system of the IOLINK-520 & IOLINK-PRO. Each of the menus is shown with the options of the menu displayed below the specific menu name. Each of the menu options shown in each of the menu trees is explained in the accompanying IOLINK-520 & IOLINK-PRO VPN Menus Manual located on the accompanying CD-ROM. Menu names are displayed in boxes.
MAIN 1] Menu Tree ISDN Options software release: 51P.04.06.xx 52P.04.06.xx Frame Relay Options Configuration 1] Access Set-Up 1. Device Set-Up menu 2. Telnet Set-Up menu 3 Upgrade Device 4. Load FLASH Set-Up menu 5. Console 6. Hardware Status 7. TFTP access 1] Device Set-Up 1. Password 2. Device Name 3. Show Time 4. Set Time 2] Telnet Set-Up 1. Telnet access 2. Telnet 3. Telnet port 4. Show Names 5. Add Name 6. Remove Name 3] Upgrade Device 1. VPN 2. High Security VPN 4] Load FLASH Set-Up 1.
3] ISDN Options software release: 51P.04.06.xx 52P.04.06.xx Frame Relay Options Connections Set-Up 1] Remote Site Set-Up 1] 1. Edit Remote Site menu 2. Remote site summary 3. Display learned summary 3. Call summary 4. Remove remote site 5. Manual call 6. Force disconnect Edit Remote Site 1. Connection set-up menu 2. Activation menu 3. Protocol set-up menu 4. Security parameters menu 5. Remote site alias 6. Connection 7. Primary connection 8. Secondary connection 9.
ISDN Options Frame Relay Options Packet Services Set-Up 4] 1] Bridging Set-Up 1] 1. Spanning Tree menu 2. Bridge Forwarding 3. Bridge Aging Timer 4. Show Bridging Table 5. Show Permanent Table 6. Clear Bridging Table 2] Spanning Tree 1. STP State 2. Bridge Priority 3. Forwarding Delay 4. Message Age Timer 5. Hello Time 6. Show Bridge 7. Show Ports IP Routing Set-Up 1] 1. IP Routes menu 2. ARP Set-up menu 3. IP routing 4. IP forwarding 5. ARP proxy 2] IP Routes 1.
ISDN Options software release: 51P.04.06.xx 52P.04.06.xx Frame Relay Options 5] Application Set-Up 1] 1. SNMP set-up menu 2. DHCP set-up menu 3. Firewall set-up menu 4. NAT exports 5. Syslog 6. Time to live 7. Traceroute 8. Ping SNMP Set-Up 1. Edit Community menu 2. Message Size 3. Show Communities 4. Remove Community 2] 1] Edit Community 1. Write Access 2. Show Addresses 3. Add Address 4. Remove Address DHCP Set-Up 1] 1. Server IP pool address menu 2.
Appendix B Octet Locations on Ethernet Frames
This appendix provides octet locations for the various portions of three of the common Ethernet frames. When creating pattern filters, these diagrams will assist in the correct definition of the patterns. The offset numbers are indicated by the numbers above the frame representations. Note the differences in the TCP/IP and Novell frames when bridging and when routing.
Octet Locations on a Bridged Novell Netware Frame
ETHERNET Type Codes
Type Code   Description
0800        DOD IP
0801        X.75 Internet
0804        Chaosnet
0805        X.
Octet Locations on an IP Routed TCP/IP Frame
Octet Locations on an IPX Routed Novell Netware Frame
Octet Locations on a Bridged XNS Frame
Appendix C Servicing Information
Opening of the case and changing of modules is only to be performed by qualified service personnel.
WARNING! Always disconnect the power cord from the rear panel of the bridge/router.
The bridge/router case does not need to be opened to change LAN or WAN interface modules.
Opening the case
1) Remove power from the bridge/router and remove the other cabling.
2) Turn the bridge/router over and place it on a flat, cushioned surface.
Identifying the Internal Components
The major components of concern are shown in the following illustration.
Figure C-1 Top Internal View of the IOLINK-520 & IOLINK-PRO Ethernet Bridge/Router. Labeled components: Primary LAN & Console Interface Module; Link 2 Interface Module (ISDN BRI, DSU, G.703, RS232, V.35, RS422 or V.11); Link 1 or LAN 2 Interface Module (ISDN BRI, DSU, G.703, RS232, V.35, RS422 or V.11); Flash Memory.
To Clear a “Lost” Password
1) Remove power from the bridge/router.
2) Remove the screw securing the LAN / Console module to the rear of the bridge/router. Be sure to grip the module only by the flange at the bottom of the metal panel.
3) Unplug the LAN / Console module approximately 1/2 inch from the bridge/router. Be sure to grip the module only by the flange at the bottom of the metal panel.
Installing the ISDN Link Modules
If there is an ISDN module plus another type of WAN interface module, or if there is a single ISDN module, the ISDN U or S/T Module must only be installed in the Slot 1 position. The Slot 2 position may contain another type of WAN module or may be unused and covered with a blank panel. For IOLINK-520 models, if there is a second LAN module in this unit, it must go in the Slot 1 position and the ISDN module in Slot 2.
Changing the Termination Straps on the ISDN S/T Interface
The ISDN S/T link interface module has two configurable straps that control whether the ISDN LINE is set to terminated or unterminated. Jumper straps W5 and W6 are factory installed to configure the module as TERMINATED. The TERMINATED position is used when the bridge/router is the only ISDN device connected to the ISDN circuit. Removing the W5 and W6 straps sets the module to UNTERMINATED.
Performing a Software Upgrade
1) Execute the Network (TFTP) command from the Load FLASH Set-Up menu.
2) Enter “none” to connect locally or enter the remote site ID number or alias to connect to a remote site.
3) Start the TFTP application to be used for transfers to the router. (The IP address of the router may be found in the Internet Set-Up menu.)
4) Put the file “###.all” to the router from the Operational Code directory on the CD-ROM.
When upgrading the three IOLINK routers in the cluster shown in the following diagram, the upgrade order should be Router C, then Router B, and finally Router A. A TFTP software load to Router C would be performed as follows:
- Using TFTP, get config.txt from each router and save.
- Telnet to Router C. Enter the ID or alias of Router B in the Network (TFTP) option to put Router C in Network Load mode.
Appendix D Interface Pinouts
Pinout Information
Each link interface available is described with detailed information on pin designation. Standard interface cables will provide correct connections to modems, datasets, or DSU/CSUs. When connecting two bridge/routers back-to-back without modems, a null-modem cable is required to cross over the pins on the links. Crossing over the pins allows two bridge/routers both configured as DTE interfaces to be connected together.
These modules may have either the UP/DOWN switch type or the ON/OFF slide switch type. Each type is illustrated below.
Figure D-1 Rear View of ATL-CSU/DSU Link Module with UP/DOWN Switches
Figure D-2 View of ATL-CSU/DSU Link Module with Sliding ON/OFF Switches
When connecting two bridge/routers back-to-back with CSU/DSU link modules, a null-modem cable is required to cross over the pins on the links.
Console Pinouts
The connector shown here and pinouts described here correspond to the connector labeled “Console” on the back of the IOLINK-520 & IOLINK-PRO.
Connector: DB25 Female DCE
Contact Number   CCITT Circuit Number
1                101
2                103
3                104
5                106
6                107
7                102
8                109
20               108.2
22               125
IEEE Circuit Desig.
V.24 & RS232C Link Pinouts
The connector shown here and pinouts described here correspond to the connector labeled “RS232 / V.24” on the back of the IOLINK-520 & IOLINK-PRO.
Connector: DB25 Female DTE
Contact Number: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
CCITT Circuit Number 101 103 104 105 Circuit Name AA BA BB CA 107 102 109 CC AB CF 114 DB 115 141 DD 108.
V.11/X.21 Link Pinouts
The connector shown here and pinouts described here correspond to the connector labeled “V.11/x.21” on the back of the IOLINK-520 & IOLINK-PRO.
Connector: DB15 Female DTE
Contact Number: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
X.
RS442 & RS530 Link Pinouts
The connector shown here and pinouts described here correspond to the connector labeled “RS530” on the back of the IOLINK-520 & IOLINK-PRO.
V.35 Link Pinouts
The connector pinouts described here correspond to the connector labeled “V.35” on the back of the IOLINK-520 & IOLINK-PRO.
Connector: DB25
Contact Number M.
RS232 Null-Modem Cable Configuration (DB25 MALE to DB25 MALE)
Signals shown in the cable diagram, by contact number: 1 Shield; 2 Transmitted Data; 3 Received Data; 4 Request To Send; 6 Data Set Ready; 7 Signal Ground; 8 Received Line Signal Detector (CD); 15 Transmit Timing DCE Source; 17 Receiver Timing DCE Source; 20 DTE Ready.
Interface Pinouts V.
RS530 Null-Modem Cable Configuration (DB25 MALE to DB25 MALE)
Signals shown in the cable diagram: Shield; Transmitted Data (A) and (B); Received Data (A) and (B); DCE Ready (A) and (B); Clear To Send (A) and (B); Request To Send (A) and (B).
RS530 To RS449 Conversion Cable
DB25 MALE   Signal                                 DB37 MALE/FEMALE
2           Transmitted Data (A)                   4
14          Transmitted Data (B)                   22
3           Received Data (A)                      6
16          Received Data (B)                      24
8           Received Line Signal Detector (A)      13
10          Received Line Signal Detector (B)      31
6           Data Set Ready (A)                     11
22          Data Set Ready (B)                     29
4           Request to Send (A)                    7
19          Request to Send (B)                    25
5           Clear to Send (A)                      9
13          Clear to Send (B)                      27
20          Data Terminal Ready (A)                12
23          Data Terminal Ready (B)                30
17          Rece
V.11/X.21 Null-Modem Cable Configuration
Figure D-13 V.11/X.21 Null-Modem Cable
The connecting cable must be a shielded cable. Circuits which are paired (contain an (A) and (B) reference) should be connected to twisted pairs within the connecting cable. This cable is needed when it is necessary to connect two units back-to-back and a set of modems is not available.
Lifetime Warranty Limited Lifetime Warranty Policy Limited Warranty. Subject to the schedules set forth below, Perle products carry a limited lifetime parts and labour warranty, that is, Perle warrants to the original purchaser of each new product that the product will be free from defective materials and workmanship.
Other Damage No Fault Found Upgrades Part 2 Multiple Port Failure This is where more than one port has been damaged.