manualshive.com logo in svg

Bay Networks 6300, Supplement Manual

Share
Download
Bay Networks 6300 Supplement Manual Download Page 321

A-293

Chapter 15    Using RA 6300 Security

Remote Annex 6300 Supplement to the Remote Annex Administrator’s Guide for UNIX

Book A

Using IPXCP Security

The Internet Packet Exchange Control Protocol (IPXCP) uses PPP
security. For information on PPP security, see Using PPP Security below.
For information on other aspects of IPXCP, see Internetwork Packet
Exchange (IPX) Protocol on page A-153.

Windows ‘95 IPXCP clients must make sure that SPAP security is not
enabled on their PCs. SPAP is a proprietary Microsoft security
mechanism not available to other systems, such as the RA 6300.

Using PPP Security

The RA 6300 supports two authentication protocols for PPP:

Password Authentication Protocol (PAP).

Challenge-Handshake Protocol (CHAP).

Both of these protocols are run over the PPP link after the LCP
negotiations are complete (for more details on using a PPP link, see Point-
to-Point Protocol (PPP) on page A-87).

Password Authentication Protocol (PAP)

PAP is a two-way handshake in which an ID/password pair are exchanged
in clear text. Each half of the connection can require security.

If one side of the link agrees to use PAP, after the LCP negotiations are
complete, that side will send a user name/password combination to its
peer. Upon receipt, the peer authenticates that combination.

Summary of Contents for 6300

Page 1: ...Part No 166 024 028 Rev A January 1997 Supplement to the Remote Annex Administrator s Guide for UNIX Remote Annex 6300 ...

Page 2: ...therightsoftheUnitedStatesGovernmentregardingitsuse reproduction anddisclosureareassetforthintheCommercial Computer Software Restricted Rights clause at FAR 52 227 19 Trademarks of Bay Networks Inc Annex Remote Annex Annex Manager Remote Annex 2000 Remote Annex 4000 Remote Annex 6100 Remote Annex 6300 Remote Annex 5390 Async Remote Annex 5391 CT1 Remote Annex 5393 PRI BayStack Remote Annex 2000 Se...

Page 3: ...iii Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Revision Level History Revision Description A Initial release ...

Page 4: ...Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX iv ...

Page 5: ...etwork Configurations A 10 Voice Modem Calls A 10 Spare Modems A 11 V 120 Calls A 12 Synchronous PPP Calls A 13 Mixed Annex Environment A 14 Configuring Parameters A 14 RA 6300 Management Tools A 15 Parameter Types A 15 Loading Files A 16 Multi protocol Support A 16 Chapter 2 Configuring the Remote Annex 6300 Configuring RA 6300 Parameters A 18 Using the na Utility A 19 Using the CLI admin Command...

Page 6: ... 47 Using RIP A 47 Setting the IP Encapsulation Type A 48 Using the Terminal Server TTY TSTTY A 48 Using the Transport Multiplexing TMux Protocol A 49 Configuring LAT Services A 49 Configuring the Annex for AppleTalk A 49 Configuring IPX A 50 Chapter 3 Configuring the PRI Interface Global Ports and Sessions Delivering ISDN Calls A 51 Configuring the PRI Interface A 52 Port Handling A 55 Internal P...

Page 7: ...Port Parameters A 100 Sample Configuration for Connecting Two Subnets A 102 Routing across a PPP Link Basic Passive RIP A 105 Route Cache A 106 Protocol Stack A 106 Negotiating the LCP Options A 107 Negotiating the Network Control Protocol A 110 BOOTP Requests A 113 Using the CLI netstat ip Command A 114 Displaying Data for Ports A 114 Chapter 7 Serial Line Internet Protocol SLIP SLIP and Compress...

Page 8: ...ion Samples A 167 Sample Configuration Using Dial up Addresses A 167 Sample Configuration Using Fixed Addressing A 169 Obtaining IPX Information A 171 System Logs A 172 IPXCP Interface Statistics A 172 IPX Interfaces Memory Buffers Routes and Servers A 174 IPX Frame Type and Network Number A 180 IPX State A 181 IPX Connections A 181 Statistics for All Interfaces and for 802 2 A 182 Chapter 12 Appl...

Page 9: ... enable_security Parameter A 217 Overview of Local Password Protection A 217 Implementing Local Virtual CLI Password Protection A 218 Administrative Password A 220 Protecting the Superuser CLI A 221 Protecting Resources from Unauthorized Access A 222 Protecting the na Utility from Unauthorized Access A 222 Overview of Host based Security A 223 Basic ACP Configuration A 225 Configuring the Security...

Page 10: ... Protocol PAP A 293 Challenge Handshake Protocol CHAP A 295 Using the PPP Security Parameters A 298 Using Filters for Security A 300 Using Kerberos Authentication A 301 Enabling Kerberos Authentication A 301 Configuring the RA 6300 for Use with Kerberos Authentication A 302 Using the ACE Server A 303 Using the SecurID Card A 303 Assigning a SecurID Card to a User A 304 Clients A 304 The SecurID Ca...

Page 11: ...g PRI Calls Made to the RA 6300 B 5 pri call Command Syntax B 6 pri call Sample Display B 6 Displaying Active Session Parameter Blocks B 7 sessions Command Syntax B 7 sessions Sample Display B 7 Displaying Network Statistics B 8 netstat Command Syntax B 9 netstat Sample Displays B 11 Using the ping Command to Test Network Links B 30 ping Command Syntax B 30 ping Sample Display B 31 Managing the AR...

Page 12: ...ters vs Private Enterprise MIB B 73 Location of Private MIB Files B 73 Private MIB Filenames B 73 Configuration Parameters vs MIB Objects B 75 LAT specific Configuration Parameters vs MIB Objects B 78 LAT Statistic Objects B 79 TMux specific Parameters vs MIB Objects B 81 IPX specific Parameters vs MIB Objects B 81 Interface Parameters vs MIB Objects B 82 Global Port Parameters vs MIB Objects B 83...

Page 13: ... C 42 authoritative_agent C 42 authorized_groups C 43 backward_key C 43 banner C 43 broadcast_addr C 44 broadcast_direction C 45 buildout C 45 chap_auth_name C 45 char_erase C 46 circuit_timer C 46 cli_imask7 C 46 cli_inactivity C 47 cli_interface C 47 cli_prompt C 47 cli_security C 48 config_file C 49 connect_security C 49 data_bits C 49 daylight_savings C 49 dedicated_arguments C 50 default_zone...

Page 14: ...60 ipx_do_checksum C 61 ipx_dump_password C 61 ipx_dump_path C 61 show_dump_username C 61 ipx_file_server C 62 ipx_frame_type C 62 ipx_network C 62 ipx_node C 64 ipx_security C 65 ixany_flow_control C 66 keep_alive_timer C 66 lat_key C 66 lat_queue_max C 66 latb_enable C 67 line_erase C 67 load_broadcast C 67 load_dump_gateway C 68 load_dump_sequence C 68 local_address C 68 location C 69 lock_enab...

Page 15: ..._b_channels C 79 option_key C 79 output_flow_control C 80 output_is_activity C 81 output_start_char C 81 output_stop_char C 81 output_ttl C 81 parity C 82 password C 82 passwd_limit C 83 port_password C 83 port_server_security C 83 ppp_acm C 84 ppp_mru C 86 ppp_ncp C 86 ppp_password_remote C 86 ppp_sec_auto C 87 ppp_security_protocol C 87 ppp_username_remote C 88 pref_dump_addr C 88 pref_load_addr...

Page 16: ...ty C 98 server_name C 98 service_limit C 98 session_limit C 99 short_break C 99 slip_mtu_size C 99 slip_no_icmp C 99 slip_ppp_security C 100 slip_tos C 100 stop_bits C 100 subnet_mask RA 6300 C 100 subnet_mask port C 101 sys_location C 101 switch_type C 101 syslog_facility C 102 syslog_host C 102 syslog_mask C 102 tcp_keepalive RA 6300 C 103 tcp_keepalive asynchronous C 104 telnet_crlf C 104 telne...

Page 17: ...e Remote Annex Administrator s Guide for UNIX Contents user_name C 108 v120_mru C 108 vcli_groups C 108 vcli_inactivity C 109 vcli_password C 109 vcli_security C 109 zone C 110 Chapter 3 Using the CLI Commands Chapter 4 Utilities erpcd C 115 ...

Page 18: ...Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Contents xviii ...

Page 19: ...ost Using PPP with Fixed Addresses A 101 Figure A 7 PPP Link Connecting Two Ethernet Subnets A 103 Figure A 8 Connecting a Single Host Using SLIP A 125 Figure A 9 SLIP Link with Two IP Addresses A 127 Figure A 10 RA 6300s to be Used for Dial out A 135 Figure A 11 Sample PPP Routing Configuration A 140 Figure A 12 Connecting a Single Host Using PPP A 167 Figure A 13 Connecting a Single Host Using P...

Page 20: ...Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Figures xx ...

Page 21: ... A 23 Profile Criteria A 235 Table A 24 Authentication Regimes A 246 Table A 25 Entries for accesscode in the acp_userinfo File A 252 Table A 26 Arguments for the clicmd Entry in the acp_userinfo File A 255 Table A 27 Entry for climask in the acp_userinfo File A 257 Table A 28 Entry for deny in the acp_userinfo File A 258 Table A 29 Entry for filter in the acp_userinfo File A 259 Table A 30 Argume...

Page 22: ... 29 TMux specific Parameters vs MIB Objects B 81 Table B 30 IPX specific Parameters vs MIB Objects B 81 Table B 31 Interface Parameters vs MIB Objects B 82 Table B 32 Global Port Parameters vs MIB Object Names B 83 Table B 33 PPP and SLIP Port Parameters vs MIB Objects B 88 Table B 34 PPP and SLIP Port Parameters vs MIB Objects continued B 89 Table B 35 Multi Link PPP Parameters vs MIB Objects B 9...

Page 23: ..._flow_control Parameter C 80 Table C 27 Arguments for the remote_address Parameter C 92 Table C 28 Valid Options for the rip_accept Parameter C 93 Table C 29 Valid Options for the rip_advertise Parameter C 94 Table C 30 Valid Options for the rip_horizon Parameter C 95 Table C 31 Valid Options for the rip_recv_version Parameter C 95 Table C 32 Valid Options for the rip_send_version Parameter C 96 T...

Page 24: ...Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Tables xxiv ...

Page 25: ... through an ISDN Primary Rate Interface PRI connection to the global telephone network The RA 6300 accepts connections from analog modems ISDN terminal adapters TAs using the V 120 Rate adaptation protocol ISDN NICs and ISDN routers such as the Nautica Series Marlin and CLAM This manual assumes its readers have a basic familiarity with UNIX systems and network administration in general and with th...

Page 26: ...tion information Book B Network Management describes the utilities for managing RA 6300s and monitoring the network Book C Reference provides a reference material for the commands parameters utilities and network protocols supported by the RA 6300 This manual is called a supplement because several of its chapters only describe how the RA 6300 differs from other members of the Remote Annex product ...

Page 27: ...se italics In the context of commands and command syntax lowercase italics indicate variables for which the user supplies a value In command dialogue square brackets indicate default values Pressing the Return key selects this value Square brackets appearing in command syntax indicate optional arguments Incommandsyntax bracesindicatethatone andonly one of the enclosed values must be entered In com...

Page 28: ... to the Remote Annex Administrator s Guide for UNIX Preface xxviii Related Documents Each RA 6300 or RA 5393 PRI hardware platform ships with the appropriate hardware guide The remaining documentation is included with the software ...

Page 29: ...nfigure the RA 6300 A list of general Annex capabilities supported by the RA 6300 including multiprotocol support and security systems The software described in this document also applies to the Remote Annex 5393 PRI ISDN Overview ISDN provides a high speed digital link to the telecommunications network for all types of remote users including telecommuters mobile workers andbusinesspersonnel ISDNr...

Page 30: ...channel types B Channels or Bearer Channels which are circuit switched channels D Channels or Data Channels which are packet switched channels ISDN Services Local telephone companies offer ISDN services under different names and combined with custom features However two basic types of ISDN are available Basic Rate Interface BRI a service used by individual users and small businesses Primary Rate I...

Page 31: ...lephone company The D channel also manages transmission and reception of packet data over an X 25 network Primary Rate Interface The ISDN PRI service provides greater B channel capacity and higher speed D channel operation than BRI service PRI is provided over dedicated trunk lines such as T1 and E1 Businesses and other institutions use PRI service to connect their communications resources to ISDN...

Page 32: ... provide 2 048Mbps of total bandwidth This flavor of PRI service is referred to as 30B 2D Incorporating ISDN Services Users can tailor ISDN services to meet their requirements and budget constraints Among the options are Using analog devices and replacing some analog links with ISDN Replacing all analog links with ISDN and integrating existing analog devices with ISDN Replacing all analog links wi...

Page 33: ... Devices with ISDN Users who replace their analog telephone line with ISDN BRI service do not need to give up their analog equipment telephone modem fax machine etc Using analog equipment on an IDSN line offers these users higher speed transmission rates while preserving their investments in analog equipment The devices access BRI service through the use of a device called a terminal adapter TA A ...

Page 34: ...ge PBX switch Computer equipment PCs file servers etc on a LAN might connect to PRI lines through an ISDN router Forexample atelecommutercanconnectaPCtoanexternalISDNrouter through a Network Interface Card NIC installed in the PC The router allows the PC to operate as a separate LAN Connections to other networks e g at a company headquarters operate as any other routed internetwork according to th...

Page 35: ...tandards are accepted worldwide universal adoption is not yet a reality There are two causes for the lack of universal standards based service First many United States telephone companies must modernize their switchestoperformcallsignalingthroughSignalingSystem7 SS7 SS7 an international standard specifies that ISDN D channel carry all call set up tear down and connection management signaling exclu...

Page 36: ...ssible since all international carriers and local phone companies accommodate the service differences ISDN users can still reach resources across the global telecommunications network Further all telephone companies and long distance carriers have committed to adopting ISDN standards RA 6300 Overview The RA 6300 described in this document is a PRI ISDN server It accepts the following kind of traff...

Page 37: ...t access method for remote users Supports ISDN connections for the same users in the future The Primary Rate Interface The RA 6300 provides a single ISDN Primary Rate Interface PRI The PRI line connects to a PRI line module within the RA 6300 Two versions of this module are available one for the United States and another for Europe The U S PRI module uses T1 as the physical medium and supports 23 ...

Page 38: ...stead of the one shown in Figure A 1 Figure A 1 Voice Call Over Analog Line In Figure A 1 the CO of the telephone company terminates the analog line from the modem converts the voice call into digital data and dynamically chooses a PRI B channel to carry the data through the telephone network to the RA 6300 The CO also converts the signals describing the characteristics of the call into ISDN out o...

Page 39: ...authenticated the RA 6300 places the user in the protocol environment you have configured Protocols supported are asynchronous PPP SLIP ARAP or CLI Spare Modems ThedomesticPRI T1RA6300containsanoptionalinternalmodembank of up to 24 modems Given only 23 B channels this leaves one extra modem Similarly the European PRI E1 RA 6300 can support up to 32 modems Given only thirty B channels this leaves t...

Page 40: ... have properly configured RA 6300 parameters for this kind of call then the call is accepted The RA 6300 converts the V 120 frames into an asynchronous data stream and the RA 6300 software handles the data as if it originated at V 120 asynchronous port Other V 120 call configurations can be established instead of the one shown in Figure A 1 For example the BRI line could be a PRI line Once a call ...

Page 41: ...d the user is authenticated the RA 6300 places the user in the protocol environment you have configured Protocols supported for synchronous calls are IPCP IP over PPP IPXCP IPX over PPP and ATCP AppleTalk over PPP Figure A 3 Synchronous PPP Connection Multilink PPP The RA 6300 also supports synchronous Multilink PPP MP MP is a protocol standard that provides a method to adjust the bandwidth of a c...

Page 42: ...es of Annexes are unlabeled Figure A 4 Network with Mixed Annex Types Configuring Parameters As mentioned in the previous sections the RA 6300 does not accept a call unless you have set certain parameters properly You can set parameters using various RA 6300 management tools PPP Analog ARA Modem pool UNIX host SLIP Laser printer X window display Modem Remote Ethernet Host without a network interfa...

Page 43: ...tatistics for the RA 6300 and the network The CLI also provides superuser commands for network administration and management The CLI admin command which you access as a superuser on a CLI connection is a local resides in the RA 6300 substitute for the host resident na command The admin command set provides a subset of the host resident na commands However all parameters that you can set via na you...

Page 44: ...ce parameters Modem parameters that apply to the internal modem set Loading Files RA6300filescanbeloadedfromahostusingeitherthetrivialfiletransfer protocol tftp or the expedited remote procedure call daemon erpcd The erpcd utility runs on a UNIX host it listens for RA 6300 file server host requests to download the operational code and other files The tftp program supplied on most hosts is supporte...

Page 45: ...s which include The Internet addresses for the RA 6300 The preferred hosts for booting and dumping Security for the RA 6300 The name servers to be used Event logging The local time zone for using a time server A customized RA 6300 environment LAT services AppleTalk access Please note the two major differences as described in this chapter between configuring any other type of Remote Annexes and con...

Page 46: ...meters use the show annex all command The set annex command allows you to change any setting All parameters have default settings Some of these parameters must be set using the ROM Monitor before booting the RA 6300 with its operational code see the Remote Annex 6300 Series Hardware Installation Guide for more details By default the show annex command scrolls the selected parameters line by line i...

Page 47: ...g sample command lines enable the DNS name server define two name server hosts enable security on the RA 6300 define a security server host enable security for virtual CLI connections define an administrative password enable event logging define a CLI prompt command set annex name_server_1 dns command set annex pref_name1_addr 192 9 200 95 command set annex name_server_2 dns command set annex pref...

Page 48: ...routed Y server_capability none disabled_modules vci tftp_load_dir tftp_dump_name ipencap_type ethernet ip_forward_broadcast N tcp_keepalive 120 option_key session_limit 1152 output_ttl 64 VCLI Parameters max_vcli unlimited cli_prompt a c vcli_security Y vcli_password unset vcli_inactivity off Nameserver Parameters nameserver_broadcast N rwhod Y pref_name1_addr 192 9 200 95 name_server_1 dns pref_...

Page 49: ...00 00 00 00 mop_password unset login_password set login_prompt login_timer 30 LAT Parameters lat_key facility_num 0 server_name sys_location lat_queue_max 4 service_limit 256 keep_alive_timer 20 circuit_timer 8 retrans_limit 8 group_value none vcli_groups none multicast_timer 30 multisessions_enable N AppleTalk Parameters a_router 00 00 00 00 00 00 default_zone_list node_id 0 0 zone Router Paramet...

Page 50: ...ltaneously using one of these sequences Define the RA 6300 using the annex command Next use the set annex command to change the parameters Define the parameters for one RA 6300 and use the write command to copy the parameters to a script file The script file will contain all copied parameter settings with a comment character at the beginning of lines defining the settings for the Internet address ...

Page 51: ...command functions only on the local RA 6300 1 At the CLI prompt execute the su command and enter the superuser password annex su password 2 At the superuser CLI prompt execute the admin command annex admin ANNEX PRI Rx x 32 async 32 sync 32 ta 32 modem ports admin 3 Execute the set annex command to change parameters The following sample command lines enable the DNS name server define two name serv...

Page 52: ...outed Y server_capability none disabled_modules vci tftp_load_dir tftp_dump_name ipencap_type ethernet ip_forward_broadcast N tcp_keepalive 120 option_key session_limit 1152 output_ttl 64 VCLI Parameters max_vcli unlimited cli_prompt a c vcli_security Y vcli_password unset vcli_inactivity off Nameserver Parameters nameserver_broadcast N rwhod Y pref_name1_addr 192 9 200 95 name_server_1 dns pref_n...

Page 53: ...ssword set login_prompt login_timer 30 LAT Parameters lat_key facility_num 0 server_name sys_location lat_queue_max 4 service_limit 256 keep_alive_timer 20 circuit_timer 8 retrans_limit 8 group_value none vcli_groups none multicast_timer 30 multisessions_enable N AppleTalk Parameters a_router 00 00 00 00 00 00 default_zone_list node_id 0 0 zone Router Parameters rip_auth unset rip_routers all IPX ...

Page 54: ...he RA 6300 to store its configuration and message of the day files in local non volatile memory The configuration files must have the appropriate file names for the operational image to locate and load them These files exist in the root directory rather than the usr spool erpcd bfs directory The files are manipulated using the CLI local file system commands RA 6300 Internet Addressing The RA 6300 ...

Page 55: ...ess in dotted decimal notation The Broadcast Address The broadcast address defines the Internet address the RA 6300 uses to broadcast The RA 6300 will broadcast requests when it has not received a response from a server such as file server or security server The broadcast_addr parameter defines this address The Subnet Mask If the network is divided into subnets you must specify the RA 6300 s Inter...

Page 56: ...ies the RA 6300 does not have an Ethernet connection IP services including SLIP PPP and IP routing are still available By default the RA 6300 acts as an authoritative agent for ICMP Address Mask Requests If another host broadcasts this message querying for the subnet mask the RA 6300 replies with the subnet mask Optionally you can prevent the RA 6300 from responding by setting the authoritative_ag...

Page 57: ... code from the first host that responds You can modify the pref_load_addr parameter using na or the admin command specify the host by its Internet address or its name The image_name parameter specifies the name of the image file that contains the Annex s operational code This file resides in different host directories depending on which transfer protocol tftp or erpcd is used If the load host has ...

Page 58: ...x assigns the dump file a unique name and places it in a directory named usr spool erpcd bfs If using tftp the file name is defined by the tftp_dump_name parameter and file placement is user defined If the dump host has a different network or subnet address you must define a gateway through which the Annex can reach the host The load_dump_gateway parameter specifies the Internet address for the ga...

Page 59: ...erational code for the message of the day motd and configuration files it uses the amount of space relative to the size of the files Theserver_capabilityparameterdefinesthefilesthattheserversupplies during a boot Table A 1 describes the arguments for server_capability the default is none If you configure an Annex to supply only a copy of the operational code the default is for the Annexes being bo...

Page 60: ... the local media issue the boot l command from na the superuser CLI or the ROM monitor Only ROM revisions 0601 and greater with the self boot option installed support the boot l command After executing a boot l command the ls command may not show the newly loaded image To boot the stored local image set the configuration parameter load_dump_sequence ortheROMmonitorparametersequence toself and rebo...

Page 61: ...n a file using tftp If the tftp request fails or times out the Annex retries opening the file using erpcd This cycle continues until the Annex succeeds in opening the file or until the it reaches a maximum try count currently 8 cycles If the load_broadcast parameter is enabled and the Annex cannot open a file from the pref_load_host it broadcasts the open request this is true for both erpcd and tf...

Page 62: ...s access through the administrative tools If unauthorized users can access your Annex we strongly suggest that you enable the security features after loading the host code and booting the unit For a detailed description of Annex security see Using RA 6300 Security on page A 211 Using Name Servers Name servers allow users to enter names in place of addresses in order to access a host or other entit...

Page 63: ...use with a name server Specify the name server type Specify the host s using the name server Enable or disable the rwhod parameter Specify the host table size Enable or disable the min_unique_hostnames parameter Defining Name Servers The Annex supports two standard name server protocols Domain Name System DNS server and IEN 116 server Both of these name server protocols are available in the UNIX e...

Page 64: ...name translation allows a host to obtain a name for a specific Internet address allowing an Annex to learn its name from a DNS server The DNS capabilities for assigning multiple aliases or multiple IP addresses to a single host allow you to assign multiple names to a rotary or multiple Annexes to the same rotary for more details see The Port Server and Rotaries on page A 77 IEN 116 Name Server The...

Page 65: ...ing the pref_name2_addr Thisserverisqueriedonlyifpref_name1serverdoes not respond Broadcasting for a Name Server Bydefault theAnnexdoesnotbroadcastforanameserverifthepreferred name servers do not respond However you can configure the Annex to broadcast requests for a name server by setting the nameserver_broadcast parameter to Y This causes the Annex to broadcast three requests for a Domain Name S...

Page 66: ...pose an excessive load on the network Some hosts send RWHO packets with incomplete source addresses in the IP header The Annex is unable to store an Internet address for these hosts causing the host table to display the host s Internet address as _ _ _ _ If an rwhod forwards packets from one network to another the Internet address in the IP header is that of the forwarding host not of the host who...

Page 67: ... in the Annex Alternatively you can set the size to none which forces the Annex to query the name server for each host name Minimum Uniqueness Minimumuniquenessprovidesanease of usefeature whichallowsusers to enter only the characters necessary to uniquely match an entry in the host table However users can force the Annex to select only an exactly matching host name by enclosing the name they ente...

Page 68: ...es the message Certain facilities are reserved such as kernel mail and daemons other facilities can be defined in the configuration file etc syslog conf Facilities allow you to selectively log messages by priority If the syslog_host does not have a syslog daemon or if you do not specify a syslog_host the Annex logs events to the RA 6300 console When configuring the host and the Annex for system lo...

Page 69: ...all messages of that level or greater i e of greater severity are forwarded to syslogd For example selecting error logs all error critical alert and emergency messages Table A 2 Priority Levels for the syslog_mask Parameter Level Description emergency Hardware failures alert All Annex reboots critical Configuration and initialization problems such as format errors in the gateway section of the con...

Page 70: ...time and uses it to log events to syslog and to calculate the time of a boot and or dump The CLI stats and who commands display this time the local file system ls command displays the time the files were last modified The Annex requests the time when it boots and synchronizes its clock with a server every 30 minutes It always queries the preferred load host firstifoneisdefined Ifatimeserverdoesnot...

Page 71: ...s Enter a positive number of minutes for time zones west of GMT and a negative number for time zones east of GMT For example since U S Eastern Standard Time is five hours west of GMT its value is 300 minutes since Paris is one hour east of GMT its value is 60 minutes The daylight_savings parameter defines the daylight savings time to which your geographic area adheres The Annex uses this parameter...

Page 72: ...stomize the prompt for each serial port using the prompt port parameter for more details see cli_prompt on page C 47 The values for this parameter are called prompt strings A prompt string consists of characters and embedded formatting codes that are expanded when the prompt is displayed The formatting codes consist of a percent character followed by a single lower case character Each formatting c...

Page 73: ...r For the superuser CLI prompt a pound sign and a space replace the code c otherwise a is appended at the end Code Expansion a The string annex c A colon followed by a space d The current date and time in standard UNIX format such as Mon Mar 14 13 59 42 1989 i The Annex s Internet address such as 132 245 6 40 j A new line character skip to the beginning of the next line n The Annex s name or Inter...

Page 74: ...values that you can enter are from 0 to 254 or unlimited The default is unlimited If you define this parameter as zero users cannot create a virtual CLI connection at the Annex Setting Up the Configuration File The configuration file contains all Annex configuration information It resides either on the preferred boot host or the local media and is loaded during the Annex booting process see Config...

Page 75: ...u to specify another name for this file The Annex reads this host file each time it is booted and when the na or admin command reset annex motd is issued Using RIP The Annex uses a routing daemon routed for its routing services This daemon implements Versions 1 and 2 of the Routing Information Protocol RIP The routed parameter enables or disables RIP the default is enabled If RIP is disabled the A...

Page 76: ...ndependent software modules that allow a host system to connect to Annex serial ports in such a way that users appear as if they are directly connected to the host system One module runs in the Annex and one module runs in the host A protocol links the two modules together When a host wishes to talk to a device attached to a port that is in slave or adaptive mode it must first establish a connecti...

Page 77: ...ad Configuring LAT Services The Annex can display and connect to currently available LAT services Initially all LAT functions in the Annex are disabled since this feature is optional To enable the LAT functions the network administrator must enter the correct lat_key parameter value and reboot the Annex see Configuring Hosts and Servers on page A 209 for more details The lat_key parameter value is...

Page 78: ...s in the Remote Annex are disabled since this featureisoptional ToenabletheIPXfunctions thenetworkadministrator must enter the correct option_key parameter value and reboot the Annex see Internetwork Packet Exchange IPX Protocol on page A 153 for more details The option_key parameter value is unique for each Annex If you purchased IPX contact your supplier to obtain a valid key ...

Page 79: ...nnexes as described in the corresponding chapters of the Remote Annex Administrator s Guides for UNIX This section is intended for administrators who are accustomed to or will be configuring other Remote Annexes Delivering ISDN Calls An ISDN PRI call can arrive on any B channel on the RA 6300 PRI line During the call SETUP process between the telephone company switch and the RA 6300 the switch dyn...

Page 80: ...e following superuser CLI admin command displays these parameters and their default values annex admin ANNEX PRI Rx x 24 async 32 sync 32 ta 24 modem ports admin show pri PRI Generic Parameters switch_type num_b_channels 0 dsx1_line_length 0 25 buildout 0dB fdl_type att analog_encoding auto admin To reset their default values execute the admin command or the host based na utility using the followi...

Page 81: ...ne AT9 is used With an E1 line ETS is used The switch type parameter is not case sensitive dsx1_line_length The approximate distance in meters from the RA 6300 PRI interface to the external CSU Enter this as a range e g 0 25 the default as a single number e g 30 or as a unique part of a range e g 136 If you enter a single number the RA 6300 picks the range that the number falls into You can then u...

Page 82: ... E1 PRI The only time you might want to change the default is in Europe where telephone company providers support PRI connections with fewer than 30 channels which can be cheaper buildout Applies only to RA 6300s with internal CSUs A string defining the CSU transceiver line provided by the telephone company Valid values are 0db the default 7 5db 15db 22 5db analog_encoding The encoding type used f...

Page 83: ...and Session Parameter Blocks SPBs as follows The RA 6300 comes with a set of global port parameters set to default values The RA 6300 applies these parameters to the appropriate internal port while a call is active on that port You can override the global port parameter defaults by resetting them using na or admin The same set of port parameters that you can modify globally can also be reset for o...

Page 84: ...anage V 120 calls The range of port numbers is 1 through 32 the ports are referred to as ta1 ta2 ta32 and calls are mapped to port numbers in the circular fashion described above Synchronous ports manage synchronous PPP calls These are referred to as syn1 syn2 syn32 Numbers are assigned in the circular fashion described above Asynchronous ports manage voice calls The port numbers assigned to them ...

Page 85: ... calls To specify a port parameter that applies only to a subset of calls define that subset in a Session Parameter Block SPB and include the parameter setting in that SPB Parameter values set in an SPB override global parameters set by na or admin which in turn override the supplied defaults see ISDN Sessions and Session Parameter Blocks SPBs on page 3 64 Displaying Global Parameters Both na and ...

Page 86: ...ers used with terminal emulation flow Displays the global flow control parameters generic Displays the basic global parameters ipx Displays the global IPX parameters lat Displays the global LAT parameters ppp Displays the global PPP parameters security Displays the global security parameters serial Displays the global serial parameters slip Displays the global SLIP parameters syn Displays the glob...

Page 87: ...7 Y banner Y tcp_keepalive 0 default_session_mode interactive dedicated_arguments resolve_protocol connect Flow Control and Signal Parameters input_flow_control eia input_start_char Q input_stop_char S output_flow_control eia output_start_char Q output_stop_char S ixany_flow_control N need_dsr N v120_mru 256 Port Timers and Counters forwarding_timer off forwarding_count 0 cli_inactivity off inacti...

Page 88: ...rd W erase_line U redisplay_line R toggle_output O newline_terminal N forward_key backward_key Serial Networking Protocol Parameters local_address 0 0 0 0 metric 1 slip_ppp_security N net_inactivity off do_compression N allow_compression N net_inactivity_units minutesaddress_origin local SLIP Parameters subnet_mask 0 0 0 0 slip_mtu_size small slip_no_icmp N slip_tos N PPP Parameters ppp_mru 1500 p...

Page 89: ...x x 32 async 32 sync 32 ta 32 modem ports admin show port syn global port user_name port_password unset ppp_username_remote ppp_password_remote unset slip_ppp_security Y ppp_security_protocol pap ppp_ncp atcp ipcp ipxcp mp metric 1 subnet_mask 0 0 0 0 ppp_mru 1500 inactivity_timer off input_is_activity Y output_is_activity N reset_idle_time_on input net_inactivity off net_inactivity_units minutes ...

Page 90: ...nd annex 132 245 6 40 or annex 132 245 6 40 hobbes password 3 Set the global port parameter whose default value you wish to change The following example sets the allow_broadcast parameter to N the default is Y command set port allow_broadcast N 4 Execute the following command to review your changes command show port generic global port mode cli location term_var prompt cli_interface uci data_bits ...

Page 91: ... copy the parameters to other RA 6300 sessions Thefollowingexamplecopiestheparametersettingforallow_broadcast from one RA 6300 to another RA 6300 command annex 132 245 6 40 command set port allow_broadcast N command copy port 1 132 245 6 40 1 132 245 6 55 You can also define all parameters including global port parameters for one RA 6300 Use the write command to create a script file on the specifi...

Page 92: ...i section must be defined within begin_session and end_session fields The begin_session field allows you to name an SPB within the configuration file An SPB consists of three sections An optional section presenting call setup criteria If the SETUP message that starts an incoming call meets all of these criteria or if no criteria are specified the call is handled by this SPB A mandatory call handli...

Page 93: ...ll If no match is found the call is rejected All criteria in an SPB must be met by the SETUP information elements in order for the RA 6300 to consider the SPB to be a match Once the RA 6300 finds a matching SPB setup criteria section for a particular call it handles the call as specified in the call handling section uses the per session port parameter settings to form the dynamic parameter values ...

Page 94: ...dash to separate the area code from the rest of the phone number or you can include the area code in parentheses No wild cards symbols are permitted and white space is ignored If this field is omitted any calling number is permitted in the corresponding call SETUP message Sometimes the calling number is not available in the SETUP information either because the phone company did not have the equipm...

Page 95: ...l This field is appropriate only for end to end ISDN calls using a PRI line that the telephone company has provisioned for subaddressing bearer Optional Specifies the bearer capability of the call Valid values are voice and data call_action Mandatory Defines how to handle the call Valid values reject which rejects the call modem which handles the call as a modem call v120 which handles the call as...

Page 96: ...B channel even if the bearer information in the incoming ISDN SETUP message indicates a different rate The default is no which sets the data rate to the rate provided in the SETUP message Do not change this default unless you are in Europe or Australia and are having problems receiving calls from the U S In this situation the phone company sometimes fails to specify the correct data rate In all ot...

Page 97: ...ing of the pri section since the RA 6300 searches SPBs in the order in which they appear The default pri section is as follows Sample session parameter blocks SPBs for the Primary Rate ISDN PRI Remote Annex RA6300 These set configuration parameters for sessions calls based on dialed number calling number and call type Each incoming call is compared against each SPB in order until there is a match ...

Page 98: ... ppp end_session This SPB isn t strictly necessary but illustrates how to arbitrarily disconnect undesired calls Any call matching information that can be used in a normal SPB could be used here so for instance an SPB like this could be used to reject calls from a particular phone number if desired begin_session unmatched call_action reject end_session 3 Modify the sample SPBs and or add any you w...

Page 99: ...de By configuring a port this way you can enforce CLI security before a user s session is placed in one of the two protocol modes A session defined as ipx supports the Internet Packet Exchange protocol IPX over PPP used by Novell Netware networks A session set to ppp mode supports the synchronous Point to Point Protocol when the call_action SPB field is set to sync If the call_action is set to mod...

Page 100: ...in an SPB you can also set it globally via na or admin For example if all your users areconnectingtotheRA 6300viaasynchronousPPPlines youcould issue the na command command set port mode ppp For information on setting port parameters globally see Global Port Parameters on page 3 57 Sample SPBs The following are sample SPBs Together these SPBs handle all call types pri begin_session modem bearer voi...

Page 101: ...e the only synchronous calls the RA 6300 can receive are those using the PPP protocol CLI Sessions ARemoteAnnex6300CLIsessionhastheglobalorSPBmodeparameter set to cli When the session begins the CLI prompt is displayed At this point the user has access to all permissible CLI commands You can configureseveraloptionsforaCLIsession WhenconfiguringCLIglobal or SPB parameters consider the following For...

Page 102: ... for the host to which the user is connecting The RA 6300 uses this parameter internally for the edit command only CLI activity timers provide simple security by resetting idle user connections Limited resources like dial in modems are released when not in use The inactivity_timer specifies the amount of time in minutes that the remote user can be inactive before the RA 6300 resets the connection ...

Page 103: ...at produces a break Typically parameters that display with the show port editing command define characters that provide CLI line editing functions Some of these characters are passed as Telnet special characters with CLI connected devices Configuration Differences When configuring the RA 6300 please note the following You cannot use the port command to define one or more ports although you do use ...

Page 104: ...the PRI Interface Global Ports and Sessions A 76 Book A You cannot set the mode parameter to dedicated You cannot set the following flow control parameter input_buffer_size You cannot set the following serial networking protocol parameters phone_number slip_load_dump_host slip_allow_dump always set to N ...

Page 105: ...orts so users cannot attach to a port to configure a device A destination phone number is mandatory for each RA 6300 rotary Once a user picks a rotary the RA 6300 automatically dials that phone number This is not the case with other Remote Annexes for which phone numbers in rotaries are optional On non RA 6300 Remote Annexes the user can dial out using the standard atd modem command set An RA6300 ...

Page 106: ...efinitions in the Annex configuration file for an RA 6300 rotary modems phone 5551212 asy 123 456 789 1 ta_service phone 5557777 ta 123 456 789 1 The first entry defines a rotary named modems that handles asynchronous modem calls on the 32 modem RA 6300 at Internet address 123 456 789 1 The second entry defines a rotary to handle V 120 calls on the same RA 6300 Argument Description ports One of th...

Page 107: ...ems rotary would be displayed as asy1 24 if there were only four internal modems asy1 4 would be displayed Rotaries for ta V 120 calls always display as ta1 32 since there are 32 virtual ta ports On an RA 6300 telnet commands can include TCP port numbers as described in Chapter 4 of the Remote Annex Administrator s Guide for UNIX with one restriction To telnet to an RA 6300 directly without being ...

Page 108: ...Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Chapter 4 The Port Server and Rotaries A 80 Book A ...

Page 109: ...uentially through all modems If no modem is available for an incoming call the RA 6300 rejects the call with cause code 17 user busy The user hears a busy tone Analog Modem Support The RA 6300 supports 8 16 24 or 32 V 34 modems Internally the RA 6300 uses the Microcom Quad V 34 modem In a typical PRI T1 application the USA PRI T1 will be configured with 24 modems Since only 23 B channels are avail...

Page 110: ...ntained in the ISDN D channel call setup messages determines whether the RA 6300 will accept a call treat the call as Sync PPP V 120 or an analog modem call and start administrator specified processes for example CLI PPP SLIP or ARA The following elements determine whether or not the RA 6300 accepts a call and treats it as a modem call Calling Party Number This element identifies the originating t...

Page 111: ...ata Over Voice Bearer Service DOVBS it identifies the call to its local switch as a voice call and then transmits user data such as V 120 or Sync Many areas of the United States offer tariff advantages to voice traffic over data traffic If the bearer capability is identified as data the data rate is also identified 56KB or 64KB The RA 6300 does not use any of these call elements to invoke security...

Page 112: ...em modem_list admin set modem busy yes no admin show modem The first command defines a set of one or more modems by number e g 1 5 or 1 2 3 4 5 The second command busies out or does not busy out the defined modem set which means that it either removes the modems from or restores them to the pool of modems available for allocation The third command displays the status of the defined modem set After...

Page 113: ...Failed The display indicates that boot up diagnostics marked this modem as failed Allocated This condition indicates the call is being handled by the modem Make Modem Available Procedure To make a failed modem available use the following CLI superuser command annex modem unumber_range where number_range is an integer specifying the number assigned to an individual modem or a range of integers sepa...

Page 114: ...Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Chapter 5 Modems A 86 Book A ...

Page 115: ... ISDN routers e g Nautica Series CLAM ISDN PRI lines using ISDN routers e g Nautica Series Marlin The Point to Point Protocol PPP is a standardized method for transmitting data from multiple protocols over asynchronous and synchronous point to point links Data transmission and reception takes place only between the nodes at the ends of the link PPP provides three functions Asynchronous High level ...

Page 116: ... 2 Edit the config annex file to define SPBs 3 Review the default global port parameters then reset the parameters you need for the PPP configuration Step 1 Decide How to Assign IP Addressing All IP addressing for PPP links is based on the value of the address_origin parameter which determines the method that the RA 6300 uses to assign IP addresses The addressing methods and their corresponding ad...

Page 117: ...se parameters use You can choose to configure the RA 6300 for any one of the methods but setting address_origin to dhcp has priority over addressing using the acp_dialup file which has priority over addressing using the asynchronous port parameters For information about how the RA 6300 operates when both dial up and fixed addressing are enabled see Determining Dial up Addresses using the acp_dialu...

Page 118: ...into the acp_dialup file see Creating the acp_dialup File on page A 276 Any ACP address request that comes from the RA 6300 includes the RA 6300 address and an associated user name which are used as keys in this file Once the keys are matched the corresponding user addresses are returned to the caller on the RA 6300 About Addressing Using Asynchronous Port Parameters Setting the address_origin par...

Page 119: ...f call Whether you intend to use one or all of the default SPBs provided in the PRI section of the configuration file disable one or all of the default SPBs or write your own set of SPBs See Configuring the PRI Interface Global Ports and Sessions on page A 51 for detailed information on SPBs The following instructions describe how to enable and disable the default SPBs that exist within the config...

Page 120: ...B you want to enable Enter a comment character at the beginning of each line of each SPB you want to disable Following the called_number field in an SPB that has one replace the string with the telephone number callers will use from remote nodes that will use this SPB For example to enable the default SPB that handles PPP calls do the following 3 Save the file 4 Issue a reset annex session command...

Page 121: ...d PPP global port parameter groups Instructions for changing a global port parameter setting Instructions for using the set pri b command to associate IP addresses with RA 6300 PRI B channels To view the entire set of default global port parameters use na or admin to issue the show port all command Default PPP Related Global Port Parameters Table A 8 lists the default parameters related to the PPP...

Page 122: ...er setting using na 1 At a terminal connected to a UNIX host enter na The following prompt displays on the screen Annex network administrator Rx x January 1997 COMMAND Parameter Default Setting allow_compression N address_origin local slip_ppp_security N do_compression N net_inactivity_units minutes ppp_mru 1500 ppp_security_protocol none ppp_password_remote unset ppp_ipx_network 00000000 ppp_ipx_...

Page 123: ...6300 For example COMMAND annex 132 245 6 40 or annex 132 245 6 40 132 245 6 45 password 3 Specify a new setting for the global port parameter at the COMMAND prompt For example to change the default setting of the address_origin parameter local to enable IP addressing through the acp_dialup file enter the following COMMAND set port address_origin acp The new parameter setting is stored automaticall...

Page 124: ...set pri b ch range remote_address ip addr increment where ch range is a single B channel number or the entire set of B channels specified by a range ip addr is the IP address you want to assign to a single B channel or the first channel of the entire set increment is the value number by which you want to increment automatic IP address assignment to B channels in a range or list after the first ass...

Page 125: ...channel 3 is assigned 132 245 66 234 and B channel 23 is assigned 132 245 66 274 When you do not specify any B channels the command makes 23 or 30 IP address B channel assignments based on the increment value When an increment is not specified the command assumes a default increment of zero 0 Configuration Samples The following samples illustrate how to set global port parameters to enable PPP con...

Page 126: ...A 5 are the steps to complete that implement this configuration Figure A 5 Connecting a Single Host Using PPP To enable this configuration 1 Edit the acp_dialup file Provide user green with access from all RA 6300s and other Remote Annexes by specifying a wildcard and a remote address of 132 245 5 18 Network 132 245 5 0 RA 6300 132 245 5 17 132 245 5 10 host03 PRI acp_dialup file User smith green ...

Page 127: ...fine an SPB You can use the default SPBs provided as part of the Annex configuration file or create them specifically for your requirements For more details see Step 2 Edit the Annex Configuration File on page 6 91 4 Reset the default global port parameters as required to the following settings Enable CLI and or connection security using the security parameters cli_security and connect_security Th...

Page 128: ...mote Annex forces the data_bits setting to 8 and the parity setting to none Otherwise the RA 6300 syslogs an error message Set the address_origin parameter to acp so that the RA 6300 requests the endpoint addresses based on the user s login from ACP You can leave ppp_mru parameter set to its default Sample Configuration for Addressing Using Asynchronous Port Parameters Figure A 6 illustrates a con...

Page 129: ...B Channels on page 6 96 for instructions to perform this step 2 Edit the Annex configuration file to define an SPB You can use the default SPBs provided as part of the Annex configuration file or create them specifically for your requirements for more details see Step 2 Edit the Annex Configuration File on page 6 91 3 Reset default global port parameters as required to the following settings Enabl...

Page 130: ...ed defaults for the data_bits 8 stop_bits 1 and parity none parameters PPPisan8 bitprotocol Ifdata_bitsissetto7 andparity is not set to none the RA 6300 forces the data_bits setting to 8 and the parity setting to none Otherwise the RA 6300 syslogs an error message for the port Set the local_address parameter to the RA 6300 s en0 address Set the address_origin parameter to local Leave the ppp_acm a...

Page 131: ...emote_address global port parameter to associate a set of IP addresses with the PRI B channels Specify an IP address of zero 0 When you specify an IP address of zero 0 the peer the Marlin router in this sample configuration must provide its IP address Subnet A 122 245 5 0 24 Subnet B 122 245 10 0 24 122 245 5 9 122 245 5 2 host01 RA 6300 host04 122 245 10 7 122 245 5 7 122 245 10 8 122 245 10 9 Te...

Page 132: ...bitsissetto7 andparity is not set to none the RA 6300 forces the data_bits setting to 8 and the parity setting to none Otherwise the RA 6300 syslogs an error message for the port Set the address_origin parameter to local Set the local_address parameter to 122 245 10 7 Set the subnet_mask parameter to 255 255 255 0 Set the metric parameter to one Set the ppp_username_remote parameter to the string ...

Page 133: ...5 0 net with a metric of 1 route add 122 245 5 0 255 255 255 0 122 245 5 9 1 else other Annexes will route to 122 245 5 0 via 122 245 10 7 with a metric of 2 route add 122 245 5 0 255 255 255 0 122 245 10 7 2 end Routing across a PPP Link Basic Passive RIP Both active and passive routing are available via the Routing Information Protocol RIP on the RA 6300 The following sections deal with using on...

Page 134: ...he route cache is a list of routing entries stored by the RA 6300 When the RA 6300 boots the route cache is created from the annex end and subnet end blocks in the gateway section of the configuration file When routed starts entries in the route cache are added to the routing table if their next hop addresses i e destinations are on a network or link directly connected to the RA 6300 The RA 6300 e...

Page 135: ...d be protocol escaped before being sent to the serial port The RA 6300 requests the ppp_acm parameter as its local mask If the peer NAKs ppp_acm the RA 6300 accepts the hint if it is a superset of the RA 6300 s mask otherwise it uses the PPP default of 0xFFFFFFFF The RA 6300 accepts any mask from the peer Values range from 0x00000000 to 0xffffffff The RA 6300 default is 0x00000000 Setting the ppp_...

Page 136: ...mal the bit indexed by this parameter is set in the ACCM If input_stop_char is 0 31 decimal the bit indexed by this parameter is set in the ACCM If output_flow_control is set to start stop the following two additions are made If output_start_char is 0 31 decimal the bit indexed by this parameter is set in the ACCM If output_stop_char is 0 31 decimal the bit indexed by this parameter is set in the ...

Page 137: ...P Configure Request Link Quality Monitoring LQM The RA 6300 will not request LQM It rejects any attempts by the remote peer for LQM and hints for the PPP default of none Protocol Field Compression PFC PFC compresses the two byte Asynchronous HDLC protocol field to one byte The RA 6300 always requests and accepts PFC from the peer If NAKed it accepts the PPP default of off If the peer does not requ...

Page 138: ...ote Annex Administrator s Guide for UNIX To specify one or more NCPs set the ppp_ncp port parameter to any combination of ipxcp ipcp atcp mp and ccp Separate multiple values with a commas You can also specify all to indicate all of the protocols which is the default Negotiating Data Compression If you specify ccp as an NCP the Annex automatically requests data compression for a PPP link Three type...

Page 139: ...ecurity check before starting NCP The RA 6300 negotiates for the security specified by the ppp_security_protocol parameter Valid arguments for this parameter are pap password authentication protocol PAP chap challenge handshake authentication protocol CHAP chap pap first negotiate for CHAP if peer NAKs negotiate for PAP none do not negotiate the default The RA 6300 responds to an authentication re...

Page 140: ...igned IP address If address_origin is set to local its default value or DHCP and ACP are not available the RA 6300 defaults to using the local_address and remote_address as the addresses The RA 6300 allows the other side of the link to select addresses only if these addresses are zero The RA 6300 uses two methods to negotiate the IP addresses The preferred technique is to use the NCP type 3 IP Add...

Page 141: ...allow_compression is set to N the RA 6300 never requests and always rejects TCP IP header compression the default is N BOOTP Requests BOOTP is a bootstrap protocol that allows a diskless client to determine its Internet address the Internet address of the server and the name of the file to be loaded into memory The RA 6300 ROMs use BOOTP to obtain boot information without requiring any manual set ...

Page 142: ...tat ipdevice_idcommanddisplaysconfigurationandstatistical data for serial interfaces The device_id argument specifies a serial port Displaying Data for Ports Ports are specified by port number alone or the string asy ta or syn followed by the port number with no intervening white space Each of the following sample commands specify PPP port 1 netstat ip1 or netstat ipsyn1 ...

Page 143: ... nodes and other types of RA 6300s that originated as serial traffic SLIP sessions operate over RA 6300 ISDN B channels in combination with the following Analog modems e g V 34 ISDN BRI lines with terminal adapters using V 120 rate adaptation protocol The RA 6300 implementation of SLIP is compatible with the 4 3BSD implementation SLIP and Compressed SLIP A SLIP link is a point to point connection ...

Page 144: ... only when the remote end sends compressed SLIP packets The RA 6300 s implementation of CSLIP offers four options Do compressed SLIP Allow compressed SLIP Discard ICMP requests over the SLIP link Give interactive traffic priority over other traffic SLIP Configuration Overview To configure the RA 6300 for SLIP sessions follow these steps 1 Decide how IP addressing will be handled Addresses can be h...

Page 145: ...ng the acp_dialup File on page A 278 About Dial up Addressing Dial up addressing is controlled through the global port parameter address_origin When this is set to acp the RA 6300 uses the host resident acp_dialup file to handle IP addressing The file resides in the install directory For more details on using the acp_dialup file see Dynamic Allocation of Network Addresses on page A 274 Any ACP dia...

Page 146: ...ddressing fixed IP addressing associates IP addresses with B channels not with specific users Step 2 Edit the Annex Configuration File SPBs are structures within the configuration file SPBs enable an RA 6300 to handle calls properly Before editing the file determine the following The type of calls that will be made to the RA 6300 e g modem V 120 and sync PPP If more than one type of call will be m...

Page 147: ...ation that precedes each default SPB providedintheconfigurationfile Youshouldbefamiliarwith this information before you enable or disable a default SPB Remove the comment character from the beginning of each line of each SPB you want to enable Enter a comment character at the beginning of each line of each SPB you want to disable Following the called_number field in an SPB that has one replace the...

Page 148: ...emainder of this section provides the following information A list of the default settings for the Serial Networking and SLIP global port parameter groups Instructions for changing a global port parameter setting Instructions for using the set pri b command to associate IP addresses with RA 6300 PRI B channels To view the entire set of default global port parameters use na or admin to issue the sh...

Page 149: ...ge a global port parameter setting using na 1 At a terminal connected to a UNIX host enter na The following prompt displays on the screen Annex network administrator Rx x January 1 1997 COMMAND Parameter Default Setting local_address 0 0 0 0 metric 1 net_inactivity off allow_compression N address_origin local slip_ppp_security N do_compression N net_inactivity_units minutes subnet_mask 0 0 0 0 sli...

Page 150: ...llowing is an example COMMAND annex 132 245 6 40 or annex 132 245 6 40 132 245 6 45 password 3 Specify a new setting for the global port parameter at the COMMAND prompt For example to change the default setting of the address_origin parameter local to enable dial up IP addressing through the acp_dialup file enter the following COMMAND set port address_origin acp The new parameter setting is automa...

Page 151: ...nnel IP address assignments set pri b ch range remote_address ip addr increment where ch range is a single B channel number or the entire set of B channels specified by a range ip addr is the IP address you want to assign to a single B channel or the first channel of the entire set increment is the value number by which you want to increment automatic IP address assignment to B channels in a range...

Page 152: ...245 66 230 2 B channel 1 is assigned the IP address of 132 245 66 230 B channel 2 is assigned 132 245 66 232 B channel 3 is assigned 132 245 66 234 and B channel 23 is assigned 132 245 66 274 When you do not specify any B channels the command makes 23 or 30 IP address B channel assignments based on the increment value When an increment is not specified the command assumes a default increment of ze...

Page 153: ... file Provide user green with access from all RA 6300s and other Remote Annexes by specifying a wildcard and a specific remote address for user green e g 132 245 5 18 Also set the address_origin parameter to acp For more details see Dynamic Allocation of Network Addresses on page A 274 Network 132 245 5 0 132 245 5 17 Remote PC 132 245 5 10 host03 PRI Telephone Network Modem V 34 RA6300 SLIP Link ...

Page 154: ...ink 2 Edit the configuration file to define an SPB You can use the default SPBs provided as part of the config annex file or create them specifically for your requirements For more details see Step 2 Edit the Annex Configuration File on page 7 118 3 Review the global port parameter settings then if required reset these parameter settings Set the subnet_mask parameter to 255 255 255 0 Set the cli_s...

Page 155: ...mple Configuration for Connecting Two Subnets Figure A 9 illustrates two Class C subnets connected through a SLIP link The IP addresses assigned to the end points of the SLIP link are the hosts primary network IP addresses Figure A 9 SLIP Link with Two IP Addresses 132 245 5 9 Network 132 245 5 0 Network 132 245 10 0 SLIP link 132 245 5 9 132 245 5 2 host02 annex03 annex02 host03 132 245 10 7 132 ...

Page 156: ...al port parameter settings then if required reset these parameter settings Set the subnet_mask parameter to 255 255 255 0 Set the cli_security parameter to Y to enable this function Enabling cli_security implements user authentication by the host based ACP server for all CLI connections Use the supplied defaults for the data_bits 8 stop_bits 1 and parity none parameters SLIP is an 8 bit protocol I...

Page 157: ...ameter rip_advertise to none for all Annex interfaces The RA 6300 bases its routing table on the information you specify in the gateway section of the configuration file As a passive gateway the RA 6300 then updates the table according to information it receives from otherroutersbutdoesnotbroadcastroutinginformationitself Thismeans that an RA 6300 with a SLIP interface forwards packets addressed t...

Page 158: ... a host advertise a route results in an extra hop situation Hosts must direct their traffic destined for host 132 245 5 9 to host 132 245 10 9 which then routes the traffic to the RA 6300 at 132 245 10 7 To avoid this extra hop the host at 132 245 10 9 needs to send out an ICMP redirect message To make RA 6300s aware of a route using a SLIP link create a gateway entry in the configuration file Usi...

Page 159: ...network or is an inactive link such as a SLIP link at boot time Extending a Single Host onto the Network The RA 6300 can use Proxy ARP to attach a single host and remote RA 6300s onto the network transparently Using Proxy ARP the RA 6300 answers ARP requests for the destination address of a SLIP link with its own hardware address The following is an example of the type of ARP entry that would appe...

Page 160: ...ernet address the Internet address of the server and the name of the file to be loaded into memory The RA 6300 ROMs use BOOTP to obtain boot information without requiring any manual set up on the RA 6300 If a diskless client sends a BOOTP request to the RA 6300 over a SLIP line the RA 6300 responds with its current local address remote address and boot host the Remote Annex 6300 Hardware Installat...

Page 161: ... or a range of port numbers for the ports field in a dial out entry Instead you specify a rotary name or a port type Table A 10 describes the valid port types Table A 10 Valid Port Types for ports Field in a Dial out Entry Port Type Description asy For asynchronous modem calls ta For V120 calls operating at 64 kilobytes ta_56 For V120 calls operating at 56 kilobytes ta_64 For V120 calls operating ...

Page 162: ...y To see the asynchronous and TA global port settings issue the superuser admin or na command show port all To see the synchronous PPP settings issue the superuser admin or na command show port syn Parameter settings in SPBs apply to incoming calls only and have no effect on outgoing calls However you must define an SPB to handle the incoming call on the remote side of a dial out route if the dest...

Page 163: ...00s to be Used for Dial out Router A s dialout configuration dialout annex 132 245 1 1 begin_route 1 mode ppp local 122 232 1 1 remote 122 232 2 1 set net_inactivity 20 phone 16175551234 continued on next page Telephone Network RA 6300 Router A 122 232 1 1 RA 6300 Router B 122 232 2 1 Subnet 132 232 2 0 Subnet 132 232 1 0 ISDN PRI Sync PPP ...

Page 164: ...n excl proto udp src_port router netact filter out excl proto udp src_port router netact end_route end In the previous example The subnet mask of 255 255 255 0 applies to the remote end of the PPP link The ppp_ncp parameter must be set to ipcp in order for the filters defined next to operate filters apply to IP packets only The two filters at the end of the dial out entry prevent RIP updates gener...

Page 165: ... set net_inactivity_units minutes set subnet_mask 255 255 255 0 set rip_sub_advertise Y set rip_sub_accept Y set rip_advertise all set rip_accept all advertise Y ports syn set ppp_ncp ipcp filter in excl proto udp src_port router netact filter out excl proto udp src_port router netact end_route end The following SPB is defined in Router A s Annex configuration file This SPB handles Router B s dial...

Page 166: ...he beginning of each line that is not a comment and specify the called number so that the SPB resembles the example above Then save the file and issue a reset annex session command from na or admin The following SPB is defined in Router B s Annex configuration file to handle Router A s dial out calls when they arrive at Router B pri begin_session sync called_no 16175551234 call_action sync set mod...

Page 167: ...nd port Entering port with an na or admin set command sets the parameter value globally that is for all calls arriving on the PRI interface For example the following sample admin session disables all RIP advertising over the PRI interface annex su password admin interface port admin set interface rip_advertise none admin reset interface admin reset default interface Y For more details see interfac...

Page 168: ...gin_session proxy_ARP called_no 6175559999 call_action modem set mode ppp end session Figure A 11 Sample PPP Routing Configuration PC 132 254 17 7 calling_no 6175550291 called_no 6175559999 RA 6300 132 254 1 22 subnet_mask 255 255 255 0 subnetwork 132 254 1 0 host01 132 254 1 1 subnet_mask 255 255 255 0 Proxy ARP Routing 1 PC 132 254 9 7 calling_no 6173335555 called_no 6175559999 Routing 2 PC 132 ...

Page 169: ...t called numbers in the SPBs The Proxy ARP SBP should not have a subnet defined nor should there be any static routes defined for the Proxy ARP interface Attempting to route through a Proxy ARP interface causes packets to be routed improperly or not at all Other important issues to note when configuring routing for the RA 6300 are remote_address is not a port parameter it is a pri b parameter To a...

Page 170: ...Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Chapter 9 Routing Information Protocol RIP A 142 Book A ...

Page 171: ...6300 or to all RA 6300 interfaces and can affect incoming or outgoing packets An interface is the Ethernet port specified as en0 in commands or any other determined from acp_dialup per user specified by an asterisk in commands The add subcommand adds new filter s and enables them in both the currently running system and non volatile memory the RA 6300 need not be rebooted for the added filters to ...

Page 172: ... Specifies the network level address family protocol to which the filter applies Currently the RA 6300 only supports ip criteria Specify the conditions on which the filter is based All criteria must be met for the filter to match the packet Specify criteria in the form keyword value actions Specifies what a filter does when all of its criteria match a packet You can specify any combination of acti...

Page 173: ...ess where n is the number of bits in the non host portion of the subnet mask for this address For example 132 245 33 0 24 denotes a mask of 255 255 255 0 which matches destination addresses on network 132 245 33 0 If you list the filter 132 245 33 0 24 appears as the destination address To match all addresses enter 1 or instead of an address dst_port pnum sname 1 Matches the TCP or UDP destination...

Page 174: ...telnet or tftp Specifying 1 or matches all port numbers For a list of service names and their corresponding port numbers see Table A 13 src_address ip_addr n 1 Matches the packet s source IP address To match only the non host portion of the address enter n after the address where n is the number of bits in the non host portion of the subnet mask for this address For example 132 245 33 0 24 denotes...

Page 175: ...n host portion of an address enter n after the address where n is the number of bits in the non host portion of the subnet mask for this address For example 132 245 33 0 24 denotes a mask of 255 255 255 0 which matches destination addresses on network 132 245 33 0 If you list the filter 132 245 33 0 24 appears as the destination address To match all packets to or from a given address enter one ip_...

Page 176: ...or from a given port number enter one port number or service name and specify 1 or for the other For a list of service names and their corresponding port numbers see Table A 13 Restriction if you use the port_pair keyword you cannot use the dst_port or src_port keyword protocol protonum protoname Matches the transport protocol in the packet Valid protocol numbers range from 1 to 255 Or specify a p...

Page 177: ...Service Names and Port Numbers Multiple service names shown on the same line in Table A 13 are synonyms Using any one of them in a filter implies using the other However when you list the filter using the list subcommand you will see only the first service name Service Name Port Number domain 53 ercp 121 finger 79 ftp 21 name 42 nfs 2049 nntp 119 rlogin 221 route routed router 520 rtelnet 107 sftp...

Page 178: ...x filter filter add en0 input include protocol udp port_pair nfs icmp filter add en0 input include protocol udp port_pair tftp icmp Note the following about the preceding sample filters Both filters apply only to packets arriving on RA 6300 interface en0 To apply a filter to another interface specify a second filter for that interface or specify instead of en0 thereby blocking the protocol on all ...

Page 179: ...s requires configuration see Logging User and RA 6300 Events on page B 33 for more information The following example allows packets to and from 132 254 100 2 and 132 254 100 3 to be forwarded over interface en0 all other packets are discarded filter add en0 input exclude address_pair 132 254 100 2 discard filter add en0 input exclude address_pair 132 254 100 3 discard The following example allows ...

Page 180: ... e list displays only filters that are associated with active interfaces or those that were acquired from acp_dialup Argument Description e Lists the filters stored in non volatile memory instead of the filters in the currently running system Using list e eliminates the status column from the display because the enabled disabled status is not saved in non volatile memory i Sorts the output by inte...

Page 181: ...ovell Networks Standards based IPX IPX over PPP Features Enabling IPX Default IPX Parameter Settings IPX Configuration Overview Configuring Standards based IPX IPXCP Obtaining IPX Information Novell Networks Nodes on Novell network are servers or clients Servers provide shared accesstofiles printers andspecializedperipheraldevicesonthenetwork The RA 6300 functions as a communications server provid...

Page 182: ...s a PC to dial into an RA 6300 as an endpoint node on an IPX network The same PC can also simultaneously run IP over the connection allowing the user to use either IP or IPX services as the need arises The same link can also be used for AppleTalk over PPP To dial into an RA 6300 via IPXCP a PC client can be running any operating system that supports IPXCP networking This includes Windows 95 Window...

Page 183: ... explains setting both of these configuration parameters 1 Obtain a valid IPX value for the RA 6300 option_key parameter Some option key values are attached to the bottom of the RA 6300 If you find the value there enter it as described in Step 2 below If the value is not there contact your supplier to obtain a key You will need to specify the Ethernet address of your RA 6300 it is taped to the bac...

Page 184: ...rd annex admin Annex administration Remote Annex Rx x 72 ports admin set annex option_key RaqbDwv8e The option_key value is case sensitive The default superuser password for the RA 6300 is its IPX node 3 Specify the type of IPX frame that the Novell network uses to encapsulate IPX packets on the Ethernet To specify the frame type set the RA 6300 ipx_frame_type parameter Valid values are ethernetII...

Page 185: ... an incorrectly configured ipx_frame_type parameter or the absence of an IPX server on the network To disable IPX set the RA 6300 disabled_modules parameter to ipx and reboot the unit The stats o command should now display ipx in the DISABLED MODULES field See Step 1 Default IPX Parameter Settings The following table lists the default Serial Networking Protocol and IPX parameter settings Table A 1...

Page 186: ... Annex configuration file to define SPBs 3 Review the default global port parameters then reset the parameters you need for the IPX configuration Step 1 Decide How to Handle Addressing The RA 6300 handles IPX nodes using one of the following methods Dial up addressing Fixed addressing You can choose to configure the RA 6300 for both methods but dial up addressing has priority over fixed addressing...

Page 187: ...300 address and an associated user name which are used as keys in this file Once the keys are matched the corresponding dial up addresses are returned to the caller on the RA 6300 Dial up addressing offers the ability to assign IPX nodes to individual users Fixed Addressing Fixed addressing for the RA 6300 is controlled through the ipx_network parameter used with the set pri b command This paramet...

Page 188: ...Whether you intend to use one or all of the default SPBs provided in the PRI section of the configuration file disable one or all of the default SPBs or write your own set of SPBs See Configuring the PRI Interface Global Ports and Sessions on page A 51 for detailed information on SPBs The following instructions describe how to enable and disable the default SPBs that exist within the configuration...

Page 189: ...ace the string with the telephone number callers will use from remote nodes that will use this SPB For example to enable the default SPB that handles synchronous IPX over PPP calls do the following To handle IPX PPP asynchronous modem calls create the following SPB in the pri section of the configuration file 3 Save the file 4 Issue a reset annex session command from na or admin Replace this strin...

Page 190: ...ides the following information A list of the default settings for the Serial Networking and PPP global port parameter groups Instructions for changing a global port parameter setting Instructions for using the set pri b command to associate IPX nodes with RA 6300 PRI B channels To view the entire set of default global port parameters use na or admin to issue the show port all command Default PPP r...

Page 191: ...Default PPP related Global Port Parameter Settings Parameter Default Setting allow_compression N address_origin local do_compression N local_address 0 0 0 0 metric 1 net_inactivity off net_inactivity_units minutes ppp_acm 0x0 ppp_mru 1500 ppp_ncp all ppp_password_remote unset ppp_sec_auto N ppp_security_protocol none ppp_username_remote slip_ppp_security N ...

Page 192: ...administrative password for host at the password prompt You can specify the RA 6300 by its IPX nodes or name If you intend to change global port parameter settings on more than one RA 6300 separate their IPX nodes or names using a comma The password is the administrative password for this host For example COMMAND annex 132 245 6 40 or annex 132 245 6 40 132 245 6 45 password 3 Specify a new settin...

Page 193: ...dsyntaxwhencreatingBchannelIPXnetwork or node assignments set pri b ch_range ipx_network net_no ipx_node node_no increment ch range is a single B channel number a list of B channels separated by commas a range of B channels separated by a hyphen or the keyword all net_no is the IPX network in hexadecimal to which you want to assign a single B channel or the first channel of a set of B channels nod...

Page 194: ...an specify an increment by which IPX nodes are assigned in sequence based on the increment value The following example specifies the entire set of B channels available with a T1 based RA 6300 PRI module 23 an IPX node of 00 00 00 00 00 a0 and an increment of 2 set pri b 1 23 ipx_node 00 00 00 00 00 a0 2 In this case B channel 1 has an IPX node of 00 00 00 00 a0 B channel 2 is assigned 00 00 00 00 ...

Page 195: ...e acp_dialup file The PC is connected through a BRI line with a V 120 terminal adapter and the PRI line to the RA 6300 Based on the entries in the acp_dialup file user green has access from all RA 6300s and other Remote Annexes since the acp_dialup file entry is a wildcard User green s acp_dialup file remote address is 00446688 00802d0077bc The IPX address is 00802d0077bc and the IP address is 132...

Page 196: ...esides is unreachable by the RA 6300 or there is no entry in the acp_dialup file for a particular user the RA 6300 relies on the IPX nodes assigned to the B channel to provide a remote address for the link 3 Edit the configuration file to define an SPB You can use the default SPBs provided as part of the config annex file or create them specifically for your requirements See Step 2 Edit the Annex ...

Page 197: ...ta_bitsissetto7 andparity is not set to none the Annex forces the data_bits setting to 8 and the parity setting to none Otherwise the RA 6300 syslogs an error message Set the address_origin parameter to acp so that the RA 6300 requests the endpoint addresses based on the user s login from the acp_dialup file If no remote network and node address is specified in acp_dialup the RA 6300 uses the valu...

Page 198: ...or Nodes to B Channels on page 11 165 for instructions to perform this step 2 Edit the configuration file to define an SPB You can use the default SPBs provided as part of the config annex file or create specific SPBs for your requirements See Step 2 Edit the Annex Configuration File on page 11 160 for more information 3 Reset default global port parameters as required to the following settings En...

Page 199: ...e allow_compression parameter to Y if you want the RA 6300 to accept compressed packets Use the supplied defaults for the data_bits 8 stop_bits 1 and parity none parameters PPPisan8 bitprotocol Ifdata_bitsissetto7 andparity is not set to none the RA 6300 forces the data_bits setting to 8 and the parity setting to none Otherwise the RA 6300 syslogs an error message for the port Set the local_addres...

Page 200: ...A 324 IPXCP Interface Statistics The netstat ip command displays the IPXCP state and IPXCP options The following is an example of IPXCP statistics annex netstat ip 6 LCP Status State Current Open Prior Ack sent Options Local Remote MRU 1500 1500 Auth type None None LQM None None ACFC On On ACCM 0x00000000 0x000a0000 Magic 0xbb1ee499 0x0047501b PFC On On NCP IPXCP Status State Current Open Prior Ac...

Page 201: ...for a configure request ACK sent The RA 6300 received and answered a configure request Open IPXCP negotiation has completed successfully Closing The link is in the process of closing The RA 6300 has sent a terminate request and is waiting for a terminate ACK Options Shows the current values of the negotiated options The Local column displays the value suggested by the RA 6300 The Remote column dis...

Page 202: ...ilable in the IPX buffer pools IPX routes RIPs IPX servers The netstat x syntax is netstat x i r network_number s server_name m or netstat x i r network_number S server_name m IPX in General Issuing the netstat x command displays the number of NICs RIPs and Service Advertising Protocol SAP services on the RA 6300 NICs indicates the number of active IPX interfaces including en0 on the RA 6300 and R...

Page 203: ...splaysinformationabouttheRA6300s currently in use for dial in The following is a sample display The field headings in the above display indicate the following Name is the interface name of the corresponding IPX port over which IPX dial in or routing is currently occurring Network is the number of the network to which interface Name connects Tics indicate the amount of time associated with the cost...

Page 204: ...of IPX packets transmitted over this interface Oerrs is the number of outbound IPX packets that contained errors Collis is the number of times a packet transmission was terminated due to a collision IPX Buffer Pools Issuing the netstat xm command displays the amount of memory available in the large and small IPX buffer pools The RA 6300 creates these buffer pools when it boots allotting the approp...

Page 205: ...0000a2816349 24 5 en0 00000043 0000a2816349 3 2 en0 00000044 0020af07dec4 3 2 en0 00001234 ffffffffffff 0 0 en0 The field headings in the above display indicate the following Network is the number of a destination Netware network Gateway is the number of the next hop on the path to Network A gateway of ffffffffffff indicates a directly attached network Tics indicate the amount of time required to ...

Page 206: ...49 24 5 en0 IPX Servers Issuing the netstat xs command displays server names types and addresses annex netstat xs OSCAR File Server 2e80703c 000000000001 0451 CTEST Annex NAS 00000055 00802d01d252 e480 VENUS File Server 00006501 000000000001 0451 SMTPQ Advert Print 00000043 000000000001 8060 SNOWY Annex NAS 00000063 00802d01ea57 e480 From left to right the fields in the previous displays are as fo...

Page 207: ...nnex NAS Advert ised Print Btrieve 5 0 VAP SQL VAP TES NetW are VMS NetW are Access Named Pipes NetW are UNIX Netware 386 NETW are manage ment type 0x6601 NETW are manage ment type 0x6a02 Unknown type Inthelistabove textinparenthesesisprovidedforclarity netstat xs does not display it The third field is the server s hexadecimal address displayed in the format network address socket ...

Page 208: ...ith a server_name argument after the s or S option netstat sx or netstat Sx displays information for that specified server only Server names are typically in upper case IPX Frame Type and Network Number Issued with no arguments the CLI stats command displays various RA 6300 statistics including the RA 6300 Netware network number The following is part of a stats display IPX information is on the la...

Page 209: ...her or not IPX is enabled see IPX Configuration Overview on page 11 158 IPX Connections For all IPX ports the CLI who command displays specific information aboutanIPXconnection includingwhatprotocoltheconnectionisusing the user name associated with the connection where the connection is located when the connection was created how long the connection has been idle and the address from which the con...

Page 210: ...lis en0 1500 132 245 66 0 worm 26563 0 15085 744 0 en0 1500 10000 20000 18062 79 1626 0 823 0 0 lo0 1536 127 127 0 0 1 0 0 0 0 0 asy2 604 18358 18062 79 0 0 0 0 0 asy16 1006 132 245 6 annex01 14770 0 7468 0 0 asy3 1500 192 9 200 zipwad 3453 0 3002 0 0 Ethernet Address 00 80 2d 00 00 9b Frames Received 39861 Frames Transmitted 45239 Bytes Received 33965470 Bytes Transmitted 29453 CRC Errors 2 Align...

Page 211: ...y connected ARA network user The RA 6300 is transparent to the ARA user it behaves like an AppleTalk end node AppleTalk Remote Access Protocol ARAP ARAP allows Apple PowerBook and Macintosh computers to communicate with one another or with an AppleTalk network over standard telephone lines A remote ARA user can dial into an AppleTalk network and take advantage of all the services available on the ...

Page 212: ...ey value from your supplier be sure to mention any of the other option_key features currently enabled for your RA 6300 After the reboot the RA 6300 automatically determines the appropriate network information e g its AppleTalk node ID etc The AppleTalk specific RA 6300 parameters a_router zone and node_id are hints for the RA 6300 to use at start up AppleTalk specific RA 6300 Parameters on page 12...

Page 213: ...node_id parameter actsasahinttoacquireanaddressfortheclient TheRA 6300theninstalls a proxy aarp entry and the client s zone multicast address AppleTalk specific Configuration Parameters You can use either na or admin to configure RA 6300 parameters The AppleTalk specific configuration parameters are divided into two groups AppleTalk specific RA 6300 parameters AppleTalk specific global port parame...

Page 214: ...thernet address of the network s A_Router The RA 6300 uses this value as a hint at start up When a Routing Table Maintenance Protocol RTMP message arrives from this Ethernet address the RA 6300 gleans the AppleTalk DDP address from the packet and tries to talk to the AppleTalk router The address is a hexadecimal Ethernet address e g 00 7F 12 33 44 55 The default is 00 00 00 00 00 00 Parameter Defa...

Page 215: ...e 0 to 65534 valid node values are 0 to 254 The default is 0 0 option_key The option_key parameter enables the AppleTalk specific RA 6300 parameters as well as the ARA protocol AppleTalk commands parameters and port functions are enabled only after the correct key is set after setting the key the administratormust reboot the RA 6300 Each RA 6300 requires a unique key value The way to obtain a key ...

Page 216: ... these parameters the following subsections describe them in detail Table A 19 AppleTalk specific Global Port Parameters arap_v42bis The arap_v42bis parameter enables disables V 42bis compression during an ARA session A Y enables the parameter an N disables it The default is Y If you disable this parameter you may want to change the Communications Control Language CCL script for the remote modem t...

Page 217: ...alues are 0 to 254 The default is 0 0 at_security The at_security parameter enables disables ACP service for this port When both at_security and enable_security are set the RA 6300 uses ACP to get per user security information about the client authentication logging and zone access from the acp_userinfo file see Creating the acp_userinfo File on page A 249 If at_security is not set the RA 6300 use...

Page 218: ... to interpret a host name using minimum uniqueness enclose the name in double quotes For example entering hosts new prevents ambiguities between hosts newark and new You can enter commands and host names in all lower case all upper case or a combination of both The RA 6300 performs any necessary case conversion Command Description arap Converts a CLI line into an ARA connection When the port is re...

Page 219: ...6300 builds the ARP table dynamically you rarely need to modify it Table A 21 lists the arguments for this command Although the arp command shows AppleTalk information you cannot manipulate it Since arp interprets all address as IP addresses if you try to delete an AppleTalk address such as 1 123 using arp d the ARP table entry 1 0 0 123 is deleted The syntax is arp ads host addr temp pub Using ei...

Page 220: ...o the network through EtherTalk Argument Description host Displays the current ARP table entry for that host addr Displays the current ARP table entry for that address a Displays all entries in the table d Deletes the entry specified with host s Creates an entry for the host specified using either host or an Internet address at the hardware address specified using addr If you do not include temp o...

Page 221: ... for the PPP configuration Step 1 Setting the option_key Parameter ToenabletheAppleTalkfunctions thenetworkadministratormustobtain and enter the correct option_key parameter value and then reboot the RA 6300 The way to obtain a key depends on the configuration and type of RA 6300 you purchased Some option key values are physically attached to the bottom of the RA 6300 If the number is there use it...

Page 222: ...Whether you intend to use one or all of the default SPBs provided in the PRI section of the configuration file disable one or all of the default SPBs or write your own set of SPBs See Configuring the PRI Interface Global Ports and Sessions on page A 51 for detailed information on SPBs The following instructions describe how to enable and disable the default SPBs that exist within the configuration...

Page 223: ... want to enable Enter a comment character at the beginning of each line of each SPB you want to disable Following the called_number field in an SPB that has one replace the string with the telephone number callers will use from remote nodes that will use this SPB For example to modify a default SPB to handle AppleTalk calls 3 Save the file 4 Issue a reset annex sessions command from na or admin Re...

Page 224: ...dmin to issue the show port all command How to Change a Global Port Parameter Setting To change a global port parameter setting using na 1 At a terminal connected to a UNIX host enter na The following prompt displays on the screen Annex network administrator Rx x January 1 1997 COMMAND 2 Specify the RA 6300 on which you intend to change global port parameter settings at the COMMAND prompt Specify ...

Page 225: ...ity Y The new parameter setting is automatically stored in nonvolatile RAM 4 To review your changes issue the show port all command at the COMMAND prompt This command displays all of the global port parameter settings To locate the parameters you changed press the return key which allows you to scroll down through the file COMMAND show port all 5 Enter quit at the COMMAND prompt to exit na COMMAND...

Page 226: ...as part of the config annex file or create them specifically for your requirements For more details see Step 2 Edit the Annex Configuration File on page 12 194 3 Reset default global port parameters as required to the following settings Enable ARA security by setting at_security to Y ACP and port access is logged in the ACP log file RA 6300 Macintosh ARA link 12 8 13 6 12 7 Net 12 15 Zone engine A...

Page 227: ...leTalk node address for the remote Apple PowerBook or Macintosh If you intend to use AppleTalk over PPP see Point to Point Protocol PPP on page A 87 ARA Security The RA 6300 provides comprehensive security features that assist you in securing your RA 6300s and the network from unauthorized access Using these features you can select between host based security where at least one host on the network...

Page 228: ...ibility to integrate RA 6300 security with existing security for a network wide system The following subsections briefly describe RA 6300 security as it relates to ARA For a detailed description of ACP host based security and the acp_userinfo file see Using RA 6300 Security on page A 211 Security Features The RA 6300 implementation of ARA provides three areas of security ARA security Zone security...

Page 229: ... RA 6300 provides all the zones it has learned from the network If local security is used use the per RA 6300 parameter default_zone_list For more details see at_zone on page A 263 Logging The RA 6300 logs activity and errors from the ARA session The log is accessed via remote ACP and syslog see Logging User and RA 6300 Events on page B 33 for more details Network Visible Entity NVE Filtering NVE ...

Page 230: ...le PowerBook and Macintosh computers to connect as an endpoint node to an AppleTalk network The same Macintosh can also simultaneously run IP over the connection allowing the user to use either IP or AppleTalk services as the need arises When the RA 6300 opens a PPP connection it negotiates for link level options and then runs an optional security phase to authenticate the user Finally the two end...

Page 231: ...ialback Configuring the CCL Converter TheRA 6300administratorcanconfiguretheCCLConverterApplication to connect to an RA 6300 As administrator configure the CCL Converter on the Macintosh as follows 1 Using a Macintosh based ftp program such as Fetch that is set to MacBinary copy the CCL Converter from the following directory on your UNIX load host usr annex src examples ccl_scripts The file name i...

Page 232: ...curity including port password and SecurID if configured ARAP V1 Autodetect Delay and CLI Security at_security N Normal non ARAP ACP security including port password and SecurID if configured CLI Security at_security Y Both ARAP ACP security and normal non ARAP security ARAP V1 Autodetect Delay and CLI Security at_security Y Both ARAP ACP security and normal non ARAP security CLI Security mode ara...

Page 233: ...w appears In the dialog box enter the RA 6300 name portion of the RA 6300 prompt but not the port number since the user will be connecting to different ports and either click OK or press Return Make sure the RA 6300 name you enter is enclosed in quotes Once all modifications are made the configuration is complete Go to Running the Application below Running the Application 1 Double click on the CCL...

Page 234: ...ment to the Remote Annex Administrator s Guide for UNIX Chapter 12 AppleTalk A 206 Book A 3 Quit the CCL Converter 4 Select the converted CCL file from the remote access client see your Apple Remote Access Client documentation ...

Page 235: ...A 207 Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Book A Chapter 13 Printers The Remote Annex 6300 does not support printers ...

Page 236: ...Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Chapter 13 Printers A 208 Book A ...

Page 237: ...a boot server Self booting without a local Ethernet interface Installing a time server Dump host services Setting up name servers Setting up a host for 4 3BSD syslogging Configuring LAT services For the RA 6300 please note the following changes The subsection Installing Software Using bfs in the section Accessing 4 2BSD Hosts is not up to date For current information see Software Installation Note...

Page 238: ...Ports and Sessions on page A 51 The section Creating modem Entries in the Configuration File is not applicable The RA 6300 supports only one type of modem Microcom and that type is hard coded The section Host Initiated Connections is not applicable because the RA 6300 does not support any physical ports for printing The section Creating rotary Entries in the Configuration File is not completely ac...

Page 239: ...at least one host on the network is functioning as a security server If unauthorized users can access your RA 6300 we strongly suggest that you enable security after loading the host code and booting the unit About RA 6300 Ports Rather than a set of physical ports the RA 6300 implements a set of internal ports which use the B channels that make up an ISDN PRI line Each internal port is configured ...

Page 240: ...nal ports is not possible For example you cannot guarantee that a user connecting via a remote PC will always use ISDN PRI B channel 9 and RA 6300 internal asynchronous port asy12 every time the user connects through the RA 6300 As a result the RA 6300 relies on a set of parameters to configure each port when performing the negotiations necessary to set up a call and establish a session i e dynami...

Page 241: ...t a user will establish a session through you cannot associate passwords with specific RA 6300 internal ports This RA 6300 Port Type Applies to pts virtual connections on the RA 6300 and all other Remote Annex servers asy modem connections on RA 6300 and all other Remote Annex servers ta V 120 TA connections on the RA 6300 syn synchronous PPP connections on the RA 6300 ctl internal RA 6300 control...

Page 242: ...Do specify ports when appropriate by port type e g ports ta in security profiles Do not specify port passwords within the acp_passwd file Use the correct RA 6300 name or IP address when specifying an RA 6300 within the acp_dialup file but do not specify ports by number range or group Information for Users of Other Remote Annexes Read this section thoroughly if RA 6300s are installed in an environm...

Page 243: ...r internal V 120 terminal adapter ta ports and synchronous PPP syn ports and will apply profile criteria to all RA 6300 ta and syn ports Port passwords specified in the acp_passwd file will affect RA 6300 operation negatively since the passwords will be matched to the equivalent RA 6300 internal asynchronous port As a result asynchronous modem connections made to an RA 6300 are subject to random p...

Page 244: ...o set for specific sessions by creating or editing Session Parameter Blocks SPBs within the Annex configuration file For more details see Configuring the PRI Interface Global Ports and Sessions on page A 51 About Local Password Protection Local password protection can be defined for access through virtual ports i e sessions Local password protection does not provide logging of security events to t...

Page 245: ...arameter is mandatory if you intend to use any security mechanisms except the administrative password for access to administrative tools If the enable_security parameter is set to N no security is used and no logging is performed regardless of any other parameter setting The enable_security parameter does not take effect until the RA 6300 is either rebooted or reset Overview of Local Password Prot...

Page 246: ...rver is not available Implementing Local Virtual CLI Password Protection Local password protection can be implemented for the RA 6300 in one of two ways Upon virtual CLI VCLI connection Upon access through administrative utilities The vcli_password parameter allows you to define a local password for VCLI connections The user enters only a password as opposed to a user name and password To configur...

Page 247: ...d If the vcli_security parameter is not set N and the vcli_password parameter is not set unset the RA 6300 does not perform a security check for VCLIs If the vcli_security parameter is set to Y the vcli_password parameter is not set unset and the password parameter is not set unset the RA 6300 denies access to the VCLI if the security server is unreachable You can also use the vcli_password as a b...

Page 248: ...r Password Files on page 15 247 If the remote server s fail Access is permitted only through the VCLI password No access is permitted if the vcli_password parameter is not set The show annex command does not display the value of thevcli_passwordparameter Instead itdisplays set or unset Administrative Password The RA 6300 administrative password protects the administrative tools the default adminis...

Page 249: ...e command and re entering all parameters As a safeguard against losing the unit s current configuration use the na command write to save the RA 6300 and global port parameter settings if necessary you can restore these settings using the read command for more details on using these commands see na Commands on page C 1 Protecting the Superuser CLI An RA 6300 administrative password is required for ...

Page 250: ... default cli_inactivity parameter default setting off sets the CLI inactivity timer When enabled the RA 6300 terminates thesessionaftertheamountoftimespecifiedinthisparameterhaselapsed or the last session is completed Users can protect their login sessions using the CLI lock command if they do not want to log out when leaving the terminal unattended Protecting the na Utility from Unauthorized Acce...

Page 251: ... The security server maintains a database of files that reside by default in the directory usr annex These files include acp_keys encryption key information acp_dialup user names and addresses for dial up connections acp_group user group associations for security acp_regime security authentication system and associated password file name acp_passwd security passwords Do not specify port passwords ...

Page 252: ...page 15 274 Dynamic Allocation of Network Addresses on page 15 274 Enhancing Password Security on page 15 279 Using AppleTalk Security on page 15 291 Using IPXCP Security on page 15 293 Using PPP Security on page 15 293 Using Kerberos Authentication on page 15 301 Using the ACE Server on page 15 303 Using SafeWord AS Security on page 15 314 Configuring Security for the RA 6300 FTP Daemon on page 1...

Page 253: ... Server on page 15 230 3 Create entries in the acp_regime file defining the authentication systems to be used and the conditions under which to use them The install program creates the acp_regime file then prompts you for a default regime and in some cases a password file name which it enters into acp_regime Subsequently you can add to and or change the contents of this file See Configuring the ac...

Page 254: ... a virtual CLI 1 Set the vcli_security parameter to Y so that the RA 6300 will use ACP 2 Define a security server using pref_secure1_host pref_secure2_host or security_broadcast parameter see Configuring the Security Server on page 15 230 3 Create entries in the acp_regime file defining the authentication systems to be used and the conditions under which to use them The install program creates the...

Page 255: ... vcli_password Connection Security You can authorize or deny IP or CLI access to specific hosts host ports or networks for a particular user group time of day or protocol in use 1 Define a security server using the pref_secure1_host pref_secure2_host or security_broadcast parameter see Configuring the Security Server on page 15 230 2 Set the connect_security parameter to Y so that the RA 6300 uses...

Page 256: ...mand rather than authenticating when the CLI connection is made set the cli_security parameter to N and the slip_ppp_security parameter to Y 4 Define a security server using the pref_secure1_host pref_secure2_host or security_broadcast parameter see Configuring the Security Server on page 15 230 5 Create entries in the acp_regime file defining the authentication systems to be used and the conditio...

Page 257: ...iguring the Security Server on page 15 230 3 Create entries in the acp_regime file defining the authentication systems to be used and the conditions under which to use them The install program creates the acp_regime file then prompts you for a default regime and password file name which it enters into acp_regime Subsequently you can add to and or change the contents of this file See Configuring th...

Page 258: ...00 does not perform a security check for port connections Configuring the Security Server The ACP security server software is provided as part of the expedited remote procedure call daemon erpcd software Included with the software is the eservices file that has two entries one for the block file server bfs and one for ACP The erpcd process must be running erpcd requires the etc services file to ha...

Page 259: ...to Y the RA 6300 broadcasts to the network for another host with erpcd running to authorize the access request If the security_broadcast parameter is set to N the RA 6300 denies the authentication request The network_turnaround parameter specifies the amount of time in seconds in which the RA 6300 expects a response from the security servers To reduce the possibility of a retry the network turnaro...

Page 260: ...ct until the RA 6300 is either rebooted or RA 6300 security is reset The acp_key parameter specifies the encryption key the RA 6300 uses to exchange messages with the security server The security server maintains the encryption key for each RA 6300 in the acp_keys file see Creating the acp_keys File on page 15 233 and Configuring Hosts and Servers on page A 209 The encryption key also validates th...

Page 261: ...rypted message from the RA 6300 the server tries to match that key against the key assigned to the RA 6300 in the file If no match exists the RA 6300 and the server cannot communicate The syntax rules for the acp_keys file are Any part of an IP address in the list can be specified with an asterisk A backslash is used to continue a line Any ASCII character except spaces and tabs are valid encryptio...

Page 262: ...300s listed in the example must be identical to the key included in the acp_keys file 132 245 6 15 insomniac 1 132 245 6 75 132 245 6 Piano annex01 annex02 annex03 gl12ch Changing the value of the acp_key parameter on any RA 6300 requires the same change to the acp_keys file on the security server The recommendedorderforchangingtheACPencryptionkeyonanRA 6300 is 1 Edit the acp_keys file on all secu...

Page 263: ... acp_regime acp_userinfo and acp_restrict files to create diverse security profiles based on any combination of the profile criteria shown in Table A 23 Table A 23 Profile Criteria Criterion Description username The user s userid group The name of a group to which the user belongs as defined in the etc groups or acp_group file see Creating User Groups on page 15 244 time The day of the week and or...

Page 264: ...n begins with one of the keywords listed in Table A 23 on page A 235 The keyword is followed by an sign which is followed by a value No space is permitted before or after the sign The syntax is keyword value To enter more than one criterion separate the criteria with semicolons Keep the criteria on one line Use the backslash continuation symbol to extend the line beyond the right margin if necessa...

Page 265: ... defined in the acp_group or etc group file the RA 6300 and port that chris connects to the time of connection and the connection protocol CLI PPP or SLIP erpcd saves these connection conditions for comparison with profile criteria specifications in the acp_regime acp_userinfo and acp_restrict files All of the profile criteria in a specification must be met in order for erpcd to consider that the ...

Page 266: ...gime specifies that the engineering group should be authenticated via Kerberos while the second line specifies that user chris should be authenticated by SecurID The result is that chris is authenticated by Kerberos since a match for the group entry is found first The first match algorithm is also true for acp_restrict entries that apply to CLI telnet and rlogin connections However acp_restrict en...

Page 267: ...at login The group criterion lets you control security based on a user s membership in a group You assign users to groups via either the acp_group file or the etc group file see Creating User Groups on page 15 244 When a group profile criterion is specified erpcd checks the acp_group file to find the users belonging to the group If it cannot find an acp_group file erpcd looks in the etc group file...

Page 268: ...y specifications observe minimum uniqueness and are not case sensitive For time1 specify the beginning of a time range for time2 specify the end of a time range Use hh mm am pm where hh is the hour and mm is the minutes as the format for each end of the range If you do not include am or pm the Remote Annex assumes you are using military 24 hour notation Both ends of a range must use the same type ...

Page 269: ... case sensitive The following are examples time 9 00am 5 00pm Monday Friday time 9 00 22 00 Sunday time Wed time 8 00AM Friday 6 35PM Friday time 10 30 Nov 30 21 30 Nov 31 The time criterion applies to initial access by the user For instance in the first example above the criterion is met if the user logs in at any time between 9 00 A M and 5 00 P M on Monday through Friday of any week in any mont...

Page 270: ...rts is implied The fourth example specifies all ports on all RA 6300s which is the default You cannot abbreviate the ports keyword Protocol The protocol criterion lets you control security based on the protocol used to attempt access to a host or host port Valid values are slip ppp cli for telnet and rlogin Specify a protocol criterion using the syntax protocol protocol_name To specify more than o...

Page 271: ... You can modify the initial acp_regime file so that different authentication schemes are used when particular criteria are met Do not confuse ACP the RA 6300 s Access Control Protocol that controls all host based security with acp one of several authentication systems regimes that can be used with ACP acp_userinfo This file allows you to configure login environments based on a single userid or one...

Page 272: ...should use etc group rather than acp_group see Changing the Expected File Names Used by ACP on page 15 328 The acp_group file must have the same format as the etc group file The following systems do not support the acp_group file Ultrix FreeBSD and BSDI On these systems you must use the etc group file An etc group or acp_group file contains a one line entry for each group To retain compatibility w...

Page 273: ...r runs the RA 6300 install program The program prompts for a security regime and if the regime requires it a password file name The regimes from which you can choose are acp securid safeword kerberos native and none see Table A 24 Password files are required for acp and kerberos the defaults are acp_passwd and temp tkt_erpcd_ Both the acp_regime file and the password files if any must be stored in...

Page 274: ... is valid only for the acp and kerberos regimes If you specify the acp or kerberos regime but supply no password_filename the default is used see Table A 24 If the file is not found an error message is logged and access is denied Table A 24 Authentication Regimes Regime Description acp ACP authentication using the password file you specify Default is the acp_passwd file safeword SafeWord authentic...

Page 275: ...all directory Even if user jack is defined in finance if he logs in between 9 00 A M and 10 P M erpcd nevertheless tries to authenticate him via SecurID since the profile criteria specification that begins with username is matched first Finally any users whose login characteristics do not match the first two profile criteria specifications are authenticated via ACP using the default password file ...

Page 276: ... etc passwd files from different hosts into one file on the security server thus allowing you to create a network wide password file If you are using a System V 4 or V 5 host use the etc shadow file rather than the etc passwd file Not all password files work with ACP For example you could not merge SCO UNIX password files into the acp_passwd file Non superusers can change their passwords only if t...

Page 277: ...sing Kerberos Authentication on page 15 301 PasswordFilesfor Other Regimes For information on passwords used with third party systems other than Kerberos see the following sections Using the ACE Server on page 15 303 Using SafeWord AS Security on page 15 314 Password Histories and Blacklisting You can enhance security for passwords by configuring the RA 6300 to record password histories and to bla...

Page 278: ...following format which is referred to as a user end block user username name profile_criteria entry end The syntax for profile_criteria is keyword value keyword value Entering profile criteria is described in detail in Profile Criteria Syntax on page 15 239 If you use the name argument instead of profile_criteria specify a valid userid This argument is supported for compatibility with Release 10 1...

Page 279: ... of the criteria in that profile criteria specification jill is not permitted to use slip or ppp since the first match found is the userid jill The remainder of the example specifies that the finance group is allowed to connect only if its members log in between 8 00 A M and 6 00 P M onthespecifieddays TheCLIporttheyareconnectedtowillbeconverted to ppp mode after the group members have been authen...

Page 280: ... Table A 25 Entries for accesscode in the acp_userinfo File continued on next page Entry Description code A character string defined by the administrator The user is prompted for this string after the user name and password prompts when logging onto a port defined for dial back security accesscode_entry A list of one or more of the accesscode entries phone_no in_pool_name out_pool_name job phone_n...

Page 281: ...t be defined for the inbound pool out_pool_name Specifies the name of the outbound modem pool with the format out_pool_name pool_name pool_name is the name of an outbound modem pool For the dial back request to be initiated the designated port type must be defined for the outbound pool job Defines a specific CLI command The default is the CLI Each accesscode can have up to one job record using the...

Page 282: ...ber 9 765 4321 and then logs cobb into the host calvin If cobb enters promptphone at the accesscode prompt the RA 6300 prompts for a phone number drops the connection and calls cobb back via the outbound modem pool Then the Annex prompt is displayed If cobb enters direct for the accesscode the Annex prompt is displayed and no dial back occurs user cobb at_passwd nedry at_zone bn 33net bn 55net end...

Page 283: ... clicmd CLI_command end clicmd end For clicmd to work the cli_security parameter must be set to Y Table A 26 Arguments for the clicmd Entry in the acp_userinfo File Argument Description CLI_command Any user or superuser CLI command or the name of a macro previously defined for the RA 6300 Only one command or macro is allowed per clicmd entry although a user end block can contain multiple clicmd en...

Page 284: ...disconnected from the RA 6300 user username kip time 9 00am 5 00pm Tuesday Friday clicmd ppp end end The next example does the same thing as the previous example except that it does not disconnect kip when the PPP link terminates user username kip time 9 00am 5 00pm Wednesday Friday clicmd ppp end clicmd end end climask For a single user or for conditions that meet profile criteria you can define ...

Page 285: ...pecified days he cannot issue the ppp or arap command In all other situations this particular user end block is ignored For example if sam logs into an RA 6300 at 11 00 PM the entry is ignored Entry Description command_list A list of user level CLI commands separated by spaces that are not available to the user Valid values are bg call fg hangup help hosts jobs kill netstat rlogin stats stty telne...

Page 286: ...wing is an example of using deny in the acp_userinfo file user username liza deny end user group eng time 9 00am 10 30pm Saturday Sunday clicmd ppp end end In this example even if user liza is a member of the eng group she is denied access since erpcd finds the match with the userid first In the following example no user is permitted to connect to any RA 6300 between 11 00 PM and 12 00 PM on any o...

Page 287: ...ing acp_restrict for this purpose can be easier than using acp_userinfo because you do not have to enter actual filters in acp_restrict Instead you enter user friendly statements from which filters are created for you Any filters you enter in acp_userinfo or arrange to have generated by acp_restrict will be combined with and interpreted according to the algorithm used for filters created by the su...

Page 288: ...nly is the above filter created but a pre defined macro named special_setup and the CLI command ppp are also executed for user sam user username sam clicmd special_setup end filter output include dst_address 132 245 4 33 discard end clicmd ppp end end route For a single user or for conditions that meet profile criteria you can define one or more IP routes in the acp_userinfo file You can enter onl...

Page 289: ...d dest Specifies the destination address of the route mask Specifies the subnet mask for the destination address You can enter the mask in dotted decimal notation e g 255 255 255 0 or you can specify the mask by appending n to the destination address where n is the number of 1 bits in the mask from left to right For example appending 24 specifies 255 255 255 0 as the subnet mask gateway Specifies ...

Page 290: ...works CLAM This route allows packets to be sent back and forth between the company network and the remote PC with the IP address 131 108 33 0 The destination address is 131 108 3 0 using a subnet mask of 255 255 255 0 The gateway address is 131 254 33 1 and the metric for the route is 1 the default user username routerA annex RA6300 route 131 108 33 0 24 131 254 33 1 1 end end 131 108 33 1 RA 6300...

Page 291: ...ax is at_zone zone end Table A 31 Entry for at_zone in the acp_userinfo File Entry Description zone A list of one or more ASCII character strings You can have any number of zones specified in a zone list subject to the following constraints A zone identifier cannot contain non printable characters An individual zone identifier cannot exceed 32 characters in length The combined length of the entire...

Page 292: ...gned to zones bn 11net and bn22 net user username hobbes time 8 00am 6 00pm Sunday Wednesday at_zone bn 11net bn 22net end end at_connect_time The acp_userinfo file can have an ARA connect timer defined at_connect_time defines the maximum amount of time in minutes that an ARA connection can remain open You can specify at_connect_time for a single user or for conditions that meet profile criteria T...

Page 293: ...onenve_filterentryperuserorperprofile criteria specification is permitted The entry uses the format at_nve_filter include exclude tuple tuple tuple end Table A 33 Entries for at_nve_filter in the acp_userinfo File Entry Description include exclude The include or exclude qualifier controls how filters are used include filters allow only matching answers exclude filters discard matching answers and ...

Page 294: ...Frick sales end end Like all other acp_userinfo entries nve_filter information is syntax checked by erpcd Any errors cause the entire filter to be discarded and an error message is generated This method of limiting NBP traffic is not secure and can be circumvented by a person willing to write code to probe the network without using NBP Also this feature has no local RA 6300 security equivalent at_...

Page 295: ...p_userinfo file looks like this Set up a guest user entry that allows guests to connect for 1 hr and hides our file servers user username Guest at_connect_time 60 00 at_nve_filter exclude AFPServer end end The Guest entry is case sensitive If it is entered incorrectly guests can log in with no restrictions because the at_guest parameter for this port is set to Y Entry Description string A string o...

Page 296: ... membership in a group Table A 35 defines the argument for the chap_secret entry The syntax is chap_secret secret_token Table A 35 Entry for chap_secret in the acp_userinfo File The following example illustrates a chap_secret entry in the acp_userinfo file user username smith chap_secret achapsecrettoken end For more details on CHAP and secret tokens see Challenge Handshake Protocol CHAP on page 1...

Page 297: ...no host or host port restrictions Host access security for CLI ports is enabled by setting the port parameter connect_security to Y Hosts or ports not listed in acp_restrict are considered unrestricted When a user issues a connection command or a SLIP or PPP link becomes active the RA 6300 using erpcd checks a restrict file for permission to connect to that host erpcd expects the restrict file to ...

Page 298: ...pecified hosts will be restricted or unrestricted For information on entering profile_criteria see Profile Criteria Syntax on page 15 239 colon Indicates that the hosts listed in the same entry are restricted White space may follow but not precede the colon tilde Indicates that the hosts are unrestricted White space may follow but not precede the tilde For PPP and SLIP connections hosts specified ...

Page 299: ...ss 132 245 6 15 the host at IP address 132 245 6 23 and annex01 In the next example which shows the use of profile criteria user carl is blocked from using telnet or rlogin to access hosts atlas and steam username carl protocol cli atlas steam Argument Description unrestricted host The name or IP address of an unrestricted host including RA 6300s The list of unrestricted hosts is separated by comm...

Page 300: ...his example all SLIP users on all RA 6300s are denied access to host finance but are allowed access to all other hosts and host ports Given an address of 132 245 11 4 for host finance the filters generated to effect these restrictions are in include address_pair 132 245 11 4 discard out include address_pair 132 245 11 4 discard In the next example the members of the group mail_only who connect usi...

Page 301: ...bset of hosts cannot be reached except for a few hosts in the subset and all other hosts can be reached For example you cannot use acp_restrict to allow a user named martha to access all hosts on her home network 132 245 0 0 except for the finance machine at IP address 132 245 77 1 and also deny her access to hosts outside the 132 245 0 0 network The acp_restrict entries for this would be user mar...

Page 302: ...opened Host based Security Logging on page B 33 provides sample ACP log file entries Dynamic Allocation of Network Addresses Introduction to DHCP The Dynamic Host Configuration Protocol DHCP enables dynamic IP addressing for remote access clients establishing a PPP connection to a Remote Annex ThiseliminatestheneedtoassignanIPaddressmanually and the subsequent need to reconfigure and reboot each t...

Page 303: ...ress from a pool of IP addresses made available for that subnet and offers it to the requesting DHCP client The DHCP client uses the allocated IP address for an interval of time called a lease which is maintained for as long as the remote client connection is active or until the DHCP client terminates the serial connection When the lease expires the DHCP client returns the address to the pool of d...

Page 304: ... the IPCP and the remote connection is terminated It is possible that the DHCP client will be unable to discover a DHCP server and obtain an IP address from it before the PPP connection establishment times out and terminates Creating the acp_dialup File The acp_dialup file resides in the RA 6300 install directory Any ACP dial up address request that comes from the RA 6300 includes the RA 6300 addr...

Page 305: ...ing the comment character a newline character terminates an entry In the previous example User smith can make a dial up address request from RA 6300 100 30 200 39 The remote address is 100 30 200 45 the local address is 100 30 200 46 User green can make a dial up address request from any RA 6300 The remote address is 100 30 200 48 the local address is the address of the RA 6300 from which the requ...

Page 306: ...al and remote address fields If both of these addresses are set in the acp_dialup file the RA 6300 forces the use of these values over the settings in the local_address and remote_address port parameters If the local address field is not set but the remote address field is set the RA 6300 forces the use of the remote address field setting for the remote address and forces the local address setting...

Page 307: ...are true for a remote SLIP client the connection is denied Enhancing Password Security The following sections describe how to configure the RA 6300 to record password histories and blacklist users It also explains how to view and manage the database in which password histories and blacklisting information is kept Overview of Password History and Aging You can configure ACP to save the encrypted fo...

Page 308: ...ever changes passwords there is no password history to record The user cannot change passwords until the predefined amount of time has elapsed This prevents potential intruders from changing passwords in rapid succession in an attempt to cycle the old passwords out of the password history and use them again Password aging is enabled through the use of a shadowfile in conjunction with a passwd file...

Page 309: ...urity parameter is set to Y for the RA 6300 s you are configuring 2 Use na or admin to make sure that you have defined a security host for the RA 6300 s you are configuring See Configuring the Security Server on page 15 230 3 Log into the security host as root 4 Go cd to the installation directory typically usr annex 5 cd to the src erpcd directory which is within the installation directory 6 In t...

Page 310: ...you are using a shadow file and want to change the number of passwords stored from 6 to some other value do so The maximum is 12 If you are using a passwd file alone and you want to enable password history change the value of the second STORED_PASS from 0 to a number from 1 through 12 Specifying a non zero value for either of the above STORED_PASSvariablesturnsontherecordingofpassword histories in...

Page 311: ...ave made In addition the following message is displayed WARNING If you have called make install yourself then in directory usr annex you will have to copy erpcd new to erpcd Make sure the erpcd daemon is not running when that is done If you used the installation script called make install then the copy will be done for you 9 If erpcd is running on the host and the host is running Berkeley BSD UNIX...

Page 312: ...resent in the acp_dbm hobbes fritz In the previous example password histories have been saved for users hobbes and fritz Overview of Blacklisting Auseraccountisconsideredunderattack andthereforeblacklisted when either or both of the following occurs A configurable number default is 5 of consecutive failed login attempts is exceeded In other words if you use the default a user is blacklisted on the...

Page 313: ...emains unless and until you delete it manually Second when you invoke the acp_dbm utility it immediately displays a warning identifying any blacklisted users See Viewing and Managing the acp_dbm Database on page 15 288 The data necessary for blacklisting is kept in the acp_dbm database keyed on the user name If password history and blacklisting are configured this database is created automatically...

Page 314: ...e the acp_policy h variables Table A 38 describes the options and their acp_policy h equivalents For information on how to edit and rebuild erpcd and the other files that have changed in the acp_policy h file to put the modifications into effect See Steps 6 through 11 in Enabling and Configuring Password Histories on page 15 281 Onceyouhaveconfiguredandactivatedblacklisting erpcdautomatically crea...

Page 315: ...lacklists based on consecutive login failures xmax_total MAX_BL_ NONCON The number of non consecutive login failures a user is permitted before being blacklisted Valid values are 0 20 A value of 0 enables blacklisting upon any login failure not recommended The default as pre set by MAX_BL_NONCON is 10 If MAX_BL_NONCON is undefined and you do not specify xmax_total ACP never blacklists based on con...

Page 316: ...the case acp_dbm immediately exits on invocation and displays the message You must have root privilege to run acp_dbm Execute the acp_dbm utility from the directory containing erpcd Upon execution acp_dbm immediately sends a warning message to standard output for each user on the blacklist The message format is Warning Annex user userid may be under attack all logins for this account have been dis...

Page 317: ...2 Login failure on Tue Dec 12 12 49 49 1995 Login failure on Mon Dec 11 11 25 10 1995 c username Clears username from the blacklist and deletes all records of login failures for username Does not clear the password history or any other information about username in the acp_dbm database Before using this option investigate the account thoroughly so that you are confident it is not under attack d us...

Page 318: ...ot read or write to acp_dbm the message is Cannot read from write to acp_dbm database If the acp_dbm utility fails to read or write the acp_dbm database it generates the following message acp_dbm Error reading from writing to acp_dbm database If the utility detects the wrong protection it generates the following message acp_dbm Wrong protection not 600 on acp_dbm database If the ch_passwd utility ...

Page 319: ...ication The RA 6300 authenticates the client using Apple s DES encryption algorithm To define a user name and password for a registered as opposed to guest user see Creating the acp_userinfo File on page 15 249 Guest access The RA 6300 allows anonymous access to the network Restrictions can be applied to guests by setting up an ACP guest profile with limitations For more details see at_zone on pag...

Page 320: ... for the user by the administrator will be visible The administrator can specify the NVE filter on a per user basis This feature complements the existing zone list described above by offering a higher level of control The nve_filter entry in the acp_userinfo file specifies a list of filters on a per user basis For detailed information on creating nve_filter entries see at_nve_filter on page 15 265...

Page 321: ...ble to other systems such as the RA 6300 Using PPP Security The RA 6300 supports two authentication protocols for PPP Password Authentication Protocol PAP Challenge Handshake Protocol CHAP Both of these protocols are run over the PPP link after the LCP negotiations are complete for more details on using a PPP link see Point to Point Protocol PPP on page A 87 Password Authentication Protocol PAP PA...

Page 322: ...inst the global port parameters user_name and port_password If the enable_security parameter is set to Y and the slip_ppp_security parameter is set to N the RA 6300 uses local security i e it compares the remote end s user name password against the global port parameters user_name and port_password If the user name password combination is valid the RA 6300 sends a PAP Authenticate ACK message If t...

Page 323: ... Currently the only encryption algorithm supported is MD5 The secret token must be distributed to both sides of the link by an external mechanism ACP is used only when the RA 6300 is authenticating a peer CHAP does not use the acp_regime file The secret token is defined within an entry option called chap_secret in the acp_userinfo file for more details see Creating the acp_userinfo File on page 15...

Page 324: ...in the response message is a result of running MD5 encryption on the secret token and the value in the challenge message If the RA 6300 receives a success message the link enters or remains in NCP negotiation otherwise the link is terminated The RA 6300 negotiates an authentication challenge from a peer only if the ppp_password_remote and ppp_username_remote parameters are set for this session CHA...

Page 325: ...t re issues the challenge for the defined number of retries ACP logging for CHAP includes the standard PPP login and reject It also logs whether or not a chap secret was found in the acp_userinfo file for more details on security logging as well as a sample log file see Host based Security Logging on page B 33 Re issuing a CHAP Challenge By default the RA 6300 sends a challenge only once at the ti...

Page 326: ...sername and password Second if ppp_username_remote and ppp_password_remote are not set the connection fails Table A 40 PPP Security Parameters and their Effect on RA 6300 Activity continued on next page If Then enable_security N ppp_security_protocol n a slip_ppp_security n a Request no PPP security incoming Do not log accesses in the ACP log file enable_security Y ppp_security_protocol none slip_...

Page 327: ...nable_security Y ppp_security_protocol chap slip_ppp_security N Use port_password for incoming secret token Do not log accesses in the ACP log file enable_security Y ppp_security_protocol chap pap slip_ppp_security Y Request CHAP in negotiation if it is NAKed by peer request PAP If using PAP use ACP for incoming user name and password If using CHAP use ACP for authentication sending username and c...

Page 328: ... provide this kind of protection is to pick one RA 6300 on the internal network to be the network s chokepoint or firewall through which all traffic to and from external networks must pass Then configure filters on that RA 6300 to block undesirable packets You can also use filtering to log in the syslog file traffic for security or network management purposes For the RA 6300 filtering applies only...

Page 329: ...he user name and password to the Kerberos library routine for authentication The Kerberos library routine returns a ticket to ACP indicating whether or not the user is authenticated If the Kerberos server authenticates the user it encrypts the ticket with the user s password before returning it to ACP If the Kerberos server rejectstheuser itreturnsanerrorcode andACPrefusestheloginattempt In either...

Page 330: ... old version as a back up in case of problems 5 Terminate the executing erpcd and start up the new version If both the primary and secondary ACP servers are defined it is important that both the primary and secondary ACP servers support Kerberos authentication for consistency Configuring the RA 6300 for Use with Kerberos Authentication To configure the RA 6300 for use with Kerberos authentication ...

Page 331: ...r Releases 2 1 1 and 2 2 ACE Server is supported using ACP and is limited to those UNIX platforms for which the vendor provides client libraries Using the SecurID Card To use the SecurID card feature you must purchase the ACE Server software from Security Dynamics The ACE Server software includes client software and the SecurID card The ACE Server system is designed to prevent any unauthorized acc...

Page 332: ...ty at least one person in your SecurID system has the authority to manage the ACE Server system and all its databases including changing any relevant information Clients An ACE Server UNIX Client is a TCP IP machine connected via a networktotheACE Server Wheneveraclientsendsauser authentication request the ACE Server looks up the client s name For this name to be found all clients network addresse...

Page 333: ... Generating PINs The ACE Server software provides three options related to generating a new PIN CANNOT_CHOOSE_PIN MUST_CHOOSE_PIN USER_SELECTABLE Before installing the ACE Server software you must determine which of the above options your site will use The following is an overview of the available options See the ACE Server Manual for more information When The a SecurID card is assigned to a user ...

Page 334: ...IN mode USER_ SELECTABLE The user is given the option to select a PIN or have the system generate anddisplayanewPIN TheuserispromptedtoenteranewPINcontaining 4 to 8 alphanumeric characters or have the system generate a new PIN and display it or leave the SecurID card in New PIN mode Installation Copy Files to src sdclient During the Remote Annex software installation you must copy the following li...

Page 335: ...CURIDFLAG DSECURID_CARD DACE2_0 SECURIDFILES sdclient sdiclient a PASSFLAG DPASS_SEC to SECURIDFLAG DSECURID_CARD DACE2_0 SECURIDFILES sdclient sdiclient a PASSFLAG DPASS_SEC To integrate SecurID into ACP you must make changes in the erpcd utility When you have made the necessary changes to the Makefile rebuild the Remote Annex software See Re compiling erpcd later in this chapter Define Makefile ...

Page 336: ...igits only or alphanumeric characters is determined by the system administrator when installing the ACE Server If the user enters a PIN ACP prompts for the code s re entry the typed charactersarenotechoedbacktotheterminal There entrypromptlooks like this Please re enter PIN IftheuserisnotallowedtochoosethePIN thefollowingtextisdisplayed Press Return to generate a new PIN and display it or Ctrl D R...

Page 337: ... prompted again for user name and passcode when trying to use the CLI ppp command The user must enter the PIN and SecurID card code for the passcode If you do not want to be prompted a second time set ppp_sec_auto to Y 4 Set the RA 6300 parameters password and vcli_password and the port parameter port_password to the null string if you want the ACE Server system to authenticate all login attempts ...

Page 338: ...CP servers are used each user must be allowed access to both servers since either of them can authenticate a user by calling the ACE Server host Integrating SecurID into ACP Integrating the ACE Server software into ACP requires changes to the erpcd utility The following instructions assume that the ACE Server software is installed in a directory called usr ace and the RA 6300 software is installed...

Page 339: ...ient system from the ACE Server host Make sure the ACE Server UNIX Client is installed on the system that is running erpcd 4 Edit the Makefile file in the usr annex src erpcd directory vi Makefile 5 Kill the existing erpcd process your process number will vary ps ax grep erpcd 25493 IW 0 00 erpcd 25494 IW 0 00 erpcd 25797 p1 S 0 00 grep erpcd kill 25493 6 Rebuild erpcd see Re compiling erpcd on pa...

Page 340: ...ile looks like this Enable ACP by removing the pound sign from its entry The edited file looks like this 9 Run erpcd from the current directory or install the newly built erpcd in the usr annex directory by entering erpcd or mv usr annex erpcd usr annex erpcd old make install usr annex erpcd erpc remote programs prog noverlo verhi name 1 0 0 bfs 3 0 99 acp erpc remote programs prog noverlo verhi n...

Page 341: ...le CLI security on the ports to be protected by SecurID If you have a secondary server the new erpcd must be installed on that host and that host must be registered as a client in the ACE Server database A sample admin session looks like this admin set annex enable_security Y security_broadcast N admin set annex pref_secure1_host calvin admin set port cli_security Y admin reset port SecurID Backup...

Page 342: ...ent server approach now allows erpcd to communicate only with the SafeWord server through a client API The server then interfaces with the database Also another difference is that clients are allowed to be on different hosts ACP hosts serve as clients to SafeWord AS You can use SafeWord software for SLIP PPP IPX and ARAP sessions only when you start a session from a CLI port IPX users must connect...

Page 343: ... into ACP you must make changes in the erpcd utility You must install SafeWord On a host running erpcd On a UNIX system that has a development environment You compile the host tools on this system as opposed to using the binaries from the RA 6300 distribution tape In a directory named safelog and Annex software in the usr annex directory If you do not use these directory names you must substitute ...

Page 344: ...S acp_safeword c ENIGMAOFILES acp_safeword o __assert comes up undefined the default You must uncomment the following line as well ENIGMAFLAG DENIGMA_SAFEWORD DNET_ENIGMA_ACP DNEED_ENIGMA_ASSERT_PATCH Configuration Management Place a new file called safeword cfg in the annex installation directory This file is created as sid cfg when you install the SafeWord AS client Move and Rename the sid cfg F...

Page 345: ...Status Messages to Console ERROR 17 Send Status Messages to log File NONE 18 Status Message Log Filename sid log 23 Status Message Label sid 7482 Integrating SafeWord into ACP Before you use SafeWord you need to integrate SafeWord into ACP 1 As a superuser change to the usr annex src directory cd usr annex src 2 Create a directory called enigma mkdir enigma 3 Copy the libidpb a custpb h and custfa...

Page 346: ... erpcd is running on the host kill the existing erpcd process your process number will vary ps ax grep erpcd 25493 IW 0 00 erpcd 25797 p1 S 0 00 grep erpcd kill 9 25493 7 Rebuild erpcd make erpcd If you have linkage errors try running the ranlib utility on the sdclient a library ranlib enigma lipidpb a make erpcd 8 Install erpcd into the usr annex directory make install 9 Restart erpcd usr annex e...

Page 347: ...ll not run when a user accesses an RA 6300 Fixed Passwords System administrators can generate a user s initial fixed password and can set the password s expiration date When an existing password expires RA 6300 users can choose a new fixed password 1 If the expiration message appears after you enter your username and password press the Escape key and then press Return The Old Fixed Password messag...

Page 348: ...mic password that you enter at your terminal In Semi synchronous mode Enter the password from your previous session into the token which then displays a new password Enter the dynamic password at your terminal In Asynchronous mode The token displays a string called a challenge before you enter a dynamic password Enter the challenge into the token which generates a dynamic password Enter the dynami...

Page 349: ...rs the source host with the who database A subsequent who displays annex who In the above sample command display since the user has not yet logged into the ftp session no user name appears in the User field If the enable_security parameter is set to Y but a preferred security server is not configured or if enable_security is set to N the user is prompted for a user name and a password The RA 6300 ...

Page 350: ...ord for an added level of security If the enable_security parameter is set to Y and the preferred security server is not reachable the RA 6300 denies access to the FTP daemon When the validation process is complete the RA 6300 logs FTP access in the ACP logfile see Host based Security Logging on page B 33 and updates the who command display to look something like this annex who The RA 6300 FTP dae...

Page 351: ...tem packets such as ICMP messages and RIP updates Nor does the RA 6300 check incoming packets for the presence of the IP Security Option To set the IPSO for packets generated on a port 1 Use the na utility the superuser CLI admin command or SNMP to set the RA 6300 parameter enable_security to Y the default is N 2 Use na admin or SNMP to set the serial line port parameter ipso_class to one of the f...

Page 352: ...y Each time the security server grants or denies a request for user access the security server logs it Each event is logged as a message in an ACP log file The ACP log file can be the default acp_logfile located in the usr annex directory or an RA 6300 specific log file An RA 6300 specific log file is created by uncommenting the following statement in the acp_policy h file define SEPARATE_LOGS Onc...

Page 353: ...ssing a user s profile Modifying the Supplied Security Application You can modify the supplied security policy to create a security scheme that meets the needs of your network Some simple modifications involve changing system definitions in the file annex_root src erpcd acp_policy h More elaborate security policies may require modifying or replacing functions in the file annex_root src erpcd acp_p...

Page 354: ...LIDATION 0 Messages are logged to the security server host when users access the CLI but the message does not include a user name To disable the port password requirement make sure the following line is commented out i e enclosed in asterisks as follows define PORT_PASSWORD 1 Linking NIS Password File Verification to ACP You can enable several options in the acp_policy h file by removing the slash...

Page 355: ... 1 Modifying Message Formats in the ACP Log File The USE_SECONDS option in the acp_policy h file enables messages in the ACP log file to use a seconds since 1970 ten decimal digits format This format is most useful for automatic ACP log file parsing programs since these programs frequently need to do comparisons and arithmetic on dates This option is disabled by default You can enable USE_SECONDS ...

Page 356: ...he following lines in the acp_policy h file define ACP_PASSWD str sprintf str s acp_passwd install_dir define ACP_PTMP str sprintf str s acp_ptmp install_dir To change only the filename define ACP_PASSWD str sprintf str s new_filename install_dir define ACP_PTMP str sprintf str s new_tempfile install_dir To change the full pathname define ACP_PASSWD str sprintf str new_path new_filename define ACP...

Page 357: ...licy h file in the same way ifdef NATIVESHADOW define ACP_SHADOW str strcpy str etc shadow define ACP_STMP str strcpy str etc shadow tmp define ACP_LOCKFILE str strcpy str etc pwd lock define ACP_GROUP str strcpy str etc group else define ACP_SHADOW str sprintf str s acp_shadow install_dir define ACP_STMP str sprintf str s acp_stmp install_dir define ACP_LOCKFILE str sprintf str s pwd lock install...

Page 358: ...printf str s acp_userinfo install_dir define ACP_ESERVICES str sprintf str s eservices install_dir In the same way you can also change the expected prompts for default applications ifndef SECURID_CARD define ACP_USERPROMPT Annex username define ACP_PASSPROMPT Annex password define ACP_PERMGRANTD nPermission granted n define ACP_PERMDENIED 007 nPermission denied n define ACP_INCORRECT nUsername Pas...

Page 359: ...NINGT 007 nYour account expires after today n define ACP_EXPIRED Your password has expired n define ACP_NEWPASS Enter a new password define ACP_NEWPASS2 Re enter new password define ACP_PASSMATCH Entered passwords do not match Try again n define ACP_ACCESSCODEPROMPT Access Code define ACP_PHONEPROMPT Telephone Number define ACP_DIALBACKGRANTD nRequest accepted dialback in progress n define ACP_CLI...

Page 360: ...ult application define INPUT_TIMEOUT 30 define INPUT_POLL_TIMEOUT 3 define RETRIES_MAX 3 Locking the ACP Log File To prevent two or more host processes from logging a record simultaneously the RA 6300 erpcd code uses the host system call lockf to lock the ACP log file This lock prevents other processes from writing the file until the file update is complete There are two ways to use the system loc...

Page 361: ...ss must repeatedly send the lockf call the until the resource is available Once available the system call returns a success and the resource is acquired The F_LOCK cmd has been determined to be faulty on many hosts Failures can not be narrowed down to any particular hardware manufacturer or UNIX system There are to many OS revs and variables to sense the correct lockf method to use at installation...

Page 362: ...isabled by masking the su command Superuser CLI mode overrides ACP command masking You can disable several other CLI commands in the same way define bit to disable each maskable CLI command define MASK_BG 0x00000001 define MASK_CALL 0x00000002 define MASK_FG 0x00000004 define MASK_HANGUP 0x00000008 define MASK_HELP 0x00000010 define MASK_HOSTS 0x00000020 define MASK_JOBS 0x00000040 define MASK_KIL...

Page 363: ...e code in the files annex_root src erpcd acp_policy c and annex_root src erpcd acp_policy h The program that executes ACP starts a new version of itself each time a security request is received from an RA 6300 A call is made to an ACP remote procedure which makes calls to functions in the ACP library to prompt for user names passwords etc When ACP gathers the information required to perform the au...

Page 364: ...cp_passwd The source files are in annex_root src erpcd where annex_root is the directory to which the RA 6300 s source code was copied To re compile 1 cd to annex_root src 2 To re compile only erpcd enter the command make erpcd 3 To re compile both erpcd and ch_passwd enter the command make all 4 To install enter the command make f make config f Makefile install This saves the old version of erpcd...

Page 365: ... or etc shadow file on the ACP host If ACP is configured to record password histories it saves the passwords set via the ch_passwd command ACP keeps these passwords in the acp_dbm database on the security host keyed by user name The value of the STORED_PASS variable in acp_policy h determines the number of passwords saved This variable is initialized to 6 for passwd shadow files and 0 for passwd f...

Page 366: ...rce files for both are provided with the RA 6300 software distribution and are located in the annex_root src erpcd directory For instructions on recompiling both see Configuring Hosts and Servers on page A 209 Table A 42 Supported Argument for ch_passwd Argument Description s directory Specifies the directory for the security files acp_passwd and if configured acp_shadow defaults to the defined in...

Page 367: ...3 Display PRI B channel assignment information pri b command See Displaying PRI B Channel Assignments on page 1 4 Control PRI calls pri call command See Controlling PRI Calls Made to the RA 6300 on page 1 5 Display session parameter blocks sessions command See Displaying Active Session Parameter Blocks on page 1 7 Manage and display information about modems modem command and its arguments See Disp...

Page 368: ...rity events enable_security and syslog_port parameters See Logging User and RA 6300 Events on page 1 33 Display entries in the RA 6300 host table hosts and reset annex nameserver commands host_table_size parameter See Managing the Host Table on page 1 49 Display and maintain the Host ARP Address Resolution Protocol Table arp command and its arguments See Managing the ARP Table on page 1 32 Disable...

Page 369: ... information module version and firmware revision PRI type T1 or E1 Switch Type Telco switch from which PRI line originates Analog encoding method mu_law or a_law Number of PRI interface errors Call information Incoming calls accepted Incoming calls rejected Outgoing calls accepted Outgoing calls rejected Calls disconnected normally Calls disconnected abnormally e g interface errors Number of time...

Page 370: ...ex pri pri Sample Display Displaying PRI B Channel Assignments The superuser CLI pri b command displays information about active B channels that includes Call setup information elements received during call establishment that includes called number calling number and bearer Name of the SPB associated with the session operating over the B channel ...

Page 371: ...me port 2 0100 6175551212 vo modem 21m 3s asy8 Controlling PRI Calls Made to the RA 6300 The superuser CLI pri call command controls whether calls are accepted or denied by the RA 6300 The command has two options Allow which lets the RA 6300 accept calls made to it Stop which denies acceptance of new calls but lets currently established calls to continue By default the RA 6300 accepts calls made t...

Page 372: ... 6300 The RA 6300 does not currently support outgoing calls However the command does display outgoing call information pri call Command Syntax pri call Sample Display To perform this task Issue this command Learn current status of call acceptance denial pri call Allow incoming calls pri call allow incoming Allow outgoing calls pri call allow outgoing Stop acceptance of new incoming calls pri call ...

Page 373: ...e SPBs that are active on an RA 6300 sessions Command Syntax sessions Sample Display To display Issue this command SPB name and setup criteria for all active SPBs sessions SPB name setup criteria and parameter settings for all active SPBs sessions a SPB name and setup criteria for a single active SPB sessions l spb_name SPB name setup criteria and parameter settings for a single active SPBs sessio...

Page 374: ...and displays information that the RA 6300 has obtained from the network Using netstat you can display Active connections Ethernet statistics PPP statistics SLIP statistics AppleTalk statistics IPX statistics RIP statistics Routing table information Route cache information Dial out route statistics Rotary information Filtering statistics Memory statistics Protocol statistics ...

Page 375: ...s protocol and the internal state of the protocol for all active connections A Adds the protocol control block PCB addresses to the default display a Adds the sockets used by server processes to the default display can be used in combination with A C Displays the contents of the route cache i Displays the state of the hardware interfaces e g AppleTalk SLIP PPP as well as a dial out route s interfa...

Page 376: ...memory buffer allocation R Displays information about rotaries r Displays the routing tables including dial out routes ra Displays only Appletalk routes ri Displays only IP routes s Displays network protocol statistics LAT statistics display only if the correct lat_key value is set AppleTalk statistics display only if the correct option_key value is set rs Displays routing statistics t Displays th...

Page 377: ...ternal state of the protocol for all active connections Table B 3 lists the arguments for this command Table B 3 Arguments for the netstat Command Argument Description xm Displays information about the amount of memory available in the large and small IPX buffer pools xr Displays the routes defined in the RA 6300 s IPX routing table xr network_number Displays the RA 6300 route for that network xs ...

Page 378: ...istics for Ethernet Active connections including servers Proto Recv Q Send Q Local Address Foreign Address state tcp 0 2 annex1 telnet test1 4759 ESTABLISHED tcp 0 0 annex1 883 gibbs login ESTABLISHED tcp 0 0 annex1 1085 ale telnet ESTABLISHED tcp 0 0 annex1 1081 opus telnet ESTABLISHED tcp 0 0 annex1 1022 test1 login ESTABLISHED tcp 211 0 annex1 953 xzyx login ESTABLISHED tcp 0 0 annex1 1021 test...

Page 379: ...e network interface with a bad CRC Alignment Errors The number of frames received from the network interface that were both misaligned and have a CRC error Bad Type Length Fields The number of frames received from the network interface that have an unrecognized type field ethernet or an illegal length field 802 3 Buffer Drops The number of frames received from the network interface that were good ...

Page 380: ...al Collisions Detected The number of times a frame transmission is terminated due to a collision Max Collision Retries The number times consecutive collisions for a frame exceed the maximum collision retry limit Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Collis en0 1500 132 245 66 0 worm 26563 0 15085 744 0 en0 1500 10000 20000 18062 79 1626 0 823 0 0 lo0 1536 127 127 0 0 1 0 0 0 0 0 asy2 60...

Page 381: ... for UNIX Book B PPP Statistics The netstat ip port number command displays a summary of a PPP interface and its current state Table B 5 describes the fields in the netstat ip command display The netstat ip command display for an asy port asynchronous port on the RA 6300 looks like this annex netstat ip asy22 ...

Page 382: ...apter 1 Network Administration B 16 Book B The netstat ip command display for a ta port terminal adapter V 120 port on the RA 6300 looks like this annex netstat ip ta10 The netstat ip command display for a syn port synchronous PPP on the RA 6300 looks like this annex netstat ip syn7 ...

Page 383: ...P IPCP Options Shows the current and the prior state of the connection Any current setting other than Open indicates the link is not up The states are Closed The layer has shut down via an administrative or peer request Request sent The RA 6300 has sent a configure request and is waiting for an answer ACK received The RA 6300 has received a configure ACK and is waiting for a configure request ACK ...

Page 384: ... down AACK sent The RA 6300 has authenticated the peer Possible remote states for PAP security Initial No PAP security has been initiated AREQ sent The RA 6300 has sent the Authenticate Request message and is waiting for the response ANAK received The RA 6300 s Authenticate Request has been rejected by the peer the link will be coming down AACK received The peer has authenticated the RA 6300 Possi...

Page 385: ...13 starts 22 vectors 108 bytes 1874 pkts 13 FRAME_ENDs 22 FRAME_ESCs 32 bytes intr 144 bytes vec 17 vec pkt 8 bytes pkt 144 Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Collis en0 1500 192 9 200 annex1 648918 0 352845 0 0 lo0 1536 127 127 0 0 1 0 0 0 0 0 asy6 1006 192 9 200 annex1 0 0 0 0 0 asy13 256 192 9 200 annex1 0 0 0 0 0 Ethernet Address 00 80 2d 00 14 3d Frames Received 705482 Frames Tr...

Page 386: ...ued on next page Argument Description i Displays interface statistics ip port number Displays a specific RA 6300 PPP interface see PPP Statistics on page 1 15 z Displays the network zone list Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Collis en0 1500 132 245 66 0 worm 26563 0 15085 744 0 en0 1500 10000 20000 18062 79 1626 0 823 0 0 lo0 1536 127 127 0 0 1 0 0 0 0 0 asy2 604 18358 18062 79 0 0...

Page 387: ... 2 packets received 1 802 2 packets sent 0 ATALK packets sent 0 AARP packets sent 0 ATALK packets received 0 AARP packets received 0 Unknown 802 2 types 0 Unknown 802 2 SAP s 0 Unknown SNAP org codes 0 Unknown SNAP ether types 0 132 245 33 22 4661 packets 132 245 33 34 5632 packets 132 245 33 228 4822 packets 132 245 33 238 4816 packets 132 245 33 138 9 132 245 33 254 1 packet Rooting Changes 1 Qu...

Page 388: ...iggered updates transmitted over the interface The RA 6300 sends triggered updates whenever it changes the hop count of a route It transmits them immediately even if it is not yet time for one of the regular update messages to be transmitted Rec d Displays the number of packets with or without errors received over the interface Sent Displays the number of output packets the RA 6300 tried to send o...

Page 389: ... 0 2 en0 132 245 11 0 24 132 245 44 22 UR 114 0 2 en0 132 245 12 0 24 132 245 44 22 UR 114 0 2 en0 132 245 22 0 24 132 245 44 22 UR 114 0 2 en0 132 245 33 0 24 132 245 44 22 UR 33 147 2 en0 132 245 34 0 24 132 245 44 22 UR 114 0 2 en0 132 245 44 0 24 UI fixed 8382 1 en0 bermuda 132 245 44 22 USH 114 0 2 en0 132 245 66 0 24 132 245 44 22 UR 114 0 2 en0 132 245 77 0 24 132 245 44 22 UR 114 0 2 en0 F...

Page 390: ...no other route for a destination If a name appears in the Destination field the entry is for a host route name servers do not have names for network routes However the RA 6300 does not always know a host s name NextHop The next router to which packets with the given Destination are sent If the Destination is a local interface this field displays an asterisk interface routes have no next hop Flags ...

Page 391: ...n RIP adds a route to the routing table it sets its usage value to 0 Every time the route is used RIP adds one to the value every thirty seconds RIP subtracts one from the value When the routing table reaches its maximum size of 256 entries RIP removes the route with the lowest usage value If there is a tie RIP removes the first route listed The values range from 9999999 for a route that has not b...

Page 392: ...is can be a back up route for a an interface that has a duplicate definition in the routing table For example if you define a subnet mask for a Proxy ARP serial interface and that mask is the same as the RA 6300 s en0 subnet mask the routes to that interface will be considered duplicates As a result the RA 6300 will store the en0 interface route in the routing table and the serial interface route ...

Page 393: ...efinitions for the command display The netstat f command display looks like this annex01 netstat f Table B 11 Field Definitions for the netstat f Command Int In hits Out hits Drop ICMP Syslog en0 0 0 0 0 0 asy1 0 0 0 0 0 asy2 0 0 0 0 Field Definition Int Displays the interface In hits Displays the number of packets that matched an input filter Out hits Displays the number of packets that matched a...

Page 394: ...ets 1024 mbufs allocated to SPD Layer RX Data Status 899 Kbytes allocated to network 31 in use 0 requests for memory denied Protocol Statistics The netstat s command displays statistics for the following protocols ICMP UDP TCP IP TMux LAT and DDP The LAT statistics display only if the correct lat_key value is set TMux statistics display only if the tmux_enable parameter is set to Y DDP statistics ...

Page 395: ...nation unreachable 2358 Input histogram echo reply 41 tmux 65 packets from upper levels 0 TMUX packets sent 0 not suitable to TMUX 0 dropped by TMUX 65 not able to TMUX 0 packets from IP 0 encapsulated packets received 0 TMUX checksum fails 0 TMUX other fails 1 TMUX ENQ packets sent lat 241 Total run messages received 228 Total run messages transmit 56382 Total service messages recv 3796 Total ser...

Page 396: ...nd After completing ping displays a summary of all echo replies received This display includes a calculation of the time in milliseconds that it takes to return the message if the number of data bytes is 8 or greater ping Command Syntax ping artv host databytes count Table B 12 lists the arguments for this command Table B 12 Arguments for the ping Command continued on next page Argument Descriptio...

Page 397: ...transmitted 4 packets received 0 packet loss round trip ms min avg max 12 20 37 Argument Description t Traces the path of a packet from the local host to the destination host and back displaying information about each router in the path This option allows you to see whether a packet arrived at and or returned from its remote destination and if not where it stopped The option is based on the Tracer...

Page 398: ...ble for hosts that do not implement ARP enabling communications between the host and the RA 6300 Using arp you can delete a specified entry and or create an entry for a host quit A created entry is permanent unless it is defined as temporary in which case the entry is deleted after 20 minutes An entry defined as published causes the RA 6300 to respond with its hardware address for the specified ho...

Page 399: ...ty server logs each event as a message to its ACP log file Security logging is enabled automatically when host based security is enabled for an RA 6300 using the parameter enable_security Events are logged to the security server that responded to the security request either granting or denying access requests When using back up security servers the ACP log file is located on each server To change ...

Page 400: ...ter streams When more than one host functions as a security server the log files can be merged and sorted by the date and time fields Following is a sample from a log file that pertains to PRI calls 132 245 11 14 210201c5 24 960603 104555 PRI manager call accept clg 6175552536 cld 0300 cldsa br voice 132 245 11 14 210201c6 24 960603 104649 cli hook login smith 132 245 11 14 210201ca 24 960603 1050...

Page 401: ...ndicates that the port type is V 120 and the letter s indicates that the port type is synchronous The number 24 indicates that this is twenty fourth port configured as an asynchronous port 960603 This is the date by year 96 month 06 and day 03 i e June 3 1996 104555 This is the time by hour 10 minutes 45 and seconds 55 i e 10 45 55 PRI Manager This is the name of the software module performing the...

Page 402: ...s and the amount of activity generated at each RA 6300 determines the frequency for moving and compressing the file Events written while using ARA or the dial back security feature have their own messages bad access code Users entered an unidentified access code for the defined username the login was terminated call back Users logged in with a known username and access code the RA 6300 calls back ...

Page 403: ...vents for a system running a 4 3BSD style syslog daemon or syslog to a port on the RA 6300 The RA 6300 parameter syslog_port defines the port to which logged messages are sent for more details see Using Event Logging on page A 40 The logged message includes The date and time of the event The name or IP address of the RA 6300 on which the event occurred The name of the event and PID of the RA 6300 ...

Page 404: ...mand to access another RA 6300 or other Remote Annex May 5 8 56 3 annex telnet_cmd 35 Telnet Begin 9 telnet annex1 Displaying User Activity When the CLI who command is issued for an RA 6300 it displays the user name the jobs the user is running when the connection began any idle time and the source of the connection This command also displays current users on other RA 6300s and on other hosts if t...

Page 405: ...ed to the RA 6300 All users connected to specific port or virtual CLI A specific user who user host or all users who host logged into a specific host Using abbreviations you can display a range of hosts or user names Displaying Internal Modem Information The superuser CLI modem command displays information about the RA 6300 internal modems Using the modem command and its arguments you can display ...

Page 406: ...6300 a Displays the configuration settings for the internal modems u modem range Makes failed modems available The command has no effect on any modems available busied out or in use m modem range Displays information about each modem specified in the number range depending on its current state If number range is not specified then information about all installed modems displays The following statu...

Page 407: ...aying RA 6300 Statistics The CLI stats command displays general RA 6300 statistics or statistics for one or more port types It can also display statistics for the internal CSU if present A typical stats command display for an RA 6300 on an Ethernet network looks like this The stats s command displays statistics for all port types ...

Page 408: ...stats m number_range command displays statistics for asynchronous ports in specified number range For example specifying a range of 1 through 8 stats sta1 8 displays statistics for the first eight synchronous asy ports The stats sta number_range displays statistics for terminal adapter ta ports in the specified number range For example specifying a range of 1 through 8 stats sta1 8 displays statis...

Page 409: ...n for the current 15 minute interval total Displays a summary of T1 PRI statistics information for the last 24 hours This option is available only if the pri fdl_type parameter is set to att see Table A 4 on page A 53 all Displays the T1 PRI statistics for each valid interval There are up to 96 intervals 15 minutes per interval for a 24 hour period The most recently recorded interval is displayed ...

Page 410: ...m History Thu Oct 10 12 29 33 1996 EDT NO SYNC Current Alarms RED NO SYNC LOSS OF SIGNAL Circuit ID T1 info Loopback mode no loopback Current Statistics Fri Oct 11 10 08 31 1996 EST Number of valid seconds 124 CRC6 Error Event 0 Out of Frame 1 ESF Error Event 2 Errored Seconds 104 Severely Errored Seconds 104 Unavailable Seconds 104 Bursty Errored Seconds 0 Loss of Frame Count 1 Controlled Slip Se...

Page 411: ...cting pulses on the T1 PRI network interface receiver When LOSS OF SIGNAL is not displayed the T1 PRI network interface is receiving pulses The loss of signal condition causes the T1 PRI engine to transmit AIS all ones unframed on the network interface When BLUE is displayed the T1 PRI engine is receiving AIS all ones unframed from the network When BLUE is not displayed the T1 PRI engine is not re...

Page 412: ... Seconds Part of the current report that indicates the number of seconds for which statistics data has been collected CRC6 Error Event A CRC6 error occurs when the six bit CRC field calculated by the customer installation based on the incoming DS1 signal does not agree with the CRC field contained in the DS1 signal received from the network Out of Frame An Out of Frame OOF event begins when any tw...

Page 413: ...ilable Seconds Unavailable Seconds is a count of 1 second intervals during which service is unavailable Bursty Errored Seconds A Bursty Errored Second BES is a second with more than one but less than 320 CRC error events Loss of Frame Count Loss of Frame Count is the number of times that frame synchronization has been lost Controlled Slip Seconds A Controlled Slip Second is a second with one or mo...

Page 414: ... serial ports control and tap The superuser CLI control command is a diagnostic tool that for a specified port allows you to set DTR and RTS or output a short test message The superuser CLI tap command accesses wire taps a serial port from a terminal The tap command will not work with PPP Using tap you can Observe the output to the port The command also displays keystrokes entered from your termin...

Page 415: ...rcumstances the order of displayed data may not match the actual time sequence of the events All input and output data is displayed Special characters and control line changes are stored in a limited buffer If these changes occur too rapidly they may be lost Managing the Host Table The host table contains this information for each host Host name Aliases if any IP address Multiple IP addresses if a...

Page 416: ... an IEN 116 server or an RWHO broadcast information from an IEN 116 server always updates current information received from an RWHO broadcast The RA 6300 also deletes entries The criteria for deletion depend on the source of the entry Each DNS response includes a time to live TTL When an entry reaches its full life default 60 minutes the DNS server is queried again If a DNS server recognizes the n...

Page 417: ...ost table The na or CLI admin command reset annex nameserver The reset annex nameserver command resets all name server parameters discussed in this section and flushes all entries from the host table Flushing the host table and resetting the name server does not remove down loaded entries from the gateway section of the configuration file Additionally the gateway section of the configuration file ...

Page 418: ... should exercise extreme caution when disabling modules If disabled_modules is set to a value other than none and server_capability includes the operational image no modules are disabled a syslog message announces this override The vci option disables the RA 6300 interface for VMS environments along with the following commands backwards change clear crash define disconnect forwardlis forward list ...

Page 419: ...ver_2 resolves the name during a connect to a host using rlogin or telnet If both name servers are down or they do not exist there will be up to a 45 second delay If the host to which the user ID is trying to connect is in not in the RWHO host table an error occurs the terminal displays a message informing the user that the name server is unreachable Hosts not Appearing in Hosts Display The hosts ...

Page 420: ...r Wrong Host Address in Host Table The RA 6300 assumes that the host described in the data part of the RWHO packet sent the packet and the IP header s source Internet address field contains the host s address Usually this assumption is correct because routers do not forward broadcast packets Some RWHO daemons do forward RWHO packets You can turn off RWHO at the RA 6300 by setting the rwho paramete...

Page 421: ...e for UNIX Book B All Network Ports are in Use The rlogin or telnet command is rejected after the user name is entered in response to the login prompt The error message all network ports in useindicatesthatallavailablepseudo terminalsareinuse OnBSDhosts update etc ttys and create more pseudo terminals in dev ...

Page 422: ...Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Chapter 1 Network Administration B 56 Book B ...

Page 423: ...view SNMP is a heavily used management protocol It operates over the User Datagram Protocol UDP which is part of the TCP IP protocol suite SNMP provides an easier and more efficient means of managing the RA 6300 The SNMP protocol can send queries to the SNMP agents located in each RA 6300 Each SNMP agent collects information about its RA 6300 and provides that information to the Network Management...

Page 424: ...es get set get next commands returns a response indicating the command s success or failure and returns the requested data for thegetandget nextcommands SNMPCommandsonpage2 62describes these commands in greater detail Message Delivery SNMP messages are encapsulated in UDP datagrams The UDP layer does not guarantee delivery The RA 6300 uses a time out and retry mechanism to guarantee the SNMP comma...

Page 425: ...enable the SNMP agent and define the operating characteristics of the SNMP daemon that controls the SNMP agent The gateway section of the configuration file contains four optional keywords for configuring the RA 6300 SNMP agent community traphost contact location The following subsections detail each of these keywords as well as the parameters required for use with SNMP A sample entry in the gatew...

Page 426: ...ter disabled_modules There is no notion of read only or read write communities You can specify up to four SNMP community names in the gateway section of the configuration file but each community requires a separate line The RA 6300 adds these communities to the SNMP agent s community table The syntax is snmp community name Defining Trap Hosts and Traps The RA 6300 employs two methods for defining ...

Page 427: ...he RA 6300 defaults to public You can specify up to ten static trap hosts in the configuration file but eachhostrequiresaseparateline SpecifythetraphostusingitsIPaddress RFC 1157 provides more details on communities and traps Table B 16 describes the supported SNMP traps The syntax is snmp traphost ipaddr Table B 16 Supported SNMP Traps Defining the Contact String The keyword contact defines the o...

Page 428: ... SNMP messages it receives By default the SNMP agent on the RA 6300 is enabled for more details see disabled_modules on page C 51 Defining the allow_snmp_sets Parameter The RA 6300 s default setting for the allow_snmp_sets parameter does not permit parameter value changes because the SNMP set command s header transmits the community string in clear text which may be a security risk To modify param...

Page 429: ...files provided in the directory annex_root src snmp must be compiled and included in your management station database before you can manage the RA 6300 Using SNMP set to Send Commands to the RA 6300 The private enterprise MIB objects allow you to change the configuration of the RA 6300 These configuration changes do not take effect until the RA 6300 is rebooted Action Description get Retrieves the...

Page 430: ...P set to write the desired value to the MIB object anxcReset To reset a single serial port use SNMP set to write the appropriate value to the character MIB object charPortReset defined in RFC 1316 that corresponds to the serial port to reset To reboot the RA 6300 set the desired image name to the MIB object anxcBootImage and set any boot warning message to the MIB object anxcBootMsg For a delayed ...

Page 431: ...rectory contains additional information about support for specific MIB objects MIB Defined in For information on restrictions MIB II RFC 1213 See Table B 18 on page B 67 AppleTalk MIB RFC 1243 See Table B 19 on page B 68 Dot3 Ethernet like Statistics MIB RFC 1389 See Table B 20 on page B 69 Rip2 MIB RFC 1389 See Table B 20 on page B 69 DS1 MIB RFC 1406 See Table B 24 on page B 72 MIB Defined in Fo...

Page 432: ... Annexes and standard MIBs listing the exceptions and restrictions placed on standard MIBs by the RA 6300 SNMP agent This section includes MIB Object Hierarchy Describing and Naming Objects Restrictions on Standard MIBs MIB Object Hierarchy MIBs define the hierarchy of managed objects MIB objects represent data that the RA 6300 can retrieve or configuration information that it can modify Describin...

Page 433: ...SNMP Agent does not use all objects in the supported standard MIBs This section lists the supported standard MIBs and outlines the differences between the Annex parameters and specific standard MIB objects RA 6300 Standard MIB Support on page 2 65 lists the supported standard MIBs RFC 1213 MIB II Restrictions The RA 6300 supports RFC1213 s system interfaces at ip icmp tcp udp and snmp groups It do...

Page 434: ...ble B 19 RFC 1243 AppleTalk continued on next page Object Name get set Restrictions Read Object Limitations ipRouteEntry Cannot create new rows none ipRouteProto none Returns only local 2 icmp 4 and rip 8 ipRouteType none Returns only invalid 2 direct 3 indirect 4 ipNetToMediaEntry Cannot create new rows none ipNetToMediaType Writes only invalid 2 dynamic 3 and static 4 Returns only dynamic 3 and ...

Page 435: ...B 20 RFC 1389 RIPv2 MIB Objects Object Name Restrictions Read Object Limitations atportStatus Read only None atportZone Read only None atportIfIndex Read only None ddpOutRequests Not supported None ddpInLocalDatagrams Not supported None ddpNoProtocolHandlers Not supported None ddpBroadcastErrors Not supported None ddpShortDDPErrors Not supported None ddpHopCountErrors Not supported None Object Nam...

Page 436: ...the char group with the restrictions outlined in Table B 22 Table B 22 RFC 1316 Character MIB Objects continued on next page Object Name Restrictions Read Object Limitations dot3StatsSQETestErrors Not supported None dot3StatsInternalMac ReceiveErrors Not supported None Object Name Restrictions Read Object Limitations charPortAdminStatus Read only Returns only enabled 1 disabled 2 off 3 charPortOpe...

Page 437: ...arPortAdminOrigin Read only None charPortName Read only None charPortSessionMaximum Maximum value is 16 None charSessKill Read only None charSessState None Returns only connected 2 charSessConnectionId None Returns only null charPort objects for virtual ports Read only read write objects apply only to physical ports None Object Name Restrictions Read Object Limitations rs232AsyncPortParity none 1 ...

Page 438: ...u are limited to setting default values The RA 6300 supports this MIB with the restrictions described in Table B 24 Table B 24 RFC 1406 DS1 MIB Objects Object Name Restrictions MIB Tables dsx1CurrentTable Not supported dsx1IntervalTable Not supported dsx1TotalTable Not supported DSX1ConfigTable dsxTimeElapsed Not supported dsxValidIntervals Not supported dsx1SendCode Not supported dsx1CircuitIdent...

Page 439: ... by the RA 6300 Location of Private MIB Files The standard MIBs reside in the annex_root src snmp directory Private MIB Filenames The software distribution provides this information in the following files MIB FIlename Description xylo smi Describes the structure of Xylogics management information bases xylo ports mib Contains all MIB object groups related to the management and configuration of por...

Page 440: ...g to the image_name parameter The MIB object name for image_name is preceded by the string iso org dod internet private enterprises xylogics annex annexcmds MIB Prefixes All MIB object names have a prefix that indicates the MIB in which it is defined Table B 25 lists these prefixes and their corresponding MIB Table B 26 lists the configuration parameters and the corresponding MIB object names Ther...

Page 441: ...d on next page Configuration Parameter MIB Object acp_key anxAcpKey allow_snmp_sets not applicable a_router anxAppleTalkRouter authoritative_agent anxAuthAgent broadcast_addr anxBcastAddr cli_prompt anxCliPrompt config_file anxConfigFile daylight_savings anxDaylightSavings default_zone_list anxAppleTalkDefZones disabled_modules anxDisabledModules enable_security anxEnableSecurity host_table_size a...

Page 442: ...xLoadDumpGateway load_dump_sequence anxLoadDumpSeq loose_source_route anxLooseSrcRoute max_vcli anxMaxVcli min_unique_hostnames anxMinUniqueHostNames motd_file anxMotdFile name_server_1 anxNameServer1Type name_server_2 anxNameServer2Type nameserver_broadcast anxNameServerBcast network_turnaround anxNetTurnAround node_id anxAppleTalkNodeId option_key anxOptionKey password anxPassword pref_dump_addr...

Page 443: ...uth anxRipAuth rip_routers anxRipRouteList routed anxRouted rwhod anxRwhod security_broadcast anxSecurBcast server_capability anxServerCap subnet_mask anxSubnetMask syslog_facility anxSysLogFacility syslog_host anxSysLogHost syslog_mask anxSysLogMask syslog_port anxSysLogPort tcp_keepalive anxTcpKeepAlive tftp_dump_name anxTftpDumpName tfpt_load_dir anxTftpDirName time_broadcast anxTimeBcast timez...

Page 444: ...The string iso org dod internet private enterprises xylogics annex precedes the MIB object names Table B 27 LAT specific Configuration Parameters vs MIB Object Name LAT specific na Parameter MIB Object circuit_timer anxCircuitTimer facility_num anxFacilityNum group_value anxLatGroupVal keep_alive_timer anxKeepAliveTimer lat_queue_max anxLatQueueMax retrans_limit anxReXmitLimit server_name anxServe...

Page 445: ...ription anxLatRecvRunMsgs total received run messages anxLatXmitRunMsgs total transmitted run messages anxLatRecvSlots total received slots anxLatXmitSlots total transmitted slots anxLatRecvBytes total received bytes anxLatXmitBytes total transmitted bytes anxLatDupMsgs total duplicate messages anxLatRexmitMsgs total retransmitted messages anxLatBadCircuitMsgs total bad circuit messages anxLatBadS...

Page 446: ...ic Objects continued MIB Object Name Description anxLatRecvFrames total received frames anxLatXmitFrames total transmitted frames anxLatIllegalFrames total illegal frames anxLatCircuitTimeouts total circuit time outs anxLatXmitSvcMsgs total transmitted service messages anxLatRecvSvcMsgs total received service messages anxLatUsedSvcMsgs total used service messages ...

Page 447: ...pecific Parameters vs MIB Objects Table B 30liststheIPX specificparametersandtheircorrespondingMIB object names The following string precedes the MIB object names iso org dod internet private enterprises xylogics annex Table B 30 IPX specific Parameters vs MIB Objects TMux Parameter MIB Object Name tmux_delay anxTmuxDelay tmux_enable anxTmuxEnable tmux_max_host anxTmuxMaxHost tmux_max_mpx anxTmuxM...

Page 448: ...The string iso org dod internet mgmt mib 2 interfaces precedes the MIB object names Table B 31 Interface Parameters vs MIB Objects Interface Parameter MIB Object rip_accept interfaceRipAccept rip_advertise interfaceRipAdvertise rip_default_route interfaceRipDefRoute rip_horizon interfaceRipHorizon rip_recv_version interfaceRipRecvVersion rip_send_version interfaceRipSendVersion rip_sub_accept inte...

Page 449: ...o org dod internet private enterprises xylogics annex ports portTable portEntry and appended by the port instance number The following string precedes the object names that are in the rs232 MIB iso org dod internet mgmt mib 2 transmission rs232 The string iso org dod internet mgmt mib 2 char precedes the MIB object names that are in the charlikeMIB Table B 32 Global Port Parameters vs MIB Object N...

Page 450: ...tion gpBcastDirection callBcastDirection char_erase gpLineEditCharErase callLineEditCharErase cli_imask7 gpGenericCliImask callGenericCliImask cli_inactivity gpTimerCliInactivity callTimerCliInactivity cli_security anxpCliSecurity connect_security anxpConnectSecurity control_lines gpSignalCtrlLines callSignalCtrlLines data_bits rs232AsyncPortTable rs232AsyncPortEntry rs232 AsyncPortBits forward_ke...

Page 451: ...eLine erase_word gpLineEditEraseWord callLineEditEraseWord forwarding_count gpTimerForwardCount callTimerForwardCount forwarding_timer gpTimerForwardTimer callTimerForwardTimer hardware_tabs gpLineEditHardwareTabs callLineEditHardwareTabs imask_7bits anxpImask7Bits inactivity_timer gpTimerInactivityTimer input_flow_control charPortTable charPortEntry charPortInFlowType input_is_activity gpTimerInp...

Page 452: ...er map_to_upper gpLineEditMapToUpper gpLineEditMapToLower max_cap_chall_int anxMaxChapChallInt max_session_count charPortTable charPortEntry charPortSessionMaximum mode gpGenericMode callGenericMode modem_var gpGenericModemVar callGenericModemVar need_dsr gpNeedDsr callSignalNeedDsr newline_terminal gpLineEditNewLineTerm callLineEditNewLineTerm net_inactivity gpNetInactivity callNetInactivity net_...

Page 453: ...OutputStartChar callSignalOutputStartChar output_stop_char gpSignalOutputStopChar callSignalOutputStopChar parity rs232AsyncPortTable rs232AsyncPortEntry rs232AsyncPortParity port_password anxpPortPassword port_server_security anxpPortServerSecurity tcp_keepalive gpGenericTcpKeepAlive call stop_bits rs232AsyncPortTable rs232AsyncPortEntry rs232AsyncPortStopBits tcp_keepalive gpGenericTcpKeepAlive ...

Page 454: ...enericTermVar tn3270_printer_host gpTn3270PrinterHost callTn3270PrinterHost tn3270_printer_name gpTn3270PrinterName callTn3270PrinterName toggle_output gpLineEditToggleOutput callLineEditToggleOutput user_name gpSecurityUserName callSecurityUserName PPP SLIP Parameter MIB Object allow_compression gpNetAllowCompression callNetAllowCompression address_origin gpNetPppDialupAddr callNetPppDialupAddr d...

Page 455: ...u ppp_ncp gpPPPNcp callPPPNcp anxPppNcp anxSyncPppNcp ppp_password_remote gpPPPRemotePasswd callPPPRemotePasswd ppp_security_protocol gpPPPSecurityProto callPPPSecurityProto ppp_username_remote gpPPPRemoteUser callPPPRemoteUser remote_address gpNetRemoteAddr callNetRemoteAddr slip_mtu_size gpSlipMtuSize callSlipMtuSize slip_no_icmp gpSlipNoIcmp callSlipNoIcmp slip_ppp_security gpNetSlipSecure call...

Page 456: ...trator s Guide for UNIX Chapter 2 Simple Network Management Protocol SNMP B 90 Book B Table B 35 Multi Link PPP Parameters vs MIB Objects Multi Link PPP Parameter MIB Object mp_mrru mpMrru mp_endpoint_option mpEndPointClass mp_endpoint_value mpEndPointValue ...

Page 457: ...by na The na utility can communicate with the RA 6300 only when the RA 6300 is running its operational code All na commands are taken from the na standard input you can run na interactively or provide it with input through a file or pipeline You can create a script file containing na commands to configure an RA 6300 This script file can save the configuration information for a specific RA 6300 and...

Page 458: ...at uniquely distinguish the name from any other name that may appear in the same context Type a new line character to end a command entry To continue an entry onto the next line type a backslash character immediately preceding the new line character To enter a space as an argument enclose it in double quotes Otherwise the space is assumed to be a delimiter The UNIX interrupt character usually CTRL...

Page 459: ... more RA 6300 parameters and values separated by white space space tab new line pref_load_addr 132 245 254 66 pref_dump_addr 132 245 254 66 interface_identifier Either en0 or port interface_parameters A list of one or more interface parameters with or without values separated by white space space tab newline rip_sub_advertise Y interface_set A list of one or more interface_identifiers separated by...

Page 460: ...s the RA 6300 broadcast Sends a broadcast message to one or more users on internal asynchronous ports copy Copies configuration parameters dumpboot Boots the RA 6300 and produces a dump echo Writes the remainder of the line to the standard output help or Displays help for commands and parameters interface Defines a default interface used with subsequent commands password Defines a default administ...

Page 461: ...t copy dumpboot read reset and set annex The annex command establishes a default annex_list that is used in subsequent commands Before issuing an na command specify the RA 6300 to which the executed command refers The RA 6300s you specify using the annex command become the default annex_list You can group several RA 6300s into a single list and then issue one command for the entire group of RA 630...

Page 462: ...2 245 6 40 frontlobby The following annex command displays a message identifying the specified RA 6300 its Internet address the number of serial lines it has and its software version command annex 132 245 6 1 132 245 6 1 Remote Annex 6300 Rx x The following annex command causes an RA 6300 to prompt for an administrative password provided that the password has been set and security has been enabled...

Page 463: ...down or if the wrong Internet address was entered using the annex command boot The boot command reboots all RA 6300s in the annex_list and optionally produces a dump of the RA 6300 s memory including the operational code You can set a time at which the boot is to take place The boot command can send a warning message to users attached to the RA 6300 Table C 3liststhesupportedargumentsforthebootcom...

Page 464: ... e g 15 15 indicates 3 15 p m HH MM The number of hours and minutes before the boot takes place e g 2 15 indicates a boot will occur in two hours and fifteen minutes annex_list Specifies the RA 6300s to be booted If you do not include an annex_list the command prompts for it Pressing the Return key accepts the default annex_list filename Identifies the name of the file in which the RA 6300 s image...

Page 465: ...ssage to modem users on specified internal asynchronous ports at the identified Remote Annex 6300s The syntax is broadcast async_port_set keyword annex_identifier message The async_port_set argument indicates the numbers of the internal asynchronous port s to which the message is to be broadcast For example a port set of 1 2 3 specifies internal ports asy1 asy2 and asy3 If the message requires mor...

Page 466: ... interface_set copy printer printer_number annex_identifier printer_set copy port annex_identifier Table C 5 Descriptions of the copy Command Command Description copy annex Copies all RA 6300 wide parameters except the IP address the administrative password the access control protocol key LAT key option key and the virtual CLI password from the specified RA 6300 to the annex_list copy interface Co...

Page 467: ...0 specified in the annex_list and then reboots the RA 6300 You can set the boot time and the dumpboot command sends a warning message to users attached to the RA 6300 Table C 6 describes the arguments for dumpboot The syntax is dumpboot aq HH MM annex_list filename warning The following is an example of the dumpboot command command dumpboot annex list return for default backhall filename return fo...

Page 468: ...umps and boots are to be performed If you do not include annex_list the command prompts for it Pressing the Return key accepts the default annex_list filename Identifies the name of the file in which the RA 6300 s image is maintained If you do not enter a filename the RA 6300 prompts for one Pressing the Return key at the prompt directs the RA 6300 to boot the default filename The RA 6300 requests...

Page 469: ...e script file created by the write command The syntax is echo message help The help or command displays on line help information about na Entering help without arguments displays a list of na commands Table C 7 defines the arguments for help The syntax is help command_name parameter_name syntax Table C 7 Arguments for the help Command command_name Displays the command syntax along with a descripti...

Page 470: ...mand or parameter name displays all entries beginning with the string The following example represents an abbreviated display command help t telnet_escape serial port parameter escape character to use with the telnet command a character term_var serial port parameter Terminal variable a string maximum sixteen characters time_broadcast annex parameter broadcast for time server to use if none found ...

Page 471: ...erface_set referring to the default annex_list is updated if a new annex command is issued Specifying all sets the default interface_ set to the global port interface plus en0 This example defines the default interface_set as the global port on the RA 6300 whose Internet address is 132 254 6 34 Specifying the global port indicates the interface set is for the PRI calls of protocol types SLIP and I...

Page 472: ...password password When accessing an RA 6300 with security enabled using the annex command na will try to match the RA 6300 s default password with the administrative password If they match access is authorized automatically if they do not match na prompts for the RA 6300 specific administrative password Enter a password for a given RA 6300 only once during an na session even if the RA 6300 is drop...

Page 473: ...meters manually using na or admin and reboot the RA 6300 before issuing the read command Also make sure the script file does not contain a different option_key setting if it does delete the setting before issuing a read The read command loads parameters even if the subsystem is disabled The following sample script file called testscript modifies RA 6300 parameters standard parameters for RA 6300s ...

Page 474: ...s reset annex annex_list annex_subsystem session reset interface interface_list keyword reset int_modem modem_range reset port async_port_list keyword reset sync sync_port_list keyword The allowed values for annex_subsystem are security motd nameserver macros lat syslog and all The reset annex session command causes the RA 6300 to re read the Session Parameter Blocks from the configuration file Ex...

Page 475: ...connections will use the new values existing circuits will continue to use the old values This keyword will not terminate existing LAT circuits annex macros Re reads the customized user interface macros annex motd Re reads the message of the day annex nameserver Resets the name server parameters and flushes the RA 6300 s host table annex security Resets the security parameters and reconnects to th...

Page 476: ...nterface_parameters port_parameters and pri_parameters and pri_b_parametersarguments require a name and a value separated by a space A space is required between each parameter argument You can enter more than one parameter argument with each command If you are entering multiple parameter arguments that require a new line precede the new line with the character Changes made to parameters take effec...

Page 477: ...ivity_timer 120 show The show command displays current RA 6300 interface global port or pri parameters The syntax is show annex annex_list keyword annex_parameters show interface interface_list keyword interface_parameters show port keyword port_parameters show pri keyword pri_line parameters show pri b range b_channel_parameters show annex Displays RA 6300 parameters show interface Displays inter...

Page 478: ...9 Keywords for the show annex Command continued on next page Keyword Parameters all Displays all RA 6300 parameters appletalk a_router default_zone_list node_id zone generic inet_addr subnet_mask pref_load_addr pref_dump_addr load_broadcast broadcast_addr load_dump_gateway load_dump_sequence image_name motd_file config_file authoritative_agent routed server_capability disabled_modules tftp_load_di...

Page 479: ... pref_secur1_host pref_secure2_host network_turnaround acp_key password allow_snmp_sets loose_source_route lock_enable passwd_limit chap_auth_name syslog syslog_mask syslog_facility syslog_host syslog_port time time_broadcast daylight_savings timezone_minuteswest time_server tmux tmux_enable tmux_max_host tmux_max_mpx tmux_delay vcli max_vcli cli_prompt vcli_security vcli_password vcli_inactivity ...

Page 480: ...t_stop_char ixany_flow_control need_dsr v120_mru generic mode location term_var prompt cli_interface data_bits stop_bits parity max_session_count allow_broadcast broadcast_direction imask_7bits cli_imask7 banner tcp_keepalive default_session_mode dedicated_arguments resolve_protocol ipx ipx_security lat authorized_groups latb_enable multisessions_enable ppp local_address address_origin metric slip...

Page 481: ... slip_ppp_security address_origin ppp_security_protocol ppp_ncp metric subnet_mask ppp_mru inactivity_timer input_is_activity output_is_activity reset_idle_time_on net_inactivity net_inactivity_units timers forwarding_timer forwarding_count cli_inactivity inactivity_timer input_is_activity output_is_activity reset_idle_time_on long_break short_break autodetect_timeout tn3270 printer_host printer_n...

Page 482: ..._auth and vcli_password Since the inet_addr parameter uniquely identifies the RA 6300 s location in the network it is not written to the script file and it is not restored during a read You must set this parameter manually You can remove the pound sign from the parameters written as comments in the script file enter valid data for their settings and issue a read command to copy or restore these pa...

Page 483: ...new RA 6300 specified in the annex_list defined using the annex command command write thirdfloor prm command annex 132 245 6 40 command read thirdfloor prm Following is an excerpt from the script file fronthall script annex 132 245 6 101 echo setting annex parameters set annex pref_load_addr 132 245 6 75 set annex pref_dump_addr 132 245 6 75 set annex load_broadcast Y set annex image_name set anne...

Page 484: ...Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Chapter 1 na Commands C 28 Book C ...

Page 485: ...how or copy configuration parameters for more details see na Commands on page C 1 The CLI admin command is a counterpart of na that runs locally on the RA 6300 The SNMP agent included in the RA 6300 software provides MIB objects that can be read and set by a standard SNMP management station these MIB objects correspond to the configuration parameters for more details see Simple Network Management ...

Page 486: ...92 9 200 0x64 For parameters requiring a yes no input use either Y or N These parameters are not case sensitive For parameters that define passwords the na admin command show displays only set or unset it never displays the values entered for the parameters If you forget a password after setting it you can reset it only by using the ROM monitor erase command to erase all of the RA 6300 s non volat...

Page 487: ...mmand set annex pref_dump_addr 0 2 set annex annex_parameter The set annex annex_parameter command sets all parameters that require a string value these parameters default to either a null string or unset For example to set image_name to its default a null string enter command set annex image_name 3 set annex annex_parameter default The set annex annex_parameter default command sets all other para...

Page 488: ...he set port port_parameter command sets parameters that have single character default values Enter the default value as a two character sequence consisting of the circumflex character followed by the at sign For example to set erase_word to its default value W enter command set port erase_word The set port port_parameter command sets parameters that require a string these parameters default to eit...

Page 489: ...et and show commands accept these keywords as arguments Table C 14 lists the keywords and the associated parameters that display with the show annex command Table C 15 lists the keywords and the associated parameters that display with the show interface command Table C 16 lists the keywords and the associated parameters that display with the show port command Table C 17 lists the keywords and asso...

Page 490: ...g_file authoritative_agent routed server_capability disabled_modules tftp_load_dir tftp_dump_name ipencap_type ip_forward_broadcast tcp_keepalive option_key session_limit output_ttl vcli max_vcli cli_prompt vcli_security vcli_password vcli_inactivity nameserver nameserver_broadcast max_chap_chall_int rwhod pref_name1_addr pref_name2_addr name_server_1 name_server_2 host_table_size min_unique_hostn...

Page 491: ...s_limit group_value vcli_groups multicast_timer multisessions_enable appletalk a_router default_zone_list node_id zone router rip_routers rip_auth ipx ipx_file_server ipx_frame_type ipx_dump_username ipx_dump_password ipx_dump_path ipx_do_checksum tmux tmux_enable tmux_max_host tmux_delay tmux_max_mpx Keyword Description all Displays all global port and en0 interface routing parameters rip_send_ve...

Page 492: ...ts resolve_protocol flow control_lines input_flow_control input_start_char input_stop_char output_flow_control output_start_char output_stop_char ixany_flow_control need_dsr v120_mru timers forwarding_timer forwarding_count cli_inactivity inactivity_timer input_is_activity output_is_activity reset_idle_time_on long_break short_break security user_name cli_security connect_security port_server_secu...

Page 493: ...no_icmp slip_tos address_origin net_inactivity_unit do_compression net_inactivity slip_ppp_security metric local_address ppp ppp_acm ppp_mru ppp_security_protocol ppp_username_remote ppp_password_remote ppp_ncp ppp_sec_auto address_origin mp_endpoint_address mp_endpoint_class appletalk at_guest at_nodeid at_security arap_v42bis tn3270 printer_host printer_name lat authorized_groups latb_enable mul...

Page 494: ...uter The Ethernet address of the network s A_Router The RA 6300 uses this value as a hint at start up When a Routing Table Maintenance Protocol RTMP message arrives from this Ethernet address the RA 6300 gleans the AppleTalk DDP address from the packet and tries to talk to the AppleTalk router The address is a hexadecimal Ethernet address e g 00 7F 12 33 44 55 The default is 00 00 00 00 00 00 acp_...

Page 495: ...ter replaces the dialup_addresses parameter for Release 13 2 and later Earlier releases do not recognize address_origin and require the use of dialup_addresses instead Option Description acp The RA 6300 passes its own address and the user name and port to the ACP host The host then determines the local and remote addresses for the link by searching for entries in the acp_dialup file local The RA 6...

Page 496: ...initiates compression A Y enables this parameter an N disables it The default is N analog_encoding ThisPRIlineparameterspecifiestheencodingtypeusedformodemcalls Valid values are a_law used for E1 PRI lines in Europe mu_law used for T1 PRI in the U S auto the default which uses a_law or mu_law as appropriate Typically you do not need to change this parameter To check that the correct value is being...

Page 497: ...r an N disables it The default is N at_nodeid This asynchronous port parameter defines the node ID hint used for an ARA client during connection establishment This parameter value is an AppleTalk address in the form net node The valid net values are 0 to 65534 The valid node values are 0 to 254 The default is 0 0 at_security This asynchronous port parameter turns on ACP service for an AppleTalk se...

Page 498: ...g a stats sm ports time command with a defined time interval the RA 6300 ignores an attention string with multiple characters autodetect_timeout This asynchronous synchronous port parameter specifies the number of seconds that the RA 6300 waits for auto_detect mode to identify an incoming call as PPP If the number of seconds is exceeded or the user enters a carriage return before the call is detec...

Page 499: ...ready established at your port from within the current session without returning to local mode When defining this value use a unique unused character such as Control B or a string of characters To clear an existing setting enter a null string The default is no control character sequence On virtual telnet ports the backward_key value is limited to one printable or Control character If the user trie...

Page 500: ...he subnet mask from 255 255 255 255 Thus in the previous example you subtract 255 255 255 252 from 255 255 255 255 to arrive at 0 0 0 3 If your network is not subnetted you can specify a network broadcast address In this case you set the network portion of the broadcast address to match the RA 6300 network address as determined by the intrinsic mask for the network class And you set the host porti...

Page 501: ... you specify port the RA 6300 sends broadcast messages out the port side of the connection buildout This PRI line parameter is applicable only to RA 6300s with internal CSUs It is a string defining the CSU transceiver line provided by the telephone company Valid values are 0db 7 5db 15db 22 5db The default is 0db chap_auth_name ThisAnnexparameterdefinesthecharacterstringthatisusedastheName fielden...

Page 502: ...ional use of the erase character deletes and displays another character The first character typed other than the erase character echoes a and the character e g typing asdf Delete Delete g echoes as asdf fd g This parameter has effect only at the CLI level circuit_timer This Annex parameter defines the time interval in tens of milliseconds between the transmission of LAT packets e g if you enter 9 ...

Page 503: ...rt immediately after exiting the last job cli_interface This asynchronous port parameter allows you to control the prompt that appears for VMS or UNIX environments Allowable values are vci and uci The default is uci When set to vci the Local prompt is displayed followed by the Username prompt the uci setting provides a standard UNIX interface with prompts defined by the cli_prompt and prompt param...

Page 504: ...strative password for CLI ports A Y enables this parameter an N disables it The default is N When cli_security is enabled the RA 6300 logs PPP SLIP logins logouts to the ACP log file Code Expansion a The string annex c A colon followed by a space d The current date and time in the following format Mon Mar 14 13 59 42 1991 i The RA 6300 s IP address j A new line character skip to the beginning of t...

Page 505: ...ve authorization to connect to a host on the network The supplied security policy scans the file install directory acp_restrict to authorize a connection to a host from the RA 6300 If authorization is not granted the connection is not made A Y enables this parameter an N disables it The default is N data_bits This asynchronous port parameter defines the number of data bits in a character This valu...

Page 506: ...bedded spaces within a zone name use the backslash character If you do not set this parameter the RA 6300 provides the network zone list The default is a null string default_session_mode This asynchronous port parameter defines the default session mode when the VMS interface is configured i e when cli_interface is set to vci Valid options are interactive passthru passall or transparent The default...

Page 507: ... parameter to its default value If disabled_modules is set to a value other than none and server_capability includes the operational image no modules are disabled a syslog message announces this override The vci option disables the RA 6300 interface for VMS environments along with the following commands backwards change clear crash define disconnect forward list logout resume set show If lat_key i...

Page 508: ...cifies the approximate distance in meters from the RA 6300 PRI interface to the external CSU Enter this as a range e g 0 25 as a single number e g 30 or as a unique part of a range e g 136 If you enter a single number the RA 6300 picks the range that the number falls into You can then use the pri show command to determine the range assigned Valid ranges are 0 25 26 65 66 100 136 185 166 185 and 18...

Page 509: ...erase_char This asynchronous port parameter defines a control character sequence fortheCLIerasecharacter ThedefaultistheDeletekey displayedas erase_line This asynchronous port parameter defines a control character sequence for the CLI line erase character The default is CTRL U U fdl_type This PRI line parameter specifies the type of Facilities Data Link supported by the telephone company for your ...

Page 510: ...port parameter specifies a character or string that reopens the next available higher numbered session already established at your port When defining this value use a unique unused character such as Control F or a string of characters To clear an existing setting enter a null string The default is no control character sequence Onvirtual telnet ports theforward_keyvalueislimitedtooneprintable or Co...

Page 511: ...0 uses the value that occurs first Setting forwarding_count to one or forwarding_timer to zero may have a severe effect on the network when heavy serial input occurs forwarding_timer This asynchronous port parameter sets the amount of time in ten millisecond ms intervals that can elapse before an RA 6300 forwards received data If new data arrives before the timer expires the RA 6300 resets the tim...

Page 512: ...is asynchronous port parameter allows the RA 6300 to convert ASCII tab characters to the correct number of spaces when a terminal does not support hardware tabs This occurs only at the CLI level A Y enables this parameter an N disables it The default is Y host_table_size This Annex parameter defines the number of entries allowed in the host table Allowable values range from 0 to 255 Entering 255 a...

Page 513: ...es all sessions and resets the port You can use the input_is_activity and output_is_activity parameters to define activity as input to the port or output from the port Setting these parameterstoNcausesthetimertorunindependentofactivity Allowable values range from 0 to 255 The default is 0 timer disabled If you want a port to reset after a given number of minutes regardless of any activity you must...

Page 514: ...flow control for input received from a device connected to an asynchronous port Table C 21 describes the valid options the default is bell Table C 21 Valid Options for the input_flow_control Parameter Option Description bell The RA 6300 rings the terminal bell sends G when its input buffer is full eia Flow control is delegated to a lower level e g a parallel port The control_lines parameter must b...

Page 515: ...t parameter defines the control character sequence that restarts input if the input_flow_control parameter is set to start stop The default is CTRL Q Q input_stop_char This asynchronous port parameter defines the control character sequence that stops input if the input_flow_control parameter is set to start stop The default is CTRL S S ipencap_type This Annex parameter specifies whether the RA 630...

Page 516: ...at interface When disabled the RA 6300 does not scan the interface list and does not copy broadcast packets A Y enables this parameter an N disables it The default is N ipso_class This asynchronous port parameter specifies the U S Department of Defense basic IP Security Option IPSO classification level included in TCP packets generated locally on RA 6300 CLI dedicated or adaptive asynchronous port...

Page 517: ...ll file server before the RA 6300 sends a dump file to the server The string size ranges from 0 to 16 characters The default is unset ipx_dump_path ThisAnnexparameterspecifiesthefullpathnamethatstorestheuploaded RA 6300 dump image on the Novell file server The string size ranges from 0 to 100 characters This parameter has no default value show_dump_username This Annex parameter provides a user nam...

Page 518: ...ress es with B channel s This parameter works only when the mode parameter is set to ppp The syntax is set pri b channel_range all ipx_network net_number increment net_number is a 4 byte Novell network number that the RA 6300 suggests for theremotePCclientonanIPXCP IPXoverPPP link Validvaluesare00000001 to FFFFFFFF or 0 Leading zeroes if any should be included The network number must be unique on ...

Page 519: ... or the keyword all which specifies all B channels If not specified 23 for PRI T1 lines or 30 PRI E1 lines IPX network numbers are assigned based on the value of increment net_number The IPX network number to be assigned to the B channel if only one channel is specified in channel_range or the IPX network number to be assigned to the first channel in channel_range increment An integer specifying h...

Page 520: ...example the Appletalk multicast address is 090007000000 of which the first octet 09 is 0000 1001 in binary therightmost1isthemulticastindicator Thesyntaxforspecifying this parameter is set pri b channel_range all ipx_node node _number increment Table C 23 describes the arguments used in the previous command If the client suggests any valid value for the node number that number will be used instead...

Page 521: ...d all which specifies all B channels If not specified 23 for PRI T1 lines or 30 PRI E1 lines IPX node numbers are assigned based on the value of increment node_number The IPX node number to be assigned to the B channel if only one channel is specified in channel_range or the IPX node number to be assigned to the first channel in channel_range increment An integer specifying how node _number is to ...

Page 522: ...ets serve only asnoticestoremotenodesthatthehost sservicesareavailable Allowable values range from 10 to 255 seconds The default is 20 seconds lat_key This Annex parameter restricts access to LAT related RA 6300 commands parameters functions and the LAT protocol within the RA 6300 Each RA 6300 requires a unique key value contact your supplier to obtain a LAT key After setting the key your system a...

Page 523: ...N XOFF and the cursor keys on the terminal line_erase This asynchronous port parameter allows an RA 6300 to echo line erase for a video terminal When enabled the RA 6300 erases all characters on the line and moves the cursor back to the beginning of the line When disabled the RA 6300 echoes the line erase character for hard copy terminals making the deleted line visible and positioning the print h...

Page 524: ... can list more than one interface by using commas to separate interface names Table C 24 describes the valid options Table C 24 Valid Options for the load_dump_sequence Parameter local_address This asynchronous synchronous global port parameter defines the IP address for the asy ta or syn port on the RA 6300 side of a link This IP address is used only when the mode parameter is set to slip or ppp ...

Page 525: ...onment s lock command A Y enables this parameter an N disables it The default is N login_password This Annex parameter specifies the password for all ports using a VMS interface The string size ranges from 0 to 16 characters For security reasons the RA 6300 displays this value as set or unset The default is unset This parameter works only when cli_interface is set to vci and login_port_password is...

Page 526: ...can remain inactive Valid values are 0 through 60 minutes Entering 0 sets the timer to 30 minutes The default is 30 This parameter works only when cli_interface is set to vci login_timeout This asynchronous port parameter enables a login timer when the VMS command interface is configured i e when cli_interface is set to vci A Y enables this parameter an N disables it The default is N long_break Th...

Page 527: ...f Source Route Failed When loose_source_route is disabled the RA 6300 will not forward any IPpacketsthathavetheStrictSourceRoutingandRecordorLooseSource Routing and Record options set The RA 6300 accepts these packets only if the RA 6300 itself is the ultimate destination If the packets are not addressed to the RA 6300 they are dropped and the RA 6300 sends an ICMP type Destination Unreachable mes...

Page 528: ...rom 1 to 16 The default is 3 max_chap_chall_int This Annex security parameter enables the RA 6300tore issueaCHAP challenge to a remote node at random times during the course of a PPP connection The parameter itself specifies the maximum number of seconds in the interval from which the RA 6300 randomly chooses the timestore issuethechallenge Validvaluesare0to65535 approximately 18 2 hours For examp...

Page 529: ...g rather than the full host name A Y enables minimum uniqueness an N disables it The default is Y mode This asynchronous port parameter sets the mode for access to an asynchronous port Table C 25 describes the valid options the default is cli Table C 25 Valid Options for the mode Parameter continued on next page Option Description arap Allows a port to perform as a network interface using ARAP aut...

Page 530: ...the connect command This option works with the dedicated_arguments parameter ipx Allows dial in Novell access ppp Allows a port to perform as a network interface using PPP IP packets are encapsulated by PPP rlogin Allows a port to communicate via the rlogin command Use this option in conjunction with the asynchronous port parameter dedicated_arguments slip Allows a port to perform as a network int...

Page 531: ... elapse between service announcement transmissions for the LAT protocol Allowable values range from 10 to 180 seconds The default is 30 multisessions_enable This Annex parameter allows multisessions to be managed on a terminal server basis When enabled terminals that support DEC s Terminal Device Session Management Protocol TD SMP can display two active windows simultaneously over one communicatio...

Page 532: ...Y enables this parameter an N disables it The default is N need_dsr This asynchronous port parameter allows an RA 6300 to use the DSR Data Set Ready signal to determine whether a device is attached to the corresponding asynchronous line The RA 6300 will not allow connection to a slave port and will not activate the CLI until the DSR signal is active If DSR is deactivated the connection to a slave ...

Page 533: ... inactivity timer is within five seconds if net_inactivity_units is set to seconds we recommend using a value for net_inactivity that is a multiple of five net_inactivity_units This asynchronous synchronous port parameter defines the units of time used for the port s inactivity timer Valid options are minutes or seconds The default is minutes Use this parameter in conjunction with net_inactivity I...

Page 534: ...ual time which typically is longer than the defined value This parameter works only when the enable_security parameter is set to Y Allowable values range from 1 to 255 The default is 2 Setting this parameter to a high number is not recommended unless a large timeout value is required for contacting for security slow hosts or waiting for a slow host s response to a security request newline_terminal...

Page 535: ...ith the RA 6300 Valid values are 1 23 for T1 PRI and 1 30 for E1 PRI The default is 0 which the RA 6300 interprets as 23 for T1 PRI connections in the U S and 30 for E1 PRI connections in Europe and Australia The only time you might want to change the default is in Europe where telephone company providers support PRI connections with fewer than 30 channels which can be cheaper option_key This Anne...

Page 536: ...trol or both and the device is wired properly start stop Specifies XON XOFF flow control independent of the control_lines parameter Upon receiving XOFF output_stop_char the RA 6300 stops sending output to the device Upon receiving XON output_start_char the RA 6300 starts sending output to the device The RA 6300 removes these characters from the data stream both Specifies both in band XON XOFF and ...

Page 537: ...ort parameter defines the control character sequence that restarts output if output_flow_control is set to start stop The default is CTRL Q Q output_stop_char Thisasynchronousportparameterdefinesthecontrolcharactersequences that stops output if the output_flow_control parameter is set to start stop The default is CTRL S S output_ttl This Annex parameter sets the time to live TTL for packets the RA...

Page 538: ...es from 0 to 15 characters If the RA 6300 is configured with an IP address the default administrative password is the RA 6300 s IP address in dotted decimal notation If the RA 6300 is not yet configured with an IP address and the administrative password has not been modified either via this parameter or via the CLI passwd command the default password is a null string If the RA 6300 is not configur...

Page 539: ...nes an asy ta or syn port password for local password protection You can use this password as a back up for host based security if the security servers do not respond or as an additional line of security after entering a user name password When using SecurID set port_password to a null string and do not set a port password in the acp_passwd file see Using the SecurID Card on page A 303 for more de...

Page 540: ...F The RA 6300 accepts any mask from the peer Values range from 0x00000000 to 0xffffffff The RA 6300 default is 0x00000000 The ppp_acm parameter is a bit mask that is set as follows ppp_acm for ASCII NUL decimal 0 is 2 to the power of 0 0x00000001 ppp_acm for ASCII SOH decimal 1 is 2 to the power of 1 0x00000002 ppp_acm for ASCII DC1 decimal 17 is 2 to the power of 17 0x00020000 ppp_acm for ASCII D...

Page 541: ...et in the ACCM If output_stop_char is 0 31 decimal the bit indexed by this parameter is set in the ACCM For example the initial ACCM sent to the peer is 0x000A0001 if ppp_acm is set to 0x00000001 i e the ASCII NUL character will not be sent and the following parameters are set as indicated input_flow_control start stop input_start_char S input_stop_char Q output_flow_control start stop output_star...

Page 542: ... The RA 6300 negotiates for these protocols only Valid settings are one or more of the following ipcp Internet Protocol Control Protocol atcp AppleTalk Control Protocol ipxcp Internet Packet Exchange Control Protocol mp Multilink PPP and ccp Compression Control Protocol Separate multiple protocols with commas You can also specify all to indicate all of the protocols which is the default For inform...

Page 543: ...et to Y and enable_security is set to Y and if the RA 6300 determines via a mode parameter of auto_detect that a dial in user is using PPP the RA 6300 uses the current value of ppp_security_protocol The default for ppp_sec_auto is N which specifies that no matter how the user is placed in ppp mode the RA 6300 interprets ppp_security_protocol as described next ppp_security_protocol This asynchronou...

Page 544: ...s for the preferred dump host This is the host to which the RA 6300 first tries to dump The default is 0 0 0 0 A dump is not sent if the address is set to the default value pref_load_addr This Annex parameter specifies the IP address for the preferred load host ThisisthehosttowhichtheRA 6300firstrequestsaloadofitsoperational code The default is 0 0 0 0 Set this address to the boot host s IP addres...

Page 545: ...rver that a DHCP client will attempt to discover as a backup source for DHCP services when the primary DHCP server does not respond A DHCP client will broadcast a DHCP message when the dhcp_broadcast parameter has been set to Y The address specified by pref_dhcp2_addr will be used only if pref_dhcp1_addr is non zero and does not respond The value for pref_dhcp1_addr may be set to 0 pref_name1_addr...

Page 546: ...arameter is set to Y The default is 0 0 0 0 pref_secure2_host This Annex parameter specifies the IP address of the host that is the back up server if the host specified in pref_secure1_host is not available This parameter works only if the enable_security parameter is set to Y The default is 0 0 0 0 printer_host This asynchronous port parameter specifies the IP address or fully qualified domain na...

Page 547: ...cter followed by a single character is compressed and stored as a single character in non volatile memory The maximum number of characters stored for the prompt string is 16 Since each formatting code consists of two characters the maximum string size is 32 characters String sizes smaller than 32 characters are rejected as bad values if they cannot be stored into 16 characters in non volatile memo...

Page 548: ...ber of a single B channel a list of B channel numbers separated by commas a range of B channel numbers separated by a hyphen or the keyword all which specifies all B channels If not specified 23 for PRI T1 lines or 30 PRI E1 lines IP addresses are assigned based on the value of increment ip_addr The IP address to be assigned to the B channel if only one channel is specified in channel_range or the...

Page 549: ...fore notifying the LAT user about a network failure Allowable values range from 4 to 120 The default value is 8 rip_accept This interface parameter defines the networks for which the RA 6300 accepts advertised routes Table C 28 lists the valid options the default is all Table C 28 Valid Options for the rip_accept Parameter Option Description access_spec Uses the form include exclude network_list w...

Page 550: ... unset if a null string is entered When unset authentication is turned off and all RIP packets are accepted The default is a null string rip_default_route This interface parameter allows an RA 6300 to advertise that it is the default router Valid values are 0 through 15 or off A value of 1 through 15 indicates the hop count that will be advertised A value of 0 or off turns off the advertisement Th...

Page 551: ...op value is included in RIP version 2 advertisements Valid options are never needed or always The default is needed rip_recv_version This interface parameter controls the RIP version s that an RA 6300 accepts Table C 31 describes the valid options for this parameter The default is both Table C 31 Valid Options for the rip_recv_version Parameter Option Description off Disables split horizon split E...

Page 552: ...r controls the RIP version s that an RA 6300 sends over the IP interface s Table C 32 describes the valid options for this parameter The default is compatibility Table C 32 Valid Options for the rip_send_version Parameter rip_sub_accept This interface parameter controls whether or not subnet routes are accepted over the SLIP PPP and Ethernet interfaces When enabled subnet routes are accepted when ...

Page 553: ... if the option_key parameter is set to the correct value If option_key is not set correctly the RA 6300 performs only passive RIP routing when the daemon is enabled When disabled no RIP routing occurs A Y enables this parameter an N disables it The default is Y rwhod This Annex parameter determines whether or not the RA 6300 listens for RWHO broadcasts when it builds the host table A Y enables thi...

Page 554: ...6 characters The default value is the physical Ethernet address represented as a hexadecimal value appended to the string LAT_ for example LAT_080002BF0020 service_limit This Annex parameter defines the maximum number of LAT services that an RA 6300 can maintain in its local service table When the table is full the RA 6300 removes the service that has been idle longest If all services are busy and...

Page 555: ...ompt after receiving a break of less than two seconds This occurs only at the CLI level A Y enables this parameter an N disables it The default is Y slip_mtu_size This asynchronous port parameter sets the maximum transmission unit MTU size on a SLIP CSLIP port This parameter forces the SLIP interface to use large 1006 or small 256 MTUs The default is small slip_no_icmp This asynchronous port param...

Page 556: ... port parameter allows an RA 6300 to send interactive traffic telnet rlogin and ftp control sessions before sending any other traffic This parameter provides a type of service based SLIP queuing A Y enables this parameter an N disables it The default is N stop_bits This asynchronous port parameter specifies the number of stop bits for a port Allowable values are 1 1 5 or 2 The default is 1 subnet_...

Page 557: ...cause routing problems sys_location This Annex parameter supplies LAT host location or identification information The string size ranges from 0 to 32 characters The default is a null string switch_type This PRI line parameter is a string specifying the type of switch provided by the telephone company for the PRI line Valid values are AT9 for the AT T 5ESS switch DMS for Nortel s DMS100 switch NI2 ...

Page 558: ... 4 3BSD logging this parameter is ignored and messages are logged by priority level defined by syslog_mask syslog_host ThisAnnexparameterdefinestheIPaddressofthehostthatlogsRA 6300 messages The default 0 0 0 0 causes the RA 6300 to broadcast its log messages syslog_mask This Annex parameter defines the priority levels that the RA 6300 logs The options are all none or a combination of levels separa...

Page 559: ...tion Valid values are 0 through 255 minutes A value of 0 sets the keep alive time to 120 minutes which is the default a value of 255 disables the keep alive mechanism The tcp_keepalive parameters for serial line ports and parallel ports override this parameter for those individual ports Priority Level Description emergency Hardware failures alert All RA 6300 reboots critical Configuration and init...

Page 560: ...ng 255 disables the keep alive mechanism for the port telnet_crlf This asynchronous port parameter converts a carriage return in a Telnet session to a carriage return followed by a line feed When disabled a carriage return translates to a carriage return followed by a null string A Y enables this parameter an N disables it The default is N telnet_escape This asynchronous port parameter defines the...

Page 561: ...thestringthatprecedesallfiles e g image name configuration and motd files when you boot an RA 6300 via tftp This string s value is determined by the system serving the tftp requests This string does not precede the tftp_dump_name time_broadcast This Annex parameter defines whether the RA 6300 broadcasts for the time if the preferred load host is not available or does not provide a time server A Y ...

Page 562: ...MT The default is 300 tmux_delay This Annex parameter defines the maximum number of milliseconds during which small packets can accumulate to form larger packets When the time expires the RA 6300 sends the multiplexed packet Valid values are 0 through 255 milliseconds Entering 0 sets this parameter to 20 The default is 20 Address Description loopback address Do not query for time service 0 0 0 0 Q...

Page 563: ...of host addresses allowed in the TMux address table If the number of host addresses exceeds the value entered here the RA 6300 discards the oldest entry Allowable values are 10 through 255 the default is 64 tmux_max_mpx This Annex parameter specifies the largest user packet that can be placed in a TMux packet The RA 6300 does not multiplex larger packets but passesthemdirectlytotheIPlayer Allowabl...

Page 564: ...s It allows you to change the number of bytes allowed in an incoming V 120 frame if your TA cannot handle the default of 256 bytes Valid values are 30 260 vcli_groups This Annex parameter specifies which LAT remote group code is assigned to virtual CLI users All virtual CLI users have the same group code Values are specified as a series of numbers separated by commas e g 1 5 7 or a range of number...

Page 565: ...curity For local password protection set the enable_security parameter to Y set the vcli_security parameter to N and define a password for this parameter As a back up for host based security setting this parameter causes the RA 6300 to request a password on a virtual CLI connection whenever the security server does not respond The default is unset Changes to this parameter take effect immediately ...

Page 566: ...ion Parameters C 110 Book C zone ThisAnnexparameterdefinestheAppleTalkzonenamethattheRA 6300 uses at start up The string size ranges from 0 to 32 characters You must separate zone names with spaces e g general pubs lab To escape embedded spaces use the backslash character The default is a null string ...

Page 567: ...s apply to the RA 6300 see Displaying RA 6300 Statistics on page B 41 The warning that the boot command can send is seen only by CLI users on modem connections PPP SLIP ARAP V 120 and sync users do not see it The following statement is meaningless The R6 x ROM Monitor compact command is incompatible with R7 0 and above Once the Annex boots the current operational image use only the CLI superuser c...

Page 568: ...ports only modem types defined in the Annex configuration file RA 6300 modem types are hard coded Also the RA 6300 supports two additional arguments to the modem command m and u For more information see Modems on page A 81 The pri superuser CLI command is available for use with the RA 6300 This command displays PRI information Issued with the b argument the pri command displays information about t...

Page 569: ...the RA 6300 The tap command has a new argument f Specifying this argument forces a tap to occur and allows you to tap across several calls on one internal port When configuring tn3270 to be run from the RA 6300 you will probably want to set the term_var parameter within an SPB not via na or admin since it is unlikely that all the terminals you use will have exactly the same characteristics The out...

Page 570: ...Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Chapter 3 Using the CLI Commands C 114 Book C ...

Page 571: ... to the RA 6300 New arguments are available with erpcd a revised description follows erpcd The erpcd or expedited remote procedure call daemon responds to all Annex boot dump and ACP security requests This daemon contains two programs bfs the block file server used to access host files and dump Annex images acp the Access Control Protocol program for host based security requests Table C 36 lists t...

Page 572: ...n the acp_policy doc file the acp_policy c file contains examples for more details on implementing code changes see Modifying the Supplied Security Application on page A 325 and Modifying the Code on page A 335 Table C 36 Supported Arguments for erpcd continued on next page Argument Description Dlevel Restarts erpcd in test mode on the load server host it does not detach from the tty and it prints...

Page 573: ...s not interfere with any other erpcd running on the system Parsing errors are printed on stderr Error messages are in the form filename line number severity description where filename is the name of the file number designates the line on which the error occurs severity is either an error or a warning error indicates there is a serious parsing error warning indicates the parser remedied the situati...

Page 574: ...failures For more information see Configuring Blacklisting on page A 286 g period The time period in weeks over which max_total is applied Login failures that occurred more than this number of weeks ago do not count toward blacklisting Valid values are 0 52 his value can also be set via the MAX_BL_NONCON variable in acp_policy h The default as pre set via MAX_BL_PERIOD is 26 If MAX_BL_PERIOD is un...

Page 575: ...3 for use with Kerberos A 301 acp_policy c file C 116 acp_policy doc file C 116 acp_policy h file A 332 acp_regime file A 245 to A 247 acp_restrict file arguments A 270 using for connection security A 269 acp_userinfo file A 199 to A 202 A 325 creating A 249 to A 268 using accesscode option A 252 to A 254 using at_connect_time option A 264 using at_nve_filter option A 265 to A 266 using at_passwd ...

Page 576: ...rity A 291 to A 292 ARA security and A 291 logging and A 292 NVE filtering and A 292 zone security and A 292 ARA A 183 logins B 37 security A 199 to A 201 A 291 ARAP A 183 arap command A 191 arap_v42bis parameter A 188 C 41 ARP table management B 32 arp command A 191 at_connect_time A 264 at_guest parameter A 189 at_nodeid parameter A 189 C 41 at_nve_filter A 265 to A 266 at_passwd A 266 at_securi...

Page 577: ...rameter A 296 C 45 chap_secret A 268 A 295 char_erase parameter C 46 circuit_timer parameter C 46 CLI masking commands A 333 prompt setting for environment customization A 44 to A 45 protecting A 221 virtual VCLI connections implementing local password protection A 218 setting limit on A 46 CLI commands C 111 to C 113 admin superuser command A 15 A 23 to A 26 arap user command A 191 arp superuser ...

Page 578: ...cast C 67 load_dump_gateway C 68 load_dump_sequence C 68 lock_enable C 69 login_password C 69 login_prompt C 70 login_timer C 70 loose_source_route C 71 max_chap_chall_int C 72 max_vcli C 72 min_unique_hostnames C 73 mop_password C 74 motd_file C 75 multicast_timer C 75 name_server_1 C 75 name_server_2 C 76 nameserver_broadcast C 76 network_turnaround C 78 node_id A 187 C 79 option_key A 185 A 187...

Page 579: ...erase_char C 53 erase_line C 53 erase_word C 54 forward_key C 54 forwarding_count C 55 forwarding_timer C 55 hardware_tabs C 56 imask_7bits C 57 inactivity_timer C 57 input_flow_control C 58 input_is_activity C 59 input_start_char C 59 input_stop_char C 59 ipso_class C 60 ipx_security C 65 latb_enable C 67 line_erase C 67 local_address C 68 location C 69 login_port_password C 69 login_timeout C 70...

Page 580: ..._b_channels C 79 switch_type C 101 RIP specific interface rip_accept C 93 rip_advertise C 94 rip_default_route C 94 rip_horizon C 95 rip_next_hop C 95 rip_recv_version C 95 rip_send_version C 96 rip_sub_accept C 96 rip_sub_advertise C 97 synchronous port allow_compression C 40 ppp_username_remote C 88 vs MIB objects B 75 to B 81 configuring Annex A 46 to A 50 for AppleTalk A 49 for use with SecurI...

Page 581: ...activity B 38 do_compression parameter C 52 Domain Name System server See also name servers using for Annex configuration A 35 dsx1_line_length parameter C 52 dump host setting for Annex configuration A 30 dumpboot command C 11 arguments for C 12 dumping configuring for Annex A 28 to A 33 using tftp A 33 Dynamic Host Configuration Protocol DHCP A 274 to A 276 E echo command C 13 echo parameter C 5...

Page 582: ...A 93 A 94 to A 95 reviewing and resetting for SLIP A 120 to A 122 vs MIB objects B 83 to B 88 group profile criterion A 239 group_value parameter C 56 groups creating for security A 244 H hardware_tabs parameter asynchronous port C 56 help command C 13 to C 14 arguments for C 13 host table built using RWHO messages A 38 management A 39 B 49 to B 51 resetting B 51 host_table_size parameter A 39 B 5...

Page 583: ...53 to A 182 accessing IP nodes via FastLink II A 171 buffer pools A 176 configuring for Annex A 50 configuring standards based A 171 disabling A 157 enabling A 155 to A 157 information obtaining A 171 to A 182 and statistics for interfaces 802 2 A 182 for frame type and network number A 180 for interfaces memory buffers routes RIPs and servers A 174 to A 180 for IPX connections A 181 for IPX state...

Page 584: ...load dump sequence setting for Annex configuration A 30 loading files A 16 local password protection for Annex A 34 for virtual CLI VCLI connections A 218 overview A 217 to A 222 local_address parameter A 104 asynchronous port C 68 configuring for dial in PPP A 102 A 171 configuring for dial up PPP A 127 A 128 location parameter C 69 lock_enable parameter C 69 logging A 292 event using syslog B 37...

Page 585: ...75 multicast_timer parameter C 75 multisessions_enable parameter C 75 N na annex command C 5 to C 7 boot command C 7 to C 9 broadcast command C 9 command notation C 2 to C 4 commands C 1 to C 27 introduction to C 1 list of C 4 list of arguments for C 3 copy command C 10 dumpboot command A 29 C 11 echo command C 13 help command C 13 to C 14 interface command C 15 password command C 16 protecting fr...

Page 586: ...t xr command A 177 using to display Annex route for network A 178 netstat xS command using to display additional line of information for each server A 180 netstat xs command using to display server names types and addresses A 178 network active connections B 11 administration B 1 interfaces for IPX A 175 number IPX A 180 testing B 30 troubleshooting B 53 to B 55 Network Control Protocol See NCP ne...

Page 587: ...r A 229 C 83 ports profile criterion A 241 PPP A 87 to A 113 AppleTalk over A 202 authentication type A 111 connecting single host using A 98 A 167 connecting to single host using with fixed addresses A 101 A 170 connecting two subnets A 102 link connecting two subnets A 103 routing across A 105 multilink synchronous A 13 negotiating compression type A 113 negotiating data compression A 110 negoti...

Page 588: ... A 29 PRI B channel parameters ipx_network C 62 ipx_node C 64 remote_address C 92 pri b command B 5 command syntax B 5 sample display B 5 pri call command B 5 command syntax B 6 sample display B 6 pri command B 4 commnad syntax B 4 pri B 3 B 4 pri b B 4 B 5 pri call B 5 B 6 sample display B 4 pri commands pri b A 118 A 123 A 124 PRI interface configuring A 52 to A 54 PRI line A 212 PRI line parame...

Page 589: ...meter C 96 rip_send_version parameter C 96 valid options for C 96 rip_sub_accept parameter C 96 rip_sub_advertise parameter C 97 route cache A 106 information B 26 routed parameter A 47 C 97 routes IPX A 177 routing across PPP link basic passive RIP A 105 table statistics and information B 22 to B 25 RWHO protocol A 37 B 49 rwhod parameter A 35 A 37 C 97 S SafeWord A 314 to A 321 backup security A...

Page 590: ...to A 232 disabling broadcasting for A 231 setting up ACP encryption key A 233 SLIP and PPP A 228 using filters for A 300 using Kerberos authentication for A 301 security profiles configuring etc group file A 244 configuring acp_regime file A 245 configuring acp_restrict file A 269 creating acp_group file A 244 creating acp_userinfo file A 249 creating user password files A 247 defining A 235 to A ...

Page 591: ...SLIP Configuration Samples A 124 to A 128 connecting a single device A 124 to A 127 connecting two subnets A 127 A 128 SLIP Overview for the RA 6300 A 115 slip_mtu_size parameter C 99 slip_no_icmp parameter C 99 slip_ppp_security parameter A 296 C 100 configuring for a PPP link A 99 A 168 configuring for dial in PPP A 102 A 171 slip_tos parameter C 100 SNMP B 57 to B 67 B 73 to B 75 Annex paramete...

Page 592: ...ve control lines B 42 stats o command A 157 stats p command using to display statistics for parallel ports B 42 stats s command using to display statistics for serial ports B 41 stats T command C 111 using to display T1 PRI line statistics B 43 stop_bits parameter C 100 configuring for dial in PPP A 102 A 171 configuring for dial in SLIP A 126 A 128 configuring for dial up PPP A 100 A 169 configur...

Page 593: ...rt Multiplexing See TMux protocol Trivial File Transfer Protocol See tftp troubleshooting B 53 to B 55 all network ports in use B 55 host table not displaying hosts B 53 network logins to BSD hosts invisible B 54 wrong address in host table B 54 TSTTY using for environment customization A 48 tuple in nve_filter entries A 265 to A 266 U User Datagram Protocol See UDP user validation disabling A 326...

Reviews:

No comments

Brands by name

Popular brands

Load more brands