Pipeline User’s Guide Ascend Communications, Inc. Part Number: 7820-0330-001 For software version 6.
Pipeline, MAX, and Bandwidth-on-Demand are trademarks, and Ascend and the Ascend logo are registered trademarks of Ascend Communications, Inc. Other trademarks and trade names mentioned in this publication belong to their respective owners. Copyright © 1998, Ascend Communications, Inc. All Rights Reserved. This document contains information that is the property of Ascend Communications, Inc.
Ascend Customer Service
You can request technical assistance or additional information by telephone, email, fax, or modem, or over the Internet.
Obtaining Technical Assistance
If you need technical assistance, first gather the information that Ascend Customer Service will need for diagnosing your problem. Then select the most convenient method of contacting Ascend Customer Service.
France (+33) 492 96 5673
Italy (+33) 492 96 5676
Japan (+81) 3 5325 7397
Middle East/Africa (+33) 492 96 5679
Scandinavia (+33) 492 96 5677
Spain/Portugal (+33) 492 96 5675
UK (+33) 492 96 5671
Email support@ascend.com
Email (outside US) EMEAsupport@ascend.
About This Guide
How to use this guide
This manual is part of a set that describes all the standard features of a Pipeline running software version 6.0. Some features might not be available with older versions or specialty loads of the software. Features available only with specialty loads are documented in separate publications. This manual is organized with basic information about setting up connections first, followed by more specific information about administering the unit.
• Wide area network (WAN) concepts
• Local area network (LAN) concepts, if applicable
Documentation conventions
The following list explains how special characters and typographical conventions are used in this manual.
Convention: Monospace text
Meaning: Represents text that appears on your computer’s screen, or that could appear on your computer’s screen.
How to use the on-board software
This manual describes how to change the settings in the on-board software to add, change, or remove functions on the Pipeline. You can access the on-board software in these ways:
• By Telneting to the unit using the IP address to make the connection.
About This Guide Manual set
With the exception of parameters designated N/A (not applicable), you can edit all parameters in any menu. N/A means the parameter depends on another parameter whose current value causes this parameter not to be used. (See the Reference Guide for dependency information.)
Changing parameter values
When a parameter has preset choices, press Enter to cycle through the choices. To select the current value, use the arrow key or Ctrl-N to move to the next field.
1 Configuring WAN Connections
This chapter contains the following topics:
• About Wide Area Network (WAN) connections
• Link encapsulation
• Nailed groups
• How calls are initiated
This chapter explains how to set up the Answer and Connection profiles. A profile is a group of settings that define the attributes needed to set up or answer a call. You can define multiple Connection profiles and one Answer profile. Connection profiles are used for both incoming and outgoing connections.
Method: MPP (includes MP+)
Connection description and attributes: Multichannel Point-to-Point Protocol (MPP), Multilink Protocol Plus (MP+), and Bandwidth Allocation Control Protocol (BACP) are all enhancements to PPP for supporting multi-channel links. (MP+ is an implementation of MPP developed by Ascend Communications, Inc.) If a connection is set up for MPP, the Pipeline first requests MP+.
To make channels available for a nailed connection, you have to designate them for nailed usage by assigning them to a group number.
Note: Make sure the group numbers are unique across all WAN interfaces.
The group numbers for the Pipeline WAN interfaces are as follows:
• If you set the Chan Usage parameter to Leased/Switch, the Group number for the first B channel is 1 (this value cannot be changed).
Configuring WAN Connections How calls are answered
You can control how the Pipeline brings up WAN sessions using these methods:
• Use filters to block certain packets, such as broadcast, or IPX RIP or SAP queries, from bringing up a connection to the remote network. (For information about creating filters, refer to Chapter 6, “Defining Filters and Firewalls.”)
• When bridging, you can prevent the Pipeline from dialing out when it receives broadcasts by setting the Dial Brdcast parameter to No.
Configuring WAN Connections Data compression options
can match IP-routing PPP calls against the IP address specified in the LAN Adrs parameter of the Connection profile.
4 What information is used to build the connection?
If authentication succeeds, the Pipeline builds the connection with the encapsulation, Telco Options, and Session Options specified in the Connection profile.
Configuring WAN Connections The Answer profile
Compression: MS-Stac
Description: For PPP-encapsulated calls. MS-Stac refers to Microsoft LZS Coherency compression for Windows 95. This is a proprietary compression scheme for Windows 95 (not Windows NT). If the caller requests MS-Stac and the matching profile does not specify MS-Stac compression, the connection appears to come up correctly but no data is routed.
  PPP options...
  Session options...
2 To require a matching profile for incoming calls, set Profile Reqd=Yes. This prevents the Pipeline from building a connection on the basis of parameters in the Answer profile.
3 If appropriate, set Id Auth=Required. Some connection types do not provide an authentication method. If you plan to allow those types of calls, you might need to use Id Auth (calling line ID).
Configuring WAN Connections Connection profiles
  Route IP=Yes
  Route IPX=No
  Bridge=No
Note: You must have routing or bridging globally enabled in the Ethernet > Mod Config menu or in the Configure menu in order to route or bridge in a Connection profile.
3 Set the Recv Auth parameter to PAP, CHAP, or Either. An incoming call must then match a Connection profile in order to be accepted. If the parameter is set to Either, any authentication scheme supported by both hosts can be used, including MS-CHAP.
  Dial Brdcast=N/A
  Encaps options...
  Ip options...
  Ipx options...
  Session options...
  Telco options...
2 Enter the Station name. For example:
  Station=Corporate-gateway
This is the name of the remote end of the connection, and can be up to 31 characters.
3 Specify whether the connection can be used or is disabled. For example:
  Active=Yes
Yes indicates the profile can be used. No deactivates the use of the connection.
4 Set the type of encapsulation.
8 Specify whether the connection will Route IP, Route IPX, or Bridge unrouted protocols.
9 Enter a value for Dial Brdcast. For example:
  Dial Brdcast=No
The value determines whether broadcast packets initiate a connection.
10 To set the Encaps options, see “Encapsulation options” on page 1-13, “MP, MPP, and MP+ connections” on page 1-15, or “Configuring Frame Relay connections” on page 1-24, depending on the value of the Encaps parameter.
3 If a filter is applied, and you want the filter to persist even if the connection is timed out or disconnected, set Filter Persistence to Yes. (For more information, refer to Chapter 6, “Defining Filters and Firewalls.”)
4 Set the Idle (timer) parameter to a value in seconds. For example:
  Idle=120
This specifies that the Pipeline waits 120 seconds before clearing a call when a session is inactive. If the timer expires, the Pipeline clears the call.
  Call Type=Switched
  Group=N/A
  FT1 Caller=N/A
  Data Svc=56KR
  Force 56=N/A
  Bill #=[]
2 AnsOrig specifies whether the Pipeline initiates the connection, answers an incoming call, or both. Both is the default.
3 When Callback is Yes, the Pipeline hangs up the incoming call and calls back the remote end, using the Dial # specified in the Connection profile.
4 The Call Type parameter describes a type of link to a telecommunications service.
• Configure the routing or bridging setup for the Pipeline and for the WAN connection.
Note: This section assumes that the Answer profile has been set up to enable PPP connections. (For a discussion of enabling this connection, see “The Answer profile” on page 1-7.)
PPP connections are usually bridged or routed network connections initiated in PPP dialup software. (Bridging and routing configurations are discussed in their own chapters.
Both sides of the connection must support the selected protocol. Note that MS-CHAP is only supported when both ends are using Windows NT 4.0.
4 Enter the password sent from the Pipeline to the remote device in the Send PW parameter’s edit field. For example:
  Send PW=*SECURE*
5 Enter the password the remote device sends to the Pipeline in the Recv PW parameter’s edit field.
MP+ (Multilink Protocol Plus) extends the capabilities of MP (Multilink PPP) to support inverse multiplexing, session management, and bandwidth management. MP+ consists of two components: a low-level channel identification, error monitoring, and error recovery mechanism, and a session management level for supporting bandwidth modifications and diagnostics.
parameters are set in Ethernet > Answer > PPP Options, and Ethernet > Connections > any profile > Encaps Options.)
When the level of activity on the line is sampled, the weight assigned to the currently required bandwidth depends on how much of the specified time period has elapsed and which weighting algorithm was selected. As shown in Figure 51, the weight can grow at a linear or quadratic rate or remain constant.
For a discussion about removing the base channel in response to reduced bandwidth requirements, see “Clearing a call on the basis of idle bandwidth” on page 1-19. For the recommended method of bringing down inactive connections on the basis of idle time, see “Session options” on page 1-11.
By default, the calling unit adds or subtracts bandwidth on the basis of how much data it transmits. To alter the default behavior, you can set the DBA Monitor parameter to Transmit-Recv, which tells the calling unit to add or subtract bandwidth on the basis of how much data it transmits and receives. Or, you can set it to None to tell the Pipeline not to monitor traffic over the link. If both sides of the link have DBA Monitor set to None, DBA is disabled.
3 Open the Encaps Options submenu of the same profile.
  Send Auth=CHAP
  Send PW=*SECURE*
  Aux Send PW=N/A
  Recv PW=*SECURE*
  DBA Monitor=Transmit
  Base Ch Count=1
  Min Ch Count=1
  Max Ch Count=2
  MRU=1524
  LQM=No
  LQM Min=600
  LQM Max=600
  Link Comp=Stac
  VJ Comp=Yes
  Dyn Alg=Quadratic
  Sec History=15
  Add Pers=5
  Sub Pers=10
  Target Util=70
  Idle Pct=0
  Split Code.User=No
4 Specify the authentication protocol to be used.
  Link Comp=Stac
  VJ Comp=Yes
8 Configure the bandwidth options. For example:
  Dyn Alg=Quadratic
  Sec History=15
  Add Pers=5
  Sub Pers=10
  Target Util=70
9 Set the Idle Pct parameter. For example:
  Idle Pct=0
When this parameter is set to 0, the Idle parameter is used instead.
10 You can set Split Code.User to Yes so that multiple users on your LAN can use a token card to authenticate with a central server.
  >BACP=Yes
  Dyn Alg=Quadratic
  Sec History=15
  Add Pers=5
  Sub Pers=10
2 Open Ethernet > Connection > any profile.
3 Set the Encaps Option to MP. For example:
  Encaps=MP
4 Open the Encaps Options submenu of the same profile and set BACP to Yes. For example:
  Encaps options...
Nailed MPP connections
A Nailed/MPP connection is a permanent connection that can add switched channels for increased bandwidth. A Nailed/MPP connection is established when its nailed or switched channels are connected end-to-end. Switched channels are added to or subtracted from the Nailed/MPP connection as required by the DBA parameters of either the far-end or near-end Connection profile.
Configuring WAN Connections Configuring Frame Relay connections
On the far end of the connection, set the AnsOrig and FT1 Caller parameters for answering only. Note that the DO Hangup command only works from the caller end of the connection.
You can reconfigure the parameters of a Nailed/MPP Connection profile at any time, but the changes become active only after the call is brought down and then back up.
network, and the DLCI may change as frames are passed through multiple switches.
Note: You need at least one Frame Relay profile and Connection profile to define a logical link to the Frame Relay network.
To configure a Frame Relay connection, you must perform the following tasks:
• Make sure that nailed channels are available for the link to the Frame Relay switch.
connections can support bridging and routing, so the Pipeline can forward any type of protocol traffic from the local network onto the Frame Relay network.
Figure 1-2. Gateway connections to the Frame Relay network
Connection profiles #1, #2, and #3 use Frame Relay encapsulation (RFC 1490) and include both a DLCI number for the logical link and the name of the Frame Relay profile for the nailed connection.
Table 1-1. Frame Relay and gateway profiles (continued)
Connection profile (gateway):
  Station=CPEB
  Active=Yes
  Encaps=FR
  Encaps options...
  FR Prof=PacBell
  DLCI=58
Frame Relay profile: See profile above.
Connection profile (gateway):
  Station=CPEC
  Active=Yes
  Encaps=FR
  Encaps options...
  FR Prof=PacBell
  DLCI=59
Frame Relay profile: See profile above.
Configuring a Frame Relay profile
To define the Frame Relay profile:
1 Open Ethernet > Frame Relay > profile.
  T392=15
  MRU=1532
2 Assign the profile a name. For example:
  Name=PacBell
The name can contain up to 15 alphanumeric characters. You have to use this name in Connection profiles that use this connection to the switch.
3 Activate the profile. For example:
  Active=Yes
4 Specify that this is a nailed connection. For example:
  Call Type=Nailed
5 Specify the Frame type of service.
9 Specify the link management protocol used between the Pipeline and the Frame Relay switch. For example:
  Link Mgmt=T1.617D
If you specify Link Mgmt=T1.617D, set the following additional parameters:
  N391
  DTE N392
  DTE N393
  T391
  T392
N391 specifies how many polling cycles the Pipeline waits before requesting a full status report. DTE N392 is the maximum number of error events that can occur in the sliding window defined by DTE N393.
4 Select Frame Relay encapsulation. For example:
  Encaps=FR
The Pipeline uses this encapsulation method to encapsulate packets before routing them out to the CPE, and removes the Frame Relay encapsulation from packets coming in from the CPE.
5 Open the Encaps Options submenu of the same profile.
  FR Prof=Pac Bell
  DLCI=17
6 Set the DLCI parameter to the number assigned by the Frame Relay administrator.
The Inverse ARP response supplies the following data:
• ARP source protocol address is the IP address of the Pipeline, found in the Ethernet > Mod Config > Ether Options > IP Adrs parameter.
• ARP source hardware address is the Q.922 address of the local DLCI.
Note: The Pipeline does not issue any Inverse ARP requests. Refer to RFCs 1293 and 1490 for details on Inverse ARP.
2 Configuring IP Routing
This chapter contains the following topics:
• Introduction to IP routing on the Pipeline
• Managing the routing table
• Configuring IP routing connections
• Ascend Tunnel Management Protocol (ATMP)
IP routing connections have a level of built-in authentication, because the Pipeline matches the IP address of a Connection profile to the source IP address of a caller. For most sites, however, this level of security is not enough and a form of password authentication is used as well. (For more information, see Chapter 7, “Setting Up Pipeline Security.
interfaces. If the Pipeline is configured for RIP, it also broadcasts its updated routing table to other hosts.
Router-to-router connections
When the device connecting to the Pipeline is an IP router that belongs to an IP network, the connection results in a route to that remote network (or subnet). For example, Figure 2-1 shows a Pipeline connected to a remote router. The two Ethernet segments are separate IP networks.
Subnet mask notation
In the Pipeline, IP addresses are specified in decimal format (not hexadecimal). For example:
  198.5.248.40
If no netmask is specified, the Pipeline assumes a default netmask based on the “class” of the address:
Table 2-1. IP address classes and default netmasks
  Class     Address range                  Network bits
  Class A   0.0.0.0 → 127.255.255.255      8
  Class B   128.0.0.0 → 191.255.255.255    16
  Class C   192.0.0.0 → 223.255.255.
  198.5.248.40/29
In the example address shown above, the /29 specification indicates that an additional 5 bits of the address will be interpreted as a subnet number.
Figure 2-3. A 29-bit netmask and number of supported hosts
Eight bit-combinations are possible in 3 bits.
Table 2-2. Standard netmasks and Ascend netmask notation (continued)
  Netmask           Ascend notation   Number of host addresses
  255.255.255.224   /27               30 hosts + 1 broadcast, 1 network base
  255.255.255.240   /28               14 hosts + 1 broadcast, 1 network base
  255.255.255.248   /29               6 hosts + 1 broadcast, 1 network base
  255.255.255.252   /30               2 hosts + 1 broadcast, 1 network base
  255.255.255.254   /31               invalid netmask (no hosts)
  255.255.255.
The “0” address for this subnet is 192.168.8.64. The broadcast address must be the network base address plus six ones (six ones in base 2 equals 63 decimal, and 64+63=127): 192.168.8.127.
Note: Early implementations of TCP/IP did not allow zero subnets. That is, subnets could have the same base address that a class A, B, or C network would have. For example, the subnet 192.168.8.
  Route IP=Yes
3 Set Recv Auth=Either. Or set it to PAP, CHAP, or MS-CHAP. Either indicates any protocol that both sides agree upon.
Connection profiles and IP routes
The Pipeline creates a routing table when it powers up. It adds all known routes to the table, including connected routes (such as Ethernet) and routes configured in its resident Connection profiles and Static Rtes profiles.
routing connection that comes in. In that case, it does not have a route for the incoming source IP address, and builds a temporary route using an assumed Class A (8), B (16), or C (24) netmask for the source IP address.
Authentication
RIP-v1 provided no way of authenticating its routing advertisements. Any program that transmitted packets on UDP port 520 was considered a router with valid distance vectors. RIP-v2 packets include an authentication field that can contain a simple password. If a RIP-v1 router receives a RIP-v2 packet that contains a password, it ignores the field.
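The check this paragraph implies, as an added example that is not part of the Pipeline manual or Ascend code: parse the payload of a UDP port 520 packet and report whether the advertisement is RIP-v1, RIP-v2 without an authentication entry, or RIP-v2 carrying a simple password. The entry layout follows RFC 2453; the function names are hypothetical and the packets and password are constructed samples.

```python
import socket
import struct

AUTH_AFI = 0xFFFF       # address-family value that marks an authentication entry (RFC 2453)
SIMPLE_PASSWORD = 2     # authentication type for the simple password


def inspect_rip(payload):
    """Parse one RIP message (the UDP port 520 payload) and report its authentication state."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("not a well-formed RIP message")
    command, version = struct.unpack("!BB", payload[:2])
    info = {"command": command, "version": version, "auth_type": None, "routes": []}
    for index, offset in enumerate(range(4, len(payload), 20)):
        afi, tag = struct.unpack("!HH", payload[offset:offset + 4])
        if afi == AUTH_AFI:
            # Only RIP-v2 defines this entry, and only as the first entry in the message.
            if version == 2 and index == 0:
                info["auth_type"] = tag
            continue
        addr, mask, _next_hop, metric = struct.unpack(
            "!4s4s4sI", payload[offset + 4:offset + 20])
        info["routes"].append((socket.inet_ntoa(addr), socket.inet_ntoa(mask), metric))
    return info


def finding(payload):
    """Summarize what a monitor on the LAN can conclude about the advertisement."""
    info = inspect_rip(payload)
    if info["version"] == 1:
        return "RIP-v1: advertisement cannot be authenticated"
    if info["auth_type"] is None:
        return "RIP-v2: no authentication entry present"
    if info["auth_type"] == SIMPLE_PASSWORD:
        return "RIP-v2: simple password present"
    return "RIP-v2: authentication type %d" % info["auth_type"]


# --- Constructed sample packets (not captured traffic) ---
def _header(version):
    return struct.pack("!BBH", 2, version, 0)          # command 2 = response


def _route(net, mask, metric):
    return struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(net),
                       socket.inet_aton(mask), socket.inet_aton("0.0.0.0"), metric)


def _password(text):
    return struct.pack("!HH16s", AUTH_AFI, SIMPLE_PASSWORD, text.encode())


V1_UPDATE = _header(1) + _route("10.9.8.0", "0.0.0.0", 1)
V2_OPEN = _header(2) + _route("10.9.8.0", "255.255.252.0", 1)
V2_PASSWORD = _header(2) + _password("constructed-pw") + _route("10.9.8.0", "255.255.252.0", 1)

if __name__ == "__main__":
    for name, packet in (("v1", V1_UPDATE), ("v2 open", V2_OPEN), ("v2 password", V2_PASSWORD)):
        print(name, "->", finding(packet), inspect_rip(packet)["routes"])
```

The simple password travels in clear text inside the entry, so the third result means the sender is configured for authentication, not that the advertisement is protected from anyone who can observe the segment.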
numbered, then the unit operates exactly as it does when using unnumbered routing. Configure interface numbering in the Connection profile.
Specifying the remote interface address
This section provides some guidelines on using interface-based routing.
If both the system and interface addresses are known
If you are adding interface-based routing to a system set up for system-based routing, enter the remote interface address in the WAN Alias parameter of the Connection profile. WAN Alias identifies the remote end of the link.
• A host route is created to the Lan Adrs (interface) address.
• A net route is created to the subnet of the remote interface.
• Incoming PPP/MPP calls must report their IP addresses as the Lan Adrs (interface) address.
IP-only version of the Pipeline. If no profile name is specified and Multicast Forwarding is set to Yes, the Pipeline assumes that its Ethernet is the Multicast interface.
4 Reset the Pipeline for the changes to take effect.
Managing the routing table
The Pipeline routing table is created when the Pipeline powers up. (Which routes are included and when is discussed in “Connection profiles and IP routes” on page 2-8.
the redundant Pipeline. To prevent the problem, set Adv Dialout Routes to Trunks Up. For details on these parameters, see the Reference Guide.
• Ethernet > Mod Config > Ether Options
  IP Adrs=10.2.3.2/245
  2nd Adrs=0.0.0.0/0
  RIP=Both-v2
  RIP2 Use Multicast=Yes
  Ignore Def Rt=No
• Ethernet > Connections > any profile
  Route IP=Yes
• Ethernet > Connections > any profile > IP Options
  LAN Adrs=10.9.8.10/22
  WAN Alias=0.0.0.
Static and dynamic routes
A static route is a path from one network to another, which specifies the destination network and the router to use to get to that network. For routes that must be reliable, the administrator often configures more than one path (adds a secondary route), in which case the Pipeline chooses the primary route on the basis of an assigned metric.
• Gateway=10.9.8.10
Figure 2-4. An IP routing connection serving as a static route (figure labels: CPE Router, WAN, IP Adrs=10.2.3.1/22, IP Adrs=10.9.8.10/22)
Note: If you do not specify the netmask in the LAN Adrs parameter, the Pipeline inserts a default netmask which assumes the entire far-end network is accessible. Normally, if the far-end router’s address includes a netmask, you should include it.
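An added example (not from the Pipeline manual or Ascend) that interprets addresses in the a.b.c.d/n notation this guide uses, applies the class-based default of Table 2-1 when the netmask is omitted, and rejects netmasks that cannot be valid. The function names are hypothetical, the sample values are copied from this guide's own examples, and treating /32 as a single-host route is an assumption.

```python
import ipaddress


def classful_prefix(ip):
    """Netmask length the guide says is assumed when none is given (Table 2-1)."""
    first_octet = int(ip) >> 24
    if first_octet < 128:
        return 8      # Class A
    if first_octet < 192:
        return 16     # Class B
    if first_octet < 224:
        return 24     # Class C
    return None       # above Class C: the table lists no default


def describe(setting):
    """Interpret 'a.b.c.d/n' or 'Parameter=a.b.c.d/n' as the guide describes it."""
    text = setting.split("=", 1)[-1].strip()
    addr_text, slash, prefix_text = text.partition("/")
    result = {"input": setting, "valid": False}
    try:
        ip = ipaddress.IPv4Address(addr_text)
    except ipaddress.AddressValueError:
        result["problem"] = "not a dotted-decimal IPv4 address"
        return result
    if slash:
        if not prefix_text.isdecimal() or int(prefix_text) > 32:
            result["problem"] = "netmask must be between /0 and /32"
            return result
        prefix, assumed = int(prefix_text), False
    else:
        # No netmask given: fall back to the class of the address.
        prefix, assumed = classful_prefix(ip), True
        if prefix is None:
            result["problem"] = "no class-based default netmask"
            return result
    if prefix == 31:
        result["problem"] = "/31 is listed as an invalid netmask (no hosts)"
        return result
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    result.update(
        valid=True,
        prefix=prefix,
        assumed=assumed,                      # True when the class default was used
        netmask=str(net.netmask),
        base=str(net.network_address),        # the "0" address of the subnet
        broadcast=str(net.broadcast_address),
        # Assumption: /32 is a host route to one address; otherwise drop base and broadcast.
        hosts=1 if prefix == 32 else net.num_addresses - 2,
    )
    return result


# Values taken from the examples in this guide, plus one address with the netmask left off.
SAMPLES = [
    "198.5.248.40/29",
    "192.168.8.64/26",
    "IP Adrs=10.2.3.2/245",
    "LAN Adrs=10.9.8.10/22",
    "Dest=10.210.1.30/12",
    "LAN Adrs=10.9.8.10",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        info = describe(sample)
        if info["valid"]:
            note = " (class default assumed)" if info["assumed"] else ""
            print(f"{sample}: {info['base']}/{info['prefix']}{note}, "
                  f"broadcast {info['broadcast']}, {info['hosts']} hosts")
        else:
            print(f"{sample}: REJECTED, {info['problem']}")
```

With the netmask left off, 10.9.8.10 is treated as belonging to 10.0.0.0/8, which is the "entire far-end network" case the note above describes.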
  Metric=2
  Private=Yes
Creating a Static Rtes profile
To configure a Static Rtes profile:
1 Open the Ethernet > Static Rtes > any profile.
2 Assign the route a name. For example:
  Name=sales-gw
3 Specify that the route should be added to the routing table.
  Active=Yes
4 Specify the destination network. For example:
  Dest=10.210.1.30/12
The Pipeline must have a Connection profile that specifies this address.
  Private=No
This setting specifies that the Pipeline will disclose the existence of the route when queried by RIP or another routing protocol.
8 Close and save the profile.
Configuring the default route
If no routes exist for the destination address of a packet, the Pipeline forwards the packet to the default route. Most sites use the default route to specify a local IP router (such as a UNIX host running the route daemon).
Specifying default routes on a per-user basis
You can specify a default route on a per-user basis by setting the parameter in Ethernet > Connection > profile > IP Options > Client Gateway. When the IP address of the user’s default route is set, the Pipeline routes IP packets in this way:
1 The Pipeline consults its routing table to find a next-hop address.
2 If the next hop is the default route for the system (destination 0.0.0.
Enabling the Pipeline to use dynamic routing
In addition to RIP, the Pipeline can use Internet Control Message Protocol (ICMP) Redirects to acquire routes dynamically. ICMP dynamically determines the best IP route to a destination network or host and uses ICMP redirect packets to transfer packets over a more efficient route.
Or, if you do not want the Pipeline to transmit its WAN connections to the RIP-v1 routers on the local subnet:
  RIP=Recv-v1
3 Set Ignore Def Rt to Yes.
The default route specifies a static route to another IP router, which is often a local router such as another Pipeline. When the Ignore Def Rt parameter is set to Yes (recommended), RIP updates do not modify the default route in the Pipeline routing table.
4 Close and save the profile.
both networks implement consistent routing tables (all of which might become quite large).
To configure the Answer profile for RIP and IP routing:
1 Open the Ethernet > Answer > PPP Options menu.
2 Turn on IP routing.
  Route IP=Yes
3 Open the Ethernet > Answer > Session Options menu.
4 Turn on the RIP parameter. For example:
  RIP=Recv-v2
This setting means that the Pipeline receives RIP-v2 updates across incoming connections with other IP routers.
RIP=Recv-v2
This setting means that the Pipeline receives RIP-v2 updates from the other IP router.
If the remote router is running RIP-v1 and the local network is running RIP-v2, or if you do not want the Pipeline to send or receive RIP updates on this connection, use the following setting:
RIP=None
5 Close and save the Connection profile.

Route preferences

Route preferences provide additional control over which types of routes take precedence over others.
• Ethernet > Connections > any profile > IP options > Preference=[]
• Ethernet > Static Rtes > any profile > Preference=[]
• Ethernet > Mod Config > Route Pref
Static Preference=100
Rip Preference=100

Viewing the routing table

The Iproute show terminal-server command includes information relevant to multiple IP routing protocols.
[Routing table display with callouts; columns: Destination, Gateway, IF, Flg, Pref, Met, Use, Age]

These routes are specified in a Connection profile. Note that there are two routes—a direct route to the gateway itself and a route to the larger network.

This route describes the connection to the Ethernet interface.
Fields in the routing table

The columns in the routing table display the following information:

• Destination
The Destination column indicates the target address of a route. To send a packet to this address, the Pipeline will use this route. Note that the router will use the most specific route (having the largest netmask) that matches a given destination.
– rj0 is the reject interface. It has an IP address of 127.0.0.2. Packets routed to this interface are sent back to the source address with the ICMP “host unreachable” message.
– wann specifies one of the active WAN interfaces.
– wanidle0 is the inactive interface (the special interface where all routes point when their WAN connections are down).
• Flg
The Flg column can contain the following flag values:
– C=Connected (A directly connected route.
This is a count of the number of times the route has been referenced since it was created. (Many of the references are internal, so this is not a count of the number of packets sent using this route.) Unused routes are indicated by a 0 in the Use column.
• Age
This is the age of the route in seconds. It is used for troubleshooting, to determine when routes are changing rapidly (referred to as “flapping”).
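The selection rule described above (the most specific matching route wins, and the default route is used only when nothing else matches) is worked through below as an added example; it is not code from the guide or from Ascend. The table entries are constructed, the `source` field is added for the example, and the tie-break between equally specific routes (lower Pref, then lower Met) is an assumption. It also lists RIP-learned routes that are more specific than a static route and therefore carry that traffic instead.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: str      # Destination column, prefix notation
    gateway: str   # Gateway column ("-" when directly connected)
    iface: str     # IF column
    source: str    # "connected", "static" or "rip" (field added for this example)
    pref: int      # Pref column
    metric: int    # Met column

    @property
    def net(self):
        return ipaddress.ip_network(self.dest)


# Constructed sample table, not output captured from a unit.
TABLE = [
    Route("0.0.0.0/0", "10.2.3.17", "ie0", "static", 100, 1),
    Route("10.2.3.0/24", "-", "ie0", "connected", 0, 0),
    Route("10.9.8.0/22", "10.9.8.7", "wan0", "static", 100, 1),
    Route("10.9.8.0/22", "10.2.3.99", "ie0", "rip", 100, 3),
    Route("10.9.9.0/24", "10.2.3.99", "ie0", "rip", 100, 2),
]


def select_route(table, dst):
    """Pick the route for dst: largest netmask first, then (assumed)
    lowest preference value, then lowest metric. None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.net]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.net.prefixlen, r.pref, r.metric))


def learned_overrides(table):
    """Return (static destination, RIP destination) pairs where a RIP-learned
    route is more specific than a static route that covers it. The default
    route is skipped because every other route is more specific than it."""
    pairs = []
    for static in table:
        if static.source != "static" or static.net.prefixlen == 0:
            continue
        for rip in table:
            if (rip.source == "rip"
                    and rip.net.prefixlen > static.net.prefixlen
                    and rip.net.subnet_of(static.net)):
                pairs.append((static.dest, rip.dest))
    return pairs


if __name__ == "__main__":
    for dst in ("10.2.3.50", "10.9.10.5", "10.9.9.5", "192.0.2.1"):
        r = select_route(TABLE, dst)
        print(f"{dst:12} -> {r.dest:14} via {r.gateway:10} ({r.source})")
    print("learned routes overriding static ones:", learned_overrides(TABLE))
```

Equal preference values (Static Preference=100, Rip Preference=100) leave only the metric to separate a static route from a learned route to the same destination.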
Configuring IP routing connections

Identifying Temporary routes in the routing table

The “T” flag appears in the IP routing display to indicate temporary routes. In this example, the Show IP Routes command displays two temporary routes:

ascend% show ip routes
Destination          Gateway
192.168.252.0/30     192.168.252.1
192.168.252.1/32     192.168.252.
administration documentation describes how to configure these programs and files.

• PC-compatibles
PCs running Windows or OS/2 need the TCP/IP networking software or “stack.” The stack is included with Windows 95, but the user might have to purchase and install it separately if the computer has a previous version of Windows or OS/2.
• Macintosh
Macintosh computers need MacTCP or Open Transport software for TCP/IP connectivity.
following shows how to configure a host route. (For details on the /32 netmask, see “Subnet mask notation” on page 2-4.)

[Figure 2-6. A dial-in user requiring a static IP address (a host route). Labels: WAN, 10.2.3.1, 10.8.9.10, Host with ISDN modem card]

In this example, the PC on the right in Figure 2-6 is running PPP software and a TCP/IP stack, and has an ISDN modem card.
Encaps options...
Send Auth=CHAP
Recv PW=*SECURE*
IP options...
LAN Adrs=10.8.9.10/32
RIP=Off

6 Close and save the profile.

Example router connection

In the following example, the Pipeline is connected to a corporate IP network, and needs a switched connection to another company that has its own IP configuration. Figure 2-7 shows an example network diagram.

Site A Site B Ethernet Ethernet WAN IP Adrs=10.2.3.1/22 LAN Adrs=10.9.8.
Recv PW=*SECURE*
Send PW=*SECURE*
IP options...
LAN Adrs=10.9.8.7/22
RIP=Send-v2

3 Close and save the profile.

To configure the Pipeline at site B link to the one at site A, do the following:

1 Open Ethernet > Connection > profile for site A.
2 Set these parameters:
Station=PipelineA
Active=Yes
Encaps=MPP
Route IP=Yes
Encaps options...
Send Auth=CHAP
Recv PW=*SECURE*
Send PW=*SECURE*
IP options...
LAN Adrs=10.2.3.
Example router connection on a subnet

In the following example network, the Pipeline is used to connect telecommuters with their own Ethernet networks to the corporate backbone. The Pipeline is on a subnet, and assigns subnet addresses to the telecommuters’ networks.

[Figure 2-8. Labels: Site B, 10.7.8.232, Site A, Cisco, Pipeline, 10.4.4.133/24, WAN, 10.7.8.200/24, 10.4.5.1/24, 10.7.8.204]
IP options...
LAN Adrs=10.7.8.200/24
RIP=Off

3 Close and save the profile.
4 Open the Ethernet > Static Rtes > Default profile.
5 Set these parameters:
Active=Yes
Gateway=10.4.4.133/24
Metric=1
Preference=100
Private=Yes
6 Close and save the profile.

On the site B router:

7 Open Ethernet > Connection > profile for site A.
8 Set these parameters:
Station=MAXA
Active=Yes
Encaps=MPP
Route IP=Yes
Encaps options...
12 Close and save the profile.

Ascend Tunnel Management Protocol (ATMP)

Virtual private networks can include the Pipeline as a Home Agent ATMP end point in implementations where the Pipeline operates in router mode.

Using a Pipeline in a virtual private network

Virtual private networks provide low-cost remote access to private LANs via the Internet.
packet routing to reach the home network, it operates in router mode. It is in gateway mode when it has a nailed connection to the home network. A home agent can be an Ascend MAX or a Pipeline 50 or 130. When a Pipeline is used as the home agent end point, only routing is supported.
Ethernet Connections
Station=foreign-agent
Active=Yes
Encaps=MPP
Dial #=555-1213
Route IP=Yes
Encaps options...
Send Auth=CHAP
Recv PW=foreign-pw
Send PW=home-pw
IP options...
LAN Adrs=10.65.212.
3 IP Address Management

This chapter includes the following topics:

Connecting to a local IP network
BOOTP Relay
DHCP services
Dial-in user DNS server assignments
Connecting to a local IP network

• Ethernet > Mod Config > Ether Options
IP Adrs=10.2.3.1/24
2nd Adrs=10.128.8.55/24
RIP=Both-v2
RIP2 Use Multicast=Yes
Ignore Def Rt=Yes
Proxy Mode=Off
UDP Cksum=Yes
TCP Timeout=100
• Ethernet > Mod Config > DNS
>Domain Name=abc.com
Sec Domain Name=Yes
Allow As Client DNS=Yes
List Attempt=Yes
List Size=6
Client Pri DNS=0.0.0.0
Client Sec DNS=0.0.0.
Assigning the Ethernet interface IP address

The Pipeline Ethernet interface must have a unique IP address that is consistent with the addresses of other hosts and routers on the same network. To assign the Pipeline an IP address on the Ethernet:

1 Open the Ethernet > Mod Config > Ether Options menu.
2 Enter the IP address for the Ethernet interface in IP Adrs. For example:
IP Adrs=10.2.3.1
3 Close and save the profile.
IP Adrs=10.2.3.1/24
3 Close and save the profile.

With this subnet address, the Pipeline requires a static route to the backbone router on the main network. Otherwise, it can only reach the subnets to which it is directly connected. To create the static route and make the backbone router the default route:

1 Open the Ethernet > Static Rtes > Default profile.
2 Specify the IP address of a backbone router in the Gateway field.
Dual IP also allows you to make a smooth transition when changing IP addresses. That is, a second IP address can act as a place holder while IP addresses are changed on other network equipment. Figure 3-2 shows two routers configured with a second address on the same subnet.

[Figure 3-2. Labels: IP Adrs=10.128.8.55/24, 2nd Adrs=10.2.3.1/24, 10.2.3.5/24, Router-1, 10.2.3.120/24, 10.128.8.130/24, 10.2.3.121/24, 10.128.8.131/24, 10.2.3.122/24]
Using Ping to verify the address

The Ping command sends an Internet Control Message Protocol (ICMP) mandatory echo request datagram, which asks the remote station “Are you there?” If the echo request reaches the remote station, the station sends back an ICMP echo response datagram, which tells the sender, “Yes, I am alive.” This exchange verifies that the transmission path is open between the Pipeline and another station.
If the IP addresses are assigned statically, use this setting instead:
Proxy Mode=Always
3 Close and save the profile.

Enabling DNS on the Pipeline

If the local network supports Domain Name System (DNS) servers, you can configure the local domain name and the IP addresses of those servers in the Ethernet profile.
Ethernet and PPP checksums for the appropriate packets. However, it does not generate UDP checksums unless you set the UDP Cksum parameter. You should turn on UDP checksums if data integrity is of the highest concern for your environment and you need redundant checks. UDP checksums are also appropriate if your UDP-based servers are located on the remote side of a WAN link that is prone to errors.
BOOTP Relay

The Bootstrap Protocol (BOOTP) defines how a computer on a TCP/IP network can get its Internet Protocol (IP) address and other information it needs to start up from another computer. The computer that requests startup information is called the BOOTP client, and the computer that supplies the startup information is called the BOOTP server. A request for startup information is called a BOOTP request, and the BOOTP server’s response is called a BOOTP reply.
BOOTP servers in the BOOTP Relay menu does not necessarily determine which server is tried first.

Note: Previously, the Pipeline could not enable both BOOTP relay and DHCP spoofing at the same time because the two functions attempted to respond to the same packets in different ways. Now, if both features are enabled and no WAN links are active, the Pipeline performs DHCP spoofing.
DHCP services

(and potentially other IP stacks) to assign an IP address and other wide-area networking settings to a requesting device automatically. With plug-and-play you can use the Pipeline to respond to distant networks without having to configure an IP address first.

• If there is an IP address that is reserved for the host, the Pipeline assigns the reserved address.
• If the host is renewing the address it currently has, the Pipeline assigns the host the same address.
Maximum no reply wait=5
IP group 1=181.100.100.100/16
Group 1 count=1
IP group 2=0.0.0.0/0
Group 2 count=0
Host 1 IP=181.100.100.120
Host 1 Enet=0080c75Be95e
Host 2 IP=0.0.0.0/0
Host 2 Enet=000000000000
Host 3 IP=0.0.0.0/0
Host 3 Enet=000000000000

1 Set the DHCP Spoofing parameter to Yes to enable any DHCP service.
This parameter, which was included in earlier versions of the Ascend software, now has a different meaning. It must be Yes for any DHCP service to be enabled.
If both DHCP Spoofing and Always Spoof are Yes, the DHCP server feature is enabled. If DHCP Spoofing is Yes and Always Spoof is No, DHCP spoofing is enabled and works as it did in earlier releases when the value of Always Spoof was Yes.
7 Set Validate IP to Yes to check whether a spoofed address that is about to be assigned is already in use and, if it is, automatically assign another address.
8 Set Maximum No-Reply Wait only if you are validating IP addresses.
Setting up a DHCP server

To set up a DHCP server, you must set these parameters:

DHCP Spoofing...
DHCP Spoofing=Yes
Always Spoof=Yes
IP group 1=nnn.nnn.nnn.nnn/nn
Group 1 count=n

Additionally, you might set these parameters:

Renewal Time=nn
IP group 2=0.0.0.0/0
Group 2 count=0
Host 1 IP=nnn.nnn.nnn.nnn/nn
Host 1 Enet=0080c75Be95e
Host 2 IP=0.0.0.0/0
Host 2 Enet=000000000000
Host 3 IP=0.0.0.
Dial If Link Down=Yes|No
Validate IP=Yes
Maximum no reply wait=n

Dial-in user DNS server assignments

IP addresses for Domain Name System (DNS) servers can be set for users who dial into the Pipeline via PPP. DNS information is supplied on the basis of these rules:

• First, if the Client Pri DNS and Client Sec DNS parameters are specified at the profile level, these parameters are passed to the user.
Enable Local DNS Table=Yes
Loc. DNS Tab Auto Update=Yes

2 Set the Pri DNS and Sec DNS as the Pipeline defaults.
3 Set ‘Allow As Client DNS’ to Yes or No, depending on whether you want DNS information passed to users when the Client DNS information is not defined. The default for this field is Yes to permit backward compatibility.
Multicast Rate Limit=5
Client Pri DNS=111.11.11.1
Client Sec DNS=111.11.11.2
Client Assign DNS=Yes

2 Enter the IP address of the primary DNS server for the dial-in user for this profile in the Client Pri DNS field.
This is the IP address that will be passed to the user when logged in using a profile. It is considered not defined if set to 0.0.0.0.
3 Enter the IP address of the secondary DNS server for this profile in the Client Sec DNS field.
Local DNS host address table

You can check the list of host names and IP addresses in the table using the termserv command Show Dnstab.

Configuring the local DNS table

To enable and configure the local DNS table:

1 Open the Ethernet > Mod Config > DNS menu.
2 Select List Attempt=Yes to allow a list of the IP addresses to be displayed when using the terminal server command Dnstab Entry.
3 Select List Size and enter the number of entries you want in the list.
The default is No. When automatic updating is enabled, the list of IP addresses for each entry is replaced with a list from the remote DNS when the remote DNS successfully resolves a connection to a host named on the table.

Creating the local DNS table

To create a local DNS table, you use the DNS table editor from the terminal server. While the editor is in use, the local DNS table is disabled for reading and updating.
Editing the local DNS table

You use the DNS table editor from the terminal server to edit the DNS table entries. While the editor is in use, the local DNS table is disabled for reading and updating.

Note: This procedure defines a table entry as one of the eight table indexes, which include the host name, IP address (or addresses), and information fields.

1 Use the DO Terminal Server command menu to open the Terminal Server.
The IP address you enter is checked for format. If the format is correct, the address is entered into the table and the editor prompts for another entry.
6 When you are finished making entries, type O and press Return when the editor prompts you for another entry.

Deleting an entry from the local DNS table

To delete an entry from the local DNS table:

1 Use the DO Terminal Server command menu to open the Terminal Server.
timing out. When client software timed out, the connection was dropped and no remaining addresses on the DNS list were tried. Then, each time the Pipeline restarted, it attempted the same connection that was previously unsuccessful.

To specify a timeout value, set the TCP Timeout parameter to a value from 1 to 200 seconds. Then connections to additional host addresses can be attempted before the client software times out.
Network Address Translation (NAT) for a LAN

• When the local host sends packets to the remote network, the Pipeline automatically translates the host’s private address on the local network to an official address on the remote network.
• When the local host receives packets from the remote network, the Pipeline automatically translates the official address on the remote network to the host’s private address on the local network.
Incoming connection address translation

For incoming calls, the Pipeline can perform NAT for multiple hosts on the local network using its own IP address. The Pipeline routes incoming packets for up to 10 different TCP or UDP ports to specific servers on the local network. Translations between the local network and the Internet or remote network are static and need to be preconfigured.
The translation table entries are reused as long as packets are seen that match an entry. All are freed (expired) when a connection disconnects. For Nailed connections, the connection is designed not to disconnect.

Multiple-address NAT

Multiple-address NAT can be performed when translating addresses for more than one host on the local network.
the Pipeline from its IP address pool. The Pipeline uses the dynamic addresses it receives from the server to translate IP addresses on behalf of local hosts. As packets are received on the LAN, the Pipeline determines if the source IP address has been assigned a translated address. If so, then the packet is translated, and forwarded to the wide area network.
Static Mappings...
Def Server=N/A
Reuse last addr=N/A
Reuse addr timeout=N/A

2 Enable NAT by setting Routing to Yes. Without this setting, no other setting is valid.
3 Set Profile to the name of a Connection profile you want to use to connect to the Network Access Server (NAS).
4 The Lan parameter can be set to Single IP Addr (by default) or to Multiple.
5 FR address refers to Frame Relay.
8 Optionally set Reuse last addr to Yes to continue to use a dynamically assigned IP address. The Reuse addr timeout value specifies the time to use the address. Set it to a number of minutes (up to 1440). Limitations apply, which are described in the Reference Guide.
9 Exit and save the profile.
Configuring NAT port routing (Static Mapping submenu)

The Static Mappings menu includes 10 Static Mapping nn submenus, where nn is a value from 01 to 10. Each of these submenus contains parameters for controlling the translation of a private IP address and port number to a TCP or UDP port number. Static Mappings applies only to single-address NAT.
4 Set the Lan parameter to Single IP Addr.
5 If you previously configured the Pipeline to route incoming packets for specific TCP or UDP ports (as described in “Routing incoming sessions for up to 10 servers on a LAN” on page 3-30):
– Open each Ethernet > NAT > Static Mapping > Static Mapping nn menu (where nn is a number between 01 and 10).
– Set the Valid parameter in each menu to No.
7 Set the Valid parameter to Yes.
This enables the port routing specified by the remaining parameters in the menu. Setting this parameter to No disables routing for the specified port.
8 Set the Dst Port # parameter to the number of a TCP or UDP port which users outside the private network can access.
Each Dst Port # corresponds to a service provided by a server on the local private network.
Disabling routing for specific ports

To disable routing of incoming packets from a remote network for specific TCP or UDP ports:

1 Open the Ethernet > NAT > NAT > Static Mapping menu.
2 Open a Static Mapping nn menu, where nn is a number between 01 and 10.
The parameters in each Static Mapping nn menu specify the routing for incoming packets sent to a particular TCP or UDP port.
3 Set the Valid parameter to No.
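The port-routing rules above determine exactly which services on the private LAN are reachable from outside, so it is worth being able to read them back as a list. The following added example (not code from the guide or from Ascend) models the ten Static Mapping nn entries, checks them for conflicts, and resolves an incoming packet to a local server. The field names `protocol`, `local_addr` and `local_port`, the sample mappings, and the behaviour that a configured default server receives packets no valid mapping claims (on the same port) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

MAX_MAPPINGS = 10  # the Static Mappings menu has submenus 01 to 10


@dataclass(frozen=True)
class StaticMapping:
    index: int       # nn in "Static Mapping nn"
    valid: bool      # Valid=Yes/No
    protocol: str    # "tcp" or "udp" (field name assumed)
    dst_port: int    # Dst Port #, the port outside users connect to
    local_addr: str  # server on the private LAN (field name assumed)
    local_port: int  # port on that server (field name assumed)


# Constructed sample configuration.
MAPPINGS = [
    StaticMapping(1, True, "tcp", 80, "10.2.3.10", 8080),
    StaticMapping(2, True, "udp", 53, "10.2.3.11", 53),
    StaticMapping(3, False, "tcp", 23, "10.2.3.12", 23),
]


def check(mappings):
    """Return a list of problems found in a set of static mappings."""
    problems, seen_index, seen_service = [], set(), {}
    for m in mappings:
        tag = f"mapping {m.index:02d}"
        if not 1 <= m.index <= MAX_MAPPINGS:
            problems.append(f"{tag}: index outside 01-10")
        if m.index in seen_index:
            problems.append(f"{tag}: index used twice")
        seen_index.add(m.index)
        if not m.valid:
            continue  # Valid=No entries route nothing
        if m.protocol not in ("tcp", "udp"):
            problems.append(f"{tag}: protocol must be tcp or udp")
        if not all(1 <= p <= 65535 for p in (m.dst_port, m.local_port)):
            problems.append(f"{tag}: port out of range")
        try:
            if not ipaddress.ip_address(m.local_addr).is_private:
                problems.append(f"{tag}: {m.local_addr} is not a private address")
        except ValueError:
            problems.append(f"{tag}: {m.local_addr} is not an IP address")
        key = (m.protocol, m.dst_port)
        if key in seen_service:
            problems.append(f"{tag}: {m.protocol}/{m.dst_port} already routed "
                            f"by mapping {seen_service[key]:02d}")
        else:
            seen_service[key] = m.index
    return problems


def route_incoming(mappings, protocol, dst_port, def_server=None):
    """Return (local address, local port) for an incoming packet, or None."""
    for m in sorted(mappings, key=lambda m: m.index):
        if m.valid and m.protocol == protocol and m.dst_port == dst_port:
            return (m.local_addr, m.local_port)
    return (def_server, dst_port) if def_server else None


def exposed_services(mappings, def_server=None):
    """List what an outside host can reach, one line per service."""
    lines = [f"{m.protocol}/{m.dst_port} -> {m.local_addr}:{m.local_port}"
             for m in sorted(mappings, key=lambda m: m.index) if m.valid]
    if def_server:
        lines.append(f"all other ports -> {def_server}")
    return lines


if __name__ == "__main__":
    print(check(MAPPINGS) or "no problems")
    print("\n".join(exposed_services(MAPPINGS)))
```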
4 Configuring IPX Routing

This chapter includes the following topics:

How the Pipeline performs IPX routing
Adding the Pipeline to the local IPX network
Working with the RIP and SAP tables
Configuring IPX routing connections
How the Pipeline performs IPX routing

interoperable with other vendors’ products that conform to these protocols and associated RFCs.

Note: IPX can be transmitted using different frame types. The Pipeline routes only one IPX frame type, and it routes and spoofs IPX packets only if they are encapsulated in that type of frame. If bridging is enabled in the same Connection profile as IPX routing, the Pipeline will bridge any other IPX-packet frame types.
IPX Routing Information Protocol (RIP) tables

IPX RIP is similar to the routing information protocol in the TCP/IP protocol suite, but it is a different protocol. In this chapter, RIP always refers to IPX RIP. The Pipeline follows standard IPX RIP behavior for routers when connecting to other-vendor units.
• IPX Route profiles
• IPX SAP filters
• Dial Query
• Watchdog spoofing

Virtual IPX network for dial-in clients

The Pipeline allows individual NetWare clients that do not have an IPX network address to use an IPX routing connection to the local network if they are running PPP client software. To enable the Pipeline to route to such dial-in clients, you must specify an IPX network number in the Ethernet profile.
The IPX Options submenu in the Answer profile contains the Peer parameter, which enables the Pipeline to route to dial-in NetWare clients when the client has no configured profile. The Peer parameter is set to Router by default, which tells the Pipeline to negotiate inbound IPX calls as if the far end is a router. The Dialin setting tells the Pipeline to negotiate inbound IPX calls as if the far end is a dial-in NetWare client.
end. However, it does respond to RIP and SAP queries received from dial-in clients.

IPX Route profiles

Static IPX routes are specified in IPX Route profiles. When the Pipeline unit’s RIP and SAP tables are cleared due to a reset or power-cycle, the static routes are added when the unit initializes. Each static route contains the information needed to reach one server.
Tick Count=12
Connection #=0

Note: The Pipeline cannot support more than 300 server and route entries. In order to keep the Pipeline operational with IPX enabled on a large network, the Pipeline enforces a maximum limit of 300 server and route entries, including limit checking for both server and route entries. When the Pipeline reaches its limit of 300, it drops all IPX route and SAP packets containing additional routes and services.
IPX Type 20 packet propagation support

Some applications, such as NetBIOS, use IPX Type 20 packets to broadcast names over a network. By default, these broadcasts are not propagated over routed links (as Novell recommends), and are not forwarded over links that have less than 1 Mbps throughput. Since the Pipeline cannot support these types of applications, you can change the setting of IPX Type 20 packet propagation to Yes if required.
Watchdog spoofing

NetWare servers send out NCP watchdog packets to monitor client connections. Clients that respond to watchdog packets remain logged into the server. If a client does not respond to watchdog packets for a certain amount of time, the server logs the client out. Repeated watchdog packets can cause a WAN connection to stay active. But if the Pipeline filters out the packets, client logins are dropped by the remote server.
and drops any SPX-watchdog keep-alive packets from the LAN, without sending them on to the WAN. You do not need to set any parameters to enable this function; however, note that routers on both ends of the connection must support this feature for it to function.

WAN considerations for NetWare client software

In most cases, NetWare clients on a wide-area network do not need special configuration.
IPX in the Answer profile

Before the Pipeline answers an incoming call, it checks the settings in its Answer profile. If the call does not include the information required by the Answer profile, the Pipeline hangs up.

Note: Unlike an IP routing configuration, where the Pipeline uniquely identifies the calling device by its IP address, an IPX routing configuration does not include a built-in way to uniquely identify callers.
Adding the Pipeline to the local IPX network

To connect the Pipeline to your local IPX network, you must perform the following tasks:

• Turn on IPX routing.
• Specify the IPX frame type the Pipeline will route and watchdog spoof.
• Specify the Pipeline IPX network number (or allow it to learn the number from other routers).

In addition, you might want to define an IPX network number for dial-in clients.
The “Load” line specifies the packet frame being used by this server’s Ethernet controller (in this example, 802.3 frames). If you are not familiar with the concept of packet frames, see your NetWare documentation.

Note: Each network segment, and the internal network within any server, on the entire WAN must have a unique IPX network number.
IPX Enet #=C90AB997

Note: If you specify an IPX network number other than zero, the Pipeline becomes a “seeding” router and other routers can learn their number from the Pipeline. In that case, make sure that the number you enter is the same one used by other IPX routers on the same network. (For more information about seeding routers, see your NetWare documentation.)

2 Close and save the Ethernet > Mod Config profile.
Defining a virtual IPX network for dial-in clients

Dial-in clients do not belong to an IPX network, so they must be assigned an IPX network number to establish a routing connection with the Pipeline. To provide an IPX network number for dial-in clients, you must define a virtual IPX network in the Ethernet profile. The Pipeline advertises the route to this virtual network and assigns it as the network address for dial-in clients.
Working with the RIP and SAP tables

Viewing the RIP and SAP tables

To see the current RIP table, invoke the terminal server (described on page 8-17) and type:

show netware networks

The current RIP table will be displayed, and will be similar to the following:

network     next router     hops   ticks   origin
22222222    000000000000    2      12
A30E0A04    0080A30E0A04    1      3
A30E1347    0080A30E1347    1      3
A30E0EB8    0080A30E0EB8    1      3
A304B294    0080A304B294    1      3
EE000001    00608CB24081    1      3
AA000002    000000000000    0
You’ll see a SAP table similar to the following:

IPX address                    type   server name
EE000001:000000000001:0040     026b   SERVER1__
EE000001:000000000001:4510     0004   NOVL1
EE000001:000000000001:4005     0278   SERVER2__
A30E0A04:000000000001:8060     0047   EPS_0E0A04
A30E1347:000000000001:8060     0047   EPS_0E1347
A30E0EB8:000000000001:8060     0047   EPS_0E0EB8
A30EB294:000000000001:8060     0047   EPS_04B294

Fields in the SAP table, and their contents, are:

• IPX Address.
This setting specifies that the Pipeline receives the RIP table from the other IPX router but will not upload its RIP table. To disable IPX RIP, set:
IPX RIP=None
4 Close the Connection profile.

Configuring a static IPX route

Each static IPX route contains all of the information needed to reach one NetWare server on a remote network.
For example:
Server Name=SERVER-1
3 Specify that the route should be added to the RIP table:
Active=Yes
4 Enter the remote server’s internal network number. For example:
Network=ABC01FFF
5 Enter the remote server’s node number. For example:
Node=0000000000001
The default 0000000000001 is typically the node number for NetWare file servers.
6 Specify the remote server’s socket number.
Usually the default of 12 is appropriate, but you might need to increase this value for very distant servers.
10 Specify the number of the Connection profile that defines the WAN connection.
A Connection profile is referenced by the unique part of the number it is assigned in the Connections menu (1, 2, 3, and so forth).
Connection #=2
11 Close the IPX Route profile.
Managing IPX SAP filters

IPX SAP filters include or exclude specific NetWare services from the Pipeline unit’s SAP table.

Note: IPX SAP filters control which services are added to the local SAP table or passed on in SAP response packets across IPX routing connections (not IPX bridging connections).
When the IPX filter type is specified, the following IPX submenu is available:

Ipx...
Forward=No
Src Network Adrs=cfff0000
Dst Network Adrs=cf088888
Src Node Adrs=111222333
Dst Node Adrs=aaabbbccc
Src Socket Cmp=equal
Src Socket #=0451
Dst Socket Cmp=equal
Dst Socket #=0015

The Forward parameter works just as it does for other filter types. If it is set to No, a matching packet is discarded.
• Dst Socket Cmp and Dst Socket #
If you specify the destination socket number, you can also specify the type of comparison to be made between the destination socket for an IPX packet and the value specified in this filter. You can specify that the filter matches the packet if the destination socket number is equal, not-equal, less-than, or greater-than the one specified in the filter.
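To see how the IPX filter fields combine, the added example below (not code from the guide or from Ascend) parses the standard 30-byte IPX header and applies a filter built from the network and socket values shown in the submenu above. The sample packets are constructed; treating an unset field as "match any", leaving the node addresses unset, and returning None for a packet the filter does not match are assumptions of the example.

```python
import operator
import struct
from dataclasses import dataclass
from typing import Optional

# IPX header: checksum, length, transport control, packet type,
# destination network/node/socket, source network/node/socket (30 bytes).
IPX_HEADER = struct.Struct(">HHBB4s6sH4s6sH")

# The four comparisons the Socket Cmp parameters offer.
COMPARE = {"equal": operator.eq, "not-equal": operator.ne,
           "less-than": operator.lt, "greater-than": operator.gt}


def parse_ipx(frame):
    """Extract the address fields of an IPX packet as hex strings and ints."""
    if len(frame) < IPX_HEADER.size:
        raise ValueError("shorter than the 30-byte IPX header")
    (_cks, _length, _tc, _ptype, dnet, dnode, dsock,
     snet, snode, ssock) = IPX_HEADER.unpack_from(frame)
    return {"dst_net": dnet.hex(), "dst_node": dnode.hex(), "dst_socket": dsock,
            "src_net": snet.hex(), "src_node": snode.hex(), "src_socket": ssock}


@dataclass(frozen=True)
class IpxFilter:
    forward: bool                         # Forward=Yes/No
    src_net: Optional[str] = None         # Src Network Adrs (None = any, assumed)
    dst_net: Optional[str] = None         # Dst Network Adrs
    src_node: Optional[str] = None        # Src Node Adrs
    dst_node: Optional[str] = None        # Dst Node Adrs
    src_socket_cmp: Optional[str] = None  # Src Socket Cmp
    src_socket: int = 0                   # Src Socket #
    dst_socket_cmp: Optional[str] = None  # Dst Socket Cmp
    dst_socket: int = 0                   # Dst Socket #

    def matches(self, pkt):
        for name in ("src_net", "dst_net", "src_node", "dst_node"):
            want = getattr(self, name)
            if want is not None and pkt[name] != want.lower():
                return False
        for side in ("src", "dst"):
            cmp_name = getattr(self, f"{side}_socket_cmp")
            if cmp_name is not None and not COMPARE[cmp_name](
                    pkt[f"{side}_socket"], getattr(self, f"{side}_socket")):
                return False
        return True

    def action(self, frame):
        """'forward' or 'discard' for a matching packet, None if no match."""
        if not self.matches(parse_ipx(frame)):
            return None
        return "forward" if self.forward else "discard"


def build_ipx(dst_net, dst_node, dst_socket, src_net, src_node, src_socket):
    """Build a constructed, payload-free IPX packet (packet type 17, NCP)."""
    return IPX_HEADER.pack(0xFFFF, IPX_HEADER.size, 0, 17,
                           bytes.fromhex(dst_net), bytes.fromhex(dst_node), dst_socket,
                           bytes.fromhex(src_net), bytes.fromhex(src_node), src_socket)


# Network and socket values from the submenu shown above; sockets are hexadecimal.
PAGE_FILTER = IpxFilter(forward=False, src_net="cfff0000", dst_net="cf088888",
                        src_socket_cmp="equal", src_socket=0x0451,
                        dst_socket_cmp="equal", dst_socket=0x0015)

if __name__ == "__main__":
    hit = build_ipx("cf088888", "000000000001", 0x0015,
                    "cfff0000", "0080a30e0a04", 0x0451)
    print(parse_ipx(hit), "->", PAGE_FILTER.action(hit))
```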
Configuring IPX routing connections
This section describes how to configure IPX routing connections.
    Station=NetWareClient1
    Active=Yes
    Encaps=PPP
    Route IPX=Yes
    Encaps options...
    Send Auth=CHAP
    Recv PW=*SECURE*
    Send PW=*SECURE*
    IPX options...
    Peer=Dialin
5 Close the Connection profile.

An example with NetWare servers on both sides of the link
In the following example the Pipeline is connected to an IPX network that supports both servers and clients.
    Load 3c509 name=ipx-card frame=ETHERNET_8023
    Bind ipx ipx-card net=1234ABCD
The NetWare server at site B is configured as follows:
    Name=SERVER-2
    internal net 013DE888
    Load 3c509 name=net-card frame=ETHERNET_8023
    Bind ipx net-card net=9999ABFF
To configure the Pipeline at site A:
1 Assign the Pipeline a name if it does not already have one. To assign the Pipeline a name, open the System profile and specify the name in the Name parameter.
3 Close Connection profile #5.
4 Open the Ethernet profile and make sure that it is set up for IPX routing. For example:
    IPX Routing=Yes
    Ether options...
    IPX Frame=802.2
    IPX Enet #=1234ABCD
5 Close the Ethernet profile.
Because IPX RIP is set to None in the Connection profile, configure a static route to the remote server:
6 Open an IPX Route profile.
Set up the Connection profile as follows:
    Station=SITEAGW
    Active=Yes
    Encaps=MPP
    Dial #=555-1213
    Route IP=No
    Route IPX=Yes
    Bridge=No
    Dial brdcast=N/A
    Encaps options...
    Send Auth=CHAP
    Recv PW=*SECURE*
    Send PW=*SECURE*
    IPX options...
    IPX RIP=None
    IPX SAP=Both
    NetWare t/o=30
3 Close Connection profile #2.
4 Open the Ethernet profile and make sure that it is set up for IPX routing. For example:
    IPX Routing=Yes
    Ether options...
    IPX Frame=802.
    Server Type=0004
    Connection #=2
Note: The Connection # parameter in the IPX Route profile must match the number of the Connection profile you configured to that site.
8 Close the IPX Route profile.
Site B is a home office that consists of one PC and a Pipeline. It is not an existing Novell LAN, so the Pipeline configuration creates a new IPX network (for example, 1000CFFF). Note: The new IPX network number assigned to site B cannot be in use anywhere on the entire IPX wide-area network. (It cannot be in use at site A or any network to which site A connects.
To configure the site B Ascend unit:
1 Assign the Ascend unit a name if it does not already have one. To assign the Pipeline a name, open the System profile and specify the name in the Name parameter. For example:
    Name=SITEBGW
2 Open the Connection profile for site A. Set up the Connection profile like this:
    Station=SITEAGW
    Active=Yes
    Encaps=MPP
    Dial #=555-1213
    Route IP=No
    Route IPX=Yes
    Bridge=No
    Dial brdcast=N/A
    Encaps options...
Chapter 5: Configuring the Pipeline as a Bridge

This chapter contains the following sections:
    Introduction to Ascend bridging
    Enabling bridging
    Managing the bridge table
    Configuring bridged connections
Introduction to Ascend bridging
Routing is much faster than bridging, and has these advantages:
• Routers examine packets at the network layer, so you can filter on logical addresses, providing enhanced security and control.
• Routers support multiple transmission paths to a given destination, enhancing the reliability and performance of packet delivery.
Broadcast addresses and Dial Brdcast
A broadcast address is recognized by multiple nodes on a network. For example, the Ethernet broadcast address at the physical level is:
    FFFFFFFFFFFF
All devices on the same network receive all packets with that destination address. As a router, the Pipeline discards broadcast packets.
to the remote bridge must be exactly the same name specified in the Station parameter of that Connection profile.
Note: The most common cause of trouble when initially setting up a PPP bridging connection is that the names are not specified exactly. Check for case, dashes, spaces, underscores, and so forth.

Bridging in the Answer profile
Bridging must be enabled on both the answering and dialing side of a PPP, MP, or MP+ session link.
When there is no server support on the local network
If the local Ethernet supports NetWare clients only and no NetWare servers, the bridging connection should enable a local client to bring up the WAN connection by querying (broadcasting) for a NetWare server on a remote network. However, the connection should not stay up indefinitely because of RIP or SAP broadcasts.
Enabling bridging
Examples
If IPX Frame=802.3, and Route IPX=Yes and Bridge=No in the Connection profile, only 802.3 IPX packets are routed; all other packets are dropped.
If IPX Frame=802.3, and Route IPX=Yes and Bridge=Yes in the Connection profile, 802.3 IPX packets are routed and all other packets are bridged, including IPX packets in other frame types, AppleTalk packets, NetBios packets, DECnet and so forth.
If the Pipeline receives an IPX packet in the 802.
Managing the bridge table
To forward bridged packets to the right network destination, the Pipeline uses a bridge table that associates end nodes with particular connections. It builds this table dynamically, as described in “Transparent bridging” on page 5-7. It also incorporates the entries found in its Bridge profiles. Bridge profiles are analogous to static routes in a routing environment.
Figure 5-2 shows the physical addresses of some nodes on the local Ethernet and one at a remote site. The Pipeline at site A, configured as a bridge, gradually learns addresses on both networks by looking at each packet’s source address.
[Figure 5-2: the Ethernets at Site A and Site B joined by the WAN; node addresses shown: 08009FA2A3CA, 0000D801CFF2, 080045CFA123, 08002B25CC11]
Configuring bridged connections
broadcast requests. Instead, it relies on its bridging table to recognize which Connection profile to use.
Note: If you turn off Dial Brdcast and the Pipeline does not have a bridge-table entry for a destination address, the Pipeline will not bring up that connection.
To define a static bridge-table entry:
1 Open a Bridge profile.
2 Specify the physical address of the remote host.
    Ethernet Connections profile    Station=SITEBGW
                                    Bridge=Yes
                                    Dial Brdcast=No
    Ethernet Connections profile    Send Auth=None
                                    Recv PW=N/A
                                    Send PW=N/A
    Ethernet Connections profile    IPX options...
                                    Handle IPX=Client
For details on each parameter, see the Reference Guide.

An example AppleTalk bridged connection
An AppleTalk connection at the link level requires a bridge at either end of the connection. Be careful when specifying names.
the Answer profile enables bridging (as discussed in “Bridging in the Answer profile” on page 5-4).
Note: In the example, Dial Brdcast is turned off in the Connection profiles and a Bridge profile is specified. This is not required. You can turn on Dial Brdcast and omit the Bridge profile if you prefer.
To configure the local Pipeline for a bridged connection:
1 Open the System profile.
2 If the Pipeline does not already have a system name, assign one. For example:
    Name=SITEBGW
3 Close the System profile.
4 Open Connection profile #2 on the Pipeline.
5 Set these parameters:
    Station=SITEAGW
    Active=Yes
    Encaps=PPP
    Bridge=Yes
    Dial Brdcast=No
    Encaps options...
    Send Auth=CHAP
    Recv PW=*SECURE*
    Send PW=*SECURE*
6 Close Connection profile #2.
7 Open a Bridge profile.
An example IPX client bridge (local clients)
In the following example, the local Ethernet supports NetWare clients, and the remote network supports NetWare servers and clients.
[Figure 5-3. An example IPX client bridging connection]
To configure the Pipeline in this example:
1 Open the System profile.
2 If the Pipeline does not already have a system name, assign one. For example:
    Name=SITEAGW
3 Close the System profile.
    Encaps options...
    Send Auth=CHAP
    Recv PW=*SECURE*
    Send PW=*SECURE*
    IPX options...
    Handle IPX=Client
10 Close the Connection profile.
Dial Brdcast is enabled to allow service queries to bring up the connection. When Handle IPX=Client, the Pipeline applies a data filter that discards RIP and SAP periodic broadcasts at its WAN interface, but forwards RIP and SAP queries.
4 Open the Ethernet profile.
5 Open the Ether Options submenu.
6 Set the IPX Frame type. For example:
    IPX Frame=802.3
7 Close the Ethernet profile.
8 Open a Connection profile.
9 Set these parameters:
    Station=SITEBGW
    Active=Yes
    Encaps=PPP
    Route IPX=No
    Bridge=Yes
    Dial Brdcast=Yes
    Encaps options...
    Send Auth=CHAP
    Recv PW=*SECURE*
    Send PW=*SECURE*
    IPX options...
    NetWare t/o=30
    Handle IPX=Server
10 Close the Connection profile.
An example IP bridged connection
If you are bridging between two segments of the same IP network, you can use the Net Adrs parameter in a Bridge profile to enable the Pipeline to respond to ARP requests while bringing up the bridged connection.
    Encaps options...
    Send Auth=CHAP
    Recv PW=*SECURE*
    Send PW=*SECURE*
6 Close Connection profile #7.
7 Open a Bridge profile.
8 Set these parameters:
    Enet Adrs=0CFF1238FFFF
    Net Adrs=10.2.3.100/24
    Connection #=7
9 Close the Bridge profile.
Chapter 6: Defining Filters and Firewalls

This chapter contains the following topics:
    Introduction to filters
    Overview of Filter profiles
    Example filters
    Working with predefined call filters
Introduction to filters
You can define conditions in filters to drop (reject) all packets except the ones you explicitly allow, or allow all packets except the ones you explicitly drop. Additionally, you can specify whether to apply the filter to inbound packets, outbound packets, or all packets, regardless of their origin. Depending on how a filter is used, it is either a data filter or a call filter. The following describes each type:
• Data filter
  Affects the flow of data.
To define which packets will be allowed to cross the WAN interface, apply a data filter to a Connection or Answer profile using the following steps:
1 Open Ethernet > Connection or Answers > profile
  Note: You can apply a filter in the Answer profile only if the Profile Reqd parameter is set to No.
2 Open the Session Options submenu.
3 Apply a data filter.
Call filters for managing connections
Call filters are used to prevent unnecessary connections and to help the Pipeline distinguish active traffic from “noise.” By default, any traffic to a remote site triggers a call to that site, and any traffic across an active connection resets the connection’s idle timer.
Note: The idle timer is set to 120 seconds by default.
If it is set to any other value, the value must be a valid Filter profile number. The Filter profile number is the number in the Filters menu. You don’t have to specify the whole number, just the unique portion of it.
4 Close and save the profile.
When you apply a filter to the WAN interface, it takes effect only when a connection goes from an offline state to a call-placed state.
information about predefined-filter settings, see “Working with predefined call filters” on page 6-21.)
Note: For information about IPX SAP filters, pertaining to NetWare services the Pipeline adds to its service table, see Chapter 4, “Configuring IPX Routing.”

Overview of Filter profiles
You apply a filter to an interface by specifying its profile number.
At the top level of a Filter profile are two submenus: Input Filters and Output Filters. The Input submenu allows you to define 12 In-filter conditions to apply to incoming data. The Output submenu allows you to define 12 Out-filter conditions to apply to outgoing data. The conditions are applied to the data stream in filter order, starting with 01.
• Generic or IP filters
  Each In filter and Out filter can be one of two types: “Generic” or “IP.
    In filter 02
    In filter 03
    In filter 04
    In filter 05
    In filter 06
    In filter 07
    In filter 08
    In filter 09
    In filter 10
    In filter 11
    In filter 12
By default, all packets are forwarded. So if a packet does not match any of the defined conditions in a filter, it is forwarded as usual.
Note: If only Input filters are defined, all outbound packets are forwarded or allowed to reset the idle timer.
Generic filter conditions define bits and bytes within a packet. They are applied to all packet types, including TCP and IP. IP filter conditions are related only to TCP/IP/UDP packets.

Defining generic filter conditions
If the Type parameter in a filter is set to GENERIC, you can define generic conditions using these menus:
1 Open Ethernet > Filters > any profile
2 Determine if you need an Input or Output filter.
value. If Compare is set to NotEquals, the filter is applied if the packet data are not identical.
7 Set the More parameter.
  The More parameter specifies whether the current filter is linked to the one immediately following it. If More=Yes, the filter can examine multiple noncontiguous bytes within a packet, by “marrying” the current filter to the next one, so that the next filter is applied before the Forward decision is made.
If a filter is applied as a data filter, the “forward” action determines which packets will be transmitted and received. If a filter is applied as a call filter, the “forward” action determines which packets can either initiate a connection or reset the timer for an established connection.
Defining Filters and Firewalls Example filters The source and destination Port Cmp and Port # parameters specify whether to compare the protocol ports, which identify the application running over TCP/IP. The comparison may match a protocol port number that is less-than, greater-than, equal, or not-equal. 8 Set the TCP Estab parameter. The TCP Estab parameter can be set to match a packet only if a TCP session is already established.
2 Assign a name to the Filter profile. For example:
    Name=AppleTalk Data
3 Open the Output Filters submenu.
4 Open Out filter 01 and set Valid=Yes and Type=GENERIC. For example:
    >Valid=Yes
    Type=GENERIC
    Generic...
    IP...
    IPX...
5 Open the Generic submenu and specify the following conditions:
    Generic...
These conditions define non-AppleTalk traffic. Note that AppleTalk has the protocol type 0x809b. Outbound packets that are not AppleTalk packets will be forwarded. Because all non-AppleTalk packets have now been forwarded, subsequent filters can assume that a packet is AppleTalk.
8 Close Out filter 02, then open Out filter 03.
9 Set Valid=Yes and Type=GENERIC, and then open the Generic submenu and specify the following conditions:
    Generic...
    Length=4
    Mask=ff00fff000000000
    Value=0200022000000000
    Compare=Equals
    More=Yes
Together, Out filters 05 and 06 specify NBP lookup packets with a wildcard entity name. NBP lookups are transmitted by the Chooser and other applications that look up entities on AppleTalk networks.
14 Close Out filter 05, then open Out filter 06.
15 Set Valid=Yes and Type=GENERIC, and then open the Generic submenu and specify the following conditions:
    Generic...
An example IP filter to prevent address spoofing
This section shows how to define an IP data filter whose purpose is to prevent “spoofing” of local IP addresses. “Spoofing” IP addresses (not to be confused with watchdog or DHCP spoofing described elsewhere in this manual) is a technique whereby outside users pretend to be from the local network in order to obtain unauthorized access to the network.
4 Open In filter 01.
    In filter 01
    >Valid=Yes
    Type=IP
    Generic...
    IP...
    IPX...
5 Set Valid=Yes and Type=IP, and then open the IP submenu.
6 Specify the following conditions:
    Ip...
    >Forward=No
    Src Mask=255.255.255.192
    Src Adrs=192.100.50.128
    Dst Mask=0.0.0.0
    Dst Adrs=0.0.0.0
    Protocol=0
    Src Port Cmp=None
    Src Port #=N/A
    Dst Port Cmp=None
    Dst Port #=N/A
    TCP Estab=N/A
These conditions specify the local net mask and IP address in the Src Mask and Src Adrs fields.
    Dst Port #=N/A
    TCP Estab=N/A
These conditions specify the loopback address in the Src Mask and Src Adrs fields. If an incoming packet has this address, it will not be forwarded onto the Ethernet.
9 Close the current Input filter, and then open In filter 03.
10 Set Valid=Yes and Type=IP, and then open the IP submenu and specify the following conditions:
    Ip...
    >Forward=Yes
    Src Mask=0.0.0.0
    Src Adrs=0.0.0.0
    Dst Mask=0.0.0.0
    Dst Adrs=0.0.0.
    Dst Port Cmp=None
    Dst Port #=N/A
    TCP Estab=N/A
These conditions specify the local net mask and IP address in the Src Mask and Src Adrs fields. If an outbound packet has a local source address, it will be forwarded.
14 Close the Filter profile.

An example IP filter for more complex security issues
This section describes an IP data filter that illustrates some of the issues you may need to consider when writing your own IP filters.
    In filter 02...Ip...Dst Mask=0.0.0.0
    In filter 02...Ip...Dst Adrs=0.0.0.0
    In filter 02...Ip...Protocol=6
    In filter 02...Ip...Src Port Cmp=None
    In filter 02...Ip...Src Port #=N/A
    In filter 02...Ip...Dst Port Cmp=Gtr
    In filter 02...Ip...Dst Port #=1023
    In filter 02...Ip...TCP Estab=No

    In filter 03...Ip...Forward=Yes
    In filter 03...Ip...Src Mask=0.0.0.0
    In filter 03...Ip...
Defining Filters and Firewalls Working with predefined call filters The second Input filter specifies TCP packets, Protocol=6, from any address and to any address and forwards them if the destination port is greater than the source port. For example, Telnet requests go out on port 23 and responses come back on some random port greater than port 1023. So, this filter defines packets coming back to respond to a user's request to Telnet, or to other requests using the TCP protocol, to a remote host.
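The anti-spoofing data filter from the earlier example (In filters 01 to 03 and the Out filter), modelled as first-match evaluation so that the effect of the 255.255.255.192 source mask can be checked against sample addresses. This is an added example, not Ascend code; the loopback values and the Out filter values, which are cut off on the page, and the sample packets are assumptions.

```python
"""Anti-spoofing IP data filter modelled as first-match evaluation.

Added example, not Ascend code. Items marked ASSUMPTION are not on the page.
Protocol and port fields are left out because the page's conditions set them
to match anything (Protocol=0, Port Cmp=None).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class IpCondition:
    forward: bool            # Forward=Yes/No
    src_mask: str            # Src Mask
    src_adrs: str            # Src Adrs
    dst_mask: str = "0.0.0.0"
    dst_adrs: str = "0.0.0.0"

    def src_net(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.src_adrs}/{self.src_mask}", strict=False)

    def dst_net(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.dst_adrs}/{self.dst_mask}", strict=False)

    def matches(self, src: str, dst: str) -> bool:
        # A mask of 0.0.0.0 yields 0.0.0.0/0, which contains every address.
        return (ipaddress.IPv4Address(src) in self.src_net()
                and ipaddress.IPv4Address(dst) in self.dst_net())


def first_match(conditions: Sequence[IpCondition], src: str,
                dst: str) -> Optional[Tuple[int, bool]]:
    """Return (filter number, forward) for the first matching condition.

    None means no condition matched; the example does not model that case.
    """
    for number, cond in enumerate(conditions, start=1):
        if cond.matches(src, dst):
            return number, cond.forward
    return None


def covered_range(cond: IpCondition) -> Tuple[str, str]:
    """First and last source address that the condition treats as a match."""
    net = cond.src_net()
    return str(net[0]), str(net[-1])


IN_FILTERS = [
    # In filter 01, values from the page: inbound packets claiming a local source.
    IpCondition(False, "255.255.255.192", "192.100.50.128"),
    # In filter 02, loopback source. ASSUMPTION: mask and address are cut off on
    # the page; 127.0.0.0 with mask 255.0.0.0 is used here.
    IpCondition(False, "255.0.0.0", "127.0.0.0"),
    # In filter 03, values from the page: forward everything else.
    IpCondition(True, "0.0.0.0", "0.0.0.0"),
]

OUT_FILTERS = [
    # Out filter: forward packets with a local source address. ASSUMPTION: the
    # values are cut off on the page; the local net of In filter 01 is reused.
    IpCondition(True, "255.255.255.192", "192.100.50.128"),
]

if __name__ == "__main__":
    # Constructed sample packets: (source, destination).
    for src, dst in [("192.100.50.130", "192.100.50.140"),
                     ("127.0.0.1", "192.100.50.140"),
                     ("203.0.113.9", "192.100.50.140"),
                     ("192.100.50.192", "192.100.50.140")]:
        print("in ", src, "->", dst, first_match(IN_FILTERS, src, dst))
    print("local range:", covered_range(IN_FILTERS[0]))
    print("out", first_match(OUT_FILTERS, "192.100.50.140", "203.0.113.9"))
```

The boundary case matters in practice: with this mask only 192.100.50.128 through 192.100.50.191 count as local, so an inbound packet claiming 192.100.50.192 falls through to In filter 03.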
NetWare servers broadcast SAP packets every 60 seconds to make sure that all routers and bridges know about available services. To prevent these packets from keeping a connection up unnecessarily, apply the predefined NetWare Call filter in the Session Options submenu of a Connection or Answer profile in which IPX routing is configured.
    Out filter 04...Generic...Compare=Equals
    Out filter 04...Generic...More=Yes

    Out filter 05...Generic...Forward=No
    Out filter 05...Generic...Offset=24
    Out filter 05...Generic...Length=8
    Out filter 05...Generic...Mask=ffffffffffffffff
    Out filter 05...Generic...Value=ffffffffffff0452
    Out filter 05...Generic...Compare=Equals
    Out filter 05...Generic...More=Yes

    Out filter 06...
    Out filter 08...Generic...Compare=Equals
    Out filter 08...Generic...More=No

    Out filter 09...Generic...Forward=No
    Out filter 09...Generic...Offset=0
    Out filter 09...Generic...Length=6
    Out filter 09...Generic...Mask=ffffffffffff0000
    Out filter 09...Generic...Value=ffffffffffff0000
    Out filter 09...Generic...Compare=Equals
    Out filter 09...Generic...More=Yes

    Out filter 10...
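How the Offset, Length, Mask, Value, Compare and More fields of a generic condition combine, using Out filter 05 of the NetWare Call filter listed above (an added example, not Ascend code). The second chained condition, the 802.3 frame layout, the sample frames, and taking the action from the condition that ends a More chain are assumptions.

```python
"""Generic filter conditions (Offset/Length/Mask/Value/Compare/More).

Added example, not Ascend code. Items marked ASSUMPTION are not on the page.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class GenericCondition:
    forward: bool   # Forward=Yes/No
    offset: int     # Offset: byte position counted from the start of the frame
    length: int     # Length: number of bytes compared; 0 matches every packet
    mask: str       # Mask: hex string, ANDed with the packet bytes
    value: str      # Value: hex string the masked bytes are compared with
    equals: bool    # Compare=Equals (True) or NotEquals (False)
    more: bool      # More=Yes links this condition to the next one

    def matches(self, frame: bytes) -> bool:
        if self.length == 0:
            return True
        window = frame[self.offset:self.offset + self.length]
        if len(window) < self.length:
            return False  # ASSUMPTION: a frame too short to compare never matches
        mask = bytes.fromhex(self.mask)[:self.length]
        value = bytes.fromhex(self.value)[:self.length]
        masked = bytes(b & m for b, m in zip(window, mask))
        return (masked == value) == self.equals


def evaluate(conditions: Sequence[GenericCondition], frame: bytes) -> Optional[bool]:
    """Forward value of the first matching condition or More chain, else None."""
    i = 0
    while i < len(conditions):
        j = i
        while conditions[j].more and j + 1 < len(conditions):
            j += 1                       # extend the chain across More=Yes links
        chain = conditions[i:j + 1]
        if all(c.matches(frame) for c in chain):
            # ASSUMPTION: the action comes from the condition that ends the chain.
            return chain[-1].forward
        i = j + 1
    return None


CALL_FILTER = [
    # Out filter 05 of the predefined NetWare Call filter, values from the page:
    # destination node ff:ff:ff:ff:ff:ff followed by destination socket 0452 (SAP).
    GenericCondition(False, 24, 8, "ffffffffffffffff", "ffffffffffff0452", True, True),
    # ASSUMPTION (constructed; the page's Out filter 06 is cut off): SAP operation
    # 0002, a general service response, the packet servers broadcast periodically.
    GenericCondition(False, 44, 2, "ffff000000000000", "0002000000000000", True, False),
    # Catch-all with Length=0, like the last Out filter of the page's IP Call filter.
    GenericCondition(True, 0, 0, "0000000000000000", "0000000000000000", True, False),
]


def ipx_sap_frame(dst_node: bytes, dst_socket: bytes, sap_operation: bytes) -> bytes:
    """Constructed sample frame. ASSUMPTION: 802.3 framing, so the IPX header
    starts at byte 14 and the destination node sits at frame offset 24."""
    src_node = bytes.fromhex("00a024bed584")
    mac = bytes.fromhex("ffffffffffff") + src_node + (34).to_bytes(2, "big")
    ipx = (bytes.fromhex("ffff")         # chksum
           + (34).to_bytes(2, "big")     # packet len
           + b"\x00"                     # transport control
           + b"\x11"                     # packet type
           + bytes(4)                    # dest network
           + dst_node                    # dest node,   frame offset 24
           + dst_socket                  # dest socket, frame offset 30
           + bytes(4)                    # source network
           + src_node                    # source node
           + bytes.fromhex("4009")       # source socket (dynamic)
           + sap_operation               # SAP operation, frame offset 44
           + bytes.fromhex("0004"))      # SAP service type: file server
    return mac + ipx


def resets_idle_timer(frame: bytes) -> Optional[bool]:
    """As a call filter, Forward decides whether the packet may place a call
    or reset the idle timer."""
    return evaluate(CALL_FILTER, frame)


if __name__ == "__main__":
    bcast, sap = bytes.fromhex("ffffffffffff"), bytes.fromhex("0452")
    for name, op in [("periodic SAP broadcast", "0002"), ("Get Nearest Server", "0003")]:
        frame = ipx_sap_frame(bcast, sap, bytes.fromhex(op))
        print(name, "->", resets_idle_timer(frame))
```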
This example SNEP filter is intended to be applied as a data filter on the Ethernet interface. To create a SNEP data filter for the Ethernet interface of the Pipeline, create a new Filter profile and define the following Input filters:
    In filter 01...Generic...Forward=No
    In filter 01...Generic...Offset=30
    In filter 01...Generic...Length=2
    In filter 01...Generic...Mask=ffff000000000000
    In filter 01...Generic...
IP Call filter
The predefined IP Call filter prevents inbound packets from resetting the idle timer. It does not prevent any type of outbound packets from resetting the timer or placing a call. The IP Call filter contains one Input filter, which defines all inbound packets, and one Output filter, which defines all outbound packets destined for the remote network specified in a Connection or Answer profile in which the filter is applied.
these two pairs, a packet has to meet the criteria defined in both filters to be considered a match. The last Output filter tells the Pipeline to allow all other outbound packets to reset the idle timer or initiate a call.
    In filter 01...Generic...Forward=No
    In filter 01...Generic...Offset=0
    In filter 01...Generic...Length=0
    In filter 01...Generic...Mask=000000000000000000
    In filter 01...Generic...
Defining Filters and Firewalls Display unwanted dial-out packets
    Out filter 04...Generic...Length=3
    Out filter 04...Generic...Mask=ffffff0000000000
    Out filter 04...Generic...Value=0404040000000000
    Out filter 04...Generic...Compare=Equals
    Out filter 04...Generic...More=No

    Out filter 05...Generic...Forward=yes
    Out filter 05...Generic...Offset=0
    Out filter 05...Generic...Length=0
    Out filter 05...Generic...Mask=0000000000000000
    Out filter 05...Generic...Value=0000000000000000
    Out filter 05...
• Dial out in response to a DHCP Discover message
• Dial out caused by the Pipeline sending a DHCP packet for DHCP client processing
• Dial out caused in response to an APP (Ascend Password Protocol) Connect Request message

Turning on the diagnostic option
1 Use the DO command D-Diagnostic to open the Diagnostic monitor.
2 At the prompt (>) type:
    help ascend
  You should see the wdDialout option listed. By default, the option is off.
    Date: 01/01/1990. Time: 00:00:53
    Cause an attempt to place call to 92233002
    WD_DIALOUT_DISP: chunk 260126 type OLD-STYLE-PADDED.
    Date: 01/01/1990. Time: 00:00:56
    Cause an attempt to place call to 92233002
    WD_DIALOUT_DISP: chunk 260126 type OLD-STYLE-PADDED.
    Date: 01/01/1990. Time: 00:01:13
    Cause an attempt to place call to 92233002
    WD_DIALOUT_DISP: chunk 260126 type OLD-STYLE-PADDED.
    chksum              ff:ff
    packet len          00:22 /* 34 */
    Transport Control   00 /* 0 */
    packet type         11 /* 17 NCP Packet */
    dest network        00:00:00:00
    dest Node           ff:ff:ff:ff:ff:ff
    dest Socket         04:52 /* SAP */
    source network      00:00:00:00:00
    source Node         00:a0:24:be:d5:84 /*physical addr of Node*/
    Source Socket       40:09 /*4000h-7fffh Dynamic socket*/
    Sap operation       00:03 /* Get Nearest Server Request */
    Sap Service Type    0:04 /* File Server */

Example 5
In this example, the
    destination MAC address   00:80:5f:74:93:d5
    source MAC address        00:80:c7:2f:32:4c
    chksum                    ff:ff
    packet len                00:29 /*41*/
    packet type               11 /*17 NCP Packet */
    dest network              30:6c:6b:00
    dest Node                 00:00:00:00:00:01
    dest Socket               04:51 /* NCP Pkt*/
    source network            82:c1:b6:bf
    source Node               00:80:c7:2f:32:4c /* addr of src Node */
    Source Socket             40:03 /*4000h-7fffh Dynamic socket*/

Secure Access Firewalls
Determining if Secure Access is present
All software that includes
• Name specifies the name of the firewall and is originally created using the Secure Access Manager (SAM) graphical user interface.
• Each firewall contains a version number to ensure that any firewall that is uploaded to the router will be compatible with the firewall software on the router. Secure Access Manager (SAM) checks the version number before uploading a firewall.
Defining Filters and Firewalls Filter persistence
1 Create a firewall filter using SAM.
2 Download it to the Pipeline.
3 Open Ethernet > Mod Config > Ether Options.
4 Enter the number of the firewall filter you want to use in the Filter field. This number is derived from the number in the Firewall menu. For example, if the firewall is number 20-503, enter number 103 in the Data Filter field.
5 Exit and save the profile.
A persistent filter or firewall is maintained even when its associated connection becomes inactive. Additionally, the filter or firewall can be applied when an additional session becomes associated with a connection, as is the case with additional channels of an MPP connection.
Note: Firewalls need to use persistence to work correctly, but filters do not need to use persistence to work as designed.
Chapter 7: Setting Up Pipeline Security

This chapter includes the following topics:
    Recommended security measures
    Pipeline Security profiles
    Connection security
    Using filters to secure the network
Recommended security measures
• Activate the Full Access security level.
  After you change the password, activate the Full Access security level for your own use in performing the rest of these basic security measures. (For instructions, see “Activating the Full Access security level” on page 7-4.)
• Make the default security level very restrictive.
  The Pipeline provides terminal services via Telnet.
Changing the Full Access security level password
The Full Access security profile is intended to provide unrestricted access to the Pipeline. This is the “super-user” profile that enables you to configure the unit, dial up remote locations, reset the unit, upgrade system software, and so forth.
Note: Write down and save the Full Access password in a safe place.
Now only users who have the password you assigned will be able to activate the Full Access security level.

Activating the Full Access security level
To activate the Full Access profile, do the following:
1 From the VT100 menus, press Ctrl-D to open the DO menu, and then press P (or select P=Password).
    DO…
    >0=ESC
    P=Password
2 In the list of security profiles, select Full Access. The Pipeline prompts for the password.
    Operations=No
  When you restrict this privilege, all other privileges are N/A.
3 Close the Default profile.
Once set, users who access the Pipeline terminal server will be unable to make any changes to its configuration or perform restricted operations. For all users with the default security level, passwords (including the null password) will be hidden by the string *SECURE* in the Pipeline user interface.
  The read community string enables an SNMP manager to perform read commands (for example, Get and Get next) to request specific information.
• R/W Comm
  The read-write community string enables an SNMP manager to perform both read and write commands (for example, Get, Get next, and Set), which means the SNMP application can access management information, set alarm thresholds, and change some settings on the Pipeline.
Setting Up Pipeline Security Pipeline Security profiles

Requiring profiles for incoming connections
There are many authentication measures you can set for incoming connections. At the most basic level, you can configure the Pipeline to reject all incoming calls that don’t have a Connection profile.
To require configured profiles for all incoming connections:
1 Open the Ethernet > Answer profile.
2 Specify that a matching profile is required for incoming calls.
settings for the two predefined Security profiles, see “Recommended security measures” on page 7-1.)

Default security level
The Pipeline has three possible security levels, including the default. The Default security profile has no password. This security level is always activated for all users who Telnet into the unit or access the terminal server interface in another way.
  When Edit Security=No, all passwords are hidden by the string “*SECURE*.”
• Edit System
  If Edit System=Yes, users can edit the System profile and other system-wide settings.
• Field Service
  If Field Service=Yes, users can perform field service operations, such as uploading new system software to the Pipeline unit. Field service operations are special diagnostic routines not available through Pipeline menus.
(To learn more about DO commands, see the Reference Guide chapter on using the DO commands.)
1 Press Ctrl-D to open the DO menu, and then press P (or select P=Password).
    DO…
    >0=ESC
    P=Password
2 Open System > Security > Full Access. The Pipeline prompts for the password.
3 Type the password for the Full Access profile and press Enter.
5 Close and save the profile.

Connection security
Connection security has two levels: caller authentication regulating authorized access, and network security preventing unauthorized wide-area network access. All authentication relies on the Pipeline finding a matching profile to verify information presented by the caller.
• Authentication mechanisms
  – Password authentication, such as PAP, CHAP, or MS-CHAP, requires a name and password from the caller.
Authentication protocols

Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) require Point-to-Point Protocol (PPP) encapsulation. These authentication protocols apply to PPP, Multilink PPP (MP), and Multichannel PPP (MP+) connections to the Pipeline. Both sides of the connection must support the same protocol.
When the Pipeline receives a PPP call, it tries to match the caller’s name and password to a Connection profile. If the Pipeline doesn’t find a matching profile, it ends the call. If the Pipeline finds a matching profile, it authenticates the call and establishes the connection. When an IP routing connection is being authenticated, the IP address is verified as part of the PPP negotiation before a call is established.
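What PAP and CHAP each put on the link, as an added example (not code from the Ascend guide or the Pipeline firmware): PAP carries the password itself, while CHAP, per RFC 1994, carries MD5(identifier || secret || challenge). The profile name, the secret, and the dictionary standing in for Connection profiles are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a Connection profile lookup: caller name -> shared secret.
PROFILES = {"branch-office": b"constructed-shared-secret"}


def pap_request(name, password):
    """PAP: the Authenticate-Request carries the name and the password as-is."""
    return {"name": name, "password": password}


def pap_verify(request):
    """Authenticator compares the received password with the stored one."""
    stored = PROFILES.get(request["name"])
    return stored is not None and hmac.compare_digest(stored, request["password"])


def chap_challenge(identifier):
    """CHAP step 1: the authenticator sends an identifier and a random challenge."""
    return {"id": identifier & 0xFF, "value": os.urandom(16)}


def _chap_digest(identifier, secret, challenge_value):
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


def chap_response(name, secret, challenge):
    """CHAP step 2: the caller proves knowledge of the secret without sending it."""
    return {"id": challenge["id"], "name": name,
            "value": _chap_digest(challenge["id"], secret, challenge["value"])}


def chap_verify(challenge, response):
    """CHAP step 3: the authenticator recomputes the digest from its own profile."""
    secret = PROFILES.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False  # no matching profile, or a response to some other challenge
    expected = _chap_digest(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def replay_is_rejected():
    """A response captured from one exchange must fail against a fresh challenge."""
    first = chap_challenge(1)
    captured = chap_response("branch-office", PROFILES["branch-office"], first)
    fresh = chap_challenge(1)  # same identifier, new random value
    return chap_verify(first, captured) and not chap_verify(fresh, captured)


if __name__ == "__main__":
    req = pap_request("branch-office", PROFILES["branch-office"])
    print("PAP on the wire :", req["password"])      # secret visible to a link tap
    ch = chap_challenge(7)
    resp = chap_response("branch-office", PROFILES["branch-office"], ch)
    print("CHAP on the wire:", resp["value"].hex())  # digest only
    print("replay rejected :", replay_is_rejected())
```

Anyone who records a CHAP challenge and response can still test password guesses offline, so the shared secret should be long and random.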
The Id Auth parameter in the Answer profile can be set to the following values:

Ignore
Ignore indicates that calling-party information is not required for authentication.

Prefer or Called Prefer
Prefer specifies that whenever CLID is available, the calling-party’s phone number must match the Calling # parameter before answering the call.
Set the CLID Fail Busy parameter to Yes to make the disconnect message “User Busy;” set it to No for the message “Normal call clearing,” which is the default.

Callback security

Callback security instructs the Pipeline to hang up on an incoming caller and then immediately initiate a call to that destination.
6 Close and save the profile.

Expect callback support

A problem occurs when Ping or Telnet attempts to reach a far end that is using callback security: Ping and Telnet try continuously to open a connection and reject the return callback, because the process is already trying to establish a connection. To remedy the situation, set Expect Callback to Yes.
Filters can also be used to prevent remote users from accessing information on your local network, even if they know how to “spoof” a local source address that would enable them to get past a filter. For example, you can define a filter that drops inbound packets whose source address is on the local network or the loopback address. Each filter consists of an ordered list of conditions (“rules”) based on either IP-specific or protocol-independent information.
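One way to model the anti-spoofing filter described above, as an added example (not Ascend's filter implementation or Filter profile syntax): an ordered rule list evaluated first-match-wins against packets arriving from the WAN. The local network 192.168.10.0/24, the rule fields, and the drop-when-nothing-matches default are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

LOCAL_NET = "192.168.10.0/24"   # constructed local Ethernet network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int                    # IP protocol number (6 = TCP, 17 = UDP)
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    forward: bool                    # True = forward on match, False = drop on match
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: Optional[int] = None   # None matches any protocol
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate(rules: Sequence[Rule], pkt: Packet, default_forward: bool = False) -> bool:
    """Return True to forward, False to drop. The first matching rule decides."""
    try:
        for rule in rules:
            if rule.matches(pkt):
                return rule.forward
    except ValueError:
        return False                 # unparseable address: fail closed
    return default_forward           # assumed default when no rule matches


# Applied to packets arriving from the WAN. A genuine local host can never
# appear as the source of such a packet, so these sources are forged.
INBOUND_WAN_FILTER = [
    Rule(forward=False, src=LOCAL_NET),      # claims to come from the local network
    Rule(forward=False, src="127.0.0.0/8"),  # claims to come from loopback
    Rule(forward=True),                      # everything else passes to later checks
]

if __name__ == "__main__":
    samples = [                              # constructed packets
        Packet("192.168.10.25", "192.168.10.5", 6, 23),
        Packet("127.0.0.1", "192.168.10.5", 17, 514),
        Packet("203.0.113.7", "192.168.10.5", 6, 80),
    ]
    for pkt in samples:
        verdict = "forward" if evaluate(INBOUND_WAN_FILTER, pkt) else "drop"
        print(f"{pkt.src:>15} -> {pkt.dst}: {verdict}")
```

Because the first match decides, placing the forward-everything rule ahead of the two drop rules would silently disable the protection.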
MAX (acting as the NAS). The NAS requests authentication from the RADIUS server, which in turn contacts the external server.

[Figure 7-1. RADIUS acting as client of ACE or Safeword server. Diagram labels: User with security card, Pipeline, WAN, MAX (NAS), RADIUS, ACE or SAFEWORD]

When a user initiates a login to a secure site, the following events occur:
1 The calling unit (for example, a Pipeline) calls a NAS (the MAX).
For the Pipeline to place calls to a NAS at a secure site, it needs the appropriate Connection profile specifying a token-based authentication mode. The authentication mode configured in the Pipeline affects how the token passwords are transmitted and how the dial-in user is affected by channels being added to an established session.
Requesting PAP-TOKEN-CHAP mode

PAP-TOKEN-CHAP authenticates additional channels using CHAP. If it is specified in the Send Auth parameter, but the RADIUS profile at the far end is not set up for PAP-TOKEN-CHAP, then PAP-TOKEN is used instead. The dynamic password supplied by a user authenticates the base channel of the call. It is sent in the clear (via PAP).
Ethernet
Connections
profile
Encaps options...
Send Auth=CACHE-TOKEN
Send PW=*SECURE*

The Send Auth parameter specifies the authentication mode requested by the calling unit (CACHE-TOKEN). The Send PW password is sent as part of the initial session negotiation. Then, the user is prompted for a token password to authenticate the base channel of the call via CHAP.
To set up the Pipeline to communicate with the APP Server utility, do the following:
1 Open the Ethernet > Mod Config > Auth menu.
2 Set the APP Server parameter to Yes. For example:
APP Server=Yes
This enables the Pipeline to communicate password challenges to the host running the APP Server utility.
3 Specify the IP address of the host running the APP Server utility. For example:
APP Host=10.65.212.
[^C to exit] Password Mode>
2 Dial the remote site using any commands you normally use to make the call.
Note: When connecting via modem, skip this step.
3 While the connection is being negotiated, the remote NAS returns a challenge prompt similar to the following:
From: hostname
0-Challenge: challenge
Enter next password:
4 The hostname is the name of the NAS you called. (Not all systems respond with their host name.
8 Pipeline System Administration

This chapter includes the following topics:
Overview of administration functions 8-1
Activating administrative privileges 8-3
Configuring administration options 8-4
Using the Pipeline status windows
Overview of administration functions

System admin commands

These include commands for rebooting, saving or restoring configuration information, upgrading system software, and viewing statistics and other conditions and settings. (See “Performing system administration operations” on page 8-10. Also see Appendix E, “Upgrading system software.
SNMP management

The Pipeline supports SNMP on a TCP/IP network. An SNMP management station that uses the Ascend Enterprise MIB can query the Pipeline, set some parameters, sound alarms when certain conditions appear in the Pipeline, and so forth. An SNMP manager must be running on a host on the local IP network, and the Pipeline must be able to find that host, either via static route or RIP.
D=Diagnostics
2 Press P (or select P=Password) to invoke the Password command. A menu of Security Profiles opens.
3 Select Full Access. The Pipeline prompts for the password for the Full Access profile.
00-300 Security
Enter Password:
[]
Press > to accept
4 Type the password and press Enter to accept it. If you enter the right password, a message states that the password was accepted and the Pipeline is using the new security level.
Term Rate=9600
Console=Standard
Remote Mgmt=No
2 Specify a system name up to 16 characters long.
3 Enter the physical location of the Pipeline. You can enter up to 80 characters. An SNMP manager can read this field, but its value does not affect the operation of the Pipeline.
4 Specify a person to contact in case of error conditions. You can enter up to 80 characters.
90-C00 Mod Config
Log...
Syslog=Yes
Log Host=206.65.212.205
Log Port=514
Log Facility=Local0
2 Turn on Syslog.
3 Specify the IP address of the host running the Syslog daemon. The host running a Syslog daemon is typically a UNIX host, but it may also be a Windows system. If the log host is not on the same subnet as the Pipeline, the Pipeline must have a route to that host, either via RIP or a static route.
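A check for the log host side of these settings, as an added example (not Ascend code): it decodes the syslog priority value (facility × 8 + severity, so Local0 covers 128 to 135) and flags datagrams that do not come from the Pipeline or do not carry the configured facility. The Pipeline address 192.0.2.1 and the message bodies are constructed, and only the leading priority field is interpreted.

```python
import re
from typing import NamedTuple, Optional

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth"}
FACILITIES.update({16 + n: f"local{n}" for n in range(8)})   # local0..local7

PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


class Record(NamedTuple):
    facility: str
    severity: str
    text: str


def parse(datagram: bytes) -> Optional[Record]:
    """Split '<PRI>text' into facility, severity and text; None if malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # highest valid value: facility 23, severity 7
        return None
    facility, severity = divmod(pri, 8)
    name = FACILITIES.get(facility, f"facility{facility}")
    text = m.group(2).decode("ascii", "replace").strip()
    return Record(name, SEVERITIES[severity], text)


def classify(sender_ip: str, datagram: bytes, pipeline_ip: str,
             facility: str = "local0") -> str:
    """Compare one received datagram with what the Log... settings should produce."""
    if sender_ip != pipeline_ip:
        return "unexpected-sender"
    record = parse(datagram)
    if record is None:
        return "malformed"
    if record.facility != facility:
        return "unexpected-facility"
    return "ok"


if __name__ == "__main__":
    PIPELINE = "192.0.2.1"             # constructed address of the Pipeline
    received = [                       # constructed (sender, datagram) pairs
        ("192.0.2.1", b"<134>pipeline: constructed sample message"),
        ("192.0.2.1", b"<38>pipeline: constructed sample message"),
        ("198.51.100.9", b"<134>pipeline: constructed sample message"),
        ("192.0.2.1", b"no priority field"),
    ]
    for sender, data in received:
        print(f"{sender:>13}  {classify(sender, data, PIPELINE):<20} {parse(data)}")
```

Syslog over UDP is unauthenticated, so the sender comparison is a consistency check on the configuration rather than proof of origin.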
Syslog messages

Syslog messages have a standard format that is described below. In addition to the normal traffic logged by Syslog, information may be generated for packets seen by the Secure Access firewall, if specified by SAM. By default, SAM will cause a syslog message to be generated for all packets blocked by a firewall.
local
For non-IP packets, local is the source Ethernet MAC address of transmitted packets and the destination Ethernet MAC address of received packets. On a non-bridged WAN connection, the two MAC addresses will be all zeros. For IP protocols, local is the IP source address of transmitted packets and the IP destination address of received packets. In the case of TCP or UDP, it will also include the TCP or UDP port number ([IP-address];[port]).
Using the Pipeline status windows

Eight status windows are displayed on the right side of the screen in the Pipeline configuration interface (Figure 8-1). These status windows provide a great deal of read-only information about what is currently happening in the Pipeline. This section gives an overview of the information contained in the eight windows.
Performing system administration operations

This section describes the following system administration operations:
• Using DO commands to manually place and clear calls
• Restoring and saving a configuration
• Resetting the Pipeline
• Invoking the terminal server interface

Using DO commands

The DO menu is a context-sensitive list of commands that appears when you press Ctrl-D from the VT100 interface.
To manually place a call:
1 Select or open the Connection profile for the destination you want to call.
2 Press Ctrl-D to invoke the DO menu.
3 Press 1 to invoke the Dial command.
4 Watch the information in the Sessions status window. You should see the number being called followed by a message that the network session is up.
Send and Recv passwords, Security profile passwords, and passwords specified in the Ethernet profile (Mod Config menu) are all set to the null password when you restore a configuration from a saved file. Be sure to record your passwords off-line if you need to restore them. Before you start, verify that your terminal emulation program has a disk capture feature.
If you examine the saved Pipeline data file, notice that some of the lines begin with START= and other lines begin with END=. These START/STOP lines and the block of data contained between them constitute a profile. If a parameter in a profile is set to its default value, it does not appear. In fact, you can have profiles with all parameters at their defaults and the corresponding START/STOP blocks would be empty.
To use the tsave command, you must use the diagnostic mode. From the DO menu, select D-Diagnostics. Then, to save the configuration of the Pipeline with the MIB field numbers instead of parameter names, enter this command line:
tsave -m
For example:
tsave -m 200.253.164.100 all
This saves the entire configuration of the Pipeline with an IP address of 200.253.164.100 to a file called “all”.
To load configuration information from disk:
1 Connect the backup device to the Pipeline Terminal port. The backup device is typically the PC through which you access the VT100 interface.
2 Open the Sys Diag menu.
3 Select Restore Cfg and press Enter. The following message appears:
Waiting for upload data...
4 Use the Send ASCII File feature of the communications software to send the Pipeline the configuration file.
To reset the unit:
1 Open the Sys Diag menu.
2 Select Sys Reset and press Enter. The Pipeline asks you to verify that you want to reset.
0=ESC
1=Reset
3 To confirm, type 1.
During a reset, the Pipeline clears active connections and runs its Power-On Self Test (POST), just as it would if the unit were power-cycled. If you do not see the POST display, press Ctrl-L.
Using the terminal server interface

This section describes how to use the administrative commands that are available in the terminal server command-line interface.

Invoking and quitting the terminal server interface

To invoke the terminal server command-line interface, you must have administrative privileges. See “Activating administrative privileges” on page 8-3.
The following table lists the terminal server commands, which are documented in detail in the “Terminal Server Commands” chapter of the Reference Guide.

Table 8-1. Terminal server commands

Command          Description
?                Displays help information.
dnstab edit      Starts editor for local DNS table.
dnstab entry     Displays local DNS table entry.
dnstab show      Displays local DNS table.
hangup           Closes the connection.
help             Help on any named command.
Table 8-1. Terminal server commands (continued)

Command              Description
set password         Enables dynamic password settings.
set sessid [val]     Sets and stores [val] or current ID.
set term             Sets the telnet/rlogin terminal type.
show arp             Displays the ARP cache.
show dhcp            Displays DHCP configuration parameters.
show dhcp address    Displays DHCP Address Assignment Information.
show dhcp lease      Displays DHCP lease Information.
Table 8-1. Terminal server commands (continued)

Command               Description
show ip routes        Displays IP routes.
show ip stats         Displays IP statistics.
show isdn             Displays ISDN events.
show netw networks    Displays NetWare IPX Networks.
show netw pings       Displays NetWare IPX Ping Stats.
show netw servers     Displays NetWare IPX Servers.
show netw stats       Displays NetWare IPX Statistics.
show revision         Displays system revision.
Accessing a local Pipeline via Telnet

If a remote user Telnets to the Pipeline and the Ethernet > Mod Config > Telnet PW has been set, the user is prompted for the Telnet password. Local users Telneting to the Pipeline over the Ethernet must also supply this password. The Telnet password verification trap reports the IP address of the Telnet client whose login attempts failed.
A Pipeline 75 Voice Features

This appendix includes the following topics:
About the integrated services of ISDN A-1
How your ISDN service affects voice features A-2
How outgoing voice calls are handled A-4
How incoming voice calls are handled A-5
Support for 2-channel calls on one SPID
• Two analog ports for phones, modems, and fax machines.
• Both analog devices can be used simultaneously when both B-channels are available.
• Calling features let you Hold, Drop, Transfer, and Conference call.
• Call routing automatically directs calls to the correct analog device (phone, fax or modem).
How your ISDN service affects voice features

The menu for specifying Supplementary Services and enabling/disabling services is the Dual POTS menu, located in the Main Edit Menu. When opening the menu, a listing similar to the following appears:
40-000 Dual POTS
Hook Activator=Enabl
Dbl Hook Activator=Enabl
Conf Button=6
Drop Button=8
Trans Button=7
Save=
The values shown in this listing are the defaults.
The sections that follow note differences in voice features for certain types of ISDN service and for certain switches. Because standardized ISDN services, such as National ISDN-1 (NI-1), are becoming more common, these differences are becoming less frequent.
• If both B channels are used for a data call to the same location, you can make a voice call by picking up the receiver of a telephone connected to either analog port. The Pipeline automatically borrows one of the B channels for the voice call. This feature works for outgoing calls on all types of ISDN service and all switches.
How incoming voice calls are handled

• If both B channels are used for a data call to the same location, you can receive a voice call to either telephone number. The Pipeline automatically borrows one B channel for the voice call, and the call is routed to the analog port assigned to the telephone number.
– Exceptions: AT&T Custom Multipoint service and AT&T Custom Point-to-Point service do not support channel borrowing for incoming calls.
by the Pipeline, is either an approximation of the Call Waiting tone provided by most telephone companies or, on a Pipeline with a U interface, a brief “burr” tone.
To use Call Waiting, follow these steps:
1 When you hear the call waiting tone, decide whether you want to answer the new call.
B1
B2 *
In this example, B2—the second B channel—has one voice call on hold as well as an active voice call.
10-100 1
Link D
B1
B2 h *

Call conferencing

If your ISDN service includes the Call Conferencing feature, you can use the Pipeline to establish conference calls. Conference calls allow more than two callers to converse at the same time.
Support for 2-channel calls on one SPID

If your switch type is AT&T 5ESS NI-1, you can reuse the same Channel Endpoint Suffix (CES) for a 2-channel call (one voice and one data) on the same service provider identifier (SPID). The same CES can be reused to support 2-channel calls under the following circumstances (this information is for provisioning the line):
• The call is data on a specific CES.
How 3.1K audio calls work

In the Configuration menu, the current default is Phone 1 Usage=A and Phone 2 Usage=B. This means that the devices connected to analog port 1 and analog port 2 are both telephones. Any outgoing call from the corresponding analog port uses the Speech information transfer in its ISDN SETUP message. If you set Phone 1 Usage=A 3.
B IDSL Implementations

This appendix contains the following topics:
ISDN Digital Subscriber Line (IDSL) B-1
Configuring an IDSL connection B-2
Making voice calls over IDSL
DSL requires dedicated DSL equipment at each end of the line, which bypasses the public switched telephone network. IDSL is a proprietary technology which enables DSL over an ISDN line, using a Pipeline. IDSL uses the same line coding used for ISDN BRI circuits, but provides dedicated, continuously “up” 128 Kbps service for installations within 18,000 feet of the central office (or longer distances when ISDN line repeaters are used).
Configuring an IDSL connection

Note that the IDSL switch type is used to enable this function. The IDSL switch is identical to AT&T Point-to-Point, but has support for Q.931 en-bloc dialing, and enables voice calls over the DSL service. The name, IP and subnet address you assign to the Pipeline (My Name and My Addr), and the name, IP and subnet address of the remote host (Rem Name and Rem Addr), should be provided by your DSL service provider.
3 Exit and save the Configure profile.
Making voice calls over IDSL

To make voice calls, your service must be connected to Ascend-supplied IDSL COE and the Pipeline must use the IDSL switch type, which supports Q.931 en-bloc dialing. You can make voice calls only when the switch supports en-bloc dialing. En-bloc dialing reports the dialed number in the setup message sent to the COE, which uses the information to route the call to the voice network.
C APP Server utility

This appendix includes these topics:
About the APP Server utility C-1
APP Server installation and setup C-2

About the APP Server utility

The Ascend Password Protocol (APP) Server utility lets you respond to token password challenges received from an external network authentication server (NAS).
Then configure your Pipeline to communicate with the APP Server utility. The steps to do this are listed in “Configuring the Pipeline to use the APP server” on page C-2.

APP Server installation and setup

The APP Server utility is provided for Macintosh, DOS, Windows 3.1, Windows 95, Windows NT, and UNIX. The utility is available from the Ascend FTP server. The files can be found at ftp.ascend.com/pub/Software-Releases/AppServer.
For example:
APP Host=7001
7001 is the default UDP port for the APP Server.
Note: If you change this number, you must specify the new UDP port number in the Password AppServer Control Panel (Macintosh), APP Server utility (DOS), the WIN.INI file (Windows), or /etc/services (UNIX). The Pipeline and the host running the APP Server utility must agree on the UDP port number.
5 Close the Ethernet profile.
In the APPSRVR.INI file, the first line of the file must contain the text “[BANNER]”. For example:
[BANNER]
line1=The security password has changed. Please consult your
line2=security card and enter the current password now.
line3=You have 60 seconds to enter the new password.
The banner is followed by the challenge prompt in the APP Server screen. A user has 60 seconds to obtain the current password from the security card and enter it correctly.
Table C-1. APP Server INI file contents (continued)

INI section    Description
[WinSNK]       Consists of 33 lines with the first using the key name, Path, and all remaining lines using a number from 0 to 31. Path is the fully qualified path to the location of the installed Axent SecureNet Softkey.
8=Access Denied.^M^J
9=All Channels of Security Server are busy. Try again later ^M^J
10=Unexpected packet from Agent^M^J
11=Cannot start new call on active channel^M^J
12=Cannot start new call on active channel^M^J
13=Unexpected input from user.^M^J
14=Enter Password:
15=Invalid Identification.^M^JEnter ID:
16=Your password has expired.^M^JEnter New Password:
17=Enter New Password:
18=Enter New Password again:
19=Passwords didn't match.
enter it correctly. If multiple users need to use the APP Server, the user can include a name in this format:
password.username
(A password followed by a period, followed by the user name.)

To install the APP Server utility on a UNIX host:
1 Edit the Makefile appropriately for your operating system and compiler.
2 Compile the appsrvr source file (make).
3 Add a line to /etc/services assigning UDP port 7001 to the APP Server utility.
The –b option sets a socket option to allow broadcast transmissions and inhibits the utility’s complaints about receiving invalid APP frame types when it receives its own transmissions.
Note: On some UNIX systems, you need root privileges to run the APP Server utility in broadcast mode. (Some hosts disallow broadcast transmissions without root privileges.
The APPSRVDS.EXE DOS utility does not require an IP stack or IP address, but it does require an ODI driver. The command line for APPSRVDS.EXE must be positioned after the line invoking the network ODI driver and before the network protocol stack (TCP/IP or IPX or other supported protocol). For example:
C:\NOVELL\LSL.COM
C:\NOVELL\XXXODI.COM
C:\ASCEND\APPSRVDS.EXE
REM Protocol Stack is loaded next
5 Close AUTOEXEC.BAT.
6 Reboot.
• UDP port to use = 7001
• Broadcast UDP port is the same as communication UDP port
• APP Server will force a connection upon execution
Note: A Connection profile defined in the Pipeline is required to log into the remote secure network, so if the APP Server line in AUTOEXEC.BAT does not specify a Connection profile name, the user will be prompted for one as the system boots. For example, this command:
C:\ASCEND\APPSRVDS.
2 Click Connect. A Settings dialog box opens (shown below).
3 Enter the name of the Connection profile used to log into the remote secure network.
4 Enter your user name. The name you enter must be no longer than 32 characters and cannot contain spaces. Once entered, it is saved to disk and appears as the default the next time you log on.
5 Click OK.
Choose File > New > Program Item.
3 To launch the APP Server utility when you start Windows, place the APPSRV31.EXE icon in your Startup group. If you prefer not to add the APP Server utility to your Startup group, you can launch the utility manually by double-clicking its icon.
4 Reboot.

Installing the APP Server utility for Windows 95

To install the APP Server on a Windows 95 system:
1 Copy the file XAS-W95.EXE into a temporary directory. XAS-W95.
4 Follow the prompts and select the destination directory where the APP Server for Windows NT should be installed.
The APP Server for Windows NT will start automatically whenever the system reboots. You may close the APP Server in a session, but the next time the system is rebooted, it will start again.
D Troubleshooting

This appendix includes the following topics:
Cabling problems: Rule these out first D-1
Common problems and their solutions D-2
Problems configuring the Pipeline D-5
ISDN BRI interface problems D-7
Problems accessing the remote network
See “Check the installation” on page D-10 for related information.

Common problems and their solutions

This section lists problems you might encounter and describes ways to resolve them.

General problems

When the list of DO commands appears, most operations are not available

You might need to select a specific Connection profile in order to see certain DO commands.
The first channel of an MP+ call connects, but then the call clears or does not connect on the remaining channels

The most common error in defining Connection profiles is specifying incorrect phone numbers. The Pipeline cannot successfully build inverse multiplexing or MP+ calls if the phone numbers in the Connection profile of the called unit are incorrect. The phone numbers that you specify in the Connection profile are the numbers local to your unit.
100 terminal

If the unit passed its power-on self tests and you still cannot communicate with the Control Monitor, type Ctrl-L to refresh the screen. If you still do not see any data, check the cabling between the Pipeline and your terminal by following these steps:
1 Check the pin-out carefully on the 9-pin cable. The control terminal plugs into the HHT-VT-100 cable or 9-pin connector labeled Terminal on the back of the Pipeline.
The start-up display indicates a power-on self test failure

If the start-up display indicates a failure in any of its tests, an internal hardware failure has occurred with the unit. In this case, contact Ascend Communications, Inc. Customer Support.

Problems configuring the Pipeline

There are two common problems associated with the Pipeline configuration procedure:
• The communications program does not display a profile when you press Ctrl-L.
If your Pipeline is plugged into a power strip or surge protector, make sure the power strip or surge protector is plugged in and turned on. Once you are sure the Pipeline is connected to a power source, if the pwr LED is on, continue to step 3. If the pwr LED is still not on, contact the Ascend Technical Assistance Center at 1-800-ASCEND-4.
3 Check the con LED.
– Direct connect
If necessary, configure your communications program, then continue to the next step.
8 Press Ctrl-L to refresh the screen. If no profile appears, contact your network administrator. If a profile appears but it isn’t the Configure profile, continue to the next section.

A profile appears but it isn’t the Configure profile

If a profile appears, but it isn’t the Configure profile, your Pipeline may already have been configured.
ISDN BRI interface problems

The most common problem with SPIDs is that they were entered incorrectly, either by mistake or because the telephone company provided the wrong information. If wrong or incomplete information was provided about the SPID numbers assigned to your ISDN line, try adding 00 to the end of the SPID number. Or, if the suffix ends in a double digit, such as 01 or 02, try replacing those two digits with a single digit, such as 1 or 2.
If you are running multipoint (passive bus) on your switch, all of the ISDN telephone cables must be wired straight through. If any of the cables are wired to cross over, you will not be able to place calls.
2 Check that 100% termination is provided on each ISDN line.
3 Check whether you have correctly specified the SPIDs (Service Profile Identifiers) in the Configure profile for each line.
Connection profile. Try enabling PAP or CHAP for the Recv Auth parameter so that the Pipeline matches the caller’s name to the Station parameter in a Connection profile and gets the corresponding LAN Adrs.
Problems accessing the remote network

If necessary, connect your Pipeline to your ISDN line. If your Pipeline does not have an integrated NT-1 interface, make sure it is connected to an NT-1, and that the NT-1 is connected to the ISDN line as shown in your NT-1 manual. Once you are connected, if the WAN LED is still blinking, continue to step 4.
4 Contact your ISDN service provider to see if your lines have been activated.
• If an X appears in the Link field of the 10-100 status window instead of a P, M, or D, your ISDN line is not activated or you have entered an incorrect switch type.
• If an asterisk (*) appears in the B1 or B2 field of the 10-100 status window and the remote site’s name appears in the 20-100 Sessions status window, your Pipeline is connected to the remote site. Skip to step 6.
– Contact the service provider who installed your ISDN line to confirm your SPID or SPIDs.
Once you have confirmed that all the information is entered correctly and you have saved the Configure profile, try accessing the network again. If you still have trouble, continue to step 6.
6 If you are routing, check to make sure you have configured your computer’s IP address accurately.
Appendix E: Upgrading system software

This appendix includes the following topics:
What you need to upgrade system software
Displaying the software load name
The upgrade procedure

Warning: Do not “upgrade” to an older version of software.
Displaying the software load name

server, and you will need to create a tftpboot directory to hold the binary while executing the upgrade.
• Alternatively, you can use a serial connection between a PC and the Pipeline. Use a serial connection to upload a standard-size binary. You cannot upgrade to a fat or extended load with a serial connection.
Note: The HyperTerm and Terminal programs that ship with Microsoft Windows do not reliably restore saved settings.
The upgrade procedure

Features
i    IP only (OSPF - no IPX, ARA)
p    IPX only
x    X.25
a    Appletalk routing
1    Old hardware (e.g., b1.p50)
2    New hardware (e.g., b2.p75)

Examples
t.p22     Pipeline 220 T1
b2.p75    new Pipeline 50 and 75, and Pipeline 85

Note: When downloading the newest version of software from the Ascend FTP site (ftp.ascend.com/pub/Software-Releases), determine which file to download by referring to the README file associated with each sub-directory.
Instructions for completing these tasks are described in this appendix. Before you go any further, check to see which version of the system software is currently installed on your Pipeline and which Security profile is activated. To see which software version is currently running on the Pipeline, look in the Sys Option status window. Refer to the Reference Guide for information on using the status windows.
Message #119
Password accepted.
Using new security level.
5 If the password you enter is incorrect, you are prompted again to enter the password.

This section explains how to upgrade your system software.
• You must use TFTP to upload a fat or extended load.
Note: To use Trivial File Transfer Protocol (TFTP) you need a TFTP server on your computer (host) or accessible over the Ethernet. You can obtain a TFTP server from software download sites on the Internet.
• If you are upgrading your software using TFTP, you must use the fsave command immediately after executing the tload command. Failure to do so may cause your Ascend unit to lose its configuration.
3 If necessary, activate a Security profile that allows for field upgrade. If you are not sure how, see the section on Security profiles in your documentation.
4 If you are using TFTP, be sure you have loaded the correct binaries into the /tftpboot directory on the TFTP server.

Upgrading system software with a standard load

You can upgrade system software with a standard load using either the serial console or TFTP over the Ethernet.
8 From the VT100 interface, access the diagnostics monitor by typing these characters in rapid succession: Press Ctrl-D to invoke the DO menu and select D=Diagnostics.
9 Type nvramclear to clear any differences in NVRAM memory before and after the upgrade. After the Ascend unit clears NVRAM memory, it automatically resets.
10 The unit resets a second time to load the configuration from flash memory. This completes the upgrade.
5 Enter the following command to clear any differences in NVRAM memory before and after the upgrade.
nvramclear
After executing this command, the Pipeline will be inaccessible while it clears NVRAM and resets. Please wait for the unit to reset before attempting to use it. This completes the upgrade.
nvramclear
After executing this command, the Pipeline will be inaccessible while it clears NVRAM and resets. Please wait for the unit to reset before attempting to use it.
6 Repeat the procedure, this time uploading the fat or extended load. Be sure your system is backed up before you begin so you can revert to a saved configuration, if necessary.

After a successful upgrade, one of the following messages appears.
UART initialized
fat load: bad CRC!!
forcing serial download at 57600 bps
please download a "thin" system...

Immediately after this message appears, the serial console speed is switched to 57600 bps, and the Pipeline initiates an Xmodem serial download.
This check is initiated by the currently-loaded software. If your Pipeline is using a version of software with this feature and you attempt to load an older version of software that does not have this feature, the download will be aborted because the older software has no platform identifiers that the currently-loaded software uses to validate compatibility.
loading code from tftpserver.ascend.com
file /tftpboot/b.p75...
thin load:
This load has no platform identifier.
Proceed with caution.
Download aborted. Use ’tloadcode -f’ to force.

In the previous example, the user decides that he or she requires the older version and forces the download. The following messages are displayed:
1 User enters the following command
tloadcode -f tftpserver b.
Glossary

Authentication—A method of identifying a caller before accepting a call. The Pipeline supports token card authentication, as well as standard password, and encrypted password authentication. (Encryption is a method of encoding and decoding data.)
Bandwidth—The amount of information that can flow through a line, measured in bits per second.
Bridging—One method the Pipeline can use to move data between your network and a remote network. Bridging makes remote networks look like one large network.
Broadcast packets—Those sent to all users on a network, even if they are for only one user. When the Pipeline is defined as a bridge, they can cause the unit to dial out.
Dialing out versus initiating a session—Anytime the Pipeline initiates a session with a remote network it dials out, but you don’t have to dial or connect to Dial-Up networking, as all the dialing is done automatically. If you want to dial manually, use the DO Dial command.
address, plus the data payload and other information. Surrounding a packet is a frame, which includes information about the transport protocol.
Profile—A menu (including submenus) that defines a link or system.
Q.931 en-bloc dialing—A function included in the ISDN User-Network Interface Layer 3 Specification for Call Control, which has to do with the messages that are sent over the D channel to set up and disconnect calls.
Remote device or remote end—Refers to another network.
IP address, then the Pipeline broadcasts a request to all hosts on the local network. When the APP server responds, it uses the IP address of the Pipeline and the same port number, which ensures that the response goes to exactly the right process on the Pipeline.
VT-100 terminal emulation—See LCD interface.
Wide Area Network (WAN)—All remote networks not attached to the local network that you reach by connecting to a telecommunications service.