Text-Based Configuration and Command Line Management Reference Guide

Compatible Systems Corporation
4730 Walnut Street, Suite 102
Boulder, Colorado 80301
303-444-9532
800-356-0283
http://www.compatible.com

Text-Based Configuration and Command Line Management Reference Guide. This document supports Router software version 4.5 and IntraPort version 5.1.X.

© Copyright 2000, Compatible Systems Corporation. All rights reserved. All product names and trademarks are the property of their respective organizations.

Part number: A00-1641

Compatible Systems Support:
Phone: (303) 444-9532, (800) 356-0283
FAX: (303) 444-9595
E-mail: [email protected]
Web site: http://www.compatible.com

TABLE OF CONTENTS

Introduction  1
configure  15
[ AppleTalk <Section ID> ]  23
[ AppleTalk Tunnels ]  32
[ BGP Aggregates ]  34
[ BGP General ]  35
[ BGP Networks ]  36
[ BGP Peer Config <Name> ]  37
[ BGP Peer List ]  39
[ Bridging <Section ID> ]  41
[ Bridging Global ]  43
[ Command Line ]  46
[ DECnet <Section ID> ]  47
[ DECnet Global ]  48
[ Domain Name Server ]  50
[ DS3 Interface <Section ID> ]  51
[ Dynamic Firewall Globals ]  52
[ Dynamic Firewall Logging ]  54
[ Dynamic Firewall Path <Name> ]  57
[ Ethernet Interface <Section ID> ]  70
[ Frame Relay <Section ID> ]  71
[ General ]  75
[ HSSI Interface <Section ID> ]  79
[ IKE Policy ]  80
[ IP Loopback ]  81
[ IP Protocol Precedence ]  82
[ IP Route Redistribution ]  83
[ IP <Section ID> ]  86
[ IPX <Section ID> ]  97
[ IPX Tunnels ]  102
[ L2TP General ]  104
[ LDAP Auth Server ]  106
[ LDAP Config <Name> ]  108
[ Link Config <Section ID> ]  110
[ Logging ]  115
[ Multilink PPP <Name> ]  117
[ NAT Global ]  119
[ OSPF Area <Name> ]  123
[ OSPF Virtual Link <Name> ]  125
[ PPP <Section ID> ]  127
[ Radius ]  131
[ RS232 Interface <Section ID> ]  135
[ SecurID ]  137
[ SMDS <Section ID> ]  138
[ SNMP ]  139
[ SNMP CommunityString <Name> ]  141
[ SNMP Trap <Name> ]  142
[ T1 Interface <Section ID> ]  143
[ Time Server ]  147
[ Tunnel Partner <Section ID> ]  149
[ V.35 Interface <Section ID> ]  156
[ VPN Group <Name> ]  157
edit config  168
[ AppleTalk Filter <Name> ]  171
[ Auth ]  178
[ BGP Route Map <Name> ]  180
[ Chat <Name> ]  185
[ IP Filter <Name> ]  189
[ IP Route Filter <Name> ]  198
[ IP Static ]  202
[ IPX Filter <Name> ]  205
[ IPX Route Filter <Name> ]  209
[ IPX SAP Filter <Name> ]  212
[ NAT Mapping ]  216
[ VPN Users ]  218
apply(mgmt)  223
bgpenable(mgmt)  224
boot(mgmt)  225
enable(mgmt)  226
exit(mgmt)  228
help(mgmt)  229
interface(mgmt)  230
ipxping(mgmt)  231
ospfenable(mgmt)  233
ping(mgmt)  234
save(mgmt)  236
sys(mgmt)  237
tftp(mgmt)  240
traceroute(mgmt)  242
vpn tunnel(mgmt)  244
write(mgmt)  245
ip arp(add)  246
ip route(add)  247
chat(edit)  250
filter(edit)  251
appletalk(reset)  252
arp(reset)  253
bgp(reset)  254
config(reset)  255
decnet(reset)  256
ip(reset)  257
ipx(reset)  258
ospf nbr(reset)  259
resevent(reset)  260
securid secret(reset)  261
statistics(reset)  262
bridge(set)  264
ppp quality(set)  269
smds(set)  271
system log(set)  272
terminal(set)  275
wan connect(set)  277
wan csu(set)  279
wan ds3(set)  281
wan hssi(set)  282
all(show)  284
appletalk(show)  286
arp(show)  292
bgp(show)  294
bridge(show)  300
config(show)  307
decnet(show)  311
ethernet(show)  314
firewall(show)  317
frelay(show)  326
history(show)  328
ip(show)  330
ipx(show)  338
l2tp(show)  343
mppp(show)  345
nat(show)  347
os(show)  352
ospf(show)  354
ppp(show)  361
radius(show)  366
routing(show)  369
securid(show)  370
smds(show)  372
statistics(show)  375
system(show)  377
version(show)  379
vpn(show)  380
wan(show)  385
Appendix A: Default Sections and Default Values  403
Appendix B: Configuration Variable Types  408
Index  411

Introduction

Purpose and Scope of this Manual

The TEXT-BASED CONFIGURATION AND COMMAND LINE MANAGEMENT REFERENCE GUIDE is intended for use by the system administrator who will configure and maintain a Compatible Systems networking device. This manual includes information on the Command Line interface and documentation of the text-based configuration for most Compatible Systems devices.

Note: The only Compatible Systems devices which do not support text-based configuration are the RISC Router 3000E and the MicroRouter 1000R. Users should consult the Command Line Reference Guide which was shipped with their router for configuration and management information.

Each device is shipped with an Installation Guide which includes installation instructions and offers basic configuration parameters which will be appropriate for many network applications.

For the latest documentation on Compatible Systems products, including the most current version of this manual, visit the Technical Support section of our Web site at http://www.compatible.com.

Creating Configurations with CompatiView

All of the products in the Compatible Systems networking family can be managed from a single remote management platform called CompatiView. CompatiView provides a Graphical User Interface (GUI) and is by far the easiest way to create a configuration for a device. See the CompatiView Reference Guide for information on how to use CompatiView.
Introduction to Command Line Management and Text-Based Configuration

The Command Line Manager features text-based configuration and allows you to configure and manage the device and perform various network diagnostic functions.

Sessions can be established by directly attaching a terminal or a computer running terminal emulation software to the system Console port (the RISC Router 3000E console port is "LocalTalk/Serial A"). This connection is at 9600 Baud, 8 bits, and no parity. Sessions can also be established by connecting via telnet to an IP address of the device. See the Installation Guide for your device for more information.

Both methods of establishing a session require that the system passwords be entered before any commands can be entered. The default passwords as shipped from the factory are letmein. It is strongly recommended that the password be changed using the [ General ] section. Once the passwords are set, the same passwords are used by CompatiView.

Modes of Operation

There are two modes of operation in the Command Line interface, supervisor and normal modes. All operations that do not modify the system configuration or display critical (security related) information are permitted in normal mode. This mode of operation is protected by the password. In normal mode, the command prompt ends in a ">".

Supervisor mode is protected with the enable password. If no enable password has been configured, then the regular password will be used. There are two ways to enter supervisor mode. If a privileged command is entered, the user will be prompted for the enable password, and if successful, the user will be in supervisor mode. The other way is to use the enable command (see enable(mgmt)). The command prompt for supervisor mode ends with a "#". If there is no activity for 5 minutes, supervisor mode will time out.

Types of Commands

There are two basic types of commands, configuration commands and management commands.
Note: Some of the commands described in this manual may not exist on every system. Some of the commands are hardware-specific; if the hardware platform has no WAN interfaces, commands that are WAN-specific will not exist. Other commands are related to software features such as bridging that may not be available with all releases.

The charts on the following pages show how the commands and configuration sections are grouped within this manual.

CONFIGURATION COMMANDS

A text-based configuration is a collection of section headings followed by keywords or other data which define device settings. The configuration commands allow you to edit, create and manage these sections.

configure

This command enters the configuration editor which allows you to add or modify configuration variables using keyword and value pairs and ensures that they are syntactically correct. As an added benefit, within the configuration editor, all of the management commands are still available.
The following sections are configured using the configure command:

[ AppleTalk <Section ID> ]
[ AppleTalk Tunnels ]
[ BGP Aggregates ]
[ BGP General ]
[ BGP Networks ]
[ BGP Peer Config <Name> ]
[ BGP Peer List ]
[ Bridging <Section ID> ]
[ Bridging Global ]
[ Command Line ]
[ DECnet <Section ID> ]
[ DECnet Global ]
[ Domain Name Server ]
[ DS3 Interface <Section ID> ]
[ Dynamic Firewall Globals ]
[ Dynamic Firewall Logging ]
[ Dynamic Firewall Path <Name> ]
[ Ethernet Interface <Section ID> ]
[ Frame Relay <Section ID> ]
[ General ]
[ HSSI Interface <Section ID> ]
[ IKE Policy ]
[ IP Loopback ]
[ IP Protocol Precedence ]
[ IP Route Redistribution ]
[ IP <Section ID> ]
[ IPX <Section ID> ]
[ IPX Tunnels ]
[ L2TP General ]
[ LDAP Auth Server ]
[ LDAP Config <Name> ]
[ Link Config <Section ID> ]
[ Logging ]
[ Multilink PPP <Name> ]
[ NAT Global ]
[ OSPF Area <Name> ]
[ OSPF Virtual Link <Name> ]
[ PPP <Section ID> ]
[ Radius ]
[ RS232 Interface <Section ID> ]
[ SecurID ]
[ SMDS <Section ID> ]
[ SNMP ]
[ SNMP CommunityString <Name> ]
[ SNMP Trap <Name> ]
[ T1 Interface <Section ID> ]
[ Time Server ]
[ Tunnel Partner <Section ID> ]
[ V.35 Interface <Section ID> ]
[ VPN Group Config <Name> ]

edit config

This two-word command allows you to create and manage complex lists such as filter and chat sections. These special sections do not have keyword and value pairs. The edit config command can also be used as a line editor for the entire configuration. The list that follows includes sections which are configured using the edit config command. Some of these sections can also be configured using the edit command (see the edit section under Management Commands).

[ AppleTalk Filter <Name> ]
[ Auth ]
[ BGP Route Map <Name> ]
[ Chat <Name> ]
[ IP Filter <Name> ]
[ IP Route Filter <Name> ]
[ IP Static ]
[ IPX Filter <Name> ]
[ IPX Route Filter <Name> ]
[ IPX SAP Filter <Name> ]
[ NAT Mapping ]
[ VPN Users ]

MANAGEMENT COMMANDS

The management commands allow you to perform a variety of diagnostic and management operations. In this manual, the management commands are broken down into the following sections, and the commands are alphabetized within the sections:

mgmt - Miscellaneous management commands that don't fit into other sections.
  apply - Apply config without restart
  bgpenable - Enable BGP
  boot - Restart the device
  enable - Enable privileged commands
  exit - Exit the command loop parser
  help - Display context-sensitive online help info
  interface - Set current interface
  ipxping - Ping a remote machine over IPX
  ospfenable - Enable OSPF
  ping - Ping a remote machine
  save - Save edited config
  sys - Various system related commands
  tftp - Initiate TFTP software downloads
  traceroute - Route tracing to remote machine
  vpn tunnel - Establish or tear down a LAN-to-LAN tunnel
  write - Write config to Flash

add - Runtime commands to add IP entries.
  ip arp - Add a static IP ARP cache entry
  ip route - Add a static IP route

edit - Commands to edit complex lists and the format of those lists.
  chat - Create and edit chat scripts
  filter - Create and edit protocol filter sections
  Note: The function of these "legacy" commands is duplicated by the edit config command.

reset - Commands to delete items from tables and simple lists, and commands to manage configurations and statistics kept by the system.
  appletalk - AppleTalk statistics and tables
  arp - Delete ARP table entries
  bgp - Reset BGP session
  config - Restore flash config, deleting any changes
  decnet - Delete DECnet routing table entries
  ip - Reset IP statistics and tables
  ipx - Delete entries from IPX tables
  ospf nbr - Reset OSPF adjacency with a neighbor
  resevent - Clear restart event information
  securid - Reset SecurID secret
  statistics - Reset statistics

set - Commands to set certain runtime configuration parameters.
  bridge - Set bridge config parameters
  ppp - Set PPP protocol settings
  smds - Enable or disable SMDS keepalive
  system - Set system parameters
  terminal - Set terminal parameters
  wan - Set WAN and AUX port hardware parameters

show - Commands to display tables and configuration parameters.
  all - Complete configuration
  appletalk - AppleTalk config, status and statistics
  arp - ARP table
  bgp - BGP config and statistics
  bridge - Bridge config, status and statistics
  config - Show device configuration
  decnet - DECnet config and routing
  ethernet - Ethernet information
  firewall - Firewall config and statistics
  frelay - Frame Relay config and statistics
  history - Command history
  ip - IP config and statistics
  iprouting - Runtime IP route filters
  ipx - IPX config and routing
  ipxrouting - Runtime IPX route filters
  ipxsap - Runtime IPX SAP filters
  l2tp - L2TP config and statistics
  mppp - Multilink PPP config and statistics
  nat - NAT config and statistics
  os - Operating system information
  ospf - OSPF config and statistics
  ppp - PPP information
  radius - Radius config and statistics
  routing - Routing tables
  securid - SecurID statistics and servers
  smds - SMDS config and statistics
  statistics - Statistics
  system - General system information
  version - General device info
  vpn - VPN config and statistics
  wan - WAN port information

Command Parsing

Commands are parsed as a sequence of words on a single line of input. A long line may be split by escaping the new line (see below).
The commands and subcommands are compared with the minimal set of characters needed to form a unique command. If extra characters beyond the unique subset are entered, they must also match.

Escape sequences (\x) are provided to embed control characters and other input. The following escape sequences are supported:

\n  Insert a new line.
\t  Insert a tab.
\ <space>  Follow the backslash with a space to insert a space.
\"  Insert a " (double quote).
\<octal digits>  Insert a single control character by entering its ASCII code as an octal number.
\<new line>  Continue a long line of input across multiple lines. The new line will be converted to a single space character.
\\  Insert a backslash.

White space between command arguments is truncated to a single space after parsing. Embedded spaces and tab characters may be entered using the following rule.

"<text in quotes...>"  White space (spaces and tabs) may be preserved by placing text in quotes. No escape sequences are expanded except \".

The sys echo command may be used to test command parsing rules. See sys(mgmt) for a more complete description.

MODIFYING CONFIGURATIONS

Configuration modification is a privileged operation that requires the user to be in supervisor mode. After a command modifies a configuration, subsequent command prompts will be preceded by a star (*).

Most commands that modify configurations only modify a local configuration buffer which must be saved using the save command (see save(mgmt)). The effects of the few commands which can modify a runtime system configuration will only be remembered until the system is restarted. There are some runtime commands which do not have equivalent permanent configurations.

Because there is only one configuration buffer for the system, only one person can modify a configuration at any time. The second person who tries will get a message letting them know this and they will not be able to edit.
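An added example (not code from Compatible Systems or the device firmware) that applies the escape and quoting rules listed under Command Parsing to a line of input, the way sys echo lets you check them on the device; it assumes an octal escape has at most three digits and that an unescaped newline ends the command:

```python
"""Tokenizer for the Command Line Manager's escape and quoting rules.

Added example, not Compatible Systems code. It implements the manual's
rules: \\n, \\t, "\\ " (backslash-space), \\", \\<octal>, \\<newline>, \\\\
and "quoted text" in which only \\" is expanded and white space is kept.
Assumptions: an octal escape is at most three digits; a bare newline
ends the command.
"""

# single-character escapes the manual lists
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", " ": " ", '"': '"', "\\": "\\"}
OCTAL_DIGITS = "01234567"


def parse_command_line(text: str) -> list[str]:
    """Split one command line into words as the manual describes.

    Runs of white space separate words; escapes and quoted runs may glue
    onto adjacent characters to form a single word, e.g. "a b"c -> 'a bc'.
    """
    words: list[str] = []
    current: list[str] = []
    in_word = False
    i, n = 0, len(text)

    def end_word() -> None:
        nonlocal in_word
        if in_word:
            words.append("".join(current))
            current.clear()
            in_word = False

    while i < n:
        c = text[i]
        if c == '"':
            # quoted run: spaces and tabs are preserved, only \" is expanded
            in_word = True
            i += 1
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n and text[i + 1] == '"':
                    current.append('"')
                    i += 2
                else:
                    current.append(text[i])
                    i += 1
            if i >= n:
                raise ValueError("unterminated quote")
            i += 1  # skip the closing quote
        elif c == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash at end of input")
            nxt = text[i + 1]
            if nxt == "\n":
                # \<new line>: continuation, converted to a single space,
                # so it separates words like any other space
                end_word()
                i += 2
            elif nxt in SIMPLE_ESCAPES:
                current.append(SIMPLE_ESCAPES[nxt])
                in_word = True
                i += 2
            elif nxt in OCTAL_DIGITS:
                j = i + 1
                while j < n and j < i + 4 and text[j] in OCTAL_DIGITS:
                    j += 1
                code = int(text[i + 1:j], 8)
                if code > 0o377:
                    raise ValueError(f"octal escape out of range: \\{text[i + 1:j]}")
                current.append(chr(code))
                in_word = True
                i = j
            else:
                raise ValueError(f"unknown escape sequence \\{nxt}")
        elif c == "\n":
            break  # assumption: a bare newline ends the command
        elif c in " \t":
            end_word()  # runs of white space collapse to one separator
            i += 1
        else:
            current.append(c)
            in_word = True
            i += 1
    end_word()
    return words


def sys_echo(text: str) -> str:
    """Show the parsed words one per line, quoted so embedded white space
    and control characters are visible (what you would check with sys echo)."""
    return "\n".join(repr(w) for w in parse_command_line(text))


if __name__ == "__main__":
    print(sys_echo('sys   echo  hello\\ world "a\tb" \\"q\\" x\\101y \\\n last'))
```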
If a telnet session is disconnected, it is possible to attach to the modified configuration using the sys attach command (see sys(mgmt)).

Configuration Sections

All sections are uniquely identified by their section name. All section names begin with a fixed string. However, some section names also have variable portions. In this manual, each manual page will have the section name in the upper left or right hand corner of the page. The section name will appear within square brackets ([ ]), as in the device's configuration. In the manual, section names with variable portions will appear with the variable portion contained in angle brackets (< >) as follows:

[ Chat <Name> ]
[ IP <Section ID> ]

As illustrated, the variable portion of the section name may be a name or a section ID. The sections which expect names require a character string to uniquely identify the object being defined in that section. The name must be between one and 16 alphanumeric characters, including any spaces. If the name includes spaces or special characters, it must be enclosed in quotes (""). Section names are not case-specific.

The sections which expect a section ID require a port identifier string. For more information on valid section IDs see Appendix A - Default Sections and Default Values.

Within the device's configuration, a complete section name, including the variable portion, must be unique. Duplicate section names are ignored by the device and only the first occurrence is used.

There are three types of sections: port-specific sections, general sections, and special sections.

Port-Specific Sections

Port-specific sections of the device's configuration are used to configure parameters for a specific interface (e.g., WAN 0, Ethernet 0, STEP 0, etc.) or type of interface if using the device's hierarchical parsing capabilities (e.g., WAN, Ethernet, STEP, AppleTalk, etc.). For more information on hierarchical parsing, see Appendix A.
If the device is a multislot product such as a VSR or IntraPort Enterprise, both the slot number and the interface number must be given, separated by a colon (e.g., Ethernet 0:0 indicates Slot 0, Ethernet 0, while Ethernet 0:1 indicates Slot 0, Ethernet 1). If no slot number is indicated, then Slot 0 is assumed.

All port-specific sections require a section ID as part of the section name. They are the only sections which have a section ID. The data in port-specific sections is made up of keyword and value pairs. The device uses hierarchical parsing.

General Sections

General sections of the device's configuration are also collections of keyword and value pairs, but they differ from port-specific sections in that they do not configure a port and there is no hierarchical parsing of sections. The settings in general sections are usually global to the device.

Special Sections

Special sections of the device's configuration are different from the other two types of sections in that they have no keyword and value pairs. These sections are configured using the edit config command instead of the configure command. The data portion of a special section is unique to each section type. The manual page for each of these sections describes the syntax of the data in the section and its usage. Special sections generally are filter lists, chat scripts, or other databases that don't lend themselves to the constraints of the keyword and value pairs.

Keywords

Each manual page of a port-specific or general section contains a brief description of the section as a whole, followed by a list of all of the keywords that are valid in that section. The keywords are paired up with a value, usually on a single line of the configuration. Some keywords want specific values (i.e., labels); others want arbitrary text strings as values. Keywords are separated from their values by an equal sign (=).
Keyword = Some Value

On each manual page describing keywords, the keyword is in bold and the type of value that it expects is listed. Arbitrary text strings are in italics.

IPAddress = IP Address

Labels are enclosed in square brackets ([ ]) and are separated by a vertical bar ( | ), meaning you can use one of the values.

Mode = [ Routed | Bridged | Off ]

The keyword and value pair is followed by a description of the keyword's function.

Configuration Syntax for General and Port-Specific Sections

A section contains a unique section title which is enclosed in square brackets ([ ]), followed by the data in the section.

[ Some Section Title ]
The data in the section

A section title must begin in the first column of a line in the configuration in order to be parsed correctly. If the section begins in any other column, it will be ignored and its data will be included with the previous section. A section may contain blank lines or comments and continues from its title until the next section title.

[ This is one section ]
and its data
[ Here is another section ]
and its data
  [ This is an invalid section]
its data will be included with the previous section

Comments

Comments and blank lines may occur anywhere in a configuration. If you create your own configuration files, you are encouraged to make them as readable as possible. Comments begin with a pound sign (#) and continue until the end of the line.

# This is a comment
[ New Section ] # So is this

Keyword/Value Pairs

If a section has keyword and value pairs, the keyword portion of the value pair must begin in column 1 at the beginning of a line in the data portion of that section. Some keywords may occur multiple times in the same section, but most may not. Of those that may not, only the first keyword/value pair in that section will be recognized; later ones will be ignored. Keywords with Boolean values will accept any version, such as On/Off; True/False; 1/0; Yes/No.
The keyword must be fully spelled out, but its case does not matter. An equal sign (=) is used to separate the keyword from its value. Any amount of white space may be used between the equal sign and the keyword and/or value. The following keywords all have valid syntax.

    keyword1 = value
    keyWORD2=value
    KEyWorD3 =value

See Appendix B - Configuration Variable Types for more information on values and variable types. An example configuring the IP protocol on Ethernet 0 follows:

    [ IP Ethernet 0 ]
    Mode = Routed
    IPAddress = 198.41.12.1
    SubnetMask = 255.255.255.0
    IPBroadcast = 198.41.12.255
    # RIP is defined below
    RIPVersion = V1    # V1 means version 1 of RIP.
    RIPOut = TRUE
    RIPIn = TRUE

Syntax of Special Sections

The data in special sections may contain comments and blank lines like any other section, only they do not have keyword/value pairs. These sections are configured using the edit config command. For specific syntax information about a given special section, see its manual page. The following example shows how to define a chat script named "simple script."

    [ Chat "simple script" ]
    send ATDT 5551212
    expect CONNECT

Saving a Configuration

Compatible Systems products use Flash ROM technology to store their operating software and configuration parameters. Flash ROMs can be rewritten tens of thousands of times and will maintain the information which has been written in them regardless of whether they are powered on or not. Once a configuration is complete, the save command is needed to save the new or modified configuration from the configuration buffer to Flash ROM and restart the device to have the new configuration take effect (see save(mgmt)).

Note: Turning off a device in the middle of a save/restart will cause it to lose its operating software. Please wait at least 5 minutes before deciding that the save command has failed.
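The syntax rules described above (section titles that must start in column 1, # comments, keyword/value pairs where only the first occurrence of a single-valued keyword counts, case-insensitive keywords, the four accepted Boolean spellings, and free-form special sections) as a small Python parser. This is an added example, not code from the manual or from Compatible Systems; the sample configuration it parses is constructed for the example, and the set of multi-valued keywords (MULTI_VALUED) and the special-section prefixes (SPECIAL_SECTION_PREFIXES) are assumptions of this example, not a list from the manual.

```python
import re

# Keywords the manual says may appear more than once in one section
# (e.g. Zone in an AppleTalk section).  Assumed set for this example;
# for every other keyword only the first occurrence is recognised.
MULTI_VALUED = {"zone"}

# Section types whose data is free-form text maintained with "edit config"
# (chat scripts, filter lists).  Assumed prefixes for this example.
SPECIAL_SECTION_PREFIXES = ("chat ", "ip filter ", "appletalk filter ")

# A title must start in column 1 ("^\[").  An indented "[ ... ]" line does
# not match and is treated as data of the previous section, as the manual says.
TITLE_RE = re.compile(r"^\[\s*(.*?)\s*\]$")
# Keyword in column 1, any amount of white space around the equal sign.
KV_RE = re.compile(r"^(\S+?)\s*=\s*(.*)$")

BOOLEAN_WORDS = {"on": True, "true": True, "1": True, "yes": True,
                 "off": False, "false": False, "0": False, "no": False}


def parse_boolean(value):
    """Accept On/Off, True/False, 1/0, Yes/No in any case, like the device."""
    word = value.strip().lower()
    if word not in BOOLEAN_WORDS:
        raise ValueError(f"Boolean parse failed, '{value}'")
    return BOOLEAN_WORDS[word]


def strip_comment(line):
    """Comments begin with # and continue to the end of the line."""
    return line.split("#", 1)[0].rstrip()


def is_special(title):
    return title.lower().startswith(SPECIAL_SECTION_PREFIXES)


def parse_config(text):
    """Return {title: {keyword: value}} for keyword sections and
    {title: [raw data lines]} for special sections.  Keywords are stored
    in lower case because their case does not matter to the device."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue                       # blank or comment-only line
        title = TITLE_RE.match(line)
        if title:
            current = title.group(1)
            sections[current] = [] if is_special(current) else {}
            continue
        if current is None:
            continue                       # data before the first title
        body = sections[current]
        if isinstance(body, list):         # special section: keep raw lines
            body.append(line.strip())
            continue
        if line[0].isspace():
            continue                       # keyword must begin in column 1
        pair = KV_RE.match(line)
        if not pair:
            continue
        keyword, value = pair.group(1).lower(), pair.group(2).strip()
        if keyword in MULTI_VALUED:
            body.setdefault(keyword, []).append(value)
        elif keyword not in body:
            body[keyword] = value          # first occurrence wins
    return sections


# Constructed sample configuration for this example (not from the manual).
SAMPLE_CONFIG = """\
# Constructed sample configuration
[ IP Ethernet 0 ]
Mode = Routed
IPAddress = 198.41.12.1
SubnetMask = 255.255.255.0
IPBroadcast = 198.41.12.255
# RIP is defined below
RIPVersion = V1   # V1 means version 1 of RIP.
RIPOut = TRUE
ripin = yes
RIPIn = FALSE     # duplicate of a single-valued keyword: ignored

  [ IP Ethernet 1 ]
OutFilters = "block-all"

[ AppleTalk Ethernet 0 ]
Mode = Routed
Zone = Accounting Department
Zone = Administration

[ Chat "simple script" ]
send ATDT 5551212
expect CONNECT
"""


def parse_sample():
    return parse_config(SAMPLE_CONFIG)
```

Note what the sample demonstrates: the indented "[ IP Ethernet 1 ]" title is not a section, so its OutFilters line lands in IP Ethernet 0, and the second RIPIn line is dropped because the first one already set the value.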
Transferring Configurations to the Device

All devices support a secure TFTP mechanism to transfer configuration files to and from the device. TFTP is disabled on the device by default and must be enabled using the tftp command from a console or telnet session (see tftp(mgmt)). Transfer configuration files to and from the device using an ASCII mode transfer. The remote file name must be the device type followed by ".cfg". So for a RISC Router 4000S, the file name would be rr4000s.cfg and for a MicroRouter 1200i, the file name would be mr1200i.cfg.

It is also possible to create a text-based configuration file and use CompatiView to transfer the file to and from the device. This method uses a secure transfer mechanism, preventing the configuration from being observed while it is in transit to the device. See the CompatiView Reference Guide for more information.

configure

COMMAND NAME

configure - Configuration editor to modify, delete, or add parameters.

SYNOPSIS

    configure [ <section name> ]

SYNOPSIS OF CONFIGURATION EDITOR SUBCOMMANDS

    list [ <options>... ]
    delete <keyword>
    <keyword> = <value>
    <keyword> = ?
    ?
    exit

DESCRIPTION

This manual page describes the subcommands and usage of the device's configuration editor. The configuration editor is the primary way to manage (create, modify, display, and delete) configuration parameters from the command line interface of the device. The only other way is to edit the configuration with the edit config command. The configuration editor simplifies the process of creating configurations from the console or telnet and will ensure a syntactically correct configuration.

Note: The edit config command must be used to configure special sections of the configuration, which includes tables and complex lists. See the edit config section for more information.

The configuration editor is entered by selecting a section of the configuration to modify.
If the section doesn't exist in the configuration, the configuration editor will ask if you want to add the section. To indicate that you are in the configuration editor, the command line prompt will change to the section name followed by a pound sign (#). For example, when modifying parameters for the section IP WAN 0, the prompt would be:

    [ IP WAN 0 ]#

The new prompt indicates that you are modifying the IP WAN 0 section of the configuration using the configuration editor. All of the subcommands of the configuration editor will now work to modify, display, delete or create configuration parameters.

The primary function of the configuration editor is to add or modify configuration variables. These variables are entered as keyword and value pairs. The configuration editor will only permit valid keywords to be added to the section being edited. Additionally, it checks to make sure that the value being entered for the keyword is a valid type and within the prescribed ranges defined by the device.

When a configuration variable has been changed with the configuration editor, the command line's configuration buffer will be changed. It is possible to reset the configuration buffer to what is stored in the permanent configuration memory or to the default settings by using the reset config command (see config(reset)). Once all changes to the configuration are complete, the save command is needed to save the modified configuration to the permanent configuration storage and restart the device so that the new configuration takes effect (see save(mgmt)).

The configuration editor has an extensive help facility that tries to guide you through your configuration. The help information for keywords will specify what type of value is expected and other information about the keyword. This is the ? command.

Within the configuration editor, all of the regular management commands are still available.
For instance, if you are modifying the section IP WAN 0 and you want to see what the device's IP configuration would look like with your new changes, you can still use the show ip config command to display that information without leaving the configuration editor. This is true of all other management commands.

The configuration editor can also be used to convert old binary configuration data to the new text-based format. The configure command will automatically convert an old configuration to the new format if an old configuration is detected.

OPTIONS

Section Name

The section name is an optional parameter to the configure command. If you are already in the configuration editor and no section name is specified, the configuration editor will tell you the name of the section you are currently editing and the line on which it can be found in the configuration buffer. Otherwise, if no section name is specified, the configuration editor will inform you that you have not specified a section and will prompt for a section name.

    My Test Router# configure
    You have not selected a section.  Enter '?' for a list of section names,
    'help' for information about the configure command.
    Enter section name (or '?', 'help'):

At this point, a list of section names can be retrieved, or a short help message can be displayed.

    Enter section name (or '?', 'help'): help
    Configuration parameters are grouped into "sections."  To change
    parameters using the configuration editor, the section has to be
    selected using the configure command.

    Usage:    configure <section name>
    Examples: configure ip ethernet 0
              configure ppp wan 1
              configure general

    After you have selected the section, the prompt will be the name of
    the section.  At this point parameters can be configured.  Use the
    "list" command to display parameters already configured or "?" for a
    list of valid keywords.
    My Test Router#

By entering a "?"
at the section name prompt, a list of configurable sections will be generated by the configuration editor. You may choose from this list. The section name must be one of the valid configuration sections for the device, and it must be fully spelled out. No abbreviations to the section name are permitted.

When a section name has been successfully entered, either at the section name prompt or when entering the configure command, you will be in the configuration editor. The following example shows the results of successfully entering the configuration editor.

    My Test Router# configure ip wan 0
    Configure parameters in this section by entering:
    <Keyword> = <Value>
    To find a list of valid keywords and additional help enter "?"
    [ IP WAN 0 ]#

At this point all subcommands of the configuration editor will be accepted.

SUBCOMMANDS

The following subcommands are only valid from within the configuration editor. Using them at any other time will result in either a parsing error or an invalid usage message. Unlike other vendors' interfaces, all of the management commands are available within the configuration editor. Only the subcommands unique to the configuration editor are described below. For information about the other commands, see each command's specific manual page.

List

The list subcommand will display the section that is currently being modified by the configuration editor. The list subcommand has many options that can be used to display different aspects of the configuration section. The list subcommand and its options are fully described in a separate manual page. See config(show) for more information.

Delete

The delete subcommand is used to delete a keyword and its associated value from the configuration. Most keywords may only appear one time in a section, and in those cases, the delete subcommand will simply display the configuration entry and the line it was found on. You will then be asked if you want to delete it.
    [ IP WAN 0 ]# delete ripout
    Delete 'RIPOut = TRUE', from line 31? y
    *[ IP WAN 0 ]#

In the case of keywords that may (and actually do) appear multiple times within a section, each instance will be prompted as in the previous example until no more instances of the keyword exist in the section. You may delete any, all or none of the keyword/value pairs. The command will continue through all instances of the keyword regardless of your input.

If you only want to change a configured value for a keyword, then it is not necessary to use the delete subcommand. The normal keyword entry procedures described in the following section will both change and create new keywords.

Keyword/Value Entry

In the configuration editor, additions and modifications to the configuration are made by using keyword and value pairs. The real strength of the configuration editor is the ability to enter keywords in a section and ensure that the value associated with the keyword is syntactically correct. To get a list of keywords for a section, enter a ? after the section name. A keyword and value may be entered as it would appear in the configuration.

    keyword = value

Unlike section names, keywords may be abbreviated to a unique subset of characters at the beginning of the keyword. Labels and values in general may not be abbreviated.

Note: The configuration editor will insert the full, unabbreviated keyword into the configuration. The configuration editor provides this service as a convenience. Labels and section names must not be abbreviated in configurations or parsing errors will occur during router initialization.

The value may be entered as a question mark (?) to find out additional information about the keyword.

    *[ IP WAN 0 ]# ripin = ?
    The keyword 'RIPIn' expects Boolean values:
      Default: On
      Valid Values: True/False, On/Off, 1/0, or Yes/No.

Similar information is displayed when an invalid value is entered.
    *[ IP WAN 0 ]# ripout = foo
    Command Line: 1: Boolean parse failed, 'foo'
    The value 'foo' is invalid.
    The keyword 'RIPOut' expects Boolean values:
      Default: On
      Valid Values: True/False, On/Off, 1/0, or Yes/No.

When a value is accepted, the new keyword will be inserted in the section directly below the section name, before any other items in the section. If the keyword already exists in the section, the value will be replaced, leaving the keyword where it was in the section. If a keyword may appear more than once in a section, like the Zone keyword in an AppleTalk section, each keyword/value pair will be added to the section. If you want to change such a value, you must first delete the value and then add the new value.

Help Facilities

Within the configuration editor, several help facilities exist. To find out about valid keywords and configuration editor subcommands, enter a question mark (?).

    *[ Time Server ]# ?
    Valid keywords for the 'Time Server' section:
      Enabled
      ServerAddress
      Adjust             Adjustment in minutes from server
    Other useful commands:
      delete <keyword>   Delete a keyword in this section
      list               Display the contents of current section
      <keyword> = ?      Display more information about a keyword
      help               Information about other commands

Exiting the Configuration Editor

There is really no reason to exit the configuration editor, since all management commands are available from within the configuration editor. However, if you want to leave the editor, enter exit at the prompt.

    *[ Time Server ]# exit
    Leaving section editor.
    *My Test Router#

Comments

Comments and blank lines may occur anywhere in a configuration. If you create your own configuration files, you are encouraged to make them as readable as possible. Comments begin with a pound sign (#) and continue until the end of the line.

    # This is a comment
    [ New Section ]    # So is this

EXAMPLES

In the following example session, the IP interface in a router will be configured.
The router currently has the default configuration for IP.

    My Test Router> sh ip config
    Addresses
    Port    IP Addr        Subnet           Broadcast        Flags
    Ether0  disabled
    Ether1  disabled
    Bridge  198.41.12.1    255.255.255.0    198.41.12.255    <RIP:out,in>
    Wan0    Unnumbered interface                             <RIP:disabled>
            Remote Address: 0.0.0.0                          <>
    Wan1    Unnumbered interface                             <RIP:disabled>
            Remote Address: 0.0.0.0                          <>

In this example we will set an IP address for Ethernet 0 and disable the bridge interface. We will start by disabling the IP bridge interface.

    My Test Router> configure ip bridge
    Enter Password: password entered here...
    Section 'ip bridge' not found in the config.
    Do you want to add it to the config? y
    Configure parameters in this section by entering:
    <Keyword> = <Value>
    To find a list of valid keywords and additional help enter "?"
    *[ IP Bridge ]#

Notice that the section was not found in the configuration. The configuration editor prompts to see if the section should be added. Also now that we have selected a section, the router prompt has changed. The star (*) preceding the prompt indicates that the configuration has been modified. Now we can disable the interface.

    *[ IP Bridge ]# mode = off
    *[ IP Bridge ]# list
    [ IP Bridge ]
    Mode = Off
    *[ IP Bridge ]#

The show ip config command verifies that the interface has been disabled.

    *[ IP Bridge ]# show ip config
    Addresses
    Port    IP Addr        Subnet           Broadcast        Flags
    Ether0  disabled
    Ether1  disabled
    Bridge  disabled
    Wan0    Unnumbered interface                             <RIP:disabled>
            Remote Address: 0.0.0.0                          <>
    Wan1    Unnumbered interface                             <RIP:disabled>
            Remote Address: 0.0.0.0                          <>

Note: The actual router interfaces are still running as before the changes were made. No changes take effect until they are saved using the save command (see save(mgmt)). Until saved, all changes are made in a separate buffer.

Enable the Ethernet 0 interface, using the following command sequence.

    *[ IP Bridge ]# configure ip ethernet 0
    Section 'ip ethernet 0' not found in the config.
    Do you want to add it to the config? y
    Configure parameters in this section by entering:
    <Keyword> = <Value>
    To find a list of valid keywords and additional help enter "?"
    *[ IP Ethernet 0 ]# mode = routed
    *[ IP Ethernet 0 ]# ipaddr = 10.0.0.1
    *[ IP Ethernet 0 ]# subnet = 255.255.255.0
    *[ IP Ethernet 0 ]# list
    [ IP Ethernet 0 ]
    SubnetMask = 255.255.255.0
    IPAddress = 10.0.0.1
    Mode = Routed
    *[ IP Ethernet 0 ]#

The preceding example shows the minimal set of parameters needed to enable an IP router interface. The show ip config command verifies the configuration.

    *[ IP Ethernet 0 ]# show ip config
    Addresses
    Port    IP Addr        Subnet           Broadcast        Flags
    Ether0  10.0.0.1       255.255.255.0    10.0.0.255       <RIP:out,in>
    Ether1  disabled
    Bridge  disabled
    Wan0    Unnumbered interface                             <RIP:disabled>
            Remote Address: 0.0.0.0                          <>
    Wan1    Unnumbered interface                             <RIP:disabled>
            Remote Address: 0.0.0.0                          <>

Notice that the RIP routing protocol and broadcast address are configured, even though they are not explicitly listed in the configuration. The list subcommand has a cooked mode to display all of the important parameters in the configuration. By adding the cook and mark options the list subcommand will tell us parameters that we have entered which are different from the router's default values. See config(show) for a complete description of these and other features.

    *[ IP Ethernet 0 ]# list cook mark
    [ IP Ethernet 0 ]
    Mode = Routed => Bridged
    IPAddress = 10.0.0.1 => 0.0.0.0
    SubnetMask = 255.255.255.0 => 0.0.0.0
    IPBroadcast = 0.0.0.0
    RIPVersion = V1            # Default
    OutFilters =               # Default
    InFilters =                # Default

Now that we are satisfied with the configuration, it must be written to the permanent configuration storage area in the router. The save command initiates that process and restarts the router (see save(mgmt)).

    *[ IP Ethernet 0 ]# save
    Save configuration to flash and restart router? y
    (Router writes configuration information and restarts....)
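The editor behaviour shown in the session above (unique-prefix keyword abbreviation, type checking of values, insertion of a new keyword directly below the section title, in-place replacement of an existing one, delete with a confirmation for each instance, and the cook/mark listing) modelled as a Python class. This is an added example, not the device's code: the keyword table IP_SECTION_SPECS uses keyword names from the manual's examples but its types and defaults, the EditorError class and the run_session helper are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass

BOOLEAN_WORDS = {"on", "off", "true", "false", "1", "0", "yes", "no"}


@dataclass
class Spec:
    """Hypothetical keyword description used by this example's editor."""
    name: str            # canonical spelling written into the buffer
    kind: str            # "boolean", "ipaddr", "label" or "string"
    labels: tuple = ()   # valid labels for kind == "label"
    default: str = ""
    multi: bool = False  # may appear more than once (e.g. Zone)


# Assumed keyword table for an IP port section (types/defaults are assumptions).
IP_SECTION_SPECS = (
    Spec("Mode", "label", ("Routed", "Bridged", "Off"), "Bridged"),
    Spec("IPAddress", "ipaddr", default="0.0.0.0"),
    Spec("SubnetMask", "ipaddr", default="0.0.0.0"),
    Spec("IPBroadcast", "ipaddr", default="0.0.0.0"),
    Spec("RIPVersion", "label", ("V1", "V2"), "V1"),
    Spec("RIPOut", "boolean", default="On"),
    Spec("RIPIn", "boolean", default="On"),
    Spec("OutFilters", "string"),
    Spec("InFilters", "string"),
)


class EditorError(Exception):
    """Raised where the real editor prints an error and leaves the buffer alone."""


class SectionEditor:
    def __init__(self, title, specs):
        self.title, self.specs = title, specs
        self.lines = [f"[ {title} ]"]   # line 0 is always the section title
        self.modified = False

    def prompt(self):
        return ("*" if self.modified else "") + f"[ {self.title} ]#"

    def resolve(self, abbrev):
        """Expand a keyword abbreviation; the prefix must identify one keyword."""
        a = abbrev.lower()
        matches = [s for s in self.specs if s.name.lower().startswith(a)]
        exact = [s for s in matches if s.name.lower() == a]
        if exact:
            return exact[0]
        if not matches:
            raise EditorError(f"'{abbrev}' is not a valid keyword in '{self.title}'")
        if len(matches) > 1:
            raise EditorError(f"'{abbrev}' is ambiguous: " + ", ".join(s.name for s in matches))
        return matches[0]

    def validate(self, spec, value):
        """Return the value as it will be stored, or raise as the editor would."""
        v = value.strip()
        if spec.kind == "boolean":
            if v.lower() not in BOOLEAN_WORDS:
                raise EditorError(f"Boolean parse failed, '{v}'")
            return v                            # stored as typed (e.g. TRUE)
        if spec.kind == "ipaddr":
            try:
                return str(ipaddress.IPv4Address(v))
            except ipaddress.AddressValueError:
                raise EditorError(f"IP address parse failed, '{v}'") from None
        if spec.kind == "label":                # labels may not be abbreviated
            for label in spec.labels:
                if label.lower() == v.lower():
                    return label                # canonical spelling
            raise EditorError(f"'{v}' is not one of {' | '.join(spec.labels)}")
        return v

    def _positions(self, spec):
        return [i for i, line in enumerate(self.lines)
                if i > 0 and line.split("=", 1)[0].strip().lower() == spec.name.lower()]

    def set(self, keyword, value):
        """'<keyword> = <value>' or '<keyword> = ?' at the editor prompt."""
        spec = self.resolve(keyword)
        if value.strip() == "?":
            return f"The keyword '{spec.name}' expects {spec.kind} values: Default: {spec.default}"
        entry = f"{spec.name} = {self.validate(spec, value)}"
        existing = self._positions(spec)
        if existing and not spec.multi:
            self.lines[existing[0]] = entry     # replace in place, keep position
        else:
            self.lines.insert(1, entry)         # new keyword directly below the title
        self.modified = True
        return entry

    def delete(self, keyword, confirm):
        """Offer every instance to confirm(line, index); drop the ones accepted."""
        targets = set(self._positions(self.resolve(keyword)))
        kept = [line for i, line in enumerate(self.lines)
                if i not in targets or not confirm(line, i)]
        removed = len(self.lines) - len(kept)
        self.lines = kept
        self.modified = self.modified or removed > 0
        return removed

    def list_cook_mark(self):
        """Like 'list cook mark': every keyword's effective value, with entries
        that differ from the default marked '=> <default>'."""
        current = {line.split("=", 1)[0].strip().lower(): line.split("=", 1)[1].strip()
                   for line in self.lines[1:] if "=" in line}
        out = [self.lines[0]]
        for s in self.specs:
            value = current.get(s.name.lower())
            if value is not None and value != s.default:
                out.append(f"{s.name} = {value} => {s.default}")
            else:
                out.append(f"{s.name} = {s.default}    # Default")
        return out


def run_session():
    """Replays the manual's Ethernet 0 session on the model editor (constructed)."""
    ed = SectionEditor("IP Ethernet 0", IP_SECTION_SPECS)
    ed.set("mode", "routed")
    ed.set("ipaddr", "10.0.0.1")
    ed.set("subnet", "255.255.255.0")
    return ed
```

After run_session() the buffer reads SubnetMask, IPAddress, Mode in that order, because each accepted keyword is inserted directly below the title, matching the list output in the session above.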
Note: Turning off a device in the middle of a save/restart will cause it to lose its operating software. Please wait at least 5 minutes before deciding that a download has failed to be stored in Flash ROM.

SEE ALSO

edit config, config(reset), config(show), save(mgmt)

[ AppleTalk <Section ID> ]

This section is used to configure AppleTalk parameters for a device. Compatible Systems devices support AppleTalk Phase 1 and AppleTalk Phase 2, and "transitional routing" between the two. AppleTalk Phase 1 is an earlier version of the AppleTalk protocol. We recommend that all new AppleTalk installations use AppleTalk Phase 2. Keywords recognized in this section are described below.

Mode = [ Routed | Bridged | Off ]

The Mode keyword describes the method the device is to use to handle AppleTalk packets when received by the device.

Routed enables the port of the device. It specifies that the device is attached to a routed network and the device will forward packets to its other ports if it is a router or to the virtual private networks if it is a VPN access server. If the device is a router, packets are forwarded by looking up the network address in the device's routing table maintained by AppleTalk RTMP (Routing Table Maintenance Protocol). If the device is a VPN access server (IntraPort class) packets are forwarded to the virtual private network depending on the access parameters and settings of the users that are attached to the server. It will use the routing table maintained by RTMP to forward packets from the virtual private network to the local area network.

Bridged enables the port of a router to be attached to a bridged network and forward packets based on the physical address using the router's bridge cache maintained through the IEEE Spanning Tree Protocol or through active listening. The VPN access servers do not support this mode.
If Bridged is specified, bridging must be enabled globally in the router in the [ Bridging Global ] section and on the interface in the [ Bridging <Section ID> ] section. It is possible to assign an AppleTalk address to the router using the AppleTalk Phase 2 Bridge section if it is to be managed by CompatiView using the AppleTalk protocol while bridging.

Off disables the port of the device. If Off is specified, then AppleTalk packets received on the interface will be silently discarded.

Seed = [ Seed | Auto | NoSeed ]

The Seed keyword specifies whether the interface will function as the seed Ethernet interface for the attached network.

When set to Seed, the interface provides network number and zone information to the network attached to the interface. The network number and zone name must be specified using keywords documented later in this section. Before seeding, the device will listen to the network for existing network number and zone information. This existing information takes precedence over the configured information if found to be different.

Auto specifies that the AppleTalk interface be an autoseed interface. Autoseed means the device will listen for a network range being set by another router on the segment connected to this interface and use this range if it exists. If it doesn't discover a range, the device will automatically generate a valid number using the AppleTalk Routing Table discovered by listening for 15 seconds.

NoSeed specifies that the AppleTalk interface be a non-seed interface. NoSeed means the device will listen for an AppleTalk network range being set by another router on the segment connected to this interface and use this range if it exists. It will wait indefinitely until a range is set by another router on the segment.
NetLower = Number

The NetLower keyword specifies the lower network number in a range of AppleTalk network numbers for a seed Ethernet interface, or the single network number for a numbered WAN interface. This keyword is ignored if the interface isn't configured as either a seed Ethernet interface or numbered WAN interface. The network number must be between 1 and 65,279. Each network number will support up to 253 node addresses.

For all types of Ethernet interfaces being seeded, the NetLower and the NetUpper keywords must be specified. For Phase 2 Ethernet interfaces, the two values may be equal. For Phase 1 Ethernet interfaces, they must be equal.

Accidental selection of an AppleTalk network number (or range of numbers) which is already in use on another network segment may cause hard-to-diagnose problems. You should carefully track which AppleTalk network numbers are in use, and where. The show appletalk command can help in tracking your network configuration (see appletalk(show)).

NetUpper = Number

The NetUpper keyword specifies the upper network number in a range of AppleTalk network numbers for a seed Ethernet interface. This keyword is ignored if the interface isn't configured as a seed Ethernet interface. The network number must be between 1 and 65,279. Each network number will support up to 253 node addresses.

For all types of Ethernet interfaces being seeded, the NetLower and the NetUpper keywords must be specified. For Phase 2 Ethernet interfaces, the two values may be equal, but for Phase 1 Ethernet interfaces, they must be equal.

Accidental selection of an AppleTalk network number (or range of numbers) which is already in use on another network segment may cause hard-to-diagnose problems. You should carefully track which AppleTalk network numbers are in use, and where. The show appletalk command can help in tracking your network configuration (see appletalk(show)).
Node = Number

The Node keyword lets you provide a suggestion for the node number the device should use when performing its dynamic node probing when starting up. On WAN interfaces it specifies the exact number to be used for the AppleTalk node number since dynamic node probing isn't performed on WAN interfaces. The value must be between 1 and 253. On Frame Relay WAN interfaces a unique node number must be assigned to the interface.

Note: Since AppleTalk on Ethernet claims node numbers dynamically at start up, assigning known AppleTalk node numbers to an interface can make it easier to diagnose network problems using a network packet monitor.

DefZone = String

The DefZone keyword defines the default AppleTalk zone name for Phase 2 Ethernet interfaces and the single zone name that can be defined for WAN and Phase 1 interfaces. This keyword must be used on Phase 2 and Phase 1 interfaces configured to seed, and on WAN interfaces configured to be numbered, otherwise it will be ignored. Zone names may be up to 32 characters in length and may include spaces. If you wish to add other zones to the zone list for the extended network (Phase 2 only), use the Zone keyword in this section.

Zone = String

The Zone keyword lets a zone list be specified for extended (Phase 2) interfaces. Only extended Ethernet interfaces (Phase 2 Ethernet) which you set to seed can have zone lists specified for them. Use this keyword multiple times to define a complete zone list for the interface. This keyword will be ignored if specified in a nonextended (Phase 1 or WAN) interface.

Typically, zone names are chosen which have some significance to the physical location or the corporate purpose of the network segment. An example would be "Accounting Department" or "Administration." These names will appear in the Chooser for Macintoshes on the network.

Note that this keyword is not used to specify the interface's zone name.
The keyword DefZone, documented in this section, allows specification of either the default zone name for an extended interface (Phase 2) or the interface's zone name for a nonextended interface (Phase 1).

Numbered = [ On | Off ]

The Numbered keyword specifies whether the wide area network connected to this interface will have an AppleTalk network number associated with it. If On is specified, then you must set an AppleTalk network number and zone for this WAN interface. See the NetLower and DefZone keywords.

Many wide area network connections are simple point-to-point links. These links do not generally require a network number because there are only two devices on the link. All traffic sent from one end is, by definition, destined for the other end. You generally do not need a numbered WAN interface if you are using the PPP transport protocol.

In contrast, Frame Relay networks may have a number of participating routers connected through a single physical interface. Because of this, use of the Frame Relay transport protocol requires a numbered WAN interface.

Updates = [ Periodic | Triggered ]

The Updates keyword specifies the way in which the device sends AppleTalk RTMP information over the link.

When updates are designated as Periodic, the device will send RTMP packets over the link every 10 seconds. These periodic update packets will cause a WAN interface set for dial-on-demand operation to either stay up indefinitely or to continuously dial, connect, and then drop the connection.

When updates are designated as Triggered, the device will modify the standard AppleTalk RTMP behavior for this interface to send AppleTalk RTMP packets only when there has been an update to its routing table information, or when it has detected a change in the accessibility of the next hop router.
RemoteNet = Number

The RemoteNet keyword specifies the AppleTalk net number to be assigned through PPP to a remote end node dialing into a device. This keyword along with the RemoteNode keyword allows a complete AppleTalk internet address to be specified. This address is used to provide proxy services which allow the client machine to participate as a node on one of the device's local networks. Remote end node functionality allows single client machines to use the WAN interface on a router to connect to the LAN serviced by the router. If the WAN interface is numbered, the network number specified must be the same as the network number specified in the NetLower and NetUpper keywords for the WAN interface.

RemoteNode = Number

The RemoteNode keyword specifies the AppleTalk node number to be assigned through PPP to a remote end node dialing into a router. This keyword along with the RemoteNet keyword allows a complete AppleTalk internet address to be specified. This address is used to provide proxy services which allow the client machine to participate as a node on one of the router's local networks. This number must not be the same as the value specified in the Node keyword.

NodeProxy = [ On | Off ]

The NodeProxy keyword specifies that the device dynamically reserve an AppleTalk address on Ethernet for the WAN interface. This proxy address will be used if the remote PPP AppleTalk implementation requires address negotiation (which is typical of end nodes). If you wish to seed the proxy address to a specific network or node number, use the RemoteNet and RemoteNode keywords. NodeProxy can only be specified on an unnumbered WAN interface.

OutFilters = String

The OutFilters keyword allows the named AppleTalk packet filter to be associated with the output filter interpreter of the interface. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space.
If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword.

Packets being transmitted on the interface will be compared against the filter list(s) specified. Any packet not explicitly allowed by the rule set is dropped silently. When more than one set is defined, the filter interpreter will process the sets in the order specified. The only rules used in this interpreter are the type, srcnet, dstnet, srcnode, dstnode and srcskt. For Name Binding Protocol (NBP) request and reply packets the NBPName, NBPType and NBPZone rules are also used. All other rules are ignored. See [ AppleTalk Filter <Name> ] for a definition of the AppleTalk packet filtering rules.

InFilters = String

The InFilters keyword allows the named AppleTalk packet filter to be associated with the input filter interpreter of the interface. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword.

Packets being transmitted on the interface will be compared against the filter list(s) specified. Any packet not explicitly allowed by the rule set is dropped silently. When more than one set is defined, the filter interpreter will process the sets in the order specified. The only rules used in this interpreter are the type, srcnet, dstnet, srcnode, dstnode and srcskt. For NBP request and reply packets the NBPName, NBPType and NBPZone rules are also used. All other rules are ignored. See [ AppleTalk Filter <Name> ] for a definition of the AppleTalk packet filtering rules.
OutRTMPFilters = String

The OutRTMPFilters keyword allows the named AppleTalk filters to be associated with the output RTMP (Routing Table Maintenance Protocol) filter interpreter of the interface. RTMP tuples (AppleTalk network numbers) originating on the interface will be filtered with these rules. The only rules used in this interpreter are the network and net-range rules. All other rules are ignored. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword. See [ AppleTalk Filter <Name> ] for a definition of the AppleTalk packet filtering rules.

InRTMPFilters = String

The InRTMPFilters keyword allows the named AppleTalk filters to be associated with the input RTMP filter interpreter of the interface. RTMP tuples (AppleTalk network numbers) received on the interface will be filtered with these rules. The only rules used in this interpreter are the network and net-range rules. All other rules are ignored. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword. See [ AppleTalk Filter <Name> ] for a definition of the AppleTalk packet filtering rules.

GetZoneFilters = String

The GetZoneFilters keyword allows the named AppleTalk filters to be associated with the Get Zone List (GZL) filter interpreter of the interface. The interpreter allows the filtering of outgoing GZL replies on an interface. These replies contain the zone list displayed by the Chooser on a Macintosh when it is opened. This interpreter will allow control of the zones that are seen on a Macintosh behind a device.
The only rules used in this interpreter are the network, net-range and zone rules. All other rules are ignored. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword. See [ AppleTalk Filter <Name> ] for a definition of the AppleTalk packet filtering rules.

ZIPReplyFilters = String

The ZIPReplyFilters keyword allows the named AppleTalk filters to be associated with the ZIP reply filter interpreter of the interface. The ZIP reply interpreter allows incoming zone names in ZIP reply packets to be filtered. ZIP reply packets are used between routers and access servers to exchange the zone names for the networks kept in their routing tables. These devices are required to maintain a zone list for each of the networks maintained in the AppleTalk routing table and receive the zone name from an upstream router advertising the network. Extended networks allow more than one zone name to be associated with the range, even if it is a single range.

Note: If zone filtering for Macintosh end workstations is required, use a Get Zone List filter. If a zone list is restricted in an upstream router with a ZIP reply filter, then the downstream routers will receive the filtered zone list for the network and subsequent downstream routers will also receive the filtered zone list.

The only rules used in this interpreter are the zone and network rules. All other rules are ignored. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword. See [ AppleTalk Filter <Name> ] for a definition of the AppleTalk packet filtering rules.
LockOut = [ On | Off ]

The LockOut keyword specifies an NBP filter that is applied to the physical network segment connected to the interface. Specifying On causes the device to drop any NBP lookups which are destined for this physical segment. This will protect devices on the segment from access by users on other segments.

LockIn = [ On | Off ]

The LockIn keyword specifies an NBP filter that is applied to the physical network segment connected to the interface. Specifying On causes the device to drop any NBP lookups which originate on this network segment destined for another network segment. The effect will be that users will not have access through the device to network devices on other segments.

LWFilter = [ On | Off ]

The LWFilter keyword allows a LaserWriter filter to be enabled for the interface. A LaserWriter filter protects all LaserWriters in the AppleTalk zone configured for the interfaces from NBP lookup by computers in other AppleTalk zones. The effect is that LaserWriter devices in the DefZone will only be visible to Macintoshes on networks with the same zone name across your AppleTalk internet.

TildeFilter = [ On | Off ]

The TildeFilter keyword allows a tilde filter to be enabled for the interface. A tilde filter protects all devices in the AppleTalk zone configured for this interface's network segment whose names end with a tilde character (~) from NBP lookup by computers in other AppleTalk zones. The effect is that ~ devices in the DefZone will only be visible to Macintoshes on networks with the same zone name across your AppleTalk internet.

StIZFilter = [ On | Off ]

The StIZFilter keyword allows a stay-in-zone AppleTalk zone filter to be enabled for the interface. Stay-in-zone filtering means the device will not forward NBP lookups which are directed from the AppleTalk zone configured for this interface's network segment to any other zone.
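The combined effect of the LockOut, LockIn, LWFilter, TildeFilter and StIZFilter keywords, together with the Phase 1 / Phase 2 zone rule stated in the next paragraph, as an added Python example. This is not code from the guide or from Compatible Systems: the AppleTalkInterface and NBPEntity classes, the hidden_reason function and the sample interfaces are constructed for the illustration, and the model describes the visibility effect the guide attributes to each filter rather than the router's packet handling.

```python
"""Added example (not from the guide): which NBP filter, if any, hides a
device from a requester, following the effect each keyword is described
to have.  Zone filters use the Zone of a Phase 1 interface and the DefZone
of a Phase 2 interface.  All names below are constructed for this example."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AppleTalkInterface:
    name: str
    phase: int                  # 1 = nonextended, 2 = extended
    zone: str = ""              # Zone keyword (used by zone filters on Phase 1)
    def_zone: str = ""          # DefZone keyword (used by zone filters on Phase 2)
    lock_out: bool = False
    lock_in: bool = False
    lw_filter: bool = False
    tilde_filter: bool = False
    stiz_filter: bool = False

    def filter_zone(self) -> str:
        """Zone the zone-based filters apply to on this interface."""
        return self.zone if self.phase == 1 else self.def_zone


@dataclass
class NBPEntity:
    """A device that would answer an NBP lookup: its name, type and zone,
    plus the interface whose physical segment it sits on."""
    name: str
    type: str
    zone: str
    iface: AppleTalkInterface


def hidden_reason(requester_iface: AppleTalkInterface, requester_zone: str,
                  entity: NBPEntity) -> Optional[str]:
    """Return the filter that hides entity from a requester in requester_zone
    on requester_iface, or None when the lookup is allowed through."""
    target = entity.iface
    other_segment = requester_iface is not target
    other_zone = requester_zone != entity.zone
    # LockOut: lookups destined for this segment from other segments are dropped.
    if target.lock_out and other_segment:
        return f"LockOut on {target.name}"
    # LockIn: lookups leaving this segment for another segment are dropped.
    if requester_iface.lock_in and other_segment:
        return f"LockIn on {requester_iface.name}"
    # LWFilter: LaserWriters in the interface's zone are hidden from other zones.
    if (target.lw_filter and entity.type == "LaserWriter"
            and entity.zone == target.filter_zone() and other_zone):
        return f"LWFilter on {target.name}"
    # TildeFilter: names ending in '~' in the interface's zone are hidden from other zones.
    if (target.tilde_filter and entity.name.endswith("~")
            and entity.zone == target.filter_zone() and other_zone):
        return f"TildeFilter on {target.name}"
    # StIZFilter: lookups from this interface's zone are not forwarded to other zones.
    if (requester_iface.stiz_filter
            and requester_zone == requester_iface.filter_zone() and other_zone):
        return f"StIZFilter on {requester_iface.name}"
    return None


def visible(requester_iface: AppleTalkInterface, requester_zone: str,
            entity: NBPEntity) -> bool:
    return hidden_reason(requester_iface, requester_zone, entity) is None


if __name__ == "__main__":
    # Constructed sample: a Phase 2 Ethernet with the two name-based filters on.
    eth0 = AppleTalkInterface("Ethernet 0", 2, def_zone="The 4000 Club",
                              lw_filter=True, tilde_filter=True)
    wan0 = AppleTalkInterface("WAN 0", 1, zone="Accounting")
    printer = NBPEntity("Lobby LW", "LaserWriter", "The 4000 Club", eth0)
    print(hidden_reason(wan0, "Accounting", printer))        # LWFilter on Ethernet 0
    print(hidden_reason(wan0, "The 4000 Club", printer))     # None: same zone name
```

Note that a requester on another network whose zone carries the same name still sees the filtered devices, which is exactly the "same zone name across your AppleTalk internet" behaviour the keyword descriptions state; the zone filters are not a segment boundary.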
The effect is that you will only see devices on other networks with the same zone name across your AppleTalk internet. This filter is applied based on logical AppleTalk zones rather than on physical segments. On nonextended networks (Phase 1), zone filters are applied for the AppleTalk zone configured for the network segment. On extended networks (Phase 2) they are applied to the AppleTalk default zone configured for the network segment.

Examples

The following example shows a typical AppleTalk configuration for Ethernet interfaces.

    [ AppleTalk Phase 2 Ethernet 0 ]
    Mode = Routed
    Seed = Seed
    NetLower = 4000
    NetUpper = 4100
    Node = 100
    DefZone = "The 4000 Club"
    Zone = "Accounting"

The same configuration can be viewed with the show appletalk config command, as follows.

    Port    Phase  Seed   Netnum       Node   Zone Name
    Ether0  1      ** Disabled **
    Ether0  2      On     4000 - 4100  100    The 4000 Club
    Ether1  1      ** Disabled **
    Ether1  2      Auto   n/a
    Bridge  1      ** Disabled **
    Bridge  2      ** Disabled **
    Wan0    Unnumbered interface  Remote Address: 0:0   <Trigger>
    Wan1    Unnumbered interface  Remote Address: 0:0   <Trigger>

    NBP Filters:
    Port    Phase  Stay in  Lookups    Tilde    LaserWriters
                   zone?    In   Out   Devices
    Ether0  1      ** Disabled **
    Ether0  2      Off      Off  Off   Off      Off
    Ether1  1      ** Disabled **
    Ether1  2      Off      Off  Off   Off      Off
    Bridge  1      ** Disabled **
    Bridge  2      ** Disabled **
    Wan0           Off      Off  Off   Off      Off
    Wan1           Off      Off  Off   Off      Off

    Appletalk Zone List:
    Accounting

    AARP Timeout: 0

See Also

appletalk(show), [ AppleTalk Filter <Name> ], [ Bridging <Section ID> ], [ Bridging Global ]

[ AppleTalk Tunnels ]

This section is used to modify AppleTalk tunneling parameters. An AppleTalk tunnel is a "virtual" AppleTalk network running between tunnel peers. Tunnel peers are defined by their IP addresses. This protocol was originally developed by Cayman Systems and is most commonly referred to as Cayman Tunnels.
Note: Newer STEP tunneling is available for AppleTalk-in-IP tunneling. This includes authentication and encryption features not available in regular AppleTalk tunnels. See the [ Tunnel Partner <Section ID> ] section for more information.

AppleTalk-in-IP tunneling is sometimes needed when a network is limited to IP traffic only, either because there are routers elsewhere on the network which do not route AppleTalk protocols, or for administrative reasons. AppleTalk-in-IP tunneling provides a solution for this problem by sending AppleTalk information across an IP internet by encapsulating AppleTalk information in IP packets. AppleTalk networks that are connected via a tunnel will communicate as if they are on the same network even though they are separated by an IP-only Ethernet backbone or internet.

Note: You must set up both ends of every tunnel. Therefore, you must repeat this setup with the other router(s) you want as participants in the tunnel.

The keywords recognized in this section are described below.

Tunnel = IP Address

The Tunnel keyword specifies the IP address of the tunneling interface of each tunnel peer with which this router will communicate using an AppleTalk-in-IP tunnel. There must be one entry for each tunnel peer and you may enter up to 32 different tunnel peers.

Note: You must configure the other tunnel peer router(s) with the IP address of the tunneling interface on this router for the tunnel to be functional.

Filter = Number

The Filter keyword controls which of the AppleTalk networks accessible through tunnels are actually made available by this router. This is done by applying the filter list to the AppleTalk RTMP packets which are received through the tunnel from other tunnel peers. Without any tunnel filters, all of the AppleTalk networks known to your tunnel peer list of routers will be advertised at this end. You can enter up to 96 different AppleTalk tunnel filters in each router.
FilterType = [ Recognize | Ignore ]

The FilterType keyword tells the router how it should treat the list of AppleTalk network numbers you have entered using the Filter keyword. If you specify Recognize, only the configured AppleTalk network numbers will be allowed through the tunnel and installed in this router's routing table. If Ignore is specified, all AppleTalk network numbers except the configured values will be allowed through the tunnel and installed in the routing table.

Examples

To create an AppleTalk-in-IP tunnel to 198.248.55.1 and filter out AppleTalk network number 57:

    [ AppleTalk Tunnels ]
    Tunnel = 198.248.55.1
    Filter = 57
    FilterType = ignore

See Also

[ AppleTalk <Section ID> ], [ Tunnel Partner <Section ID> ], appletalk(show)

[ BGP Aggregates ]

This section defines a list of networks which are to be aggregated before being advertised to external peers. The router's IP routing table must contain the networks which are a subset of the aggregate in order for the aggregate to be advertised. Only the aggregate, and not the individual routes, will be advertised to external peers. Internal peers will receive the individual routes if they originated outside the Autonomous System. Internal peers do not exchange internal routes via BGP.

Keywords recognized in this section are described below.

AddrAndMask = IP address [ mask ]

The AddrAndMask keyword specifies the IP address and subnet mask of the network to be aggregated. The IP address is entered in the standard dotted-decimal notation for IP addresses. The mask field is the subnet mask of the network. The mask is entered in dotted-decimal format and has 255's for the network portion of the address and 0 for the host portion when adding a network route, and all 255's when adding a host route. If a mask is not provided, an all 255's mask will be assumed.
This keyword may appear multiple times within this section in order to specify several different networks to be aggregated.

Examples

In the following example, the single route 198.41.8.0/22 will be advertised to BGP external peers. Without the BGP Aggregates entry, the four networks would be advertised separately.

    [ BGP Aggregates ]
    AddrAndMask = 198.41.8.0 255.255.252.0

See Also

[ BGP Networks ], [ IP Route Redistribution ]

[ BGP General ]

This section is used to modify parameters that affect the way BGP (Border Gateway Protocol) operates. These parameters are global to the device and are not associated with a particular interface.

Keywords recognized in this section are described below.

BGPEnabled = [ On | Off ]

The BGPEnabled keyword turns on BGP globally on the router. If no peers have been configured in the [ BGP Peer Config <Name> ] section, BGP will not operate on the router, even if BGPEnabled is set to On. The default is Off.

BGPAS = Number

The BGPAS keyword specifies the Autonomous System (AS) to which this router belongs. An Autonomous System is a collection of networks under a common administration sharing a common routing strategy. Autonomous Systems are subdivided by Areas. An Autonomous System must be assigned a unique 16-bit number by the American Registry for Internet Numbers (ARIN). It is not required to apply for an AS number to run BGP if an installation has only one Internet Service Provider. The ISP should provide an AS in that case. However, an "official" AS number is required for a multi-homed installation where more than one ISP is used. The BGPAS number is a required parameter.

BGPLocPref = Number

The BGPLocPref keyword sets the local preference of this router. The local preference is exchanged among routers in the same AS and is an indication about which path is preferred to exit the AS. A path with a higher local preference is more preferred. The number must be within the range of 0 to 65,535.
The default is 100.

BGPUseIPRFltrs = [ On | Off ]

The BGPUseIPRFltrs keyword sets whether the router will use IP route filters instead of BGP route maps. BGP uses BGP route maps to filter routes and set attributes. If no BGP route maps have been configured in the [ BGP Route Map <Name> ] section, the router will automatically use any configured IP route filters (see the [ IP Route Filter <Name> ] section).

Examples

    BGPEnabled = On
    BGPAS = 1
    BGPLocPref = 100
    BGPUseIPRFltrs = Off

See Also

[ BGP Peer Config <Name> ], [ BGP Route Map <Name> ], [ IP Route Filter <Name> ], [ BGP Peer List ], [ IP Route Redistribution ], [ BGP Aggregates ], [ BGP Networks ], bgp(show), bgp(reset), bgpenable(mgmt)

[ BGP Networks ]

This section defines a list of routes which will be advertised as originating inside the Autonomous System this router belongs to. These may be directly connected routes, static routes, RIP routes or OSPF routes. The route must be contained in the router's IP routing table or it will not be advertised. To advertise local networks which are not in the router's own IP routing table, they must be added as static routes.

Note: The only way to get directly connected routes advertised into BGP is to include them in this list. Static, RIP and OSPF routes can also be imported into BGP by using route redistribution. See the [ IP Route Redistribution ] section for more information.

Keywords recognized in this section are described below.

LocalNet = IP address [ mask ]

The LocalNet keyword specifies a route to be advertised as originating inside the Autonomous System to which this router belongs. The IP address is entered in the standard dotted-decimal notation for IP addresses. The optional mask parameter tells the router how many bits of the IP routing table entry to match against the LocalNet IP address.
This is not necessarily the actual mask of the network you wish to advertise, because subnet masks more specific than Class C are automatically truncated. This truncation is not the same as aggregation, and only applies to internal networks, and only to masks more specific than Class C. For route aggregation, use the [ BGP Aggregates ] section. See the examples for more information. If a mask is not provided, an all 255's mask will be assumed.

Examples

In the following example, the router has subnets 198.41.9.32, 198.41.9.64, and 198.41.9.96, all with mask 255.255.255.224. To get BGP to advertise one 198.41.9.0/24 network, the LocalNet entry would look like this:

    [ BGP Networks ]
    LocalNet = 198.41.9.32 255.255.255.255

The router will match only the 198.41.9.32 entry due to the mask. It will advertise the network as 198.41.9.0/24, since it automatically truncates subnet masks more specific than Class C. However, if you provided a mask of 255.255.255.0, the 198.41.9.0/24 net would be advertised three times, since all three of the subnets would match the LocalNet entry.

See Also

[ BGP General ], [ IP Route Redistribution ], [ BGP Aggregates ]

[ BGP Peer Config <Name> ]

This section defines configuration parameters for a single BGP peer or for a group of BGP peers of this router. Any two routers that have opened a TCP connection to each other for the purpose of exchanging BGP routing information are known as peers. Peer configurations are assigned to this router's peers in the [ BGP Peer List ] section. A peer configuration should only be used for more than one peer if all the same parameters are desired.

Keywords recognized in this section are described below.

InputRouteMap = String

The InputRouteMap keyword allows a named BGP Route Map or IP Route Filter to be used for this peer configuration. No input routes will be accepted by the router unless a BGP route map or IP route filter has been defined.
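The advertisement behaviour of the [ BGP Aggregates ] and [ BGP Networks ] sections above, worked through with the guide's own example addresses as an added Python example. This is not code from the guide or from Compatible Systems; the function names are assumptions made for the illustration, and the Class C truncation is modelled as the guide states it (a mask longer than /24 is cut back to /24 before the route is advertised).

```python
"""Added example (not from the guide): what a LocalNet entry matches and
advertises, and how an AddrAndMask aggregate replaces its member routes.
Function names are constructed for this example."""
import ipaddress
from typing import List

Net = ipaddress.IPv4Network
CLASS_C_PREFIX = 24   # the guide: masks more specific than Class C are truncated


def networks(*cidr_strings: str) -> List[Net]:
    """Build a routing table from CIDR strings (constructed input)."""
    return [ipaddress.IPv4Network(c) for c in cidr_strings]


def cidrs(nets: List[Net]) -> List[str]:
    return [str(n) for n in nets]


def parse_addr_and_mask(value: str) -> Net:
    """Parse the 'a.b.c.d [mask]' form used by AddrAndMask and LocalNet.
    A missing mask means an all-255s mask, as the guide states."""
    parts = value.split()
    mask = parts[1] if len(parts) > 1 else "255.255.255.255"
    return ipaddress.IPv4Network(f"{parts[0]}/{mask}", strict=False)


def truncate_to_class_c(net: Net) -> Net:
    """Model the [ BGP Networks ] rule: a subnet mask longer than /24 is
    cut back to /24 before the route is advertised."""
    if net.prefixlen <= CLASS_C_PREFIX:
        return net
    return ipaddress.IPv4Network(f"{net.network_address}/{CLASS_C_PREFIX}",
                                 strict=False)


def localnet_advertisements(routing_table: List[Net], localnet_value: str) -> List[Net]:
    """Routes a LocalNet entry causes to be advertised, one per matching
    routing-table entry.  Duplicates are kept on purpose: the guide warns
    that a loose mask makes the same /24 appear several times."""
    local = parse_addr_and_mask(localnet_value)
    mask = int(local.netmask)
    advertised = []
    for entry in routing_table:
        # The mask says how many bits of the table entry to compare with the
        # LocalNet address; it is not the real mask of the network.
        if int(entry.network_address) & mask == int(local.network_address):
            advertised.append(truncate_to_class_c(entry))
    return advertised


def aggregate_for_external_peers(routes: List[Net], aggregate_values: List[str]) -> List[Net]:
    """Apply [ BGP Aggregates ]: an aggregate replaces every route that is a
    subset of it and is advertised only if at least one such route exists."""
    aggregates = [parse_addr_and_mask(v) for v in aggregate_values]
    advertised = []
    remaining = list(routes)
    for agg in aggregates:
        covered = [r for r in remaining if r.subnet_of(agg)]
        if covered:
            advertised.append(agg)
            remaining = [r for r in remaining if r not in covered]
    return advertised + remaining


if __name__ == "__main__":
    table = networks("198.41.9.32/27", "198.41.9.64/27", "198.41.9.96/27")
    print(cidrs(localnet_advertisements(table, "198.41.9.32 255.255.255.255")))
    print(cidrs(localnet_advertisements(table, "198.41.9.32 255.255.255.0")))
    four = networks("198.41.8.0/24", "198.41.9.0/24", "198.41.10.0/24", "198.41.11.0/24")
    print(cidrs(aggregate_for_external_peers(four, ["198.41.8.0 255.255.252.0"])))
```

Run it and the second print shows 198.41.9.0/24 three times, which is the duplicate advertisement the guide warns about when the LocalNet mask is 255.255.255.0; the third shows the four /24s collapsed into the single 198.41.8.0/22 aggregate.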
Route maps are configured in the [ BGP Route Map <Name> ] section. IP route filters are configured in the [ IP Route Filter <Name> ] section.

OutputRouteMap = String

The OutputRouteMap keyword allows a named BGP Route Map or IP Route Filter to be used for this peer configuration. Route maps are configured in the [ BGP Route Map <Name> ] section. IP route filters are configured in the [ IP Route Filter <Name> ] section.

NextHopSelf = [ On | Off ]

The NextHopSelf keyword sets whether the router will advertise itself as the next hop to the routes it advertises to this peer. The default is Off.

EBGPMultihop = [ On | Off ]

The EBGPMultihop keyword allows routers which are not directly connected to be peers. BGP usually requires external peers to be directly connected. If EBGPMultihop is set to On, the router must also have a route to the external peer that is not directly connected in order to establish a connection. The default is Off.

PeerWeight = Number

The PeerWeight keyword assigns an internal rating to the peer. Peers with a higher weight are preferred when multiple routes exist to the same destination. The number must be within the range of 0 to 65,535. The default is 100.

PeerRetryTime = Number

The PeerRetryTime keyword is the amount of time, in seconds, between retries to establish a connection to configured peers which have gone down for some reason. If a peer is down but its state is set to On, the router will continually try to contact the peer every PeerRetryTime seconds. The value must be at least 10 seconds. The default is 30.

PeerHoldTime = Number

The PeerHoldTime keyword is the interval, in seconds, the router will wait for an update or keepalive packet from the peer before declaring the peer down. The hold time is actually negotiated between peers, which will use the smaller of the two hold times proposed. The value must be either zero or at least 3 seconds.
If the negotiated hold time interval is zero, then periodic keepalive packets will not be sent. The default is 180.

BGPUseLoopback = [ On | Off ]

The BGPUseLoopback keyword allows the router's Loopback address to be used as the IP source in TCP packets to that peer rather than a specific IP address of one of its interfaces. A LoopbackAddress must be specified in the [ IP Loopback ] section. The peer must have a route to the loopback address via normal IP routing procedures. If the address is not on a subnet already known to the peer, it must be added via a static route. The Loopback address is normally only used for internal peers, since external peers are usually directly connected. The default is Off.

AdvertiseDefault = [ On | Off ]

The AdvertiseDefault keyword sets whether the default route to this peer will be advertised to other peers. The default is Off.

Examples

The following example shows both a sample BGP Peer List and BGP Peer Config sections. In the example, Peers 198.41.11.213 and 206.14.128.2 use BGP Peer Config "Peer 1," and Peer 205.14.128.1 uses BGP Peer Config "Peer 2."

    [ BGP Peer List ]
    BGPPeer = On 198.41.11.213 100 Peer 1
    BGPPeer = On 205.14.128.1 110 Peer 2
    BGPPeer = On 206.14.128.2 120 Peer 1

    [ BGP Peer Config "Peer 1" ]
    InputRouteMap = bgpin1
    OutputRouteMap = bgpout1
    PeerHoldTime = 180
    PeerRetryTime = 65
    PeerWeight = 1000

    [ BGP Peer Config "Peer 2" ]
    InputRouteMap = bgpin2
    OutputRouteMap = bgpout1
    PeerHoldTime = 180
    PeerRetryTime = 45
    PeerWeight = 2000

See Also

[ BGP General ], [ BGP Route Map <Name> ], [ IP Route Redistribution ], [ BGP Peer List ], [ IP Loopback ], bgp(show)

[ BGP Peer List ]

This section defines a list of configured peers for this router. Routers that exchange BGP information are called BGP peers. A router may have both external peers in other Autonomous Systems (AS's), and internal peers within its own AS. Routers establish BGP sessions using the TCP protocol.
Upon startup of a new BGP session, BGP peers will exchange their full routing tables, and then only incremental updates are sent as the routing table changes. The router will not establish a BGP connection with any router not on this list. If there is no BGP Peer List, BGP will not be enabled even if BGPEnabled is set to On in the [ BGP General ] section.

The keywords recognized in this section are described below.

BGPPeer = String

The BGPPeer keyword specifies a BGP peer for this router. The string has the following syntax:

    On | Off <IP Address> <AS Number> [ Peer Config ID ]

On | Off

This parameter determines whether the router will try to establish a BGP session with the peer at start-up. As long as this parameter is set to Off, the peer will not be contacted at start-up, although the router can still establish a BGP session with this peer when the bgpenable command is issued (see bgpenable(mgmt)). The next time the router is booted, the peer will come up in the Off state.

IP Address

This specifies the IP address of the interface which will be a BGP peer for this router. The router will contact the peer using this IP address. The router must have the network of the supplied IP address in its routing table in order for the session to be established. External peers should be directly connected to the router (usually over a WAN link). Internal peers do not need to be directly connected. The IP address is entered in the standard dotted-decimal notation for IP addresses.

AS Number

This specifies the number of the Autonomous System (AS) of the BGP peer. The router determines if a peer is internal or external based on the AS number of the peer, since internal peers have the same AS number as the router itself.

Peer Config ID

This optional parameter specifies the number of the BGP Peer Configuration to which this peer will belong. A BGP Peer Configuration is a section where various peer-specific BGP configuration items may be set.
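The BGPPeer syntax described above, parsed and turned into the decisions the router derives from it (internal or external peer, contacted at start-up or not), together with the hold-time negotiation described under PeerHoldTime, as an added Python example. This is not code from the guide or from Compatible Systems; BGPPeerEntry, parse_bgp_peer, peer_kind, startup_plan and negotiated_hold_time are names chosen for the illustration, not keywords or commands of the router, and the 16-bit AS range check follows the guide's statement that AS numbers are 16-bit.

```python
"""Added example (not from the guide): parse 'On | Off <IP Address>
<AS Number> [ Peer Config ID ]' strings and derive what the router does
with each peer.  All names are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BGPPeerEntry:
    enabled: bool                 # On: contact the peer at start-up
    address: str                  # IP address of the peer's interface
    asn: int                      # peer's Autonomous System number
    peer_config: Optional[str]    # optional [ BGP Peer Config ] ID


def parse_bgp_peer(value: str) -> BGPPeerEntry:
    """Parse one BGPPeer value.  Everything after the AS number is the config
    ID, so IDs with spaces such as "Peer 1" in the guide's example survive."""
    parts = value.split()
    if len(parts) < 3:
        raise ValueError(f"BGPPeer needs state, address and AS number: {value!r}")
    state, addr, asn = parts[0].lower(), parts[1], parts[2]
    if state not in ("on", "off"):
        raise ValueError(f"state must be On or Off: {parts[0]!r}")
    ipaddress.IPv4Address(addr)          # raises ValueError on a malformed address
    asn_value = int(asn)                 # raises ValueError if not a number
    if not 1 <= asn_value <= 65535:      # the guide describes 16-bit AS numbers
        raise ValueError(f"AS number out of 16-bit range: {asn_value}")
    peer_config = " ".join(parts[3:]) or None
    return BGPPeerEntry(state == "on", addr, asn_value, peer_config)


def is_valid_bgp_peer(value: str) -> bool:
    """True when the value parses under the syntax above."""
    try:
        parse_bgp_peer(value)
        return True
    except ValueError:
        return False


def peer_kind(entry: BGPPeerEntry, local_as: int) -> str:
    """Internal peers share the router's BGPAS; all others are external."""
    return "internal" if entry.asn == local_as else "external"


def startup_plan(peer_values: List[str], local_as: int) -> List[Tuple[str, str, bool]]:
    """(address, internal/external, contacted at start-up) per BGPPeer line."""
    plan = []
    for value in peer_values:
        entry = parse_bgp_peer(value)
        plan.append((entry.address, peer_kind(entry, local_as), entry.enabled))
    return plan


def negotiated_hold_time(ours: int, theirs: int) -> int:
    """Peers settle on the smaller of the two proposed PeerHoldTime values.
    Each side must propose zero or at least 3 seconds; zero means that no
    periodic keepalives are sent."""
    for proposed in (ours, theirs):
        if proposed != 0 and proposed < 3:
            raise ValueError(f"hold time must be 0 or at least 3 seconds: {proposed}")
    return min(ours, theirs)


def keepalives_enabled(hold_time: int) -> bool:
    return hold_time != 0


if __name__ == "__main__":
    # Constructed sample in the guide's example style, local BGPAS = 100.
    peers = ["On 198.41.11.213 100 Peer 1", "Off 205.14.128.1 110 Peer 2"]
    for address, kind, at_startup in startup_plan(peers, 100):
        print(address, kind, "contacted at start-up" if at_startup else "left Off")
    print(negotiated_hold_time(180, 90))     # 90
```

A peer line that fails to parse is the kind of entry the router would silently never bring up, so running such a check over a configuration before loading it catches a mistyped address or AS number early.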
It is configured using the [ BGP Peer Config <Name> ] section. A BGP Peer Configuration section may be used for more than one peer only if all the same parameters are desired.

Examples

The following example shows both a BGP Peer List and a BGP Peer Config section. In the example, Peers 198.41.11.213 and 206.14.128.2 use BGP Peer Config "Peer 1", and Peer 205.14.128.1 uses BGP Peer Config "Peer 2".

    [ BGP Peer List ]
    BGPPeer = On 198.41.11.213 100 1
    BGPPeer = On 205.14.128.1 110 2
    BGPPeer = On 206.14.128.2 120 1

    [ BGP Peer Config "Peer 1" ]
    InputRouteMap = bgpin1
    OutputRouteMap = bgpout1
    PeerHoldTime = 180
    PeerRetryTime = 65
    PeerWeight = 1000

    [ BGP Peer Config "Peer 2" ]
    InputRouteMap = bgpin2
    OutputRouteMap = bgpout1
    PeerHoldTime = 180
    PeerRetryTime = 45
    PeerWeight = 2000

See Also

[ BGP General ], [ BGP Peer Config <Name> ], bgpenable(mgmt), bgp(show)

[ Bridging <Section ID> ]

This section is used to modify parameters that affect how bridging and the IEEE Spanning Tree algorithm operate on each bridge interface. Bridging of specific protocols on an interface is set in that protocol's configuration section. (See the [ AppleTalk <Section ID> ], [ DECnet <Section ID> ], [ IP <Section ID> ] and [ IPX <Section ID> ] sections.)

Keywords recognized in this section are described below.

Mode = [ On | Off ]

The Mode keyword turns bridging on or off for this interface. To enable bridging on an interface, the Mode keyword in the [ Bridging Global ] section must also be set to either Learning or IEEE. See the examples below for more details.

UnknownProtocolsBridged = [ On | Off ]

The UnknownProtocolsBridged keyword indicates whether unknown protocols which the device does not route (such as NetBEUI and DEC LAT) will be bridged on this interface. The default is On.

PortPriority = Number

The PortPriority keyword sets the IEEE 802.1D Spanning Tree protocol port priority parameter.
This parameter is used to give precedence to an interface within the bridge. The port priority is combined with the interface number to create a Port ID. The interface with the lowest Port ID (numerically) will have precedence over interfaces with higher Port IDs. Values range from 0 to 255.

PathCost = Number

The PathCost keyword sets the IEEE 802.1 Spanning Tree protocol path cost parameter. This parameter sets the cost of using an interface and is used by the bridge to compute the distance from the root bridge. It may be used to artificially change the topology of a Spanning Tree network. The default value of 100 is recommended by the IEEE specification for 10 Mbit Ethernet interfaces. Values range from 1 to 65535.

Examples

The following example shows a sample bridging configuration, and some interaction between this section and other configuration sections.

    #
    # Bridging Configuration
    #
    [ Bridging Global ]
    Mode = IEEE              # Make sure that Bridging is on

    [ Bridging Ethernet 0 ]
    Mode = On
    PathCost = 100

    [ Bridging Ethernet 1 ]
    Mode = On
    PortPriority = 1

    #
    # Bridge IP and Appletalk
    #
    [ IP Default ]
    Mode = Bridged

    [ Appletalk Default ]
    Mode = Bridged

It is important to remember that bridging must be turned on for the whole device in addition to turning it on in the individual interface sections. For example, to bridge IP traffic on Ethernet 0, the following parameters must be set.

    [ Bridging Global ]
    Mode = IEEE

    [ Bridging Ethernet 0 ]
    Mode = On

    [ IP Ethernet 0 ]
    Mode = Bridged

If all interfaces for a particular protocol are being bridged and you would like to manage the system using that protocol family, then that protocol must be Routed on the bridge port.
For example, if AppleTalk is bridged on all interfaces and you want to use CompatiView on a Macintosh to configure the device, configure the AppleTalk bridge port this way:

    [ AppleTalk Phase 2 Bridge ]
    Mode = Routed

If IP is bridged on all interfaces and you want to use CompatiView or telnet to the device, configure the IP bridge port as follows. When configured this way, you can telnet to the IP address noted.

    [ IP Bridge ]
    Mode = Routed
    IPAddress = 192.15.1.1
    SubnetMask = 255.255.255.0

See Also

[ Bridging Global ], bridge(show), bridge(set), [ AppleTalk <Section ID> ], [ DECnet <Section ID> ], [ IP <Section ID> ], [ IPX <Section ID> ]

[ Bridging Global ]

This section is used to modify parameters that affect the way bridging and the IEEE Spanning Tree algorithm operate. These parameters are global to the device and are not associated with a particular interface.

Keywords recognized in this section are described below.

Mode = [ IEEE | Learning | Off ]

The Mode keyword specifies whether bridging will be enabled and how it will be configured for the system as a whole. To disable bridging, set the mode to Off. The bridge supports two operating modes: IEEE and Learning.

The IEEE mode configures the bridge to support the IEEE 802.1D Spanning Tree algorithm. The Spanning Tree algorithm is used by bridges to detect loops (i.e., two or more pathways to the same destination) and "prune" them into a tree-like, loop-free topology by establishing a root bridge and then calculating the best path from each bridge to the root bridge. Traffic is then forwarded only along this path. If the network to which the bridge is attaching contains loops, Spanning Tree must be enabled to prevent packet duplication.

The Learning mode configures the bridge for operation with the Spanning Tree algorithm disabled. The bridge listens to all network traffic and builds an Ethernet address cache of the devices on each interface.
When a bridge receives a packet on one interface which is destined for an address on another interface, it looks up the destination in its address cache. If it has an entry, it forwards the packet directly to the appropriate interface. If it doesn't have an entry, it forwards the packet to all interfaces except the one from which it was received. If there is a loop in the network topology, a bridge that doesn't employ the Spanning Tree algorithm will endlessly forward the same packet back and forth on its interfaces because it cannot detect the loop formed by the second pathway. Learning mode should only be used on networks without active loops.

Note: Because the parameters in this section are global to the device, it isn't possible to turn on IEEE (Spanning Tree) or Learning for individual interfaces. When the mode is IEEE, the root bridge dictates the parameters for the whole network.

AgingTime = Number

The AgingTime keyword sets the time that entries can remain in the bridge's Ethernet address cache. Each time the bridge receives traffic for an address, the aging timer is reset for that address. If no traffic comes through for the address and the aging time expires, the entry is purged. The default value is 300 seconds. Values range from 10 to 100,000 seconds.

HashTableSize = Number

The HashTableSize keyword sets the maximum number of address entries in the bridge's Ethernet address cache. The bridge only allocates as many entries as it needs, up to the limit specified in this parameter. The default value is 1024. Values range from 256 to 16,384.

BridgePriority = Number

The BridgePriority keyword is used by the Spanning Tree algorithm to calculate the root bridge. The bridge priority is combined with the bridge's Ethernet address to create an 8-byte bridge ID. The Spanning Tree algorithm uses the bridge ID to determine the root bridge for a network.
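Two things a practitioner auditing one of these configurations wants to automate, as an added Python example that is not code from the guide or from Compatible Systems: a parser for the text format the guide documents ("[ Section ]" headers, "Keyword = Value" lines, "#" comments, quoted values, keywords that may repeat), a check of the three-part bridging rule from the [ Bridging <Section ID> ] examples (global Mode IEEE or Learning, interface Mode On, protocol Mode Bridged), and the bridge ID comparison the BridgePriority description gives for root election. The sample configuration and every function name are constructed for the illustration; the "Default" protocol sections shown in the guide name no single interface, so the check skips them.

```python
"""Added example (not from the guide): parse the guide's configuration
format, check the bridging rule across sections, and compare 802.1D bridge
IDs.  The sample configuration and all names are constructed here."""
from typing import Dict, List, Optional, Tuple

Sections = Dict[str, List[Tuple[str, str]]]

# Constructed sample in the guide's format; it satisfies the bridging rule.
SAMPLE_CONFIG = """\
#
# Bridging Configuration (constructed sample)
#
[ Bridging Global ]
Mode = IEEE              # Make sure that Bridging is on
BridgePriority = 1000
[ Bridging Ethernet 0 ]
Mode = On
PathCost = 100
[ Bridging Ethernet 1 ]
Mode = On
PortPriority = 1
[ IP Ethernet 0 ]
Mode = Bridged
[ IP Ethernet 1 ]
Mode = Routed
[ AppleTalk Phase 2 Ethernet 1 ]
Mode = Bridged
DefZone = "The # Club"   # a '#' inside double quotes is not a comment
"""


def strip_comment(line: str) -> str:
    """Drop a '#' comment unless the '#' sits inside a double-quoted string."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            return line[:i]
    return line


def parse_config(text: str) -> Sections:
    """Map each section name to its (keyword, value) pairs in file order.
    Repeats are kept because keywords such as BGPPeer or Tunnel may recur."""
    sections: Sections = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = " ".join(line[1:-1].split())   # normalise inner spacing
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a section or without '=': {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key, value))
    return sections


def last_value(sections: Sections, section: str, key: str) -> Optional[str]:
    """Case-insensitive lookup of the last value given for key in section."""
    for name, items in sections.items():
        if name.lower() == section.lower():
            values = [v for k, v in items if k.lower() == key.lower()]
            return values[-1] if values else None
    return None


# Protocol section prefixes whose Mode may be Bridged; longer names first.
BRIDGEABLE = ("appletalk phase 1", "appletalk phase 2", "appletalk", "decnet", "ipx", "ip")


def bridging_problems(sections: Sections) -> List[str]:
    """A '<Protocol> <Interface>' section with Mode = Bridged needs
    [ Bridging Global ] Mode = IEEE or Learning and [ Bridging <Interface> ]
    Mode = On.  'Default' sections are skipped: they name no interface."""
    problems = []
    global_mode = (last_value(sections, "Bridging Global", "Mode") or "").lower()
    for name in sections:
        lname = name.lower()
        proto = next((p for p in BRIDGEABLE if lname.startswith(p + " ")), None)
        if proto is None:
            continue
        iface = name[len(proto):].strip()
        if (last_value(sections, name, "Mode") or "").lower() != "bridged":
            continue
        if iface.lower() == "default":
            continue
        if global_mode not in ("ieee", "learning"):
            problems.append(f"[ {name} ]: [ Bridging Global ] Mode must be IEEE or Learning")
        if (last_value(sections, f"Bridging {iface}", "Mode") or "").lower() != "on":
            problems.append(f"[ {name} ]: [ Bridging {iface} ] Mode must be On")
    return problems


def bridge_id(priority: int, mac: str) -> int:
    """8-byte 802.1D bridge ID: 2-byte BridgePriority followed by the 6-byte MAC."""
    if not 0 <= priority <= 65535:
        raise ValueError("BridgePriority must be 0..65535")
    return (priority << 48) | int(mac.replace(":", "").replace("-", ""), 16)


def elect_root(bridges: List[Tuple[str, int, str]]) -> str:
    """Given (name, BridgePriority, MAC) per bridge, the numerically lowest
    bridge ID is the root; equal priorities are decided by the MAC."""
    return min(bridges, key=lambda b: bridge_id(b[1], b[2]))[0]


if __name__ == "__main__":
    print(bridging_problems(parse_config(SAMPLE_CONFIG)))                     # []
    print(bridging_problems(parse_config(SAMPLE_CONFIG.replace("Mode = IEEE", "Mode = Off"))))
    print(elect_root([("A", 32768, "00:00:0c:11:22:33"), ("B", 1000, "00:00:0c:ff:ff:ff")]))
```

The second print shows the failure mode the guide warns about: with the global Mode turned Off, every protocol section that says Mode = Bridged is reported, because per-interface bridging never takes effect without the global setting. The election call reproduces the guide's "set the bridge priority to a lower value" advice: priority 1000 beats the IEEE default of 32,768 regardless of MAC address.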
The numerically lowest bridge ID on a network will be the root bridge for that network. There will only be one root bridge on a network. The IEEE recommended default value is 32,768; values range from 0 to 65,535.

MaxAge = Number

The MaxAge keyword is used to determine when a Spanning Tree configuration packet is considered stale and its information is discarded. The default value recommended by the IEEE specification is 20 seconds; values range from 6 to 40 seconds.

HelloTime = Number

The HelloTime keyword sets the interval between Spanning Tree configuration packets sent by the bridge. The default value recommended by the IEEE specification is 2 seconds; values range from 1 to 10.

ForwardDelay = Number

The ForwardDelay keyword sets the time that a bridge will spend determining whether or not to include an interface in the network's Spanning Tree. If included, the interface will spend this same amount of time listening to network traffic and building its address cache before it begins forwarding packets. It is also used as the aging time during periods of topology change on the network. The recommended default value is 15 seconds; values range from 4 to 30 seconds.

Examples

The following example shows a bridge configuration for a network with an unstable topology. By setting the Spanning Tree parameters to the minimum values, the topology changes will be detected quicker at the expense of more Spanning Tree protocol traffic on the network.

    [ Bridging Global ]
    Mode = IEEE
    AgingTime = 300
    HashTableSize = 1024
    MaxAge = 6
    HelloTime = 1
    ForwardDelay = 4

To set this as the root bridge, set the bridge priority to a lower value.

    [ Bridging Global ]
    BridgePriority = 1000

See Also

[ Bridging <Section ID> ], bridge(show), bridge(set)

[ Command Line ]

This section is used to configure terminal settings that define the way that the command parser interacts with the user.
The command parser is accessed via telnet or the AUX/console.

Keywords recognized in this section are described below.

Enhanced = [ On | Off ]

The Enhanced keyword allows control over the "enhanced" parsing mode that is supported by the command parser. If Enhanced is On and the command parser cannot decipher the input entered or an invalid option was entered for a command, the parser will redisplay the portion that was successfully parsed. The default is On.

Erase = [ BackSpace | Delete ]

The Erase keyword sets the command parser's erase character. Normally, BackSpace and Delete are recognized by the command parser for erasing characters. However, when using the line editing feature or with some prompts from the command parser, the two erase characters above aren't recognized and the erase character selected by this keyword takes effect. The default is BackSpace.

More = [ On | Off ]

The More keyword specifies "more" processing of all displayed output. If More is On, displayed output that is longer than the configured terminal height will be paused and a "--more--" prompt will be displayed. To display the next screen of data, enter a <SPACE>. To display only the next line of data, enter a <RETURN>. Any other input terminates the output and the next command prompt will be displayed. The default is On.

PrintPortLabel = [ Numbers | Letters ]

The PrintPortLabel keyword tells the parser whether interfaces should be displayed with numbers or letters. Both letters and numbers are recognized as input to the command parser. The default is Numbers.

Width = Number

The Width keyword sets the terminal width. The Width is the number of characters per line. The default is 80 characters.

Height = Number

The Height keyword sets the terminal height. The Height is the number of lines displayed. This value is used by the "more" processor. The default is 24 lines.
Examples

    [ Command Line ]
    Enhanced = On        # Enable "Enhanced" mode
    Erase    = Delete

See Also

terminal(set)

[ DECnet <Section ID> ]

This section controls how DECnet packets are handled on each router interface. Compatible Systems routers support DECnet Phase IV intra-area routing. Keywords recognized in this section are described below.

Mode = [ Routed | Bridged | Off ]

The Mode keyword specifies whether DECnet Phase IV packets will be routed across the interface, bridged across the interface, or ignored on the interface. If Bridged is specified, bridging must also be enabled for the interface in the [ Bridging <Section ID> ] section. If Bridged or Off is specified, the HelloTimer and RoutingTimer are ignored.

HelloTimer = Number

The HelloTimer keyword tells the router how frequently it should send DECnet hello messages on a WAN interface. DECnet hello messages tell end nodes which routers are available to route packets. Valid values range from 1 to 8191 seconds (approximately 2 hours and 15 minutes). This timer value is also inserted into the hello messages themselves. Once an end node has received a hello message from a router, it begins to track the availability of that router. If an end node does not hear an additional hello message within 3 timer periods, it assumes that this router is no longer available.

Note: For dial-on-demand links, this parameter should be set to the longest period practical, since the router will dial the remote end each time one of these packets is sent.

RoutingTimer = Number

The RoutingTimer keyword tells the router how frequently it should send routing messages on a WAN interface. DECnet routing messages are exchanged between routers and contain routing table information including node numbers, hello timer values, hop counts and costs. Valid values range from 1 to 8191 seconds (approximately 2 hours and 15 minutes). The default is 120.
Note: For dial-on-demand links, this parameter should be set to the longest period practical, since the router will dial the remote end each time one of these packets is sent.

Examples

    [ DECnet WAN 0 ]
    Mode         = Routed
    HelloTimer   = 30
    RoutingTimer = 120

See Also

[ DECnet Global ], decnet(show), [ Bridging <Section ID> ]

[ DECnet Global ]

This section controls how DECnet packets are handled for the router. Compatible Systems routers support DECnet Phase IV intra-area routing. Keywords recognized in this section are described below.

Enabled = [ On | Off ]

The Enabled keyword controls how DECnet packets will be handled by the router. If Enabled is On, then DECnet packets received on any interface in the router which also has DECnet turned on will be routed to the correct interface. In addition, individual interfaces must be set to route packets in the [ DECnet <Section ID> ] section. If Enabled is set to Off, DECnet routing will be turned off globally in the router, and DECnet settings for individual interfaces will be ignored.

Area = Number

The Area keyword assigns this router to a DECnet area. A DECnet area may include one or more physical network segments. The area information is specific to this individual router and, along with the node number, uniquely identifies it on the network. The area number must be within the range of 1 to 63 and is a required parameter.

Node = Number

The Node keyword assigns this router a DECnet node number. Each device in a DECnet area must have a unique node number. The node number is specific to each router or workstation and, along with the area number, uniquely identifies it on the network. The node number must be within the range of 1 to 1023.

Note: Using the same area and node combination as an address for two different devices can cause problems on your network that are difficult to diagnose. You should carefully track the assignment of this information for devices on your DECnet network.
HelloTimer = Number

The HelloTimer keyword tells the router how frequently it should send DECnet hello messages on its LAN interfaces. DECnet hello messages tell end nodes which routers are available to route packets. Valid values range from 1 to 8191 seconds (approximately 2 hours and 15 minutes). This timer value is also inserted into the hello messages themselves. Once an end node has received a hello message from a router, it begins to track the availability of that router. If an end node does not hear an additional hello message within 3 timer periods, it assumes that this router is no longer available.

RoutingTimer = Number

The RoutingTimer keyword sets how frequently the router should send routing messages on its LAN interfaces. DECnet routing messages are exchanged between routers and contain routing table information including node numbers, hello timer values, hop counts and costs. Valid values range from 1 to 8191 seconds (approximately 2 hours and 15 minutes). The DECnet Hello and RoutingTimer values for individual WAN interfaces are set with the HelloTimer and RoutingTimer keywords in the [ DECnet <Section ID> ] section.

Maxnode = Number

The Maxnode keyword sets the maximum number of node addresses allowed for this particular DECnet area. Valid values range from 1 to 1023. By limiting the number of addresses, a network administrator can limit the size of the internal routing table and the size of the routing messages sent to other routers. Generally, all routers on the network should be consistent and use the same value for this parameter. This number should be at least as large as the highest node number assigned to this router or any other workstation on the network.
Examples

    [ DECnet Global ]
    Enabled = On
    Area    = 1
    Node    = 1000

See Also

[ DECnet <Section ID> ], decnet(show)

[ Domain Name Server ]

This section is used to list the addresses of the primary and secondary domain name servers used by the router for Domain Name Service (DNS) name lookups. DNS allows the device to report DNS names instead of raw IP addresses when using the traceroute command, and also allows the ping command to be optionally issued with a DNS name. (See the traceroute(mgmt) and the ping(mgmt) sections for further information.) A primary name server must be specified in order to use DNS lookup. The keywords recognized in this section are described below.

PrimaryServer = IP Address

The PrimaryServer keyword specifies the IP address of the primary domain name server.

SecondaryServer = IP Address

The SecondaryServer keyword specifies the IP address of the secondary domain name server(s). If no response is received from the primary name server, then the secondary servers are used. Up to 2 secondary servers may be added to the configuration.

Examples

    [ Domain Name Server ]
    PrimaryServer   = 10.0.0.101
    SecondaryServer = 10.0.0.142
    SecondaryServer = 10.0.0.130

See Also

ping(mgmt), traceroute(mgmt)

[ DS3 Interface <Section ID> ]

This section sets configuration parameters for an internal DSU on the specified WAN interface. DS3 digital transmission has a data capacity of 44.736 Mbps (referred to as Data Speed 3 or DS3). Keywords recognized in this section are described below.

LineBuildOut = [ Short | Long ]

The LineBuildOut keyword should be set based on the distance between the device and the DS3 terminal located in your building. Cable lengths from 0 - 100 feet require that LineBuildOut be set to Short. Cable lengths from 101 - 900 feet require that LineBuildOut be set to Long.
Clocking = [ Internal | External ]

The Clocking keyword configures whether the DSU will use its own internal clock or obtain the clock from the network to use for the DSU’s DS3 transmit signal towards the network. In Internal mode, an internal clock is used. In External mode, the clock derived from the DS3 receive signal is used. The default is Internal mode. Verify this setting with your ISP.

DS3SubRate = [ 3_158 | 6_316 | 9_474 | 12_632 | 15_790 | 18_948 | 22_106 | 25_264 | 28_422 | 31_580 | 34_738 | 37_896 | 41_054 | 44_210 ]

The DS3SubRate keyword specifies the data rate for the CSU/DSU. This can be used to set the throughput to match the bandwidth provided by your NSP (Network Service Provider). The values are specified in megabits per second, using an underscore ( _ ) as the decimal point (e.g., 3_158 is 3.158 Mbps). Both ends of the DS3 connection must have the same rate specified. Unless the remote end is a Larscom CSU/DSU (or equivalent) or another Compatible Systems DS3 interface, the default setting of 44_210 must be used.

InvertData = [ On | Off ]

The InvertData keyword allows the user to invert data. Data inversion can be used to meet pulse density requirements. Always set to Off unless otherwise instructed by your ISP. If a DSU at one end of a DS3 line inverts its data, then the DSU at the other end must do the same.

CRC = [ 16 bit | 32 bit ]

The CRC keyword configures whether the DSU will use a 16-bit or 32-bit frame check sequence. Both ends of a DS3 connection must use the same CRC (Cyclical Redundancy Check) setting. The default is 16 bit.

Examples

    [ DS3 Interface Wan 0 ]
    LineBuildOut = Long
    CRC          = 16 bit

See Also

[ Link Config <Section ID> ], wan(show), wan ds3(set)

[ Dynamic Firewall Globals ]

This section sets global timers for Compatible Systems IntraGuard Firewall devices. The keywords for this section are described below.
SYNTimer = Number

The SYNTimer keyword sets the number of seconds the firewall will wait without receiving a response to a SYN TCP packet before clearing a TCP session. The SYN flag is included in the header of the first couple of TCP packets and indicates that a session is being established. If the SYNTimer is set too low, half-open sessions may accumulate. If the SYNTimer is set too high, there may not be enough time to complete the handshake and establish a session. Values may range from 0 to 120. The default is 20 seconds.

FINTimer = Number

The FINTimer keyword sets the number of seconds the firewall will wait without receiving a response to a FIN TCP packet before clearing a TCP session. TCP specifies that for a session to be fully closed down, both ends of the connection must send out a FIN packet. If the FINTimer is too high, half-shut sessions may accumulate. If the FINTimer is too low, sessions may be shut down too quickly. Values may range from 0 to 120. The default is 10 seconds.

TCPTimeout = Number

The TCPTimeout keyword sets the number of seconds the firewall will wait before shutting down an inactive TCP session. Values may range from 0 to 0xFFFFFFFF. The default is 172,800 seconds (48 hours).

UDPTimeout = Number

The UDPTimeout keyword sets the number of seconds the firewall will wait before shutting down an inactive non-TCP session. Values may range from 0 to 0xFFFFFFFF. The default is 60 seconds.

HalfShutTimer = Number

The HalfShutTimer keyword sets the number of seconds the firewall will wait to close down a half-shut, inactive TCP session. TCP specifies that for a session to be fully closed down, both ends of the connection must send out a FIN packet. If the firewall has not received a FIN packet from the other end and there has been no activity during the specified length of time, the firewall will clear the session. Values may range from 0 to 0xFFFFFFFF. The default is 120 seconds. Setting a value of 0 will disable the timer.
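The five timers above (SYNTimer, FINTimer, TCPTimeout, UDPTimeout and HalfShutTimer) together decide when an entry leaves the firewall's session table. The Python model below is an added illustration, not Compatible Systems or IntraGuard code: it tracks constructed TCP and UDP flows through a session table and records which timer cleared each one. The state machine (a SYN counts as answered when the responder sends anything back; the first FIN moves a session to "half-shut"), the behaviour of HalfShutTimer = 0, and the addresses and packet trace in demo() are this example's own assumptions.

```python
"""Session-table timer model for the [ Dynamic Firewall Globals ] keywords.

Added illustration, not Compatible Systems or IntraGuard code.  The state
transitions and the packet trace in demo() are constructed assumptions.
"""
from dataclasses import dataclass

# Timer defaults (seconds) as stated in this section.
DEFAULTS = {"SYNTimer": 20, "FINTimer": 10, "HalfShutTimer": 120,
            "TCPTimeout": 172800, "UDPTimeout": 60}


@dataclass
class Session:
    proto: str                  # "tcp" or "udp"
    state: str                  # tcp: syn_sent / established / half_shut; udp: open
    last_seen: float
    fin_time: float = 0.0       # when the first FIN was seen
    fin_from: int = -1          # 0 = client sent that FIN, 1 = server did
    fin_answered: bool = False  # has the other end sent anything since that FIN?


class SessionTable:
    def __init__(self, timers=None):
        self.t = dict(DEFAULTS, **(timers or {}))
        self.sessions = {}      # (client, server, proto) -> Session
        self.cleared = []       # audit trail: (key, reason, time)

    def expire(self, now):
        """Apply the timers to every entry; returns the keys cleared in this pass."""
        gone = []
        for key, s in list(self.sessions.items()):
            idle = now - s.last_seen
            reason = None
            if s.proto == "udp":
                if idle >= self.t["UDPTimeout"]:
                    reason = "UDPTimeout"
            elif s.state == "syn_sent":
                if idle >= self.t["SYNTimer"]:
                    reason = "SYNTimer"        # handshake never completed
            elif s.state == "established":
                if idle >= self.t["TCPTimeout"]:
                    reason = "TCPTimeout"
            elif s.state == "half_shut":
                if not s.fin_answered and now - s.fin_time >= self.t["FINTimer"]:
                    reason = "FINTimer"        # nobody answered the FIN
                elif self.t["HalfShutTimer"] and idle >= self.t["HalfShutTimer"]:
                    reason = "HalfShutTimer"   # a value of 0 disables this timer
            if reason:
                del self.sessions[key]
                self.cleared.append((key, reason, now))
                gone.append(key)
        return gone

    def packet(self, now, key, from_client, flags=""):
        """Record one packet; key = (client, server, proto); flags use 'S', 'A', 'F'."""
        self.expire(now)
        proto = key[2]
        side = 0 if from_client else 1
        s = self.sessions.get(key)
        if s is None:
            if proto == "udp":
                s = Session("udp", "open", now)
            elif from_client and "S" in flags:
                s = Session("tcp", "syn_sent", now)
            else:
                return False    # TCP flow that did not start with a client SYN: not tracked
            self.sessions[key] = s
            return True
        s.last_seen = now
        if s.state == "syn_sent" and not from_client:
            s.state = "established"                  # the SYN was answered
        elif s.state == "established" and "F" in flags:
            s.state, s.fin_time, s.fin_from = "half_shut", now, side
        elif s.state == "half_shut" and side != s.fin_from:
            s.fin_answered = True
            if "F" in flags:                         # both ends have now sent FIN
                del self.sessions[key]
                self.cleared.append((key, "closed", now))
        return True


def demo():
    """Constructed trace: one unanswered SYN, one clean close, one idle UDP exchange."""
    tbl = SessionTable()
    a = ("10.0.0.5", "192.0.2.10", "tcp")   # SYN that is never answered
    b = ("10.0.0.6", "192.0.2.10", "tcp")   # normal handshake and close
    c = ("10.0.0.7", "192.0.2.20", "udp")   # request/response, then silence
    tbl.packet(0, a, True, "S")
    tbl.packet(0, b, True, "S")
    tbl.packet(1, b, False, "SA")
    tbl.packet(1, c, True)
    tbl.packet(2, c, False)
    tbl.packet(30, b, True, "F")     # by now a's SYN has aged past SYNTimer
    tbl.packet(31, b, False, "A")    # server acknowledges the FIN
    tbl.packet(35, b, False, "F")    # server's own FIN: fully closed
    tbl.expire(200)                  # c has been idle longer than UDPTimeout
    return {key[0]: reason for key, reason, _ in tbl.cleared}
```

Running demo() reports the unanswered SYN cleared by SYNTimer at t=30, the clean close recorded as "closed", and the UDP flow cleared by UDPTimeout; the same table can be built with different timer values (for instance HalfShutTimer = 0) to see which entries linger.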
DynamicTimer = Number

The DynamicTimer keyword sets the number of seconds the firewall will wait before shutting down an inactive dynamic session. Dynamic sessions are created by the firewall to allow TCP sessions or non-TCP packets to come through the firewall. The firewall does this by monitoring packet headers and data, and then opening permitted sessions only when necessary. Values may range from 0 to 300. The default is 60 seconds.

RejectTimer = Number

The RejectTimer keyword sets the number of seconds the firewall will keep track of rejected packets after the packet flow has ended. The firewall tallies the different types of rejected packets and summarizes the information in a display using the show firewall rejects command (see firewall(show)). Values may range from 0 to 0xFFFFFFFF. The default is 120 seconds. If the RejectTimer is set to 0, the firewall will log every rejected packet individually, without summarizing them in a tally.

Examples

This example shows the default settings.

    [ Dynamic Firewall Globals ]
    SYNTimer      = 20
    FINTimer      = 10
    TCPTimeout    = 172800
    UDPTimeout    = 120
    HalfShutTimer = 300
    DynamicTimer  = 60
    RejectTimer   = 120

See Also

[ Dynamic Firewall Logging ], [ Dynamic Firewall Path <Name> ], [ NAT Mapping ], [ NAT Global ], firewall(show)

[ Dynamic Firewall Logging ]

This section sets the level at which specific events are logged on IntraGuard Firewall devices. The IntraGuard “tags” the log messages associated with each type of event with the specified log level. The eight logging levels are listed below in descending order of importance.

• Off
• 0/Emergency
• 1/Alert
• 2/Critical
• 3/Error
• 4/Warning
• 5/Notice
• 6/Info
• 7/Debug

The event log messages will appear in the log buffer (or wherever log messages are being sent) only if the global log level is at the same level or a lower level of importance.
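The comparison just described (an event's tagged level against the global Level in [ Logging ]) is easy to get backwards, because a numerically higher level is less important. The following Python gate is an added example, not Compatible Systems or IntraGuard code; it uses the per-event defaults listed in this section and treats Off on either side as "never logged", which is this example's assumption. The minimal section parser and the SAMPLE_CONFIG text are constructed for the illustration.

```python
"""Log-level gate for [ Dynamic Firewall Logging ] event tags.

Added example, not Compatible Systems or IntraGuard code.  A tagged message
reaches the log only when the event's level number is at or below the global
Level set in [ Logging ].  Treating Off as "never logged" is an assumption.
"""
LEVELS = ["Emergency", "Alert", "Critical", "Error",
          "Warning", "Notice", "Info", "Debug"]        # list index == level number

# Per-event defaults as listed in this section.
DEFAULT_EVENT_LEVELS = {
    "Rejects": "Info", "TCP_EST_Reject": "Error", "Sessions": "Error",
    "TearDown": "Warning", "IP_Timeouts": "Warning", "TCP_Timeouts": "Alert",
    "TCP_Resets": "Notice", "ICMP_Resets": "Notice", "TCP_SYN": "Critical",
    "TCP_FIN": "Critical", "Redirects": "Critical", "General": "Critical",
}


def level_number(value):
    """Accept Off, a digit 0-7 or a level name; return the number, or None for Off."""
    v = str(value).strip().lower()
    if v == "off":
        return None
    if v.isdigit() and 0 <= int(v) <= 7:
        return int(v)
    names = [n.lower() for n in LEVELS]
    if v in names:
        return names.index(v)
    raise ValueError(f"unknown log level: {value!r}")


def is_logged(event_level, global_level):
    """True when a message tagged event_level passes the global Level."""
    ev, gl = level_number(event_level), level_number(global_level)
    if ev is None or gl is None:
        return False
    return ev <= gl


def suppressed_events(event_levels, global_level):
    """Event keywords whose messages would never appear at this global Level."""
    return sorted(e for e, lv in event_levels.items() if not is_logged(lv, global_level))


def parse_section(text):
    """Minimal 'Keyword = Value' parser for one configuration section; '#' starts a comment."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, val = line.partition("=")
        result[key.strip()] = val.strip()
    return result


# Constructed configuration excerpt (numeric and named levels mixed on purpose).
SAMPLE_CONFIG = """
[ Dynamic Firewall Logging ]
Rejects        = Info      # every rejected packet: noisy at this level
TCP_EST_Reject = Error
Sessions       = 3
TearDown       = Warning
"""
```

With the defaults and a global Level of Notice, suppressed_events() returns only Rejects; raising the global Level to Debug logs everything, while lowering it to Alert leaves only TCP_Timeouts visible, which is why a tag level should be chosen relative to the [ Logging ] Level rather than in isolation.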
This allows you to closely monitor certain events while excluding from the log those events you do not wish to monitor as closely. Logging parameters for the device, including the global log level, are set in the [ Logging ] section. The keywords for this section are described below.

Rejects = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The Rejects keyword sets the level at which Reject messages will be logged. A Reject message is created by the firewall whenever an IP packet is rejected for any reason. The default is Info.

TCP_EST_Reject = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The TCP_EST_Reject keyword sets the level at which TCP_EST_Reject messages will be logged. These messages are created by the firewall whenever an established TCP session is rejected. These messages are also created when a TCP session for which the firewall has not seen the SYN flag is established. This is a feature enabled using the PermitEstTCP keyword in the [ Dynamic Firewall Path <Name> ] section. The default is Error.

Sessions = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The Sessions keyword sets the level at which Sessions messages will be logged. These messages are created by the firewall whenever an IP session is established. The default is Error.

TearDown = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The TearDown keyword sets the level at which TearDown messages will be logged. These messages are created by the firewall whenever an IP session is torn down. The default is Warning.

IP_Timeouts = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The IP_Timeouts keyword sets the level at which IP_Timeouts messages will be logged.
These messages are created by the firewall whenever a non-TCP session (i.e., IP or UDP session) is timed out. The default is Warning.

TCP_Timeouts = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The TCP_Timeouts keyword sets the level at which TCP_Timeouts messages will be logged. These messages are created by the firewall whenever a TCP session is timed out due to inactivity. The default is Alert.

TCP_Resets = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The TCP_Resets keyword sets the level at which TCP_Resets messages will be logged. These messages are created by the firewall whenever a TCP session is reset. The default is Notice.

ICMP_Resets = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The ICMP_Resets keyword sets the level at which ICMP_Resets messages will be logged. These messages are created by the firewall whenever a non-TCP session (i.e., UDP or ICMP session) is reset. The default is Notice.

TCP_SYN = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The TCP_SYN keyword sets the level at which TCP_SYN messages will be logged. These messages are created by the firewall whenever a TCP connection cannot be completed because it was timed out. The default is Critical.

TCP_FIN = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The TCP_FIN keyword sets the level at which TCP_FIN messages will be logged. These messages are created by the firewall whenever a TCP connection cannot be properly torn down and is instead timed out. The default is Critical.

Redirects = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The Redirects keyword sets the level at which ICMP redirect messages will be logged. These messages are created by devices on the network when they receive a misdirected packet.
These messages sometimes indicate route instability or the presence of an incorrectly configured IP host, but they do not necessarily indicate a problem on the network. The default is Critical.

General = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The General keyword sets the level at which General messages will be logged. General messages are created when errors occur within the IntraGuard. This might include running out of memory or internal state errors, and should be infrequent. The default is Critical.

Examples

The following example shows the default logging configuration for the IntraGuard firewall.

    [ Dynamic Firewall Logging ]
    Rejects        = Info
    TCP_EST_Reject = Error
    Sessions       = Error
    TearDown       = Warning
    IP_Timeouts    = Warning
    TCP_Timeouts   = Alert
    TCP_Resets     = Notice
    ICMP_Resets    = Notice
    TCP_SYN        = Critical
    TCP_FIN        = Critical
    Redirects      = Critical
    General        = Critical

If the following global logging settings were in place, then the only firewall messages which would not appear in the log would be Rejects (which are set to Info, one level below Notice).

    [ Logging ]
    Enabled = On
    Level   = Notice

See Also

[ Dynamic Firewall Globals ], [ Dynamic Firewall Path <Name> ], [ Logging ], firewall(show)

[ Dynamic Firewall Path <Name> ]

This section sets parameters for paths on an IntraGuard Firewall. Paths define a route for packets through the firewall. Each path has two endpoints: inside interfaces and outside interfaces. Typically, the inside interfaces are secure while the outside interfaces are less secure. These paths are directional, meaning packets travel out along the path from the inside interface to the outside interface and in along the path from the outside interface to the inside interface. There are three pre-set paths in the IntraGuard firewall.
Each of the three paths already has a name, a security policy and interface definitions. The default settings of each pre-set path are shown below.

    [ Dynamic Firewall Path "Green-Red" ]
    SecurityPolicy    = Standard
    InsideInterfaces  = "Ether 0"
    InsideInterfaces  = "Bridge"
    OutsideInterfaces = "Ether 2"

    [ Dynamic Firewall Path "Yellow-Red" ]
    SecurityPolicy    = Standard
    InsideInterfaces  = "Ether 1"
    OutsideInterfaces = "Ether 2"

    [ Dynamic Firewall Path "Green-Yellow" ]
    SecurityPolicy    = Lenient
    InsideInterfaces  = "Ether 0"
    InsideInterfaces  = "Bridge"
    OutsideInterfaces = "Ether 1"

The Name portion of the section name can be changed to anything between one and 126 alphanumeric characters. The keywords for this section are described below.

INTERFACE ASSIGNMENTS

InsideInterfaces = Port identifier string

The InsideInterfaces keyword sets the specified interface to serve as the inside end of the path. This is typically the secure side of the path. This keyword may appear multiple times within this section in order to specify multiple interfaces.

OutsideInterfaces = Port identifier string

The OutsideInterfaces keyword sets the specified interface to serve as the outside end of the path. This is typically the insecure side of the path. This keyword may appear multiple times within this section in order to specify multiple interfaces.

SECURITY POLICY

SecurityPolicy = [ Blocked | Strict | Standard | Lenient | Open ]

The SecurityPolicy keyword sets the general security policy for the path. Each security policy has an associated list of protocol-specific pushbutton settings that determine how the interfaces along the path will handle each protocol’s packets. Each security policy can be used as-is, or can be used as the basis for a customized policy by using the pushbutton settings.

Blocked is the most secure policy, which does not allow packets in or out along the path.
It is the equivalent of physically separating the internal and external networks. The Blocked policy can be used to create a very restrictive policy set using the additional configuration options.

Strict is a restrictive policy set. A small set of outgoing client sessions are permitted through the firewall and all incoming server sessions are excluded.

Standard is the default policy set. Almost all outgoing client sessions are permitted and almost all incoming server sessions are excluded. The only exceptions to those rules are that the BGP and X Windows protocols are excluded from going in or out of the firewall.

Lenient is a less secure policy. All outgoing client sessions are permitted and some incoming server sessions are permitted.

Open is an insecure policy set. Everything is permitted through the firewall, thereby turning the firewall into a transparent bridge.

The SecurityPolicy keyword controls a list of pushbutton protocol settings for the path. These settings specify how a protocol will be handled on the path. These keywords can be changed individually to create a customized security policy. The chart below shows the protocol-specific setting each security policy applies to every pushbutton.

PROTOCOL PUSHBUTTONS

    PUSHBUTTON      PROTOCOL TYPE   PORTS USED        Blkd   Strict   Std.   Len.   Open
    BGPUse          TCP             179               None   None     None   Both   Both
    BSDUse          TCP             512, 513, 514     None   None     Out    Out    Both
    CompatiViewUse  UDP             33020             None   Out      Out    Both   Both
    DNSUse          TCP, UDP        53                None   Out      Out    Both   Both
    FTPUse          TCP             21                None   Out      Out    Both   Both
    H323Use         TCP             1720              None   None     Out    Out    Both
    ICMPUse         ICMP            1                 None   None     Out    Out    Both
    IPSecUse        ICMP            50, 51            None   Out      Out    Both   Both
    IRCUse          TCP             6667              None   None     Out    Out    Both
    LPRUse          TCP             515               None   None     Out    Out    Both
    MailUse         TCP             25                None   Out      Out    Both   Both
    NFSUse          UDP             635, 340, 2049    None   None     Out    Out    Both
    NetBIOSUse      TCP, UDP        137, 138          None   None     Out    Out    Both
    NewsUse         TCP             119               None   None     Out    Out    Both
    NonIPUse        TCP, UDP        undefined         None   None     Out    Out    Both
    OSPFUse         ICMP            89                None   None     Out    Out    Both
    POPUse          TCP             109, 110          None   None     Out    Out    Both
    RIPUse          UDP             520               None   None     Out    Out    Both
    RealAudioUse    TCP             7070              None   None     Out    Out    Both
    SunRPCUse       TCP, UDP        111               None   None     Out    Out    Both
    TelnetUse       TCP             23                None   Out      Out    Out    Both
    TFTPUse         UDP             69                None   Out      Out    Out    Both
    TunnelUse       ICMP            47                None   None     Out    Out    Both
    WebUse          TCP             80, 8000, 8080    None   Out      Out    Both   Both
    XWinUse         TCP             6000, 6010        None   None     None   In     Both
    ISAKMPUse       UDP             500               None   Out      Out    Both   Both
    GopherUse       TCP             70                None   Out      Out    Out    Both
    NTPUse          UDP             123               None   None     Out    Both   Both
    OtherTCPUse     TCP             undefined         None   None     Out    Out    Both
    OtherUDPUse     UDP             undefined         None   None     Out    Both   Both
    OtherUse        undefined       undefined         None   None     Out    Both   Both

In indicates that a protocol will be allowed through to the inside interface(s) of a path. Out indicates that a protocol will be allowed through to the outside interface(s) of a path. None indicates that a protocol will be allowed neither in nor out. Both indicates that a protocol will be allowed both in and out.

Changing the SecurityPolicy keyword for a path automatically changes the pre-set protocol pushbuttons to reflect the new security policy. However, any protocol pushbutton which has been changed individually will maintain its setting rather than change to reflect a new policy (e.g., changing the WebUse keyword to Both means it will keep that setting no matter what the security policy).

PUSHBUTTON OPTIONS

BGPUse = [ None | In | Out | Both ]

The BGPUse keyword defines how BGP (Border Gateway Protocol) packets will be handled on the path. BGP is the routing protocol between Internet backbone routers.

BSDUse = [ None | In | Out | Both ]

The BSDUse keyword defines how BSD packets will be handled on the path. BSD is the UC Berkeley remote execution and terminal session protocol. RSH, RCP, RLogin, and RExec are the protocols supported.
CompatiViewUse = [ None | In | Out | Both ]

The CompatiViewUse keyword defines how CompatiView packets will be handled on the path. CompatiView is Compatible Systems’ GUI manager. This option also defines handling for earlier versions of STAMP, Compatible Systems’ tunnel authentication protocol.

DNSUse = [ None | In | Out | Both ]

The DNSUse keyword defines how DNS (Domain Name Service) packets will be handled on the path. DNS is the protocol which translates IP addresses into hostnames and hostnames into IP addresses.

FTPUse = [ None | In | Out | Both ]

The FTPUse keyword defines how FTP (File Transfer Protocol) packets will be handled on the path. Dynamic sessions are created for file transfers using the PASV and PORT commands.

H323Use = [ None | In | Out | Both ]

The H323Use keyword defines how H323 packets will be handled on the path. H323 is a video and audio conferencing protocol.

IPSecUse = [ None | In | Out | Both ]

The IPSecUse keyword defines how IPSec (Internet Protocol Security) packets will be handled on the path. Both encrypted (ESP) and authenticated (AH) packets are supported.

IRCUse = [ None | In | Out | Both ]

The IRCUse keyword defines how IRC (Internet Relay Chat Protocol) packets will be handled on the path.

LPRUse = [ None | In | Out | Both ]

The LPRUse keyword defines how LPR packets will be handled on the path. LPR is a network printing protocol.

MailUse = [ None | In | Out | Both ]

The MailUse keyword defines how SMTP (Simple Mail Transfer Protocol) packets will be handled on the path. This protocol is used to send mail between servers.

NFSUse = [ None | In | Out | Both ]

The NFSUse keyword defines how NFS (Network File Sharing Protocol) packets will be handled on the path. To permit NFS In, it may be necessary to set SunRPCUse to In as well.

NetBIOSUse = [ None | In | Out | Both ]

The NetBIOSUse keyword defines how NetBIOS packets will be handled on the path.
NetBIOS is Microsoft’s file sharing protocol.

NewsUse = [ None | In | Out | Both ]

The NewsUse keyword defines how NNTP (Network News Transfer Protocol) packets will be handled on the path.

NonIPUse = [ None | In | Out | Both ]

The NonIPUse keyword defines how non-IP packets will be handled on the path. This would include other protocols such as AppleTalk and IPX.

OSPFUse = [ None | In | Out | Both ]

The OSPFUse keyword defines how OSPF (Open Shortest Path First) packets will be handled on the path. OSPF is a link state routing protocol.

POPUse = [ None | In | Out | Both ]

The POPUse keyword defines how POP packets will be handled on the path. POP is a mail client protocol. This protocol allows users to receive mail.

RIPUse = [ None | In | Out | Both ]

The RIPUse keyword defines how RIP (Routing Information Protocol) packets will be handled on the path.

RealAudioUse = [ None | In | Out | Both ]

The RealAudioUse keyword defines how Internet Real Audio Protocol packets will be handled on the path. Real Audio is an audio and video conferencing protocol.

SunRPCUse = [ None | In | Out | Both ]

The SunRPCUse keyword defines how SunRPC (Sun’s Remote Procedure Call Protocol) packets will be handled on the path. The SunRPC Protocol is used by NFS and other UNIX utilities to get the server’s port address.

TelnetUse = [ None | In | Out | Both ]

The TelnetUse keyword defines how Telnet packets will be handled on the path. Telnet is a virtual terminal protocol.

TFTPUse = [ None | In | Out | Both ]

The TFTPUse keyword defines how TFTP (Trivial File Transfer Protocol) packets will be handled on the path.

TunnelUse = [ None | In | Out | Both ]

The TunnelUse keyword defines how GRE (General Router Encapsulation) packets will be handled on the path. GRE packets are IP-encapsulated tunneled packets. This option does not work with non-STEP tunnels (e.g., STAMP tunnels), which are enabled using the CompatiViewUse keyword.
WebUse = [ None | In | Out | Both ]

The WebUse keyword defines how HTTP (Hypertext Transfer Protocol) packets will be handled on the path. HTTP is the World Wide Web protocol. This option affects only HTTP packets; Telnet and FTP must be enabled individually to allow users to reach FTP sites or Telnet via the web. See the TelnetUse and FTPUse keywords.

XWinUse = [ None | In | Out | Both ]

The XWinUse keyword defines how X Windows packets will be handled on the path. X Windows is the UNIX GUI.

GopherUse = [ None | In | Out | Both ]

The GopherUse keyword defines how Gopher packets will be handled on the path. Gopher is a file transfer and browsing protocol.

ISAKMPUse = [ None | In | Out | Both ]

The ISAKMPUse keyword defines how ISAKMP (Internet Security Association Key Management Protocol) packets will be handled on the path. ISAKMP is the VPN (Virtual Private Network) key management protocol used by Compatible’s VPN products.

NTPUse = [ None | In | Out | Both ]

The NTPUse keyword defines how NTP (Network Time Protocol) packets will be handled on the path.

OtherTCPUse = [ None | In | Out | Both ]

The OtherTCPUse keyword defines how all other TCP-based protocols will be handled on the path.

OtherUDPUse = [ None | In | Out | Both ]

The OtherUDPUse keyword defines how all other UDP-based protocols will be handled on the path.

OtherUse = [ None | In | Out | Both ]

The OtherUse keyword defines how IP packets which are not included in the other pushbutton options will be handled on the path.

ALLOW PORTS/PROTOCOLS

These options allow you to specify any port or protocol which isn’t already a pushbutton option. All pushbutton settings take precedence over the Allow Ports/Protocols options. For example, if the OtherTCPUse pushbutton option is set to In, then it would be unnecessary to specify any particular TCP port using the TCPInPort option below.
TCPInPort = Port number

The TCPInPort keyword specifies that a TCP port number will be allowed in along the path. This applies only to TCP ports not listed in the pushbutton options. The Port may be specified as a decimal number between 0 and 65,535. This keyword may appear multiple times within the configuration to specify more than one port. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

TCPOutPort = Port number

The TCPOutPort keyword specifies that a TCP port number will be allowed out along the path. This applies only to TCP ports not listed in the pushbutton options. The Port may be specified as a decimal number between 0 and 65,535. This keyword may appear multiple times within the configuration to specify more than one port. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

UDPInPort = Port number

The UDPInPort keyword specifies that a UDP port number will be allowed in along the path. This applies only to UDP ports not listed in the pushbutton options. The Port may be specified as a decimal number between 0 and 65,535. This keyword may appear multiple times within the configuration to specify more than one port. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

UDPOutPort = Port number

The UDPOutPort keyword specifies that a UDP port number will be allowed out along the path. This applies only to UDP ports not listed in the pushbutton options. The Port may be specified as a decimal number between 0 and 65,535. This keyword may appear multiple times within the configuration to specify more than one port. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

IPInProto = Protocol number

The IPInProto keyword specifies that an IP protocol number will be allowed in along the path.
The Protocol may be specified as a decimal number or as a keyword. This keyword may appear multiple times within the configuration to specify more than one protocol. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

IPOutProto = Protocol number

The IPOutProto keyword specifies that an IP protocol will be allowed out along the path. The Protocol may be specified as a decimal number or as a keyword. This keyword may appear multiple times within the configuration to specify more than one protocol. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

IP PACKET FILTERS

There are two types of static IP packet filters which can be used on the firewall. These filters are applied after the pushbutton settings and the Allow Ports/Protocols options. Remember that when applying static IP filter sets, the final rule should always be:

permit 0.0.0.0 0.0.0.0 ip

OrFilterOut = String

The OrFilterOut keyword allows a named set of IP packet filtering rules to be associated with the outside interface(s) of the path. OrFilterOut allows the device to accomplish packet filtering on packets that will be forwarded out this interface. "Or" filters are typically used to permit certain packets. These filters are checked only for those protocols or ports which have been denied by a pushbutton or Allow Ports/Protocols setting. For example, if TelnetUse has been set to None, then an "Or" filter can be used to permit Telnet sessions from a particular site which you trust. Any packet not explicitly allowed by the rule set is dropped. Up to four filters may be listed in the value for this keyword, but only one keyword may exist in this section. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.
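The evaluation order this section describes (pushbutton first, then the Allow Ports/Protocols keywords, then "Or" filters for traffic that is still denied and "And" filters for traffic that is permitted, and finally the PermitEstTCP and TCP-reset keywords listed under OTHER PATH SETTINGS) modelled in Python as an added example; this is not the product's code, the rule syntax of [ IP Filter <Name> ] is simplified to (action, source network, protocol) tuples, and the path configuration at the end is constructed.

```python
"""Evaluation order of one [ Dynamic Firewall Path <Name> ], modelled in Python.

Added example, not code from the manual or the product. Stages follow the
text: pushbutton -> Allow Ports/Protocols -> "Or" filters (re-admit denied
traffic) -> "And" filters (deny permitted traffic) -> PermitEstTCP for TCP
without a SYN the firewall saw. The [ IP Filter <Name> ] rule syntax is
simplified to (action, source network, protocol) tuples: an assumption.
"""
import ipaddress

# Services with their own pushbutton keyword (constructed subset of the *Use list).
PUSHBUTTON_PORTS = {("tcp", 23): "TelnetUse", ("tcp", 21): "FTPUse",
                    ("tcp", 80): "WebUse", ("udp", 123): "NTPUse"}


def pushbutton_for(proto, port):
    """Pushbutton keyword governing this protocol/port; Other* catches the rest."""
    if (proto, port) in PUSHBUTTON_PORTS:
        return PUSHBUTTON_PORTS[(proto, port)]
    return {"tcp": "OtherTCPUse", "udp": "OtherUDPUse"}.get(proto, "OtherUse")


def pushbutton_allows(setting, direction):
    """None | In | Out | Both, compared against the packet direction."""
    return setting == "Both" or setting == {"in": "In", "out": "Out"}[direction]


def allow_list_permits(cfg, pkt):
    """TCPInPort/TCPOutPort/UDP*Port/IP*Proto; these apply only to ports and
    protocols that have no pushbutton of their own."""
    d = "In" if pkt["direction"] == "in" else "Out"
    if pkt["proto"] == "tcp":
        return pkt["port"] in cfg.get(f"TCP{d}Port", set())
    if pkt["proto"] == "udp":
        return pkt["port"] in cfg.get(f"UDP{d}Port", set())
    return pkt["proto"] in cfg.get(f"IP{d}Proto", set())


def filter_verdict(rules, pkt):
    """First matching rule decides; no match means not allowed (the manual:
    any packet not explicitly allowed is dropped). None = no filter set."""
    if not rules:
        return None
    src = ipaddress.ip_address(pkt["src"])
    for action, network, proto in rules:
        if src in ipaddress.ip_network(network) and proto in (pkt["proto"], "ip"):
            return action == "permit"
    return False


def evaluate(cfg, pkt):
    """Return ("permit" | "drop", deciding stage) for one packet on the path."""
    d = pkt["direction"]
    side = "In" if d == "in" else "Out"
    button = pushbutton_for(pkt["proto"], pkt.get("port"))
    permitted, stage = pushbutton_allows(cfg.get(button, "None"), d), button
    if not permitted and button.startswith("Other") and allow_list_permits(cfg, pkt):
        permitted, stage = True, "Allow Ports/Protocols"
    if not permitted:
        # "Or" filters are checked only for denied traffic and can only permit.
        if filter_verdict(cfg.get(f"OrFilter{side}"), pkt):
            permitted, stage = True, f"OrFilter{side}"
    elif filter_verdict(cfg.get(f"AndFilter{side}"), pkt) is False:
        # "And" filters are checked only for permitted traffic and can only deny.
        permitted, stage = False, f"AndFilter{side}"
    if (permitted and pkt["proto"] == "tcp" and not pkt.get("syn")
            and not pkt.get("established") and cfg.get("PermitEstTCP", "Off") != "On"):
        return "drop", "PermitEstTCP"   # session whose SYN the firewall never saw
    return ("permit" if permitted else "drop"), stage


def rejection_response(cfg, pkt):
    """What the device sends back for a rejected packet (SendTCPReset,
    SynRejectOnly, SendICMPReset)."""
    if pkt["proto"] == "tcp":
        syn_ok = cfg.get("SynRejectOnly", "On") == "Off" or pkt.get("syn")
        if cfg.get("SendTCPReset", "Off") == "On" and syn_ok:
            return "tcp-reset"
        return "none"
    return "icmp" if cfg.get("SendICMPReset", "Off") == "On" else "none"


# Constructed path: Telnet shut off by pushbutton but re-admitted from one
# trusted site by an "Or" filter (the manual's example), plus the manual's
# UDPInPort = 8565 and PermitEstTCP = On example; 192.0.2.0/24 is a test net.
TRUSTED_TELNET_PATH = {
    "TelnetUse": "None", "WebUse": "Out", "OtherTCPUse": "Out", "OtherUDPUse": "Out",
    "UDPInPort": {8565},
    "OrFilterIn": [("permit", "192.0.2.0/24", "tcp")],
    "PermitEstTCP": "On",
    "SendTCPReset": "On", "SynRejectOnly": "On", "SendICMPReset": "On",
}
```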
OrFilterIn = String

The OrFilterIn keyword allows a named set of IP packet filtering rules to be associated with the inside interface(s) of the path. OrFilterIn allows the device to accomplish packet filtering on packets that will be forwarded along this interface. "Or" filters are typically used to permit certain packets. These filters are checked only for those protocols or ports which have been denied by a pushbutton or Allow Ports/Protocols setting. For example, if TelnetUse has been set to None, then an "Or" filter can be used to permit Telnet sessions from a particular site which you trust. Any packet not explicitly allowed by the rule set is dropped. Up to four filters may be listed in the value for this keyword, but only one keyword may exist in this section. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

AndFilterOut = String

The AndFilterOut keyword allows a named set of IP packet filtering rules to be associated with the outside interface(s) of the path. AndFilterOut allows the device to accomplish packet filtering on packets that will be forwarded out this interface. "And" filters are typically used to deny certain packets, so they are checked only for those protocols or ports which have been permitted by a pushbutton, Allow Ports/Protocols setting or an "Or" filter. Any packet not explicitly allowed by the rule set is dropped. Up to four filters may be listed in the value for this keyword, but only one keyword may exist in this section. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

AndFilterIn = String

The AndFilterIn keyword allows a named set of IP packet filtering rules to be associated with the inside interface(s) of the path. AndFilterIn allows the device to accomplish packet filtering on packets that will be forwarded along this interface. "And" filters are typically used to deny certain packets, so they are checked only for those protocols or ports which have been permitted by a pushbutton, Allow Ports/Protocols setting or an "Or" filter. Any packet not explicitly allowed by the rule set is dropped. Up to four filters may be listed in the value for this keyword, but only one keyword may exist in this section. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

OTHER PATH SETTINGS

SendTCPReset = [ On | Off ]

The SendTCPReset keyword sets whether the device will send a TCP reset message to the client when a TCP session has been rejected. The default is Off.

SynRejectOnly = [ On | Off ]

The SynRejectOnly keyword sets whether the device will limit itself to sending TCP reset messages only when a TCP packet containing the SYN flag has been rejected. This can be useful when ICMP redirects are being sent, which could cause sessions to terminate prematurely. The default is On.

SendICMPReset = [ On | Off ]

The SendICMPReset keyword sets whether the device will send an ICMP message to the client when an IP or UDP packet has been rejected. The default is Off.

ICMPtoTCPsession = [ On | Off ]

The ICMPtoTCPsession keyword sets whether the device will send an ICMP message to the client when a TCP packet has been rejected. This is in addition to sending a TCP reset message, if it has been enabled using the SendTCPReset keyword. The default is Off.

PermitEstTCP = [ On | Off ]

The PermitEstTCP keyword sets whether the path will permit TCP sessions for which the IntraGuard did not see the SYN flag. The SYN flag is included in the header of the first couple of TCP packets and indicates that a session is being established. Setting PermitEstTCP to On allows established connections to continue after rebooting the device, but it is also a less secure option. The default is Off.
ResetRedirects = [ On | Off ]

The ResetRedirects keyword sets whether the device will terminate sessions on a firewall path where ICMP redirects have been sent. ICMP redirects are generated when a device cannot route a packet correctly on its own. The effect can be that three firewall paths will be created to route the packet correctly, two of which will not be needed after the first packet gets delivered. The default is Off.

MinIPFragLen = Number

The MinIPFragLen keyword sets the minimum acceptable length of IP packets. Raising the minimum packet length can be useful in preventing "frag" attacks, which can take advantage of the use of partial header information in fragmented packets. The IntraGuard protects against overlapping fragmentation attacks, even when the MinIPFragLen is set to the minimum value of 40. Values may range between 40 and 1,500. The default is 40.

RejectSRCRoute = [ On | Off ]

The RejectSRCRoute keyword sets whether the device will reject source-routed IP packets. The default is On.

Examples

The following examples show the default path settings for the IntraGuard firewall.
[ Dynamic Firewall Path "Yellow-Red" ]
SecurityPolicy = Standard
InsideInterfaces = "Ether 1"
OutsideInterfaces = "Ether 2"
BGPUse = Outside
BSDUse = Outside
CompatiViewUse = Outside
DNSUse = Both
FTPUse = Outside
H323Use = Outside
ICMPUse = Outside
IPSecUse = Outside
IRCUse = Outside
LPRUse = Outside
MailUse = Both
NFSUse = Outside
NetBIOSUse = Outside
NewsUse = Outside
NonIPUse = Outside
OSPFUse = Outside
OtherTCPUse = Outside
OtherUDPUse = Outside
POPUse = Outside
RIPUse = Outside
RealAudioUse = Outside
SunRPCUse = Outside
TelnetUse = Outside
TFTPUse = Outside
TunnelUse = Outside
WebUse = Both
XWinUse = None
ISAKMPUse = Both
GopherUse = Out
NTPUse = Both
OtherTCPUse = Out
OtherUDPUse = Out
OtherUse = Out
SendTCPReset = On
SynRejectOnly = On
SendICMPReset = On
ICMPtoTCPsession = Off
PermitEstTCP = Off
ResetRedirects = Off
MinIPFragLen = 40
RejectSRCRoute = On
AndFilterOut =
AndFilterIn =
OrFilterOut =
OrFilterIn =

[ Dynamic Firewall Path "Green-Red" ]
SecurityPolicy = Standard
InsideInterfaces = "Ether 0"
InsideInterfaces = "Bridge"
OutsideInterfaces = "Ether 2"
BGPUse = Outside
BSDUse = Outside
CompatiViewUse = Outside
DNSUse = Outside
FTPUse = Outside
H323Use = Outside
IPSecUse = Outside
IRCUse = Outside
LPRUse = Outside
MailUse = Outside
NFSUse = Outside
NetBIOSUse = Outside
NewsUse = Outside
NonIPUse = Outside
OSPFUse = Outside
OtherTCPUse = Outside
OtherUDPUse = Outside
POPUse = Outside
RIPUse = Outside
RealAudioUse = Outside
SunRPCUse = Outside
TelnetUse = Outside
TFTPUse = Outside
TunnelUse = Outside
WebUse = Outside
XWinUse = None
ISAKMPUse = Out
GopherUse = Out
NTPUse = Both
OtherTCPUse = Out
OtherUDPUse = Out
OtherUse = Out
SendTCPReset = On
SynRejectOnly = On
SendICMPReset = On
ICMPtoTCPsession = Off
PermitEstTCP = Off
ResetRedirects = Off
MinIPFragLen = 40
RejectSRCRoute = On
AndFilterOut =
AndFilterIn =
OrFilterOut =
OrFilterIn =

[ Dynamic Firewall Path "Green-Yellow" ]
SecurityPolicy = Lenient
InsideInterfaces = "Ether 0"
InsideInterfaces = "Bridge"
OutsideInterfaces = "Ether 1"
BGPUse = Outside
BSDUse = Outside
CompatiViewUse = Both
DNSUse = Both
FTPUse = Both
H323Use = Outside
ICMPUse = Outside
IPSecUse = Both
IRCUse = Outside
LPRUse = Outside
MailUse = Both
NFSUse = Outside
NetBIOSUse = Outside
NewsUse = Outside
NonIPUse = Outside
OSPFUse = Outside
OtherTCPUse = Outside
OtherUDPUse = Outside
POPUse = Outside
RIPUse = Outside
RealAudioUse = Outside
SunRPCUse = Outside
TelnetUse = Outside
TFTPUse = Outside
TunnelUse = Outside
WebUse = Both
XWinUse = Inside
ISAKMPUse = Out
GopherUse = Out
NTPUse = Out
OtherTCPUse = Out
OtherUDPUse = Both
OtherUse = Both
SendTCPReset = On
SynRejectOnly = On
SendICMPReset = On
ICMPtoTCPsession = Off
PermitEstTCP = Off
ResetRedirects = Off
MinIPFragLen = 40
RejectSRCRoute = On
AndFilterOut =
AndFilterIn =
OrFilterOut =
OrFilterIn =

In the following example, an application which uses UDP port 8565 is allowed in and TCP sessions for which the firewall has not seen the SYN flag will be allowed.

[ Dynamic Firewall Path "Green-Red" ]
UDPInPort = 8565
PermitEstTCP = On

See Also

[ Dynamic Firewall Globals ], [ Dynamic Firewall Logging ], [ IP Filter <Name> ], firewall(show)

[ Ethernet Interface <Section ID> ]

This section configures the serial characteristics of the device’s 10/100BaseT Ethernet interface(s). This section does not apply to standard 10 Mbps Ethernet interfaces. Keywords recognized in this section are described below.

Speed = [ 10meg | 100meg | Auto ]

The Speed keyword provides a way to manually set the speed at which the interface will operate. Normally, the 10/100BaseT interface will autonegotiate the speed with the Ethernet hub or switch. If the autonegotiation is unsuccessful, this keyword can be used to force the setting. The default is Auto.
Duplex = [ Full | Half | Auto ]

The Duplex keyword provides a way to manually configure whether the interface will operate in full duplex or half duplex mode. Normally, the 10/100BaseT interface will autonegotiate with the Ethernet hub or switch. If the autonegotiation is unsuccessful, this keyword can be used to force the setting. In Full duplex mode, the interface can successfully transmit data at the same time the switch is transmitting data, which effectively doubles the possible transmission speed. Full duplex requires the use of Category 5 cable and an Ethernet switch which supports full duplex. In Half duplex mode, data can only be transmitted in one direction (by the interface or by the hub) at a given time. The default is Auto.

Examples

In the following example, the Ethernet interface will be forced to 100 Mbps and half duplex mode.

[ Ethernet Interface Ethernet 0 ]
Speed = 100meg
Duplex = Half

See Also

ethernet(show)

[ Frame Relay <Section ID> ]

This section is used to configure Frame Relay parameters for either the interface specified or for multiple interfaces using the default sections as explained in Appendix A. The keywords in this section are described below.

MaintProtocol = [ AnnexD | AnnexA | LMI | Static ]

The MaintProtocol keyword allows you to specify which Frame Relay maintenance protocol is used on the WAN interface. The maintenance protocol is used to send link status and virtual circuit information between Frame Relay switches and other devices (such as routers) that communicate with them.

AnnexD is an ANSI standard and is the most commonly used standard in the United States. AnnexD is the default maintenance protocol.

AnnexA is a CCITT European standard.

LMI was developed by a vendor consortium and is also known as the "consortium" management interface specification. It is still used by some carriers in the United States.
Static is a method for using WAN broadcast media (e.g., satellite ground stations) to emulate a Frame Relay network. Do not use this setting for normal Frame Relay switch communications.

PollingFrequency = Number

The PollingFrequency keyword specifies the interval at which the router polls the Frame Relay switch using the maintenance protocol you have selected. The router is required to periodically poll the Frame Relay switch at the remote end of the communications link in order to determine whether the link is active. If any three out of four polls go unanswered by the switch, the router will assume the Frame Relay link is down. Every sixth poll, the router requests a full status packet from the switch in order to update its table of active permanent virtual circuits. The interval is specified in seconds and must be between 5 and 30. The default is 10.

MTU = Number

The keyword MTU allows the MTU (Maximum Transfer Unit) to be configured for the Frame Relay connection. The MTU value must be between 262 and 1700 bytes (except for the MicroRouter 900i and MicroRouter 1000R; the MTU value for these units must be between 262 and 1500 bytes). The default is 1500.

HomeDLCI = Number

The HomeDLCI keyword allows the specification of a DLCI (Data Link Connection Identifier) number for the link when the maintenance protocol is Static. The number is the DLCI value for the router being configured. Each router attached to the emulated network must have a unique DLCI.

DLCI = String

The keyword DLCI specifies how a network protocol address is mapped to a DLCI on the Frame Relay PVC (Permanent Virtual Circuit). Based on information exchanged between the router and the Frame Relay switch through the maintenance protocol, the router will know the hardware address (the DLCI in this case) but not the protocol address of the remote end of a new PVC.
For the PVC to be usable, the router must map the protocol address to the DLCI address either statically or dynamically. The default mapping for all protocols is IARP (Inverse ARP), which allows dynamic mapping and is more flexible and easier to configure than static mapping.

IARP, as documented in RFC 1293, functions much like ARP in that when a PVC is first signalled, the Frame Relay station sends out an address request packet. IARP differs from ARP in that the request is for the protocol address rather than the hardware address and is targeted rather than broadcast. When the far end of the PVC receives the request, it replies with the targeted protocol address and the PVC is usable.

If a station with multiple protocol addresses assigned to a single interface receives an IARP request, it replies with the host address. This address must be within the requesting station’s subnet. If the two stations aren’t on the same subnet, the receiving station won’t respond and the PVC will remain unusable.

DLCI also allows you to create static mappings for the different protocols by specifying the protocol address. The string has the following format:

<DLCI Number> IP=[<IPAddr>|IARP] Apple=[<Net:Node>|IARP] IPX=[<Net:Node>|IARP] DECnet=[<Area.Node>|IARP]

DLCI Number is the decimal address (16-991) which uniquely identifies this end of a PVC. A DLCI number will be provided to you by your Frame Relay carrier for each end of each PVC.

The protocols' keywords are used to specify which protocols are being mapped. Possible values are: IP, IPX, Apple or DECnet.

When static addressing is used, the protocol addresses for the different protocols have the following formats:

The IPAddr is the IP address at the remote end of the PVC. It should be a dotted decimal IP address (i.e., 10.1.1.1). If the interface is subnetted, both ends of the PVC must be mapped within the same IP subnet.
Static mapping must be used with an IP subinterface (i.e., virtual ports) implementation, because IARP can only resolve a physical port, not a logical subinterface on that port.

The Apple arguments Net:Node are a combination of the AppleTalk net and node numbers of the router’s WAN interface at the remote end of the PVC (i.e., 33333:2). Net is a decimal AppleTalk net number in the range 1-65279. Node is a decimal AppleTalk node number in the range 1-253.

The IPX arguments Net:Node are the IPX net and node numbers of the router’s WAN interface at the remote end of the PVC (i.e., FACE0FF:0.0.A5.0.0.1). Net is a hex IPX net number in the range 1-FFFFFFFE. The Node number is an IPX node number specified as a 6-byte hex number separated by dots (.) and represents an Ethernet address.

Note: The IPX node address at the remote end is generally a "borrowed" Ethernet address from one of the remote router’s Ethernet interfaces. There is no addressing conflict because the actual Ethernet interface is on a network with a different IPX network number.

The DECnet arguments Area.Node are the DECnet area and node numbers of the router at the remote end of the PVC (i.e. 1.2). The Area is a DECnet area in the range 1-63. The Node number is a DECnet node number in the range 1-1023. The DECnet Area.Node pair is traditionally separated by a dot rather than a colon.

The DLCI keyword is valid for port-specific Section ID sections only. It cannot be specified in a default section.

Compress = [ FRF.9_STAC | Off ]

The Compress keyword specifies whether Stac LZS compression will be used. LZS compression uses an algorithm to build a history of frequently repeated groups of 8-bit characters and creates shorter bit patterns to represent them. Compatible Systems’ current implementation of LZS does not support more than one history. It uses a sequence number and LCB (Longitudinal Check Byte) for error detection.
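The DLCI mapping string defined above, parsed and range-checked in Python as an added example (not code from the manual or the product); the function names are my own, and the ranges enforced are the ones the text gives for DLCI Number, Apple Net:Node, IPX Net:Node and DECnet Area.Node, with unnamed protocols defaulting to IARP.

```python
"""Parser and range checker for the Frame Relay DLCI mapping string.

Added example, not code from the manual or the product. Implements the format
  <DLCI Number> IP=[<IPAddr>|IARP] Apple=[<Net:Node>|IARP]
                IPX=[<Net:Node>|IARP] DECnet=[<Area.Node>|IARP]
Protocols not named in the string default to IARP, as the manual states.
"""
import ipaddress
import re

PROTOCOLS = ("IP", "Apple", "IPX", "DECnet")


def _in_range(value, lo, hi, what):
    if not lo <= value <= hi:
        raise ValueError(f"{what} {value} outside {lo}-{hi}")
    return value


def _parse_address(proto, text):
    """Validate one protocol address using the ranges the manual gives."""
    if text == "IARP":
        return "IARP"
    if proto == "IP":
        return str(ipaddress.IPv4Address(text))      # dotted decimal, e.g. 10.1.1.1
    if proto == "Apple":
        net, node = text.split(":")                  # decimal net:node
        return (_in_range(int(net), 1, 65279, "AppleTalk net"),
                _in_range(int(node), 1, 253, "AppleTalk node"))
    if proto == "IPX":
        net, node = text.split(":")                  # hex net : six dotted hex bytes
        net_num = _in_range(int(net, 16), 1, 0xFFFFFFFE, "IPX net")
        octets = node.split(".")
        if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", o) for o in octets):
            raise ValueError(f"IPX node {node!r} must be six dotted hex bytes")
        return (net_num, bytes(int(o, 16) for o in octets))
    if proto == "DECnet":
        area, node = text.split(".")                 # decimal area.node
        return (_in_range(int(area), 1, 63, "DECnet area"),
                _in_range(int(node), 1, 1023, "DECnet node"))
    raise ValueError(f"unknown protocol keyword {proto!r}")


def parse_dlci(line):
    """Parse 'DLCI=<number> PROTO=<addr> ...' into {'dlci': n, 'IP': ..., ...}."""
    m = re.fullmatch(r"\s*DLCI\s*=\s*(\d+)\s*(.*?)\s*", line)
    if not m:
        raise ValueError(f"not a DLCI keyword line: {line!r}")
    result = {"dlci": _in_range(int(m.group(1)), 16, 991, "DLCI")}
    result.update({p: "IARP" for p in PROTOCOLS})    # default mapping is IARP
    for token in m.group(2).split():
        proto, sep, addr = token.partition("=")
        if not sep or proto not in PROTOCOLS:
            raise ValueError(f"bad mapping token {token!r}")
        result[proto] = _parse_address(proto, addr)
    return result


def is_valid_dlci(line):
    """True when the line parses and every value is within the documented ranges."""
    try:
        parse_dlci(line)
        return True
    except ValueError:
        return False


def unresolvable_on_subinterface(parsed):
    """Protocols still on IARP: on an IP subinterface (virtual port) these never
    resolve, because IARP works on a physical port only, so they need static maps."""
    return [p for p in PROTOCOLS if parsed[p] == "IARP"]
```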
By choosing the Off option, compression is disabled. The default is Off.

PollingFrequency = Number

The PollingFrequency keyword specifies the interval at which the router polls the Frame Relay switch using the maintenance protocol you have selected. The router is required to periodically poll the Frame Relay switch at the remote end of the communications link in order to determine whether the link is active. If any three out of four polls go unanswered by the switch, the router will assume the Frame Relay link is down. Every sixth poll, the router requests a full status packet from the switch in order to update its table of active permanent virtual circuits. The interval is specified in seconds and must be between 5 and 30. The default is 10.

Examples

Set DLCI 16 to Inverse ARP IP on the link.

DLCI=16 IP=IARP

Set DLCI 16 to Inverse ARP all protocols recognized on the link.

DLCI=16 IP=IARP IPX=IARP Apple=IARP DECnet=IARP

Set DLCI 16 to map the protocols to the addresses shown.

DLCI=16 IP=10.1.1.1 IPX=DEAF:0.0.A5.0.0.1 Apple=10:1 DECnet=1.2

See Also

[ Link Config <Section ID> ], [ IP <Section ID> ], frelay(show), Appendix A

[ General ]

This section is used to modify global device parameters such as the device name, password, route filters, and other informational data. Keywords recognized in this section are described below.

DeviceName = String

The DeviceName keyword sets the system name. The maximum name length is 32 characters.

Password = String

The Password keyword is used to set the device password. The password is required for logging into the device using a console or as a telnet client. This login level will allow a user to display tables and statistics, but does not permit a user to view or make any changes to the configuration. The password is stored as clear text and may have a maximum length of 8 characters.
EnablePassword = String

The EnablePassword keyword is used to set the password which enables supervisor mode. The password is required for viewing or making changes to the device’s configuration. If no EnablePassword is created, then the Password will be used. The password is stored as clear text and may have a maximum length of 8 characters.

RadiusLogin = [ On | Off ]

The RadiusLogin keyword allows telnet and console logins to be authenticated with a RADIUS server. If RadiusLogin is On, the device will not perform internal password authentication using the Password or the EnablePassword. Only RADIUS authentication will be done, so communication with a RADIUS server must be set up using the [ Radius ] section. The RadiusShowName and RadiusEnableName keywords must also be set and the RADIUS server must have two password and name pairs configured so that the two different levels of access can be provided. The default is Off.

RadiusShowName = String

The RadiusShowName keyword sets the user name which will be sent to a RADIUS server for authentication. If this name and the entered password are validated, then the user will be able to display statistics and tables, but will not be able to view or make changes to the configuration. The string may be between 1 and 16 characters.

RadiusEnableName = String

The RadiusEnableName keyword sets the user name which will be sent to a RADIUS server for authentication. If this name and the entered password are validated, then the user will be able to view and make changes to the configuration. The string may be between 1 and 16 characters.

TelnetFilter = String

The TelnetFilter keyword allows a named set of IP packet filtering rules to be applied to all Telnet packets which come into the device. This can be used to block unauthorized Telnet access to the device. Any packet not explicitly allowed by the rule set is dropped silently.
Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then no filtering takes place. This feature can be used to turn off a filter set (or sets) without deleting the keyword. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

ANSPCompatible = [ On | Off ]

The ANSPCompatible keyword allows the device to be configured for networks where earlier versions of Compatible Systems' Macintosh-based security "INIT" (called ENS in those versions) are still in use. With compatibility On, both ANSP and ENS Macintosh "CDEVs" will operate correctly on the network. Slightly more network traffic will be generated during network name lookups using this option.

AppleTalkPhase2Timeout = Number

The AppleTalkPhase2Timeout keyword is used to set the timeout for the AARP (Apple Address Resolution Protocol) address claim probes made at device startup time. The value specified will be added to the standard 2 seconds. This may be necessary on AppleTalk networks which include WAN bridges. On these networks, it may take longer than 2 seconds for a node on the far side of a WAN bridge connection (logically still on the same AppleTalk internet) to respond to an AARP address claim made by the device, therefore leaving an opportunity for a duplicate address to be used by the device.

IPBlockSourceRouting = [ On | Off ]

The IPBlockSourceRouting keyword is used to block source-routed IP packets through the device.

IPLogSourceRouting = [ On | Off ]

The IPLogSourceRouting keyword is used to log source-routed packets that have been blocked. This keyword is only valid if the IPBlockSourceRouting keyword has been enabled.

IPRouteFilters = String

The IPRouteFilters keyword is used to set the IP Route filter list. More than one filter may be listed in the value for this keyword, but only one keyword may exist in the configuration.
IP route filtering rules are specified in the [ IP Route Filter <Name> ] section.

IPXRouteFilters = String

The IPXRouteFilters keyword is used to set the IPX Route filter list. More than one filter may be listed in the value for this keyword, but only one keyword may exist in the configuration. IPX route filtering rules are specified in the [ IPX Route Filter <Name> ] section.

IPXSAPFilters = String

The IPXSAPFilters keyword is used to set the IPX SAP filter list. More than one filter may be listed in the value for this keyword, but only one keyword may exist in the configuration. IPX SAP filtering rules are specified in the [ IPX SAP Filter <Name> ] section.

RIPv2Password = String

The RIPv2Password keyword sets the password used to authenticate IP routing information sent and received by RIP version 2. The string may be between 1 and 16 characters.

ConfiguredOn = String

The ConfiguredOn keyword is set by the device to the current time when a configuration is saved. If no time server is configured, the device will set the string to "Time server not configured." (See the [ Time Server ] section.)

ConfiguredFrom = String

The ConfiguredFrom keyword is set by the device when a configuration is saved.

ConfigFile = String

The ConfigFile keyword is set by the management software and exists for informational purposes only. It can be used to help track the source (e.g., a file name) of a configuration.

DeviceType = String

The DeviceType keyword is set by the device when a configuration is saved. It is needed by CompatiView to determine what type of device a configuration is for.

IPSecGateway = IP Address

The IPSecGateway keyword specifies the IP address that will be used as the gateway to the Internet for IPSec traffic. This keyword may only be used on multi-Ethernet VPN Access Servers (e.g., the IntraPort 2/2+).
For those devices, this keyword is required only when the device is set to operate in parallel with your existing firewall as the IPSec component of your security system. There is no default value.

Examples

The following example shows a default General section.

[ General ]
DeviceType = MicroRouter 2220R
ConfiguredOn = 02/28/99 14:54:40
ConfiguredFrom = Command Line, from Console
DeviceName = "INI Old Router"
Password = letmein

The following example shows a device which has RADIUS authentication enabled.

[ General ]
DeviceType = MicroRouter 2220R
ConfiguredOn = 03/30/99 16:33:27
ConfiguredFrom = Command Line, from Console
DeviceName = "ROR 2220"
RadiusLogin = On
RadiusShowName = LRicardo
RadiusEnableName = Lucy

See Also

[ Radius ], [ IP Route Filter <Name> ], [ IPX Route Filter <Name> ], [ IPX SAP Filter <Name> ], version(show), [ Time Server ]

[ HSSI Interface <Section ID> ]

This section sets configuration parameters for the specified HSSI WAN interface. The HSSI interface has a data capacity of 44.736 Mbps (referred to as Data Speed 3 or DS3). Keywords recognized in this section are described below.

Clocking = [ Internal | External ]

The Clocking keyword configures whether the interface will use its own internal clock or obtain the clock from the DCE to use for the interface’s transmit signal towards the network. In Internal mode, an internal 33 Mb clock is used. Internal clocking should only be used when testing between two back-to-back HSSI ports connected via a NULL-modem cable. In External mode, the clock provided by the DCE (usually a CSU/DSU) is used. Always use external clocking when attached to a CSU/DSU. The default is External mode. Verify this setting with your ISP.

CRC = [ 16 bit | 32 bit ]

The CRC keyword configures whether the DSU will use a 16-bit or 32-bit frame check sequence.
Both ends of a DS3 connection must use the same CRC (Cyclical Redundancy Check) setting. The default is 16 bit.

Examples

[ HSSI Interface Wan 0 ]
Clocking = External
CRC = 16 bit

See Also

[ Link Config <Section ID> ], wan hssi(set), wan(show)

[ IKE Policy ]

This section is used to set certain Internet Security Association Key Management Protocol/Internet Key Exchange (ISAKMP/IKE) parameters for an IntraPort VPN Access Server or VPN router. These settings control how the IntraPort server and client or LAN-to-LAN tunneling devices will initially identify and authenticate each other so that tunnel sessions can then be established. This initial negotiation is referred to as Phase 1.

Phase 2 IKE negotiation sets how the IntraPort server and client will handle individual tunnel sessions. Phase 2 IKE negotiation parameters for the IntraPort Client and server are set in the [ VPN Group <Name> ] section. Phase 2 negotiation parameters for LAN-to-LAN tunnels may be set in the [ Tunnel Partner <Section ID> ] section.

These Phase 1 security parameters are global to the device and are not associated with a particular interface. Keywords recognized in this section are described below.

Protection = [ MD5_DES_G1 | MD5_3DES_G1 | MD5_DES_G2 | MD5_3DES_G2 | MD5_DES_G5 | MD5_3DES_G5 | SHA_DES_G1 | SHA_3DES_G1 | SHA_DES_G2 | SHA_3DES_G2 | SHA_DES_G5 | SHA_3DES_G5 ]

The Protection keyword specifies a protection suite for the ISAKMP/IKE negotiation between the IntraPort server and client, or between VPN routers which have been configured as LAN-to-LAN tunneling devices. This keyword may appear multiple times within this section, in which case the IntraPort server or VPN router will propose all of the specified protection suites. The IntraPort client or tunnel peer will accept one of the options for the negotiation.

The first piece of each option is the authentication algorithm to be used for the negotiation. MD5 is the message-digest 5 hash algorithm.
SHA is the Secure Hash Algorithm, which is considered to be somewhat more secure than MD5.

The second piece is the encryption algorithm. DES (Data Encryption Standard) uses a 56-bit key to scramble the data. 3DES (Triple DES) uses three different keys and three applications of the DES algorithm to scramble the data.

The third piece is the Diffie-Hellman group to be used for key exchange. Because larger numbers are used by the Group 2 (G2) algorithm, it is more secure than Group 1 (G1). Group 5 (G5) uses a 1536-bit algorithm and is more secure than Group 1 or Group 2.

PPTPAuth = [ PAP | CHAP | MSCHAP1 | MSCHAP2 ]

This keyword specifies ONLY one allowed method of authentication for PPTP client connections. If PAP is specified, clear text passwords are passed. If CHAP is specified, MD5 hashes, or "signatures", are used to authenticate passwords. If MSCHAP1 is specified, Microsoft Challenge Authentication Protocol version 1, which uses a hash, will be used to authenticate. If MSCHAP2 is specified, Microsoft Challenge Authentication Protocol version 2 will be used to authenticate.

Note: We recommend that you check to see which protocols are supported by your client before making your selection.

Examples

[ IKE Policy ]
Protection = MD5_DES_G1
Protection = SHA_3DES_G5

See Also

[ VPN Group <Name> ], [ Tunnel Partner <Section ID> ]

[ IP Loopback ]

This section allows a Loopback address to be specified for the router. This is used only by the BGP protocol. The keywords recognized in this section are described below.

LoopbackAddress = IP Address

The LoopbackAddress keyword specifies the IP address of the Loopback interface on the router. This can be used to provide a separate IP address for the router which is not tied to one of its IP interfaces. The IP address is specified in standard dotted-decimal notation.
Examples

[ IP Loopback ]
LoopbackAddress = 192.168.55.23

See Also

[ BGP Peer Config <Name> ]

[ IP Protocol Precedence ]

This section sets the precedence order the router will follow in including routes in its routing table when multiple IP routing protocols are in use on the network. The keywords recognized in this section are described below.

Precedence = [ ospf rip static | ospf static rip | rip ospf static | rip static ospf | static ospf rip | static rip ospf ]

The Precedence keyword sets the precedence order for including OSPF, RIP and static routes in the routing table. If a router has OSPF, RIP and static route advertisements for the same IP route, this keyword allows it to determine which route to install in its IP routing table.

This section is only relevant if there is more than one possible route to a destination. For example, if there are no OSPF or RIP routes to a destination but there is a static route, that route will be installed even if the precedence is ospf rip static. If there is a configured static route to a destination for which there was a RIP or OSPF route with greater precedence, that static route will be automatically re-installed if the RIP/OSPF route goes away.

For BGP-capable routers, BGP will always be first in the precedence order.

Note: An exception to the precedence rule is an OSPF external (i.e., type ASE) route. OSPF external routes will be overwritten by a RIP or static route, regardless of the precedence. This is because OSPF external routes originally come from another protocol, usually RIP or static. If the router is running both RIP and OSPF, but another router on the network is redistributing RIP into OSPF, the RIP routes would be overwritten by OSPF external routes without this exception.
In order to get the RIP routes via OSPF external routes, simply turn off the RIPIn keyword in the [ IP <Section ID> ] section on the router, and it will then install the routes as OSPF externals.

Examples

[ IP Protocol Precedence ]
Precedence = ospf rip static

See Also

[ IP <Section ID> ], [ OSPF Area <Name> ], [ IP Route Redistribution ], [ IP Static ]

[ IP Route Redistribution ]

This section sets global configuration parameters which allow the redistribution of routes from one dynamic IP routing protocol into another. This allows the RIP, OSPF and BGP protocols to co-exist and exchange routing information. Redistribution of static routes can be set using the [ IP Protocol Precedence ] section.

Note: Route redistribution is global to the device. For instance, if a router is running OSPF on Wan 0 and Ethernet 0 and RIP on Ethernet 1, setting the RIPToOSPF keyword to On will cause the router to advertise its RIP routes to all its OSPF neighbors on Wan 0 and Ethernet 0. In order to exclude external advertisements into Ethernet 0 in this example, you would need to configure Ethernet 0 as an OSPF Stub Area using the [ OSPF Area <Name> ] section.

Individual routes may be excluded from redistribution with IP Route Filters using the [ IP Route Filter <Name> ] section, or, in the case of OSPF or RIP into BGP, using the [ BGP Route Map <Name> ] section.

The keywords recognized in this section are described below.

OSPFRouteAggregation = [ On | Off ]

The OSPFRouteAggregation keyword sets whether static and RIP routes will be consolidated along class boundaries before they are advertised into OSPF. If the router has a split subnet coming into the device from different interfaces, OSPFRouteAggregation should be set to Off.

Note: Aggregation of BGP routes is done using the [ BGP Aggregates ] section; OSPFRouteAggregation is only used for importing static and RIP routes into OSPF.
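The selection rule from the [ IP Protocol Precedence ] section above, written out as an added example (this is not the device's own code). It models a candidate route as a (protocol, is-OSPF-external) pair, which is my assumption rather than anything the manual specifies, and re-runs selection whenever a route is added or withdrawn, which is what makes a static route come back when the RIP or OSPF route that displaced it goes away. BGP is placed ahead of the configured order and the OSPF external exception is applied before the precedence list is consulted.

```python
"""Route selection under the [ IP Protocol Precedence ] rules.

Added example, not vendor code. Modelling assumptions of mine: a candidate
route is a (protocol, is_ospf_external) pair, destinations are plain strings,
and the table re-selects on every add/remove.
"""
from typing import Dict, List, Optional, Tuple

ALLOWED_PRECEDENCE = {
    "ospf rip static", "ospf static rip", "rip ospf static",
    "rip static ospf", "static ospf rip", "static rip ospf",
}

Route = Tuple[str, bool]  # ("ospf", True) is an OSPF external (ASE) route


def parse_precedence(value: str) -> List[str]:
    """Validate the Precedence keyword value and return the protocol order.
    On a BGP-capable router BGP is always ahead of the configured order."""
    order = " ".join(value.lower().split())
    if order not in ALLOWED_PRECEDENCE:
        raise ValueError(f"Precedence must be one of {sorted(ALLOWED_PRECEDENCE)}, got {value!r}")
    return ["bgp"] + order.split()


def select_route(candidates: List[Route], precedence: List[str]) -> Optional[Route]:
    """Pick the route the device would install from those currently advertised.

    Exception from the manual: an OSPF external route is overwritten by any RIP
    or static route regardless of precedence, since it originated in one of them.
    """
    if not candidates:
        return None
    rip_or_static_present = any(proto in ("rip", "static") for proto, _ in candidates)
    eligible = [r for r in candidates
                if not (r[0] == "ospf" and r[1] and rip_or_static_present)]
    # Lowest position in the precedence list wins.
    return min(eligible, key=lambda r: precedence.index(r[0]))


class RouteTable:
    """Advertised routes per destination; installed(dest) is the current winner."""

    def __init__(self, precedence_value: str) -> None:
        self.precedence = parse_precedence(precedence_value)
        self.advertised: Dict[str, List[Route]] = {}

    def add(self, dest: str, route: Route) -> Optional[Route]:
        self.advertised.setdefault(dest, []).append(route)
        return self.installed(dest)

    def remove(self, dest: str, route: Route) -> Optional[Route]:
        """A RIP/OSPF route timed out or a static route was deleted."""
        self.advertised.get(dest, []).remove(route)
        return self.installed(dest)

    def installed(self, dest: str) -> Optional[Route]:
        return select_route(self.advertised.get(dest, []), self.precedence)
```

With Precedence = ospf rip static, a lone static route is installed, a RIP route then replaces it, and withdrawing the RIP route re-installs the static one; an OSPF external route loses to a RIP route for the same destination and is re-installed only when that RIP route goes away.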
RIPToOSPF = String

The RIPToOSPF keyword sets whether the router will redistribute RIP routes into the OSPF routing domain. The string has the following syntax:

True | False [ 1 | 2 <metric> ]

True | False
This parameter sets whether the router will redistribute RIP routes into OSPF.

1 | 2 <metric>
This optional parameter allows the metric, or cost, on the two types of external OSPF routes to be incremented or decremented. The cost of a type 2 route is simply the external cost, regardless of the interior (i.e., within OSPF) cost to reach that route. A type 1 cost is the sum of both the external cost and the internal cost used to reach that route. The default is type 2.

The metric parameter sets the external cost to be used. The value can be a number between 1 and 32,767. The default is 10.

Note: For a type 1 route, the internal costs along the routing path will be added to this cost to get the total cost of the route.

DefaultIntoOSPF = String

The DefaultIntoOSPF keyword sets whether the router will redistribute default routes into the OSPF routing domain. The string has the following syntax:

True | False [ 1 | 2 <metric> ]

True | False
This parameter sets whether the router will redistribute default routes into OSPF. Redistributing a static or RIP default route into OSPF is specified separately, due to the special nature of a default route. If this is not set, or if False is specified, a RIP or BGP default route will not be advertised into the OSPF domain even if non-default routes from that protocol are being redistributed.

1 | 2 <metric>
This optional parameter allows the metric, or cost, on the two types of external OSPF routes to be incremented or decremented. The cost of a type 2 route is simply the external cost, regardless of the interior (i.e., within OSPF) cost to reach that route. A type 1 cost is the sum of both the external cost and the internal cost used to reach that route. The default is type 2.
The metric parameter sets the external cost to be used. The value can be a number between 1 and 32,767. The default is 10.

Note: For a type 1 route, the internal costs along the routing path will be added to this cost to get the total cost of the route.

OSPFToRIP = String

The OSPFToRIP keyword sets whether the router will redistribute OSPF routes into the RIP routing domain. The string has the following syntax:

True | False [ <metric> ]

True | False
This parameter sets whether the router will redistribute OSPF routes into RIP. If True is specified, RIP will simply pick up the OSPF routes along with any other routes it is going to advertise.

<metric>
This optional parameter allows the metric, or cost, on routes to be incremented or decremented. The value can be a number between 1 and 32,767. The default is 1.

BGPToOSPF = String

The BGPToOSPF keyword sets whether the router will redistribute BGP routes into the OSPF routing domain. The string has the following syntax:

True | False [ <metric> ]

True | False
This parameter sets whether the router will redistribute BGP routes into OSPF.

Note: The full Internet BGP routing table of some 50,000+ routes cannot be redistributed into OSPF. Only up to 1000 BGP routes will be accepted.

<metric>
This optional parameter allows the metric, or cost, on routes to be incremented or decremented. The value can be a number between 1 and 32,767. The default is 1.

BGPToRIP = String

The BGPToRIP keyword sets whether the router will redistribute BGP routes into the RIP routing domain. The string has the following syntax:

True | False [ <metric> ]

True | False
This parameter sets whether the router will redistribute BGP routes into RIP. If True is specified, RIP will simply pick up the BGP routes along with any other routes it is going to advertise.

Note: The full Internet BGP routing table of some 50,000+ routes cannot be redistributed into RIP.
Only up to 1000 BGP routes will be accepted.

<metric>
This optional parameter allows the metric, or cost, on routes to be incremented or decremented. The value can be a number between 1 and 32,767. The default is 1.

RIPToBGP = [ On | Off ]

The RIPToBGP keyword sets whether the router will redistribute RIP routes into the BGP routing domain. BGP will provide its own hop count in its route advertisements.

OSPFToBGP = [ On | Off ]

The OSPFToBGP keyword sets whether the router will redistribute OSPF routes into the BGP routing domain. BGP will provide its own hop count in its route advertisements.

Examples

[ IP Route Redistribution ]
RouteAggregation = Off
RIPToOSPF = True 2 10
DefaultIntoOSPF = True 2 10
OSPFtoRIP = True 1

See Also

[ IP <Section ID> ], [ OSPF Area <Name> ], [ OSPF Virtual Link <Name> ], [ IP Protocol Precedence ], [ IP Static ], [ BGP General ], [ BGP Networks ], [ IP Route Filter <Name> ], [ BGP Route Map <Name> ], ospf(show)

[ IP <Section ID> ]

This section sets parameters that control how IP packets are handled on each interface of the device. Compatible Systems devices support IP Version 4 routing. All references to IP on this manual page refer to this set of protocols. The keywords of the IP section are described below.

Mode = [ Routed | Bridged | Brouted | Off ]

The Mode keyword describes the method the device is to use to handle IP packets when received by the device.

Routed enables the port of the device. It specifies that the device is attached to a routed network and the device will forward packets to its other ports if it is a router or to the virtual private networks if it is a VPN access server.

Bridged enables the port of a router and specifies that it is attached to a bridged network and will forward packets based on the physical address using the router's bridge cache, which is maintained through the IEEE Spanning Tree Protocol or through active listening.
If Bridged is specified, bridging must be enabled globally in the router in the [ Bridging Global ] section and on the interface in the [ Bridging <Section ID> ] section. It is possible to assign an IP address to the router using the [ IP Bridge ] section if it is to be managed by either CompatiView, telnet or SNMP using the IP protocol while bridging.

Brouted is only available on WAN interfaces and allows the device to accept both bridged and routed IP packets over the interface. This is particularly useful for Frame Relay networks with multiple PVCs attached to the same physical WAN interface. The Brouted mode allows the device to demultiplex the packet stream for processing by the bridge or router modules as appropriate.

Off disables the port of the device. If Off is specified, then IP packets received on the interface will be silently discarded.

IPAddress = IP Address

The IPAddress keyword specifies the IP address for this interface. Every network interface on an IP internetwork must have a unique IP address that identifies that interface to other devices on the internetwork. Part of this address identifies the network segment the interface is connected to, and the remainder uniquely identifies the interface itself.

Most IP networks use subnetting in order to subdivide a large network into smaller logical subnetworks. The subnet mask address is used to tell the device what part of the IP address identifies the network segment (the "network" portion), and what part identifies individual interfaces (the "host" portion).

Additionally, an IP subinterface may be assigned to a port. IP subinterfaces allow the device to service more than one IP address range on a single physical network segment. A subinterface may be specified by adding a decimal point to the primary interface (e.g., WAN 1.1, Ethernet 2.1, etc.).
A port's primary interface is always assumed to be .0, although it will not appear as such in the configuration editor (i.e., it will appear as WAN 1 or Ethernet 2, etc.).

Because a routed IP packet does not contain any information regarding which networks it has passed across, the router must associate all IP packets received from a physical segment with the primary interface connected to the segment. As a result of this, the only IP parameters which may be set for subinterfaces greater than .0 are IPAddress, SubnetMask, and IPBroadcast.

Note: Subinterfaces are only allowed on WAN ports configured for Frame Relay operation. They are not allowed on WAN ports configured for PPP. Frame Relay DLCIs (Data Link Connection Identifiers) must be statically mapped when subinterfaces are in use because IARP (Inverse ARP) can only resolve a physical port, not a logical subinterface on that port. See the [ Frame Relay <Section ID> ] section for more information.

SubnetMask = IP Address

The SubnetMask keyword specifies the IP subnet mask for this interface.

There are three "classes" of subnetted IP networks: A, B and C. Each class uses a different amount of the 32-bit IP address for the network and host portions. These classes may also be further divided (subnetted) by increasing the number of bits used for the network portion and reducing the number of bits used for the host portion. Class A addresses use 8 bits for the network portion and 24 for the host portion, Class B addresses use 16 bits for the network portion and 16 for the host portion, and Class C addresses use 24 bits for the network portion and 8 bits for the host portion.

Example: Assuming that you want a single network for all of the available host addresses, the corresponding subnet masks would be as follows: 255.0.0.0 for Class A, 255.255.0.0 for Class B, and 255.255.255.0 for Class C.

IPBroadcast = IP Address

The IPBroadcast keyword specifies the IP broadcast address of this interface.
The IPBroadcast keyword is used to tell the device what address to use to send any IP broadcast messages. The standard broadcast address has all 1 bits set in the host portion of the address. A few networks use all zeroes for the broadcast address. If you are unsure which type your network uses, check with your network administrator. If you do not set a broadcast address, the device will derive one from the IP address you entered and the subnet mask.

RIPVersion = [ V1 | V2 | None ]

The RIPVersion keyword specifies which version of the Routing Information Protocol (RIP) is used by the router. RIP is used by routers to exchange information between themselves about the most effective path for forwarding packets between various end points. RIP is the most widely used routing protocol on IP networks.

All gateways and routers that support RIP periodically broadcast routing information packets. These RIP packets contain information concerning the networks that the routers and gateways can reach, as well as the number of routers/gateways that a packet must travel through to reach the destination address.

RIP version 1 (V1) will send and accept RIP packets and will then periodically update its routing table with the information provided from these packets. On a large network, an up-to-date routing table will enhance network performance, since the router will always be aware of the optimal path to use when sending packets.

RIP version 2 (V2) is an enhancement of RIP version 1 which allows IP subnet information to be shared among routers, and provides for authentication of routing updates. When RIP V2 is chosen, the router will use the multicast address 224.0.0.9 to send and/or receive RIP V2 packets for this network interface. As with RIP V1, the routing table will be periodically updated with information provided in these packets.
It is recommended that on any segment where all routers can use the same IP routing protocol, RIP V2 be used. If one or more routers on a segment must use RIP V1, then all other routers on that segment should also be set to use RIP V1.

If None is specified for this keyword, the router will not update its routing table and should always direct traffic to addresses for which it does not have a route (addresses not on one of the networks connected to its interfaces) to the "gateway/port" defined in the [ IP Static ] section. It will then be the responsibility of that router to direct the packets to the correct address.

Note: Some routers, in particular those designed to create very large corporate backbones, may use other routing protocols such as OSPF (Open Shortest Path First). These routers can simultaneously use RIP to communicate with smaller routers, or each of the smaller routers can be set to use one of these backbone routers as their default gateway/port.

NatMap = [ On | Off ]

The NatMap keyword, when set to On, enables this interface to perform Network Address Translation. NAT should only be enabled for this interface if it is to serve as the external NAT port.

RIPOut = [ On | Off ]

The RIPOut keyword, when set to On, allows the interface to send RIP.

RIPIn = [ On | Off ]

The RIPIn keyword, when set to On, allows the interface to receive RIP.

SplitHorizon = [ SplitHorizon | PoisonReverse | None ]

The SplitHorizon keyword specifies the technique used by RIP to avoid routing loops and allow smaller update packets.

SplitHorizon specifies that when sending a RIP update out a particular network interface, it never includes routing information acquired from that interface.

PoisonReverse is a variation of the Split Horizon technique that specifies that all routes should be included in an update out a particular interface. It also sets the metric to infinity for those routes acquired over that interface.
One drawback is that routing update packet sizes will be increased when using Poison Reverse.

If None is selected, all routes are included in an output packet regardless of where they originated and will use a normal metric value.

ProxyARP = [ On | Off ]

The ProxyARP keyword is used to allow the network portion of a group of IP addresses to be shared between several physical network segments. An example would be sharing one Class C address range between two physical Ethernets.

The ARP protocol itself provides a way for devices on an IP network to create a mapping between physical (i.e., Ethernet) addresses and logical IP addresses. Proxy ARP makes use of this mapping feature by instructing a device to answer ARP requests as a "proxy" for the IP addresses behind one of its interfaces. The device which sent the ARP request will then correctly assume that it can reach the requested IP address by sending packets to the physical address that was returned to it. This technique effectively hides the fact that a network has been (further) subnetted.

If ProxyARP is On, then when an ARP request is received on this interface, the address is looked up in the IP routing table (applying the normal rules of IP routing). If the forwarding interface for the route isn't the one the ARP request was received on and doesn't resolve to the IP default route, the device will answer (i.e., become a proxy for) the ARP request. If ProxyARP is Off, then the device will only respond to ARP requests received for its own IP interface address.

Note: Using Proxy ARP requires an in-depth understanding of the workings of the IP protocol, along with careful manipulation of the IP subnet masks for the interfaces on a router. A more straightforward method of achieving similar results is to use bridging when using a multiprotocol router.

Relay = String

The Relay keyword is used to add a relay agent for User Datagram Protocol (UDP) broadcast packets.
Normally, the router will not forward UDP broadcast packets. However, many network applications use UDP broadcasts to configure addresses, hostnames, and other information. If hosts using these protocols are not on the same network segment as the servers providing the information, the hosts will not receive a response without enabling a relay agent on the interface. By enabling an IP relay on an interface, the router is instructed to forward UDP broadcast packets to the relay server specified by an IP address in the string.

It is common for BOOTP and DHCP clients to broadcast on their local segments looking for a server to assign them an IP address. This feature of the router allows the BOOTP and DHCP server to reside on segments which are non-local to the client.

The syntax of the string is as follows:

<relay-address> [ <ports/protocols> ]

relay-address
A relay-address is the IP address of the server that will receive the relayed packet. The address is entered in the standard dotted decimal notation for IP addresses. However, values can be entered in hexadecimal as well. Hexadecimal numbers should be preceded by a "0x".

ports/protocols
The ports/protocols parameter specifies the service which will be relayed. Multiple services may be entered. Services may be entered as a number from 1 to 65535 to specify the UDP port being relayed. They may also be entered as one of the following keywords: DHCP, TFTP, DNS, NTP (Network Time Protocol, port 123), NB_NS (NetBIOS Name Server, port 137), NB_DG (NetBIOS Datagram, port 138), and BOOTP. Multiple port names and numbers must be separated by white space.

By default, if no ports/protocols are specified then the following protocols are forwarded:

• Domain Name Service (UNIX named), UDP port 53.
• BOOTP Server, UDP port 67.
• Dynamic Host Configuration (DHCP), UDP port 67.
• Trivial File Transfer (TFTP), UDP port 69.
Up to four IP relays may be installed per interface using separate keywords. Distinct ports/protocols may be specified for each relay-address. The UDP broadcast packet will be forwarded to each relay-address which exists for the service specified in the packet. To see a sample IP relay, see the Examples at the end of this section.

OutFilters = String

The OutFilters keyword allows a named set of IP packet filtering rules to be associated with the output side of the interface. OutFilters allows the device to accomplish packet filtering on packets that will be forwarded out this interface. Any packet not explicitly allowed by the rule set is dropped silently. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space.

If no string is specified, then no filtering takes place. This feature can be used to turn off a filter set (or sets) without deleting the keyword. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

InFilters = String

The InFilters keyword allows a named set of IP packet filtering rules to be associated with the input side of the interface. InFilters allows the device to accomplish packet filtering on packets that are received on this interface. Any packet not explicitly allowed by the rule set is dropped silently. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space.

If no string is specified, then no filtering takes place. This feature can be used to turn off a filter set (or sets) without deleting the keyword. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

Numbered = [ On | Off ]

The Numbered keyword specifies whether the wide area network connected to this interface will have an IP address associated with it. On indicates that the WAN interface will have a numbered interface.
Off indicates that the WAN interface will be unnumbered.

Many wide area network connections are simple point-to-point (PPP) links. These links do not generally require numbered WAN interfaces because there are only two devices on the link. All traffic sent from one end is, by definition, destined for the other end.

In contrast, Frame Relay networks may have a number of participating devices connected through a single physical interface. Because of this, a WAN interface set for Frame Relay must be set up in one of two ways. It can be set as a numbered interface, which requires that an IP address, subnet mask, and IP broadcast address also be set; or, it can be set as an unnumbered interface, which requires that you set the PointToPointFrame keyword to On and set the local DLCI (Data Link Connection Identifier) using the InterfaceDLCI keyword.

Note: If you are connecting the device to an Internet Service Provider using PPP, you may be required to use a numbered interface for compatibility reasons. Check with their technical support staff.

PointToPointFrame = [ On | Off ]

The PointToPointFrame keyword specifies whether a WAN interface is part of a point-to-point Frame Relay link. If setting up an unnumbered Frame Relay connection, this must be set to On. This is in contrast with numbered Frame Relay links, which may have a number of participating devices connected through a single physical interface.

When set to On, the device will recognize that the link is not multipoint and that a static Frame Relay DLCI will be specified for the PVC. The device will not perform any dynamic Inverse ARP for the PVC (Permanent Virtual Circuit), as it would for a numbered Frame Relay link. A static DLCI must also be set for the interface using the InterfaceDLCI keyword.

InterfaceDLCI = Number

The InterfaceDLCI keyword specifies the DLCI that is the local endpoint for an unnumbered Frame Relay link.
This provides a mapping between the protocol address and the physical (hardware) address on the link. This keyword must be set when a Frame Relay link is being set as an unnumbered interface. The number can be between 16 and 991, and will be provided to you by your Frame Relay carrier.

Updates = [ Periodic | Triggered ]

The Updates keyword specifies the way in which the device sends RIP information over its link.

When updates are designated as Periodic, the device will use the standard RIP protocol, which sends RIP packets over the link every 30 seconds. If periodic update packets are sent across a dial-on-demand link, this will cause a WAN interface to stay up indefinitely.

When updates are designated as Triggered, the device will modify the standard RIP behavior for this interface to send RIP packets only when there has been an update to its routing table information, or when it has detected a change in the accessibility of the next hop router.

VJHeaderComp = [ On | Off ]

The VJHeaderComp keyword specifies whether to use Van Jacobson Header Compression (VJHC) on the WAN link. VJHC is a standard method of reducing the amount of redundant IP header information which is transferred over a wide area connection. VJHC reduces the size of the IP header to as few as three bytes. There is a trade-off between the amount of time it takes to compress the header information, and the amount of time it would take to simply send it in native form across the WAN link.

Note: A general rule of thumb for Compatible Systems devices would be to use VJHC on uncompressed links at up to 56K rates, but to turn it off at higher speeds or if other means of compression (such as the V.42 compression built into modems) are in use. A few simple FTP transfer tests over your particular WAN setup will yield a more exact answer.
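A small lint for the text configuration format this guide documents, added here as an example (it is not the device's own code or a Compatible Systems tool). It parses "[ Section ]" headers followed by "Keyword = value" lines, which is my reading of the shape of the Examples in this guide, and then applies checks drawn from two passages: the [ IKE Policy ] Protection suites earlier in this chapter (the guide ranks SHA over MD5, 3DES over DES and G5 over G2 over G1) and the [ IP <Section ID> ] keywords above (IPBroadcast derived from IPAddress and SubnetMask, the three keywords allowed on a subinterface, and the PointToPointFrame and InterfaceDLCI requirements of an unnumbered Frame Relay interface), plus the DirectedBroadcast keyword documented later in this section. The sample configuration is constructed from the guide's Ethernet 0 example with a weak IKE suite and a mis-set subinterface added to exercise the checks; the finding texts are my wording.

```python
"""Lint a Compatible Systems text configuration (added example, not vendor code).

My assumptions, not the manual's: the file is "[ Section ]" headers followed by
"Keyword = value" lines, as in the manual's Examples; values compare
case-insensitively; the wording of each finding is this example's own.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

_HEADER = re.compile(r"^\[\s*(.+?)\s*\]$")   # e.g. "[ IP Ethernet 0 ]"
_KEYVAL = re.compile(r"^(\w+)\s*=\s*(.*)$")  # e.g. "Mode = Routed"
SUBIF_KEYS = {"IPAddress", "SubnetMask", "IPBroadcast"}  # all a subinterface may set


def parse_config(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """[(section name, [(keyword, value), ...]), ...] in file order; a list per
    section because keywords may repeat (several Protection or Relay lines)."""
    sections: List[Tuple[str, List[Tuple[str, str]]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            sections.append((m.group(1), []))
            continue
        m = _KEYVAL.match(line)
        if m and sections:
            sections[-1][1].append((m.group(1), m.group(2).strip()))
    return sections

def derive_broadcast(ip: str, mask: str) -> str:
    """All-ones host portion, which the device derives when IPBroadcast is unset."""
    return str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False).broadcast_address)

def lint_ike_policy(keys: List[Tuple[str, str]]) -> List[str]:
    """The manual ranks SHA over MD5, 3DES over DES and G5 > G2 > G1; flag any
    proposed suite sitting at the bottom of one of those orderings."""
    findings = []
    for k, v in keys:
        if k == "Protection":
            hash_alg, cipher, group = v.upper().split("_")
            if hash_alg == "MD5" or cipher == "DES" or group == "G1":
                findings.append(f"IKE Policy: Protection = {v} proposes the weakest hash, cipher or DH group on offer")
    return findings

def lint_ip_interface(name: str, keys: List[Tuple[str, str]]) -> List[str]:
    findings = []
    vals: Dict[str, str] = dict(keys)  # last occurrence wins; fine for single-valued keywords
    if "." in name.split()[-1]:  # subinterface such as "IP Wan 1.1"
        extra = sorted({k for k, _ in keys} - SUBIF_KEYS)
        if extra:
            findings.append(f"{name}: a subinterface may only set IPAddress, SubnetMask and IPBroadcast, not {extra}")
    if all(k in vals for k in ("IPAddress", "SubnetMask", "IPBroadcast")):
        expected = derive_broadcast(vals["IPAddress"], vals["SubnetMask"])
        if vals["IPBroadcast"] != expected:
            findings.append(f"{name}: IPBroadcast {vals['IPBroadcast']} is not the all-ones broadcast {expected} of this subnet")
    if vals.get("Numbered", "On").lower() == "off":  # unnumbered Frame Relay rules
        if vals.get("PointToPointFrame", "Off").lower() != "on":
            findings.append(f"{name}: an unnumbered Frame Relay interface needs PointToPointFrame = On")
        dlci = vals.get("InterfaceDLCI", "")
        if not (dlci.isdigit() and 16 <= int(dlci) <= 991):
            findings.append(f"{name}: an unnumbered Frame Relay interface needs InterfaceDLCI between 16 and 991")
    if vals.get("DirectedBroadcast", "Off").lower() == "on":
        findings.append(f"{name}: DirectedBroadcast = On forwards directed broadcasts; the default Off blocks echo amplification")
    return findings

def lint(text: str) -> List[str]:
    findings: List[str] = []
    for name, keys in parse_config(text):
        words = name.split()
        if name == "IKE Policy":
            findings += lint_ike_policy(keys)
        elif words[0] == "IP" and len(words) > 1 and words[1].lower() in ("ethernet", "wan"):
            findings += lint_ip_interface(name, keys)
    return findings

# Constructed sample: the manual's Ethernet 0 example plus a weak IKE suite and
# a mis-set Frame Relay subinterface, added here to exercise the checks.
SAMPLE_CONFIG = """
[ IKE Policy ]
Protection = MD5_DES_G1
Protection = SHA_3DES_G5
[ IP Ethernet 0 ]
IPAddress = 192.168.9.1
SubnetMask = 255.255.255.224
IPBroadcast = 192.168.9.31
[ IP Wan 1.1 ]
IPAddress = 10.20.30.1
SubnetMask = 255.255.255.0
IPBroadcast = 10.20.30.0
RIPVersion = V2
"""
```

Running lint(SAMPLE_CONFIG) reports the MD5_DES_G1 suite, the RIPVersion keyword on the Wan 1.1 subinterface, and the all-zeroes broadcast 10.20.30.0 where the device would derive 10.20.30.255; the guide notes that a few networks do use all zeroes, so that last finding is a prompt to confirm with the network administrator rather than an outright error.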
IPCPAddr = [ On | Off ]

The IPCPAddr keyword specifies whether the device's configured IP address is to be sent to the remote PPP client on initial IPCP (IP Control Protocol)/PPP negotiations. On causes the device to send its address to the remote PPP client. Some vendors (e.g., Xyplex) require this in order to establish proper IP routing across the PPP link. If the WAN interface is configured as numbered, the WAN IP address is sent. If the interface is configured as unnumbered, Ethernet 0's IP address is sent.

RemoteAddress = IP Address

The RemoteAddress keyword specifies the IP address that will be served to a client PPP machine when dialing into the device.

Besides defining a method for router-to-router communication, PPP defines a method for individual client machines to dial in to an interface. Once a client machine has connected to an interface in this fashion, the device provides proxy services which allow the client machine to participate as a node on one of the device's local networks.

If remote node operation is desired, the WAN interface would usually be set up as an Unnumbered interface, and the RemoteAddress would then be set to an unused IP address from the device's Ethernet network(s). Alternatively, if the interface is set to Numbered, an unused address from the interface's host range may be used.

GatewayAddress = IP Address

The GatewayAddress keyword specifies the IP address that will be used as the default router for IP traffic leaving the device. The gateway address will be used to route packets when the destination network is not known by the device. This keyword may only be used for the single Ethernet interface on the IntraPort VPN Access Server, and is required for proper operation. There is no default value.

DirectedBroadcast = [ On | Off ]

The DirectedBroadcast keyword sets whether the interface will forward network-prefix-directed broadcasts.
This is a security feature which can help prevent your network from being used as an intermediary in certain kinds of attacks which use ICMP echo traffic (pings) or UDP echo packets with fake (i.e., "spoofed") source addresses to inundate a victim with erroneous traffic. The default is Off.

OSPFenabled = [ On | Passive | Off ]

The OSPFenabled keyword sets how the interface will function on a network utilizing OSPF (Open Shortest Path First). OSPF uses a link-state algorithm in order to build and calculate the shortest path to all known destinations. Each router in an OSPF area contains an identical link-state database, which is a list of each router's usable interfaces and reachable neighbors.

Unlike RIP updates, OSPF link-state database updates are only sent when routing changes occur, instead of periodically, and the link-state database is updated instantly rather than gradually as stale information is timed out. Also, routing decisions are based on "cost", which is an indication of the overhead required to send packets across a certain interface. The cost of an interface is calculated based on link bandwidth rather than the number of hops to the destination. The cost can also be configured to specify preferred paths.

If On is specified, the interface will serve as an active interface on an OSPF network. This router will establish adjacencies with other routers. Adjacent routers exchange database information with the Designated Router, which then floods the information to all other routers in their area.

If Passive is specified, the interface will not send out Hello packets and thus will not establish any adjacencies with other routers on that network, even if they are running OSPF. A Passive interface will, however, have its network advertised to other OSPF networks. This can be used to have a non-OSPF interface's network advertised into OSPF. A Passive interface must also be associated with an OSPF Area.
If Off is specified, the interface's network is not advertised to the router's other interfaces.

OSPFareaID = [ <Number> | <IP address> ]

The OSPFareaID keyword sets the area to which this interface belongs. An area is a generalization of an IP subnetted network. It can be specified as a number between 0 and 0xFFFFFFFF or as an IP address in dotted-decimal notation. Area 0 is the backbone area and is the default setting.

All routers within an area have the same link-state database. An interface can only belong to one area, although different interfaces on a router can belong to different areas, making the router an Area Border Router. Area Border Routers disseminate routing information or routing changes between areas. The other routers which are connected to this router on this interface must also be configured with the same OSPFareaID in order for the routers to communicate.

OSPFcost = Number

The OSPFcost keyword specifies the priority of one particular path over another path. An OSPF router will choose the gateway with the lowest cost to enter into its routing table. To give preference to a path, set a lower cost on that interface. The value can be a number between 1 and 65,535. The default is 10.

OSPFRtrPri = Number

The OSPFRtrPri keyword sets the router priority and is only used on multi-access networks such as LANs. This establishes whether the router is eligible to become the Designated Router for the LAN. The Designated Router is the single router within an area which broadcasts the Link State Advertisement for the area. A priority of 0 means that the router is not eligible. The router with the highest priority becomes the Designated Router; however, if a router with a lower priority is the Designated Router and a new router with a higher priority comes online, the Designated Router will not change. The value can be a number between 0 and 255.
The default priority is 1; if all routers have the same priority, they will negotiate with each other for the Designated Router election. At least one router on a LAN must have a priority greater than 0 in order for OSPF to work, since there must be a Designated Router.

AuthKey = String

The AuthKey keyword sets the OSPF packet authentication key. In order to use authentication, the OSPFAuthType for this interface's area should be set to Simple in the [ OSPF Area <Name> ] section. The authentication key must match for each router connected to the interface and belonging to the area. The string may be between one and 8 alphanumeric characters. If the string contains spaces or other special characters, it must be enclosed in quotes.

HelloInterval = Number

The HelloInterval keyword sets the interval, in seconds, that the router sends out OSPF keepalive packets which let other routers know the router is up. The value must be greater than one. The default settings of 10 seconds for a LAN and 30 seconds for a point-to-point connection are recommended for most applications.

RtrDeadInterval = Number

The RtrDeadInterval keyword sets the length of time, in seconds, that OSPF neighbors will wait without receiving an OSPF keepalive packet from a neighbor before assuming the router is down. The value must be at least twice the HelloInterval. The default is 40 seconds on a LAN and 120 seconds for a point-to-point connection.

Note: The HelloInterval and RtrDeadInterval for each connected router must match or the routers will not be able to communicate. If you change the defaults on one router, you must change them on all attached routers within an area.

Transdelay = Number

The Transdelay keyword sets the amount of time added to the age of OSPF Link State Update packets before transmission. It is the estimated number of seconds to transmit a packet over the interface. The value can be between 1 and 65,535 seconds. The default is 1.
RetransInterval = Number

The RetransInterval keyword sets the interval, in seconds, between retransmission of Link State Update packets. The value can be between 2 and 65,535 seconds. The default is 5.

Examples

This example shows an IP configuration for Ethernet interface 0 on a 4000S.

[ IP Ethernet 0 ]
Mode = Routed
IPAddress = 192.168.9.1
SubnetMask = 255.255.255.224
IPBroadcast = 192.168.9.31
RIPVersion = V1

This example shows an IP configuration for Ethernet interface 3 on a 4000S. The configuration specifies an input filter set, RIP to output only, and an IP relay to 192.15.2.1 for DNS, BOOTP, DHCP and TFTP requests.

[ IP Ethernet 3 ]
Mode = Routed
IPAddress = 192.15.1.1
SubnetMask = 255.255.255.0
RIPVersion = V1
RIPOut = ON
RIPIn = OFF
InFilters = "no-ftp" "permit-all"
Relay = 192.15.2.1 DNS BOOTP DHCP TFTP

This example shows an IP configuration for an Ethernet interface running OSPF.

[ IP Ethernet 0 ]
Mode = Routed
IPAddress = 198.41.9.1
SubnetMask = 255.255.255.224
IPBroadcast = 198.41.9.31
OSPFenabled = On
OSPFAreaID = 0
OSPFcost = 10
OSPFRtrPri = 1
AuthKey = "Franny"
HelloInterval = 10
RtrDeadInterval = 40

This example shows a WAN interface set as an unnumbered Frame Relay interface. The link configuration is included.

[ IP Wan 0 ]
Mode = Routed
Numbered = Off
PointToPointFrame = On
InterfaceDLCI = 500

[ Link Config Wan 0 ]
ConnectMode = Dedicated
Mode = FrameRelay

See Also

[ IP Static ], [ IP Filter <Name> ], [ IP Route Filter <Name> ], [ General ], [ Frame Relay <Section ID> ], ip(show), [ Bridging Global ], [ Bridging <Section ID> ], [ NAT Mapping ], [ NAT Global ], [ OSPF Area <Name> ]

[ IPX <Section ID> ]

This section sets parameters that control how IPX packets are handled on each interface of the device. The keywords in this section are described below.
Mode = [ Routed | Bridged | Off ]

The Mode keyword describes the method the interface is to use to forward IPX packets through the device.

Routed enables the port of the device. It specifies that the device is attached to a routed network and the device will forward packets to its other ports if it is a router or to the virtual private networks if it is a VPN access server. If the device is a router, packets are forwarded by looking up the network address in the device’s routing table maintained by IPX RIP (Routing Information Protocol). If the device is a VPN access server (IntraPort class) packets are forwarded to the virtual private network depending on the users that are attached to the server. It will use the routing table maintained by RIP to forward packets from the virtual private network to the local area network.

Bridged enables the port of a router to be attached to a bridged network and forward packets based on the physical address using the router’s bridge cache maintained through the IEEE Spanning Tree Protocol or through active listening. The VPN access servers do not support this mode. If Bridged is specified, bridging must be enabled globally in the router in the [ Bridging Global ] section and on the interface in the [ Bridging <Section ID> ] section. It is possible to assign an IPX address to the router using the [ IPX Bridge ] section if it is to be managed by CompatiView using the IPX protocol while bridging.

Off disables the port of the device. If Off is specified, then IPX packets received on the interface will be silently discarded.

RipTimer = Number

The RipTimer keyword allows the IPX RIP (Routing Information Protocol) timer to be set on the interface. This value specifies the interval, in seconds, the device sends out IPX RIP packets on the network segment attached to this interface. The RIP packets sent out on this interface contain routing information about networks for which this interface is responsible.
The number can be between 1 and 180 seconds. The default is 60.

SapTimer = Number

The SapTimer keyword allows the IPX SAP (Service Advertising Protocol) timer to be set on the interface. This value specifies the interval, in seconds, the device sends out IPX SAP packets on the network segment attached to this interface. The SAP packets sent out on this interface contain information about services (such as servers, printers, etc.) for which this interface is responsible. The number can be between 1 and 180 seconds. The default is 60.

BlockType20 = [ On | Off ]

The BlockType20 keyword specifies how IPX Packet Type 20 is handled on the interface. In order for certain protocol implementations, like NetBIOS, to function in the NetWare environment, routers must allow a broadcast packet to be propagated throughout an internet. The IPX Packet Type 20 is designated to perform broadcast propagation for these protocols. When a device receives this packet, it rebroadcasts it across all interfaces, except the one it received it on, and includes the network number of that interface in the data portion of the packet. The IPX Router Specification from Novell notes that Type 20 packets should not be propagated across slower links (like X.25 and asynchronous links) with bandwidths of less than 1 Mbps.

On prevents these packets from being rebroadcast out an interface. This is useful for on-demand WAN links where the link may be brought up as a result of this packet.

Off allows these propagated packets to be rebroadcast out the interface.

OutFilters = String

The OutFilters keyword allows a named set of IPX packet filtering rules to be associated with the output side of the interface. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser.
This feature can be used to turn off a filter set (or sets) without deleting the keyword. Packets being transmitted on the interface will be compared against the filter list(s) specified. Any packet not explicitly allowed by the rule set is dropped silently. When more than one set is defined, the filter interpreter will process the sets in the order specified. See the [ IPX Filter <Name> ] section for a definition of the rules that may be included in an IPX packet filter.

InFilters = String

The InFilters keyword allows a named set of IPX packet filtering rules to be associated with the input side of the interface. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword. Packets being received on the interface will be compared against the filter list(s) specified. Any packet not explicitly allowed by the rule set is dropped silently. When more than one set is defined, the filter interpreter will process the sets in the order specified. See the [ IPX Filter <Name> ] section for a definition of the rules that may be included in an IPX packet filter.

FrameTypeII = [ Seed | Auto | NoSeed | Off ]
FrameRaw = [ Seed | Auto | NoSeed | Off ]
Frame8022 = [ Seed | Auto | NoSeed | Off ]
FrameSNAP = [ Seed | Auto | NoSeed | Off ]

Compatible Systems routers support four IPX frame types, and will perform routing between frame types. The four frame types supported are Frame Type II, Frame Raw, Frame 8022, and Frame SNAP. Each Ethernet interface may be configured to simultaneously handle any or all of the frame types. The seed parameter defines what the device is to do with the network information (with respect to the frame type) when starting up.
Seed tells the device to listen for an IPX network number being set by another router (including Novell software routers residing on servers) on the segment connected to this interface and use this number if it exists. If it does not discover a number in use, the device will use the configured IPX network number to set the network number for the segment.

Auto tells the device to listen for an IPX network number being set by another router (including Novell software routers residing on servers) on the segment connected to this interface and use this number if it exists. If it doesn't discover a number in use, the device will automatically generate a valid number using its routing tables.

NoSeed tells the device to listen for an IPX network number being set by another router (including Novell software routers residing on servers) on the segment connected to this interface and use this number if it exists. If it doesn't discover a number in use, the device will wait indefinitely until a number is set by another router on the segment.

Off means that the device will neither listen for, nor send, packets with the specified frame type on this interface.

Numbered = [ On | Off ]

The Numbered keyword specifies whether the wide area network connected to this interface will have an IPX network number associated with it. If Numbered is On then you must set an IPX network number for this WAN interface. On WAN interfaces it is only necessary to specify the network number and not the frame and seed parameters as you do with Ethernet interfaces. Many wide area network connections are simple point-to-point links. These links do not generally require a network number because there are only two devices on the link. All traffic sent from one end is, by definition, destined for the other end. You generally do not need a numbered WAN interface if you are using the PPP transport protocol.
In contrast, Frame Relay networks may have a number of participating routers connected through a single physical interface. Because of this, use of the Frame Relay transport protocol requires a numbered WAN interface.

Updates = [ Periodic | Triggered ]

The Updates keyword specifies the way in which the device sends RIP information over the link. When updates are designated as Periodic, the device will send RIP packets over the link at the time interval defined by the RipTimer keyword. These periodic update packets will cause a WAN interface set for dial-on-demand operation to either stay up indefinitely or to continuously dial, connect, and then drop the connection. When updates are designated as Triggered, the device will send RIP packets only when there has been an update to its routing table information, or when it has detected a change in the accessibility of the next hop router.

NodeProxy = [ On | Off ]

Besides defining a method for router-to-router communication, PPP defines a method for individual client machines to dial in to an interface. Once a client machine has connected to an interface in this fashion, the device provides proxy services which allow the client machine to participate as a node on one of the device's local networks. The NodeProxy keyword allows the device to dynamically reserve an IPX address on the Ethernet for the WAN interface. This proxy address will be used if the remote PPP IPX implementation requires address negotiation (which is typical of end nodes).

RemoteNet = Hex number

The RemoteNet keyword specifies an IPX address that is set aside for remote nodes (such as dial-in users accessing the LAN remotely). This net number is set to an IPX network number from the device's Ethernet interface(s). Values for this number may range from 1 to FFFFFFFE.

Net = Hex number

The Net keyword is a number that must be assigned if the interface is being configured for Frame Relay.
This number is assigned to the device's WAN interface, and must be an unused IPX network number. Values for this number may range from 1 to FFFFFFFE.

FrameTypeIINet = Hex number
FrameRawNet = Hex number
Frame8022Net = Hex number
FrameSNAPNet = Hex number

Ethernet interfaces that have frame types set to Seed must be assigned a net number. These numbers are eight-digit hexadecimal numbers that uniquely identify the network segment connected to this interface. Values range from 1 to FFFFFFFE. Accidental selection of an IPX network number which is already in use on another network segment may cause hard-to-diagnose problems. You should carefully track which IPX network numbers are in use, and where they are located in your configuration.

Examples

The following shows an Ethernet interface with the 802.2 frame type set for seed.

[ IPX Ethernet 1 ]
Mode = Routed
FrameTypeIINet = 0
FrameRawNet = 0
Frame8022Net = CAFEF00D
FrameSNAPNet = 0
FrameTypeII = Off
FrameRaw = Off
Frame8022 = Seed
FrameSNAP = Off

See Also

[ IPX Filter <Name> ], [ IPX Route Filter <Name> ], [ IPX SAP Filter <Name> ], [ IPX Tunnels ], ipx(show), [ Bridging <Section ID> ], [ Bridging Global ]

[ IPX Tunnels ]

This section is used to modify IPX tunneling parameters. An IPX tunnel is a "virtual" IPX network running between tunnel peers. Tunnel peers are defined by their IP addresses. IPX over IP/UDP tunneling is defined and specified by RFC 1234 "Tunneling IPX traffic through IP networks."

Note: Newer VPN tunneling is available for IPX-in-IP tunneling. This includes authentication and encryption features not available in regular IPX tunnels. See the [ Tunnel Partner <Section ID> ] section for more information.

IPX over IP tunneling is sometimes needed when a network is limited to IP traffic only, either because there are routers elsewhere on the network which do not route IPX protocols, or for administrative reasons.
IPX-in-IP tunneling provides a solution for this problem by sending IPX information across an IP Internet by encapsulating IPX information in IP packets. IPX networks that are connected via a tunnel will communicate as if they are on the same network even though they are separated by an IP-only Ethernet backbone or internet.

Note: You must set up both ends of every tunnel. Therefore, you must repeat this setup with the other router(s) you want as participants in the tunnel.

Keywords recognized in this section are described below.

Tunnel = IP Address

The Tunnel keyword specifies the IP addresses of the tunnel peers with which this router will communicate using IPX-in-IP tunneling. There must be one entry for each tunnel peer and you may enter up to 32 different tunnel peers.

TunnelNet = Number

The TunnelNet keyword is used to specify the unique IPX network number for the virtual IPX network created by the tunnels. Each member of the tunnel peer group to which this router belongs must use the same IPX network number. The number must be specified as a hex value in the range of 1 to FFFFFFFE.

BindTo = Port identifier string

The BindTo keyword is used to specify which Ethernet or bridge interface is attached to the local side of the tunnel. Use the associated IP address of this interface when configuring a remote device participating in an IPX-in-IP tunnel with this router.

Filter = Number

For administrative reasons, there may be a need to limit the IPX networks that will pass through the tunnel. Compatible Systems routers (except 1000Rs) support filters to the tunnels you have defined. These filters control which IPX networks are accessible through the tunnel. The filter list specified by the Filter keyword is applied to the IPX RIP packets which are received through the tunnel from other tunnel peers. Without any tunnel filters, all of the IPX networks will be advertised.
There must be one entry for each IPX network filter and you can enter up to 96 different filters. Numbers must be specified as a hex value in the range of 1 to FFFFFFFE.

FilterType = [ Recognize | Ignore ]

The FilterType keyword specifies how the router should treat the list of IPX network numbers you have configured with the Filter keyword. If the type specified is Recognize, only the configured IPX network numbers will be allowed through the tunnel and installed in this router's routing table. If it is Ignore, all IPX network numbers except the configured values will be allowed through the tunnel and installed in this router's routing table.

Examples

The example below shows the configuration of both ends of an IPX tunnel. This first example is the local configuration. It restricts the tunneled IPX traffic to the 747 and 777 IPX networks.

## Local Router IPX Tunnel Configuration
[ IPX Tunnels ]
FilterType = Recognize
TunnelNet = 707
BindTo = Ethernet 0
Tunnel = 10.0.0.1
Filter = 777
Filter = 747

## IP Ethernet 0 Configuration
[ IP Ethernet 0 ]
Mode = Routed
IPAddress = 10.0.1.1
SubnetMask = 255.255.255.0

The remote configuration is included for comparison.

## Remote Router IPX Tunnel Configuration
[ IPX Tunnels ]
TunnelNet = 707
BindTo = Bridge
Tunnel = 10.0.1.1

## IP Bridge Configuration
[ IP Bridge ]
Mode = Routed
IPAddress = 10.0.0.1
SubnetMask = 255.255.255.0

See Also

[ IPX <Section ID> ], [ IPX Filter <Name> ], [ IPX Route Filter <Name> ], [ IPX SAP Filter <Name> ], [ Tunnel Partner <Section ID> ], ipx(show)

[ L2TP General ]

This section is used to set how L2TP will operate. L2TP is a VPN protocol which creates "virtual" PPP sessions between remote Windows computers and a corporate network. L2TP is only available in the IntraPort 2/2+, IntraPort Enterprise and IntraPort Carrier VPN Access Servers.
In general, a remote user connects to an ISP which acts as an LAC (L2TP Access Concentrator) and encapsulates the packets in IP before sending them over the Internet to the IntraPort. The IntraPort acts as an LNS (L2TP Network Server) and strips off the encapsulation before sending the packets on to the network. Certain software packages can also be used to allow a remote user’s PC to act as its own LAC, opening an individual tunnel between the PC itself and the LNS. An example of this is the RouterWare VPN Client.

In order for a remote user to connect to an IntraPort using L2TP, the user’s VPN Group Configuration must have the AllowL2TP keyword set to On (see the [ VPN Group <Name> ] section). There also must be an entry for that user in the [ VPN Users ] section, unless a RADIUS server is being used for authentication. If a RADIUS server is being used, then the user must be entered in the RADIUS server’s user database.

These parameters are global to the device and are not associated with a particular interface. Keywords recognized in this section are described below.

ReceiveWindowSize = Number

The ReceiveWindowSize keyword sets the number of control messages the peer can send before waiting for an acknowledgment. This number will only be sent to the remote peer (i.e., the LAC) if this number has been set to something other than the default of 0. Otherwise, the remote peer will assume a window size of 4 messages.

TunnelAuth = [ On | Off ]

The TunnelAuth keyword sets whether the IntraPort server will accept L2TP connection requests from anonymous peers. If this is set to Off, then no authentication of remote peers will be done. This is an insecure option since the device will accept any connection request. If this is set to On, then the L2TP negotiation between the LAC and the IntraPort will use a CHAP-like tunnel authentication mechanism, so there must be an LACPeer keyword configured for any remote peer who is to have access using L2TP. The default is On.
HiddenAVPs = [ On | Off ]

The HiddenAVPs keyword sets whether certain types of L2TP control message data, known as AVPs, will be hidden, via encryption, during tunnel setup. This includes passwords and user IDs. This can only be set to On when the TunnelAuth keyword is set to On because the LACPeer secret is used to encrypt the data.

LACPeer = String

The LACPeer keyword sets the name and secret for an LAC peer. If the TunnelAuth keyword has been set to On, then there must be an entry for an LACPeer in order for a remote peer (and, secondarily, an L2TP user) to connect to the IntraPort. The string has the following syntax:

<Peer Name> <Secret>

Peer Name
This parameter specifies the remote LAC peer’s name which will be used to authenticate the peer to the IntraPort.

Secret
This specifies the secret which will be used to authenticate the peer and the IntraPort to each other. This secret must also be configured in the remote peer in order for the authentication to work.

Examples

[ L2TP General ]
ReceiveWindowSize = 0
TunnelAuth = On
HiddenAVPs = Off
LACPeer = bungie jump
LACPeer = l2tpmax letmein

See Also

[ VPN Group <Name> ], [ VPN Users ], l2tp(show)

[ LDAP Auth Server ]

This section configures LDAP (Lightweight Directory Access Protocol) parameters into a device. LDAP can be used for VPN user authentication. It can also be used to serve configurations to a Compatible Systems device using the [ LDAP Config <Name> ] section. LDAP authentication is done only if the user cannot be found in the authentication database first (see the [ VPN Users ] section) or in a RADIUS server if one has been configured (see the [ Radius ] section). The device acts as a client and exchanges packets with an LDAP server. Each section specifies an LDAP server and some information about the VPN attributes to be served. The Name portion of the section name uniquely identifies this section.
Keywords recognized in this section are described below.

LDAPAuthEnabled = [ On | Off ]

The LDAPAuthEnabled keyword enables or disables this section. If this is set to On, then the settings from this section will be used to get VPN user authentication information from an LDAP server. If this is set to Off, then no settings from this section will be used. The default is Off.

PrimaryServer = String

The PrimaryServer keyword sets the IP address (e.g., 192.168.9.99), or fully qualified domain name (e.g., monkey.wrench.com) of the primary LDAP server which contains the authentication information.

PrimaryPasswd = String

The PrimaryPasswd keyword is used to authenticate the device to the primary LDAP server. If this is not set, then the device will attempt an anonymous bind to the server. The value may be up to 32 characters long.

base = String

The base keyword specifies the portion of the LDAP tree where the authentication information is located. The value may be up to 32 characters long.

VPNGroupAttr = String

The VPNGroupAttr keyword specifies the attribute name given to the VPN group attribute which has been defined in the LDAP server. There are no standard attributes defined by LDAP for this attribute, so you must specify one. If no value is given for the VPNGroupAttr the device will assume the attribute name is "vpngroupattr". The value may be up to 32 characters long.

VPNSecretAttr = String

The VPNSecretAttr keyword specifies the attribute name given to the VPN shared secret attribute which has been defined in the LDAP server. There are no standard attributes defined by LDAP for this attribute, so you must specify one. If no value is given for the VPNSecretAttr the device will assume the attribute name is "sharedsecret". The value may be up to 32 characters long.

timeout = Number

The timeout keyword sets the number of seconds the device will wait for a response from the LDAP server.
The value must be between 0 and 255 seconds. A value of 0 will disable the timeout. The default is 10.

Examples

[ LDAP Auth Server ]
LDAPauthenabled = On
PrimaryServer = compatisecure.compatible.com
PrimaryPasswd = letmein
base = "ou=people, o=compatible.com"
VPNgroupattr = vpngroup
VPNsecretattr = sharedsecret
timeout = 10
Priority = 3

See Also

[ LDAP Config <Name> ], [ VPN Users ], [ Radius ]

[ LDAP Config <Name> ]

This section configures LDAP (Lightweight Directory Access Protocol) parameters into a device. LDAP can be used to serve configurations to a Compatible Systems device. It can also be used for VPN user authentication using the [ LDAP Auth Server ] section. Each [ LDAP Config <Name> ] section specifies an LDAP server and some information about the configuration to be served. The configuration can be a full IntraPort configuration, or just a portion of one. When new configurations are added to the IntraPort, the device’s configuration is rebuilt to include the one that was just added. The Name portion of the section name uniquely identifies this section.

Keywords recognized in this section are described below.

LDAPEnabled = [ On | Off ]

The LDAPEnabled keyword enables or disables this section. If this is set to On, then the settings from this section will be used to get a configuration from an LDAP server. If this is set to Off, then no settings from this section will be used. The default is Off.

PrimaryServer = String

The PrimaryServer keyword sets the IP address (e.g., 192.168.9.99), or fully qualified domain name (e.g., monkey.wrench.com) of the primary LDAP server which contains the configuration.

PrimaryPassword = String

The PrimaryPassword keyword is used to authenticate the device to the primary LDAP server. If this is not set, then the device will attempt an anonymous bind to the server. The value may be up to 32 characters long.
SecondaryServer = String

The SecondaryServer keyword sets the IP address (e.g., 192.168.9.99), or fully qualified domain name (e.g., monkey.wrench.com) of the secondary LDAP server. If no response is received from the primary LDAP server, then this secondary server is used.

SecondaryPassword = String

The SecondaryPassword keyword is used to authenticate the device to the secondary LDAP server. If this is not set, then the device will attempt an anonymous bind to the server. The value may be up to 32 characters long.

base = String

The base keyword specifies the portion of the LDAP tree where the configuration is located. The value may be up to 32 characters long.

rdn = String

The rdn keyword specifies the relative distinguished name used in the LDAP server to identify the entry which contains the configuration. The value may be up to 32 characters long.

timeout = Number

The timeout keyword sets the number of seconds the device will wait for a response from the LDAP server. The value must be between 0 and 255 seconds. A value of 0 will disable the timeout. The default is 10.

Priority = Number

The Priority keyword specifies which configurations take precedence. When new configurations are added to the IntraPort, the device’s configuration is rebuilt to include the one that was just added. If a new configuration contains a section which has a higher priority than one already in place, the new keywords are added above the keywords already there. That way, higher priority sections will take precedence. The config stored in flash has the lowest possible priority (65536). The value may range from 0 to 65536. The highest priority is 0. The default is 10.
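The Priority rules above are easier to follow when the rebuild is written out. The following is an added example written for this page, not Compatible Systems software: it layers several served configurations the way the keyword description states (a section's keywords from a numerically lower, i.e. higher, Priority are placed above the ones already in place, equal or lower Priority goes below, and the flash configuration carries 65536). The reading that the topmost keyword is the one the device honours is this example's assumption; the flash and served configurations in it are constructed.

```python
# Added example (not Compatible Systems code): layering configurations served
# by several [ LDAP Config <Name> ] sections according to their Priority.
FLASH_PRIORITY = 65536  # the config stored in flash has the lowest possible priority


def add_config(merged, priority, config):
    """Rebuild `merged` after a configuration served at `priority` arrives.

    merged: {section: [(priority, key, value), ...]}, topmost entry first.
    config: {section: [(key, value), ...]} as served by the LDAP server.
    Lower numbers are higher priority (0 is highest). A stable sort on the
    priority puts strictly higher-priority keywords above what is already in
    place and equal or lower-priority keywords below it.
    """
    for section, entries in config.items():
        existing = merged.setdefault(section, [])
        existing[:] = sorted(existing + [(priority, k, v) for k, v in entries],
                             key=lambda entry: entry[0])
    return merged


def effective(merged, section, key):
    """Return the value of `key` that takes precedence in `section`.

    Assumption for this example: the device honours the topmost (highest
    priority) occurrence of a keyword. Keyword names are compared
    case-insensitively, as the manual's examples mix case."""
    for _, k, v in merged.get(section, []):
        if k.lower() == key.lower():
            return v
    return None


def build(flash, served):
    """flash: the stored configuration; served: [(priority, config), ...] in
    the order the device received them. Returns the merged structure."""
    merged = add_config({}, FLASH_PRIORITY, flash)
    for priority, config in served:
        add_config(merged, priority, config)
    return merged


# Constructed sample: the flash config sets an address, a configuration served
# at the default Priority 10 overrides it, then one served at Priority 3
# overrides both and adds an L2TP setting.
FLASH = {"IP Ethernet 0": [("IPAddress", "192.168.9.1"),
                           ("SubnetMask", "255.255.255.0")]}
SERVED = [
    (10, {"IP Ethernet 0": [("IPAddress", "10.0.0.5")]}),
    (3, {"IP Ethernet 0": [("IPAddress", "172.16.0.2")],
         "L2TP General": [("TunnelAuth", "On")]}),
]

if __name__ == "__main__":
    merged = build(FLASH, SERVED)
    for section, entries in merged.items():
        print(f"[ {section} ]")
        for priority, key, value in entries:
            print(f"  {key} = {value}   (priority {priority})")
    print("effective IPAddress:", effective(merged, "IP Ethernet 0", "IPAddress"))
```

Running the sample lists [ IP Ethernet 0 ] with the Priority 3 address on top, the Priority 10 address beneath it and the flash keywords last, so the effective IPAddress is 172.16.0.2 while SubnetMask still comes from flash.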
Examples

[ LDAP Config IP WAN ]
LDAPEnabled = TRUE
PrimaryServer = compatisecure.compatible.com
PrimaryPasswd = letmein
SecondaryServer = 198.41.11.139
SecondaryPasswd = ldapisfun
base = "o=compatible.com"
rdn = "cn=netlist config"
timeout = 10
Priority = 3

See Also

[ LDAP Auth Server ]

[ Link Config <Section ID> ]

This section is used to configure the WAN protocol and connection parameters for a given interface. The keywords for this section are described below.

Note: If multiple WAN interfaces are being configured for a multilink, each interface to be included in the bundle must have the same connection parameters. (See the [ Multilink PPP <Name> ] section for more information on multilinks.)

Mode = [ FrameRelay | PPP | SMDS | Off ]

The Mode keyword enables this interface for either FrameRelay, PPP or SMDS as a low-level communications protocol. To disable all activity on this interface, set to Off.

ConnectMode = [ Dedicated | DialUp ]

The ConnectMode keyword determines how the router will maintain the WAN link. Dedicated is used for links that are available regardless of traffic activity. DialUp is used for links that are brought up and down based upon the activity on the link. Since DialUp links require dialing commands to be issued, your communications device (modem, CSU/DSU, TA, etc.) must be set to raise the DCD (Data Carrier Detect) and/or DSR (Data Set Ready) lines when a connection is established, and drop it when the connection is terminated. Whether a connection can be initiated by this router, another router (or remote node client), or both, is set using the DialIn and DialOut keywords.

For interfaces set to DialUp, there are certain maintenance packets for each protocol (IP, IPX, etc.) which will not cause an inactive connection to be dialed. This is a security measure that keeps intruders out and allows on-demand links to be useful.
DialIn = [ On | Off ]

The DialIn keyword allows the router to accept incoming on-demand PPP connections from other routers or end node clients. If DialIn is set to On, then the ConnectMode must be set to DialUp.

DialOut = [ On | Off ]

The DialOut keyword tells the router whether traffic forwarded from other interfaces on the router will cause an on-demand connection to be established on this interface. If DialOut is On, incoming packets from another interface on this router will initiate a dialing sequence if the link is not already connected. If the link is already connected, then the packets will simply be forwarded. If DialOut is Off, then incoming packets from another interface on this router will be dropped if the link is not already connected. If DialOut is set to On, then the ConnectMode must be set to DialUp.

AlwaysUp = [ On | Off ]

The AlwaysUp keyword should be used for links which require dialing commands to be issued. When AlwaysUp is On, the link will stay up regardless of the activity on the link. If the link drops for any reason, it will be brought back up immediately. DialOut must also be enabled for AlwaysUp links. AlwaysUp requires that your communications device (modem, CSU/DSU, TA, etc.) be set to raise the DCD (data carrier detect) line when a connection is established, and drop it when the connection is terminated.

DropInact = Number

The DropInact keyword sets the amount of time, in minutes, that an idle DialUp connection will stay up. Only outgoing WAN traffic resets the inactivity timer. PPP control packets and network "keepalive" packets do not reset the inactivity timer. If DropInact is set to 0, the link will not be brought down due to inactivity. This is useful for the incoming side of an AlwaysUp link.

Dialing = [ AT | V.25bis ]

The Dialing keyword sets the dialing method which will be used for a DialUp connection on this interface.
The type of communications equipment determines the dialing method. In general, asynchronous modems use AT dialing, while dialed synchronous CSU/DSUs and ISDN TAs generally use V.25bis dialing. The commands used in your chat scripts must match the dialing method selected.

DialOutScript = Chat script name

The DialOutScript keyword specifies the name of the chat script used for outgoing connections. If ConnectMode is DialUp, a chat script must be selected; DialOutScript is executed whenever dialing is initiated. If ConnectMode is Dedicated, a chat script may be selected for WAN devices which require one. This script is run when the router starts up and again whenever communications are lost for some reason. The script can also be used to provide a set of required connect responses to a device (such as a terminal server) at the other end of the dedicated line. The name may be enclosed in double quotes ("") in order to preserve spaces or embedded line breaks. See [ Chat <Name> ] for more information about chat scripts.

DialBackScript = Chat script name

The DialBackScript keyword names the chat script used when dial-back security is required. If DialBackScript is set, any incoming call to this interface is dropped and the DialBackScript is used to initiate an outgoing connection, so that a session is only established with the party the router itself dials. DialOut does not need to be On to use DialBackScript. The name may be enclosed in double quotes ("") in order to preserve spaces or embedded line breaks. See [ Chat <Name> ] for more information about chat scripts.

You may also enforce dial-back security on selected connections by using the PPP authentication dial-back mechanism. See the [ Auth ] section for more information.

DialTries = Number

The DialTries keyword determines the number of connection attempts the router will make after an unsuccessful connection effort.
If DialTries attempts fail, DialUp links will stop trying to connect until new network activity is routed to the WAN interface. AlwaysUp and Dedicated connections will immediately start a new connection cycle if DialTries attempts fail. Values range from 1 to 255.

RetryDelay = Number

The RetryDelay keyword sets the time to wait between dialing attempts. Values range from 1 to 255 seconds.

ScriptTimeout = Number

The ScriptTimeout keyword sets the length of time, in seconds, that the chat script will wait for an expected string.

DCDCheck = [ On | Off ]

The DCDCheck keyword disables or enables the DCD (Data Carrier Detect) signal check. AT dialing uses the "at&c" Hayes command to verify that the WAN serial cable shipped with the router is being used. If your modem doesn't support the "at&c" command, set DCDCheck to Off.

BackupInterface = [ <WAN port> | None ]

The BackupInterface keyword names the WAN port to use as the backup interface for failover. This allows the router to divert traffic to a secondary interface (known as failing over) if a line problem is detected. The designated interface must be a PPP connection and can be specified as the backup for only one interface. The backup interface may be a DialUp or Dedicated connection. When the router has determined that the primary link is down, it redirects the primary interface's traffic to the backup link.

For PPP connections, the link is determined to be down when the echo protocol has failed, so the echo protocol must be enabled on the PPP link(s). PPP failure detection is controlled by the EchoDrop and EchoThreshold keywords; see the [ PPP <Section ID> ] section for more information about these keywords. For Frame Relay connections, the link is considered down when the maintenance DLCI is not functioning, when all user DLCIs become inactive, or when no user DLCIs appear.
The backup interface must be configured to support whichever protocols the user wants to be redirected while in failover mode. In addition, the backup interface must be set as an unnumbered interface for each of the selected protocols. The router will only send and receive redirected routing packets over this interface; all others will be suppressed.

BackupInitDelay = Number

The BackupInitDelay keyword is the time, in seconds, to wait before checking the link state of the primary interface after the router has been powered on. This prevents the router from triggering failover mode while the primary interface is still establishing its initial link.

BackupEnableDelay = Number

The BackupEnableDelay keyword is the time, in seconds, to wait before attempting to bring up the backup interface once the router has determined that the primary link is down. This keeps the router from bringing up the backup link too soon if the primary link has an intermittent connection.

BackupDisableDelay = Number

The BackupDisableDelay keyword is the time, in seconds, to wait before switching packets back to the primary link and bringing down the backup link once the router has determined that the primary link is operational again. This keeps the router from switching out of failover mode too soon if the primary link has an intermittent connection.

Examples

This router's ports 0, 1, and 2 have been set up for three different configurations. WAN 0 is set to PPP Dedicated.

    [ Link Config WAN 0 ]
    ConnectMode = Dedicated
    Mode = PPP

WAN 1 is set to Frame Relay Dedicated.

    [ Link Config WAN 1 ]
    ConnectMode = Dedicated
    Mode = FrameRelay

WAN 2 is set to DialOut (which requires ConnectMode = DialUp). The chat script is included; note that it carries the login name and password for the remote system in clear text.

    [ Link Config WAN 2 ]
    DropInact = 10
    DialOutScript = OutChat
    DialIn = OFF
    DialOut = ON

    [ Chat "OutChat" ]
    send atdt 9,555-1212
    expect CONNECT
    expect login:
    send MyLogin
    expect sword:
    send MyPassword
    expect beginning

To designate WAN 2 as the backup interface when WAN 0 fails, wait 2 minutes after power up before checking for link failure, and wait 10 seconds after link failure before redirecting traffic to WAN 2:

    [ Link Config WAN 0 ]
    BackupInterface = WAN 2
    BackupInitDelay = 120
    BackupEnableDelay = 10

See Also

[ Multilink PPP <Name> ], [ Chat <Name> ], [ Frame Relay <Section ID> ], [ PPP <Section ID> ], [ SMDS <Section ID> ], [ DS3 Interface <Section ID> ], [ RS232 Interface <Section ID> ], [ V.35 Interface <Section ID> ], [ Auth ], wan(show)

[ Logging ]

This section is used to pass configuration, error and debug information to the device administrator. Log messages are cached in an internal buffer, sent to the AUX serial port, or sent to a UNIX-style syslog facility. Messages stored in the buffer can be viewed later with the show system log command (see system(show)) or from the Windows or Macintosh CompatiView managers. If the device is restarted, the log messages stored in the buffer are lost, so anything that must survive a restart should also be sent to a syslog host. Keywords recognized in this section are described below.

Enabled = [ On | Off ]

The Enabled keyword enables or disables all logging in the device. If enabled, log messages are stored in an internal buffer. Other output options are described below.

Level = [ 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The Level keyword determines the detail of messages logged. Each level includes the messages of all lower-numbered (more severe) levels.

0/Emergency means that you will receive logging information only when the system is unusable. These log messages will help indicate the source of the problem.

1/Alert reports only alert and emergency messages. An alert message requires immediate attention.
2/Critical reports critical, alert and emergency messages. A critical condition requires immediate attention.

3/Error reports exception cases pertaining to violations of protocols or other operational rules. Such violations may include illegal packets and improper command syntax.

4/Warning reports problems which may need a response. Examples include network number conflicts and resource allocation problems. If Warning messages are repeated, they require a response.

5/Notice reports information that may be useful on a day-to-day basis to an administrator but generally does not require any response. Examples include login/logout, serial line resets, and LAN-to-LAN connections. This setting is suitable for most conditions.

6/Info reports routine information, such as WAN network connect and disconnect messages.

7/Debug reports every action of the device and should not be used on a day-to-day basis since it generates a large number of log messages.

The value applies to all log messages generated by the device, regardless of where the message is output or from which interface it was generated.

LogToAuxPort = [ On | Off ]

The LogToAuxPort keyword enables logging to the AUX serial port. A <Ctrl-Z> entered at the console toggles this setting in the runtime device parameters.

LogToSysLog = [ On | Off ]

The LogToSysLog keyword enables logging to a remote UNIX-style syslog daemon. See syslog.conf(5) or syslogd(8) on the remote host for details on configuring syslog. Classic syslog carries messages unauthenticated and in clear text, so the path to the syslog host should be a trusted network.

SyslogFacility = [ Local0 | Local1 | Local2 | Local3 | Local4 | Local5 | Local6 | Local7 ]

The SyslogFacility keyword sets the syslog facility to which remote log messages are sent.

SyslogIPAddress = IP Address

The SyslogIPAddress keyword specifies the IP address of the remote syslog daemon.

DisabledPorts = [ <port string> | None ]

The DisabledPorts keyword specifies ports for which no log messages will be generated.
It is used to limit the number of messages generated. If None is specified, log messages are generated for all ports.

Examples

This sets logging to Info level, sends the log to the auxiliary port, and suppresses messages for WAN 1 and Ethernet 2.

    [ Logging ]
    Enabled = On
    Level = Info
    LogToAuxPort = On
    DisabledPorts = WAN 1 Ethernet 2

See Also

system(show)

[ Multilink PPP <Name> ]

This section is used to configure Multilink PPP (MPPP) parameters for multiple WAN interfaces. MPPP allows multiple physical links to be combined into a "bundle" which provides a virtual link with greater bandwidth than a single link.

Note: Each interface included in the bundle must be of the same type (i.e., V.35, synchronous, etc.). The interfaces do not need to be set at the same speed; however, the speed of the multilink will only be twice as fast as the slowest interface (or three times as fast if three interfaces are included, etc.).

Keywords recognized in this section are described below.

MPEnabled = [ On | Off ]

The MPEnabled keyword specifies whether multilink bundling will function on the router.

Bundle = WAN ports

The Bundle keyword lists each of the physical WAN interfaces included in the bundle (e.g., WAN 0, WAN 1, WAN 2, etc.).

Primary = WAN port

The Primary keyword specifies which interface in the bundle the router uses to configure the network protocol for the multilink.

ShortSeq = [ On | Off ]

The ShortSeq keyword allows the router to use an abbreviated sequence number in its multilink headers. Note: While the shorter header can enhance performance slightly, routers from other vendors may not be compatible with this feature. The default is Off.

MPQual = [ On | Off ]

The MPQual keyword allows the router to use echo packets on each of the physical ports in the bundle to determine whether individual links are up.
If one link in a bundle goes down, the router can divert data away from that port; however, if the primary port goes down, the entire link will go down even if MPQual is enabled. If MPQual is Off, any individual link in the bundle can bring down the entire multilink. The default is On. Parameters for echo packets are defined in the [ PPP <Section ID> ] section.

Examples

In the following example, WAN 0 and WAN 1 are part of the "home office" multilink bundle. WAN 0 provides the configuration parameters for the upper layer protocol.

    [ Multilink PPP "home office" ]
    MPEnabled = on
    Bundle = wan 0 wan 1
    Primary = wan 0
    ShortSeq = off
    MPQual = on

See Also

[ Link Config <Section ID> ], [ PPP <Section ID> ]

[ NAT Global ]

This section is used to modify parameters that affect the way NAT (Network Address Translation) operates. NAT allows internal networks which use private IP addresses to be translated into a valid external global IP address (or addresses). (See RFC 1918, "Address Allocation for Private Internets", for more information about private IP addresses.) This lets a private network reach the Internet through a single "official" IP address. It can also function as a minimal firewall: external hosts can only reach internal hosts for which a translation exists, while the internal network has easy access to the Internet. NAT limits inbound reachability, but it is not a packet filter.

These parameters are global to the device and are not associated with a particular interface. Keywords recognized in this section are described below.

Note: For WAN interfaces, the "official" IP address must be assigned statically from the router's configuration. The WAN interface performing NAT cannot have its IP address dynamically assigned by a dialup PPP negotiation.

Enabled = [ On | Off ]

The Enabled keyword, when set to On, allows the router to perform NAT translations between the internal and external networks. The default is Off.
Note: NAT must also be enabled for the external NAT port in the [ IP <Section ID> ] section for NAT to function on the router.

InternalRange = IP address range

The InternalRange keyword defines the address range of the internal NAT network. This range will be translated into the range of IP addresses defined by the ExternalRange keyword. It can be a single IP address or a range of addresses. The InternalRange must be part of the same IP network as the internal NAT port. The address range may be specified in several different ways:

a) IP address(es) can be specified in normal dotted-decimal notation. If the rightmost components are 0, they are treated as wild cards (for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet).

b) An inclusive range of addresses can be specified using a "dash notation" in the form #.#.#.{#-#}. For example, 10.5.3.{1-30} is parsed as the IP addresses 10.5.3.1, 10.5.3.2, ..., 10.5.3.29 and 10.5.3.30 (and every IP address in between). Each of these parsed addresses has a mask of /32 (255.255.255.255).

c) IP addresses may also be specified as a hexadecimal number (for example, 0x82cc0801 matches the host address 130.204.8.1).

d) A bit field can also be used to indicate a range of addresses by giving the number of top (most significant) bits which define the range. For example, 192.15.32.0/19 indicates the range 192.15.32.0 through 192.15.63.255.

This keyword may appear multiple times within this section in order to specify several different ranges.

ExternalRange = IP address range

The ExternalRange keyword defines the address range of the external NAT network. This range will be translated into the range of IP addresses defined by the InternalRange keyword. It can be a single IP address or a range of addresses, but they must be valid global Internet addresses and the value(s) must be routable on the network.
If only a single Internet IP address is available, the ExternalRange must be the same as the IP address of the IP port communicating with the Internet. In this case, care must be taken not to create a one-to-one translation pair using this IP address in the [ NAT Mapping ] section. If a range of addresses is specified, the NAT software decides which Internet address is assigned to outgoing packets. The ExternalRange IP address has the same format as that for the InternalRange. This keyword may appear multiple times within this section in order to specify several different ranges.

PassThruRange = IP address range

The PassThruRange keyword defines an address range which may pass through the external NAT port without being translated. This is used when the NAT router has an IP interface (or interfaces), in addition to the NAT internal port and NAT external port, which is connected to part of the local network that is configured with global IP addresses.

Note: If an IP address or range of addresses is included in both the ExternalRange and the PassThruRange, NAT treats the address(es) as members of the ExternalRange only.

The PassThruRange IP address has the same format as that for the InternalRange. This keyword may appear multiple times within this section in order to specify several different ranges.

UDPTimeout = Number

The UDPTimeout keyword specifies the amount of time that may pass without any translation using a non-TCP NAT session before the router removes that session. Values may range from 0 to 3600 seconds (1 hour). A value of zero causes non-TCP NAT sessions never to be removed due to inactivity. Extending the time causes more router memory to be used by the NAT translation session database, and keeps the session's inbound mapping open to the outside for longer. The default is 300 seconds (5 minutes).
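The four range notations above (trailing-zero wild cards, {a-b} dash ranges, hexadecimal hosts and /bits prefixes) and the rule that ExternalRange takes precedence over PassThruRange are easy to get wrong by hand, so here is a parser that implements them and classifies an address the way the note describes. This is an added example for this page, not code from Compatible Systems; the parse_range/classify functions and the sample ranges are assumptions built from the examples in this section.

```python
"""Parser for the IP address range notation of InternalRange, ExternalRange
and PassThruRange in [ NAT Global ].

Added example, not code from the Compatible Systems manual. It implements the
four notations described in this section and the documented rule that an
address listed in both ExternalRange and PassThruRange counts as ExternalRange.
"""
import ipaddress
import re

DASH_RE = re.compile(r"^(\d+\.\d+\.\d+)\.\{\s*(\d+)\s*-\s*(\d+)\s*\}$")


def parse_range(text):
    """Return the list of IPv4Network objects one range value denotes."""
    text = text.strip()
    m = DASH_RE.match(text)
    if m:  # b) 10.5.3.{1-30}: every host in the range, each with a /32 mask
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad dash range: {text}")
        return [ipaddress.ip_network(f"{prefix}.{h}/32") for h in range(lo, hi + 1)]
    if text.lower().startswith("0x"):  # c) hexadecimal host address
        host = ipaddress.ip_address(int(text, 16))
        return [ipaddress.ip_network(f"{host}/32")]
    if "/" in text:  # d) most-significant bits define the range
        return [ipaddress.ip_network(text, strict=False)]
    # a) dotted decimal; trailing 0 components are wild cards
    octets = [int(o) for o in text.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address: {text}")
    bits = 32
    for o in reversed(octets):
        if o != 0:
            break
        bits -= 8
    return [ipaddress.ip_network(f"{text}/{bits}", strict=False)]


def parse_ranges(values):
    """Flatten several values of the same keyword (it may appear multiple times)."""
    nets = []
    for v in values:
        nets.extend(parse_range(v))
    return nets


def classify(address, internal, external, passthru):
    """Return which NAT role an address falls under, or None.

    ExternalRange wins over PassThruRange when an address appears in both,
    as the note in this section specifies.
    """
    addr = ipaddress.ip_address(address)

    def hit(nets):
        return any(addr in n for n in nets)

    if hit(external):
        return "external"
    if hit(passthru):
        return "passthru"
    if hit(internal):
        return "internal"
    return None


# Constructed sample based on the manual's second example, plus a pass-through
# range that deliberately overlaps the ExternalRange.
INTERNAL = parse_ranges(["10.5.3.0/29", "10.5.3.{32-40}"])
EXTERNAL = parse_ranges(["198.41.9.200/29"])
PASSTHRU = parse_ranges(["198.41.9.0"])  # wild card: all of 198.41.9.0/24

if __name__ == "__main__":
    for a in ("10.5.3.5", "10.5.3.35", "10.5.3.20", "198.41.9.201", "198.41.9.10"):
        print(a, "->", classify(a, INTERNAL, EXTERNAL, PASSTHRU))
```

198.41.9.201 is inside both the pass-through /24 and the external /29, and classify reports it as external, which is the behaviour the note above documents; 10.5.3.20 falls in neither internal range and gets no role at all.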
TCPTimeout = Number

The TCPTimeout keyword specifies the amount of time that may pass without any translation using a TCP NAT session before the router removes that session. The value may range from 0 to 172,800 seconds (48 hours). A value of zero causes TCP NAT sessions never to be removed due to inactivity. Extending the time causes more router memory to be used by the NAT translation session database. The default is 86,400 seconds (24 hours).

TCPSynTimeout = Number

The TCPSynTimeout keyword specifies the amount of time that may pass without a response to a TCP SYN packet before the router removes the TCP NAT session. The value may range from 20 to 300 seconds. The default is 180 seconds (3 minutes).

TCPFinTimeout = Number

The TCPFinTimeout keyword specifies the amount of time that may pass without a response to a TCP FIN packet before the router removes the TCP NAT session. The value may range from 20 to 300 seconds. The default is 180 seconds (3 minutes).

RouterAddr = [ On | Off ]

The RouterAddr keyword, when set to On, allows communication with the router itself through the IP addresses of the router's ports (for example, establishing a telnet session with the router). The default is On. Set it to Off if management access through those addresses is not wanted.

RespondICMP = [ On | Off ]

The RespondICMP keyword, when set to On, allows external workstations/routers to ping workstations/routers in the internal NAT network, provided a one-to-one translation pair in the [ NAT Mapping ] section allows such a translation. The default is On. If RespondICMP is Off, workstations/routers on the internal NAT network are not allowed to respond to a ping.

Examples

The following example shows an internal subnetted network which has Internet access through 198.41.9.219.
The internal network will also be able to respond to pings from external devices if a one-to-one translation pair has been configured in the [ NAT Mapping ] section.

    [ NAT Global ]
    Enabled = On
    InternalRange = 10.5.3.0/27
    ExternalRange = 198.41.9.219
    RespondICMP = On

The following example shows another internal subnetted network which has Internet access through a range of Internet addresses. The internal network will not be able to respond to pings from external devices.

    [ NAT Global ]
    Enabled = On
    InternalRange = 10.5.3.0/29
    ExternalRange = 198.41.9.200/29
    RespondICMP = Off

See Also

[ IP <Section ID> ], ip(show), [ NAT Mapping ], nat(show)

[ OSPF Area <Name> ]

This section defines configuration parameters for an OSPF area. An area is a generalization of an IP subnetted network within an Autonomous System (AS). An AS is a collection of networks under a common administration sharing a common routing strategy. All routers within an area have the same link-state database. An interface can only belong to one area, although different interfaces on a router can belong to different areas, making the router an Area Border Router. Area Border Routers disseminate routing information or routing changes between areas.

The Name portion of the section name is an integer or IP address. If more than one area is configured within an AS, one of these areas has to be area 0, the backbone. The backbone has to be physically connected to all other areas. The only exception is for virtual links, which are explained in the [ OSPF Virtual Link <Name> ] section. When designing networks it is good practice to start with area 0 and then expand into other areas later on.

The keywords recognized in this section are described below.
OSPFAuthtype = [ None | Simple ]

The OSPFAuthtype keyword specifies whether the router will perform authentication of Link State Advertisements received from other routers. If Simple is specified, you need to specify an authentication password using the Authkey keyword in the [ IP <Section ID> ] section for any interface which is associated with this area. If None is specified, no authentication will be done on Link State Advertisements. None is the default. Note that Simple authentication carries the password in clear text in every OSPF packet; it guards against misconfigured routers joining the area, not against anyone who can capture traffic on the link.

StubArea = [ On | Off ]

The StubArea keyword sets whether this area will function as a stub area. A stub area is an area which cannot receive external advertisements, which means RIP or static routes will not be redistributed into this area. If routing from a stub area to external routes (i.e., non-OSPF routes) is needed, a default route must be set. A stub area may not be a transit area for a virtual link.

Note: The backbone area (area 0) cannot be designated as a stub area.

StubDefaultCost = Number

The StubDefaultCost keyword sets the cost of the default route which will be used by routers within the stub area to route to external destinations. The value can be a number between 0 and 65,535.

NetRange = String

The NetRange keyword can be used to consolidate routing information at area boundaries, or to hide routing information from routers outside the area. Net ranges only apply to inter-area networks; if all the routers are in one area, any defined net ranges will not be used by the router. This keyword may appear multiple times within the configuration in order to specify several different ranges.

The string has the following syntax:

    { On | Off } <IPAddress> <IP Subnet Mask> [ Advertise | DoNotAdvertise ]

On | Off
    On specifies that a Net Range is being used. Off indicates that a Net Range is not being used.

IPAddress
    This is the IP address of the Net Range.

IP Subnet Mask
    This is the subnet mask of the Net Range.
Advertise | DoNotAdvertise
    This is an optional parameter. If Advertise is specified, the net range will be advertised to other areas. If DoNotAdvertise is specified, the networks in the net range will not be advertised to other areas.

Note: DoNotAdvertise only applies to OSPF routes and not to routes learned from external protocols using IP route redistribution. External routes must be excluded by using route filtering. (See the [ IP Route Redistribution ] section.)

Examples

This example shows a Net Range being used to consolidate information for subnets 198.41.9.32, 198.41.9.64, 198.41.9.96 and 198.41.9.128, all of which have a subnet mask of 255.255.255.224, into the single advertised range 198.41.9.0 with mask 255.255.255.0.

    OSPFAuthtype = "None"
    StubArea = Off
    NetRange = On 198.41.9.0 255.255.255.0 Advertise

See Also

[ IP <Section ID> ], [ OSPF Virtual Link <Name> ], [ IP Route Redistribution ], [ IP Route Filter <Name> ], ospf(show)

[ OSPF Virtual Link <Name> ]

This section defines configuration parameters for an OSPF Virtual Link. Configuring a virtual link is the only way to allow an area which is not contiguous to the backbone area (area 0) to operate. The virtual link must be configured in both routers which are providing the tunnel to the backbone. These two routers do not need to be physically connected, but they must share a common area called the "transit area."

The Name portion of the section name is the Router ID of the virtual neighbor and is entered as an IP address. The Router ID of the virtual neighbor is the largest IP interface address associated with that router. You can obtain the Router ID of the virtual neighbor by issuing the show ospf rtrid command (see ospf(show)).

The keywords recognized in this section are described below.

LinkActive = [ On | Off ]

The LinkActive keyword specifies whether an OSPF virtual link will operate. On activates the virtual link. Off deactivates the virtual link.
TransitArea = Area ID

The TransitArea keyword designates the area that is to function as the transit area. The transit area is the area number assigned to the tunnel "between" the two routers of the virtual link. Each router must have at least one interface attached to the transit area. The Area ID can be specified as a number between 0 and 0xFFFFFFFF or as an IP address in dotted-decimal notation.

VirtTransDelay = Number

The VirtTransDelay keyword sets the amount of time added to the age of Link State Update packets before transmission. It is the estimated number of seconds to transmit a packet over the virtual link. The value can be between 1 and 65,535 seconds. The default is 4.

VirtRetrans = Number

The VirtRetrans keyword sets the interval, in seconds, between retransmissions of Link State Update packets across the virtual link. The value can be between 2 and 65,535 seconds. The default is 30.

VirtHelloInt = Number

The VirtHelloInt keyword sets the interval, in seconds, at which the router sends "keepalive" (Hello) packets across the virtual link to let the other end of the link know the router is up. The value must be greater than 10 seconds. The default is 30.

VirtRtrDeadInt = Number

The VirtRtrDeadInt keyword sets the length of time, in seconds, that this router will wait without receiving a "keepalive" packet from the other end of the virtual link before assuming it is down. The value must be at least twice the VirtHelloInt. The default is 4 times the VirtHelloInt.

Note: The VirtHelloInt and VirtRtrDeadInt for each end of the virtual link must match or the virtual link will not function. If you change the settings on one router, you must change them on the other.

VirtAuthKey = String

The VirtAuthKey keyword sets the OSPF packet authentication key for the virtual link. The authentication key must be the same for both ends of the virtual link. The string may be between one and 8 alphanumeric characters.
If the string contains spaces or other special characters, it must be enclosed in quotes.

Examples

This example shows a virtual link through transit area 2 which uses the default timer settings.

    LinkActive = On
    TransitArea = 2
    VirtRetrans = 30
    VirtTransDelay = 4
    VirtHelloInt = 30
    VirtRtrDeadInt = 120
    VirtAuthKey = "Zooey"

See Also

[ IP <Section ID> ], [ OSPF Area <Name> ], [ IP Route Redistribution ], ospf(show)

[ PPP <Section ID> ]

This section is used to set Compression, Link Quality, LCP and Authentication parameters. The keywords in this section are described below.

COMPRESSION

The Compression Control Protocol (CCP) is used to negotiate the method for compressing data before it is passed across a PPP link. Sequenced Predictor is proprietary to Compatible Systems devices; it requires a Compatible Systems device at the remote end.

Compress = [ SeqPred | Stac | Off ]

The Compress keyword specifies whether compression will be used. The remote device must also be enabled to use the same compression algorithm for compression to be negotiated successfully over the PPP link. SeqPred specifies that the Sequenced Predictor CCP algorithm will be used for outgoing data. Stac specifies that Stac LZS compression will be used. LZS compression builds a history of frequently repeated groups of 8-bit characters and creates shorter bit patterns to represent them. Compatible Systems' current implementation of LZS does not support more than one history, and it uses only a sequence value check byte for error detection. Off disables compression. The default is Off.

LINK QUALITY

To monitor the quality of a WAN link, echo packets are sent out at a specified interval and the responses are counted. The link will be dropped if the number of missed packets out of the total number of echo packets exceeds the specified parameters.
The link can then be re-established with a (hopefully) better quality line, or, if a multilink is being used, data can be diverted away from the downed link. (See the [ Multilink PPP <Name> ] section for more information on multilinks.) Echo packets do not affect the inactivity timer of a dialup connection.

EchoPackets = [ On | Off ]

The EchoPackets keyword sets the device to perform link quality testing for the current interface. When EchoPackets is On, echo packets are sent regularly and the line quality is monitored.

EchoInterval = Number

The EchoInterval keyword sets the time, in seconds, between echo packets. EchoInterval also sets the amount of time within which an echo response must be received in order not to be counted as missed. The value must be in the range of 1 to 255 seconds.

EchoDrop = Number

The EchoDrop keyword sets the number of echo reply packets that must be missed out of the last EchoThreshold echo packets sent for the link to be dropped. The value must be in the range of 1 to 32, and should not exceed EchoThreshold.

EchoThreshold = Number

The EchoThreshold keyword defines the sample size of echo reply packets that the device examines for missed packets. The value must be in the range of 2 to 32.

LINK CONTROL PROTOCOL

The Link Control Protocol (LCP) parameters determine the options to be negotiated by PPP LCP. The default settings will work with the vast majority of PPP implementations.

ACCM = [ On | Off ]

The ACCM keyword configures the Async Control Character Map (ACCM). Communications devices on WAN links sometimes (but not normally) use ASCII characters in the range 0x00-0x1F as control characters. Without an ACCM mechanism, data in the range 0x00-0x1F could be erroneously interpreted as control characters. If devices on the WAN link are known to use control characters, the bit corresponding to each used control character should be set in ACCMVal. ACCM is only used for asynchronous links.
Note: If you set Flow Control to XOn_XOff in the [ RS232 Interface <Section ID> ] section for this WAN interface, the characters for XOn and XOff will automatically be escaped by the device.

ACCMVal = Number

The ACCMVal keyword specifies a 32-bit hexadecimal number whose set bits mark the control characters to be escaped. The least significant bit of the ACCM mask corresponds to ASCII character NUL (0), the next bit to character 1, and so on up to 0x1F.

AddrCompress = [ On | Off ]

The AddrCompress keyword enables compression of the 2-byte address and control field of the PPP packet header.

ProtoCompress = [ On | Off ]

The ProtoCompress keyword enables compression of the upper byte of the protocol field of the PPP packet header.

Magic = [ On | Off ]

The Magic keyword causes PPP to negotiate the LCP Magic-Number option; receiving its own magic number back lets the device detect a looped-back connection.

AUTHENTICATION

The following keywords configure the type of authentication to be used during the establishment of a PPP connection. CHAP (Challenge-Handshake Authentication Protocol) and PAP (Password Authentication Protocol) are supported. Both CHAP and PAP require the exchange of packets between the PPP peers. A device can request authentication and/or respond to authentication requests.

If both CHAP and PAP are configured as "request," the LCP negotiation will attempt to negotiate CHAP first. If CHAP is not accepted, the negotiation will then attempt PAP. Be aware that this lets a peer which refuses CHAP fall back to PAP, in which case its password crosses the link in clear text; enable PAPRequest only for peers that cannot do CHAP. If the device requests authentication and the remote peer doesn't accept, the LCP negotiation phase will not complete and the link will not come up. Devices that request PAP or CHAP must have an authentication database entry (see the [ Auth ] section) or RADIUS authentication enabled (see the [ Radius ] section) for the remote peer.

PAP uses a 2-way handshake for authentication. For example, assume Router1 requests PAP and Router2 will respond to PAP.
After PPP LCP negotiation, Router2 will send an authentication request to Router1 containing its PAPName and PAPPassword (see below). Router1 uses either its internal database or RADIUS to validate the request and returns an authentication "success" or "failure" packet. The link will be dropped if the validation fails.

CHAP uses a 3-way handshake for authentication. A shared secret combined with the message-digest hash algorithm (MD5) is used for message passing. For example, assume Router1 requests CHAP and Router2 will respond to CHAP. After PPP LCP negotiation, Router1 will send a challenge containing a random number to Router2. Router2 feeds the random number and the shared secret to MD5 and sends the MD5 output, along with Router2's CHAPName, to Router1 as its response. When Router1 receives a response, the response is validated by first checking for Router2's CHAPName in the authentication database. If the name is found, the validation is done by checking the MD5 output from Router2. If it's not found, and RADIUS is enabled, the RADIUS server is used to validate the response. If the validation is good, Router1 sends a "success" packet to Router2. Otherwise, a "failure" packet is returned, and the link is dropped. Router1 will use the same method to re-authenticate Router2 every minute for as long as the link is up. These packets do not affect the inactivity timeout of an on-demand (dialup) link.

Whereas PAP sends both the name and password across the link, CHAP only sends the name and the MD5 hash of the secret and challenge. Because the secret is never passed across the link, CHAP is considered a more secure method of authentication than PAP.

CHAPRequest = [ On | Off ]
The CHAPRequest keyword sets the device to request CHAP authentication from the remote peer. If CHAPRequest is On, the CHAPName for this device must be configured. In addition, there must be an entry in the internal authentication database for the remote peer, or RADIUS authentication must be configured.

CHAPRespond = [ On | Off ]
The CHAPRespond keyword sets the device to accept CHAP authentication requests from the remote peer. If CHAPRespond is On, the CHAPName and CHAPSecret for this device must be configured, and the remote peer must have an entry for this device in its internal authentication database, or RADIUS authentication must be configured.

CHAPName = String
The CHAPName keyword is used to identify the requesting or responding device. It can be up to 255 characters long. The remote peer typically uses this name to search a database of authentication entries to determine the required secret.

CHAPSecret = String
The CHAPSecret keyword is used by CHAP for creating the hashed authentication response. It is only required for devices which need to respond to CHAP challenges. The challenging peer must have an authentication database entry or RADIUS entry with the responding device's CHAPName and this secret value. It can be up to 255 characters long.

PAPRequest = [ On | Off ]
The PAPRequest keyword is used to request PAP authentication from the remote peer. The requesting device must be configured with an entry in its internal authentication database for the remote peer, or it must be configured to use RADIUS authentication.

PAPRespond = [ On | Off ]
The PAPRespond keyword sets the device to accept PAP authentication requests from the remote peer. The name and password expected by the remote peer must be specified.

PAPName = String
The PAPName keyword is used to identify the sender of PAP authentication packets. It can be up to 255 characters long. The remote peer typically uses this name to search a database of authentication entries to determine the required password.

PAPPassword = String
The PAPPassword keyword is used by PAP in conjunction with the name to uniquely identify the remote peer. The value may be up to 255 characters long.
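The PAP and CHAP exchanges described above, seen from the requesting device (Router1), together with the fallback to a RADIUS server protected by the shared Secret described in the [ Radius ] section that follows, as an added example that is not code from the guide. It assumes CHAP is computed as in RFC 1994 (MD5 over identifier, secret and challenge) and that the RADIUS packet layout and Response Authenticator follow RFC 2865; the peer names, secrets and the stand-in RADIUS server are constructed for the example.

```python
"""Added example, not from the Compatible Systems guide: PAP vs CHAP on the
link, then Router1's validation order (internal database first, RADIUS only
when the name is unknown) with the RADIUS reply checked against the shared
secret. Assumes RFC 1994 CHAP and RFC 2865 RADIUS formats."""
import hashlib
import hmac
import os
import struct

LOCAL_DB = {"Router2": b"chap-secret-42"}   # constructed [ Auth ] entries
RADIUS_SECRET = b"Homer Simpson"            # Secret from the [ Radius ] example


def chap_hash(ident, secret, challenge):
    """CHAP response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def pap_exchange(name, password, auth_db):
    """PAP 2-way handshake (simplified framing).
    Returns (bytes that cross the link, result)."""
    wire = name.encode() + b"\x00" + password        # name and password as sent
    ok = auth_db.get(name) == password
    return wire, "success" if ok else "failure"


def chap_exchange(name, secret, auth_db, ident=1):
    """CHAP 3-way handshake validated against the local database.
    Returns (bytes that cross the link, result)."""
    challenge = os.urandom(16)                       # Router1 -> Router2
    response = chap_hash(ident, secret, challenge)   # Router2 -> Router1
    wire = challenge + name.encode() + response      # the secret never appears
    return wire, router1_validate(ident, name, challenge, response, auth_db, {})


def radius_attr(atype, value):
    """RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def radius_access_request(name, ident, challenge, response, req_auth):
    """Access-Request (code 1) with User-Name, CHAP-Password, CHAP-Challenge."""
    attrs = (radius_attr(1, name.encode())
             + radius_attr(3, bytes([ident]) + response)
             + radius_attr(60, challenge))
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + req_auth + attrs


def radius_server(packet, users, secret):
    """Constructed stand-in for the RADIUS server: verifies CHAP-Password and
    answers Access-Accept (2) or Access-Reject (3). The Response Authenticator
    is MD5(Code+ID+Length+RequestAuth+Attributes+Secret), so only a holder of
    the shared secret can produce a reply the client will accept."""
    _code, pid, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs, parsed = packet[4:20], packet[20:length], {}
    while attrs:
        atype, alen = attrs[0], attrs[1]
        parsed[atype] = attrs[2:alen]
        attrs = attrs[alen:]
    name, ident, resp = parsed[1].decode(), parsed[3][0], parsed[3][1:]
    ok = name in users and hmac.compare_digest(
        resp, chap_hash(ident, users[name], parsed[60]))
    header = struct.pack("!BBH", 2 if ok else 3, pid, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def radius_reply_valid(reply, req_auth, secret):
    """Client-side check of the Response Authenticator using the shared secret
    (assumed to be what PrimUseSecret / SecUseSecret = On enables)."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def router1_validate(ident, name, challenge, response, local_db, radius_users):
    """Validation order from the guide: internal database first, RADIUS only
    when the CHAPName is not found there."""
    if name in local_db:
        expected = chap_hash(ident, local_db[name], challenge)
        return "success" if hmac.compare_digest(expected, response) else "failure"
    req_auth = os.urandom(16)
    request = radius_access_request(name, ident, challenge, response, req_auth)
    reply = radius_server(request, radius_users, RADIUS_SECRET)
    if not radius_reply_valid(reply, req_auth, RADIUS_SECRET):
        return "failure"            # reply was not produced with our secret
    return "success" if reply[0] == 2 else "failure"
```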
Examples

[ PPP WAN A ]
Compress = Off
CHAPRequest = TRUE
CHAPName = "This is my name."
AddrCompress = OFF
EchoDrop = 8
EchoThreshold = 32

See Also
[ Auth ], [ Radius ], [ RS232 Interface <Section ID> ], [ Multilink PPP <Name> ]

[ Radius ]
This section is used to configure RADIUS parameters into a device. RADIUS can be used for remote access authentication using PAP or CHAP and for remote access accounting. RADIUS authentication is done only if the peer or remote user cannot be found in the authentication database first (see the [ Auth ] and/or [ VPN Users ] sections for more information). The device acts as a client and exchanges packets with a RADIUS server running on an external host. An optional secondary server can be configured. The secondary server will be used if the retries limit is reached when sending packets to the primary server.

Compatible Systems devices conform to the following IETF RADIUS RFC drafts: draft-ietf-radius-radius-02.txt and draft-ietf-radius-accounting-02.txt. Any server used with Compatible Systems devices must also conform to these RFC drafts. Possible sources for a RADIUS server are Livingston, Ascend or Merit.

Keywords recognized in this section are described below.

PrimAddress = String
The PrimAddress keyword sets the IP address (e.g., 192.168.9.99), or fully qualified domain name (e.g., monkey.wrench.com), of the primary RADIUS server.

PrimRetries = Number
The PrimRetries keyword sets the number of times the device will attempt to contact the primary RADIUS server. Values may range from 1 to 10 with a default value of 5. The device uses a back-off algorithm while retrying. The time period between packets 1 through 10 is (in seconds): 1, 1, 2, 2, 3, 3, 4, 4, 5, 5.

Secret = String
The Secret keyword is set to a shared secret used by the device and RADIUS server to validate packets exchanged between them. This secret must match the client secret configured in the RADIUS server. The string can be from 1 to 31 ASCII characters in length.

Note: When the UseChap16 keyword is set to On, the Secret may not be more than 16 ASCII characters.

BindTo = Port String
The BindTo keyword specifies which interface on this device will have its IP address used as the source address for all packets sent to the RADIUS server. The IP address for the specified interface must be configured in the RADIUS server as the client address.

Challengetype = [ CHAP | PAP | Challenge ]
The Challengetype keyword allows you to specify which type of RADIUS challenge is used to validate the VPN Client to the RADIUS server. CHAP specifies that the user is sent a CHAP challenge. PAP specifies that the user is sent a PAP challenge. If PAP is selected, a PAPAuthSecret must be specified. The default is CHAP.

PAPAuthSecret = String
The PAPAuthSecret keyword is set to a secret used by an IntraPort VPN Access Server and VPN Client to authenticate and encrypt packets exchanged between them before they are passed on to the RADIUS server. This is used only when PAP is specified with the Challengetype keyword. IntraPort Client software users will be prompted for both this secret and their regular RADIUS password. The string can be from 1 to 255 ASCII characters in length.

UseChap16 = [ On | Off ]
When the UseChap16 keyword is On, CHAP challenges to the RADIUS servers are limited to 16 bytes. Older RADIUS servers cannot handle longer challenges.

PrimUseSecret = [ On | Off ]
When the PrimUseSecret keyword is On, the device includes the secret in the hash it uses to encrypt packets sent to the primary RADIUS server. Since older RADIUS servers did not include the secret in their hash, it has been made a configurable option in Compatible Systems' devices.

SecAddress = String
The SecAddress keyword sets the IP address (e.g., 192.168.9.99), or fully qualified domain name (e.g., monkey.wrench.com), of the secondary RADIUS server. If no response is received from the primary RADIUS server after PrimRetries, then this secondary server is used. If no response is received from the secondary server after SecRetries, the device will return a "failure" packet to the peer and the link will be dropped.

SecRetries = Number
The SecRetries keyword sets the number of times the device will attempt to contact the secondary RADIUS server. Values may range from 1 to 10 with a default value of 5. The device uses a back-off algorithm while retrying. The time period between packets 1 through 10 is (in seconds): 1, 1, 2, 2, 3, 3, 4, 4, 5, 5.

SecUseSecret = [ On | Off ]
When the SecUseSecret keyword is On, the device includes the secret in the hash it uses to encrypt packets sent to the secondary RADIUS server. Since older RADIUS servers did not include the secret in their hash, it has been made a configurable option in Compatible Systems' devices.

Accounting = [ On | Off ]
If the Accounting keyword is On, each time a user logs into the device, a record of their login is sent to the RADIUS server where it is catalogued.

Authentication = [ On | Off ]
The Authentication keyword specifies whether the device will exchange user authentication information with a RADIUS server. If On is specified, the RADIUS server will be used for authentication.

AcctPort = Number
The AcctPort keyword defines which UDP port the device will use to send RADIUS accounting information to the RADIUS server. The default is 1646. The port number may be changed in certain situations for security reasons.

AuthPort = Number
The AuthPort keyword defines which UDP port the device will use to exchange RADIUS authentication information with the RADIUS server. The default is 1645. The port number may be changed in certain situations for security reasons.

VPNPassword = Number
The VPNPassword keyword sets the attribute number for the VPN tunnel secret. The tunnel secret is a shared secret between the IntraPort Client and the RADIUS server which is used for authentication of tunnel connections. This attribute number must also be set up in the RADIUS server's dictionary file. The value may range between 64 and 191. The default is 69.

VPNGroupInfo = Number
The VPNGroupInfo keyword sets the attribute number for the VPN group configuration. The group configuration defines tunneling profiles for a group of one or more IntraPort Client users. This attribute number must also be set up in the RADIUS server's dictionary file. The value may range between 64 and 191. The default is 77.

VPNRealIP = Number
The VPNRealIP keyword sets the attribute number for the reporting of the actual IP address of an IntraPort user. If this number has been set both here and in the RADIUS server's dictionary file, then the actual IP address of a user will be reported by the IntraPort Client software and will be recorded by the RADIUS server. The value may range between 64 and 191. The default is 66.

VPNAssignedIP = Number
The VPNAssignedIP keyword sets the attribute number for the reporting of the IP address which the IntraPort server assigns to an IntraPort user. If this number has been set both here and in the RADIUS server's dictionary file, then the assigned IP address will be reported by the IntraPort Client software and will be recorded by the RADIUS server. The value may range between 64 and 191. The default is 67.

Examples
Enable RADIUS accounting and authentication using both a primary and secondary server. The shared secret is "Homer Simpson."

[ Radius ]
PrimAddress = 192.168.12.9
SecAddress = 192.168.12.8
Secret = "Homer Simpson"
Authentication = On
Accounting = On

See Also
[ Auth ], [ VPN Users ], [ PPP <Section ID> ]

[ RS232 Interface <Section ID> ]
This section is used to configure characteristics of the router's RS-232 interfaces.
Keywords recognized in this section are described below.

LinkType = [ Async | Sync ]
The LinkType keyword is used to set the type of serial connection for the current interface. RS-232 interfaces can be configured for asynchronous or synchronous operation.

FlowCntl = [ None | Hardware | Xon_Xoff ]
The FlowCntl keyword is used to set the serial flow control method for the current interface. Flow control is used to prevent either the router or the devices it is connected to from sending data faster than the other device can process it. Hardware flow control uses signal wires built into the RS-232 interface to throttle the connection. Hardware flow control is generally more reliable and should be used whenever possible. Select Hardware to enable hardware flow control. Not all devices support hardware flow control; those that don't use software flow control, which can be selected with the Xon_Xoff option. Software flow control uses special characters in the data stream to throttle the connection. Select None to disable flow control.

TxInternal = [ On | Off ]
The TxInternal keyword is used to tell the router to source a synchronous clock. The vast majority of configurations will have this set to Off. Normally, the circuit provider, the DSU, or the ISDN TA will be configured to supply the transmit data clock. The On value is normally used when creating a NULL connection between two routers. RS-232 interfaces on some routers must also have a hardware jumper changed to supply the transmit data clock (check the Installation Guide for the specific device). The receive data clock is always an input to the router.

Baud = [ 2400 | 9600 | 14400 | 19200 | 38400 | 56000 | 57600 | 64000 | 115200 | 128000 | 230400 | 256000 ]
The Baud keyword specifies the asynchronous data rate or the transmit clock baud rate used when internal clocking is enabled. Not all values are available on all devices. Check the Installation Guide for the specific device for the appropriate setting.

Examples
Wan 0 is set to synchronous operation, supplying the transmit clock internally (TxInternal) at 128000.

[ RS232 Interface WAN 0 ]
Baud = 128000
LinkType = Sync
TxInternal = On

Wan 1 is set to asynchronous 115200 with hardware flow control.

[ RS232 Interface WAN 1 ]
Baud = 115200
LinkType = Async
FlowCntl = Hardware

See Also
wan(show), statistics(show), [ Link Config <Section ID> ]

[ SecurID ]
This section is used to configure SecurID parameters into an IntraPort VPN Access Server. All IntraPort servers and the IntraPort Client software are SecurID-ready. SecurID is Security Dynamics' proprietary system which requires ACE/Server software and SecurID tokens to perform dynamic two-factor authentication.

Keywords recognized in this section are described below.

Enabled = [ On | Off ]
If the Enabled keyword is On, SecurID authentication of users will be enabled on the server.

EncryptionType = [ DES | SDI ]
The EncryptionType keyword selects the encryption algorithm for data exchanged between the IntraPort and the ACE/Server. DES specifies that the DES algorithm will be used to scramble the data in both directions. SDI specifies that Security Dynamics' proprietary algorithm will be used. The default is DES.

Port = Number
The Port keyword defines which UDP port on the ACE/Server will be used to exchange information. The default is 5500. The value may range between 1 and 65,535.

PrimaryServer = IP Address
The PrimaryServer keyword sets the IP address of the primary ACE/Server.

BackupServer = IP Address
The BackupServer keyword sets the IP address of the secondary ACE/Server. If no response is received from the primary ACE/Server after the Timeout period, then this secondary server is used.

Timeout = Number
The Timeout keyword sets the number of seconds the device will wait before trying the backup ACE/Server. The default is 5. The value may range between 1 and 75.
BindTo = Port String
The BindTo keyword specifies which interface on this device will have its IP address used as the source address for all packets sent to the SecurID server. The IP address for the specified interface must be configured in the RADIUS server as the client address.

Examples

[ SecurID ]
Enabled = On
EncryptionType = DES
PrimaryServer = 192.168.12.8
BackupServer = 192.168.41.2
Timeout = 5
BindTo = Ethernet 0:0

See Also
[ VPN Group <Name> ], securid(show), securid secret(reset)

[ SMDS <Section ID> ]
This section is used to configure SMDS (Switched Multi-megabit Data Service) parameters for either the interface specified or for multiple interfaces using the default sections as explained in Appendix A. SMDS is a connectionless, packet-switched service that offers LAN-to-LAN connectivity across a wide area at up to 1.544 Mbps. SMDS is enabled in the [ Link Config <Section ID> ] section.

Keywords recognized in this section are described below.

StationAddress = String
The StationAddress keyword is used to configure the SMDS physical station address. The address is assigned by the service provider and follows the E.164 format (i.e., 64-bit/15-digit addressing). The station address must start with the letter C and be followed by at least 10 digits. The missing digits will be filled in with F. The address should be entered exactly as it is assigned by the service provider.

IPMulticast = String
The IPMulticast keyword is used to configure the IP multicast address. This address is the SMDS group address assigned by the service provider and follows the E.164 format. The multicast address must start with the letter E and be followed by at least 10 digits. The missing digits will be filled in with F. The address should be entered exactly as it is assigned by the service provider.

PollingFrequency = Number
The PollingFrequency keyword specifies the interval that the router uses to poll the SMDS switch. The interval is specified in seconds and must be between 0 and 30. If the switch does not respond to the polling, the router will eventually declare the SMDS link down and start dropping packets designated for that interface. A value of 0 will disable the polling mechanism. Disabling the polling mechanism will automatically declare the SMDS link up.

Note: The keepalive mechanism is also referred to as "heartbeat exchange" in the SMDS literature.

Examples
The following is an example of a valid StationAddress setting:
StationAddress = C130.3302.1310

The following is an example of an IPMulticast setting:
IPMulticast = E130.3302.4139

See Also
Appendix A, [ Link Config <Section ID> ]

[ SNMP ]
This section permits parameters to be defined for SNMP (Simple Network Management Protocol) management of the device. The keywords for this section are described below.

Enabled = [ On | Off ]
The Enabled keyword allows SNMP management of the device to be completely enabled or disabled. When set to Off, no SNMP management will be allowed by the device.

SetsEnabled = [ On | Off ]
The SetsEnabled keyword controls whether SNMP sets can be applied to a device.

TrapsEnabled = [ On | Off ]
The TrapsEnabled keyword controls whether SNMP traps will be reported by the device when trap conditions are encountered. Compatible Systems devices support the following SNMP Traps (as outlined in RFC 1157):
coldStart - generated when a restart to save a configuration or software download is accomplished.
warmStart - generated when a restart event is received.
linkDown - generated from a WAN interface when a link is dropped due to abnormal conditions, such as lost carrier, lost PVC, etc.
linkUp - generated from a WAN interface when a link which was lost due to abnormal conditions comes back up.
authenticationFailure - generated when a protocol message is not properly authenticated.
AdminName = String
The AdminName keyword allows the administrator name of the device to be specified. This information is returned when queried for SNMP System Information by an SNMP console. The string can be up to 255 characters in length and contain special characters as outlined in Appendix B. The administrator name usually specifies who is responsible for the equipment. Items that can be included might be the administrator's name, phone number, office number, etc.

Domain = String
The Domain keyword allows the domain name of the device to be specified. This information is returned when queried for SNMP System Information by an SNMP console. The string can be up to 255 characters in length and contain special characters as outlined in Appendix B. The domain name usually has network-specific information about the device. Items that can be specified include the device's DNS name, its TCP/IP domain, or the cable segment or subnet that it is connected to. This variable is independent from the actual DNS record for the device and is used to provide information to external managers.

Location = String
The Location keyword allows the location of the device to be specified. This information is returned when queried for SNMP System Information by an SNMP console. The string can be up to 255 characters in length and contain special characters as outlined in Appendix B. The location usually has information about where the equipment is physically located. The building, room and rack are examples of information that could be specified for this parameter.

Examples

[ SNMP ]
Enabled = On
SetsEnabled = On
TrapsEnabled = On
AdminName = "Velma Dinkley"
Domain = "velma's 2270"
Location = "Upstairs"

See Also
[ SNMP CommunityString <Name> ], [ SNMP Trap <Name> ]

[ SNMP CommunityString <Name> ]
This section permits parameters to be defined for SNMP (Simple Network Management Protocol) Community Strings. SNMP Community Strings are groups of administrators who have access to the device via an SNMP console. The Name portion of the section name should be a string associated with an administrator (or administrators). This string is included in every message and is used, along with the IP address(es) configured below, for access authentication. The default name is "Public," which allows any Community String to have access to this device. Once you have set an SNMP CommunityString Name section, access will be limited to the named Community String.

The keywords for this section are described below.

Access = [ Read | ReadWrite | None ]
The Access keyword specifies the type of access the administrator(s) within the Community String will have to this device. If None is chosen, the Community String will have no access. If Read is specified, the Community String will receive information such as Traps, but cannot do Sets. If ReadWrite is specified, the Community String can both perform Sets to, and receive Traps from, this device.

IPAddress = IP Address
The IPAddress keyword sets the IP address, or addresses, of the SNMP console(s) which will have access to this device. The address is used, along with the Community String, for access authentication. Up to four IP addresses may be entered. They should be entered in standard IP dotted-decimal notation (e.g., 198.41.9.1). An address with all zeros (0.0.0.0) can be used as a wildcard to allow the specified Community String access from any console.

Examples
In the following examples, the Community String "Info Services" is allowed full access to the device, while the Community String "Tech Support" is allowed read-only access from any console.

[ SNMP CommunityString "Info Services" ]
Access = ReadWrite
IPAddress = 192.168.41.95
IPAddress = 192.168.41.3
IPAddress = 192.168.41.2
IPAddress = 192.168.5.5

[ SNMP CommunityString "Tech Support" ]
Access = Read
IPAddress = 0.0.0.0

See Also
[ SNMP ], [ SNMP Trap <Name> ]

[ SNMP Trap <Name> ]
This section permits parameters to be defined for SNMP (Simple Network Management Protocol) Traps. SNMP Traps are messages sent by the device to an SNMP console. The Name portion of the section name should be the IP address of the SNMP console to which the device will transmit a Trap message whenever one is generated. It should be entered in standard IP dotted-decimal notation (e.g., 198.41.9.1).

The keywords for this section are described below.

Name = String
The Name keyword is the name of the Community String on the SNMP console to which the Trap message will be sent. This Community String is a string associated with an administrator (or administrators) who have access to the SNMP console.

Examples
In the following examples, the Community String "Info Services" will receive SNMP Traps at 192.168.41.2, while "Tech Support" can receive Traps at any console.

[ SNMP Trap "0.0.0.0" ]
Name = "Tech Support"

[ SNMP Trap "192.168.41.2" ]
Name = "Info Services"

See Also
[ SNMP ], [ SNMP CommunityString <Name> ]

[ T1 Interface <Section ID> ]
This section sets configuration parameters for an internal CSU on the specified WAN interface. T1 digital transmission has a data capacity of 1.544 Mbps (referred to as Data Speed 1 or DS1).
Fractional T1 refers to a standard T1 line that has been divided into 24 channels of 64Kbps (referred to as DS0) each, with only one or more channels enabled for a particular user. The channels are sold individually or in groups, up to a desired bandwidth (e.g., four channels would provide a data capacity of 256Kbps), at a lower cost than a full T1 line.

Note: T1 lines are available from local telcos with two options that can generally be specified by a user: framing format and line encoding. Since tariffs and procedures vary across the country, users may pay a premium for ESF framing and B8ZS line encoding (see below). While cost and availability are always determining factors, users should opt for ESF line framing and B8ZS line encoding whenever possible, because they offer greater bandwidth and additional features.

Since many of the parameters for this section are dependent upon the service provided by the telco or ISP, users may need to contact them to find out the appropriate specifications.

Keywords recognized in this section are described below.

DS0Start = Number
The DS0Start keyword selects which channel the T1 stream will start on when using Fractional T1 transmission. Valid values range from 1 to 24. When using the entire T1 line, this value should be 1. Both ends of a WAN connection must be configured with the same DS0Start number.

DS0Count = Number
The DS0Count keyword defines the number of DS0s that will be used with Fractional T1 transmission. Values range from 1 to 24. When using the entire T1 line, this value should be 24. Both ends of a WAN connection must be configured with the same DS0Count number.

ContiguousChannels = [ On | Off ]
The ContiguousChannels keyword specifies whether the CSU will use contiguous or alternating channels. If more than 12 channels are defined by the DS0Count variable or when using the entire T1 line, then ContiguousChannels must be configured On. Alternating channels can be used to meet pulse density requirements when using a 64Kbps channel rate with AMI line coding (see below). Both ends of a WAN connection must be configured with the same value for ContiguousChannels.

LineBuildOut = [ 0db | -7.5db | -15db | -22.5db ]
The LineBuildOut keyword should be set based on the length of your T1 line. Setting this value to 0db specifies that you want to transmit at the maximum level. Users who don't know the length of their line and haven't been told to use a specific value by their service provider should set LineBuildOut to 0db. Other settings may be necessary if so instructed by the telco or T1 line supplier. If setting this value based on the receive signal level, use the following rules:

If receive level is (dB):   Set transmit level to:
0 to -7.5                   -15 dB
-7.5 to -15                 -7.5 dB
-15 to -22 or < -22         0 dB

LineFraming = [ ESF | D4 ]
The LineFraming keyword may be set to ESF for Extended Super Frame, or D4 for Super Frame. D4 is an older framing format and may be the only one available in some areas. ESF is the preferred format because it offers a Facility Data Link which can provide performance monitoring, error checking and other features. Both ends of a WAN connection must be configured with the same LineFraming format.

LineEncoding = [ B8ZS | AMI ]
The LineEncoding keyword may be set to either B8ZS or AMI to define the line code for the network. In AMI (Alternate Mark Inversion), "1s" are transmitted as alternating positive or negative pulses, while a "0" is an absence of a pulse. If too many consecutive "0s" are sent, the line appears dead and synchronization could be lost. Pulse density requirements on a T1 line dictate that no more than 15 "0" bits in a row be sent on the line. On an AMI encoded line, to ensure that this requirement is met, the user must select either 56Kbps as the channel rate (which allows the CSU to invisibly insert "1s" such that there can never be more than 7 "0s" in a row), or select 64Kbps and use alternating channels. In the latter case, the CSU fills the unused alternating channels with "1s" to provide the required pulse density.

B8ZS is a variation of AMI in that data is still transmitted using alternating positive and negative pulses. However, B8ZS addresses the problem of too many "0s" by encoding any string of eight "0s" into a bit pattern that uses either two consecutive negative or positive pulses, which is a violation of the AMI line encoding format. Because of the unique pattern of "double negative" or "double positive" pulses, the string is easily recognized and decoded back into "0s," and the "1" pulses can be used for clock synchronization. B8ZS provides clear channel transmission (i.e., using the full 64Kbps). Both ends of a WAN connection must be configured with the same LineEncoding format.

InvertData = [ On | Off ]
When set to On, the InvertData keyword allows the user to invert data. Data inversion can be used to meet pulse density requirements. Always set to Off unless otherwise instructed by your ISP. If a CSU at one end of a T1 line inverts its data, then the CSU at the other end must do the same.

ChannelDataRate = [ 64K | 56K ]
The ChannelDataRate keyword defines the base rate of each T1 channel. With B8ZS line encoding, the data rate is 64K. With AMI line encoding, the base rate can be either 56K (using contiguous channels) or 64K (using alternating channels and Fractional T1). The T1 stream's actual data rate depends on the base rate and the number of DS0s defined. Both ends of a WAN connection must be configured with the same ChannelDataRate.
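The AMI and B8ZS line coding described under LineEncoding, as an added example that is not from the guide: an AMI encoder with optional B8ZS substitution, a decoder that recognises the bipolar violations, and the 15-zero pulse density check the guide quotes. Pulses are modelled as +1 and -1 and the absence of a pulse as 0; the 000VB0VB substitution pattern (V = violation, B = normal pulse) is the standard B8ZS definition, which the guide describes only in words.

```python
"""Added example, not from the Compatible Systems guide: AMI / B8ZS encoding
of a bit list and the T1 pulse density check. Bits are ints 0/1 in a list."""

MAX_ZERO_RUN = 15   # pulse density requirement quoted in the guide


def substitution(last):
    """000VB0VB for the given polarity (+1/-1) of the last transmitted pulse.
    The two V pulses repeat the previous polarity (the violation); the
    pattern ends on the same polarity it started from."""
    return [0, 0, 0, last, -last, 0, -last, last]


def ami_encode(bits, b8zs=False):
    """AMI: each 1 alternates polarity, each 0 is no pulse. With b8zs=True
    every run of eight 0s is replaced by the substitution pattern."""
    out, last, i = [], -1, 0          # first 1 is sent as a positive pulse
    while i < len(bits):
        if b8zs and bits[i:i + 8] == [0] * 8:
            out += substitution(last)  # last polarity is unchanged afterwards
            i += 8
            continue
        if bits[i]:
            last = -last
            out.append(last)
        else:
            out.append(0)
        i += 1
    return out


def ami_decode(symbols):
    """Recover bits; a substitution pattern can only arise from B8ZS because
    plain AMI never repeats a polarity, so it is decoded as eight 0s."""
    bits, i = [], 0
    while i < len(symbols):
        if symbols[i:i + 8] in (substitution(1), substitution(-1)):
            bits += [0] * 8
            i += 8
            continue
        bits.append(1 if symbols[i] else 0)
        i += 1
    return bits


def longest_zero_run(symbols):
    longest = run = 0
    for s in symbols:
        run = run + 1 if s == 0 else 0
        longest = max(longest, run)
    return longest


def meets_pulse_density(symbols):
    """True when the line never goes more than MAX_ZERO_RUN symbols without a pulse."""
    return longest_zero_run(symbols) <= MAX_ZERO_RUN
```

A payload with sixteen consecutive 0s breaks the density rule under plain AMI but passes under B8ZS, which is why the guide pairs AMI with 56K or alternating channels and B8ZS with clear-channel 64K.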
ClockSource = [ Slave | Master ] The ClockSource keyword configures whether the CSU will use its own internal clock or obtain the clock from the network. In Master mode, an internal clock is used. In Slave mode, the network clock is used. Most network applications will use Slave mode. Verify this setting with your ISP. TransmitPRM = [ On | Off ] The TransmitPRM keyword determines whether the CSU transmits Performance Report Messages (PRM) data on the Facility Data Link. PRM messages can only be sent if the CSU is configured for Extended Super Frame (ESF). Set to On to transmit PRM data. ReceiveATTLoopUps = [ On | Off ] When set to On, the ReceiveATTLoopUps keyword enables the CSU to recognize ATT64211 line loopup patterns from a remote CSU. When the pattern is received, the CSU will be put into network loopback. ReceiveV54LoopUps = [ On | Off ] When set to On, the ReceiveV54LoopUps keyword enables the CSU to recognize the V.54 line loopup pattern from a remote CSU. When the pattern is received, the CSU will be put into network loopback. Configuration Section 147 [ T1 Interface <Section ID> ] Examples The following example shows ESF line framing and B8ZS line encoding, using the network clock. [ T1 Interface Wan 0 ] DS0Start DS0Count ContiguousChannels LineBuildOut LineFraming LineEncoding ChannelDataRate ClockSource ReceiveATTLoopUps ReceiveV54LoopUps = = = = = = = = = = 1 24 On 0db ESF B8ZS 64K Slave On On In the following example, the telco has indicated that only D4 framing and AMI line encoding are available and that the line buildout should be 0db. The desired bandwidth is 256Kbps. The ISP provides the network clock. 
    [ T1 Interface Wan 0 ]
    DS0Start = 1
    DS0Count = 4
    ContiguousChannels = Off
    LineBuildOut = 0db
    LineFraming = D4
    LineEncoding = AMI
    ChannelDataRate = 64K
    ClockSource = Slave
    ReceiveATTLoopUps = On
    ReceiveV54LoopUps = On

See Also

[ Link Config <Section ID> ], wan(show), wan csu(set)

[ Time Server ]

This section is used to enable the setting of the device's internal clock from a network time server. The device's time server will connect to most UNIX systems running "inetd" using either the time server port (UDP 37) or NTP port (UDP 123). The time is used when logging is enabled or to time stamp configurations when saved. If the time server function is off, the log time stamp reports how long the device has been up and the saved configuration time stamp will be zero. Automatic daylight savings adjustment is not supported by the device.

Keywords recognized in this section are described below.

Enabled = [ On | Off ]

The Enabled keyword turns the time server access On and Off, respectively.

TimeProtocol = [ Timed | SNTP ]

The TimeProtocol keyword identifies the type of time server protocol to use. The time server being used will dictate the protocol type to be used. UNIX servers generally use Timed. Windows servers generally use SNTP (Simple Network Time Protocol). The default is Timed.

ServerAddress = IP Address

The ServerAddress keyword is used to tell the device the IP address of the primary time server. All time requests go to this server first. It is recommended that you use a time server which is local to your network. A ServerAddress must be specified if Enabled is set to On.

BackupAddress = IP Address

The BackupAddress keyword is used to tell the device the IP address of the backup time server. All time requests go to the primary server first. If there is no response then the backup will be used. This address is optional.
Adjust = Number

The Adjust keyword allows you to offset the device time from the time returned by the time server. The adjustment is in whole minutes and can be plus or minus. Most servers will return GMT. Unless you know what your server returns, adjust the offset from GMT. The following chart shows the values for standard U.S. time zones.

    Time Zone    Offset
    PST          -480
    MST          -420
    CST          -360
    EST          -300

Examples

Set timeserver for 198.41.9.30 with an offset of -420 minutes.

    [Time Server]
    Enabled = On
    TimeProtocol = Timed
    ServerAddress = 198.41.9.30
    Adjust = -420

See Also

system(show)

[ Tunnel Partner <Section ID> ]

The Tunnel Partner section configures VPN tunnel parameters and defines a virtual port for LAN-to-LAN tunnel traffic. Tunneling of IP, IPX, AppleTalk or bridging protocols can then be configured using the appropriate protocol-specific section for the configured VPN port (e.g., [ IP VPN 0 ]). Tunnel Partner sections do not have to be numbered consecutively (e.g., Tunnel Partner VPN 0, Tunnel Partner VPN 2, Tunnel Partner VPN 5, etc.).

All tunnel traffic sent between Tunnel Partners is processed according to the rules specified in this section. These parameters must be set for both ends of the tunnel.

Note: Products shipped to certain nations or organizations which are subject to restrictions by U.S. encryption export laws may not support the 3DES encryption algorithm. You may contact your Compatible Systems retailer for more information if your product does not support 3DES.

Keywords recognized in this section are described below.

Partner = IP Address

The Partner keyword specifies the IP address of the interface at the remote end of the tunnel. All tunnel traffic is sent to the Partner address for processing.

BindTo = Port String

The BindTo keyword specifies which interface on this device will act as the end point for the tunnels defined by this configuration.
Packets sent from this device to the partner will use the selected interface's IP address as a source address.

Note: When configuring the remote end of the tunnel, the Partner keyword will be this interface's IP address. The BindTo keyword will be the remote device's tunneling interface (which was used as the Partner for this end of the tunnel).

Note: If both Ethernet ports are being used on an IntraPort 2/2+, then the BindTo port must be set to Ethernet 1.

Note: All packets sent through the VPN tunnel are IP-encapsulated packets. If IP packet filtering is enabled for the configured VPN interface, then GRE (General Router Encapsulation) and AH (Authentication Header) packets must specifically be permitted through the filter. See the [ IP Filter <Name> ] section for more information.

KeyManage = [ Auto | Manual | Initiate | Respond ]

The KeyManage keyword specifies how the tunnel will be set up.

Auto specifies that IKE (Internet Key Exchange) will be used and that this device can both initiate tunnels and respond to tunnel establishment requests from other devices. Auto is the default setting and requires that the SharedKey keyword be set to the same value for both Tunnel Partners. This allows the two devices to negotiate between themselves what type of encryption and authentication to use for the tunnel, based on the options specified by the Transform keyword. The Auto setting should only be used when the Tunnel Partner is another Compatible Systems VPN device.

Initiate specifies that this Tunnel Partner will use IKE, but will only initiate tunnel establishment. It will not respond to tunnel establishment attempts from other devices.

Respond specifies that this Tunnel Partner will use IKE, but will only respond to tunnel establishment attempts which have been initiated by other devices. It will not initiate tunnel establishment.
Manual specifies that this Tunnel Partner will not use IKE, so the tunnel's encryption and authentication parameters must be manually set. Therefore, you must set the Authentication, Encryption, EncryptMethod, AuthSecret, and EncryptSecret keywords for both Tunnel Partners, and the values selected for them must match.

Transform = [ ESP (SHA,DES) | ESP (SHA,3DES) | ESP (MD5,DES) | ESP (MD5,3DES) | ESP (MD5) | ESP (SHA) | AH (MD5) | AH (SHA) | AH (MD5) + ESP (DES) | AH (MD5) + ESP (3DES) | AH (SHA) + ESP (DES) | AH (SHA) + ESP (3DES) ]

The Transform keyword specifies the protection types and algorithms which will be used for tunnel sessions. Each option is a "protection piece" which specifies authentication and/or encryption parameters. This keyword controls IKE Phase 2 negotiation. Security settings for the IKE Phase 1 negotiation are set in the [ IKE Policy ] section. The mode setting for the Phase 1 negotiation is automatic unless the remote tunnel partner is another vendor's device, in which case the Mode keyword should be set (see Interoperability Settings later in this section for more information).

This keyword may appear multiple times within this section, in which case the device will propose all of the specified protection pieces. The remote Tunnel Partner must have at least one matching Transform keyword. The two devices will then agree to use one of the options during the session.

ESP (SHA,DES), ESP (SHA,3DES), ESP (MD5,DES) and ESP (MD5,3DES) denote using the Encapsulating Security Payload (ESP) header to encrypt and authenticate packets. DES (Data Encryption Standard) uses a 56-bit key to scramble the data. 3DES uses three different keys and three applications of the DES algorithm to scramble the data. MD5 is the message-digest 5 hash algorithm. SHA is the Secure Hash Algorithm, which is considered to be somewhat more secure than MD5. ESP(MD5,DES) is the default setting and is recommended for most setups.
ESP (MD5) and ESP (SHA) denote using the ESP header to authenticate packets (with no encryption).

AH (MD5) and AH (SHA) denote using the Authentication Header (AH) to authenticate packets.

AH (MD5) + ESP (DES), AH (MD5) + ESP (3DES), AH (SHA) + ESP (DES) and AH (SHA) + ESP (3DES) use the Authentication Header to authenticate packets and the ESP header to encrypt packets.

SharedKey = <Pass Phrase>

The SharedKey keyword is used to generate session keys which are then used to authenticate and/or encrypt each packet received or sent through the tunnel. The same key must be entered into the remote Tunnel Partner for the tunnel session to be successfully established. The Pass Phrase may be between 1-255 characters long.

PFS = [ G1 | G2 | On | Off ]

The PFS keyword specifies whether "perfect forward secrecy" will be used during client sessions. PFS means that every time encryption and/or authentication keys are computed, a new Diffie-Hellman Key Exchange is included. This greatly increases the difficulty of finding the session keys used to encrypt a VPN session. It also means that even if the keys are somehow cracked, only a portion of the traffic is recoverable.

G1 specifies that the Group 1 algorithm will be used. G2 specifies that the Group 2 algorithm will be used. Because larger numbers are used by the Group 2 algorithm, it is more secure than Group 1. On specifies that the group used in Phase 1 of the IKE negotiation will be used as the group for the PFS Diffie-Hellman Key Exchange. This Phase 1 group setting is configured in the [ IKE Policy ] section. The default is Off.

Authentication = [ On | Off ]

The Authentication keyword allows authentication of all tunnel traffic. This keyword is used when the KeyManage keyword is set to Manual. Each packet is digitally signed before sending. The receiving end of the tunnel checks the signature before allowing the traffic onto its local network.
Encryption = [ On | Off ]

The Encryption keyword specifies whether encryption of all tunnel traffic will be enabled. This keyword is used when the KeyManage keyword is set to Manual.

EncryptMethod = [ Fixed | None | PLE | DES | 3DES ]

The EncryptMethod keyword selects the encryption algorithm for this tunnel. This keyword is used when the KeyManage keyword is set to Manual. If None is entered, then the tunnel session will be sent in the clear in both directions. If Fixed is entered, then Personal Level Encryption will be used to scramble the data in both directions using a fixed key. If PLE is entered, then Personal Level Encryption will be used to scramble the data in both directions using a key generated from the encryption secret. If DES is entered, then the DES algorithm will be used. DES provides better security than PLE, but also requires more time to operate. If 3DES is entered, then triple DES encryption will be used. The default value is either Fixed (for export releases) or PLE (for North American releases).

AuthSecret = <Authentication Secret>

The AuthSecret keyword is used to generate session keys which are used to authenticate each packet received from or sent through the tunnel. This keyword is used when the KeyManage keyword is set to Manual. If AuthSecret is omitted, then packets sent through this tunnel are not authenticated. The authentication secret may be between 1-255 characters long.

EncryptSecret = <Encryption Secret>

The EncryptSecret keyword is used to generate session keys which are used to encrypt each packet received from or sent through the tunnel. This keyword is used when the KeyManage keyword is set to Manual. If EncryptSecret is omitted, then packets sent through this tunnel are not encrypted. The encryption secret may be between 1-255 characters long.
SLAEnablePartner = [ On | Off ]

The SLAEnablePartner keyword specifies that Service Level Agreement (SLA) information will be gathered for tunnel sessions. SLA measures the speed of traffic across the tunnel and can be used to ensure that service guarantees are met. SNMP is used to display the gathered information. This requires that SNMP be enabled using the [ SNMP ] section and that Compatible's private Enterprise MIB be used. The default is Off.

INTEROPERABILITY SETTINGS

The following keywords allow the IntraPort to interoperate with other vendors' devices. If the remote Tunnel Partner is a Compatible Systems device, it is not necessary to configure these keywords.

Mode = [ Main | Aggressive ]

The Mode keyword sets the IKE Phase 1 negotiation mode between the devices. Phase 1 controls how the two devices identify and authenticate each other so that tunnel sessions can be established. Security settings for the IKE Phase 1 negotiation are set in the [ IKE Policy ] section. Main and Aggressive are the two IPSec standard methods for performing the Phase 1 negotiation. This setting must match the Phase 1 negotiation mode of the remote peer. Other vendors may support only the Main mode. It is only necessary to set this keyword if the KeyManage keyword is set to Auto or Initiate.

As part of their interoperability function, the following keywords specify access from one area behind a VPN device to another area behind a VPN device. The local settings specify what local subnets, hosts, ports and/or protocols will be reachable via the tunnel. The peer settings specify what remote subnets, hosts, ports and/or protocols will be reachable via the tunnel. The remote tunnel partner (i.e., peer) must have a matching policy in order for traffic to be successfully tunneled.

LocalAccess = IP Address/bits

The LocalAccess keyword is used to specify a local host or subnet which will be reachable by the tunnel.
The LocalAccess keyword is entered as an IP address followed by a slash followed by the number of significant bits in the entered IP address. The bits can be between 8 and 32. To allow access to only a single host, specify 32 in the bits portion.

Note: In order to specify more than one reachable host or subnet for a LAN-to-LAN tunnel, multiple Tunnel Partner sections would have to be configured.

LocalProto = protocol number

The LocalProto keyword is used to specify an IP protocol which will be accepted by this end of the tunnel. The default of 0 will allow all protocols. A list of the IP protocols and their protocol numbers follows.

    TCP (6), ICMP (1), AH (51), ESP (50), UDP (17), GRE (47), OSPF (89)

Note: In order to specify more than one protocol type for a LAN-to-LAN tunnel, multiple Tunnel Partner sections would have to be configured.

LocalPort = port number

The LocalPort keyword is used to specify a local port number which will be reachable via the tunnel. The default of 0 will allow all ports. A list of some of the more commonly used ports and their numbers can be found in the [ IP Filter <Name> ] section.

Note: In order to specify more than one reachable port for a LAN-to-LAN tunnel, multiple Tunnel Partner sections would have to be configured.

Peer = IP Address/bits

The Peer keyword is used to specify a host or subnet behind the remote tunnel partner which will be reachable via the tunnel. The Peer keyword is entered as an IP address followed by a slash followed by the number of significant bits in the entered IP address. The bits can be between 8 and 32. To tunnel to only a single host, specify 32 in the bits portion. Any communications with an address which is part of one of the networks defined by a Peer keyword will be tunneled.

Note: In order to specify more than one reachable host or subnet for a LAN-to-LAN tunnel, multiple Tunnel Partner sections would have to be configured.
PeerProto = protocol number

The PeerProto keyword is used to specify an IP protocol which will be tunneled. If a PeerProto keyword is specified, then only traffic of that protocol type will be tunneled. The default of 0 will allow all protocols. A list of the IP protocols and their protocol numbers follows.

    TCP (6), ICMP (1), AH (51), ESP (50), UDP (17), GRE (47), OSPF (89)

Note: In order to specify more than one protocol type for a LAN-to-LAN tunnel, multiple Tunnel Partner sections would have to be configured.

PeerPort = port number

The PeerPort keyword is used to specify a port number. If a PeerPort keyword is specified, then only traffic destined for that particular port will be tunneled. The default of 0 will allow all ports. A list of some of the more commonly used ports and their numbers can be found in the [ IP Filter <Name> ] section.

Note: In order to specify more than one reachable port for a LAN-to-LAN tunnel, multiple Tunnel Partner sections would have to be configured.

Examples

This example shows a VPN tunnel configuration which uses Manual key management. The VPN Tunnel Server at 192.168.169.170 would also need a Tunnel Partner section where the Partner keyword has the IP address of this device's Ethernet 0. Because it uses manual key management, all of the authentication and encryption parameters have to be entered. The KeyManagement, Authentication, Encryption, EncryptMethod, AuthSecret, and EncryptSecret keywords for the remote Tunnel Partner would have to match the ones listed below. There would also have to be [ IP VPN 0 ], [ IPX VPN 0 ], [ AppleTalk VPN 0 ] and/or [ Bridging VPN 0 ] sections for those protocols to be tunneled.

    [ Tunnel Partner VPN 0 ]
    Partner = 192.168.169.170
    BindTo = Ethernet0
    KeyManagement = Manual
    Authentication = On
    Encryption = On
    AuthSecret = "No Fakes"
    EncryptSecret = "No Peeking"

This example shows a VPN Tunnel configuration which uses IKE.
The VPN Tunnel Server at 192.168.117.18 would also need a Tunnel Partner section where the Partner keyword has the IP address of this device's Ethernet 1. The Transform and SharedKey keywords would have to match the ones listed below. There would also have to be [ IP VPN 1 ], [ IPX VPN 1 ], [ AppleTalk VPN 1 ] and/or [ Bridging VPN 1 ] sections for those protocols to be tunneled.

    [ Tunnel Partner VPN 1 ]
    Partner = 192.168.117.18
    BindTo = Ethernet1
    KeyManagement = Auto
    Transform = ESP(DES,SHA)
    SharedKey = Pebbles02

See Also

[ IP <Section ID> ], [ IP Filter <Name> ], [ IPX <Section ID> ], [ AppleTalk <Section ID> ], [ Bridging <Section ID> ], [ SNMP ], vpn(show)

[ V.35 Interface <Section ID> ]

This section configures the serial characteristics of the router's V.35 interfaces. Keywords recognized in this section are described below.

TxInternal = [ On | Off ]

The TxInternal keyword is used to tell the router to source a synchronous clock. The vast majority of configurations will have this set to Off. Normally, the circuit provider, the DSU, or the ISDN TA will be configured to supply the transmit data clock. The On value is normally used when creating a NULL connection between two routers. The receive data clock is always an input to the router.

TxClkinvert = [ On | Off ]

The TxClkinvert keyword is used to configure the polarity of the transmit clock. Some DSUs have this option as well. This option can be set in lieu of configuring the DSU. Set this parameter to On if instructed to do so by the circuit provider, or if there is reason to believe that the router is not syncing up the data with the clock.

Baud = [ 56000 | 64000 | 128000 | 256000 | 512000 | T1 | 1544000 | E1 | 2048000 ]

The keyword Baud specifies the transmit clock baud rate used when internal clocking is enabled. This keyword is ignored if external clocking is used.
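Returning to the [ Tunnel Partner <Section ID> ] section above: the following example, added here and not part of the original reference guide or the device's own software, parses sections written in this text-based format and checks the KeyManage, secret-length and LocalAccess/Peer rules described there, then finds the protection pieces two partners have in common. It assumes that the KeyManagement spelling used in the page's examples is an alias for the KeyManage keyword; the sample configuration is constructed from the page's two examples.

```python
"""Consistency checks for [ Tunnel Partner <Section ID> ] sections of the
text-based configuration.  Example code added to this page, not the device's
own parser; each rule is taken from the keyword descriptions above.
Assumption: the KeyManagement spelling used in the page's examples is an
alias for the KeyManage keyword."""
import re

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
IKE_MODES = ("Auto", "Initiate", "Respond")
MANUAL_KEYS = ("Authentication", "Encryption", "EncryptMethod",
               "AuthSecret", "EncryptSecret")


def parse_config(text):
    """Parse '[ Section ]' headers and 'Keyword = Value' lines into
    {section: {keyword: [values]}}.  Values are lists because Transform
    (and IPNet in VPN Group sections) may appear more than once."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = " ".join(m.group(1).split())
            sections.setdefault(current, {})
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            key = "KeyManage" if key == "KeyManagement" else key  # assumed alias
            sections[current].setdefault(key, []).append(value.strip('"'))
    return sections


def norm_transform(t):
    """'ESP (SHA,DES)' and 'ESP(DES,SHA)' name the same protection piece:
    drop spaces and sort the algorithms inside each pair of parentheses."""
    out = []
    for piece in t.replace(" ", "").split("+"):
        proto, _, algs = piece.partition("(")
        out.append(proto + "(" + ",".join(sorted(algs.rstrip(")").split(","))) + ")")
    return "+".join(out)


def prefix_bits(spec):
    """Significant bits of an 'IP Address/bits' entry (LocalAccess, Peer)."""
    return int(spec.replace(" ", "").rsplit("/", 1)[1])


def check_tunnel_partner(sec):
    """Problems with one Tunnel Partner section: IKE modes need SharedKey and
    at least one Transform, Manual needs the five manual keywords, secrets
    are 1-255 characters, and LocalAccess/Peer use 8-32 significant bits."""
    problems = []
    mode = sec.get("KeyManage", ["Auto"])[0]
    if mode in IKE_MODES:
        problems += [f"KeyManage {mode} requires {k}"
                     for k in ("SharedKey", "Transform") if k not in sec]
    elif mode == "Manual":
        problems += [f"Manual key management requires {k}"
                     for k in MANUAL_KEYS if k not in sec]
    else:
        problems.append(f"unknown KeyManage value {mode!r}")
    for k in ("SharedKey", "AuthSecret", "EncryptSecret"):
        problems += [f"{k} must be 1-255 characters"
                     for v in sec.get(k, []) if not 1 <= len(v) <= 255]
    for k in ("LocalAccess", "Peer"):
        problems += [f"{k} bits must be 8-32, got {prefix_bits(s)}"
                     for s in sec.get(k, []) if not 8 <= prefix_bits(s) <= 32]
    return problems


def common_transforms(local, remote):
    """Protection pieces proposed by both Tunnel Partners; IKE Phase 2 has
    nothing to agree on when this is empty."""
    mine = {norm_transform(t) for t in local.get("Transform", [])}
    theirs = {norm_transform(t) for t in remote.get("Transform", [])}
    return sorted(mine & theirs)


# Constructed sample: the page's two Tunnel Partner examples, plus a Peer entry.
SAMPLE = """\
[ Tunnel Partner VPN 0 ]
Partner = 192.168.169.170
BindTo = Ethernet0
KeyManagement = Manual
Authentication = On
Encryption = On
AuthSecret = "No Fakes"
EncryptSecret = "No Peeking"

[ Tunnel Partner VPN 1 ]
Partner = 192.168.117.18
BindTo = Ethernet1
KeyManagement = Auto
Transform = ESP(DES,SHA)
SharedKey = Pebbles02
Peer = 10.20.0.0/16
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE)
    for name, sec in cfg.items():
        print(name, check_tunnel_partner(sec) or "ok")
    # What the remote end of VPN 1 would have to propose for a match.
    print(common_transforms(cfg["Tunnel Partner VPN 1"],
                            {"Transform": ["ESP (SHA,DES)", "ESP (MD5,3DES)"]}))
```

Run on the page's Manual example, the check reports that EncryptMethod is missing, which the KeyManage description lists as required for Manual key management.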
Examples

    [ V.35 Interface Default ]
    TxInternal = On
    Baud = 1544000

See Also

wan(show), statistics(show), [ Link Config <Section ID> ]

[ VPN Group <Name> ]

This section defines tunneling profiles for a group of one or more IntraPort users. Thus, there may be several VPN Group sections, each with a unique name of 16 characters or less. IntraPort users are assigned to one of these VPN Group configurations in the [ VPN Users ] section, unless a RADIUS server is being used for authentication. If a RADIUS server is being used, then the RADIUS server's user database must be set up to assign users to a VPN Group configuration. See the installation guide for your IntraPort for more information on setting up a RADIUS server to perform this function.

The following table lists the maximum number of VPN Group configurations allowed per device type.

    Device Type               Maximum Number of VPN Groups
    IntraPort 2               16
    IntraPort 2+              100
    IntraPort Enterprise-2    1,000
    IntraPort Carrier-2       1,000
    IntraPort Enterprise-8    1,000
    IntraPort Carrier-8       1,000

The keywords recognized in the VPN Group sections are described below.

Note: This section of the configuration was previously called [ STEP Client <Name> ]. STEP is Compatible Systems' older, proprietary tunnel establishment protocol. STEP parameters are not recommended for new configurations, but if they have already been set in the device, they are supported as aliases to VPN Group sections.

Note: Products shipped to certain nations or organizations subject to restrictions by U.S. encryption export laws may not support the 3DES encryption algorithm. You may contact your Compatible Systems retailer for more information if your product does not support 3DES.

BindTo = <port string>

The BindTo keyword specifies which interface on the device will act as the local end point for the tunnels defined by this configuration.
MaxConnections = Number

The MaxConnections keyword may be used to limit the number of client connections which use this VPN Group configuration. This is useful to reserve tunnel connections for users using other VPN Group configurations. MaxConnections may not exceed the maximum number of tunnel connections supported by the device. If the sum of the MaxConnections entries of all VPN Group sections exceeds the maximum number of tunnel connections supported by the device, tunnel connections will be served on a first-come, first-served basis.

KeepaliveInterval = Number

The KeepaliveInterval keyword specifies the number of seconds between keepalive packets sent to each connected client by the device. The range is 1 to 65535 seconds. The default is 60 seconds. Clients which do not answer these packets and/or generate other traffic within several keepalive intervals will have their connections shut down. Keepalive packets are only sent in the case where no other traffic has been received from the client in the specified number of seconds.

InactivityTimeout = Number

The InactivityTimeout keyword specifies the number of seconds the device will wait without receiving any traffic from a client belonging to this VPN Group configuration before ending the tunnel session. Keepalive packets and ICMP (ping) traffic do not affect this timeout. This prevents users from using ping to keep their tunnels up. The range is 0 to 65535 seconds. The default of 0 seconds means there is no timeout.

MinimumVersion = String

The MinimumVersion keyword places a limit on the VPN Client Software version number which will be allowed. A value of 0 or 1 will allow any software version number. A value of 2 will prevent Compatible's older STAMP Clients from having access. A value of 3 will prevent both older STAMP Clients and any other Clients with version numbers less than 3.0. A value greater than three will prevent all clients from having access.
Transform = [ ESP(SHA,DES) | ESP(SHA,3DES) | ESP(MD5,DES) | ESP(MD5,3DES) | ESP(MD5) | ESP(SHA) | AH(MD5) | AH(SHA) | AH(MD5)+ESP(DES) | AH(MD5)+ESP(3DES) | AH(SHA)+ESP(DES) | AH(SHA)+ESP(3DES) ]

The Transform keyword specifies the protection types and algorithms which will be used for IKE (Internet Key Exchange) client sessions. Each option is a "protection piece" which specifies authentication and/or encryption parameters. This keyword controls IKE Phase 2 negotiation. IKE Phase 1 negotiation security settings are set in the [ IKE Policy ] section.

This keyword may appear multiple times within this section, in which case the IntraPort will propose the specified protection pieces in the order they are parsed, until one is accepted by the IntraPort client for use during the session. In most cases, only one Transform keyword is needed.

ESP(SHA,DES), ESP(SHA,3DES), ESP(MD5,DES) and ESP(MD5,3DES) denote using the Encapsulating Security Payload (ESP) header to encrypt and authenticate packets. DES (Data Encryption Standard) uses a 56-bit key to scramble the data. 3DES uses three different keys and three applications of the DES algorithm to scramble the data. MD5 is the message-digest 5 hash algorithm. SHA is the Secure Hash Algorithm, which is considered to be somewhat more secure than MD5. ESP(MD5,DES) is the default setting and is recommended for most setups.

ESP(MD5) and ESP(SHA) denote using the ESP header to authenticate packets (with no encryption).

AH(MD5) and AH(SHA) denote using the Authentication Header (AH) to authenticate packets.

AH(MD5)+ESP(DES), AH(MD5)+ESP(3DES), AH(SHA)+ESP(DES) and AH(SHA)+ESP(3DES) use the Authentication Header to authenticate packets and the ESP header to encrypt packets.

Note: The Mac OS IntraPort Client software does not support using the AH options. At least one ESP option should be specified if using the Mac OS client.
PFS = [ G1 | G2 | G5 | On | Off ]

The PFS keyword specifies whether "perfect forward secrecy," an additional security parameter, will be used during client sessions. PFS means that every time encryption and/or authentication keys are computed, a new Diffie-Hellman Key Exchange is included. This greatly increases the difficulty of finding the session keys used to encrypt a VPN session. It also means that even if the keys are somehow cracked, only a portion of the traffic is recoverable.

G1 specifies that the Group 1 algorithm will be used. G2 specifies that the Group 2 algorithm will be used. Because larger numbers are used by the Group 2 algorithm, it is more secure than Group 1. G5 specifies that the Group 5 algorithm will be used. G5 uses a 1535-bit algorithm. On specifies that the group used in Phase 1 of the IKE negotiation will be used as the group for the PFS Diffie-Hellman Key Exchange. This Phase 1 group setting is configured in the [ IKE Policy ] section. The default is Off.

ExcludeLocalLAN = [ On | Off ]

The ExcludeLocalLAN keyword specifies that remote client LAN traffic will not be tunneled. When set to On, this can be used to exclude LAN traffic from tunneling when a wildcard of 0.0.0.0/0 has been used as the IPNet. In order for this to work, the user login in the VPN Client software must also have the Exclude Local LAN from Tunnel checkbox checked. The default is Off.

EncryptMethod = [ Fixed | None | PLE | DES | 3DES ]

The EncryptMethod keyword selects the encryption algorithm which will be used for non-IKE client sessions. If None is entered, then the tunnel session will be sent in the clear in both directions. If Fixed is entered, then Personal Level Encryption will be used to scramble the data in both directions using a fixed key. If PLE is entered, then Personal Level Encryption will be used to scramble the data in both directions using a key generated from the encryption secret.
If DES is entered, then the DES algorithm will be used. DES provides better security than PLE, but also requires more time to operate. If 3DES is selected, then the "Triple DES" algorithm will be used. In 3DES, the data is processed three times, each time with a different 56-bit key.

Note: PLE, DES and 3DES require the specification of an encryption secret for each user in the [ VPN Users ] section. Some VPN devices may not allow 3DES as an option.

The default value is None.

PPTPAllowed = [ On | Off ]

This keyword enables PPTP connections for clients in this VPN Group. The default is Off.

Note: Currently, PPTP is only available in Compatible Systems' Carrier products.

PPTPEncryptmethod = [ None | MPPE40 | MPPE128 ]

This keyword specifies the method of encryption that will be performed on the data traffic between the PPTP client and the IntraPort. If None is selected, no encryption is performed. If MPPE40 is selected, the IntraPort negotiates CCP (the PPP Compression Control Protocol) with the client, and will only agree to do MPPE40 (Microsoft Point-to-Point Encryption with 40-bit key). If MPPE128 is selected, MPPE with 128-bit key is used for encryption. The default is None.

Note: PAP authentication (PPTPAuth in [ IKE Policy ]) cannot be used with MPPE.

Note: MPPE128 is only included with products that support 3DES encryption.

AllowL2TP = [ On | Off ]

The AllowL2TP keyword enables L2TP connections for client sessions using this configuration. L2TP is a VPN protocol which creates "virtual" PPP sessions between remote Windows computers and a corporate network. L2TP parameters can be set in the [ L2TP General ] section.

StartIPAddress = IP Address

The StartIPAddress keyword specifies the first IP address to be assigned to client sessions under this VPN Group. This start address will be incremented by one for each new client session, until the MaxConnections limit is reached.
The IP address is freed when the client session is finished. Each of the addresses thus generated must be a valid, unique, and unused IP address. Also, these addresses must not conflict with addresses specified in other VPN Group configurations or with any other IP address within the server. These addresses must be on the internal TCP/IP network and would typically be on the same network as the BindTo interface (e.g., for an IntraPort 2/2+, on the same network as Ethernet 0 or a subinterface thereof). There is no default value for the StartIPAddress keyword.

In order for IP-in-IP tunneling to operate with this VPN Group configuration, a group of local IP addresses must be set using either the LocalIPNet or the StartIPAddress keywords, or a RADIUS server must be configured to serve the addresses and the AssignIPRADIUS keyword must be enabled.

StartSubnetMask = IP Address

The StartSubnetMask keyword specifies the subnet mask for the IP subnet used by the addresses specified by the StartIPAddress keyword. This keyword is only used on single-Ethernet IntraPorts if the subnet on which the StartIPAddress addresses reside is different from the subnet on which the device's BindTo Ethernet IP address resides.

LocalIPNet = IP Address/bits

The LocalIPNet keyword specifies the local network or subnet to be assigned to client sessions under this VPN Group. For each new client session, an available IP address from this network or subnet is assigned to that session, until the MaxConnections limit is reached. The IP address is freed when the client session is finished. This network or subnet must be unused and completely unique in the IP network to which the IntraPort is connected (i.e., not part of any Class C network in use) and may not conflict with address ranges specified in other group configurations. The mask may be between 8 and 30 bits. There is no default value for the LocalIPNet keyword.
In order for IP-in-IP tunneling to operate with this VPN Group configuration, a group of local IP addresses must be set using either the LocalIPNet or the StartIPAddress keywords, or a RADIUS server must be configured to serve the addresses and the AssignIPRADIUS keyword must be enabled. If a LocalIPNet is used, then either a dynamic routing protocol or static routes must be configured into the controlling router (e.g., the firewall) in order for traffic to find the LocalIPNet network.

AssignIPRADIUS = [ On | Off ]

The AssignIPRADIUS keyword specifies whether a RADIUS server can be used to assign IP addresses to VPN users. If set to Off, then IP addresses will be assigned using the address pool specified by the LocalIPNet or StartIPAddress keywords. If set to On, then communication with a RADIUS server must be configured using the RADIUS section and the RADIUS server must be set up to serve the IP addresses. This can be done using either the built-in RADIUS authentication attribute number 8 or the vendor-specific attribute number 2. If the vendor-specific attribute has been defined, it will take precedence over the built-in RADIUS attribute. This allows a RADIUS server to be used for IP address assignment by both a remote access server and VPN server. If neither type of attribute has been defined, then the IP address will be assigned using the address pool specified by the LocalIPNet or StartIPAddress keywords.

IPNet = IP Address/bits

The IPNet keyword specifies a range of IP addresses which will be reachable by clients using this configuration. The IPNet keyword is entered as an IP address followed by a slash followed by the number of significant bits in the entered IP address. For example, an IPNet keyword entered as 192.168.32.0/19 would specify that traffic with all IP addresses from 192.168.32.1 through 192.168.63.255 will be tunneled.
As a special case, the entry 0.0.0.0/0 specifies that all IP traffic should be tunneled. To tunnel to only a single host, specify 32 in the bits portion. This keyword may occur multiple times in a section. All of the indicated address ranges will be tunneled. Any communications with an address which is part of one of the networks defined by an IPNet keyword will be tunneled. Communications with any other addresses will occur normally, without tunneling.

LocalIPXNet = Number
The LocalIPXNet keyword specifies the first local IPX network to be assigned to client sessions under this configuration. This address will be incremented by one for each new client session, until the MaxConnections limit is reached. When a client is connected to the device, the first available IPX address from this range is assigned to that session. The IPX address is freed when the client session is finished. There is no default value for the LocalIPXNet keyword. Each of the addresses thus generated must be a valid, unique, and unused IPX address. Also, these addresses must not conflict with networks specified in other VPN Group configurations or with any other IPX address within the server. In order for IPX-in-IP tunneling to operate with this VPN Group configuration, a group of local IPX addresses must be set using the LocalIPXNet keyword, or a RADIUS server must be configured to serve the addresses and the AssignIPXRADIUS keyword must be enabled. This keyword replaces the StartIPXAddress keyword.

AssignIPXRADIUS = [ On | Off ]
The AssignIPXRADIUS keyword specifies whether a RADIUS server can be used to assign IPX addresses to VPN users. If set to Off, then IPX addresses will be assigned using the address pool specified by the LocalIPXNet keyword. If set to On, then communication with a RADIUS server must be configured using the RADIUS section and the RADIUS server must be set up to serve the IPX addresses.
This can be done using either the built-in RADIUS authentication attribute number 23 or the vendor-specific attribute number 7. If the vendor-specific attribute has been defined, it will take precedence over the built-in RADIUS attribute. This allows a RADIUS server to be used for IPX address assignment by both a remote access server and a VPN server. If neither type of attribute has been defined, then the IPX address will be assigned using the address pool specified by the LocalIPXNet keyword.

BlockType20 = [ On | Off ]
The BlockType20 keyword specifies how IPX Packet Type 20 is handled for tunnel sessions connected using this VPN Group configuration. In order for certain protocol implementations, like NetBIOS, to function in the NetWare environment, routers must allow a broadcast packet to be propagated throughout an internet. The IPX Packet Type 20 is designated to perform broadcast propagation for these protocols. On prevents these packets from being rebroadcast. This is useful for reducing the bandwidth load on the tunnel. Off allows these propagated packets to be rebroadcast through the tunnel.

SaveSecrets = [ On | Off ]
The SaveSecrets keyword specifies that all users assigned to this VPN Group configuration will be able to save their shared secret to disk, once it has been entered. This means these users will not be prompted for their secret after their first session. The default is Off.

SLAEnableClient = [ On | Off ]
The SLAEnableClient keyword specifies that Service Level Agreement (SLA) information will be gathered for tunnel sessions using this VPN Group configuration. SLA measures the speed of traffic across the tunnel and can be used to ensure that service guarantees are met. SNMP is used to display the gathered information. This requires that SNMP be enabled using the [ SNMP ] section and that Compatible’s private Enterprise MIB be used. The default is Off.
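The address-pool rules of StartIPAddress and LocalIPNet (first available address, freed on disconnect, capped at MaxConnections, no overlap between groups) and the split-tunnel decision made by IPNet entries, modelled in Python as an added example; this is not the IntraPort's code, and the class and function names are my own.

```python
import ipaddress


class VPNGroupAddressing:
    """Address pool and split-tunnel policy of one [ VPN Group <Name> ] section.

    Hypothetical model written for this reference, not the IntraPort's own code.
    Exactly one of start_ip (StartIPAddress) or local_ip_net (LocalIPNet) is used.
    """

    def __init__(self, max_connections, start_ip=None, local_ip_net=None, ip_nets=()):
        if (start_ip is None) == (local_ip_net is None):
            raise ValueError("set exactly one of StartIPAddress or LocalIPNet")
        self.max_connections = max_connections
        if start_ip is not None:
            # StartIPAddress is incremented by one per session, so the pool is
            # exactly MaxConnections consecutive addresses.
            first = ipaddress.IPv4Address(start_ip)
            self.pool = [first + i for i in range(max_connections)]
        else:
            net = ipaddress.IPv4Network(local_ip_net)  # strict: host bits must be zero
            if not 8 <= net.prefixlen <= 30:
                raise ValueError("LocalIPNet mask must be between 8 and 30 bits")
            self.pool = list(net.hosts())
        # IPNet entries: "address/bits"; a /32 names a single host, 0.0.0.0/0 everything.
        self.ip_nets = [ipaddress.IPv4Network(n, strict=False) for n in ip_nets]
        self.sessions = {}  # session id -> assigned address

    def connect(self, session):
        """Assign the first available pool address; refuse at the MaxConnections limit."""
        if session in self.sessions:
            raise ValueError("session already connected")
        if len(self.sessions) >= self.max_connections:
            raise RuntimeError("MaxConnections reached")
        in_use = set(self.sessions.values())
        for addr in self.pool:
            if addr not in in_use:
                self.sessions[session] = addr
                return addr
        raise RuntimeError("address pool exhausted")

    def disconnect(self, session):
        """Free the address when the client session finishes."""
        return self.sessions.pop(session)

    def is_tunneled(self, destination):
        """True if traffic to destination falls inside any IPNet entry of this group."""
        dst = ipaddress.IPv4Address(destination)
        return any(dst in net for net in self.ip_nets)

    def conflicts_with(self, other):
        """Pools of two VPN Groups must not share any address."""
        return bool(set(self.pool) & set(other.pool))


def tunneled_range(ipnet):
    """First and last address covered by an IPNet entry, stated the way the reference does."""
    net = ipaddress.IPv4Network(ipnet, strict=False)
    if net.prefixlen == 32:  # a single host
        return str(net.network_address), str(net.network_address)
    return str(net.network_address + 1), str(net.broadcast_address)
```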
VPNGroupDLCI = Number
The VPNGroupDLCI keyword maps all tunnel traffic using this VPN Group configuration to a Frame Relay PVC. This can be used as an alternative to using routing to get packets to their destination once they have been received from the tunnel. This keyword is only valid for IntraPort Carrier devices. The number must be between 16 and 991.

SecurIDRequired = [ On | Off ]
The SecurIDRequired keyword specifies that all users assigned to this VPN Group configuration will undergo SecurID authentication. SecurID is Security Dynamics’ proprietary system which requires ACE/Server software and SecurID tokens to perform dynamic two-factor authentication. See the [ SecurID ] section for more information.

SecurIDUserName = [ On | Off ]
The SecurIDUserName keyword specifies whether the users assigned to this VPN Group configuration will have SecurID user names which are different from their VPN User names. If set to On, then all users assigned to this VPN Group configuration will be prompted for their SecurID user name by the IntraPort Client in order for SecurID authentication to take place. If set to Off, then for each user assigned to this VPN Group configuration, the user name entered into the [ VPN Users ] section will also be sent to the ACE/Server for authentication. This means that the names for each user entered in the IntraPort and the ACE/Server must be the same.

BackupServer = String
The BackupServer keyword specifies the IP address or domain name of an alternate IntraPort. This allows the device, if full, to roll a client over to the specified alternate device. The string must be either an IP address or a domain name. If a domain name is used, the IntraPort will resolve the domain name to the appropriate IP address.

DNSPrimaryServer = IP Address
The DNSPrimaryServer keyword specifies the IP address of a DNS server.
If this keyword has been set, then the VPN Group will tunnel all DNS queries to the IntraPort. The IntraPort will take all DNS queries bound for the client’s primary DNS server and send them to the specified address. The IP address should be in standard dotted-decimal notation.

DNSSecondaryServer = IP Address
The DNSSecondaryServer keyword specifies the IP address of a backup DNS server. A DNSPrimaryServer must also be set in order for this keyword to work. If this keyword has been set, then the VPN Group will tunnel all DNS queries to the IntraPort. The IntraPort will then send all DNS queries destined for the client’s backup DNS server (i.e., one that has a different IP address than the DNSPrimaryServer) to the specified server address. The IP address should be in standard dotted-decimal notation.

DNSSplitServer = IP Address
The DNSSplitServer keyword specifies the IP address of a "split" DNS server. This is useful for setups where queries for internal names are handled by one server (the primary server) while queries for external names are handled by another server (the "split" server). In order for the IntraPort to know which server to send the query to, at least one LocalDomainName keyword must be set. A DNSPrimaryServer must also be set in order for this keyword to work. Queries for a secondary server will be handled as usual. The IP address should be in standard dotted-decimal notation.

LocalDomainName = String
The LocalDomainName keyword specifies a domain name that will be compared to the name in DNS queries to the DNSPrimaryServer in order to determine whether the query is for an internal or external domain. This keyword may appear multiple times within a section in order to specify multiple domains. The string can be between 1 and 255 characters in length.

WINSPrimaryServer = IP Address
The WINSPrimaryServer keyword specifies the IP address of a WINS server.
If this keyword has been set, then the VPN Group will tunnel all WINS queries to the IntraPort. The IntraPort will take all WINS queries bound for the client’s primary WINS server and send them to the specified address. The IP address should be in standard dotted-decimal notation.

Note: For proper operation of WINS redirection, Windows client PCs must have a configured WINS server address in their control panel. In cases where non-tunneled access to a WINS server is not required, a dummy address can be used.

WINSSecondaryServer = IP Address
The WINSSecondaryServer keyword specifies the IP address of a backup WINS server. A WINSPrimaryServer must also be set in order for this keyword to work. If this keyword has been set, then the VPN Group will tunnel all WINS queries to the IntraPort. The IntraPort will then send all WINS queries destined for the client’s backup WINS server (i.e., one that has a different IP address than the WINSPrimaryServer) to the specified server address. If queries are received for a third server address, they will be discarded. The IP address should be in standard dotted-decimal notation.

Note: For proper operation of WINS redirection, Windows client PCs must have a configured WINS server address in their control panel. In cases where non-tunneled access to a WINS server is not required, a dummy address can be used.

TunnelNetBT = [ On | Off ]
The TunnelNetBT keyword specifies whether Windows NetBT traffic will be tunneled. NetBT is Microsoft’s networking protocol. The default is Off.

IPOutFilters = String
The IPOutFilters keyword allows a named set of IP packet filtering rules to be applied to packets to be sent to a client connected using this configuration. Any packet not explicitly allowed by the rule set is dropped. Up to four separate filters may be selected. If a filter name contains spaces or other special characters, it must be enclosed in quotes.
See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

IPInFilters = String
The IPInFilters keyword allows a named set of IP packet filtering rules to be applied to packets received from a client connected using this configuration. Any packet not explicitly allowed by the rule set is dropped. Up to four separate filters may be selected. If a filter name contains spaces or other special characters, it must be enclosed in quotes. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

IPXOutFilters = String
The IPXOutFilters keyword allows a named set of IPX packet filtering rules to be applied to packets to be sent to a client connected using this configuration. Any packet not explicitly allowed by the rule set is dropped. Up to four separate filters may be selected. If a filter name contains spaces or other special characters, it must be enclosed in quotes. See the [ IPX Filter <Name> ] section for a definition of the rules that may be included in an IPX packet filter.

IPXInFilters = String
The IPXInFilters keyword allows a named set of IPX packet filtering rules to be applied to packets received from a client connected using this configuration. Any packet not explicitly allowed by the rule set is dropped. Up to four separate filters may be selected. If a filter name contains spaces or other special characters, it must be enclosed in quotes. See the [ IPX Filter <Name> ] section for a definition of the rules that may be included in an IPX packet filter.

Examples
This example shows a VPN Group configuration for an IntraPort. The [ IP Ethernet 0 ] section for this device would have an IPAddress keyword and the [ General ] section would have a GatewayAddress keyword which specify addresses on the 192.168.13.0 IP network.
[ VPN Group "Bedrock" ]
BindTo = Ether0
MaxConnections = 8
LocalIPNet = 192.168.12.0/24
LocalIPXNet = F00D0
IPNet = 192.168.13.0/24
IPNet = 192.168.14.0/24
Transform = ESP(DES,SHA)
Transform = AH(MD5)
Transform = AH(SHA)+ESP(3DES)

This example shows a VPN Group configuration with DNS servers configured. In this case, DNS queries bound for the primary server, 192.168.9.30, will be examined to see which domain name is contained in the query. If the name is faceplant.compatible.com or foo.bar.tape.stortek.com, the query will be forwarded to the primary DNS server as originally intended. But queries for disk.stortek.com or monkey.wrench.com will be redirected to the split server, 192.168.9.60. Queries bound for the secondary DNS server, 192.168.11.50, will be forwarded to that server unconditionally.

[ VPN Group "Cobblestone County" ]
BindTo = Ether0
MaxConnections = 4
LocalIPNet = 192.168.16.0/24
IPNet = 192.168.13.0/24
IPNet = 192.168.14.0/24
Transform = ESP(DES,SHA)
DNSPrimaryServer = 192.168.9.30
DNSSecondaryServer = 192.168.11.50
DNSSplitServer = 192.168.9.60
LocalDomainName = "compatible.com"
LocalDomainName = "tape.stortek.com"

See Also
[ VPN Users ], [ IP Filter <Name> ], [ IPX Filter <Name> ], [ IKEPolicy ], [ SecurID ], [ SNMP ], [ L2TP General ]

edit config

COMMAND NAME
edit config - Line editor for configuration.

SYNOPSIS
edit config

SYNOPSIS OF LINE EDITOR SUBCOMMANDS
append [ <line number> ]
delete [ <range> ]
print [ <range> ]
list [ <range> ]
help
quit
exit
range := <line number> | <beginning line number> <ending line number>

DESCRIPTION
This manual page describes the commands of the complex list editor built into the command line interface. This line editor allows you to manage (create, modify, delete, and view) these lists from the command line interface.
Each of these lists, which are special sections of the configuration, has its own unique syntax that is described in its specific man page. The edit config command can also be used as a line editor for the entire configuration. The editor modifies a local buffer of the list which is separate from the configuration buffer that the rest of the command line interface uses. Changes made in the editor are not committed to the command line configuration buffer until they are saved using the exit editor command. It is also possible to end an editing session without saving changes by using the quit editor command. The normal prompt within the editor is:

edit config>

The editor will delete the list being edited if it is saved with no lines in the buffer. Comments and blank lines may occur anywhere in a configuration. Comments begin with a pound sign (#) and continue until the end of the line.

# This is a comment
[ New Section ] # So is this

LINE EDITOR SUBCOMMANDS

append [ <line number> ]
The append subcommand is used to append lines into the buffer. Lines are appended after the specified line number, or after the current line if none is specified. When editing a section, line 1 contains the section name, so specify line 1 in the append statement to add lines after the section name. After entering the append subcommand, a brief help message will be displayed and the prompt will change to "Append>". Any lines entered at this prompt will be placed in the editor buffer after the specified line number. To stop adding lines, enter a "." on a line all by itself.

Edit config> append 0
Enter lines at the prompt. To terminate input, enter a . on a line all by itself.
Append> These lines will be appended
Append> at the beginning of the buffer.
Append> .
Edit config>

If an error occurs while appending lines, a diagnostic note will be printed out and the message "Append failed." will be displayed.
delete [ <range> ]
The delete subcommand is used to delete the specified range of lines in the editor buffer. If only one line number is entered as part of the range, only that line will be deleted. If no range is specified, then the current line is deleted. There is no "undo" command; lines deleted will be lost forever.

print [ <range> ]
The print subcommand is used to display a range of lines from the editor buffer. If only one line number is entered as part of the range, a full screen will be displayed beginning with the specified line number. If no range is specified, a full screen of lines beginning with the current print line will be displayed. The current print line is the current line for the first print or list subcommand. Subsequent print or list subcommands with no range will display a screenful beginning with the last line from the previous display.

list [ <range> ]
The list subcommand has the same behavior as the print subcommand, except that non-printing characters are printed unambiguously. Control characters are printed out as <C-X> (where X is the control character; a tab would be <C-I>, a backspace would be <C-H>, and a line feed would be <C-J>). The delete character is printed out as <DEL>. All other non-printing characters are displayed as <\#> (where # is the character displayed as an octal number). The end of the line is marked with a "$".

Edit config> list 1 2
1: These lines will be appended$
2: at the beginning of the buffer.$
Edit config>

help
The help subcommand displays a short description of valid editor commands.

quit
The quit subcommand is used to leave the editor and ignore the changes that were made during the current editor session. The editor buffer is discarded and the list in the command line configuration buffer will remain the way it was prior to invoking the editor. If the editor buffer has been modified when issuing the quit subcommand, the editor will ask if it should abandon the changes.
exit
The exit subcommand will save the editor buffer and leave the editor. When editing some list types, a syntax checker will be run on the list when the editor exits. If errors are reported, the editor will offer a chance to re-edit the list, allowing the reported errors to be corrected.

Note: Editor buffers saved using the exit subcommand are only saved into the command line configuration buffer, and are not available for the system to use until after a save command has been issued and the system has been restarted (see save(mgmt)).

OPTIONS
line number
A line number refers to a valid line within the editor buffer ranging from 1 to the last line in the buffer. The append command also accepts 0 as a valid line number. The character "$" is accepted as shorthand for the last line in the editor buffer. The character "." is accepted as shorthand for the current line.

range
The range option is either one or two line numbers that specify the range of lines that will be acted upon by the command. See the individual command descriptions for details about how the command will use the range if only one line number is specified.

SEE ALSO
save(mgmt)

[ AppleTalk Filter <Name> ]
This section allows you to define, edit and name a set of AppleTalk filtering rules. Once a set of rules is defined and named, those rules may be applied to a variety of AppleTalk interpreters to accomplish different types of AppleTalk filtering. Each interpreter looks at a subset of the rules that are suitable for that interpreter. The interpreters available are: general packet filtering, get zone list filtering, zip reply filtering and route (RTMP) filtering. See the [ AppleTalk <Section ID> ] section for information about how to apply these named filters to the different interpreters. This method allows the greatest flexibility since common rules may be established and applied independently to the various types of AppleTalk interpreters.
Each of the interpreters is described below.

Packet Filtering
The Packet Filtering interpreter allows packets being forwarded by the device to be filtered on the input and output side of an interface. The only rules used in this interpreter are the type, srcnet, dstnet, srcnode, dstnode, srcskt and dstskt rules for all packets. For Name Binding Protocol (NBP) request and reply packets, the NBPName, NBPType and NBPZone rules are also used. All other rules are ignored. The keywords InFilters and OutFilters in the [ AppleTalk <Section ID> ] section are used to specify the named set of rules for this interpreter.

Get Zone List (GZL)
The Get Zone List (GZL) interpreter allows the filtering of outgoing GZL replies on an interface. These replies contain the zone list displayed by the Chooser on a Macintosh when it is opened. This interpreter will allow control of the zones that are seen on a Macintosh behind a device. The only rules used in this interpreter are the network, net-range and zone rules. All other rules are ignored. The keyword GetZoneFilters in the [ AppleTalk <Section ID> ] section is used to specify the named set of rules for this interpreter.

ZIP Reply Filters
The ZIP Reply interpreter allows incoming zone names in ZIP reply packets to be filtered. ZIP reply packets are used between routers and access servers to exchange the zone names for the networks kept in their routing tables. These devices are required to maintain a zone list for each of the networks maintained in the AppleTalk routing table and receive the zone name from an upstream router advertising the network. Extended networks allow more than one zone name to be associated with the range, even if it is a single range.

Note: If zone filtering for Macintosh end workstations is required, use a Get Zone List filter.
If a zone list is restricted in an upstream router with a ZIP reply filter, then the downstream routers will receive the filtered zone list for the network and subsequent downstream routers will also receive the filtered zone list. The only rules used in this interpreter are the zone and network rules. The zone rule must be present in the rule for it to be used, and the network rule may be used to further qualify the zone name being filtered. The network rule allows a zone name that is duplicated across an AppleTalk network to be filtered for that specific network. All other rules are ignored. The keyword ZIPReplyFilters in the [ AppleTalk <Section ID> ] section is used to specify the named set of rules for this interpreter.

Routing Filters (RTMP)
The Routing Table Maintenance Protocol (RTMP) interpreter allows network numbers in input and output AppleTalk RTMP routing packets to be filtered on an interface. The only rules used in this interpreter are the network and net-range rules. All other rules are ignored. The keywords InRTMPFilters and OutRTMPFilters in the [ AppleTalk <Section ID> ] section are used to specify the named set of rules for this interpreter.

The interpreters will not reorder the rules as they are specified before using them. They will be applied sequentially from the first rule to the last. Any filtered information that isn't allowed by the set of rules will be dropped silently. If that information is to be allowed, a final permit rule must be specified:

permit

There is an interaction between the packet filtering interpreter and the other interpreters which should be considered when defining filter sets. The packet filter interpreter applies its filters to packets as they are received by the device. If not filtered, the packets will then be passed on to the other interpreters. The reverse is true for packets going out.
First the ZIP Reply, Get Zone List and RTMP filters are applied, and if the packet is not filtered, it is passed on to the packet filter interpreter before being transmitted.

Rules which have been specified using Compatible's CompatiView Manager may be edited or examined through the command line interface. Likewise, rules defined through the command line interface may be edited through CompatiView. When the rules are downloaded into the device from CompatiView, they will be encrypted.

This is a special section of the configuration, meaning that there are no keywords to document. The elements enclosed in square brackets ([ ]) are optional. Each section contains a complete filter set uniquely identified by the Name portion of the section name. Multiple sections may exist, each with a unique name.

Synopsis of AppleTalk Filtering Rules
<action> [type exp] [srcnet exp] [dstnet exp] [srcnode exp] [dstnode exp] [srcskt exp] [dstskt exp] [network exp] [net-range exp] [zone exp] [NBPName exp] [NBPType exp] [NBPZone exp] [notify]

action ::= permit | deny
type exp ::= type <operator> <ATalk packet type number>
srcnet exp ::= srcnet <operator> <network number>
dstnet exp ::= dstnet <operator> <network number>
srcnode exp ::= srcnode <operator> <node address>
dstnode exp ::= dstnode <operator> <node address>
srcskt exp ::= srcskt <operator> <socket number>
dstskt exp ::= dstskt <operator> <socket number>
network exp ::= network <operator> <network number>
net-range exp ::= net-range <operator> <network range>
zone exp ::= zone <operator> <zone name>
NBPName exp ::= NBPName <operator> <NBP entity name>
NBPType exp ::= NBPType <operator> <NBP entity name>
NBPZone exp ::= NBPZone <operator> <zone name>
notify ::= log

At a minimum, every non-comment line in a filter set must include an action.

permit or deny
The action permit specifies that packets meeting the conditions should be passed through the filter.
The action deny specifies that packets meeting the conditions should be dropped by the filter.

Options

operator
The operator parameter is a logical operator used to compare a port number against a filtering rule. The basic action specified in the rule will almost always be accompanied with an option. AppleTalk filter options use some or all of a set of operators to determine whether the filter rule matches the information being examined or not. The following logical operators are supported:

eq, ==, and =
These are acceptable ways of writing an "equality" operator which will match if the value in the packet/information is equal to the value specified in the option expression.

lt and <
These are acceptable ways of writing a "less than" operator which will match if the value in the packet/information is less than the value specified in the option expression.

lteq, le, <=, and =<
These are acceptable ways of writing a "less than or equal to" operator which will match if the value in the packet/information is less than or equal to the value specified in the option expression.

gt and >
These are acceptable ways of writing a "greater than" operator which will match if the value in the packet/information is greater than the value specified in the option expression.

gteq, ge, >=, and =>
These are acceptable ways of writing a "greater than or equal to" operator which will match if the value in the packet/information is greater than or equal to the value specified in the option expression.

ne, <>, and !=
These are acceptable ways of writing an "inequality" operator which will match if the value in the packet/information is not equal to the value specified in the option expression.

The options available for AppleTalk filter rules allow rules to be more narrowly specified to exclude packets or other information based on a number of additional factors.
type <operator> <Atalk packet type number>
This option allows filtering of the packet type from the AppleTalk DDP header. The packet type value must be between 1 and 255. The numbers of some well-known packet types are listed below.

RTMP (1); NBP (2); ATP (3); ECHO (4); RTMP Request (5); ZIP (6); ADSP (7); SNMP (8); IP-in-AppleTalk (22); DECnet-in-AppleTalk (68)

srcnet <operator> <network number>
This option allows filtering of the source network from the AppleTalk DDP header. The network value must be between 1 and 65279. The keyword all may be used to specify all network values.

dstnet <operator> <network number>
This option allows filtering of the destination network from the AppleTalk DDP header. The network value must be between 1 and 65279. The keyword all may be used to specify all network values.

srcnode <operator> <node address>
This option allows filtering of the source node from the AppleTalk DDP header. The node value must be between 1 and 253.

dstnode <operator> <node address>
This option allows filtering of the destination node from the AppleTalk DDP header. The node value must be between 1 and 253.

srcskt <operator> <socket number>
This option allows filtering of the source socket from the AppleTalk DDP header. The socket value must be between 1 and 255.

dstskt <operator> <socket number>
This option allows filtering of the destination socket from the AppleTalk DDP header. The socket value must be between 1 and 255.

network <operator> <network number>
This option allows filtering of the network number in Get Zone List, Zip Reply and RTMP packets. The network value must be between 1 and 65279. The keyword all may be used to specify all network values.

net-range <operator> <network range>
This option allows filtering of GetZoneList and RTMP packets using a network range. Two AppleTalk network numbers separated by a space make up the network range. Each number must be between 1 and 65279.
The first number must be less than or equal to the second number. The operator in this option can only be "equality" or "inequality."

zone <operator> <zone name>
This option allows filtering of the zone name in Get Zone List, Zip Reply and RTMP packets. The zone name must be enclosed in quotes ("") and cannot be more than 32 characters long. It must not contain the approximately equal sign wildcard (≈) character or a "*". The operator in this option can only be "equality" or "inequality."

NBPName <operator> <NBP entity name>
This option allows filtering of the NBP name in an NBP request or reply packet. The NBP entity name must be between 1 and 32 characters and enclosed in quotation marks (""). It may contain the approximately equal sign wildcard (≈) character. All characters will be mapped to upper case before any comparisons are done. The operator in this option can only be "equality" or "inequality."

NBPType <operator> <NBP entity name>
This option allows filtering of the NBP type in an NBP request or reply packet. The NBP entity name must be between 1 and 32 characters and enclosed in quotation marks (""). It may contain the approximately equal sign wildcard (≈) character. All characters will be mapped to upper case before any comparisons are done. The operator in this option can only be "equality" or "inequality."

NBPZone <operator> <zone name>
This option allows filtering of the NBP zone name in an NBP request or reply packet. The zone name must be enclosed in quotes ("") and cannot be more than 32 characters long. It must not contain the approximately equal sign wildcard (≈) character or a "*". The operator in this option can only be "equality" or "inequality."

log
The log option causes the device to log data about the packet to syslog when the condition of the rule is met. See the [ Logging ] section for more information about logging.
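A parser and evaluator for the rule language defined above (actions, operator spellings, value ranges, the equality-only options, NBP wildcard and upper-case matching, first-match evaluation with a silent drop when nothing matches), written in Python as an added example; it is not Compatible's code, and the function names and the dict used to describe the examined packet or information are my own.

```python
import re

# Operator spellings accepted by the filter language, normalised to one symbol each.
OPERATORS = {"eq": "==", "==": "==", "=": "==", "lt": "<", "<": "<",
             "lteq": "<=", "le": "<=", "<=": "<=", "=<": "<=", "gt": ">", ">": ">",
             "gteq": ">=", "ge": ">=", ">=": ">=", "=>": ">=", "ne": "!=", "<>": "!=", "!=": "!="}
COMPARE = {"==": lambda a, b: a == b, "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "!=": lambda a, b: a != b}
# Numeric options with the value ranges the reference gives for each.
NUMERIC = {"type": (1, 255), "srcnet": (1, 65279), "dstnet": (1, 65279), "srcnode": (1, 253),
           "dstnode": (1, 253), "srcskt": (1, 255), "dstskt": (1, 255), "network": (1, 65279)}
ALLOW_ALL = {"srcnet", "dstnet", "network"}          # these accept the keyword "all"
STRINGS = {"zone", "NBPName", "NBPType", "NBPZone"}  # quoted values, 1 to 32 characters
WILDCARD_OK = {"NBPName", "NBPType"}                 # may contain the NBP wildcard
EQUALITY_ONLY = STRINGS | {"net-range"}              # only equality or inequality


def tokenize(line):
    # A quoted string is one token, so names with spaces survive.
    return re.findall(r'"[^"]*"|\S+', line)


def parse_rule(line):
    """Parse one filter line into (action, [(option, op, value), ...], log)."""
    toks = tokenize(line)
    if not toks or toks[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny: " + line)
    conds, log, i = [], False, 1
    while i < len(toks):
        opt = toks[i]
        if opt == "log":
            log, i = True, i + 1
            continue
        if opt not in NUMERIC and opt not in STRINGS and opt != "net-range":
            raise ValueError("unknown option " + opt)
        op = OPERATORS.get(toks[i + 1]) if i + 1 < len(toks) else None
        if op is None or (opt in EQUALITY_ONLY and op not in ("==", "!=")):
            raise ValueError("bad operator for " + opt)
        if opt == "net-range":                        # two numbers, low one first
            lo, hi = int(toks[i + 2]), int(toks[i + 3])
            if not 1 <= lo <= hi <= 65279:
                raise ValueError("bad net-range")
            value, i = (lo, hi), i + 4
        elif opt in STRINGS:
            raw = toks[i + 2]
            if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
                raise ValueError(opt + " value must be quoted")
            value, i = raw[1:-1], i + 3
            if not 1 <= len(value) <= 32 or "*" in value:
                raise ValueError("bad " + opt + " value")
            if "≈" in value and opt not in WILDCARD_OK:
                raise ValueError("wildcard not allowed in " + opt)
        elif toks[i + 2] == "all" and opt in ALLOW_ALL:
            value, i = "all", i + 3
        else:
            value, i = int(toks[i + 2]), i + 3
            if not NUMERIC[opt][0] <= value <= NUMERIC[opt][1]:
                raise ValueError(opt + " out of range")
        conds.append((opt, op, value))
    return toks[0], conds, log


def parse_filter(lines):
    """Parse a whole filter set; blank lines and # comments are skipped."""
    rules = []
    for line in lines:
        body = line.split("#", 1)[0].strip()
        if body:
            rules.append(parse_rule(body))
    return rules


def cond_matches(opt, op, value, info):
    # An option the examined packet or information does not carry cannot match.
    if opt not in info:
        return False
    actual = info[opt]
    if opt in WILDCARD_OK:
        # Compared in upper case; the wildcard stands for any run of characters.
        pat = "^" + ".*".join(re.escape(p) for p in value.upper().split("≈")) + "$"
        hit = re.match(pat, str(actual).upper()) is not None
    elif opt in STRINGS or opt == "net-range":
        hit = actual == value
    elif value == "all":
        hit = True
    else:
        return COMPARE[op](actual, value)
    return hit if op == "==" else not hit


def evaluate(rules, info):
    """Apply rules in order; the first match decides. No match means a silent drop."""
    for action, conds, log in rules:
        if all(cond_matches(*cond, info) for cond in conds):
            return action, log
    return "deny", False
```

The info dict carries only the fields the interpreter in question examines (a net-range is given as a (low, high) tuple), so a rule whose option the interpreter does not supply simply never matches.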
Examples
The following is an AppleTalk packet filter which denies echo packets (type 4) from network 55, and permits everything else.

deny srcnet = 55 type = 4
permit

The following is an AppleTalk packet filter which denies NBP lookups for the printer named "Engineering Printer," permits NBP lookups for the printer named "HP Printer" by the NBP zone "Sales," and permits everything else.

deny NBPName = "Engineering Printer"
permit NBPName = "HP Printer" NBPZone = "Sales"
permit

The following is an AppleTalk Get Zone List filter. These rules filter what is seen in the Chooser of Macintoshes attached to the network to which the rules are assigned. The example would: deny all zone names from networks 1-10; permit the zone name "Engineering;" deny the zone name "Sales;" permit all networks not equal to 100; and permit everything else.

deny net-range = 1 10
permit zone = "Engineering"
deny zone = "Sales"
permit network != 100
permit

The following is an AppleTalk RTMP filter. These rules can be used for either input or output RTMP filters to limit the network numbers that are allowed into the routing table or to be advertised from the device, respectively. The example performs the following actions: deny networks with a number of 100; permit networks between 200 and 300; deny networks numbered greater than 301; and permit everything else.

deny network = 100
permit net-range = 200 300
deny network > 301
permit

The following is an AppleTalk ZIP Reply filter. These rules can be used to restrict the zone names that are returned in ZIP Reply requests from other routers. This limits the zone list in routers behind the interfaces to which these rules are applied. The following example would: deny the zone name "Engineering;" deny the zone name of "Twilight" where the network number is 301 (if there is a zone name of "Twilight" associated with another network number, that would be permitted); and permit everything else.
    deny zone = "Engineering"
    deny zone = "Twilight" network = 301
    permit

See Also
[ AppleTalk <Section ID> ], [ Logging ], appletalk(show)

[ Auth ]

This section of the configuration defines the PPP remote authentication database. This is a special section of the configuration, meaning that there are no keywords to document. Each line is one entry defining a remote authentication entry. Multi-line entries must have line breaks escaped with a backslash. However, line breaks enclosed in a double-quoted string are preserved.

If the router has been configured to request PAP or CHAP, using the keywords PAPRequest or CHAPRequest in the [ PPP <Section ID> ] section, this database is used to validate authentication responses from the remote peer or user. The database is global to the router.

When the router makes an authentication request and receives a response, it searches this database for a matching name. If the name is found, the password/secret is validated and the success or failure is sent back to the peer. If the name is not found, the router will try to authenticate the name using RADIUS if RADIUS has been enabled (see the [ Radius ] section). If RADIUS is not enabled, the router returns a failure to the peer (or remote user). The authentication database will always supersede the RADIUS database.

An optional WAN interface can be specified to define the WAN interfaces on which a database entry is valid.

Each authentication entry has the following syntax:

    <Incoming Name> <Secret/Password> [Dialback=<Callback Script>] [<WAN ports>]

Incoming Name
The Incoming Name is the remote peer or user's CHAP or PAP name. It can be 1-255 bytes long and may be a quoted string in order to preserve spaces or embedded line breaks.

Secret/Password
The Secret/Password is the remote peer or user's CHAP secret or PAP password. It can be 1-255 bytes long and may be a quoted string in order to preserve spaces or embedded line breaks.
Dialback=<Callback Script>
The Callback Script is the optional chat script to be used if callback is desired. A callback mechanism is supported for both CHAP and PAP when a WAN connection is initiated by the remote peer. Dialout does not need to be enabled to use this feature (see the [ Link Config <Section ID> ] section). The script is defined through the [ Chat <Name> ] section. The name may be enclosed in double quotes ("") in order to preserve spaces or embedded line breaks.

WAN Ports
WAN Ports are used to define the WAN interfaces on which a database entry is considered valid. It may be all, none or a list of port names (e.g., WAN 0 WAN 2 WAN 10). If all or none appears in a list of port names, the first one encountered supersedes all other entries.

Examples

To specify a database entry for remote peer "Barney" with secret/password "Rubble":

    [ Auth ]
    Barney Rubble

To add a database entry for remote peer "Barney" with secret/password "Rubble" and optional callback script "dial Fred" (this entry will be valid for connections on port WAN 0 only):

    [ Auth ]
    Barney Rubble Dialback = "dial Fred" WAN 0

See Also
[ PPP <Section ID> ], [ Link Config <Section ID> ], [ Chat <Name> ], [ Radius ], ppp(show)

[ BGP Route Map <Name> ]

This section allows you to define, edit and name a BGP route map. BGP route maps are used only by the BGP protocol to filter routes and set certain attributes. Route maps help the administrator influence the route selection process, since BGP uses weight, preference and multi-exit discriminator (MED), among other things, to determine the optimal route.

BGP uses the following criteria, in the order presented, to select its best route for a destination:

• The most preferred path is the path with the largest weight.
• If the weights are the same, the protocol selects the path with the largest local preference.
• If the preferences are the same, the protocol selects the path that has the shortest AS path length.
• If all paths have the same AS path length, the protocol selects the path with the lowest MED.
• If the paths have the same MED, the protocol selects the path from the BGP peer with the lowest Router ID.

Route maps are not associated with a particular interface. They are applied in the [ BGP Peer Config <Name> ] section.

Note: IP route filters may be used with BGP instead of BGP route maps; however, the matching conditions are more limited, and various parameters such as community, local preference, and weight cannot be set with IP route filters.

No input routes will be accepted by the router unless a BGP route map or IP route filter has been defined. To allow all other network numbers not filtered, include the following rule:

    permit 0.0.0.0

The router checks BGP route maps first, and if the route is denied, the IP route filters will not be checked even if BGPUseIPRFltrs has been enabled in the [ BGP General ] section.

BGP routes known to the router will be advertised unless denied by a route map or a route filter. Static, OSPF, RIP and directly connected routes will not be advertised unless specified in the [ BGP Networks ] section or the [ IP Route Redistribution ] section.

This is a special section of the configuration, meaning that there are no keywords to document. The elements enclosed in square brackets ([ ]) are optional. Each section contains a complete route map uniquely identified by the Name portion of the section name. Multiple sections may exist, each with a unique name.
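As an added example (not part of this guide or of the router software), the following Python program applies the five selection criteria listed above, in order, to a constructed set of candidate routes for one destination and reports which criterion decided the choice. The route fields, the peer Router IDs and the set_local_pref helper, which models what a setpref input modifier does to routes learned from one peer, are assumptions made for the example.

```python
# Added example: the five-step BGP best-path selection described in this section.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

CRITERIA = ("weight", "local preference", "AS path length", "MED", "Router ID")


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    peer_router_id: str            # Router ID of the BGP peer the route was learned from
    weight: int = 0
    local_pref: int = 100
    as_path: Tuple[int, ...] = ()
    med: int = 0


def rank_key(route: BgpRoute) -> tuple:
    """Sort key ordered exactly as the section's criteria; the smallest key is the best path."""
    # Larger weight and larger local preference win, so they are negated;
    # the remaining criteria all prefer the lowest value.
    return (-route.weight, -route.local_pref, len(route.as_path), route.med,
            tuple(int(octet) for octet in route.peer_router_id.split(".")))


def best_path(routes: List[BgpRoute]) -> BgpRoute:
    if not routes:
        raise ValueError("no candidate routes for this destination")
    return min(routes, key=rank_key)


def deciding_criterion(routes: List[BgpRoute]) -> Optional[str]:
    """Name the first criterion separating the winner from the runner-up (None if there is no tie to break)."""
    ranked = sorted(routes, key=rank_key)
    if len(ranked) < 2:
        return None
    for name, a, b in zip(CRITERIA, rank_key(ranked[0]), rank_key(ranked[1])):
        if a != b:
            return name
    return None


def set_local_pref(routes: List[BgpRoute], peer_router_id: str, pref: int) -> List[BgpRoute]:
    """Model a setpref input modifier applied to the routes learned from one peer (assumed helper)."""
    return [replace(r, local_pref=pref) if r.peer_router_id == peer_router_id else r for r in routes]


# Constructed candidates for one destination, learned from three peers.
CANDIDATES = [
    BgpRoute("192.61.5.0", "10.0.0.1", as_path=(200,), med=50),
    BgpRoute("192.61.5.0", "10.0.0.2", as_path=(300, 400), med=10),
    BgpRoute("192.61.5.0", "10.0.0.3", as_path=(200,), med=10),
]

if __name__ == "__main__":
    chosen = best_path(CANDIDATES)
    print(f"best path via {chosen.peer_router_id}, decided by {deciding_criterion(CANDIDATES)}")
    preferred = set_local_pref(CANDIDATES, "10.0.0.2", 300)
    chosen = best_path(preferred)
    print(f"after setpref 300 on peer 10.0.0.2: via {chosen.peer_router_id}, "
          f"decided by {deciding_criterion(preferred)}")
```

Weight and local preference are negated in the sort key so that a single min() applies all five criteria in the stated order, and the Router ID is compared as a tuple of octets so that 10.0.0.3 ranks below 10.0.0.20, which a plain string comparison would get wrong. The section lists MED as a plain tie-breaker; on common BGP implementations MED is by default compared only among paths from the same neighbouring AS, which this example does not model.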
Synopsis of IP Routing Mapping Rules

    <action> <route> <direction> [ output modifiers | input modifiers ]

    action ::= permit | deny
    route ::= <IP address>[/<bits>]
    direction ::= in | out
    [output modifiers] ::= { ipaddr <IP address>[/<bits>] | toas <AS number> }
                           | origin <protocol> | setnhop <IP address> | setmed <MED number>
                           | setasp <AS number> | setcomm <community number> | addcomm <community number>
    [input modifiers] ::= { ipaddr <IP address>[/<bits>] | hasas <AS number> | srcas <AS number>
                            | nhop <IP address> | comm <community number> }
                          | setpref <preference> | setwt <weight>

At a minimum, every non-comment line in a route map must include an action, a route and a direction. Together these components specify a rule that the router will follow when a route meets the condition of the rule.

permit | deny
These parameters specify the action to be taken when a route meets the condition of the rule.

<IP address>[/<bits>]
IP addresses can be specified in a variety of ways:

a) IP addresses can be specified in normal dotted decimal notation. If the rightmost components are 0, they are treated as wild cards (for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet). An address with all zeros matches anything and can be used as a wild card in the case where one of the addresses doesn't matter.

b) IP addresses can be specified as a factorized address in the form of #.#.#.{#,#,...}. For example, 192.12.9.{1, 2, 3, 15} matches the hosts 192.12.9.1, 192.12.9.2, 192.12.9.3, and 192.12.9.15. There is no need for all 4 components. For example, 198.41.{8,9,10,11,12,13} would match all host addresses from 198.41.8.1 to 198.41.13.255. However, the factorized part must be at the end of the address.

c) IP addresses may also be specified as a hexadecimal number (for example, 0x82cc0801 matches the host address 130.204.8.1).
The optional /bits at the end of an IP address is a bit field denoting the number of bits that are significant when doing the comparison against the addresses from the IP packet. It denotes the top or most significant bits to use. For example, an address specified in the rules as 192.15.32.0/19 would match all host addresses from 192.15.32.1 to 192.15.63.255. A specified bit field will override the default class-based mask generated by the address specification rules listed above. For example, the address 198.15.9.0 would have a mask of 255.255.255.0, as if a /24 had been appended to the address. However, if 198.15.9.0/8 had actually been entered, the /8 would override the default mask and all addresses from 198.0.0.1 to 198.255.255.255 would match.

in | out
These parameters allow users to specify the direction for which the rule is applied.

Options

Output modifiers

{ ipaddr <IP address>[/<bits>] | toas <AS number> }
This modifier limits output rules to routes going to the designated IP address or Autonomous System (AS) number. Only one argument is expected here. If the router only has one peer in a given AS, then ipaddr or toas will accomplish the same result. If the router has multiple peers within a neighboring AS, the IP address of the peer can be used to limit the rule to just that peer, or the AS number can be used to apply the rule to every peer in the AS. The IP address may be specified in any of the ways described above. The AS number is specified as an integer.

origin <protocol>
This modifier limits output rules to routes originating from the designated protocol. BGP can advertise direct, static, RIP, OSPF, or other BGP routes from its own IP routing table to peers. The possible values are icmp, rip, ripv2, static, OSPF, BGP and direct. Multiple protocols may be listed.

setnhop <IP Address>
This modifier allows the next hop to be set on the outgoing route.
The hop is specified as an IP address in the standard dotted-decimal notation.

setmed <MED number>
This modifier allows the multi-exit discriminator (MED) to be set on the outgoing route. This is a metric which is used only when there are multiple paths to an AS. The MED is used to set a preference for a particular path to the AS. The MED is specified as an integer.

setasp <AS number>
This modifier allows the specified AS list to be prepended to the outgoing AS path attribute. Up to 6 AS numbers may be entered. Each AS number is specified as an integer.

setcomm <community number>
This modifier allows a community list to be set on the outgoing route. A community is a group of destinations to which routing decisions can be applied. The community number can be specified with up to 6 community numbers, specified as integers, or can be listed as one of the special communities.

The special community noexport (NO_EXPORT) specifies that this route will not be advertised outside a BGP confederation boundary. A BGP confederation is a collection of several ASs that are advertised as a single AS to all BGP peers which are not members of the confederation.

The special community noadv (NO_ADVERTISE) specifies that this route will not be advertised to any BGP peers (including internal peers).

The special community noexpsub (NO_EXPORT_SUBCONFED) specifies that this route will not be advertised to external peers. This means that this route can be advertised to internal peers only and will not be advertised outside its AS.

addcomm <community number>
This modifier allows a community list to be prepended on the outgoing route. Up to 6 community numbers, specified as integers, may be given.
Input modifiers

{ ipaddr <IP address>[/<bits>] | hasas <AS number> | srcas <AS number> | nhop <IP address> | comm <community number> }
This modifier, with the exception of hasas, limits input rules to routes originating from the designated IP address, AS number, next hop or community. A BGP route contains information concerning each AS that it has traversed; the hasas parameter specifies that the rule will be applied if the specified AS number appears anywhere in the AS path. Only one argument is expected here. The IP address may be specified in any of the ways described above. The AS number is specified as an integer. The community number is specified as an integer.

setpref <preference>
This allows the preference to be set on incoming routes from the given IP address, AS number, community, or next hop. The preference is specified as an integer.

setwt <weight>
This allows the weight to be set on incoming routes from the given IP address, AS number, community, or next hop. The weight is specified as an integer.

Examples

In the following example, route 192.61.5.0 will be permitted in if the community attribute contains the community 200, and the preference will be set to 100. In line two, all other routes from community 200 will also be accepted, but the preference will be set to 300. Routes that do not contain community 200 will be denied.

    [ BGP Route Map "mymapin" ]
    permit 192.61.5.0 in comm 200 setpref 100
    permit 0.0.0.0 in comm 200 setpref 300

In the following example, all direct routes specified in the [ BGP Networks ] section will be allowed out to AS number 200, and the MED will be set to 10. In the second line, all routes will be allowed out to AS number 300, but the community value will be set to noadv (NO_ADVERTISE).
    [ BGP Route Map "mymapout" ]
    permit 0.0.0.0 out toas 200 origin direct setmed 10
    permit 0.0.0.0 out toas 300 setcomm noadv

See Also
[ IP Route Filter <Name> ], [ BGP Peer Config <Name> ], [ BGP General ], [ BGP Networks ], [ IP Route Redistribution ]

[ Chat <Name> ]

Compatible Systems routers support standard communications chat scripts that let you specify dialing and/or connect sequences between this router and remote routers or terminal servers. All of the chat scripts stored in a router are available for use on any of the router's WAN interfaces. To select the scripts which will be used on a specific interface, use the DialOutScript and DialBackScript keywords in the [ Link Config <Section ID> ] section. These scripts may also be used for user-specific dial-back scripts in the [ Auth ] section.

This is a special section of the configuration, meaning that there are no keywords to document. Each section contains a complete chat script uniquely identified by the "Name" portion of the section name. Multiple [ Chat <Name> ] sections may exist, each with a unique name. The rules and syntax of chat scripts follow.

send and expect

There are as many variations of chat scripts as there are specific installation requirements. However, all chat scripts generally follow the same format, which is a series of send and expect statements. Every line in a chat script must start with either send or expect in order to be a valid chat script line.

Lines which begin with send will cause all other characters on the line to be output through the WAN interface which is running the script (except escaped control characters, as described below). Lines which begin with expect will cause the router to wait for matching input characters from the WAN interface which is running the script. The router is case-sensitive when examining returned data.
When the expected string is long (e.g., Please login:, Please enter your password:), it may be easier to get an exact match if only part of the expected response is included in an expect statement. (See the ISP example at the end of this section.)

Note: The amount of time the router will wait for an expected response is determined by the ScriptTimeout parameter specified in the [ Link Config <Section ID> ] section.

Control Characters

All control characters are preceded by a backslash character (\). This tells the router that what follows is an escaped character and should not be literally sent on the WAN interface.

    \r         Insert a carriage return.
    \c         Don't add a carriage return to the end of the line; valid at end of line only.
    \x         Insert a hex digit (range 0x0 to 0xFF).
    \p         Pause for 0.3 seconds.
    \b         Send a break character.
    \<space>   Follow the backslash with a space to insert a space; space characters between send or expect commands and the first character of a line are normally stripped.
    \t         Insert a tab.
    \n         Insert a new line.
    \q         Set "quiet mode": do not log output until another \q is encountered.
    \\         Insert a backslash.

Typically, send lines are used to send instructions to the communications device (e.g., modem, CSU/DSU or TA) and/or send information to the remote router or terminal server. If the WAN interface is configured for asynchronous operation, the instructions must be AT commands. If the WAN interface is configured for synchronous operation, the instructions must be V.25bis commands. The following sections give examples of common script instructions.

The AT Command Set

Most asynchronous devices (e.g., modems and some terminal adapters) expect AT commands from the router in order to dial or perform other functions. Different devices support different subsets of AT commands. To be certain that the AT commands you are using are correct for your device, you must refer to the manual that came with your device.
Every AT command is preceded by an "AT" which tells the device that the string is destined for it. Listed below are the most common (and commonly supported) AT commands:

ATDT
Originate a call by dialing the number sequence which follows this command using tones (note: use a comma in the sequence for a delay).
Note: An asynchronous terminal adapter does not use tones to dial ISDN phone numbers. Use ATD to dial ISDN phone numbers.
Note: To include a pound sign (#) as part of the number sequence, the sequence must be enclosed in double quotes ("").

ATH0
Hang up (note: the final character is a zero).

ATM0
Set speaker off (note: the final character is a zero).

ATM1
Set speaker on until connect.

Modems typically provide a response message depending on the success of an attempted call:

CONNECT
The other end has successfully answered. Note that some modems require a switch to be set correctly to receive text responses (as opposed to result codes).

Note: Compatible Systems routers automatically send standard modem setup parameters when an interface's dialing method is set for AT dialing. To set the dialing method, see the Dialing keyword in the [ Link Config <Section ID> ] section. These setup parameters are adequate for virtually all dial-up applications. In most cases, your modem should work right out of the box.

The V.25bis Command Set

Different CSU/DSUs and Terminal Adapters support different subsets of the V.25bis commands. To be certain that the V.25bis commands you are using are correct for your communications device, you should refer to the manual that came with the device. The V.25bis commands use hardware signaling to denote whether the information they are sending is destined for the communications device or the data link itself. Listed below are the most common (and commonly supported) V.25bis commands:

CRN
Originate a call by dialing the number sequence which follows this command.
Note: To include a pound sign (#) as part of the number sequence, the sequence must be enclosed in double quotes ("").

CIC
Connect an incoming call.

Communications devices provide several responses depending on the outcome of an attempted call:

CNX
The other end has successfully answered.

INC
An incoming call has been detected.

VAL
The command received is valid.

INV
The command received is invalid or is not supported (may be followed by an error code).

CFI
Call Failure Indicator. The call could not be completed.

Note: If your router is connected to a device synchronously, make sure to configure the line device to accept V.25bis commands in bit-synchronous format (i.e., within HDLC packets). This is the format Compatible Systems routers use to send V.25bis commands.

Examples

This script dials through a PBX which requires a 9 to be dialed, followed by a delay in order to access an outside line:

    [ Chat "PBX Out" ]
    send atdt 9,13035559000
    expect CONNECT

To connect to another router via an ISDN line using V.25bis dialing:

    [ Chat "ISDN V.25" ]
    send CRN 5554000
    expect CNX

To connect to an Internet Service Provider using a modem:

    [ Chat "ISP" ]
    send atdt 5551000
    expect CONNECT
    expect login:
    send myname
    expect ssword:
    send im4skiingru2
    expect connecting

Note: As demonstrated in this script, only part of the expected response is included in the expect statement when the expected string is long. This can make it easier to get an exact match.

See Also
[ Link Config <Section ID> ], [ Auth ], wan(show)

[ IP Filter <Name> ]

This section permits sets of IP filtering rules to be defined, edited and identified with specific names. The named set of filtering rules may then be associated with either the IP input or output filtering attributes of an interface (see the [ IP <Section ID> ] section).
This allows the router to accomplish IP packet filtering on packets inbound to and outbound from a router. This method allows the greatest flexibility since common rules may be established and applied independently to the inbound and outbound interfaces.

The router does not reorder the rules before they are applied against a packet; they are applied in the order they were written. When multiple filter sets are selected, they are concatenated in the device from first to last. Any IP packet not explicitly allowed by the rule set is dropped silently. To allow all other packets not filtered, the last rule must be:

    permit 0.0.0.0 0.0.0.0 ip

Due to the nature of the IP protocol, IP packet filtering can be quite complicated. If you are attempting to design and implement a comprehensive set of filters, or an Internet firewall, there are a number of references you should consult. Please see the references cited at the end of this section.

This is a special section of the configuration, meaning that there are no keywords to document. Each section contains a complete filter set uniquely identified by the Name portion of the section name. Multiple sections may exist, each with a unique name.

Synopsis of IP Filtering Rules

    <action> <src IP address> <dst IP address> [ proto ] [ notify ]

    action ::= permit | deny
    IP address ::= <IP address>[/<bits>]
    [proto] ::= IP
              | TCP [ src <operator> <port> ] [ dst <operator> <port> ] [ <tcp-flags> ]
              | UDP [ src <operator> <port> ] [ dst <operator> <port> ]
              | ICMP [ type <operator> <port> ]
              | GRE | AH | ESP | OSPF
              | proto <operator> <protocol number>
    [notify] ::= log | icmp

At a minimum, every non-comment line in a filter set must include an action, a source IP address and a destination IP address. Together these components specify the action to be taken when a packet meets the condition of the rule.
permit or deny
The action permit specifies that packets meeting the conditions should be passed through the filter. The action deny specifies that packets meeting the conditions should be dropped by the filter.

<src IP address>[/<bits>] and <dst IP address>[/<bits>]
These are the source and destination IP addresses and masks used to filter an IP packet. The router extracts the source and destination address from the IP packet under scrutiny, masks them, and then compares them against the respective address in the filter rule. IP addresses can be specified in many ways:

a) IP addresses can be specified in normal dotted-decimal notation. If the rightmost components are 0, they are treated as wild cards (for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet). An address with all zeros (0.0.0.0) matches anything and can be used as a wild card in the case where one of the addresses doesn't matter.

b) IP addresses can be specified as a factorized address in the form of #.#.#.{#,#,...}. For example, 192.12.9.{1,2,3,15} matches the hosts 192.12.9.1, 192.12.9.2, 192.12.9.3, and 192.12.9.15. There is no need for all 4 components. For example, 198.41.{8,9,10,11,12,13} would match all host addresses from 198.41.8.1 to 198.41.13.255. However, the factorized part must be at the end of the address.

c) IP addresses may also be specified as a hexadecimal number (for example, 0x82cc0801 matches the host address 130.204.8.1).

The optional /bits at the end of an IP address is a bit field denoting the number of bits that are significant when doing the comparison against the addresses from the IP packet. It denotes the top or most significant bits to use. For example, an address specified in the rules as 192.15.32.0/19 would match all host addresses from 192.15.32.1 to 192.15.63.255. A specified bit field will override the default class mask generated by the address specification rules listed above.
For example, the address 198.15.9.0 would have a mask of 255.255.255.0, as if a /24 had been appended to the address. However, if 198.15.9.0/8 had actually been entered, the /8 would override the default mask and all addresses from 198.0.0.1 to 198.255.255.255 would match.

Options

Filter rules can accept certain modifiers (proto and notify, as shown in the synopsis at the beginning of this section) which use a set of expression operators to allow information in a packet to be compared to the modifier's parameters.

operator
The operator parameter is a logical operator used to compare a port number against a filtering rule. The following logical operators are supported:

eq, ==, and =
These are allowable ways of writing an "equality" operator which will match a packet if its port number is equal to the port specified in the modifier.

lt and <
These are allowable ways of writing a "less than" operator which will match a packet if its port number is less than the port specified in the modifier.

lteq, le, <=, and =<
These are allowable ways of writing a "less than or equal to" operator which will match a packet if its port number is less than or equal to the port specified in the modifier.

gt and >
These are allowable ways of writing a "greater than" operator which will match a packet if its port number is greater than the port specified in the modifier.

gteq, ge, >=, and =>
These are allowable ways of writing a "greater than or equal to" operator which will match a packet if its port number is greater than or equal to the port specified in the modifier.

ne, <>, and !=
These are allowable ways of writing an "inequality" operator which will match a packet if its port number is not equal to the port specified in the modifier.

port
The port parameter may be specified as a decimal number between 0 and 65,535. It may also be entered as one of the keywords in the following table.
The keywords are followed by their port numbers for your reference.

TCP PORTS:
    systat (11)          netstat (13)         ftp-data (20)        ftp (21)
    telnet (23)          smtp, mail (25)      whois (43)           gopher (70)
    rje (77)             www, http (80)       pop-2 (109)          pop-3 (110)
    auth (113)           nntp, usenet (119)   netbios-ssn (139)    news (144)
    rexec (512)          rlogin (513)         rshell (514)         printer, lpd (515)
    uucp (540)           listen, rfs (1025)   x, xwin (6000)       irc (6667)

UDP PORTS:
    name (42)            bootps (67)          bootpc (68)          tftp (69)
    snmp (161)           snmp-trap (162)      biff, comsat (512)   rwho (513)
    syslog (514)         talk (517)           ntalk (518)          route, rip (520)
    timed (525)          mount (635)          pcnfs (640)          nfs (2049)

COMMON UDP AND TCP PORTS:
    echo (7)             discard (9)          daytime (13)         chargen (19)
    time (37)            dns, domain (53)     sunrpc, rpc, portmapper (111)
    ntp (123)            netbios-ns (137)     netbios-dgm (138)

ICMP TYPES:
    echo-reply (0)       dest-unrch (3)       src-quench (4)       redirect (5)
    echo, ping (8)       time-exceed (11)     param-prob (12)      time (13)
    time-reply (14)      info (15)            info-reply (16)      mask (17)
    mask-reply (18)

Note: RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

IP
This option specifies that all packets from the source and destination IP address and mask will match this rule. If no particular IP protocol packet type (TCP, UDP, ICMP, GRE, AH, ESP or OSPF) is specified, IP is assumed. The IP protocols, other than IP itself, may be specified as a decimal number or as a keyword. The supported keywords are followed by their protocol numbers for your reference.

    TCP (6)     UDP (17)     ICMP (1)     GRE (47)     AH (51)     ESP (50)     OSPF (89)

TCP [ src <operator> <port> ] [ dst <operator> <port> ] [ <tcp-flags> ]
This option allows filtering on TCP (Transmission Control Protocol) packets. A source or destination port may be filtered by using the src and dst specifiers, a logical expression operator and a port.
A rule to allow TCP packets with a source port greater than or equal to 1024 and a destination port of 25 (SMTP mail) would look like:

    permit 0.0.0.0 0.0.0.0 TCP src >= 1024 dst = 25

To allow certain sessions out but not in, use the specifier tcp-flags. The only value recognized as tcp-flags is est, which specifies that an external connection to a particular port is not allowed, but two-way traffic established by an internal machine will pass through the device. The device performs this operation by examining the flags in the TCP header. When a session is being established, the first packet only contains the "SYN" flag, while subsequent packets contain the "ACK" flag. A permit packet filter rule using the est keyword will not match a packet with only the "SYN" flag. Unless another rule allows it through, the packet is dropped: the "SYN" packet doesn't reach its destination, no reply is returned to the sender, and a connection is never established. See [Chapman 1995] pgs. 8-9 and the Examples found later in this section.

UDP [ src <operator> <port> ] [ dst <operator> <port> ]
This option allows filtering on UDP (User Datagram Protocol) packets. A source or destination port may be filtered by using the optional src and dst specifiers. A rule to allow UDP packets with a source port greater than 910 and a destination port of 53 (Domain Name System) would look like:

    permit 0.0.0.0 0.0.0.0 UDP src > 910 dst = 53

Note: CompatiView uses UDP port 33020. Care should be taken not to deny this port if CompatiView configuration is desired.

ICMP [ type <operator> <port> ]
This option allows filtering on ICMP (Internet Control Message Protocol) packets. The ICMP type may be filtered by using the type specifier. A rule to deny ICMP echo requests (pings) would look like:

    deny 0.0.0.0 0.0.0.0 ICMP type = 8

GRE
This option allows filtering on GRE (Generic Routing Encapsulation) packets.
GRE provides a simple, general purpose mechanism to encapsulate network protocols into IP for the purpose of tunneling across the Internet.
Note: If VPN tunneling without authentication is enabled on an interface to which an IP filter is applied, then the filter must specifically permit GRE packets.

AH
This option allows filtering on AH (Authentication Header) packets. AH is used for authentication of tunneled packets across the Internet.
Note: If VPN tunneling with authentication is enabled on an interface to which an IP filter is applied, then the filter must specifically permit AH packets.

ESP
This option allows filtering on ESP (Encapsulating Security Payload) packets. ESP is used for encryption of tunneled packets across the Internet.
Note: If VPN tunneling with encryption only (i.e., no authentication) is enabled on an interface to which an IP filter is applied, then the filter must specifically permit ESP packets.

OSPF
This option allows filtering on OSPF (Open Shortest Path First) packets. OSPF IP packets carry OSPF routing data.

proto <operator> <protocol number>
This option allows general filtering of IP protocol numbers that don't have established keywords as specified above. The rule also allows an expression to be specified which allows filtering on ranges of protocol numbers (e.g., proto > 51).

notify
This option tells the router what to do when a packet matches a particular rule. There is a counter associated with every rule that is incremented whenever a packet matches the rule. Normally, unless a notification option is specified, a matching packet is dropped silently. The individual notification options are:

log
The log keyword causes the router to log data about the packet to syslog when the condition of the rule is met. See the [ Logging ] section for more information.
icmp The icmp keyword is only valid on a deny rule and directs the router to return an ICMP notification to the source of the matching packet. Examples Drop all packets with the source host address 192.15.1.10. deny 192.15.1.10 0.0.0.0 Drop all packets with a source network address of 192.15.1.0. All packets from hosts on that network would be denied. deny 192.15.1.0/24 0.0.0.0 Allow only inbound and outbound mail from 192.15.14.1. The input-filter: permit 0.0.0.0 192.15.14.1 TCP src >= 1024 dst = 25 permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024 The output-filter: permit 192.15.14.1 0.0.0.0 TCP src = 25 dst >= 1024 permit 192.15.14.1 0.0.0.0 TCP src >= 1024 dst = 25 These sets of rules are intended to filter out all traffic and only allow incoming and outgoing mail to a server inside a net with an IP address of 192.15.14.1. However, these rules aren't enough to prevent an attack from someone with access to port 25. They can initiate a connection to ports greater than 1024 according to the second rule in the input filter. To prevent this from happening, add the est flag to the second rule. So it would look like: permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024 est This rule now tells the router to only check TCP packets where the connection is already established. This can be done because TCP packets will only have the "SYN" flag set when a session is being established. After they are established, this flag isn't set. In other words, if a connection is trying to be established for the outside at port 25, the rule won't be applied and the connection can't be established since the packet will be dropped by the default rule. Application To augment the descriptions and examples above, the following application of IP filtering is provided. This application assumes that the example organization has several Class C IP networks including 192.15.9.0, 192.15.10.0 and 192.15.11.0. 
The organization also has an Internet connection through a separate router on the 192.15.9.0 network. That network and the rest of the Internet are considered insecure.

First, a set of input filter rules to be applied on all packets from the insecure network is defined and shown below as ip-in. The only TCP services this rule set permits access to are SMTP (mail) and NNTP (Usenet news). All break-in attempts (denied packets) and permitted news requests are logged. On the UDP side, everything but DNS, NFS, RPC (portmapper), and mount requests is allowed. All other IP traffic is let through.

    [ IP Filter "ip-in" ]
    # Explicitly permit these services
    permit 0.0.0.0 0.0.0.0 tcp dst = smtp
    permit 0.0.0.0 0.0.0.0 tcp dst = nntp log
    # Deny access to all other services below port 1024
    deny 0.0.0.0 0.0.0.0 tcp dst <= 1024 log
    # Lock out access to our X Servers
    permit 0.0.0.0 0.0.0.0 tcp dst < 6000
    permit 0.0.0.0 0.0.0.0 tcp dst > 6100
    deny 0.0.0.0 0.0.0.0 tcp log
    # Deny access to specific UDP services
    deny 0.0.0.0 0.0.0.0 udp dst = dns log
    deny 0.0.0.0 0.0.0.0 udp dst = nfs log
    deny 0.0.0.0 0.0.0.0 udp dst = rpc log
    deny 0.0.0.0 0.0.0.0 udp dst = mount log
    # Let everything else through
    permit 0.0.0.0 0.0.0.0 ip

In the real world, there are some hosts on the insecure side of the router which are trusted (at least a little). The following rule set permits specific access from such a host to the network. In this case, the host 192.15.9.99 needs access to the secured DNS, telnet and mail services. Telnet is further restricted to only a few hosts on the secure side. This is the gw-host rule set.

    [ IP Filter "gw-host" ]
    permit 192.15.9.99 0.0.0.0 udp dst = dns
    permit 192.15.9.99 192.15.10.{5,15,16} tcp dst = telnet
    permit 192.15.9.99 0.0.0.0 tcp dst = mail

Often there are some hosts from which all packets going through the interface should be filtered. These hosts might be local hosts containing sensitive data that should be considered invisible to the insecure network. Or they might be hosts from the insecure side that have been known to cause trouble in the past. This is the servers rule set.

    [ IP Filter "servers" ]
    deny 192.15.11.{100,101} 0.0.0.0 log
    deny 0.0.0.0 192.15.11.{100,101} log

After the first command is entered, whether it is permit or deny, the default rule says that everything else will be denied. Therefore, a rule permitting everything is required. This is the permit all else rule set.

    # The router filters everything by default, sometimes
    # this isn't what we want...
    [ IP Filter "permit all else" ]
    permit 0.0.0.0 0.0.0.0 ip

Each IP interface in the router may have up to 4 input and output filtering rule sets. Filter sets are associated with an interface in the [ IP <Section ID> ] section. Here is how the rules described above would be applied to the interface of the insecure net.

    [ IP Ethernet 3 ]
    Mode = Routed
    IPAddress = 192.15.9.1
    InFilters = servers gw-host ip-in
    OutFilters = servers "permit all else"

In this case, the interface "Ethernet 3" is attached to a small net with a gateway router and a few server hosts that run FTP, mail, DNS, and web servers. The rest of the interfaces are attached to secure internal networks. All traffic to or from the secure hosts 192.15.11.100 and 192.15.11.101 is totally blocked through this interface. All other hosts on the secure side may connect to any service on any insecure host, but the only insecure connections they will receive will be mail and netnews.

References

[Chapman, 1995] Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky. O'Reilly & Associates, 1995.

[Cheswick, 1994] Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick and Steven M. Bellovin. Addison-Wesley Publishing Company, Reading, Massachusetts, 1994.
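The effect of the est keyword on the mail-server input filter from the Examples above, as an added example that is not code from this guide: a small evaluator for the rule syntax, run against constructed packets. It assumes a placeholder outside host 198.51.100.7, models tcp-flags by a packet's SYN and ACK bits, handles only the 0.0.0.0, host and address/bits address forms, and does not map service names such as smtp to numbers.

```python
"""Added example (not code from the Compatible Systems guide): a minimal
evaluator for the IP filter rules above, used to show what the est keyword
changes for the mail-server input filter. Only the 0.0.0.0, host and
address/bits address forms are handled; tcp-flags are modelled by a
packet's SYN and ACK bits, and port keywords such as smtp are not mapped."""
from dataclasses import dataclass
import ipaddress
import operator

# Comparison operators accepted in rules, mapped to Python comparisons.
OPS = {"=": operator.eq, "==": operator.eq, "eq": operator.eq,
       "<": operator.lt, "lt": operator.lt,
       "<=": operator.le, "=<": operator.le, "le": operator.le, "lteq": operator.le,
       ">": operator.gt, "gt": operator.gt,
       ">=": operator.ge, "=>": operator.ge, "ge": operator.ge, "gteq": operator.ge,
       "!=": operator.ne, "<>": operator.ne, "ne": operator.ne}
PROTOCOLS = ("ip", "tcp", "udp", "icmp", "gre", "ah", "esp", "ospf")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    syn: bool = False           # TCP SYN flag
    ack: bool = False           # TCP ACK flag
    icmp_type: int = 0

@dataclass
class Rule:
    action: str
    src: str
    dst: str
    proto: str = ""             # "" means any IP protocol
    conds: tuple = ()           # (field, compare, value) triples
    est: bool = False
    notify: tuple = ()          # "log" and/or "icmp"

def parse_rule(line):
    """<action> <src> <dst> [proto [src op n] [dst op n] [type op n] [est]] [log] [icmp]"""
    tok = line.split()
    action, src, dst, rest = tok[0].lower(), tok[1], tok[2], tok[3:]
    proto, conds, est, notify, i = "", [], False, [], 0
    if rest and rest[0].lower() in PROTOCOLS:
        proto, i = rest[0].lower(), 1
    while i < len(rest):
        word = rest[i].lower()
        if word in ("src", "dst", "type"):             # <field> <operator> <number>
            conds.append((word, OPS[rest[i + 1].lower()], int(rest[i + 2])))
            i += 3
        elif word == "est":
            est, i = True, i + 1
        elif word in ("log", "icmp"):                  # notify options come last
            notify.append(word)
            i += 1
        else:
            raise ValueError(f"unknown token {rest[i]!r} in rule: {line}")
    return Rule(action, src, dst, proto, tuple(conds), est, tuple(notify))

def addr_matches(spec, address):
    """0.0.0.0 matches anything; otherwise a host address or address/bits."""
    if spec == "0.0.0.0":
        return True
    net = ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)
    return ipaddress.ip_address(address) in net

def rule_matches(rule, pkt):
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.proto not in ("", "ip") and rule.proto != pkt.proto:
        return False
    fields = {"src": pkt.sport, "dst": pkt.dport, "type": pkt.icmp_type}
    if not all(compare(fields[name], value) for name, compare, value in rule.conds):
        return False
    # est: a packet carrying SYN without ACK is a new connection attempt and never matches.
    return not (rule.est and pkt.syn and not pkt.ack)

def apply_filter(rules, pkt):
    """First matching rule wins; a packet no rule permits is dropped (the default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

# The guide's input filter for the mail server, as first written and with est added.
MAIL_IN = [parse_rule(r) for r in ("permit 0.0.0.0 192.15.14.1 TCP src >= 1024 dst = 25",
                                   "permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024")]
MAIL_IN_EST = [parse_rule(r) for r in ("permit 0.0.0.0 192.15.14.1 TCP src >= 1024 dst = 25",
                                       "permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024 est")]

# Constructed sample packets; 198.51.100.7 is a placeholder for an outside host.
MAIL_SYN = Packet("198.51.100.7", "192.15.14.1", "tcp", 40000, 25, syn=True)    # inbound mail delivery
PROBE_SYN = Packet("198.51.100.7", "192.15.14.1", "tcp", 25, 6000, syn=True)    # new connection from port 25 to a high port
REPLY_ACK = Packet("198.51.100.7", "192.15.14.1", "tcp", 25, 40001, ack=True)   # reply to a session the server opened
```

Without est the second rule passes PROBE_SYN; with est only MAIL_SYN and REPLY_ACK are permitted and the probe falls through to the default deny.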
See Also

[ IP <Section ID> ], [ Logging ]

[ IP Route Filter <Name> ]

This section allows you to define, edit and name a set of IP route filtering rules. This allows the device to filter inbound IP network numbers received in routing advertisements and outbound routes advertised by the device. These filter rules are global to the device and are not associated with a particular interface. However, they can be restricted to an interface using the from or to modifiers, as explained later in this section.

The device does not reorder the rules from the order in which they are specified before applying them against a network number. They are applied in the order they were written. When multiple filter sets are selected, they are concatenated in the device from first to last.

Any IP network not explicitly allowed by the rules will not be included in the routing table on input or in the routing update on output. To allow all other network numbers not filtered, the last rule must be:

    permit 0.0.0.0

The exception to this rule is that direct and static routes are always installed and cannot be removed from the routing table using IP route filtering.

This is a special section of the configuration, meaning that there are no keywords to document. The elements enclosed in square brackets ([ ]) are optional. Each section contains a complete filter set uniquely identified by the Name portion of the section name. Multiple sections may exist, each with a unique name.

Synopsis of IP Route Filtering Rules

    <action> <IP address> [direction] [modifiers] [notify]

    action      ::= permit | deny
    IP address  ::= <IP address>[/<bits>]
    [direction] ::= in | out | both
    [modifiers] ::= via <protocol> | origin <protocol> | contains <AS number> | metricin | metricout <metric> | from | to <IP address>[/<bits>] | <port identifier string> | <AS number>
    [notify]    ::= log

At a minimum, every non-comment line in a filter set must include an action and an IP address. Together these components specify a filter rule that the device will follow when sending and/or receiving IP routing packets.

permit or deny

The permit action specifies that information from routing packets meeting the conditions should be included in the IP routing table. The deny action specifies that information from routing packets meeting the conditions should not be included in the IP routing table.

<IP address>[/<bits>]

IP addresses can be specified in a variety of ways:

a) IP addresses can be specified in normal dotted decimal notation. If the rightmost components are 0, they are treated as wild cards (for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet). An address with all zeros matches anything and can be used as a wild card in the case where one of the addresses doesn't matter.

b) IP addresses can be specified as a factorized address in the form #.#.#.{#,#,...}. For example, 192.12.9.{1, 2, 3, 15} matches the hosts 192.12.9.1, 192.12.9.2, 192.12.9.3, and 192.12.9.15. There is no need for all 4 components. For example, 198.41.{8,9,10,11,12,13} would match all host addresses from 198.41.8.1 to 198.41.13.255. However, the factorized part must be at the end of the address.

c) IP addresses may also be specified as a hexadecimal number (for example, 0x82cc0801 matches the host address 130.204.8.1).

The optional /bits at the end of an IP address is a bit field denoting the number of bits that are significant when doing the comparison against the addresses from the IP packet. It denotes the top, or most significant, bits to use. For example, an address specified in the rules as 192.15.32.0/19 would match all host addresses from 192.15.32.1 to 192.15.63.255. A specified bit field will override the default class-based mask generated by the address specification rules listed above. For example, the address 198.15.9.0 would have a mask of 255.255.255.0, as if a /24 had been appended to the address. However, if 198.15.9.0/8 had actually been entered, the /8 would override the default mask and all addresses from 198.0.0.1 to 198.255.255.255 would match.

Options

in | out | both

These parameters specify the packet direction for which the rule is applied. Filter rules specifying in are applied only to incoming routing packets. Filter rules specifying out are applied only to outgoing routing packets. If no direction is specified, both is assumed.

via <protocol>

This modifier specifies that the rule be applied to routing data being received or transmitted by the designated routing protocol. The possible values are icmp, rip, ripv2, ospf, and bgp. By default, the rule is applied to all routing data. Multiple protocols may be listed, each separated by white space.

contains <AS number>

This modifier specifies that the rule be applied if the BGP Autonomous System (AS) path contains the specified AS number anywhere in the AS path, which is a record of each AS that a BGP route has traversed. The AS number is specified as an integer.

origin <protocol>

This modifier limits output rules to routes originating from the designated protocol. The possible values are icmp, rip, ripv2, static, direct, ospf and bgp. By default, the rule applies to all routes regardless of origin. Multiple protocols may be listed, each separated by white space.

metricin | metricout <metric>

These modifiers allow the metric on incoming and outgoing routes to be incremented or decremented. The metric is the number of routers on a route. By increasing or decreasing the metric, a particular route can be made more or less attractive. The value must be a decimal number between 1 and 15.
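A matcher for the address forms described under <IP address>[/<bits>] above, as an added example that is not code from this guide. It takes the default mask from the rightmost zero components, as the 128.138.12.0 example implies, expands factorized and hexadecimal forms, and lets an explicit /bits override the default; the 8-bare-hex-digit form from the [ IP Static ] section is accepted as well.

```python
"""Added example (not code from the Compatible Systems guide): a matcher for
the address forms described under <IP address>[/<bits>]. The default mask is
taken from the rightmost zero components, as the 128.138.12.0 example
implies; an explicit /bits overrides it."""
import ipaddress
import re

def parse_spec(spec):
    """Expand an address spec into (network, prefix_len) pairs; matching any pair is a match."""
    spec = spec.replace(" ", "")
    override = None
    if "/" in spec:                                    # explicit /bits overrides the default mask
        spec, bits = spec.split("/", 1)
        override = int(bits)
        if not 0 <= override <= 32:
            raise ValueError(f"bad prefix length: /{bits}")
    if "." not in spec:                                # c) hexadecimal: 0x82cc0801, or 8 bare hex digits
        if not re.fullmatch(r"0x[0-9A-Fa-f]{1,8}|[0-9A-Fa-f]{8}", spec):
            raise ValueError(f"not an address: {spec}")
        return [(int(spec, 16), 32 if override is None else override)]
    parts = spec.split(".")
    head, tail = parts[:-1], parts[-1]
    factorized = tail.startswith("{") and tail.endswith("}")   # b) #.#.{#,#,...}, braces last
    if len(parts) > 4 or (not factorized and len(parts) != 4):
        raise ValueError(f"not an address: {spec}")
    choices = [int(x) for x in tail[1:-1].split(",")] if factorized else [int(tail)]
    expanded = []
    for choice in choices:
        octets = [int(x) for x in head] + [choice]
        if any(not 0 <= o <= 255 for o in octets):
            raise ValueError(f"octet out of range: {spec}")
        if override is not None:
            bits = override
        elif factorized:                               # components not written are wild cards
            bits = 8 * len(octets)
        else:                                          # a) rightmost zero components are wild cards
            significant = octets[:]
            while significant and significant[-1] == 0:
                significant.pop()
            bits = 8 * len(significant)
        octets += [0] * (4 - len(octets))
        expanded.append(((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3], bits))
    return expanded

def spec_matches(spec, address):
    """True if a dotted-decimal address falls inside any network the spec expands to."""
    value = int(ipaddress.IPv4Address(address))
    return any(bits == 0 or value >> (32 - bits) == net >> (32 - bits)
               for net, bits in parse_spec(spec))

def spec_ranges(spec):
    """First and last address of each expansion, for checking a rule before it is deployed."""
    ranges = []
    for net, bits in parse_spec(spec):
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        first, last = net & mask, (net & mask) | (0xFFFFFFFF ^ mask)
        ranges.append((str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))))
    return ranges

if __name__ == "__main__":
    for spec in ("128.138.12.0", "192.12.9.{1, 2, 3, 15}", "198.41.{8,9,10,11,12,13}",
                 "0x82cc0801", "192.15.32.0/19", "198.15.9.0/8"):
        print(f"{spec:28} -> {spec_ranges(spec)}")
```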
from | to <IP address>[/<bits>] | <port identifier string> | <AS number>

This modifier narrows the rule to apply only to routes from or to a specific IP address, IP interface, or, if BGP is in use, an AS. If an IP address is specified, it must be in one of the formats discussed above. If a port identifier string is specified, it must be a recognized interface (e.g., Ethernet 0, WAN 0, etc.). If an AS number is specified, it must be an integer.

log

The log option causes the device to log data about the packet to syslog when the condition of the rule is met. See the [ Logging ] section.

Examples

The following example permits input only from RIP and only from 198.41.11.1, and output of routing information that originates from RIP, directly connected routes and static routes.

    [ IP Route Filter "rip-in" ]
    permit 0.0.0.0 in via rip from 198.41.11.1
    permit 0.0.0.0 out origin rip direct static

The following example illustrates a BGP route filter. This filter would deny any incoming routes that contained AS 600 anywhere in their AS path. Note the final line in the route filter, which prevents unintended filtering of RIP and OSPF routes.

    [ IP Route Filter "bgp600" ]
    deny 0.0.0.0 in via bgp contains 600
    permit 0.0.0.0 in via rip ospf

The route filter is applied in the [ General ] section.

    [ General ]
    IPRouteFilters = rip-in bgp600

See Also

[ IP <Section ID> ], [ IP Static ], [ IP Filter <Name> ], [ IP Route Redistribution ], [ BGP Route Map <Name> ], [ Logging ], [ General ], ip(show)

[ IP Static ]

This section sets a default IP router and permits the definition of multiple static routes. Static routes provide IP routing information to the device when the device has not been able to determine the correct route for an IP packet using dynamic routing information. The device may also be configured to redistribute a static route via RIP.
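Returning to the rip-in and bgp600 route filters shown under [ IP Route Filter <Name> ] above: an evaluator that applies them to constructed routes in first-match order with the implicit default deny, as an added example that is not the device's code. It handles only the 0.0.0.0, host and address/bits address forms, accepts metricin/metricout without acting on them, and uses placeholder AS numbers and peer addresses.

```python
"""Added example (not code from the Compatible Systems guide): an evaluator
for the rip-in and bgp600 route filters. It models first-match rule order and
the implicit default deny; only the 0.0.0.0, host and address/bits address
forms are handled, and metricin/metricout do not change the result."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

MODIFIERS = {"in", "out", "both", "via", "origin", "contains", "metricin", "metricout", "from", "to", "log"}

@dataclass
class Route:
    network: str              # advertised network number, dotted decimal
    protocol: str             # protocol carrying the update: rip, ripv2, ospf, bgp, icmp
    origin: str = ""          # protocol the route originated from (checked by output rules)
    peer: str = ""            # router address or port identifier it came from / goes to
    as_path: tuple = ()       # BGP AS path, empty for non-BGP routes

@dataclass
class RouteRule:
    action: str
    address: str
    direction: str = "both"
    via: set = field(default_factory=set)
    origin: set = field(default_factory=set)
    contains: Optional[int] = None
    peers: set = field(default_factory=set)

def parse_route_rule(line):
    """<action> <IP address> [in|out|both] [via p...] [origin p...] [contains AS] [from|to x] [log]"""
    tok = line.split()
    rule = RouteRule(action=tok[0].lower(), address=tok[1])
    if rule.action not in ("permit", "deny"):
        raise ValueError(f"bad action in rule: {line}")
    i = 2
    while i < len(tok):
        word, i = tok[i].lower(), i + 1
        values = []                           # arguments run up to the next modifier keyword
        while i < len(tok) and tok[i].lower() not in MODIFIERS:
            values.append(tok[i].lower())
            i += 1
        if word in ("in", "out", "both"):
            rule.direction = word
        elif word == "via":
            rule.via.update(values)
        elif word == "origin":
            rule.origin.update(values)
        elif word == "contains":
            rule.contains = int(values[0])
        elif word in ("from", "to"):
            rule.peers.add(" ".join(values))  # an address, or a port name such as "ethernet 0"
        elif word not in ("metricin", "metricout", "log"):   # accepted, no effect on the decision here
            raise ValueError(f"unknown modifier {word!r} in rule: {line}")
    return rule

def _addr_ok(spec, address):
    """0.0.0.0 matches anything; otherwise a host address or address/bits (ValueError for a port name)."""
    if spec == "0.0.0.0":
        return True
    net = ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)
    return ipaddress.ip_address(address) in net

def _peer_ok(rule, route):
    if not rule.peers:
        return True
    for peer in rule.peers:
        try:
            if _addr_ok(peer, route.peer):
                return True
        except ValueError:                    # not an address on one side: compare interface names
            if peer == route.peer.lower():
                return True
    return False

def route_rule_matches(rule, route, direction):
    return (rule.direction in ("both", direction)
            and _addr_ok(rule.address, route.network)
            and (not rule.via or route.protocol in rule.via)
            and (not rule.origin or route.origin in rule.origin)
            and (rule.contains is None or rule.contains in route.as_path)
            and _peer_ok(rule, route))

def filter_route(rules, route, direction):
    """First matching rule decides; a route no rule permits is left out of the table or update."""
    for rule in rules:
        if route_rule_matches(rule, route, direction):
            return rule.action
    return "deny"

# The guide's two example rule sets.
RIP_IN = [parse_route_rule(r) for r in ("permit 0.0.0.0 in via rip from 198.41.11.1",
                                        "permit 0.0.0.0 out origin rip direct static")]
BGP600 = [parse_route_rule(r) for r in ("deny 0.0.0.0 in via bgp contains 600",
                                        "permit 0.0.0.0 in via rip ospf")]

# Constructed sample routes; AS numbers other than 600 are placeholders.
RIP_FROM_PEER = Route("192.15.10.0", "rip", peer="198.41.11.1")
RIP_FROM_OTHER = Route("192.15.10.0", "rip", peer="198.41.11.2")
STATIC_OUT = Route("198.41.13.0", "rip", origin="static")
BGP_VIA_600 = Route("10.20.0.0", "bgp", as_path=(64500, 600, 64510))
```

Dropping the final permit line from bgp600 makes filter_route() leave RIP routes out as well, which is the unintended filtering the text warns about; note that under the same default deny a BGP route whose AS path lacks 600 also matches neither line, so a permit for via bgp is needed if such routes are wanted.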
In cases where the routing metrics (the number of routing hops to a destination) are equal between a static route and a dynamic route, Compatible Systems devices will use the dynamic route.

Note: Static routes are more difficult to maintain and are generally not as reliable as dynamically determined routes. We recommend that you use static routing only when the network does not provide adequate routing information through RIP.

This is a special section of the configuration, meaning that there are no keywords to document. Each line contains a complete IP static route entry. Each static route consists of a line with the following syntax:

    <Destination> <Mask> <Gateway/Port> <Metric> [Redist= RIP | OSPF1 | OSPF2 | BGP | none ]

Destination

A Destination is an IP address for which you wish to provide static routing information. It is usually entered in the standard dotted decimal notation for IP addresses. However, values can be entered in hexadecimal as well. Hexadecimal numbers must either be preceded by "0x" or they must be complete (8 hexadecimal digits, e.g., C6290C00 for 198.41.12.0). If 0.0.0.0 is specified as the Destination, then the route being added is to a default router. The Mask must also be 0.0.0.0. The default router will be used to route packets when the destination network is not known by the device.

Note: The "default router" is used as a "route of last resort" when your device cannot determine where an IP packet should be sent. In very simple routing setups, including connecting small networks to the Internet through an Internet Service Provider, a default router entry may be the only routing information required.

Mask

The Mask field tells the device how much of the destination address entry should be considered when determining the route for a packet. This field has the same format as the Destination field but typically has 255s for the network portion of the address and 0 for the host portion when adding a network route, and all 255s when adding a host route. See the subnet mask description in the [ IP <Section ID> ] section for more information.

Gateway/Port

The Gateway field also has the same format as the Destination field and is usually the address of another router (gateway) which is responsible for packets being sent to the destination address. This field can also be specified as a physical interface of the device you are configuring (e.g., WAN 1). However, the name of a physical interface cannot be used when that interface is configured for Frame Relay operation. This is because the Frame Relay protocol allows multiple IP addresses to be reached over a single physical interface via different PVCs (permanent virtual circuits). See the [ Frame Relay <Section ID> ] section for more information.

Metric

The Metric field specifies the distance or cost to the destination address. The metric is used by the routing process to determine where packets should be sent. It usually corresponds loosely with the number of hops to the destination. A lower value makes this a "better" route. The value entered here must be between 1 and 15 and may correspond to the actual number of hops to the gateway or may be larger to artificially inflate the cost.

Note: There are several reasons why you might enter a static route with an inflated metric. If there is more than one route to a destination but the route with the shortest number of hops is over a slow WAN link, you might add a route with an inflated metric to cause the IP traffic to take the "quicker" route.

Redist=RIP | OSPF1 | OSPF2 | BGP | none

The optional Redist field indicates whether a static route should be redistributed. If you leave this field off or if none is specified, the static route will not be redistributed. Only one routing protocol can be selected for redistributing each static route.

If RIP is specified, the static route entry will be redistributed into the RIP routing protocol, which means that other routers will be able to choose this device as a way to forward packets to the destination address, depending on the metric and what other routes are available. Routing information received via RIP from other routers will be redistributed out other interfaces where RIP processing is enabled. When routes are rebroadcast in this fashion, the metric for this route is increased by 1, which increases the cost of the route.

If OSPF1 or OSPF2 is specified, the static route entry will be redistributed into the OSPF routing protocol. The 1 or 2 refers to the two types of external metrics which may be used in OSPF. The cost of a type 2 route is simply the external cost, regardless of the interior (i.e., within OSPF) cost to reach that router. A type 1 cost is the sum of both the external cost and the internal cost used to reach that router.

If BGP is specified, the static route entry will be redistributed into the BGP routing protocol.

Examples

The first example adds a default route which passes all packets with unknown destinations to WAN 0. This route might be used on a device which has a connection to an Internet Service Provider via PPP through serial interface WAN 0.

    [ IP Static ]
    0.0.0.0 0.0.0.0 Wan 0 1

The next example adds a route to network 198.41.13.0 through the gateway 198.41.9.65. Notice that the metric is 4. That means that if a better dynamic route is found (one with a metric less than or equal to 4), this route will not be used. The command also tells the device to include this route in its RIP broadcast.

    [ IP Static ]
    198.41.13.0 255.255.255.0 198.41.9.65 4 Redist=RIP

See Also

[ IP <Section ID> ], [ IP Route Filter <Name> ], ip(show), [ Frame Relay <Section ID> ]

[ IPX Filter <Name> ]

This section allows you to define, edit and name a set of IPX filtering rules. The named set of filtering rules may then be associated with either the IPX input or output filtering attributes of an interface. This method allows the greatest flexibility since common rules may be established and applied independently to the inbound and outbound interfaces.

The device does not reorder the rules from the order in which they are specified before using them. They are applied in the order they were written. When multiple filter sets are selected, they are concatenated in the device from first to last.

Any IPX packet not explicitly allowed by the rule set is dropped silently. To allow all other packets not filtered, the last rule must be:

    permit

This is a special section of the configuration, meaning that there are no keywords to document. The elements enclosed in square brackets ([ ]) are optional. Each section contains a complete filter set uniquely identified by the Name portion of the section name. Multiple sections may exist, each with a unique name.

Synopsis of IPX Filtering Rules

    <action> [type exp] [srcnet exp] [dstnet exp] [srcnode exp] [dstnode exp] [srcskt exp] [dstskt exp] [notify]

    action        ::= permit | deny
    [type exp]    ::= type <operator> <IPX packet type>
    [srcnet exp]  ::= srcnet <operator> <network number>
    [dstnet exp]  ::= dstnet <operator> <network number>
    [srcnode exp] ::= srcnode <operator> <node address>
    [dstnode exp] ::= dstnode <operator> <node address>
    [srcskt exp]  ::= srcskt <operator> <socket number>
    [dstskt exp]  ::= dstskt <operator> <socket number>
    [notify]      ::= log

At a minimum, every non-comment line in a filter set must include an action.
permit or deny

The action permit specifies that packets meeting the conditions should be passed through the filter. The action deny specifies that packets meeting the conditions should be dropped by the filter.

Options

The basic action specified in the rule will almost always be accompanied by an option. IPX packet filter options use some or all of a set of operators to determine whether the filter rule matches information in a packet or not.

operator

The operator parameter is a logical operator used to compare a port number against a filtering rule. The following logical operators are supported:

eq, ==, and =
These are acceptable ways of writing an "equality" operator, which will match if the value in the packet is equal to the value specified in the option expression.

lt and <
These are acceptable ways of writing a "less than" operator, which will match if the value in the packet is less than the value specified in the option expression.

lteq, le, <=, and =<
These are acceptable ways of writing a "less than or equal to" operator, which will match if the value in the packet is less than or equal to the value specified in the option expression.

gt and >
These are acceptable ways of writing a "greater than" operator, which will match if the value in the packet is greater than the value specified in the option expression.

gteq, ge, >=, and =>
These are acceptable ways of writing a "greater than or equal to" operator, which will match if the value in the packet is greater than or equal to the value specified in the option expression.

ne, <>, and !=
These are acceptable ways of writing an "inequality" operator, which will match if the value in the packet is not equal to the value specified in the option expression.

The options available for IPX packet filter rules allow rules to be more narrowly specified to exclude all but certain types of packets: packets with a given source network number (srcnet), packets with a specified destination network number (dstnet), packets with a selected source socket number (srcskt), packets with a selected destination socket number (dstskt), packets with a chosen source node address (srcnode), and/or packets with a stated destination node address (dstnode).

type <operator> <IPX packet type>

This rule allows filtering on the IPX packet type. The IPX packet type is specified as a hex number. The keyword all may be used to specify all packet types. For some versions of NetWare, the packet type field is not a reliable indicator of the type of packet encapsulated by the IPX header. Generally, the source and destination socket fields should be used to implicitly filter the packet type. NetBIOS propagate packets (type 14h) are an exception to this rule.

srcnet <operator> <network number>

This rule allows filtering on the source network number in the IPX header. The network number is specified as a hex value in the range of 1 to FFFFFFFE. The keyword all may be used to specify all network number values.

dstnet <operator> <network number>

This rule allows filtering on the destination network number in the IPX header. The network number is specified as a hex value in the range of 1 to FFFFFFFE. The keyword all may be used to specify all network number values.

srcskt <operator> <socket number>

This rule allows filtering on the source socket number in the IPX header. The IPX socket number is specified as a hex value. The keyword all may be used to specify all socket values. Also, the following keywords may be used for well-known socket numbers: NCP (0451h); SAP (0452h); RIP (0453h); DIAG (0456h).

dstskt <operator> <socket number>

This rule allows filtering on the destination socket number in the IPX header. The IPX socket number is specified as a hex value. The keyword all may be used to specify all socket values. The keywords listed above for srcskt may also be used.

srcnode <operator> <node address>

This rule allows filtering on the source node address in the IPX header. The only operators allowed on node addresses are equality and inequality. The node address is specified as an Ethernet address, which is six hexadecimal octets separated by dots (.) or colons (:) (e.g., 0.0.A5.0.0.1 or 0:0:A5:0:0:1). The keyword all may be used to specify all node values.

dstnode <operator> <node address>

This rule allows filtering on the destination node address in the IPX header. The only operators allowed on node addresses are equality and inequality. The node address is specified as shown above for srcnode. The keyword all may be used to specify all node values.

log

The log option causes the device to log data about the packet to syslog when the condition of the rule is met.

Examples

Drop all packets where the source network number is greater than or equal to 1000 and permit all other packets.

    [ IPX Filter "deny-1000" ]
    deny srcnet >= 1000
    permit

Drop all packets from a specific IPX node and network and permit all other packets.

    [ IPX Filter "beatles" ]
    deny srcnet = FAB4 srcnode = 0.0.A5.0.0.1
    permit

Drop all packets where the source socket is the diagnostic socket, log the denial, and permit all other packets through.

    [ IPX Filter "diagnostic" ]
    deny srcskt = DIAG log
    permit

See Also

[ IPX <Section ID> ], [ IPX Route Filter <Name> ], [ IPX SAP Filter <Name> ], [ IPX Tunnels ], [ Logging ], ipx(show)

[ IPX Route Filter <Name> ]

This section allows you to define, edit and name a set of IPX route filtering rules. This allows the device to filter inbound IPX network numbers received via broadcast advertisements and outbound routes advertised from the device.
These filter rules are global to the device and are not associated with a particular interface. However, they can be restricted to an interface using the from or to modifiers, as explained later in this section.

The device does not reorder the rules from the order in which they are specified before applying them against a network number. They are applied in the order they were written. When multiple filter sets are selected, they are concatenated in the device from first to last.

Any network numbers not explicitly allowed by the rules will not be included in the routing table on input or in the routing update on output. To allow all other network numbers not filtered, the last rule must be:

    permit network = all

This is a special section of the configuration, meaning that there are no keywords to document. The elements enclosed in square brackets ([ ]) are optional. Each section contains a complete filter set uniquely identified by the Name portion of the section name. Multiple IPX route filter sections may exist, each with a unique name.

Synopsis of IPX Route Filtering Rules

    <action> <network exp> [direction] [modifiers] [notify]

    action      ::= permit | deny
    network exp ::= network <operator> <network number>
    [direction] ::= in | out | both
    [modifiers] ::= from | to {<ipx internet address> | <port identifier string>} | metricin | metricout <metric>
    [notify]    ::= log

At a minimum, every non-comment line in a filter set must include an action and a network expression. Together these components specify a filter rule that the device will follow when sending and/or receiving IPX RIP packets.

permit or deny

The permit action specifies that information from routing packets meeting the conditions should be included in the IPX routing table. The deny action specifies that information from routing packets meeting the conditions should not be included in the IPX routing table.

network <operator> <network number>

This rule allows filtering of the network number from either the inbound or outbound IPX route advertisement. The network exp uses a set of operators to specify the conditions under which the rule will be satisfied.

operator

These operators are used to determine whether the filter rule matches information in a RIP packet or not. The following logical operators are supported:

eq, ==, and =
These are acceptable ways of writing an "equality" operator, which will match if the value in the routing information is equal to the value specified in the network expression.

lt and <
These are acceptable ways of writing a "less than" operator, which will match if the value in the routing information is less than the value specified in the network expression.

lteq, le, <=, and =<
These are acceptable ways of writing a "less than or equal to" operator, which will match if the value in the routing information is less than or equal to the value specified in the network expression.

gt and >
These are acceptable ways of writing a "greater than" operator, which will match if the value in the routing information is greater than the value specified in the network expression.

gteq, ge, >=, and =>
These are acceptable ways of writing a "greater than or equal to" operator, which will match if the value in the routing information is greater than or equal to the value specified in the network expression.

ne, <>, and !=
These are acceptable ways of writing an "inequality" operator, which will match if the value in the routing information is not equal to the value specified in the network expression.

network number

This parameter is the IPX network number, specified as a hex value in the range of 1 to FFFFFFFE. The keyword all may be used to specify all network values.

Options

in | out | both

These parameters specify the direction for which the rule is applied. Filter rules specifying in are applied only to incoming routing packets. Filter rules specifying out are applied only to outgoing routing packets. If no direction is specified, both is assumed.

from | to <ipx internet address> | <port identifier string>

This modifier narrows the rule to apply only to routes from or to a specific IPX internet address or IPX interface. The ipx internet address is specified as a hexadecimal network number and node number separated by a dash (e.g., A011-0:0:A5:0:0:1 indicates a node with the hexadecimal network number A011 and a node address of 0:0:A5:0:0:1). The port identifier string must be a recognized interface (e.g., Ethernet 0, WAN 0, etc.).

metricin | metricout <metric>

These modifiers allow the metric on incoming and outgoing routes to be incremented or decremented. The metric is the number of routers on a route. By increasing or decreasing the metric, a particular route can be made more or less attractive. The value must be a decimal number between 0 and 15.

log

The log option causes the device to log data about the packet to syslog when the condition of the rule is met.

Examples

The following example specifies a rule to allow routes to be input from any IPX network except network number 7.

    [ IPX Route Filter "net-7" ]
    permit network != 7

The following example specifies that routing information should only be accepted from the Ethernet 0 interface.

    [ IPX Route Filter "ether0-only" ]
    permit network = ALL from ethernet 0

The "ether0-only" filter would be applied in the [ General ] section.

    [ General ]
    IPXRouteFilters = ether0-only

See Also

[ IPX <Section ID> ], [ IPX Filter <Name> ], [ IPX SAP Filter <Name> ], [ IPX Tunnels ], [ Logging ], [ General ], ipx(show)

[ IPX SAP Filter <Name> ]

This section allows you to define, edit and name a set of IPX SAP filtering rules.
This allows the device to filter inbound IPX servers received via broadcast advertisements and outbound servers advertised from the device. These filter rules are global to the device and are not associated with a particular interface. However, they can be restricted to an interface using the from or to modifiers in the rule.

The device does not reorder the rules before using them; they are applied in the order they were written. When multiple filter sets are selected, they are concatenated in the device from first to last. Any server not explicitly allowed by the rules will not be included in the SAP table or in the SAP update. To allow all other servers not filtered, the last rule must be:

permit

This is a special section of the configuration, meaning that there are no keywords to document. The elements enclosed in square brackets ([ ]) are optional. Each section contains a complete filter set uniquely identified by the Name portion of the section name. Multiple sections may exist, each with a unique name.

Synopsis of IPX SAP Filtering Rules

<action> [type exp] [server exp] [network exp] [node exp] [socket exp] [direction] [modifiers] [notify]

action ::= permit | deny
[type exp] ::= type <operator> <server type>
[server exp] ::= server <operator> <server name>
[network exp] ::= network <operator> <network number>
[node exp] ::= node <operator> <node address>
[socket exp] ::= socket <operator> <socket number>
[direction] ::= in | out | both
[modifiers] ::= from | to {<ipx internet address> | <port identifier string>} | metricin | metricout <metric>
[notify] ::= log

At a minimum, every non-comment line in a filter set must include an action.

permit or deny
The permit action specifies that server information meeting the conditions should be inserted into the device's SAP table. The deny action specifies that server information meeting the conditions should not be included in the device's SAP table.
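The evaluation rules just stated (written order, first match decides, selected sets concatenated first to last, implicit deny of anything no rule permits) and the synopsis grammar above, worked through in code. This is an added example, not Compatible Systems code. It assumes that from scopes an inbound rule to the interface a server was learned on and that to scopes an outbound rule to the interface it would be advertised from, and it uses the "servers" filter set from the Examples later in this section as constructed input. The same parser handles [ IPX Route Filter <Name> ] rules, whose grammar is the subset with only a network expression.

```python
"""IPX RIP/SAP filter-set evaluation (added example, not Compatible Systems code).

Rules run in written order, first match decides, selected sets are concatenated
first to last, and a server no rule permits is dropped (implicit deny).
"""
import operator as o
import re
import shlex

OPS = {}
for names, fn in ((("eq", "==", "="), o.eq), (("lt", "<"), o.lt),
                  (("lteq", "le", "<=", "=<"), o.le), (("gt", ">"), o.gt),
                  (("gteq", "ge", ">=", "=>"), o.ge), (("ne", "<>", "!="), o.ne)):
    OPS.update(dict.fromkeys(names, fn))
HEX_FIELDS = ("type", "network", "socket")   # compared as numbers
TEXT_FIELDS = ("server", "node")             # equality / inequality only

def norm_node(addr):
    """0:0:A5:0:0:1 or 0.0.A5.0.0.1 -> tuple of six ints."""
    parts = re.split(r"[:.]", addr)
    if len(parts) != 6:
        raise ValueError("node address needs six octets: %r" % addr)
    return tuple(int(p, 16) for p in parts)

def parse_rule(line):
    """Parse one filter line; ValueError on syntax the guide forbids."""
    tok = shlex.split(line)                   # keeps quoted server names whole
    if not tok or tok[0].lower() not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny: %r" % line)
    rule = {"action": tok[0].lower(), "conds": [], "direction": "both", "scope": None}
    i = 1
    while i < len(tok):
        t = tok[i].lower()
        if t in HEX_FIELDS + TEXT_FIELDS:
            if i + 2 >= len(tok) or tok[i + 1].lower() not in OPS:
                raise ValueError("%s needs <operator> <value>: %r" % (t, line))
            fn, value = OPS[tok[i + 1].lower()], tok[i + 2]
            if t in TEXT_FIELDS and fn not in (o.eq, o.ne):
                raise ValueError("%s accepts only equality or inequality" % t)
            if value.lower() == "all":        # 'all' matches any value
                value = "all"
            elif t in HEX_FIELDS:
                value = int(value, 16)
            elif t == "node":
                value = norm_node(value)
            rule["conds"].append((t, fn, value))
            i += 3
        elif t in ("in", "out", "both"):
            rule["direction"], i = t, i + 1
        elif t in ("from", "to"):
            # assumption: 'from' scopes inbound rules, 'to' scopes outbound ones
            target, i = tok[i + 1].lower(), i + 2
            if target.isalpha() and i < len(tok) and tok[i].isdigit():
                target, i = target + " " + tok[i], i + 1   # e.g. "ethernet 0"
            rule["scope"] = (t, target)
        elif t in ("metricin", "metricout", "log"):
            rule[t], i = (int(tok[i + 1]), i + 2) if t != "log" else (True, i + 1)
        else:
            raise ValueError("unknown token %r" % tok[i])
    return rule

def rule_matches(rule, server, direction, interface):
    if rule["direction"] not in ("both", direction):
        return False
    if rule["scope"] is not None:
        kind, target = rule["scope"]
        if (kind == "from") != (direction == "in") or target != interface.lower():
            return False
    return all(v == "all" or fn(server[f], v) for f, fn, v in rule["conds"])

def evaluate(filter_sets, server, direction, interface):
    """First match over the concatenated sets -> ('permit'|'deny', rule index)."""
    rules = [r for fs in filter_sets for r in fs]
    for idx, rule in enumerate(rules):
        if rule_matches(rule, server, direction, interface):
            return rule["action"], idx
    return "deny", None                       # nothing matched: implicit deny

def make_server(stype, name, network, node, socket):
    return {"type": int(stype, 16), "server": name, "network": int(network, 16),
            "node": norm_node(node), "socket": int(socket, 16)}

SERVERS_FILTER = """
deny network = 1ABC0 in from ethernet 0
deny server = "Printer" in from ethernet 0
deny network = FAB4 out to ethernet 1
permit
"""

def demo():
    """Constructed SAP tuples run through the guide's "servers" set."""
    rules = [parse_rule(l) for l in SERVERS_FILTER.splitlines() if l.strip()]
    printer = make_server("47", "Printer", "2000", "0:0:A5:0:0:1", "8060")
    fs1 = make_server("4", "FS1", "1ABC0", "0:0:A5:0:0:2", "451")
    fs2 = make_server("4", "FS2", "FAB4", "0:0:A5:0:0:3", "451")
    return {"printer in on Ethernet 0": evaluate([rules], printer, "in", "Ethernet 0"),
            "printer in on Ethernet 1": evaluate([rules], printer, "in", "Ethernet 1"),
            "FS1 out on Ethernet 1": evaluate([rules], fs1, "out", "Ethernet 1"),
            "FS2 out on Ethernet 1": evaluate([rules], fs2, "out", "Ethernet 1"),
            "no trailing permit": evaluate([rules[:-1]], printer, "in", "Ethernet 1")}
```

The last case in demo() is the one that bites in practice: with the trailing permit removed, a printer that no rule mentions is still dropped, because the device never inserts a server that no rule explicitly allowed.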
Options
An action alone will not create a useful filter rule (except for the trailing permit that allows all remaining servers, as noted above). The basic action specified in the rule will almost always be accompanied by an option. IPX SAP filter options use some or all of a set of operators to determine whether the filter rule matches information in a packet or not.

operator
These operators are used to determine whether the filter rule matches information in a SAP packet or not. The following logical operators are supported:

eq, ==, and =
These are allowable ways of writing an "equality" operator which will match if the value in the server information is equal to the value specified in the option expression.

lt and <
These are allowable ways of writing a "less than" operator which will match if the value in the server information is less than the value specified in the option expression.

lteq, le, <=, and =<
These are allowable ways of writing a "less than or equal to" operator which will match if the value in the server information is less than or equal to the value specified in the option expression.

gt and >
These are allowable ways of writing a "greater than" operator which will match if the value in the server information is greater than the value specified in the option expression.

gteq, ge, >=, and =>
These are allowable ways of writing a "greater than or equal to" operator which will match if the value in the server information is greater than or equal to the value specified in the option expression.

ne, <>, and !=
These are allowable ways of writing an "inequality" operator which will match if the value in the server information is not equal to the value specified in the option expression.

type <operator> <IPX server type>
This option allows filtering of the server type contained in the SAP update tuple. The IPX server type is specified as a hex value. The keyword all may be used to specify all server types.
server <operator> <server name>
This option allows filtering of the server name contained in the SAP update tuple. The operator in this rule can only be "equality" or "inequality." The server name must be enclosed in quotation marks ("") and be 48 characters or less.

network <operator> <network number>
This option allows filtering of the server network number contained in the SAP table. The network number is specified as a hex value in the range of 1 to FFFFFFFE. The keyword all may be used to specify all network numbers.

node <operator> <node address>
This option allows filtering of the server node address contained in the SAP table. The operator in this rule can only be "equality" or "inequality." The node address is specified as an Ethernet address. An Ethernet address is specified as six hexadecimal octets separated by colons (:) or dots (.). An example would be 0:0:A5:0:0:1 or 0.0.A5.0.0.1. The keyword all may be used to specify all node addresses.

socket <operator> <socket number>
This rule allows filtering of the server socket contained in the SAP table. The server socket number is specified as a hex value. The keyword all may be used to specify all socket numbers.

in | out | both
These parameters specify the packet direction for which the rule is applied. Filter rules specifying in are applied only to incoming server information. Filter rules specifying out are applied only to outgoing server information. Because the IPX SAP filtering rules are global to the device, a direction is usually needed to scope a rule. If no direction is specified, both is assumed.

from | to <IPX internet address> | <port identifier string>
This modifier narrows the rule to apply only to server information from or to a specific IPX internet address or IPX port.
The IPX internet address is specified as a hexadecimal network number and node number separated by a dash (e.g., A011-0:0:A5:0:0:1 indicates a node with the hexadecimal network number of A011 and a node address of 0:0:A5:0:0:1). The port identifier string must be a recognized interface (e.g., Ethernet 0, WAN 0, etc.).

metricin | metricout <metric>
These modifiers allow the metric on incoming and outgoing routes to be incremented or decremented. The metric is the number of routers on a route. By increasing or decreasing the metric, the servers on a particular route can be made more or less attractive. The value must be a decimal number between 0 and 15.

log
The log option causes the device to log data about the packet to syslog when the condition of the rule is met. See the [ Logging ] section.

Examples
In the following example, the "servers" rule set denies server advertisements from network 1ABC0 and servers with the name "Printer" which come into the device on Ethernet 0. It also denies server advertisements from network FAB4 out on Ethernet 1. The final rule permits everything else.

[ IPX SAP Filter "servers" ]
deny network = 1ABC0 in from ethernet 0
deny server = "Printer" in from ethernet 0
deny network = FAB4 out to ethernet 1
permit

The SAP filter is applied in the [ General ] section.

[ General ]
IPXSAPFilters = servers

See Also
[ IPX <Section ID> ], [ IPX Filter <Name> ], [ IPX Route Filter <Name> ], [ IPX Tunnels ], [ Logging ], [ General ], ipx(show)

[ NAT Mapping ]
This section of the configuration defines the one-to-one translation pairs of the NAT (Network Address Translation) mapping database. These pairs allow the user to provide access from the internal or external network to selected parts of the NAT internal network, such as a web server. This is a special section of the configuration, meaning that there are no keywords to document.
Each translation pair has the following syntax:

<internal IP address> [ /<bits> | :<port> ] { -> | = } <external IP address> [ /<bits> | :<port> ]

<internal IP address>
This is the IP address on the internal network to be mapped to the external IP address. It must be entered first, followed by " -> " or " = " and the external IP address. The internal IP address must be within the range (or ranges) of IP addresses defined by the InternalRange keyword(s) in the [ NAT Global ] section. IP addresses must be specified in normal dotted-decimal notation. If the rightmost components are 0, they are treated as wild cards (e.g., 128.138.12.0 includes all devices on the 128.138.12 subnet).

<external IP address>
This is the IP address on the external network to be mapped to the internal IP address. The external IP address must be within the range of IP addresses defined by the ExternalRange keyword in the [ NAT Global ] section.

Note: If only a single external IP address is available for the NAT router, do not map that IP address to an internal IP address because you will no longer be able to communicate with the router. Mapping single ports of the single external IP address to internal IP address:port combinations (e.g., creating access to a web server in the internal NAT network) is acceptable, however.

:<port>
The :port option allows an individual socket (IP address and port combination) to be mapped as part of a translation pair.

Note: An IP address:port combination cannot be paired with an IP address range (even if that range is a single IP address). It can only be paired with another IP address:port combination.

/<bits>
The /bits option allows a range of IP addresses to be mapped as part of a translation pair. The bits field denotes the top or most significant bits which define the range. For example, an address specified as 192.15.32.0/19 would indicate a range from 192.15.32.1 to 192.15.63.255.
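The checks above (InternalRange and ExternalRange membership, socket paired only with socket, trailing-zero wildcards, never mapping away the device's sole external address) as a validator for a [ NAT Mapping ] section. This is an added example, not Compatible Systems code. The InternalRange, ExternalRange and device-address values are constructed for the example, and the requirement that a one-to-one pair map equal-sized ranges is inferred from the /29 -> /29 example below rather than stated by the guide.

```python
"""Checker for [ NAT Mapping ] translation pairs (added example, not Compatible Systems code).

Syntax: <internal> [/<bits> | :<port>] { -> | = } <external> [/<bits> | :<port>]
"""
import ipaddress
import re

PAIR_RE = re.compile(
    r"^\s*(?P<i>\d+\.\d+\.\d+\.\d+)(?:/(?P<ib>\d+)|:(?P<ip>\d+))?"
    r"\s*(?:->|=)\s*"
    r"(?P<e>\d+\.\d+\.\d+\.\d+)(?:/(?P<eb>\d+)|:(?P<ep>\d+))?\s*$")

def parse_side(addr, bits, port):
    """-> ('socket', (address, port)) or ('net', IPv4Network)."""
    if port is not None:
        return "socket", (ipaddress.IPv4Address(addr), int(port))
    if bits is None:
        # no /bits: rightmost zero octets are wild cards (128.138.12.0 -> /24)
        octets, bits = addr.split("."), 32
        while bits > 0 and octets[bits // 8 - 1] == "0":
            bits -= 8
    return "net", ipaddress.IPv4Network("%s/%s" % (addr, bits), strict=False)

def inside(side, ranges):
    kind, value = side
    if kind == "socket":
        return any(value[0] in r for r in ranges)
    return any(value.subnet_of(r) for r in ranges)

def validate_mapping(line, internal_ranges, external_ranges, device_external=None):
    """Return (internal side, external side) or raise ValueError naming the first rule violated."""
    m = PAIR_RE.match(line)
    if not m:
        raise ValueError("unparseable NAT mapping: %r" % line)
    lhs = parse_side(m["i"], m["ib"], m["ip"])
    rhs = parse_side(m["e"], m["eb"], m["ep"])
    if lhs[0] != rhs[0]:
        raise ValueError("address:port may only be paired with address:port: %r" % line)
    if lhs[0] == "net" and lhs[1].prefixlen != rhs[1].prefixlen:
        # inferred from the guide's /29 -> /29 example, not a stated rule
        raise ValueError("one-to-one mapping needs equal-sized ranges: %r" % line)
    if not inside(lhs, internal_ranges):
        raise ValueError("internal side outside InternalRange: %r" % line)
    if not inside(rhs, external_ranges):
        raise ValueError("external side outside ExternalRange: %r" % line)
    if device_external is not None and rhs[0] == "net" and device_external in rhs[1]:
        raise ValueError("mapping the device's own external address cuts off access to it: %r" % line)
    return lhs, rhs

# Constructed [ NAT Global ] values chosen to fit the guide's 10.5.3.x / 198.41.9.x examples.
INTERNAL_RANGES = [ipaddress.IPv4Network("10.5.3.0/24")]      # assumed InternalRange
EXTERNAL_RANGES = [ipaddress.IPv4Network("198.41.9.192/27")]   # assumed ExternalRange
DEVICE_EXTERNAL = ipaddress.IPv4Address("198.41.9.193")        # assumed device address

SAMPLE = [
    "10.5.3.20 -> 198.41.9.194",           # the guide's three examples
    "10.5.3.10:80 -> 198.41.9.195:80",
    "10.5.3.0/29 -> 198.41.9.200/29",
    "10.5.3.10:80 -> 198.41.9.196",        # socket paired with a range
    "10.5.4.7 = 198.41.9.197",             # outside InternalRange
    "10.5.3.30 -> 198.41.9.193",           # the device's own address
]

def check_all(lines=SAMPLE):
    """Map each line to 'ok' or the text of the rule it breaks."""
    out = {}
    for line in lines:
        try:
            validate_mapping(line, INTERNAL_RANGES, EXTERNAL_RANGES, DEVICE_EXTERNAL)
            out[line] = "ok"
        except ValueError as err:
            out[line] = str(err)
    return out
```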
Examples
The following example shows one IP address being translated into another.

[ NAT Mapping ]
10.5.3.20 -> 198.41.9.194

The following example shows individual sockets (IP address and port combination) being mapped as a translation pair.

[ NAT Mapping ]
10.5.3.10:80 -> 198.41.9.195:80

The following example shows a range of IP addresses being mapped as a translation pair.

[ NAT Mapping ]
10.5.3.0/29 -> 198.41.9.200/29

See Also
[ IP <Section ID> ], ip(show), [ NAT Global ], nat(show)

[ VPN Users ]
This section of the configuration defines the IntraPort users database. Each line defines an IntraPort user along with that user's VPN Group configuration and password. Multi-line entries must have line breaks escaped with a backslash. However, line breaks encapsulated in a double quoted string are preserved.

When an IntraPort client begins a tunnel session, it transmits the username to the device. If the user is found in this section, the information found in the entry is used to set up the tunnel. RADIUS and LDAP servers can also be used for authentication of VPN users (see the [ Radius ] or [ LDAP Auth Server ] sections). If the username is not found, and a RADIUS or LDAP server has not been configured to perform the authentication, then the tunnel session will not be opened and an error is returned to the client.

Each user entry has the following syntax:

username Config=<config name> [SharedKey=<Pass Phrase>] [Auth=<Authentication Pass Phrase>] [Encrypt=<Encryption Pass Phrase>]

username
The username is a string which identifies a unique user. It must be the same as the string entered into that user's client. The name may be between one and 60 alphanumeric characters. If the string contains spaces or other special characters, it must be enclosed in quotes. This entry must always be the first on the line.
Config=<config name>
The Config keyword is required for all users and specifies which [ VPN Group <Name> ] section is used to define the tunneling parameters used by the client. Therefore, the config name must be the same as the Name portion of a [ VPN Group <Name> ] section. Information from that section is sent to the client when the tunnel is opened.

SharedKey=<Pass Phrase>
The SharedKey keyword is used to generate session keys which are then used to authenticate and/or encrypt each packet received from or sent to the client. This keyword is only valid for VPN groups using IKE. The same key must be entered into the IntraPort Client for the tunnel session to be successfully established. The Pass Phrase may be between 1-255 characters long. It is stored in clear text in this section, so anyone who can read the configuration (or a saved copy of it) learns the key; protect configuration backups accordingly and choose a long, random pass phrase rather than a word.

Auth=<Authentication Pass Phrase>
The Auth keyword is used to generate session keys which are used to authenticate each packet received from or sent to the client. This keyword is only valid for VPN groups using manual key management. The same key must be entered into the IntraPort client in order for authentication to succeed. If the Auth keyword is omitted, then packets are not authenticated for this connection; encryption alone does not detect packets that were altered or replayed in transit, so omit Auth only where that is acceptable. The Authentication Pass Phrase may be between 1-255 characters long.

Encrypt=<Encryption Pass Phrase>
The Encrypt keyword is used to generate session keys which are used to encrypt each packet received from or sent to the client. This keyword is only valid for VPN groups using manual key management and either 3DES, DES or PLE encryption. The same key must be entered into the IntraPort client in order for encryption to succeed. The Encryption Pass Phrase may be between 1-255 characters long.
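A parser and checker for this section's entry syntax, added here as an example; it is not Compatible Systems code. It applies the rules above: username first (quoted if it contains spaces), Config required and naming a VPN Group, SharedKey only with IKE groups, Auth and Encrypt only with manual keying, pass phrases of 1-255 characters, backslash continuation between physical lines, and newlines preserved inside a double-quoted string. The group table mapping each [ VPN Group <Name> ] to "ike" or "manual" is an assumed input (the device reads that from its own [ VPN Group <Name> ] sections), and the section body is constructed from the guide's Fred and Barney entries plus added test cases.

```python
"""Parser and checker for [ VPN Users ] entries (added example, not Compatible Systems code)."""
import re

USER_RE = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')
KV_RE = re.compile(r'\s*(\w+)=(?:"([^"]*)"|(\S+))')

def logical_lines(text):
    """Split the section body into complete entries."""
    entries, buf, in_quote = [], "", False
    for raw in text.split("\n"):
        buf += raw
        in_quote ^= raw.count('"') % 2 == 1
        if in_quote:
            buf += "\n"                 # line break inside a quoted string is preserved
        elif buf.endswith("\\"):
            buf = buf[:-1]              # escaped line break: the entry continues
        else:
            if buf.strip():
                entries.append(buf)
            buf = ""
    if buf.strip():
        entries.append(buf)
    return entries

def parse_entry(entry):
    """-> (username, {lower-cased keyword: value}); ValueError on stray text."""
    m = USER_RE.match(entry)
    if not m:
        raise ValueError("entry has no username: %r" % entry)
    name = m.group(1) if m.group(1) is not None else m.group(2)
    fields, pos = {}, m.end()
    for kv in KV_RE.finditer(entry, pos):
        if kv.start() != pos:
            raise ValueError("unparseable text %r" % entry[pos:kv.start()])
        fields[kv.group(1).lower()] = kv.group(2) if kv.group(2) is not None else kv.group(3)
        pos = kv.end()
    if entry[pos:].strip():
        raise ValueError("trailing text %r" % entry[pos:])
    return name, fields

def check_user(name, fields, groups):
    """Return the problems with one entry; an empty list means it is acceptable.

    groups maps a [ VPN Group <Name> ] name to "ike" or "manual" (assumed shape)."""
    problems = []
    if not 1 <= len(name) <= 60:
        problems.append("username must be 1-60 characters")
    cfg = fields.get("config")
    if cfg is None:
        problems.append("Config= is required")
    elif cfg not in groups:
        problems.append("Config=%r names no [ VPN Group <Name> ] section" % cfg)
    mode = groups.get(cfg)
    for key in ("sharedkey", "auth", "encrypt"):
        if key in fields and not 1 <= len(fields[key]) <= 255:
            problems.append("%s= pass phrase must be 1-255 characters" % key)
    if mode == "manual" and "sharedkey" in fields:
        problems.append("SharedKey= is only valid for groups using IKE")
    if mode == "ike" and ("auth" in fields or "encrypt" in fields):
        problems.append("Auth=/Encrypt= are only valid for manual key management")
    if mode == "manual" and "auth" not in fields:
        problems.append("no Auth=: packets on this tunnel will not be authenticated")
    return problems

# Constructed section body: the guide's Fred and Barney entries plus four test cases.
SAMPLE = '''Fred Config="Bedrock" SharedKey="Wilma"
Barney Config="Cobblestone County" \\
    SharedKey="Betty"
"Rubble, Bamm-Bamm" Config="Quarry" Auth="hold the
line" Encrypt="pebbles"
Dino Config="Bedrock" Auth="woof"
Pebbles Config="Gravel" SharedKey="slate"
Wilma Config="Quarry" Encrypt="rocks"
'''
GROUPS = {"Bedrock": "ike", "Cobblestone County": "ike", "Quarry": "manual"}  # assumed

def audit(text=SAMPLE, groups=GROUPS):
    """-> {username: [problems]} for every entry in the section body."""
    return {name: check_user(name, fields, groups)
            for name, fields in (parse_entry(e) for e in logical_lines(text))}
```

Running audit() over the constructed body accepts Fred, Barney and the quoted multi-line "Rubble, Bamm-Bamm" entry, and flags Dino (Auth on an IKE group), Pebbles (unknown group) and Wilma (manual keying with no Auth, so her packets would carry no integrity protection).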
Example

[ VPN Users ]
Fred Config="Bedrock" SharedKey="Wilma"
Barney Config="Cobblestone County" SharedKey="Betty"

See Also
[ Radius ], [ LDAP Auth Server ], [ VPN Group <Name> ], vpn(show)

Management Section

apply(mgmt)

COMMAND NAME
apply - Apply a configuration without restarting the device.

SYNOPSIS
apply [ edited | flash ]

DESCRIPTION
The apply command is a privileged command that requires supervisor mode to operate. This command allows you to apply a configuration to the device immediately, without restarting the device. Either flash or edited must be specified. This command is only available on the IntraPort 2/2+, IntraPort Enterprise, and IntraPort Carrier VPN Access Servers and on the IntraGuard Firewall.

OPTIONS
edited
This keyword specifies that an edited (but not saved) configuration will be applied to the device's current operations. If the edited configuration hasn't been saved and a restart occurs, the changes will be lost and the device will revert to the configuration in the Flash ROM.

flash
This keyword specifies that the configuration which is currently in the device's Flash ROM will be applied to the device's current operations and will overwrite any runtime changes which have been made. Configurations are saved (or written) to a device's Flash ROM using either the save or write commands.

SEE ALSO
save(mgmt), write(mgmt)

bgpenable(mgmt)

COMMAND NAME
bgpenable, bgpdisable - Enable or disable BGP.

SYNOPSIS
bgpenable [ all | <IP address> ]
bgpdisable [ all | <IP address> ]

DESCRIPTION
The bgpenable command enables BGP with all peers, if all is specified, or with a specific peer if an IP address is specified. The bgpenable all command can only be used if BGP was previously disabled during this router session. Individual peers can be enabled at any time.
The bgpdisable command discontinues a BGP session with a selected peer, or with all peers, without restarting the router. The IP address is specified in the standard dotted-decimal notation for IP addresses.

SEE ALSO
[ BGP General ], bgp(show)

boot(mgmt)

COMMAND NAME
boot - Restart the router immediately.

SYNOPSIS
boot

DESCRIPTION
The boot command is a privileged command that requires supervisor mode to operate. After issuing this command the router will restart. It will take 10 to 15 seconds before the router will forward packets, and up to a minute before all the routing tables will be stabilized.

SEE ALSO
enable(mgmt), save(mgmt)

enable(mgmt)

COMMAND NAME
enable, disable - Enter and leave supervisor mode.

SYNOPSIS
enable
disable

DESCRIPTION
The enable command is used to enter the system's supervisor mode. There are two modes of operation in the command interface, supervisor and normal modes. All operations that do not modify the system configuration or display critical (security related) information are permitted in normal mode. In normal mode, the command prompt ends in a ">".

The enable command will prompt for the password, and if successful, the user will be in supervisor mode. The command prompt for supervisor mode ends with a "#" to indicate that configurations can be modified. Modified configurations are kept in an edit buffer and will not affect the runtime operation of the router.

A supervisor session may be terminated or timed out by the system if no user input occurs within 5 minutes. In this case, if a modified configuration buffer exists, it will remain in the system's memory until the system is restarted. Show commands that display configuration information will display the edited copy while in supervisor mode. It is possible to display the currently configured values (stored in non-volatile Flash ROM) by leaving superv.isor mode and reentering the show command.
If a configuration in the edit buffer has been modified, the command prompt will be preceded by a "*". This occurs whether in supervisor mode or not. To exit supervisor mode, use the disable command.

EXAMPLES
The following example shows the enabling of supervisor mode. Notice the prompt change after enabling.

Main RISC Router> enable
Enter Password: password entered here
Main RISC Router#

The following example shows a configuration session in which the system information is displayed, the domain changed, and then both the edited copy and the flash version are displayed.

Main RISC Router# show sys info
Administrator: Dave Ballowe
Domain Name: Main network RISC Router
Router Location: Front office telephone closet
Main RISC Router# set sys domain Routers from the planet mars
*Main RISC Router# show sys info
Administrator: Dave Ballowe
Domain Name: Routers from the planet mars
Router Location: Front office telephone closet
*Main RISC Router# disable
*Main RISC Router> show sys info
Administrator: Dave Ballowe
Domain Name: Main network RISC Router
Router Location: Front office telephone closet
*Main RISC Router>

SEE ALSO
exit(mgmt)

exit(mgmt)

COMMAND NAME
exit, quit - Exit supervisor mode or command parser

SYNOPSIS
exit
quit

DESCRIPTION
The exit and quit commands both exit supervisor mode. If the session is not in supervisor mode, then the command parser is exited. These commands will terminate a telnet or command line session on a console, returning you to the password prompt. They are different from the exit and quit commands of the line editor (see the edit config section for more information).

SEE ALSO
enable(mgmt), boot(mgmt), save(mgmt), edit config

help(mgmt)

COMMAND NAME
help - Display context-sensitive online help information.

SYNOPSIS
help [ <command string> ]

DESCRIPTION
A limited amount of online help is available to command line users via the help command.
Help information is accessed by typing the help command, by entering incorrect input during normal command entry, or by entering a "?" (question mark) anywhere during command entry.

To display help information using the help command, enter help followed by a partial command string. The parser will display context-sensitive help for the portion of the command string that was parsed. If help is entered with no arguments, general help information is displayed along with all top level commands.

Help information displayed consists of the valid subcommands of the entered command string. Or, if the command string is a complete command, a usage line with command arguments along with a brief command description will be displayed.

Command help is also displayed when the parser detects an error in the user's command input. In this case, an error message followed by help information as described above will be displayed. If enhanced terminal processing mode is enabled (see terminal(set)), the portion of the command line that was successfully parsed will be redisplayed on the next command prompt, and the displayed part will not need to be re-entered.

EXAMPLES
The following commands are identical:

help show
show ?

Use the help command to get information about management commands.

*[ Time Server ]# help ping
Ping        Ping a remote machine
Usage: ping <destination address> | <host name> [ count <count> ] [ timeout <timeout> ] [ datalength <data length> ] [ spray ] [ sourceaddress <source address> | <interface> ]

SEE ALSO
terminal(set)

interface(mgmt)

COMMAND NAME
interface - Specify the interface for set commands.

SYNOPSIS
interface <media> [ <interface number/name> ]

DESCRIPTION
The interface command is used to select an interface to configure. Most set commands require an interface to be selected prior to modifying the configuration.
If you have enabled supervisor mode using the enable command (see enable(mgmt)), the command prompt will let you know which interface you are configuring.

OPTIONS
media
This parameter specifies the media type that you want to configure. Valid media types vary depending on the device hardware and software configuration. Recognized types include: Ethernet, LocalTalk, WAN, VPN, AUX, and Bridge. If an invalid type is selected, the command will print an error message indicating that there are 0 interfaces of the selected type.

interface number/name
This optional parameter is used to select the specific interface. It defaults to the first interface of the selected type. This argument is an integer or letter. The first interface is number 0 or letter A.

EXAMPLES
To select the first Ethernet interface, the next three commands are equivalent.

interface ethernet
interface ethernet a
interface ethernet 0

To select the Bridge protocol port:

interface bridge

SEE ALSO
enable(mgmt)

ipxping(mgmt)

COMMAND NAME
ipxping - Send a Ping request over IPX.

SYNOPSIS
ipxping <destination address> [ count <count> ] [ timeout <timeout> ] [ datalength <data length> ] [ spray ]

DESCRIPTION
The ipxping command directs the device to send a ping request over IPX to an IPX address. This command is compatible with the Cisco IPX ping and is often used to determine if a remote device is reachable. When using the ipxping command to isolate network faults, devices that are nearer should be pinged first. Then, nodes successively further away should be probed.

Round-trip times and packet loss statistics are computed. Duplicate and corrupted packets received from the remote node are flagged. Lost packets are flagged as timed out. When the specified number of packets have been sent (and received), a brief summary is displayed. The command can also be terminated with a <CTRL-C>. This command is intended to be used for network testing.
Because of the network load imposed by the spray option, it is unwise to use ipxping with spray during normal operation.

OPTIONS
destination address
This required parameter is used to indicate the remote device being pinged. The address is specified as a hexadecimal network number and node number separated by dots (e.g., A011.0.0.A5.0.0.1 indicates a node with the hexadecimal network number of A011 and a node address of 0.0.A5.0.0.1).

count
This optional keyword specifies the number of ipxping requests to be sent. The default is 1.

timeout
This optional keyword specifies how long to wait in seconds for a reply from the remote device before timing out the request. The default is 2 seconds.

datalength
This optional keyword specifies the data length of a packet. The default is 64 bytes.

spray
This optional keyword directs the ipxping command to output packets as fast as they come back or one every timeout period, whichever is first. For every ipxping request sent a "." is printed, and for every ipxping reply received it is erased.

EXAMPLES
To send 10 ping packets to node 38000.00.00.0c.09.7c.34 with a 1 second timeout:

Swizzle Router> ipxping 38000.00.00.0c.09.7c.34 count 10 timeout 1
Packet len 64, seqnum 1 to [38000-00:00:00:0c:09:7c:34] 16 ms.
Packet len 64, seqnum 2 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 3 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 4 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 5 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 6 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 7 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 8 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 9 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 10 to [38000-00:00:00:0c:09:7c:34] 0 ms.
10 pings sent, 10 received (100%)
min/max/avg time in milliseconds = 0/16/1
Swizzle Router>

Note: If more processing is enabled, output will stop when a screenful of data has been output. If a lot of output is expected, more processing can be disabled using the set terminal nomore command (see terminal(set)).

SEE ALSO
terminal(set)

ospfenable(mgmt)

COMMAND NAME
ospfdisable, ospfenable - Disable or enable OSPF.

SYNOPSIS
ospfenable
ospfdisable

DESCRIPTION
The ospfenable and ospfdisable commands allow the user to temporarily disable or enable the OSPF protocol without restarting the router. The ospfdisable command will cause the router to notify its neighbors that it is "going down." The ospfenable command will allow the router to reestablish the adjacencies with each neighbor from scratch, just as if the router was first coming up. The ospfenable command should be used only after ospfdisable has been used.

SEE ALSO
[ IP <Section ID> ], [ OSPF Area <Name> ], [ OSPF Virtual Link <Name> ], [ IP Route Redistribution ], [ IP Route Filter <Name> ], ospf(show)

ping(mgmt)

COMMAND NAME
ping - Send ICMP Echo Request to IP address.

SYNOPSIS
ping <destination address> | <host name> [ count <count> ] [ timeout <timeout> ] [ datalength <data length> ] [ spray ] [ sourceaddress <source address> | <interface> ]

DESCRIPTION
The ping command directs the device to send ICMP (Internet Control Message Protocol) Echo Request messages to an IP address. This command is often used to determine if a remote router or host is reachable. When using the ping command to isolate network faults, hosts that are nearer to the device should be pinged first. Then, nodes successively further away should be probed. Round-trip times and packet loss statistics are computed. Duplicate and corrupted packets received from the remote node are flagged. Lost packets are flagged as timed out.
When the specified number of packets have been sent (and received), a brief summary is displayed. The command can also be terminated with a <CTRL-C>. This command is intended to be used for network testing. Because of the network load imposed by the spray option, it is unwise to use ping with spray during normal operation.

OPTIONS
destination address or host name
This required parameter is used to indicate the host name or IP address of the ultimate destination. It can be entered either as a numerical IP address (e.g., 10.1.2.3) or a host name (e.g., hal.acme.com) if a Domain Name Server has been configured (see the [ Domain Name Server ] section).

count
This optional keyword specifies the number of ICMP Echo Requests to be sent. The default is 1.

timeout
This optional keyword specifies how long to wait in seconds for a reply from the remote host before timing out the request. The default is 2 seconds.

datalength
This optional keyword specifies the data length of a packet. The default is 64 bytes.

spray
This optional keyword directs the ping command to output packets as fast as they come back or one every timeout period, whichever is first. For every Echo Request sent a "." is printed, and for every Echo Reply received it is erased.

sourceaddress
This keyword specifies which port or address is to be used as the origin of the outbound packet. The value must be an IP address of an associated interface or a port name (i.e., Ethernet 0, WAN 0) on the device. If no sourceaddress is specified, the device will, by default, use the address of the outbound interface as its source. This option allows packets that are sent out via ping to be correctly answered. In particular, it allows the ping command to function over the Internet from a device which uses a private, unroutable WAN address.
An example is the case where a Frame Relay link is using a private IP address on the WAN and the user wants to ping across that interface to test connectivity out to the Internet.

EXAMPLES
To send 10 echo packets to node 10.0.0.1 with a 1 second timeout:

Swizzle Router> ping 10.0.0.1 count 10 timeout 1
Packet len 64, seqnum 1 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 2 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 3 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 4 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 5 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 6 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 7 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 8 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 9 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 10 to [10.0.0.1] 0 ms.
10 pings sent, 10 received (100%)
min/max/avg time in milliseconds = 0/0/0
Swizzle Router>

Note: If more processing is enabled, output will stop when a screenful of data has been output. If a lot of output is expected, more processing can be disabled using the set terminal nomore command (see terminal(set)).

SEE ALSO
[ Domain Name Server ], terminal(set)

save(mgmt)

COMMAND NAME
save - Save a new configuration and restart immediately.

SYNOPSIS
save

DESCRIPTION
The save command is a privileged command that requires supervisor mode to operate. If the save command is issued and the configuration buffer has not been modified, it will return without doing anything. After issuing the save command, the user will be given a "Y/N" prompt. If "Y" is entered, the edited configuration will be saved to the device's Flash ROM. During the process, the current contents of the ROM will be saved to RAM, the ROM will be erased, and the contents programmed back into the ROM from RAM. This can take from 30 to 105 seconds, depending on the device type. If power is turned off during this time, the contents of RAM will be erased and the process will be aborted. The device will then restart from its boot loader ROM.
If this happens, you must reload the operating software using tftp (see tftp(mgmt)) or CompatiView. Please wait at least five minutes for the device to complete this process.

Note: The IntraPort 2/2+, IntraPort Enterprise, and IntraPort Carrier VPN Access Servers and the IntraGuard Firewall have additional commands which allow you to save and/or apply a new configuration without restarting the device. See write(mgmt) and apply(mgmt).

SEE ALSO
enable(mgmt), write(mgmt), apply(mgmt), tftp(mgmt)

sys(mgmt)

COMMAND NAME
sys - Miscellaneous system operations.

SYNOPSIS
sys attach
sys detach
sys connect <Wan Port Number> [ force ]
sys dropline <Wan Port Number> [ <tries> ]
sys upline <Wan Port Number>
sys write <port name> [ <message to be sent>... ]
sys echo
sys date
sys debug

DESCRIPTION
This is a collection of commands that perform miscellaneous system related functions.

sys attach
This command re-attaches the user to a modified configuration buffer. Although multiple command line sessions may be active at once on a system, there may only be one supervisor session active on the system and there is only one command line configuration buffer allocated in the system. This buffer contains the modified configuration before it is saved using the save command (see save(mgmt)). A supervisor session may be terminated or timed out by the system if no user input occurs within 5 minutes. In this case, if a modified configuration buffer exists, it will remain in the system's memory until the system is restarted. By using the sys attach command all of the previous configuration buffer's information is remembered as if it were entered in the current session. In addition, the command parser will notify a supervisor that a modified buffer exists on the first command that will change the configuration.
At this point the user will have the opportunity to overwrite the previous configuration buffer and discard all previous changes; to attach to the previous configuration buffer and add the new change to it; or to cancel the new change and leave the previous configuration buffer as it was. sys detach A modified buffer that is not associated with any terminal session is considered detached. It is possible to detach from a modified configuration buffer by issuing the sys detach command. It is also possible to detach from a modified configuration buffer by issuing the exit command (see exit(mgmt)). Management Section 241 sys(mgmt) sys connect This command is used on a WAN interface to connect to a modem and verify the system connection to the modem by issuing modem commands directly from the telnet or terminal session. sys dropline This command instructs the device to abruptly terminate an existing connection when a WAN interface has an on-demand connection configured. sys upline This command will instruct the device to initiate a connection on a WAN interface which has an on-demand connection configured. sys write This command sends a message to another telnet or terminal session. The show os processes command can be used to display the names of other terminal sessions. In this display, sessions will be listed as "CLI @XXX", where XXX is the name of the terminal associated with the session. Use that name as the name of the interface to write to. sys echo This command simply repeats the arguments passed to it. This can be used to determine how escape characters and various command arguments will be interpreted. sys date This command displays the date and time if the time server has been enabled (see the [ Time Server ] section). sys debug This command is used to turn on system debugging. Note: This command is not enabled in production releases and should only be used when instructed to do so by a CompatibleSystems Technical Support Engineer. 
OPTIONS WAN Port Number This parameter must be entered as a number corresponding to the WAN interface starting with 0 (WAN A is 0, and WAN B is 1). force The keyword force is used to force an attempt to connect with a modem on a WAN interface even if another connection is already in progress or if the WAN link is up. port name This parameter specifies an interface name (e.g., CON, PTY1, ...) that a brief message should be sent to. 242 Management Section sys(mgmt) message to be sent This parameter can be any string that should be sent to another terminal session. SEE ALSO save(mgmt), exit(mgmt), os(show), [ Time Server ] Management Section 243 tftp(mgmt) COMMAND NAME tftp - Enable/disable system software downloading using TFTP. SYNOPSIS tftp enable [ < timeout > ] [ <TFTP client IP address > ] tftp disable DESCRIPTION The tftp enable command permits downloading of system software to a device using Trivial File Transfer Protocol (TFTP) from a remote IP host. Downloading through TFTP won't be permitted unless this command is executed from either a console or from a remote host that is telnetted into the device. This command asks for the device's password and will establish a window of opportunity for TFTP downloading to the device only from the remote IP host specified. The default window is 60 seconds. If entering this command from the console, or from a host other than the host from which the TFTP will originate, the TFTP client IP address must be specified. Transfer configuration files to and from the device using an ASCII mode transfer. The remote file name must be the device type followed by ".cfg". The following chart shows the different device types and sample configuration file names. DEVICE TYPE SAMPLE FILE NAME Risc Router rr4000s.cfg, rr3500r.cfg, etc. MicroRouter mr1200i.cfg, mr2200r.cfg, etc. IntraPort VPN Access Server IntraPort2+.cfg, IntraPortEnterprise.cfg, IntraPortCarrier.cfg, etc. 
IntraGuard Firewall IntraGuard.cfg VSR Multigigabit Switching Router VSR.cfg It is also possible to create a text-based configuration file and use CompatiView to transfer the file to and from the device. This method uses a secure transfer mechanism, preventing the configuration from being observed while it is in transit to the device. See the CompatiView Reference Guide for more information. The tftp disable command is used to cancel a previous enable command. OPTIONS timeout This is the amount of time, in seconds, that TFTP downloading to the device will be permitted from the established IP host. The default is 60 seconds. 244 Management Section tftp(mgmt) TFTP client IP address This is the remote IP address from which a TFTP download can be established. This option is required if issuing the tftp enable command from the console or from a host other than the host from which the TFTP will originate. The default is the IP address of the telnet host. EXAMPLES Following is an example of a tftp enable command from a remote host via telnet. tftp enable Following is an example of a tftp enable command issued from the console. tftp enable 60 192.15.0.1 Management Section 245 traceroute(mgmt) COMMAND NAME traceroute - Print the route that packets take to a network host. SYNOPSIS traceroute <destination address>|<host name> [nonames] [probes<#probes>] [ timeout<timeout>] [hops<#hops>] [ sourceaddress<source address> | <interface>] DESCRIPTION The traceroute command directs the device to send UDP test packets to each intermediate hop along the route to the requested IP address or host name. This command is used for network testing when there are difficulties in reaching a selected host. Each node along the route to the host is probed with a test UDP packet, and should return an ICMP packet to the device. The device displays round-trip times and IP addresses/host names for each node. 
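The download window that the tftp enable command above opens, modelled as an added example rather than device firmware: the client address defaults to the telnet host, must be given explicitly from the console, and transfers are permitted only from that one address and only until the timeout (60 seconds by default) runs out. The model assumes the session origin is passed in as the string "console" or the telnet host's IP address and that the caller supplies the clock.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_WINDOW_SECONDS = 60  # default window stated in the tftp enable description


@dataclass
class TftpWindow:
    """An open window: downloads allowed only from client_ip until expires_at."""
    client_ip: str
    expires_at: float


class TftpGate:
    """Model of the tftp enable / tftp disable state (added example, not device code)."""

    def __init__(self) -> None:
        self.window: Optional[TftpWindow] = None

    def enable(self, now: float, session: str, timeout: Optional[int] = None,
               client_ip: Optional[str] = None) -> TftpWindow:
        """Open a download window.

        session is "console" or the IP address of the telnet host issuing the
        command (an assumption of this model); timeout is in seconds.
        """
        window_seconds = DEFAULT_WINDOW_SECONDS if timeout is None else timeout
        if window_seconds <= 0:
            raise ValueError("timeout must be a positive number of seconds")
        if client_ip is None:
            if session == "console":
                # No telnet host to default to, so the address must be given.
                raise ValueError("TFTP client IP address is required from the console")
            client_ip = session  # default: the address of the telnet host
        self.window = TftpWindow(client_ip=client_ip, expires_at=now + window_seconds)
        return self.window

    def disable(self) -> None:
        """Cancel a previous enable command."""
        self.window = None

    def permits(self, now: float, source_ip: str) -> bool:
        """True only for the established client, inside the open window."""
        if self.window is None:
            return False
        if now >= self.window.expires_at:
            self.window = None  # the window has closed; forget it
            return False
        return source_ip == self.window.client_ip


def enable_ok(gate: TftpGate, now: float, session: str,
              timeout: Optional[int] = None, client_ip: Optional[str] = None) -> bool:
    """Convenience wrapper: did the enable command succeed?"""
    try:
        gate.enable(now, session, timeout, client_ip)
        return True
    except ValueError:
        return False
```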
If a node does not respond within the timeout period, a timeout is indicated in the display by an asterisk.

OPTIONS
destination address or host name
This required parameter is used to indicate the host name or IP address of the ultimate destination. It can be entered either as a numerical IP address (e.g., 10.1.2.3) or a host name (e.g., hal.acme.com) if a Domain Name Server has been configured (see the [ Domain Name Server ] section).

nonames
This optional keyword directs the command to print out only numerical IP addresses for each node along the route. If this keyword is not present, both the IP address and the host name of each intermediate hop will be displayed.

probes
This optional keyword specifies the number of probes to be launched at each intermediate machine. Valid probe counts are 1, 2, or 3. The default is 3 probes.

timeout
This optional keyword specifies the amount of time which the device will wait before declaring that the response has timed out. The default timeout is 1 second. If excessive timeouts are occurring during the traceroute, the process can be terminated by entering a <CTRL-C> at the keyboard.

hops
This optional keyword specifies the maximum number of hops the traceroute command will use in an attempt to reach the end destination. The default is 40 hops. This should be sufficient for most applications.

sourceaddress
This keyword specifies which port or address is to be used as the origin of the outbound packet. The value must be an IP address of an associated interface or a port name (i.e., Ethernet 0, WAN 0) on the device. If no sourceaddress is specified, the device will, by default, use the address of the outbound interface as its source. This option allows packets that are sent out via traceroute to be correctly answered. This option allows the traceroute command to function over the Internet from a device which uses a private, unroutable WAN address. An example is the case where a Frame Relay link is using a private IP address on the WAN and the user wants to traceroute across that interface to test connectivity out to the Internet.

EXAMPLES
The following illustrates a traceroute to the host "hal.acme.com" using the default parameters. The round-trip time is reported in increments of 16 ms; anything less will be reported as 0 ms. Note that node 4 did not respond to any of the UDP packets in the allotted time. This could indicate excessive congestion on that node at the time of the probes.

MyRouter> tr hal.acme.com
Traceroute to hal.acme.com IP Address = 10.1.2.3
3 probes per hop, 1 sec timeout, 40 hops max
1 12.5.6.8 (saturn.abc.com) 16ms 16ms 0ms
2 13.80.3.18 (neptune.def.com) 128ms ** 64ms
3 4.100.6.30 (mercury.ghi.com) 160ms 340ms 176ms
4 ********** ** ** **
5 138.42.2.1 (pluto.jkl.com) 48ms 192ms 208ms
6 10.1.2.3 (hal.acme.com) 48ms 64ms 48ms
Destination reached in 6 hops

If there is no Domain Name Server, the name lookup can be disabled with the nonames option. The timeout can be increased in an attempt to get a response from node 4:

MyRouter> tr hal.acme.com nonames 2 3 10
Traceroute to hal.acme.com IP Address = 10.1.2.3
2 probes per hop, 3 sec timeout, 10 hops max
1 12.5.6.8 16ms 16ms
2 13.80.3.18 128ms 64ms
3 4.100.6.30 160ms 176ms
4 15.3.80.4 1600ms 1760ms
5 138.42.2.1 192ms 208ms
6 10.1.2.3 48ms 64ms
Destination reached in 6 hops

Note: If more processing is enabled, output will stop when a screenful of data has been output. If a lot of output is expected, more processing can be disabled using the set terminal nomore command (see terminal(set)).

SEE ALSO
[ Domain Name Server ], terminal(set)

vpn tunnel(mgmt)

COMMAND NAME
vpn tunnel up, vpn tunnel down - Establish or tear down a LAN-to-LAN tunnel.

SYNOPSIS
vpn tunnel up <vpn port>
vpn tunnel down <vpn port>

DESCRIPTION
The vpn tunnel up command directs the device to establish a VPN LAN-to-LAN tunnel for a specified VPN port without restarting the device. In order for this command to work, the KeyManage keyword must be set to Initiate in the [ Tunnel Partner <Section ID> ] section for the VPN port.

The vpn tunnel down command directs the device to shut down a VPN LAN-to-LAN tunnel for a specified VPN port.

The show vpn runtime command will display a list of all currently active VPN tunnels (see vpn(show)).

SEE ALSO
[ Tunnel Partner <Section ID> ], vpn(show)

write(mgmt)

COMMAND NAME
write - Write an edited configuration to Flash ROM without restarting the device.

SYNOPSIS
write

DESCRIPTION
The write command is a privileged command that requires supervisor mode to operate. This command allows you to write a configuration to the device's Flash ROM without restarting the device. The changes which were made to the configuration will not be applied until the device is restarted. If the write command is issued and a configuration buffer has not been modified, it will return an error message indicating that no configuration changes have been made.

This command is only available on the IntraPort 2/2+, IntraPort Enterprise, and IntraPort Carrier VPN Access Servers and on the IntraGuard Firewall.

SEE ALSO
save(mgmt), apply(mgmt)

ip arp(add)

COMMAND NAME
add ip arp - Add a static IP ARP cache entry.

SYNOPSIS
add ip arp <IP address> <Ethernet address | DLCI>

DESCRIPTION
This command adds a static Address Resolution Protocol (ARP) entry to the device's ARP cache. The entry will not be timed out of the cache as is done with dynamic ARP entries. The entry will reside in the ARP cache until the device is rebooted; it cannot be saved in Flash ROM for subsequent installation.

ARP is used to map high-level IP addresses to physical addresses. The physical address may be either an IEEE Ethernet address or a Frame Relay DLCI, which can be converted into a Frame Relay Q.922 hardware address. IP ARP is described in RFC 826.

OPTIONS
IP address
This option specifies an IP address to be associated with the hardware address in the ARP cache. It should be a legal IP address specified in dotted decimal format.

Ethernet address
This option specifies an IEEE Ethernet address to be associated with the IP address in the ARP cache. It should be six hexadecimal octets separated by colons (:) or dots (.) (i.e., 0:0:A5:0:0:1 or 0.0.A5.0.0.1).

DLCI
This option specifies a DLCI address to be associated with the IP address in the ARP cache. The device will translate the DLCI into a Frame Relay Q.922 hardware address. The DLCI number must be between 16 and 1007.

EXAMPLES
add ip arp 192.15.8.100 0.0.A5.0.0.1
add ip arp 192.15.8.100 0:0:A5:0:0:1
add ip arp 192.15.1.100 16

SEE ALSO
arp(show), arp(reset), [ Frame Relay <Section ID> ]

ip route(add)

COMMAND NAME
add ip route - Add static IP route.

SYNOPSIS
add ip route <destination> <mask> <gateway/wan port> <metric> [ Redist= RIP | OSPF1 | OSPF2 | BGP | none ]

DESCRIPTION
The add ip route command is used to add runtime static entries to the IP routing table. When the system is rebooted, the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ IP Static ] section. The route(s) must be saved with the save command (see save(mgmt)).

Static routes are used to provide information to the device about where IP packets should be sent when the device itself has not been able to determine a correct route for them using dynamic routing information. In cases where the routing metrics (i.e., the number of routing hops to a destination) are equal between a static route and a dynamic route, Compatible Systems devices will use the dynamic route.

Note: Static routes are more difficult to maintain and are generally not as reliable as dynamically-determined routes. We recommend that you use static routing only when the network does not provide adequate routing information through RIP.

OPTIONS
destination
A destination option is usually entered in the standard dotted decimal notation for IP addresses. However, values can be entered in hexadecimal as well. Hexadecimal numbers must either be preceded by a "0x" or they must be complete (8 hexadecimal digits, e.g., C6290C00 for 198.41.12.0). If 0.0.0.0 is specified as the destination, then the route being added is to a default router. The mask must also be 0.0.0.0. The default router will be used to route packets when the destination network is not known by the device.

mask
The mask option tells the device how much of the destination address entry should be considered when determining the route for a packet. This field has the same format as the destination field but typically has 255's for the network portion of the address and 0 for the host portion when adding a network route, and all 255's when adding a host route.

gateway/wan port
The gateway/wan port option also has the same format as the destination option and usually is the address of another router (gateway) which is responsible for packets being sent to the destination address or network. This field can also be specified as a physical interface of the device you are configuring (e.g., WAN A or just "0") when the interface is unnumbered. However, the name of a physical interface cannot be used when that interface is configured for Frame Relay operation. This is because the Frame Relay protocol allows multiple IP addresses to be reached over a single physical interface via different PVCs (permanent virtual circuits). See the [ Frame Relay <Section ID> ] section for more information.

metric
The metric option specifies the distance or cost to the destination. The metric is used by the routing process to determine where packets should be sent. It usually corresponds loosely with the number of hops to the destination. A lower value makes this a "better route." The value entered here must be between 1 and 15 and may correspond to the actual number of hops to the gateway or may be larger to artificially inflate the cost. There are several reasons why you might enter a route with an inflated metric. If there is more than one route to another destination but the route with the shortest number of hops is over a slow WAN link, you might add a route to cause the IP traffic to take the "quicker" route.

Redist=RIP | OSPF1 | OSPF2 | BGP | none
If the optional Redist parameter is specified, this route will be redistributed into the specified routing protocol. If you leave this field off or if none is specified, the static route will not be redistributed. Only one routing protocol can be selected for redistributing each static route.

If RIP is specified, the static route entry will be redistributed into the RIP routing protocol, which means that other routers will be able to choose this device as a way to forward packets to the destination address, depending on the metric and what other routes are available. Routing information received via RIP from other routers will be redistributed out other interfaces where RIP processing is enabled. When routes are rebroadcast in this fashion, the metric for this route is increased by 1, which increases the cost of the route.

If OSPF1 or OSPF2 is specified, the static route entry will be redistributed into the OSPF routing protocol. The 1 or 2 refer to the two types of external metrics which may be used in OSPF. The cost of a type 2 route is simply the external cost, regardless of the interior (i.e., within OSPF) cost to reach that router. A type 1 cost is the sum of both the external cost and the internal cost used to reach that router.
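A parser for the add ip route argument rules described above, as an added example that is not Compatible Systems code: it accepts destinations in dotted decimal, 0x-prefixed hex or complete 8-digit hex, enforces the 0.0.0.0 default-route mask rule, the 1 to 15 metric range and the single Redist choice, and applies the tie-break rule that a dynamic route of equal or lower metric wins together with the OSPF type 1 / type 2 external cost rule. It assumes that a next hop which does not parse as an address is a bare WAN port number such as 0; port names like WAN A are not handled.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Redistribution targets from the SYNOPSIS; compared case-insensitively.
REDIST_CHOICES = {"rip": "RIP", "ospf1": "OSPF1", "ospf2": "OSPF2", "bgp": "BGP", "none": "none"}

DOTTED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_addr(token: str) -> int:
    """Parse an address/mask/gateway token into a 32-bit integer.

    Forms accepted per the destination option text: dotted decimal,
    hex with a "0x" prefix, or a complete 8-digit hex number (C6290C00).
    """
    if DOTTED.match(token):
        octets = [int(o) for o in token.split(".")]
        if any(o > 255 for o in octets):
            raise ValueError(f"octet out of range: {token}")
        return int.from_bytes(bytes(octets), "big")
    if token[:2].lower() == "0x":
        value = int(token[2:], 16)
    elif HEX8.match(token):
        value = int(token, 16)
    else:
        raise ValueError(f"not an IP address: {token}")
    if value > 0xFFFFFFFF:
        raise ValueError(f"address wider than 32 bits: {token}")
    return value


def to_dotted(value: int) -> str:
    """Render a 32-bit integer as dotted decimal."""
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


@dataclass
class StaticRoute:
    destination: int
    mask: int
    gateway: Optional[int]    # next-hop router address, or None
    interface: Optional[str]  # bare WAN port number (e.g. "0") on an unnumbered link
    metric: int
    redist: str


def parse_add_ip_route(line: str) -> StaticRoute:
    """Validate one 'add ip route' command line against the documented rules."""
    tokens = line.split()
    if tokens[:3] != ["add", "ip", "route"]:
        raise ValueError("expected 'add ip route ...'")
    args = tokens[3:]
    if len(args) not in (4, 5):
        raise ValueError("usage: add ip route <destination> <mask> <gateway/wan port> <metric> [Redist=...]")
    destination = parse_addr(args[0])
    mask = parse_addr(args[1])
    if destination == 0 and mask != 0:
        # 0.0.0.0 names a default router, and its mask must also be 0.0.0.0.
        raise ValueError("a default route (destination 0.0.0.0) requires mask 0.0.0.0")
    gateway = interface = None
    try:
        gateway = parse_addr(args[2])
    except ValueError:
        if not args[2].isdigit():  # assumption: a bare port number means "WAN n"
            raise ValueError(f"bad gateway/wan port: {args[2]}")
        interface = args[2]
    metric = int(args[3])
    if not 1 <= metric <= 15:
        raise ValueError("metric must be between 1 and 15")
    redist = "none"
    if len(args) == 5:
        key, _, value = args[4].partition("=")
        if key.lower() != "redist" or value.lower() not in REDIST_CHOICES:
            raise ValueError(f"bad redistribution option: {args[4]}")
        redist = REDIST_CHOICES[value.lower()]
    return StaticRoute(destination, mask, gateway, interface, metric, redist)


def is_valid(line: str) -> bool:
    """True when the command line would be accepted."""
    try:
        parse_add_ip_route(line)
        return True
    except ValueError:
        return False


def preferred_route(static: StaticRoute, dynamic_metric: Optional[int]) -> str:
    """Which entry forwards traffic: a dynamic route of equal or lower metric wins."""
    if dynamic_metric is not None and dynamic_metric <= static.metric:
        return "dynamic"
    return "static"


def ospf_external_cost(route: StaticRoute, external: int, internal: int) -> int:
    """Type 2 cost is the external cost alone; type 1 adds the interior OSPF cost."""
    if route.redist == "OSPF2":
        return external
    if route.redist == "OSPF1":
        return external + internal
    raise ValueError("route is not redistributed into OSPF")
```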
If BGP is specified, the static route entry will be redistributed into the BGP routing protocol. 252 Management Section ip route(add) EXAMPLES The first example adds a default route which passes all packets with unknown destinations to WAN 0. This route might be used on a device which has a connection to an Internet Service Provider through WAN 0. add ip route 0.0.0.0 0.0.0.0 0 1 The next example adds a route to network 198.41.13.0 through the gateway 198.41.9.65. Notice that the metric is 4. That means that if a better dynamic route is found (the metric is less than or equal to 4), this route will not be used. The command also tells the device to include this route in its RIP broadcast. If the device is restarted or the configuration is saved, this route will not be retained. add ip route 198.41.13.0 255.255.255.0 198.41.9.65 4 redist=RIP SEE ALSO [ IP Static ], [ IP <Section ID> ], ip(show), save(mgmt), [ Frame Relay <Section ID> ] Management Section 253 chat(edit) COMMAND NAME edit chat - Create and edit chat scripts. SYNOPSIS edit chat [ <chat script name> ] DESCRIPTION Compatible Systems devices support standard communications chat scripts that let you specify dialing and/or connect sequences between this device and remote routers or terminal servers. The rules and syntax of chat scripts are documented in the [ Chat <Name> ] section. New or existing chat scripts can be entered or viewed using the device’s built-in line editor. See edit config for a description of this line editor. SEE ALSO [ Chat <Name> ],edit config 254 Management Section filter(edit) COMMAND NAME edit filter - Create and edit protocol filtering rules. SYNOPSIS edit filter appletalk <name> edit filter ip <name> edit filter iprouting <name> edit filter ipx <name> edit filter ipxrouting <name> edit filter ipxsap <name> DESCRIPTION The edit filter commands allow you to create or edit new or existing protocol-specific filters using the device’s built-in line editor. 
See edit config for a description of this line editor. Note: Rules that have been specified using Compatible's CompatiView Manager may be edited or examined through the command line interface. Likewise, rules defined through the command line interface may be edited through CompatiView. When the rules are downloaded into the router from CompatiView, they will be encrypted. The edit filter appletalk command allows you to define, edit and name sets of AppleTalk filtering rules. The rules and syntax of AppleTalk filters are documented in the [ AppleTalk Filter <Name> ] section. The edit filter ip command allows you to define, edit and name sets of IP packet filtering rules. The rules and syntax of IP packet filters are documented in the [ IP Filter <Name> ] section. The edit filter iprouting command allows you to define, edit and name a set of IP route filtering rules. The rules and syntax of IP route filters are documented in the [ IP Route Filter <Name> ] section. The edit filter ipx command allows you to define, edit and name a set of IPX packet filtering rules. The rules and syntax of IPX packet filters are documented in the [ IPX Filter <Name> ] section. The edit filter ipxrouting command allows you to define, edit and name a set of IPX route filtering rules. The rules and syntax of IPX route filters are documented in the [ IPX Route Filter <Name> ] section. The edit filter ipxsap command allows you to define, edit and name a set of IPX SAP filtering rules. The rules and syntax of IPX SAP filters are documented in the [ IPX SAP Filter <Name> ] section. SEE ALSO edit config, [ AppleTalk Filter <Name> ] , [ IP Filter <Name> ], [ IP Route Filter <Name> ], [[ IPX Filter <Name> ], [ IPX Route Filter <Name> ], [ IPX SAP Filter <Name> ] Management Section 255 appletalk(reset) COMMAND NAME reset appletalk - Delete AppleTalk routing parameters. 
SYNOPSIS reset appletalk statistics reset appletalk routing { <network number> | all } reset appletalk cache { <network number> | all } DESCRIPTION The reset appletalk commands delete runtime AppleTalk parameters. reset appletalk statistics This command resets the DDP (Datagram Delivery Protocol) tallies kept for AppleTalk. reset appletalk routing This command deletes AppleTalk dynamic routing table entries. Direct connect entries cannot be deleted. To delete an entry, the network number of the route must be specified or all will delete all dynamic entries. The show appletalk routing command will display the routing table. reset appletalk cache This command deletes entries from the AppleTalk fast-routing cache. Use the show appletalk cache command to display the cache (see appletalk(show)). OPTIONS network number This is the AppleTalk network number of the entry to delete. It must be between 1 and 65279. In the case of networks specified by a range, use the beginning number of the range. all This option specifies that all the tables the command pertains to should be deleted. SEE ALSO [ AppleTalk <Section ID> ], [ AppleTalk Tunnels ], appletalk(show), interface(mgmt) 256 Management Section arp(reset) COMMAND NAME reset arp - Delete ARP table entries. SYNOPSIS reset arp [ <address> | all ] DESCRIPTION This command removes entries from the Address Resolution Protocol (ARP) cache. Normally, dynamic entries are timed out after 20 minutes and static entries remain in the cache until the device is restarted. This command is useful when new hardware using the same higher level protocol address is replaced on a network. It is necessary since the previous hardware address is retained in the ARP mapping cache. OPTIONS address This is the high-level address associated with the hardware address in the ARP cache to be deleted. It must be either a legal IP address specified in dotted- decimal format or an AppleTalk address specified as net:node. 
all This option specifies that all entries, dynamic and static, be deleted from the ARP cache. EXAMPLES reset arp 192.15.100.1 reset arp 35000:1 reset arp all SEE ALSO arp(show), ip arp(add) Management Section 257 bgp(reset) COMMAND NAME reset bgp peer - Reset BGP session. SYNOPSIS reset bgp peer [ all | <IP address> ] DESCRIPTION The reset bgp peer command is used to reset a BGP session with a specific peer or, if all is specified, with all peers. The IP address specifies a particular peer. Its value should be entered in dotted-decimal format. EXAMPLES This example resets the BGP session with a single peer. reset bgp peer 205.14.128.1 SEE ALSO [ BGP General ], bgp(show) 258 Management Section config(reset) COMMAND NAME reset config - Reset configuration with current or factory settings. SYNOPSIS reset config [ default ] DESCRIPTION The reset config command is used to reset the current configuration information in the router. This command should be used during editing if you wish to erase all of your changes and return to the configuration information stored in the Flash ROM. If used with the optional default parameter (and this must be spelled out completely), the configuration information will be set to factory defaults. This command takes effect immediately. However, most changes will not take effect within the device until you issue the save command (see save(mgmt)). EXAMPLES To clear all changes in the presently edited configuration, type: reset config To set the editing configuration to factory defaults, type: reset config default SEE ALSO save(mgmt) Management Section 259 decnet(reset) COMMAND NAME reset decnet - Delete DECnet parameters. SYNOPSIS reset decnet routing <DECnet node> | all DESCRIPTION The reset decnet routing command removes one or all entries from a router's DECnet routing table. The DECnet routing table is updated by DECnet routing messages. 
If you delete a valid route, it will appear again in the table when the next routing message is received. OPTIONS DECnet node This is the DECnet area and DECnet node address in dotted decimal notation. all Using all for this option will reset the entire DECnet routing table for the router. EXAMPLES The following example removes a single DECnet node from the routing table. reset decnet routing 1.10 SEE ALSO [ DECnet <Section ID> ], [ DECnet Global ], decnet(show) 260 Management Section ip(reset) COMMAND NAME reset ip - Reset/Delete IP routing table entries, statistics, and UDP broadcast relays. SYNOPSIS reset ip routing { all | <IP address> [ <mask >] } reset ip statistics reset ip cache [ all | <IP address> ] DESCRIPTION The reset ip commands are used to reset or clear IP routing parameters, relays and statistics. The reset ip routing command is used to remove entries from the routing table. These can be static routes configured previously or dynamic routes picked up via RIP. If the optional all parameter is specified, all dynamic routes are purged from memory and the router "relearns" them. Use of the command with the other options removes specific entries. The reset ip statistics command resets all of the IP statistic tallies to zero. This is helpful if you are debugging an IP problem and want to watch IP statistics accrue from the current time. The reset ip cache command clears entries from the IP portion of the fastrouting cache. If the optional all parameter is specified, all entries are purged from memory and the router will "relearn" them. OPTIONS all This option specifies that all the tables the command pertains to should be deleted. IP address The IP address is the destination host IP address or network address for the entry to be deleted. Its value should be entered in dotteddecimal format. mask The mask is the subnet mask for this entry. EXAMPLES This example removes a routing table entry for a host route from both the runtime and configuration. 
reset ip routing 198.41.12.2 255.255.255.255 SEE ALSO ip(show), ip route(add) Management Section 261 ipx(reset) COMMAND NAME reset ipx - Delete IPX parameters. SYNOPSIS reset ipx routing { <network number> | all } reset ipx cache { <network number> | all } reset ipx sap { <network number:node> | all } DESCRIPTION The reset ipx commands delete permanent and runtime IPX parameters. reset ipx routing This command deletes IPX dynamic routing table entries. Direct connect entries cannot be deleted. To delete a specific entry, the network number of the route must be specified or all will delete all dynamic entries. reset ipx cache This command deletes entries from the IPX fast-routing cache. reset ipx sap This command deletes an IPX SAP (Service Advertising Protocol) server entry from the dynamic table kept by the router. The router's SAP entry cannot be deleted because this entry is needed to manage the router using IPX as a transport. OPTIONS network number This option specifies the hexadecimal IPX network number of the entry to delete. Must be between 1 and FFFFFFFE. node This option specifies the server node address of the entry to delete. This number is specified as an Ethernet address. An Ethernet address is specified as six hexadecimal octets separated by dots (.) or colons (:). An example would be 0.0.A5.0.0.1 or 0:0:A5:0:0:1. all This option specifies that all the parameters the command pertains to should be deleted. SEE ALSO [ IPX <Section ID> ], ipx(show) 262 Management Section ospf nbr(reset) COMMAND NAME reset ospf nbr - Reset OSPF adjacency with a neighbor. SYNOPSIS reset ospf nbr [ all | <IP address> ] DESCRIPTION The reset ospf nbr command resets the adjacency with just one OSPF neighbor, or, if all is specified, with all neighbors. This command allows the OSPF protocol to continue running while ending an adjacency with the specified neighbor(s). This router will immediately set up new adjacencies with the specified neighbor(s). 
This command can be particularly useful if two neighbors are hung up during the adjacency establishment process. The address provided can be either the IP address the neighbor has on its interface with this router, or the neighbor's Router ID (which is the largest IP interface address associated with that router). EXAMPLES This example removes the adjacency with a single neighbor. ospf reset nbr 192.41.10.1 SEE ALSO [ IP <Section ID> ], ospf(show) Management Section 263 resevent(reset) COMMAND NAME reset resevent - Clear restart event information. SYNOPSIS reset resevent DESCRIPTION The reset resevent command clears restart event information from the router's memory. A restart condition occurs when the router detects an error condition from which is cannot gracefully recover. The router stores the error and other memory registers in a "safe" place in memory and then automatically restarts. After restart, information relevant to the restart condition can be accessed by the show os resevent command (see os(show)). You may also clear the restart information by powering the router off and back on again. SEE ALSO os(show) 264 Management Section securid secret(reset) COMMAND NAME reset securid secret - Delete the shared SecurID secret SYNOPSIS reset securid secret { <IP address> | all } DESCRIPTION The reset securid secret command deletes the SecurID secrets stored in memory on an IntraPort VPN Access Server. The first time an IntraPort contacts an ACE/Server, they exchange a secret based in part on the IntraPort’s IP address. Any major changes to the IntraPort’s configuration (such as changing its IP address) will mean that the IntraPort and the ACE/Server will no longer be able to communicate. To get around this, you must use the reset securid secret command on the IntraPort and also uncheck the Sent Node Secret checkbox in the ACE/ Server’s Add Client Dialog Box (which can be accessed using the Add Client option under the Client menu). 
After both of these steps have been completed, the two devices will do a new secret exchange and will be able to communicate again. OPTIONS IP Address This option limits the command to apply only to the secret for a specific ACE/Server using its IP address. It must be a legal IP address specified in dotted-decimal format. all This option specifies that the secrets for all ACE/Servers should be deleted. SEE ALSO [ SecurID ], securid(show) Management Section 265 statistics(reset) COMMAND NAME reset statistics - Clear router statistics. SYNOPSIS reset statistics ethernet reset statistics memory reset statistics appletalk reset statistics ip reset statistics serial [ <WAN port> ] reset statistics csu [ <WAN port> ] reset statistics connect [ <WAN port> ] reset statistics ds3 [ <WAN port> ] reset statistics hssi [ <WAN port> ] reset statistics ppp [ <WAN port> ] reset statistics frelay [ <WAN port> ] [ <DLCI> ] reset statistics radius DESCRIPTION These commands clear statistics kept by the device. The statistics cleared by each of the commands are described below. reset statistics ethernet This command clears Ethernet statistics which are displayed by the show ethernet statistics command. reset statistics memory This command clears buffer usage statistics which are displayed by the show os memory command. reset statistics appletalk This command clears AppleTalk statistics which are displayed by the show appletalk statistics command. reset statistics ip This command clears IP, UDP, and ICMP statistics which are displayed by the show ip statistics command. reset statistics serial This command clears WAN serial statistics which are displayed by the show wan serial statistics command. By specifying the optional WAN port parameter, only the statistics for that port will be cleared. reset statistics csu This command clears WAN CSU statistics which are displayed by the show wan csu statistics command. 
    By specifying the optional WAN port parameter, only the statistics for that port will be cleared.
reset statistics connect
    This command clears WAN connection statistics, which are displayed by the show wan connect statistics command. By specifying the optional WAN port parameter, only the statistics for that port will be cleared.
reset statistics ds3
    This command clears WAN DS3 statistics, which are displayed by the show wan ds3 statistics command. By specifying the optional WAN port parameter, only the statistics for that port will be cleared.
reset statistics hssi
    This command clears WAN HSSI statistics, which are displayed by the show wan hssi statistics command. By specifying the optional WAN port parameter, only the statistics for that port will be cleared.
reset statistics ppp
    This command clears WAN PPP statistics, which are displayed by the show ppp statistics command. By specifying the optional WAN port parameter, only the statistics for that port will be cleared.
reset statistics frelay
    This command clears Frame Relay statistics, which are displayed by the show frelay statistics command. By specifying the optional WAN port and DLCI parameters, only the statistics for that port and/or DLCI will be cleared.
reset statistics radius
    This command clears the RADIUS authentication and accounting statistics displayed by the show radius statistics command.

SEE ALSO
statistics(show), ethernet(show), system(show), os(show), appletalk(show), ip(show), wan(show), ppp(show), frelay(show), radius(show), save(mgmt)

bridge(set)

COMMAND NAME
set bridge - Modify bridge parameters.
SYNOPSIS
set bridge on [ <spigot priority> [ <path cost> ] ]
set bridge off
set bridge mode [ Ieee | Learning ] [ <table size> [ <aging time> ] ]
set bridge spanning priority <bridge priority>
set bridge spanning maxage <time>
set bridge spanning hello <time>
set bridge spanning fdelay <time>
set bridge filter permit
set bridge filter deny
set bridge filter add <protocols>
set bridge filter remove <protocols>

DESCRIPTION
These commands are used to configure runtime bridging information within the router. When the system is rebooted the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ Bridging <Section ID> ] and [ Bridging Global ] sections.

The set bridge on, set bridge off, and set bridge filter commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)). The other commands set global bridging parameters.

The bridging code in the router is enabled by two switches. Each interface has an individual switch to enable bridging for that interface explicitly, and there is a global switch telling the low-level forwarding code to enter the bridging routines. Two commands set the global bridging switch on: set bridge mode and set bridge on. If global bridging was previously disabled, you must save the configuration and reboot the router to turn bridging on. The only way to disable global bridging is to turn off all of the bridge interfaces, using the set bridge off command. When the last interface is disabled, the global bridging switch will be turned off. Individual interfaces may be enabled or disabled without affecting the status of other interfaces with respect to bridging.

The set bridge mode command selects the global operating mode for the bridge.

Ieee | Learning
    The Ieee mode configures the bridge to support the IEEE 802.1D Spanning Tree algorithm.
    The Spanning Tree algorithm is used by bridges to detect loops (i.e., two or more pathways to the same destination) and "prune" them into a tree-like, loop-free topology by establishing a root bridge and then calculating the best path from each bridge to the root bridge. Traffic is then forwarded only along this path. If the network to which the bridge is attaching contains loops, Spanning Tree must be enabled to prevent packet duplication.
    The Learning mode configures the bridge for operation with the Spanning Tree algorithm disabled. Learning mode should only be used on networks without active loops.

Note: Because the set bridge mode command sets global parameters, it isn't possible to turn on Ieee (Spanning Tree) or Learning for individual interfaces. When the mode is Ieee, the root bridge dictates the parameters for the whole network.

BRIDGE SPANNING
These commands are used to configure the IEEE 802.1D Spanning Tree Algorithm parameters within the bridge. The set bridge spanning commands are used to set global Spanning Tree parameters. The commands are described below.

set bridge spanning priority
    This command sets the bridge priority. The bridge priority is combined with the bridge's Ethernet address to create an 8-byte Bridge ID. The Spanning Tree algorithm uses the Bridge ID to determine the root bridge for a network. The numerically lowest Bridge ID on a network will be the root bridge for that network. There will only be one root bridge on a network.
set bridge spanning maxage
    This command sets the maximum age, which is used to determine when a Spanning Tree configuration packet is considered stale and its information is discarded. The default value is 20 seconds; values may range from 6 to 40.
set bridge spanning hello
    This command sets the hello time, which is the interval between Spanning Tree configuration packets sent by the bridge. The default value is 2 seconds; values range from 1 to 10.
set bridge spanning fdelay
    This command sets the forward delay. The forward delay is the time between state transitions on the spigot (bridge interface). It will also be used as the aging time during periods of topology change on the network. The default value is 15 seconds; values may range from 4 to 30.

Because all bridges on a Spanning Tree network will use the same values for all timer parameters, all bridges use timer values set by the root bridge. To change the values of the timer parameters for the network, set the values on the root bridge, or make the current bridge the root bridge by lowering the value of the bridge priority.

The bridge enforces the following relationships between the timer values mentioned above:

    2 x (fdelay - 1 second) >= maxage
    maxage >= 2 x (hello + 1 second)

BRIDGE FILTERING
The current implementation of bridging will by default bridge any protocol not being routed, and it has a limited capability to filter or restrict the traffic to and/or from a port based on the packet's protocol. There are two levels of protocol filtering within the bridging code: filtering based on routed protocols, and explicit bridge protocol filtering. In this scheme, the decision to route or filter a packet based on routing takes precedence over explicit bridge filtering. If a port is configured to route a protocol, all of that protocol's packets received on the port which are not routed will be discarded by the bridge. In order to bridge a particular protocol, routing for that protocol must be turned off for both the receiving and the transmitting interface.

The set bridge filter commands configure the bridge protocol filtering. Each interface has a filtering list to which protocols may be added or removed using the set bridge filter add or set bridge filter remove commands.
The set bridge filter permit and set bridge filter deny commands tell the bridge whether to permit or restrict (deny) packets in the interface's protocol filter list.

OPTIONS
spigot priority
    The spigot priority parameter sets the IEEE 802.1D Spanning Tree protocol port priority parameter. This parameter is used to give precedence to an interface within the bridge. The port priority is combined with the interface number to create a Bridge ID. The interface with the lowest Bridge ID (numerically) will have precedence over interfaces with higher Bridge IDs. The default is 128; valid values range from 0 to 255.
path cost
    The path cost parameter sets the IEEE 802.1D Spanning Tree protocol path cost, which is the cost of using an interface and is used by the bridge to compute the distance from the root bridge. It may be used to artificially change the topology of a Spanning Tree network. The default value of 100 is recommended by the IEEE specification for 10 Mbit Ethernet interfaces; valid values range from 1 to 65535.
table size
    The table size parameter sets the maximum number of address entries in the bridge's Ethernet address cache. The bridge will only allocate as many entries as it needs, allocating more as the table becomes full, up to the table size number of entries. The default value is 1200 entries; valid values range from 256 to 16,384.
aging time
    The aging time parameter sets the time in seconds that address cache entries can remain in the address cache without receiving a packet before the entry will be removed from the bridge. The default value is 300 seconds; valid values range from 10 to 100,000.
bridge priority
    The bridge priority parameter is a numerical value that is used to select the root bridge on a network. Setting the bridge priority to 0 should make the local bridge the root bridge. The default value is 32,768; valid values range from 0 to 65,535.
time
    The time parameter is a value in seconds.
    Defaults and ranges are described above in the description of the individual commands.
protocols
    The protocols parameter is used by the set bridge filter add and set bridge filter remove commands to modify the bridge protocol filtering database. Enter any number of protocols to be added or removed. The interface currently recognizes the IP, IPX, ATP1 (AppleTalk Phase 1), ATP2 (AppleTalk Phase 2), and Decnet keywords.

EXAMPLES
The following example will turn bridging on between Ethernet ports A and B for protocols other than currently routed protocols.

    interface ethernet a
    set bridge on
    interface ethernet b
    set bridge on

To turn bridging off, for each interface on which bridging is enabled:

    interface ethernet a
    set bridge off
    interface ethernet b
    set bridge off

To turn Spanning Tree on:

    set bridge mode ieee

To set the root bridge and change the hello time for the network:

    set bridge spanning priority 0
    set bridge spanning hello 4

NOTES
It is possible to receive an error message indicating that an invalid priority or path cost has been entered when enabling an interface for the first time with the set bridge on command. Re-enable the interface using the following parameters:

    set bridge on 128 100

This will set appropriate default parameters for the interface priority and path cost.

SEE ALSO
[ Bridging <Section ID> ], [ Bridging Global ], bridge(show), save(mgmt), interface(mgmt), enable(mgmt)

ppp quality(set)

COMMAND NAME
set ppp quality - Set Point-to-Point Protocol (PPP) link quality parameters.

SYNOPSIS
set ppp quality echo on
set ppp quality echo off
set ppp quality echo interval <seconds>
set ppp quality echo threshold <misses> <total>

DESCRIPTION
These commands are used to configure runtime link quality parameters within the device. When the system is rebooted the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ PPP <Section ID> ] section.
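The following Python is an added example and not code from this guide or from Compatible Systems. It refers back to the bridge(set) section above: it checks proposed set bridge spanning values against the ranges and the two timer relationships that section says the bridge enforces, and it models the BRIDGE FILTERING decision (routing takes precedence over the explicit per-interface filter list). The BridgeInterface objects are a constructed model, and the assumption that an interface's filter list applies to traffic both into and out of that port is marked in the code; the protocol keywords are the ones the page lists.

```python
"""Added example, not code from the guide or from Compatible Systems.

Checks `set bridge spanning` timer values against the page's ranges and
relationships, and models the bridge's protocol filter decision."""

from dataclasses import dataclass, field

# Ranges (seconds) and defaults as stated in the bridge(set) section.
TIMER_RANGES = {"hello": (1, 10), "maxage": (6, 40), "fdelay": (4, 30)}
DEFAULT_TIMERS = {"hello": 2, "maxage": 20, "fdelay": 15}
# Protocol keywords accepted by `set bridge filter add` / `remove`.
PROTOCOLS = {"IP", "IPX", "ATP1", "ATP2", "DECNET"}


def check_spanning_timers(hello, maxage, fdelay):
    """Return a list of problems; an empty list means the bridge would
    accept the values.  The relationships checked are the page's:
        2 x (fdelay - 1 second) >= maxage
        maxage >= 2 x (hello + 1 second)
    """
    problems = []
    for name, value in (("hello", hello), ("maxage", maxage), ("fdelay", fdelay)):
        lo, hi = TIMER_RANGES[name]
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside {lo}..{hi}")
    if 2 * (fdelay - 1) < maxage:
        problems.append(f"2 x (fdelay - 1) = {2 * (fdelay - 1)} < maxage = {maxage}")
    if maxage < 2 * (hello + 1):
        problems.append(f"maxage = {maxage} < 2 x (hello + 1) = {2 * (hello + 1)}")
    return problems


@dataclass
class BridgeInterface:
    """Runtime bridging state of one interface (constructed model)."""
    name: str
    bridging: bool = True                          # set bridge on / off
    routed: set = field(default_factory=set)       # protocols routed on this port
    filter_mode: str = "deny"                      # set bridge filter permit | deny
    filter_list: set = field(default_factory=set)  # set bridge filter add / remove


def filter_allows(iface, protocol):
    """Explicit bridge protocol filter of one interface: in deny mode the
    listed protocols are blocked, in permit mode only listed protocols pass.
    The default (deny mode, empty list) lets everything through, matching
    the page's statement that any non-routed protocol is bridged by default."""
    listed = protocol in iface.filter_list
    return listed if iface.filter_mode == "permit" else not listed


def bridge_decision(protocol, rx, tx):
    """Decide what happens to a frame of `protocol` received on `rx` that
    would be bridged out `tx`.  Returns a short verdict string."""
    protocol = protocol.upper()
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol keyword {protocol!r}")
    if not (rx.bridging and tx.bridging):
        return "discarded: bridging is not enabled on both interfaces"
    # The routing decision takes precedence over explicit bridge filtering:
    # to bridge a protocol, routing for it must be off on both interfaces.
    for iface in (rx, tx):
        if protocol in iface.routed:
            return f"discarded: {protocol} is routed on {iface.name}"
    # Assumption: each interface's filter list is consulted for traffic both
    # into and out of that port ("to and/or from a port").
    for iface in (rx, tx):
        if not filter_allows(iface, protocol):
            return f"filtered: {protocol} by {iface.name} ({iface.filter_mode} list)"
    return "bridged"


if __name__ == "__main__":
    # Constructed scenario: IP is routed on Ethernet A, so it is never bridged;
    # IPX is explicitly denied on Ethernet A; Ethernet B permits only ATP2.
    eth_a = BridgeInterface("ethernet a", routed={"IP"}, filter_list={"IPX"})
    eth_b = BridgeInterface("ethernet b", filter_mode="permit", filter_list={"ATP2"})
    for proto in ("IP", "IPX", "ATP2", "DECNET"):
        print(proto, "->", bridge_decision(proto, eth_a, eth_b))
    print(check_spanning_timers(**DEFAULT_TIMERS))
    print(check_spanning_timers(hello=10, maxage=20, fdelay=15))
```

Running the check before issuing the commands on the root bridge avoids the situation the page warns about, where a timer change is rejected (or, worse, accepted on a non-root bridge and silently overridden by the root); the filter model makes explicit that adding a protocol to a deny list does nothing for a protocol that is already routed, because the bridge never sees it.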
All of these commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)).

To monitor the quality of a WAN link, echo packets are sent out at a specified interval and the responses are counted. The link will be dropped if the number of missed packets out of the total echo packets sent exceeds the specified parameters. The link can then be re-established with a (hopefully) better quality line, or, if a multilink is being used, data can be diverted away from the downed link. (See the [ Multilink PPP <Name> ] section for more information on multilinks.) Echo packets will not affect the inactivity timer of a dialup connection.

The set ppp quality echo commands are described below:

set ppp quality echo on
    This command enables link quality testing for the current interface.
set ppp quality echo off
    This command disables link quality testing for the current interface.
set ppp quality echo interval
    This command is used to set the frequency in seconds at which echo packets will be sent. This command also sets the amount of time in which an echo response must be received in order not to be counted as missed. The seconds value must be in the range of 1 to 255 seconds. The default is 1 second.
set ppp quality echo threshold
    This command is used to set the desired quality of the WAN link. The misses option sets the number of echo reply packets that must be missed out of the last total echo packets sent for the link to be dropped. The misses parameter can have a value of 1-32 and must be less than or equal to total. The default is 8. The total parameter can have a value of 1-32 and must be greater than or equal to misses. The default is 32.

EXAMPLES
The following commands will turn on runtime echo link quality testing for port WAN 0. Echo packets will be sent every 5 seconds.
If 3 out of the last 30 echo packets are missed, the link will be dropped:

    interface wan 0
    set ppp quality echo interval 5
    set ppp quality echo threshold 3 30
    set ppp quality echo on

SEE ALSO
[ PPP <Section ID> ], [ Multilink PPP <Name> ], interface(mgmt), ppp(show)

smds(set)

COMMAND NAME
set smds keepalive - Enable or disable SMDS keepalive.

SYNOPSIS
set smds keepalive off
set smds keepalive on [ <polling frequency> ]

DESCRIPTION
These runtime commands are used to enable or disable keepalive for SMDS. When the system is rebooted the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ SMDS <Section ID> ] section. These commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)).

When keepalive is enabled, the router periodically polls the SMDS switch. If the switch does not respond within 60 seconds the router will declare the SMDS link down and stop sending packets over it.

Use set smds keepalive on to enable keepalive on the interface where SMDS is activated. Use set smds keepalive off to shut keepalive off on the interface where SMDS is activated. Turning keepalive off will automatically declare the SMDS link up.

OPTIONS
polling frequency
    This option sets the interval to be used to poll the SMDS switch. The default value is 5 seconds. The allowed range is 0 to 30 seconds. Choosing a value of 0 seconds is equivalent to shutting keepalive off.

EXAMPLES
The following example will activate keepalive on interface WAN 0 and set the polling frequency to 10 seconds.

    interface wan 0
    set smds keepalive on 10

To turn keepalive off:

    interface wan 0
    set smds keepalive off

SEE ALSO
interface(mgmt), enable(mgmt), [ SMDS <Section ID> ], smds(show), save(mgmt)

system log(set)

COMMAND NAME
set system log - Set global system logging parameters.
SYNOPSIS
set system log off
set system log on
set system log level <log level>
set system log aux
set system log noaux
set system log remote <syslog IP addr> <local facility>
set system log noremote
set system log clear
set system log port [ enable | disable ] <port>

DESCRIPTION
The set system log commands set runtime logging parameters. When the system is rebooted the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ Logging ] section.

The system log facility is used to pass configuration, error, and debug information to the device administrator. Log messages can be saved in an internal buffer, sent to the AUX port, or sent to a UNIX-style syslog facility. Messages stored in the internal buffer can be viewed later by the show system log command (see system(show)) or from the Windows or Macintosh CompatiView managers. Logging can be configured to use one or more of the logging facilities.

The set system log commands are described below:

set system log off
    This command disables all logging in the device.
set system log on
    This command enables logging to the internal buffer. It also enables AUX port logging and syslog logging if they are configured on using the set system log aux and set system log remote commands, respectively.
set system log level
    This command determines the detail of messages logged. The level applies to all types of logging.
set system log aux
    This command enables logging to the AUX serial port. The default serial rate for the AUX port is 9600 baud. The global logging on/off setting takes precedence over this setting. <CTRL-Z> at the console will toggle this setting.
set system log noaux
    This command disables logging to the AUX serial port. This is the default. <CTRL-Z> at the console will toggle this setting.
set system log remote
    This command enables logging to a remote UNIX-style syslog daemon.
    See syslog(sys) on the remote host for details on configuring syslog. The global logging on/off setting takes precedence over this setting.
set system log noremote
    This command disables logging to a remote syslog daemon. This is the default.
set system log clear
    This command clears the internal log buffer.
set system log port
    This command specifies the ports for which log messages will be generated. This is used to limit the number of messages generated.

OPTIONS
log level
    The log facility has 7 levels of log detail:
    0/Emergency means that you will receive logging information only when the system is unusable. These log messages will help indicate the source of the problem.
    1/Alert reports only alert and emergency messages. An alert message requires immediate attention.
    2/Critical reports critical, alert and emergency messages. A critical condition requires immediate attention.
    3/Error reports exception cases pertaining to violations of protocols or other operational rules. Such violations may include illegal packets and improper command syntax.
    4/Warning reports problems which may need a response. Examples include network number conflicts and resource allocation problems. If Warning messages are repeated, they require a response.
    5/Notice reports information that may be useful on a day-to-day basis by an administrator but generally does not require any response. Examples include login/logout, serial line resets, and LAN-to-LAN connections. This setting is suitable for most conditions.
    6/Info reports routine information, such as WAN network connect and disconnect messages.
    7/Debug reports every action of the device and should not be used on a day-to-day basis since it generates a large number of log messages.
    Emergency is the least verbose level but contains the most important messages. Debug is the most verbose level. Debug level is useful for getting detailed information on dialing chat scripts and link activity.
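The following Python is an added example and not code from this guide or from Compatible Systems. It shows the collector-side view of the log level and set system log remote settings described here: which syslog PRI value a message arrives with for a given local facility and level, how to decode PRI back into facility and severity on the syslog host, and which of a set of constructed sample messages the router would have emitted at a given level. The severity numbers 0..7 and their names come from the page; the facility codes LOCAL0..LOCAL7 = 16..23 and the formula PRI = facility * 8 + severity are the BSD syslog convention (RFC 3164), which the page does not state, and the sample lines are constructed.

```python
"""Added example, not code from the guide or from Compatible Systems.

Maps `set system log level` and `set system log remote <ip> <local facility>`
onto syslog PRI values and filters sample messages by level."""

import re

# Severity names in the page's order: 0/Emergency ... 7/Debug.
LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notice", "info", "debug"]
DEFAULT_LEVEL = "notice"      # "The default level is Notice."
LOCAL_FACILITY_BASE = 16      # BSD syslog convention: local0 = 16 ... local7 = 23


def level_number(level):
    """Accept a level as a name ("debug") or a number (7), as the CLI does."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError(f"log level {level} is not in 0..7")
    name = str(level).lower()
    if name not in LEVELS:
        raise ValueError(f"unknown log level {level!r}")
    return LEVELS.index(name)


def syslog_pri(local_facility, level):
    """PRI of a message of `level` sent after `set system log remote <ip> <n>`."""
    if not 0 <= local_facility <= 7:
        raise ValueError(f"local facility {local_facility} is not in 0..7")
    return (LOCAL_FACILITY_BASE + local_facility) * 8 + level_number(level)


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility name, severity name) from a '<PRI>...' syslog line."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line does not start with a <PRI> field")
    facility, severity = divmod(int(m.group(1)), 8)
    if facility > 23:
        raise ValueError(f"facility code {facility} is out of range")
    name = (f"local{facility - LOCAL_FACILITY_BASE}"
            if facility >= LOCAL_FACILITY_BASE else f"facility{facility}")
    return name, LEVELS[severity]


def router_would_log(configured_level, message_level):
    """The router emits a message only if its severity number is <= the
    configured level: Emergency (0) is the least verbose, Debug (7) the most."""
    return level_number(message_level) <= level_number(configured_level)


def filter_at_level(lines, configured_level=DEFAULT_LEVEL):
    """Keep only the lines the router would have produced at that level."""
    return [ln for ln in lines
            if router_would_log(configured_level, decode_pri(ln)[1])]


# Constructed sample, as if sent after `set system log remote <host> 3`
# (LOCAL3, facility code 19, so PRI = 152 + severity).
SAMPLE_LINES = [
    "<155>router: WAN 0: PPP LCP: received illegal packet",   # 3/Error
    "<157>router: login from console",                        # 5/Notice
    "<158>router: WAN 0: connected",                          # 6/Info
    "<159>router: chat: sending dial string",                 # 7/Debug
]

if __name__ == "__main__":
    print(syslog_pri(3, "notice"))              # PRI the collector sees for a Notice
    print(decode_pri(SAMPLE_LINES[0]))          # ('local3', 'error')
    for ln in filter_at_level(SAMPLE_LINES):    # default level is Notice
        print(ln)
```

The practical use is on the syslog host: if messages from the router arrive under an unexpected facility, decode_pri shows which LOCALx they were tagged with, and filter_at_level makes clear that raising the level to Debug (7) is what causes the chat-script and link-activity lines to appear, while the default Notice (5) drops Info and Debug messages before they leave the router.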
    The default level is Notice.
syslog IP addr
    The IP address of the host running syslog. Enter it in the standard dotted decimal notation.
local facility
    A value between 0-7 which determines the syslog facility to which log messages are sent. The remote syslog daemon should be configured to accept messages sent to LOCALx, where x is equal to the value configured here.
[ enable | disable ]
    enable specifies that log messages will be generated for the port. disable stops the generation of log messages for the specified port.
port
    The port number.

EXAMPLES
The following commands will turn on runtime logging at level DEBUG (7). Log messages will go to the internal buffer and to the AUX port.

    set system log level debug
    set system log aux
    set system log on

To turn off logging in the saved config:

    set system log off

SEE ALSO
system(show), [ Logging ]

terminal(set)

COMMAND NAME
set terminal - Set command line terminal settings.

SYNOPSIS
set terminal width <columns>
set terminal height <rows>
set terminal more
set terminal nomore
set terminal enhanced
set terminal noenhanced
set terminal erase [ bs | del ]
set terminal print [ numbers | letters ]

DESCRIPTION
These commands are used to configure runtime terminal settings that define the way that the command parser interacts with the user. If more than one session is active at a given time, they can have different terminal settings. Typically, these commands only affect the current parser session. However, the default settings of the erase character, more processing, and enhanced mode can be configured and permanently remembered between sessions by being in supervisor mode when the command is issued (see enable(mgmt)). The status of the current terminal configuration can be displayed with the show version command (see version(show)).

The set terminal commands are described below.

set terminal width
    This command is used to set the terminal width.
    This variable is only used for informational purposes in this release of the command parser. The default is 80 columns, but it may also be set by the telnet client, if the client supports it.
set terminal height
    This command is used to set the terminal height. The command parser uses the height variable to determine screen sizes, especially in conjunction with the set terminal more option described below. The default is 24 rows, but it may also be set by the telnet client, if the client supports it.
set terminal more and set terminal nomore
    The command parser supports "more" processing of all displayed output. With set terminal more enabled, displayed output longer than the configured terminal height will be paused and a "--more--" prompt will be displayed. To display the next screen of data, enter a <SPACE>. To display only the next line of data, enter a <RETURN>. Any other input terminates the output and the next command prompt will be displayed. The set terminal nomore command disables this feature. The default is set terminal more.
set terminal enhanced and set terminal noenhanced
    The command parser supports an "enhanced" mode. With set terminal enhanced enabled, if the parser cannot decipher the input entered or an invalid option was entered for a command, the parser will redisplay the portion that was successfully parsed. The set terminal noenhanced command disables this feature. The default is set terminal enhanced.
set terminal erase
    This command sets the parser's erase character. Only <BACKSPACE> and <DELETE> are supported as erase characters. The default is <BACKSPACE>.
set terminal print
    This command tells the parser whether interfaces should be displayed with numbers or letters. The default is numbers.

OPTIONS
columns
    This option is used by the set terminal width command to enter the width of the screen in characters.
rows
    This option is used by the set terminal height command to enter the height of the screen in lines.
bs
    This option sets the erase character to <BACKSPACE>.
del
    This option sets the erase character to the <DELETE> key.
numbers
    This option sets the parser to display interfaces as numbers.
letters
    This option sets the parser to display interfaces as letters.

SEE ALSO
version(show), save(mgmt), enable(mgmt), [ Command Line ]

wan connect(set)

COMMAND NAME
set wan connect - Set runtime Wide Area Network (WAN) connection parameters.

SYNOPSIS
set wan connect mode dedicated [ <connect script> ]
set wan connect mode alwaysup <connect script> [ Incoming_allowed ]
set wan connect mode dialup [ in | out | both ] <connect script>

DESCRIPTION
The set wan connect mode commands are used to configure runtime connection characteristics for the current WAN interface. When the system is rebooted, the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ Link Config <Section ID> ] section. These commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)).

Note: The default for RS-232 interfaces is dialup. The default for V.35 interfaces is dedicated.

set wan connect mode dedicated
    This command is used for links that are available regardless of traffic activity and do not need dialing commands.
set wan connect mode alwaysup
    This command should be used for links which require dialing commands to be issued. An alwaysup link will stay up regardless of the activity on the link. If the link drops for any reason, it will be brought back up immediately. An alwaysup link requires that your communications device (modem, CSU/DSU, TA, etc.) be set to raise the DCD (Data Carrier Detect) line when a connection is established, and drop it when the connection is terminated.
set wan connect mode dialup
    This command should be used for links which require dialing commands to be issued.
    A dialup link will be brought up and down based upon the activity on the link. A dialup link requires that your communications device (modem, CSU/DSU, TA, etc.) be set to raise the DCD (Data Carrier Detect) line when a connection is established, and drop it when the connection is terminated.

For interfaces set to dialup, there are certain maintenance packets for each protocol (IP, IPX, etc.) which will not cause an inactive link to be dialed. This is a security measure that keeps intruders out and allows on-demand links to be useful.

OPTIONS
connect script
    This is the name of the chat script used for outgoing connections.
Incoming_allowed
    This option enables answering of incoming calls.
in | out | both
    These options set how the device will handle an on-demand link. The in option allows the device to accept incoming on-demand PPP connections from other routers or end-node clients. The out option specifies that incoming packets from another interface on this device will initiate a dialing sequence if the link is not already connected. If the link is already connected, then the packets will simply be forwarded. The both option allows the device to perform both functions.

EXAMPLES
Set WAN 0's runtime configuration to a dialup in/out connection using connect script "dial out":

    interface wan 0
    set wan connect mode dialup both "dial out"

SEE ALSO
wan(show), interface(mgmt), [ Link Config <Section ID> ], [ Chat <Name> ]

wan csu(set)

COMMAND NAME
set wan csu - Set internal CSU parameters.

SYNOPSIS
set wan csu loopback dte [ local | framer | off ]
set wan csu loopback local [ line | payload | off ]
set wan csu loopback remote [ line | v54 | off ]
set wan csu loopback accept [ line | v54 | all | none ]

DESCRIPTION
The set wan csu loopback commands are used to configure runtime parameters for the CSU on the current WAN interface. When the system is rebooted, the parameters will revert to the last saved values.
To make permanent changes to the configuration, use the [ T1 Interface <Section ID> ] section. These commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)).

set wan csu loopback dte
    This command configures the device to perform DTE (Data Terminal Equipment) loopback, which is a diagnostic test of the internal CSU/DSU and the local DTE. DTE loopback will loop data between the device's serial driver and its internal CSU/DSU.
    local | framer | off
        The framer option tests the device's DTE by looping data out the device's serial driver back into the serial receiver at the input to the internal DSU. The local option tests the entire CSU/DSU by looping data out the device's serial driver back into the serial receiver through the internal CSU/DSU. The off option disables DTE loopback. The default value is off.
set wan csu loopback local
    This command configures the device to perform local loopback, which is a diagnostic line test that forces the device's CSU to loop data received from the network back out to the network.
    line | payload | off
        During line loopback, all data, including framing and overhead bits, is immediately looped once it is received off the T1 line. During payload loopback, data is stripped of framing and overhead bits and passed through all the CSU's circuitry before it is looped back. The off option disables local loopback. The default value is off.
set wan csu loopback remote
    This command enables you to put the far end T1 terminal into loopup. It manipulates the CSU on the remote end of your connection by sending out a specific bit pattern which is recognized by the remote CSU. Compatible Systems devices support two different loopup sequences. You may need to check the far end unit to see which sequences are supported and enabled.
    line | v54 | off
        The line option initiates the transmission of the inband loopup code specified by AT&T 64211. (This is only done in conjunction with the phone company.) The v54 option activates the transmission of a V.54 loopup pattern. The off option disables remote loopback. The default value is off.
set wan csu loopback accept
    This command directs your local device to recognize a loopup code sent by a remote device.
    line | v54 | all | none
        The line option directs the device to recognize the inband loopup code specified by AT&T 64211. (This is only done in conjunction with the phone company.) The v54 option directs the device to recognize the V.54 loopup pattern. The all option directs the device to recognize both loopup patterns. If the none option is selected, the device will not recognize any loopback code sent by a remote device. The default is all.

SEE ALSO
wan(show), interface(mgmt), [ T1 Interface <Section ID> ]

wan ds3(set)

COMMAND NAME
set wan ds3 - Set internal CSU parameters.

SYNOPSIS
set wan ds3 loopback dte on
set wan ds3 loopback dte off
set wan ds3 loopback local on
set wan ds3 loopback local off
set wan ds3 loopback remote on
set wan ds3 loopback remote off

DESCRIPTION
The set wan ds3 loopback commands are used to configure runtime parameters for the CSU on the current DS3 WAN interface. When the system is rebooted, the parameters will revert to the last saved values. These commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)).

set wan ds3 loopback dte on
    This command configures the device to perform DTE (Data Terminal Equipment) loopback, which is a diagnostic test of the internal CSU/DSU and the local DTE. A more thorough test can be performed by connecting the transmit and receive connectors with a single DS3 cable.
set wan ds3 loopback dte off
    This command disables DTE loopback.
set wan ds3 loopback local on
    This command configures the device to perform local loopback, which is a diagnostic line test that forces the device's CSU to loop data received from the network back out to the network.
set wan ds3 loopback local off
    This command disables local loopback.
set wan ds3 loopback remote on
    This command enables you to put the far end DS3 terminal into loopup. It manipulates the CSU on the remote end of your connection by sending out a specific bit pattern which is recognized by the remote CSU.
set wan ds3 loopback remote off
    This command disables remote loopback. The default value is off.

SEE ALSO
wan(show), interface(mgmt), [ DS3 Interface <Section ID> ]

wan hssi(set)

COMMAND NAME
set wan hssi - Set HSSI interface parameters.

SYNOPSIS
set wan hssi loopback localdte
set wan hssi loopback localline
set wan hssi loopback remote
set wan hssi loopback off
set wan hssi clock [ external | internal ]

DESCRIPTION
The set wan hssi loopback commands are used to send commands to the DCE (usually a CSU/DSU) on the current HSSI interface. These commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)).

set wan hssi loopback localdte
    This command issues a command over the HSSI interface instructing the DCE to loop back data from the DTE back to the DTE. This command is useful for testing the integrity of the HSSI line. Many CSU/DSU manufacturers will also refer to this as a Channel-side loopback. While the CSU/DSU is in this mode, a network administrator can verify that the connection between the local interface and the CSU/DSU is working properly by configuring the connection for PPP (see the [ PPP <Section ID> ] section) and seeing if the WAN port goes into "magic loopback."
In most cases, magic loopback can be verified by performing a show statistics hssi command and then checking if the counters for input and output packets rise without any errors accumulating.

set wan hssi loopback localline
This command issues a command over the HSSI interface instructing the DCE to loop back data from the network port (usually a DS3 interface) back out the network port. This command is useful for testing the line from the local CSU/DSU to the remote device. Many CSU/DSU manufacturers will also refer to this as a Line-side loopback. While the CSU/DSU is in this mode, a network administrator can verify that the connection between the local CSU/DSU and the remote device is working properly by configuring the connection for PPP (see the [ PPP <Section ID> ] section) and seeing if the WAN port on the remote device goes into "magic loopback." Magic loopback can be verified using the instructions in the set wan hssi loopback localdte command.

set wan hssi loopback remote
This command is very similar to the set wan hssi loopback localline command except that it's the remote CSU/DSU which will be put into a line-side loopback. Also, the result of the command will be that the local interface that you performed this function on will go into "magic loopback" if the network port is configured for PPP (see the [ PPP <Section ID> ] section). This command is useful for testing the line from the local device through to the remote CSU/DSU. Magic loopback can be verified using the instructions in the set wan hssi loopback localdte command.

set wan csu loopback remote off
This command disables all loopback commands.

set wan hssi clock
The set wan hssi clock command sets whether the interface will use its own internal clock or obtain the clock from the DCE. This is a runtime parameter, which means that when the system is rebooted, the configuration will revert to the last saved values. The internal option specifies that an internal 33 Mb clock is used.
Internal clocking should only be used when testing between two back-to-back HSSI ports connected via a NULL-modem cable. The external option specifies that the clock provided by the DCE is used. Always use external clocking when attached to a CSU/DSU. The default is external.

SEE ALSO
wan(show), interface(mgmt), [ PPP <Section ID> ], [ HSSI Interface <Section ID> ]

all(show)

COMMAND NAME
show all - Show summary of router parameters, variables and statistics.

SYNOPSIS
show all [ Verbose ]

DESCRIPTION
The show all command displays most of the system configuration and status. The information displayed by this command is displayed by other show commands. Please refer to the referenced commands for specific information about the displayed information. The information displayed varies with the hardware platform and the software configuration. The following is a list of the information displayed:

General Information
This section displays general system configuration information. The same information is displayed with the show version verbose command.

IP Configuration
This section displays the IP routing configuration. The same information is displayed with the show ip config command.

IPX Configuration
This section displays the IPX routing configuration. The same information is displayed with the show ipx config command.

AppleTalk Configuration
This section displays the AppleTalk routing and tunnel configurations. The same information is displayed with the show appletalk config and show appletalk tunnels commands.

DECnet Configuration
This section displays the DECnet routing configuration. The same information is displayed with the show decnet config command.

WAN/PPP Configuration
This section displays the WAN port and PPP protocol configuration. The same information is displayed with the show wan serial config, show wan connect config, and show ppp lcp commands.

STEP Configuration
This section displays the STEP configuration.
The same information is displayed with the show step config command.

Bridge/Spanning Tree Configuration
This section displays the bridge and Spanning Tree protocol configuration. The same information is displayed with the show bridge config and show bridge spigots commands.

Runtime Status
This section displays the runtime status of the various system interfaces. The same information is displayed with the show os netif command.

OPTIONS
Verbose
This option causes the command to display even more information.

SEE ALSO
version(show), ip(show), ipx(show), appletalk(show), decnet(show), wan(show), ppp(show), vpn(show), bridge(show), os(show)

appletalk(show)

COMMAND NAME
show appletalk - Show AppleTalk configuration parameters.

SYNOPSIS
show appletalk config [ Ethernet | Localtalk | WAN | VPN ] [ <port> ] [ Status ]
show appletalk runtime [ Ethernet | Localtalk | WAN | VPN ] [ <port> ]
show appletalk zones
show appletalk filters [ Ethernet | Localtalk | VPN ] [ <port> ]
show appletalk tunnels [ Ip | Filters ]
show appletalk routing [ Verbose ]
show appletalk nbp
show appletalk cache
show appletalk statistics

DESCRIPTION
The show appletalk commands display configured and runtime AppleTalk parameters.

show appletalk config
The show appletalk config command will display the AppleTalk configuration parameters for all of the interfaces. For more information about how to set the parameters see the [ AppleTalk <Section ID> ] section.
Port     Phase  Seed            Netnum               Node  Zone Name
Ether0   1      ** Disabled **
Ether0   2      On              35000 - 35030        n/a   Hardware
Ether1   1      ** Disabled **
Ether1   2      On              2300 - 2400          186   Swizzle Net
Ether2   1      ** Disabled **
Ether2   2      On              45000 - 45030        n/a   Printer-Engineering
Ether3   1      ** Disabled **
Ether3   2      ** Disabled **
Bridge   1      ** Disabled **
Bridge   2      ** Disabled **
Wan 0           Unnumbered      Remote Address: 0:0  <Trigger>

NBP Filters:
Port     Phase  Stay in zone?   Lookups In  Lookups Out  Tilde Devices  LaserWriters
Ether0   1      ** Disabled **
Ether0   2      Off             Off         Off          Off            Off
Ether1   1      ** Disabled **
Ether1   2      Off             Off         Off          Off            Off
Ether2   1      ** Disabled **
Ether2   2      Off             Off         Off          Off            Off
Ether3   1      ** Disabled **
Ether3   2      ** Disabled **
Bridge   1      ** Disabled **
Bridge   2      ** Disabled **
Wan 0           Off             Off         Off          Off            Off

Appletalk Zone List: Software Hardware Engineering Swizzle Net Red-Net Printer-Engineering

The information shown is:

Port
This identifies the AppleTalk interface. Ethernet interfaces can have three virtual AppleTalk networks associated with them.

Phase
This identifies the type of AppleTalk network. On Ethernet, this identifies the virtual AppleTalk networks on the physical wire.

Seed
This displays the seed status of the AppleTalk interface. Possible seed identifiers are Seed, Auto or Non [seed]. If the interface is off, ** Disabled ** is displayed. On a WAN interface, the possible seed identifier can be Unnumbered.

Netnum
This is the network number configured when the interface is configured as a seed port.

Node
This is the AppleTalk node number configured as the initial guess for the router when doing the AppleTalk address probing at startup. This value isn't necessarily the same as the value being used by the router after doing the address probing at startup.

Zone Name
This is the zone name configured when the interface is configured as a seed port.

WAN Ports
On WAN interfaces, additional information shows the Remote Node Address as (net:node) and the RTMP update method, (Trigger or Periodic).
Filters
The filter configuration shows all NBP filters that have been configured into the router.

Appletalk Zone List
This shows the AppleTalk zone list configured for any seeded Ethernet Phase 2 interfaces on the router. The default zone is shown in the main section of the display. This shows only extra zones entered with the Zone keyword in the [ AppleTalk <Section ID> ] section.

ANSP Backward compatibility:
This shows whether ANSP compatibility mode is enabled or disabled.

show appletalk runtime
This command shows the AppleTalk parameters that are currently running in the router. The format of this information is the same as that shown above for the show appletalk config command, except that this information may be different than the configured information due to the dynamic nature of AppleTalk routing. The information will reflect the runtime status of the AppleTalk networks that are connected to the router.

show appletalk zones
This shows the AppleTalk zone list configured for any seeded Ethernet Phase 2 interfaces on the router. See the [ AppleTalk <Section ID> ] section for an explanation of adding zone names to a zone list.

show appletalk filters
For all AppleTalk interfaces, this shows the NBP filters that are configured in the router. See the [ AppleTalk <Section ID> ] section for an explanation of adding NBP filters to an AppleTalk interface of the router.

NBP Filters:
Port     Phase  Stay in zone?   Lookups In  Lookups Out  Tilde Devices  LaserWriters
Ether0   1      ** Disabled **
Ether0   2      Off             On          Off          Off            Off
Ether1   1      Off             Off         Off          Off            Off
Ether1   2      Off             Off         Off          Off            Off
Ether2   1      ** Disabled **
Ether2   2      ** Disabled **
Ether3   1      ** Disabled **
Ether3   2      ** Disabled **
Bridge   1      ** Disabled **
Bridge   2      ** Disabled **

AppleTalk Packet Filters:
Apple VPN0 (1)
1: permit network = 200    Matches: 122015
2: permit network = 210    Matches: 121954
3: permit network = 220    Matches: 121954
4: permit network = 230    Matches: 0
5: permit network = 666    Matches: 122013

show appletalk tunnels
This command shows the AppleTalk-in-IP tunneling parameters. See the [ AppleTalk Tunnels ] section for an explanation of configuring AppleTalk tunnels. The following is output from the show appletalk tunnels command.

Tunnel Partners: 198.41.11.106
No filtered nets entered, all nets are recognized

show appletalk routing
This command shows the current AppleTalk routing table. The directly connected AppleTalk networks are shown first, followed by the dynamic routes discovered via the RTMP protocol. An AppleTalk routing table is shown below.

Directly connected routes:
Network          Gateway    Port       Hop  Age  Flgs  Zone Name
3456             3456:34    Wan 0      0    0    0d00  Invisible Zone
55400 - 55400    55400:63   Eth 0 P2   0    0    0f00  Eng.Lab Phase 2

Dynamic routes discovered via RTMP:
Network          Gateway    Port       Hop  Age  Flgs  Zone Name
1 - 1            55400:21   Eth 0 P2   3    0    0f00  P2Ether1 A5BEEF55
2 - 2            55400:21   Eth 0 P2   3    0    0f00  P2Ether2 A5BEEF56
3 - 3            55400:21   Eth 0 P2   3    0    0f00  P2Ether3 A5BEEF57
5                55400:21   Eth 0 P2   3    0    0d00  Main Ethernet
6                55400:21   Eth 0 P2   3    0    0d00  Backbone Phase1
8 - 8            55400:21   Eth 0 P2   4    0    0f00  Kahunet
    Zones: Kahunet-too
10 - 30          55400:21   Eth 0 P2   3    0    0f00  Main Phase2-1 Server Zone
    Zones: Main Phase2-2
50               55400:21   Eth 0 P2   3    0    0d00  Net Modem
100              55400:21   Eth 0 P2   3    0    0d00  Main LocalTalk
200 - 200        55400:21   Eth 0 P2   4    0    0f00  DemoNet Zone
210              55400:21   Eth 0 P2   5    0    0d00  DemoNet Zone
220              55400:21   Eth 0 P2   5    0    0d00  DemoNet Zone
275              55400:21   Eth 0 P2   4    0    0d00  demo-dialinremote-zone

The routing table is shown in two sections.
The first is the network information for the directly connected networks. The second section shows the dynamic routes obtained through RTMP packets on the directly connected networks. The information shown in the routing table is explained below.

Network
This is the network number of the AppleTalk route. For extended networks, the lower and upper numbers of the range are shown.

Gateway
This is the AppleTalk address (net:node) of the router responsible for the network. Packets bound to that network are sent to the router at that address to be forwarded. For the entries shown in the direct-connect section, this is the AppleTalk address of the router.

Port
This is the interface through which the route was received and identifies the interface where the gateway is located.

Hop
This is the number of hops to the network. It represents the number of routers that a packet will traverse until it reaches the network. The hop count cannot be greater than 16 on an AppleTalk internet.

Age
This is the age of the route in terms of AppleTalk aging parameters. A value of 1 represents a "suspect" state, meaning that the gateway router hasn't broadcasted information about the route within the last 10 seconds. Since this router's aging timer and the peer router's RTMP timers (every 10 seconds) are not in sync, it is common to see the age of a route set to 1. A value of 2 or 3 represents 20 and 40 seconds after the route has become "suspect." When the age becomes 3, the route is deleted.

Flgs
These are internal flags used by the router to maintain the routing tuple.

Zone Name
These are the zone names associated with the route. If the route is non-extended, this is the only zone name shown. If the route is extended, this is the default zone name, and if there are more zones, they are shown in groups of three on subsequent lines below the tuple.

show appletalk nbp
This command shows the NBP registration table currently running in the router.
The information includes the name, type, zone and socket number the service is registered on.

show appletalk cache
This command shows the AppleTalk fast-routing cache available in Compatible's Ethernet-to-Ethernet routers. This fast-routing cache enables this class of router to route at full Ethernet wire speed.

show appletalk statistics
This command shows AppleTalk DDP statistics for packets destined for the router or forwarded by the router. Currently, this command is disabled for the MicroRouter 1000R.

OPTIONS
Ethernet | Localtalk | WAN | VPN
This option allows selective display of information about a specific type of interface. When a type is specified, all the interfaces of that type are shown in the command's output.

port
This option allows selective display of information about a specific interface (i.e., Ethernet 0, WAN 0, etc.).

Status
This option specifies that the AppleTalk runtime information be shown. It is the same output as that shown for the show appletalk runtime command.

IP | Filters
These options allow selective display of AppleTalk-in-IP tunneling parameters. IP specifies that the IP numbers of the tunneling partners be shown. Filters specifies that the filtered AppleTalk network numbers be shown.

Verbose
This shows detailed information about the AppleTalk routing table. This includes more information about the status of the zones, interpretation of the routing flags and internal routing table information.

SEE ALSO
appletalk(reset), [ AppleTalk <Section ID> ], [ AppleTalk Tunnels ]

arp(show)

COMMAND NAME
show arp - Show Address Resolution Protocol (ARP) cache.

SYNOPSIS
show arp

DESCRIPTION
This command shows the contents of a router's Address Resolution Protocol cache. This cache holds the mapping between a high-level protocol address and the physical address.
The physical address may be either an IEEE Ethernet address, SMDS station address or a Frame Relay DLCI which can be converted into a Frame Relay Q.922 hardware address. ARP entries are added to the cache either dynamically through the use of ARP on an Ethernet LAN, SMDS Wan or IARP (Inverse ARP) on Frame Relay. They also may be added statically with the add arp command. The following is output from the show arp command:

B#   Protocol  Address      Age  Hardware Addr      Type   Interface
0    IP        198.41.9.1   0    aa:00:04:00:0d:04  Dynam  Ethernet A
13   IP        198.41.8.1   0    c303.444.9531      Dynam  Wan0
14   IP        198.41.9.12  0    00:00:a5:2f:20:00  Dynam  Ethernet A
15   IP        198.41.9.30  0    08:00:20:08:cc:0d  Dynam  Ethernet A

The information shown is:

B#
This is the hash bucket number of the cache entry. Hashing is used to index the cache to allow fast searching for an entry.

Protocol
This identifies the high-level protocol address in the entry. The possible protocols represented in the cache are IP, AppleTalk and IPX (only on Frame Relay).

Address
This is the high-level protocol address. IP addresses are shown in dotted-decimal notation. AppleTalk addresses are shown as net:node. IPX addresses, only on Frame Relay interfaces, are also shown as net:node.

Age
This is the age of the ARP entry in minutes. After 20 minutes the entry is timed out and deleted. Entries added statically or through IARP on Frame Relay aren't aged and will always have an age of zero.

Hardware Addr
This is the physical address that the high-level address resolves to. If the entry is an IEEE Ethernet hardware address, it is shown with six octets separated by colons. If the entry is an SMDS station address, it is shown with 8 octets separated by dots. If the physical address is from a Frame Relay interface, it will be displayed as a DLCI address. The hardware address will sometimes report "incomplete" if there is a misconfiguration of the physical address or of the hardware itself. These age out after two minutes.
Interface
This is the router's interface through which the hardware address can be reached.

SEE ALSO
ip arp(add), arp(reset)

bgp(show)

COMMAND NAME
show bgp - Show BGP (Border Gateway Protocol) configuration, statistics and databases.

SYNOPSIS
show bgp rtcount
show bgp routes [ IP address ]
show bgp peers
show bgp timers
show bgp mem
show bgp config
show bgp stats
show bgp networks
show bgp aggregates

DESCRIPTION
The show bgp commands display extensive information about the BGP database, configuration, and dynamic memory usage.

show bgp rtcount
The show bgp rtcount command displays a summary of the number of routes in the BGP Routing database. This command can be useful if there is a very large number of routes and you want to know how many without printing them all out.

BGP Routing Database Entries    In Use   Added   Removed
In IP routing table:            51548    78694   27146
BGP route heads:                51548    78702   27154
IP Routing Table Entries:       51561

show bgp routes
The show bgp routes command displays the best route in the BGP routing database for each destination. The BGP routing database may contain routes that are not in the router's IP routing table; a BGP route will not be present in the IP routing table if the router did not have an entry for the next hop on that route. The IP address option can be used to limit the output to a single route.
BGP Best Routes List
     Network/Mask   Bits  Pref  Weight  Next Hop        AS Path
 1   128.128.0.0    /16   100   100     199.45.133.101  3404 1 1
 2   129.129.0.0    /16   100   100     199.45.133.101  3404 1 1239 1673 1133 559
 3   130.130.0.0    /16   100   100     199.45.133.101  3404 1 1 5727 7474 7570
 4   131.131.0.0    /16   100   100     199.45.133.101  3404 1 1 1236
 5   134.134.0.0    /16   100   100     199.45.133.101  3404 1 1239 1760 4983
 6   135.135.0.0    /16   100   100     199.45.133.101  3404 3561 3561 4293
 7   139.139.0.0    /16   100   100     199.45.133.101  3404 1 1239 568 1913 1569
 8   140.140.0.0    /16   100   100     199.45.133.101  3404 1 1239 7170 374
 9   141.141.0.0    /16   100   100     199.45.133.101  3404 1 1239 3739 3739 3739
10   142.142.0.0    /16   100   100     199.45.133.101  3404 3561 3561 577 549 808
11   147.147.0.0    /16   100   100     199.45.133.101  3404 3561 3561 5400 2856
12   149.149.0.0    /16   100   100     199.45.133.101  3404 1 1 3749
13   150.150.0.0    /16   100   100     199.45.133.101  3404 3561 3561 3786 6068
14   151.151.0.0    /16   100   100     199.45.133.101  3404 1 1239 174
15   152.152.0.0    /16   100   100     199.45.133.101  3404 1 1 286 1891
16   155.155.0.0    /16   100   100     199.45.133.101  3404 1 701 702 8413 1913 1564
17   158.158.0.0    /16   100   100     199.45.133.101  3404 3561 3561
18   161.161.0.0    /16   100   100     199.45.133.101  3404 1 1239 174
19   164.164.0.0    /16   100   100     199.45.133.101  3404 1 701 7633
20   165.165.0.0    /16   100   100     199.45.133.101  3404 1 701 5713

Network/Mask Bits
This is the Classless Interdomain Routing (CIDR) notation of the BGP routes.

Pref
This is the local preference of the route. The higher the local preference, the more preferred the route.

Weight
This is the weight of the route. The higher the weight, the more preferred the route.

Next Hop
This is the next hop on the route.

AS Path
The complete AS path is shown, with the source AS being the one farthest to the right. Each AS which passes the route on will prepend its own AS to the AS path attribute.

show bgp peers
The show bgp peers command displays information about the configured BGP peers of this router.
==========================================================================
                              BGP PEER STATUS
--------------------------------------------------------------------------
Int  AS       Router       IP            TCP     Enable  BGP
Ext  Number   ID           Address       Socket  Status  State
--------------------------------------------------------------------------
Ext  23456    0.0.0.0      198.14.13.18  0       Off     IDLE
Ext  34567    198.41.11.6  198.14.12.6   82      On      ESTABL.
Int  11129    0.0.0.0      198.41.11.17  0       Off     IDLE
Int  11129    0.0.0.0      198.41.11.2   0       On      ACTIVE
==========================================================================

Int/Ext
This indicates whether this is an internal or external peer. An internal peer has the same AS number as the router itself.

AS Number
This is the number of the AS to which the peer belongs.

Router ID
This is the router ID, which is the largest IP interface address associated with the peer router. The router ID is not known until the peer contacts the router, so if the BGP State is IDLE, ACTIVE, or CONNECT, this parameter might be 0.

IP Address
This is the IP address of the peer.

TCP Socket
This is the socket number the router has internally assigned to the connection.

Enable Status
This indicates whether the router will currently accept a connection request from this peer. The peer can be brought up as enabled by setting the peer to On in the BGP Peer List section. Also, the peer can be dynamically enabled or disabled using the bgpenable or bgpdisable commands (see bgpenable(mgmt)). When the Enable Status is Off, the BGP State is always IDLE.

BGP State
This is the connect state of the peer. ESTABLISHED indicates that a BGP session is currently active with this peer. In the IDLE state, the router will not accept connections from the peer. This state is entered briefly after a connection has timed out, to prevent too-rapid up-and-down transitions of peers. In the ACTIVE state, the router is listening on its server port for connection requests from the peer.
In the CONNECT state, the router has sent out an active TCP connection request to the peer. In the OPENSENT and OPENCONFIRM states, the two peers are exchanging preliminary packets in order to establish their BGP session. If the exchanges are successful, the peers will enter the ESTABLISHED state. The peers must continue to exchange periodic keepalive packets to remain in the established state, unless the negotiated hold time is 0.

show bgp networks
The show bgp networks command displays the list of internal networks to be advertised to external BGP peers.

BGP NETWORKS:
Address        Mask
198.41.11.0    255.255.255.0
209.14.128.0   255.255.255.0

show bgp stats
The show bgp stats command displays statistics about packet types received from and sent to BGP peers, and the current uptime of the peer.

                     Received  Sent
Open messages:       8         58
Keepalive messages:  4069      4124
Notify messages:     0         0

BGP External Peer 198.41.11.6 state ESTABLISHED
6 peer sessions, current uptime 2 days 16 hrs 40 mins 19 secs
0 updates received
78791 updates sent, last at 6 secs

BGP Internal Peer 198.41.9.2 state ESTABLISHED
1 peer sessions, current uptime 2 days 20 hrs 42 mins 28 secs
88791 updates received, last at 7 secs
0 updates sent

show bgp timers
The show bgp timers command displays the current time in seconds left on each timer associated with each peer.

====================================================================
                            BGP TIMERS
--------------------------------------------------------------------
Peer Address   Status    State        Timers
--------------------------------------------------------------------
198.41.9.2     Enabled   ESTABLISHED  Send KEEPALIVE pkt: 2 secs
                                      HOLD timer expires: 121 secs
198.14.13.2    Enabled   ACTIVE       Next CONNECT attempt: 16 secs
199.13.12.3    Enabled   IDLE         AUTO ENABLE: 112 secs
198.41.9.3     Disabled  IDLE         No timers active
====================================================================

Peer Address
This is the IP address of the peer.
Status
This indicates whether the router will currently accept a connection request from this peer. When the Status is Disabled, the State is always IDLE.

State
This is the connect state of the peer. If the peer is in ESTABLISHED state, the KEEPALIVE timer and the HOLD timer are displayed. If the peer is in ACTIVE state, the CONNECT timer is displayed. If the peer is in IDLE state but enabled, the AUTO ENABLE timer will be displayed. If the peer is IDLE and disabled, no timers are active until the bgpenable command is issued (see bgpenable(mgmt)).

Timers
The KEEPALIVE timer indicates how many seconds until the router will send another keepalive packet to the peer.

The HOLD timer indicates how many seconds until the HOLD timer for the peer will expire. The HOLD timer is set every time the router receives either an update or a keepalive packet from the peer. If the HOLD timer expires, the router will declare the peer down, transition the peer to IDLE state, and set the AUTO ENABLE timer.

The CONNECT and AUTO ENABLE timers both indicate how many seconds remain until the router will once again try to contact the peer. The CONNECT timer is used when the peer is in ACTIVE state; in this state, the router will accept an incoming connection request from the peer before the CONNECT time expires. The AUTO ENABLE timer is used when the peer is in IDLE state; in this state, the router will not accept a connection request from the peer until the AUTO ENABLE time has expired. When the AUTO ENABLE time expires, the peer will transition back into the ACTIVE state. The purpose of the AUTO ENABLE timer is to prevent peer sessions from going up and down at too fast a rate. Once a peer session has been interrupted for some reason, the peer is held down for a short period before a new session will be allowed.

show bgp mem
The show bgp mem command displays detailed dynamic memory usage information for BGP.
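The peer states and timers described above under show bgp peers and show bgp timers, as an added example that is not Compatible Systems code: a Python model of one peer's KEEPALIVE, HOLD, CONNECT and AUTO ENABLE timers and the state transitions the text gives, with render() producing a row in the show bgp timers format. The keepalive interval, the AUTO ENABLE hold-down length and the absence of any displayed timer in the CONNECT state are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict

# Labels the show bgp timers display uses for each timer.
TIMER_LABELS = {
    "KEEPALIVE": "Send KEEPALIVE pkt",
    "HOLD": "HOLD timer expires",
    "CONNECT": "Next CONNECT attempt",
    "AUTO ENABLE": "AUTO ENABLE",
}


@dataclass
class BgpPeer:
    """One BGP peer with the timers the manual lists for each state."""
    address: str
    enabled: bool = True
    state: str = "ACTIVE"          # IDLE, ACTIVE, CONNECT, OPENSENT, OPENCONFIRM, ESTABLISHED
    hold_time: int = 180           # negotiated hold time; 0 means the session never times out
    keepalive_interval: int = 60   # assumed: seconds between keepalives this router sends
    connect_retry: int = 45        # "Retry Time" as shown by show bgp config
    auto_enable_delay: int = 120   # assumed: hold-down after a session is lost
    timers: Dict[str, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self._arm_timers()

    def _arm_timers(self) -> None:
        """Arm exactly the timers the page lists for the current state."""
        self.timers = {}
        if not self.enabled:
            return                                   # disabled peer: "No timers active"
        if self.state == "ESTABLISHED":
            self.timers["KEEPALIVE"] = self.keepalive_interval
            if self.hold_time:                       # hold time 0: no HOLD timer at all
                self.timers["HOLD"] = self.hold_time
        elif self.state == "ACTIVE":
            self.timers["CONNECT"] = self.connect_retry
        elif self.state == "IDLE":
            self.timers["AUTO ENABLE"] = self.auto_enable_delay
        # CONNECT / OPENSENT / OPENCONFIRM: no timer modelled (assumption)

    # -- events -------------------------------------------------------------
    def session_established(self) -> None:
        """OPEN exchange succeeded: the peer is now ESTABLISHED."""
        self.state = "ESTABLISHED"
        self._arm_timers()

    def packet_received(self) -> None:
        """An UPDATE or KEEPALIVE from the peer resets the HOLD timer."""
        if self.state == "ESTABLISHED" and self.hold_time:
            self.timers["HOLD"] = self.hold_time

    def bgpdisable(self) -> None:
        self.enabled = False
        self.state = "IDLE"
        self._arm_timers()

    def bgpenable(self) -> None:
        self.enabled = True
        self.state = "ACTIVE"
        self._arm_timers()

    # -- clock --------------------------------------------------------------
    def tick(self, seconds: int = 1) -> None:
        """Advance the clock one second at a time, firing timers that reach 0."""
        for _ in range(seconds):
            expired = [name for name, left in self.timers.items() if left <= 1]
            for name in self.timers:
                self.timers[name] -= 1
            for name in expired:
                self._expire(name)

    def _expire(self, name: str) -> None:
        if name == "KEEPALIVE" and self.state == "ESTABLISHED":
            self.timers["KEEPALIVE"] = self.keepalive_interval   # keepalive sent, re-arm
        elif name == "HOLD":
            self.state = "IDLE"        # peer declared down; AUTO ENABLE hold-down starts
            self._arm_timers()
        elif name == "CONNECT":
            self.state = "CONNECT"     # router sends its own TCP connection request
            self._arm_timers()
        elif name == "AUTO ENABLE":
            self.state = "ACTIVE"      # hold-down over: listen for the peer again
            self._arm_timers()

    def render(self) -> str:
        """One row in the format of the show bgp timers display."""
        timers = "  ".join(f"{TIMER_LABELS[n]}: {v} secs" for n, v in self.timers.items())
        status = "Enabled" if self.enabled else "Disabled"
        return f"{self.address} {status} {self.state} {timers or 'No timers active'}"
```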
ROUTING DATABASE DYNAMIC MEMORY USAGE
------------------------------------------------------------
Memory Block           Allocs    Deallocs   Size (bytes)
------------------------------------------------------------
ip radix nodes                              1976180
ip routing entries                          4332132
bgp ip routes          78709     27149
bgp routes             78717     27157      2062400
bgp int change         0         0          0
bgp aggregates         0         0          0
bgp agg paths          0         0          0
bgp timers             12        0          384
------------------------------------------------------------
Peer 198.41.9.2
bgp path entries       78728     27168      1443680
bgp transmit queues    0         0          0
bgp PA strings         28151     21181      1784320
bgp PA hdr entries     28151     21181      529720
bgp rejected routes    0         0          0
bgp rej entries        0         0          0
bgp history entries    0         0          0
------------------------------------------------------------
Total Size                                  12128816
------------------------------------------------------------

show bgp config
The show bgp config command displays user-configured values that are currently being used by the protocol.

BGPEnabled                 Yes
Router ID                  205.14.128.2
BGP AS Number              100
BGP Local Preference       100
Use IP Route Filters       Yes
Route Reflector Server     No
Redistribute RIP routes into BGP is disabled
Redistribute OSPF routes into BGP is disabled
Redistribute Static routes into BGP is disabled
Redistribute BGP routes into OSPF is disabled
Redistribute BGP routes into RIP is disabled

BGP Peer 205.14.128.1
Startup State              Inactive
AS Number                  110
Peer Weight                2000
Cfg Hold Time              180
Retry Time                 45
Advertise Default          Yes
Reflector Client           No
Input Route Map            rmapin
Output Route Map           rmapout

BGP Peer 198.41.11.213
Startup State              Active
AS Number                  100
Peer Weight                1000
Cfg Hold Time              180
Retry Time                 65
Advertise Default          No
Reflector Client           No
Input Route Map            None
Output Route Map           None

show bgp aggregates
The show bgp aggregates command displays the routes which have been configured to be aggregated to external peers. Aggregation will only occur when an instance of the route appears in the IP routing table.
BGP AGGREGATES:
195.41.0.0/16

SEE ALSO
[ IP <Section ID> ], [ IP Route Redistribution ], bgpenable(mgmt), [ BGP Peer Config <Name> ], [ BGP Peer List ], [ BGP Aggregates ], [ BGP Networks ], bgp(show), bgp(reset)

bridge(show)

COMMAND NAME
show bridge - Display bridging configuration and status.

SYNOPSIS
show bridge cache
show bridge statistics
show bridge spigots
show bridge config [ Status ]
show bridge spanning

DESCRIPTION
This manual page describes the show commands that are used to display bridging information within the router.

show bridge cache
This command will display the bridge's Ethernet address cache. The cache table contains hashed Ethernet addresses that are looked up to determine where to forward a particular packet. The first line of the display contains statistics about the hashing performance of the bridge. The rest of the display is the contents of the cache. Sample output from this command is shown below.

Station Addr        Spigot     Pkt Cnt  Bucket  Flags
01:80:c2:00:00:00   Span Tree  1        0       <Perm>
00:05:02:a0:ab:0c   Eth 0      65       7       <Current>
00:05:02:20:73:58   Eth 0      2387     11      <Current>
00:00:a5:72:7e:01   Eth 0      144      13      <Current>
00:05:9a:20:a5:96   Eth 0      84       19      <Current>
00:00:a5:00:19:00   Eth 0      481      25      <Current>
00:00:a5:86:a2:00   Router     2        36      <Perm>
00:60:97:cc:3a:d2   Eth 0      826      36      <Current>
00:00:a5:86:a2:01   Router     1        37      <Perm>
00:00:a5:5d:6e:00   Eth 0      562      51      <Current>
08:00:07:b4:88:7d   Eth 0      3823     65      <Current>
00:00:a5:c7:82:00   Eth 0      5929     69      <Current>
00:05:a8:00:48:1d   Eth 0      145      85      <Current>
00:05:a8:00:44:1f   Eth 0      14710    91      <Current>
00:05:9a:20:59:18   Eth 0      4138     97      <Current>
00:00:a5:c0:a3:00   Eth 0      577      99      <Current>
aa:00:04:00:62:06   Eth 0      78895    100     <Current>
00:05:02:80:a7:56   Eth 0      60       113     <Current>
00:05:02:00:f5:77   Eth 0      79       130     <Current>
00:05:02:60:45:a8   Eth 0      32698    141     <Current>
08:00:07:d7:56:12   Eth 0      3598     147     <Current>
00:00:c0:e2:9f:e8   Eth 0      2        149     <>
00:60:08:11:99:38   Eth 0      3        176     <Current>
00:00:c0:90:d6:f3   Eth 0      399      181     <Current>
00:00:a5:f2:45:00   Eth 0      6907     183     <Current>
09:00:07:00:00:b7   Rtr Mcast  1        183     <Perm>
aa:00:04:00:bc:06   Eth 0      2207     186     <Current>
00:05:02:60:79:a6   Eth 0      7064     191     <Current>
00:05:a8:00:04:c5   Eth 0      2891     193     <Current>
00:05:a8:00:88:67   Eth 0      10644    239     <Current>
ff:ff:ff:ff:ff:ff   Brdcast    1        255     <Perm>
09:00:07:ff:ff:ff   Rtr Mcast  1        255     <Perm>
00:e0:29:0e:05:f4   Eth 0      413      255     <Current>

Station Addr
The Ethernet address that has been detected on the network.

Spigot
The bridge spigot that was most recently associated with the Ethernet address. The router's addresses are listed as Router or Rtr Mcast.

Pkt Cnt
The number of packets received from the station while the entry has been in the cache. If a station has timed out, the packet count from that station is cleared.

Bucket
The hash bucket in which the Ethernet address has been placed. Hash buckets range from 0 to 255.

Flags
Currently there are two caching flags displayed: Current and Perm. Current indicates that the most recent packet has been received from the station in less than half of the aging interval. Perm indicates that the entry is considered permanent and will never be timed out.

show bridge statistics
This command displays bridge statistics on a per spigot basis. Sample output from this command is shown below.

Statistic Type Discard Packets In 0 Filtered 0 Bridge 0 Blocked 0 Protocol 0 Routed Protocol 0 No Hash Entry 0 Routed 0 Forwarded 0 Packets Out Broadcast Flooded 161618 0 0 Eth 0 181903 161618 9652 66 0 151899 0 16991 3294 Eth 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 Wan 0 0 0 0 0 0 0 0 0 0 0 0 0

Statistic Type
There are two main statistic types for the show bridge statistics command, Packets In and Packets Out. These two types tally the number of packets received and transmitted per bridge spigot. The statistic types are described below:

Packets In
The total number of packets received by the bridge spigot. Received packets are broken down into the Filtered, Routed and Forwarded subtypes.
        Filtered
            The total number of packets which the bridge received and discarded. The subtypes of this type are Bridge, Blocked, Protocol, Routed Protocol and No Hash Entry.
        Bridge
            The number of packets discarded because the transmitting and receiving stations are on the same bridge spigot.
        Blocked
            The number of packets discarded as a result of the Spanning Tree algorithm. Packets will be blocked if the spigot state is blocked, listening, or learning.
        Protocol
            The number of packets discarded because of protocol filtering.
        Routed Protocol
            The number of packets discarded because the protocol is currently being routed on this port, and the packet was not addressed to the station address of the router.
        No Hash Entry
            The number of packets discarded because the bridge was out of hash table entries. This tally should be 0; if it isn't, increase the allocation of hash table entries using the [ Bridging Global ] section.
        Routed
            Packets listed as routed were handed to the router input routines and were dispatched by the router switching routines.
        Forwarded
            The number of packets that have been forwarded by the bridge.
        Packets Out
            The total number of packets transmitted by the bridge spigot. Transmitted packets are broken down into the Broadcast and Flooded subtypes. These two subtypes will not add up to the total number of transmitted packets on this spigot.
        Broadcast
            This tally is the number of broadcast packets that were transmitted by this bridge spigot.
        Flooded
            This tally is the number of flooded packets that were transmitted by this bridge spigot. Flooded packets are transmitted out all spigots by the bridge, like broadcast packets. They include multicast packets, and those packets with unknown or new destination Ethernet addresses.

    show bridge spigots
        This command displays the status of the bridge spigots, including current filtering masks.
        A bridge spigot is a physical or a virtual interface on the bridge. This command is mostly used to debug bridging problems and displays raw information about several important internal bridging parameters. Sample output from this command is shown below.

        Spigot      Port ID  Pmask     Rpmask    State       Flags
        Discard     ff00     0         0                     60
        Eth 0       8001     7ffffffe  a         Forwarding  72
        Eth 1       2        0         0         Disabled    10
        Wan 0       3        0         0         Disabled    0
        Wan 1       4        3         3         Disabled    0
        Router      4d       ffffffff  ffffffff              62
        Rtr Mcast   4e       0         0                     60
        Brdcast     4f       0         0                     60
        Flood       50       0         0                     60
        Span Tree   51       0         0                     60

        Spigot
            This is the bridge spigot name; all spigots configured will be listed by this display.
        Port ID
            The Port ID is a Spanning Tree parameter. The Port ID is the spigot number combined with its priority.
        Pmask
            The hexadecimal value of the protocol mask in effect for the spigot.
        Rpmask
            The hexadecimal value of the router protocol mask, which indicates the protocols that are being routed for a spigot.
        State
            The Spanning Tree state for the spigot.
        Flags
            The hexadecimal value of the spigot flags.

    show bridge config
        This command displays the current bridge configuration as stored in Flash ROM, or, if a modified configuration exists in the command loop edit buffer, the contents of that buffer. The show bridge config command with the optional Status parameter displays the runtime parameters in use by the system at the time the command is issued. The same parameters (with potentially different values) are displayed by all variations of these show bridge commands. Sample output from the show bridge config command is shown below.
        Global Bridge Parameters:
            Hash Table Size:  1024
            Table Aging Time: 300 seconds

        Spanning tree parameters:
                      Bridge ID               Priority  Max Age  Hello  Fwd Dly
        Flash values  8000-00:00:a5:86:a2:00  32768     0        2      15

        Port    Priority  Path Cost  Flags
        Ether0  128       100        <On>
        Ether1  disabled
        Wan0    disabled
        Wan1    disabled

        Port    Filters
        Ether0  IPX, Atalk P1, Atalk P2, DECnet
        Ether1  disabled
        Wan0    disabled
        Wan1    disabled

        The first part of the display contains the Global Bridge Parameters: the Hash Table Size and Table Aging Time values. If no bridging is enabled, this is all that will be displayed.

        The next section displays the global Spanning Tree parameters. Many of these values are only valid if the bridge is the root bridge. All bridges on a Spanning Tree bridged network use the values set by the root bridge. If Spanning Tree is not enabled, no parameters will be displayed.

        Parameters for the physical ports on the router are displayed last. These parameters include filter settings, priorities, and path costs.

    show bridge spanning
        This command displays the IEEE Spanning Tree configuration of the bridge. If Spanning Tree is disabled, no information will be displayed by this command. Sample output from this command is shown below.
        Spanning tree parameters:
                      Bridge ID               Priority  Max Age  Hello  Fwd Dly
        Configured    8000-00:00:a5:86:a2:00  32768     20       2      15
        Root Bridge   8000-00:00:a5:5d:6e:00  32768     20       2      15

        Root Bridge?:    No
        Root Path Cost:  200
        Root Port:       Eth 0 (1)

        Spanning tree port parameters:
        Spigot  Port ID  State       Priority  Path Cost
        Eth 0   8001     Forwarding  128       100
        Eth 1   2        Disabled    0         0
        Wan 0   3        Disabled    0         0
        Wan 1   4        Disabled    0         0

        Spigot  Designated Root         Cost  Designated Bridge       Port ID
        Eth 0   8000-00:00:a5:5d:6e:00  100   8000-00:00:a5:f2:45:00  8001
        Eth 1   8000-00:00:a5:5d:6e:00  200   8000-00:00:a5:86:a2:00  2
        Wan 0   8000-00:00:a5:5d:6e:00  200   8000-00:00:a5:86:a2:00  3
        Wan 1   8000-00:00:a5:5d:6e:00  200   8000-00:00:a5:86:a2:00  4

        The first section displays the global Spanning Tree parameters for this bridge and for the root bridge on the network. The values used by the bridge are those of the root bridge. Also displayed are a flag indicating whether this bridge is the root bridge, the root path cost, and the root port on the bridge. See the [ Bridging Global ] section for descriptions of the parameter values and of how to become the root bridge on the network.

        The next section displays the port parameters for spigots that are part of the Spanning Tree algorithm. The values displayed are the runtime values. The fields are described below:

        Spigot
            The bridge spigot name.
        Port ID
            The hexadecimal value of the Spanning Tree port ID for a spigot. The port ID is a combination of the spigot number and its priority. Lower numbers have higher priority.
        State
            The Spanning Tree state for the port. Possible states include: Listening, Learning, Forwarding, Blocked, and Disabled. Other states are possible, but have the same meaning as Disabled. The states have the following definitions:
            Listening
                In this state, a bridge spigot has just been enabled, and is preparing to participate in the Spanning Tree network. The bridge only learns of neighboring bridges and will not forward any packets or learn any addresses.
            Learning
                In this state, the bridge spigot has just left the Listening state, but it still isn't forwarding packets. Station addresses are learned and added to the address cache.
            Forwarding
                This state is the normal operating mode. Station addresses are learned and packets are forwarded.
            Blocked
                In this state, the spigot doesn't participate in the bridged network except to listen to Spanning Tree packets. This state is entered whenever a loop is detected by the Spanning Tree algorithm.
            Disabled
                In this state, the spigot has been disabled by the administrator, and it is not included in the Spanning Tree computation in any way.
        Priority
            The priority of the spigot.
        Path Cost
            The path cost of a spigot, used to compute the cost/distance from the root bridge.
        Designated Root
            The root bridge as reported by the configuration packets received on the spigot.
        Cost
            The cost reported is the distance to the root bridge on the network attached to the spigot.
        Designated Bridge and Port ID
            These two parameters indicate the bridge with the highest priority on a network segment and the ID of the port with which it is attached.

SEE ALSO
    [ Bridging Global ], [ Bridging <Section ID> ], os(show), enable(mgmt)

config(show)

COMMAND NAME
    show config - Display the device's text-based configuration and default parameters.

SYNOPSIS
    show config [ <options>... ] [ <section name> ]
    list [ <options>... ]

DESCRIPTION
    The show config command is used to display various aspects of a text-based configuration that is stored in the device or being modified. For information about the format and syntax of the configuration, please refer to the manual page for each section of the configuration.

    The list command is valid only when in the configuration editor, and is used to display the section being edited. It accepts the same options as the show config command. For more information about the configuration editor, see the configure section.
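    The lookup order that this command's origin option exposes (a port section such as [ IP Wan 0 ] first, then its [ IP Wan Default ] section, then a built-in default), together with the cooked and mark displays, modelled in Python as an added example. This is not the device's own parser: the built-in defaults are assumed from the mark example on this page, the "built-in default" origin wording is assumed, the value normalization is a simplification, and the configuration buffer is constructed.

```python
"""Model of the cooked / mark / origin views of a text-based configuration.
Added example, not the device's parser: built-in defaults are assumed from
the mark example on this page; value normalization is simplified."""
import re

SECTION_RE = re.compile(r"^\[\s*(?P<name>[^\]]+?)\s*\]$")
# Keyword = Value, with an optional trailing "# comment" (stripped when cooked).
KEYVAL_RE = re.compile(r"^(?P<key>\w+)\s*=\s*(?P<value>[^#]*?)\s*(?:#.*)?$")

# Keywords the cooked display always shows for an IP port section, in the
# order used on this page, with their assumed built-in defaults.
BUILTIN_DEFAULTS = {
    "Mode": "Routed",
    "IPAddress": "0.0.0.0",
    "SubnetMask": "0.0.0.0",
    "IPBroadcast": "0.0.0.0",
    "RIPVersion": "None",
    "OutFilters": "",
    "InFilters": "",
    "Numbered": "Off",
    "Updates": "Triggered",
    "RemoteAddress": "0.0.0.0",
}

# Constructed raw configuration buffer; line numbers matter for "origin".
SAMPLE_CONFIG = """\
[ IP Wan 0 ]
RIPVersion = V1 # Turn RIP on
Numbered = TRUE
IPAddress = 31.0.0.5
SubnetMask = 255.0.0.0
IPBroadcast = 31.255.255.255
RemoteAddress = 0.0.0.0
Updates = periodic

[ IP Wan Default ]
Mode = Bridged
"""


def parse_config(text):
    """Return {section (lower-case): {keyword (lower-case): (raw value, line)}}."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").lower()
            sections.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").lower()] = (m.group("value"), lineno)
    return sections


def normalize(keyword, value):
    """Canonical spelling as the cooked display prints it (TRUE -> On,
    periodic -> Periodic); a simplification of the real parser."""
    v = value.strip()
    if v.upper() in ("TRUE", "ON"):
        return "On"
    if v.upper() in ("FALSE", "OFF"):
        return "Off"
    if keyword in ("Mode", "Updates"):
        return v.capitalize()
    return v


def lookup(sections, section, keyword):
    """Resolve one keyword and report where it was found, as "origin" does."""
    candidates = [section]
    parts = section.split()
    if parts[-1].isdigit():                      # "IP Wan 0" -> "IP Wan Default"
        candidates.append(" ".join(parts[:-1] + ["Default"]))
    for name in candidates:
        entry = sections.get(name.lower(), {}).get(keyword.lower())
        if entry is not None:
            value, lineno = entry
            return normalize(keyword, value), f"Cfg Buffer, line {lineno}, section '{name}'"
    return BUILTIN_DEFAULTS[keyword], "built-in default"   # wording assumed


def show_cooked(sections, section, mark=False, origin=False):
    """Lines of the cooked listing, optionally with mark and origin output."""
    lines = [f"[ {section} ]"]
    for keyword, default in BUILTIN_DEFAULTS.items():
        value, where = lookup(sections, section, keyword)
        if origin:
            lines.append(f"# TBM Parser: Looking for: {section}: {keyword}")
            lines.append(f"# Found in {where}")
        text = f"{keyword} = {value}"
        if mark and value != default:
            text += f"    # Default => {default}"
        lines.append(text)
    return lines


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("\n".join(show_cooked(cfg, "IP Wan 0", mark=True, origin=True)))
```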
    In addition to simply displaying a configuration, these commands can be used to: check configurations for errors; display the device's default configuration or the differences between the current configuration and the default configuration; flatten port hierarchies; display the line and section where a value was found; and perform several other miscellaneous functions.

    A configuration can be displayed using one of two basic modes, raw and cooked.

    Raw Mode
        Raw mode is the default way a configuration or section of a configuration is displayed. In this mode, the configuration is displayed exactly as it is stored in the device's permanent configuration memory, or, in the case of an edited configuration, as it exists in the edit buffer.

    Cooked Mode
        When a configuration is displayed using cooked mode, the device runs the raw configuration through a parser to check the values in the configuration. This mode is called "cooked" because the data being displayed has been prepared for display. When editing a configuration, it is possible to run the configuration through the same parsers that the device uses to initialize itself. Use the existing show * config commands (e.g., show ip config) to run these parsers.

OPTIONS
    section name
        The section name must be a valid configuration section and must be fully spelled out in order to be found. If no section name is specified, the entire device configuration will be displayed.

    Options (General)
        All options must be specified with the full option name. Abbreviated options will be interpreted as part of the section name, resulting in a syntax error.

    help
        The help option generates a message showing all of the options available and a short description of how each option is used. This is entered as show config help.

    list
        The list option generates a list of section names known to the device.
        Not all devices understand all sections listed in this manual, because configuration information depends on which features a device has. This is entered as show config list.

    Options (Raw Mode)
        Raw mode is the default mode for displaying a configuration or a section of the configuration. No special option exists to enable this display mode.

    number
        The number option causes line numbers to be printed as the configuration is displayed. This is entered as show config number [ <section name> ].

    Options (Cooked Mode)
        Cooked mode is used to display different aspects of the configuration. In cooked mode, the configuration is reformatted and reordered, and comments are stripped out of port-specific and general configuration sections. Cooked mode must be enabled using the cook option.

    cook
        The cook option tells the command to display the configuration in "cooked" mode. Once the cook option has been specified, the configuration parser is run, causing the configuration to be checked for errors as it is being displayed. The following options may be used with the cook option to tailor the display or find out different information.

    all
        The all option tells the command to display all possible variables in each section, whether they exist in your configuration or not. Normally the cooked mode display shows configured values and important default keywords and values.

    defaults
        The defaults option causes only the default values built into the device to be displayed. Use this option to display the factory default configuration. This option may be used with the all option to display all keywords and values built into the device.

    mark
        The mark option is useful to highlight the differences between the current configuration and the device's defaults. If a keyword's value differs from the default, the default value is printed as a comment on the line. This option may not be used with the defaults option.
    origin
        If default sections are used in a hierarchical configuration, the origin option is useful for determining from which line and section a value was taken.

    verbose[#]
        The verbose option is used to generate verbose parser output. This is useful only when trying to determine why a configuration parameter is being set to a mysterious value. You may optionally specify different levels of information ranging from level 1 to 7. Level 7 is the most verbose.

EXAMPLES
    The following example displays a raw version of a configuration section.

        *[ IP Wan 0 ]# list
        [ IP Wan 0 ]
        RIPVersion    = V1 # Turn RIP on
        Numbered      = TRUE
        IPAddress     = 31.0.0.5
        SubnetMask    = 255.0.0.0
        IPBroadcast   = 31.255.255.255
        RemoteAddress = 0.0.0.0
        Updates       = periodic

    The next example shows the same section cooked.

        *[ IP Wan 0 ]# list cook
        [ IP Wan 0 ]
        Mode          = Routed
        IPAddress     = 31.0.0.5
        SubnetMask    = 255.0.0.0
        IPBroadcast   = 31.255.255.255
        RIPVersion    = V1
        OutFilters    =
        InFilters     =
        Numbered      = On
        Updates       = Periodic
        RemoteAddress = 0.0.0.0

    Notice that the comments have been removed and the configuration has been reformatted. Also notice that several additional keywords have been added to the display. The additional keywords are considered important variables and as such they are displayed in cooked configurations.

    The following example shows the same configuration displayed using the mark option.

        *[ IP Wan 0 ]# list cook mark
        [ IP Wan 0 ]
        Mode          = Routed
        IPAddress     = 31.0.0.5          # Default => 0.0.0.0
        SubnetMask    = 255.0.0.0         # Default => 0.0.0.0
        IPBroadcast   = 31.255.255.255    # Default => 0.0.0.0
        RIPVersion    = V1                # Default => None
        OutFilters    =
        InFilters     =
        Numbered      = On                # Default => Off
        Updates       = Periodic          # Default => Triggered
        RemoteAddress = 0.0.0.0

    The next sequence of commands illustrates the use of hierarchies and the origin option.

        *[ IP Wan 0 ]# configure ip wan default
        Section 'ip wan default' not found in the config.
        Do you want to add it to the config?
        y
        Configure parameters in this section by entering:
        <Keyword> = <Value>
        To find a list of valid keywords and additional help enter "?"
        *[ IP Wan Default ]# mode = bridged
        *[ IP Wan Default ]# list
        [ IP Wan Default ]
        Mode = Bridged
        *[ IP Wan Default ]# show config cook origin ip wan 0
        # TBM Parser: Looking for: IP Wan 0: Mode
        # Found in Cfg Buffer, line 231, section 'IP Wan Default'
        [ IP Wan 0 ]
        # TBM Parser: Looking for: IP Wan 0: Mode
        # Found in Cfg Buffer, line 231, section 'IP Wan Default'
        Mode = Bridged
        # TBM Parser: Looking for: IP Wan 0: IPAddress
        # Found in Cfg Buffer, line 26, section 'IP Wan 0'
        IPAddress = 31.0.0.5
        # TBM Parser: Looking for: IP Wan 0: SubnetMask
        # Found in Cfg Buffer, line 27, section 'IP Wan 0'
        SubnetMask = 255.0.0.0
        # TBM Parser: Looking for: IP Wan 0: IPBroadcast
        # Found in Cfg Buffer, line 28, section 'IP Wan 0'
        IPBroadcast = 31.255.255.255
        Display continues for a while...
        *[ IP Wan Default ]#

    Notice in the preceding display that the value of the Mode keyword is set to Bridged even though it is not set in the [ IP Wan 0 ] section. The display shows on which line and in which section each keyword was found.

SEE ALSO
    configure

decnet(show)

COMMAND NAME
    show decnet - Show DECnet configuration parameters.

SYNOPSIS
    show decnet config
    show decnet routing

DESCRIPTION
    The show decnet commands provide information on the configured and operating state of a router for DECnet operation.

    show decnet config
        This command provides information on the configured values for DECnet operation of a router. The following is the output from the show decnet config command:

        Global Decnet Parameters:
            Area: 1    Node: 1000    Max Address: 1023
            Hello Tmr: 30    Routing Tmr: 120

        Port        State  Hello Tmr  Routing Tmr
        Ethernet A  On
        WAN A       On     30         120
        Bridge      Off

        The information shown by the show decnet config command is:

        Area
            A DECnet area is a logical grouping of DECnet nodes. It may include one or more physical network segments.
            The area information, along with the node number, uniquely identifies the router on the network.
        Node
            A DECnet node number uniquely identifies the router in the DECnet area.
        Max Address
            This is the maximum number of addresses allowed in the DECnet area. This value is configured into the router and should be consistent between routers in the same DECnet area.
        Hello Tmr
            DECnet hello messages tell end nodes which routers are available to route packets. The global value (shown at the top of the output) defines how often (in seconds) the router will send these messages on its LAN ports. Specific values for WAN ports are shown in the port-by-port listing.
        Routing Tmr
            DECnet routing messages are exchanged between routers and contain routing table information including node numbers, hello timer values, hop counts and costs. The global value (shown at the top of the output) defines how often (in seconds) the router will send these messages on its LAN ports. Specific values for WAN ports are shown in the port-by-port listing.
        Port
            This item identifies the interface on the router to which the rest of the line's information pertains.
        State
            The DECnet state on an interface can be either On or Off. If it is On, the interface will participate in DECnet routing. If it is Off, the interface will not route DECnet information.

    show decnet routing
        This command shows the runtime status of the DECnet routing table in a router.
        The following is the output from the show decnet routing command:

        Dest    Cost  Hops  TTL  Prio  Interface   Gateway or end node Address
        1.1        4     1   52        Ethernet B  aa:00:04:00:01:04 (enode 1.1)
        1.10       4     1   33     1  Ethernet A  aa:00:04:00:0a:04 (lvl1r 1.10)
        1.13       8     2             Ethernet A  aa:00:04:00:0a:04 (gtway 1.10)
        1.321      4     1   82     1  Ethernet A  aa:00:04:00:41:05 (lvl1r 1.321)
        1.666      4     1   83     1  Ethernet A  aa:00:04:00:9a:06 (lvl1r 1.666)
        1.801      4     1   69     1  Ethernet B  aa:00:04:00:21:07 (lvl1r 1.801)
        1.1000     0     0          1  Local       aa:00:04:00:e8:07 (lvl1r 1.1000)

        The information shown by the show decnet routing command is:

        Dest
            This is the address of a DECnet end node, router or gateway. The format is area.node.
        Cost
            This is the cost metric for the route. DEC defines an Ethernet as having a cost of 4. Compatible Systems routers also set the cost of all WAN interfaces to 4.
        Hops
            This is the number of routers between this router and the destination.
        TTL
            This is the time-to-live value in seconds for the route. This value is counted down from the arrival of a routing message from the next hop router.
        Prio
            This is the priority value for the next hop router on the route. This value is used to decide which router is the "designated router" on a segment. Compatible Systems routers default to a priority of 1, which is the lowest priority.
        Interface
            This is the interface on the router through which this route will be found.
        Gateway or End Node Address
            The address for all ports of the router is shown first. DECnet modifies a device's assigned Ethernet address and assigns the same address to all ports. The type of node is then shown in parentheses, along with its gateway's DECnet address (or its own DECnet address if it is directly connected). Descriptions of the node types follow.
            enode
                This is an end node.
            lvl1r
                This is a level-one router. A level-one router routes DECnet within the local area.
            gtway
                This is an address behind a gateway.
SEE ALSO
    [ DECnet Global ], [ DECnet <Section ID> ]

ethernet(show)

COMMAND NAME
    show ethernet - Show Ethernet statistics and related parameters.

SYNOPSIS
    show ethernet addresses
    show ethernet statistics

DESCRIPTION
    The show ethernet commands display information specifically about the Ethernet ports in the device.

    show ethernet addresses
        This command displays the hardware address of the Ethernet chip for each interface. This can be helpful in debugging network problems. The following is output from the show ethernet addresses command for a two-port router:

        Ethernet Address: 00:00:a5:77:2c:00
        Ethernet Address: 00:00:a5:77:2c:01

    show ethernet statistics
        This command displays tallies for all ports, returned from the Ethernet chip(s), for various types of conditions and exceptions. The following is output from the show ethernet statistics command. The number of columns will vary depending on the number of Ethernet interfaces.

        Statistic Type     Ether0  Ether1
        Packets In         390095  337345
        Packets Out        334093  291833
        CRC Errors              0       0
        Frame Errors            0       0
        Overruns                0       0
        Underruns               0       0
        Loopback Pkts           0       0
        Missed Pkts             0       0
        Receive Error           0       0
        Transmit Error          2       0
        Post Send          334095  291833
        Bad Length              0       0
        Receive Int        389222  337182
        Transmit Err Int        0       0
        Collisions              0       0
        Rcv Desc Exhaust        0       0
        Rcv Buf Exhaust         0       0
        RBA Exceeded            0       0
        Bad RDA                 0       0
        Hung Transmit           0       0
        Iface discard           0       0

        As this display suggests, many of the statistics should be zero. The Statistic Types and what they mean are described below:

        Packets In
            This is the total number of packets taken in on this interface.
        Packets Out
            This is the total number of packets sent out this interface.
        CRC Errors
            This is the number of received packets that contained CRC (Cyclical Redundancy Check) errors.
        Frame Errors
            This is the number of received packets that had frame alignment errors.
        Overruns
            This is the number of receive FIFO (First In First Out) overruns detected.
            FIFO is a method of queuing packets.
        Underruns
            This is the number of transmit FIFO underruns detected.
        Loopback Pkts
            This is the number of loopback packets received.
        Missed Pkts
            This is the number of packets missed due to buffer overflow.
        Receive Error
            This is the number of packets where an error was detected in the packet header.
        Transmit Error
            This is the number of packets that were not sent due to a transmit error.
        Post Send
            This is the number of packets queued to be sent. It should be nearly the same as, if not identical to, Packets Out.
        Bad Length
            This is the number of packets received that had an invalid length.
        Receive Int
            This is the number of times that the processor was interrupted to receive a packet. It should be nearly the same as, if not identical to, Packets In.
        Transmit Err Int
            This is the number of processor interrupts for transmit errors.
        Collisions
            This is the number of packet collisions detected during packet transmission.
        Rcv Desc Exhaust
            This is the number of times that the receive descriptors were exhausted.
        Rcv Buf Exhaust
            This is the number of times that the receive buffer area was exceeded.
        RBA Exceeded
            This is the number of packets received that were oversized (greater than 1514 bytes).
        Bad RDA
            This is the number of times a bad receive descriptor array was detected.
        Hung Transmit
            This is the number of times a transmitter hang was detected and reset.
        Iface discard
            This is the number of packets discarded when the router transmit resources were exhausted.
        Cntr Oflow
            This is the number of times the Ethernet chip counters were exceeded.

SEE ALSO
    [ Ethernet Interface <Section ID> ]

firewall(show)

COMMAND NAME
    show firewall - Display firewall configuration and status.
SYNOPSIS
    show firewall ports
    show firewall paths
    show firewall rejects [ Verbose ]
    show firewall proto
    show firewall sessions [ Verbose ]
    show firewall statistics

DESCRIPTION
    This manual page describes the show commands that are used to display information about the IntraGuard Firewall.

    show firewall ports
        This command displays the firewall's ports. Sample output from this command is shown below.

        Port      Flags
        Eth 0     00000000
        Eth 1     00000000
        Eth 2     00000000
        Firewall  00000000

        Port
            This is a list of the firewall's interfaces. The Firewall interface is the bridge interface.
        Flags
            This shows special flags which apply to the interface. A flag of 00000001 indicates that packets coming from that port will not be checked by the device; it should only appear on the Firewall (bridge) interface, since on any other port it would mean that port's traffic bypasses inspection. A flag of 00000002 indicates that no packets from that port will be permitted in or out. This flag will only appear if the interface has not been assigned to a path.

    show firewall paths
        This command displays the status of the firewall paths. Paths define a route for packets through the firewall. Each path has two endpoints: inside interfaces ("Input") and outside interfaces ("Output"). Sample output from this command is shown below.

        Path          FPlcy  Flags     Path Number
        Green-Red     3      00023110  1
        Yellow-Red    4      00023100  2
        Green-Yellow  3      00023110  3
        (The Input and Output interface columns of this sample are not legible in the source and are omitted.)

        Bckt  Path
        18    Green-Red
        19    Green-Yellow
        20    < Multiplexed
        50    Yellow-Red
        66    Green-Red
        67    Green-Yellow

        Path
            This is the path name; all paths configured will be listed by this display.
        FPlcy
            This is the security policy assigned to the path. Possible policies include: 1/Blocked, 2/Strict, 3/Standard, 4/Lenient, and 5/Open. The policies have the following definitions:
            1/Blocked
                This is the most secure policy, which does not allow packets in or out along the path.
                It is the equivalent of physically separating the internal and external networks. The Blocked policy can be used as the base of a very restrictive policy set built up with the additional configuration options.
            2/Strict
                This is a restrictive policy set. A small set of outgoing client sessions is permitted through the firewall and all incoming server sessions are excluded.
            3/Standard
                This is the default policy set. Almost all outgoing client sessions are permitted, and almost all incoming server sessions are excluded. The only exceptions to those rules are that the BGP and X Windows protocols are excluded from going in or out of the firewall and the IPSec protocol is permitted in.
            4/Lenient
                This is a less secure policy. All outgoing client sessions are permitted and some incoming server sessions are permitted.
            5/Open
                This is an insecure policy set. Everything is permitted through the firewall, thereby turning the firewall into a transparent bridge.
        Flags
            These indicate the protocols permitted in or out along the path, i.e. the path's security configuration.
        Path Number
            This is the number assigned to the path by the firewall.
        Input
            This is the interface which is serving as the inside interface on the path. Typically, the inside interface is the secure side of the path.
        Output
            This is the interface which is serving as the outside interface on the path. Typically, the outside interface is the less secure side of the path.
        Bckt
            This is the hash index used for looking up paths in the firewall's internal databases.

    show firewall sessions
        This command displays the current sessions on each path in the firewall. Sample output from the show firewall sessions command is shown below.
        'Green-Red' Session Table:
        Session                                 Bckt  IP Proto  Flags     Usage Cnt
        192.168.4.51:1187 -> 192.168.4.60:23    303   TCP       00010002  181
        192.168.4.33:520 -> 224.0.0.9:520       331   UDP       00020000  81
        192.168.4.61:520 -> 224.0.0.9:520       359   UDP       00020000  9

        'Yellow-Red' Session Table:
        Session                                 Bckt  IP Proto  Flags     Usage Cnt

        'Green-Yellow' Session Table:
        Session                                 Bckt  IP Proto  Flags     Usage Cnt
        192.168.4.33:520 -> 224.0.0.9:520       331   UDP       00020000  81
        192.168.4.61:520 -> 224.0.0.9:520       359   UDP       00020000  9

        Session
            This shows the IP addresses for each session and indicates whether it is an outgoing client session (->) or an incoming server session (<-).
        Bckt
            This is the hash index used for looking up the session in the firewall's internal databases.
        IP Proto
            This indicates the IP protocol of the session. Values may be TCP, UDP, ICMP, GRE, OSPF, or IPSec. It may also be IP followed by a space and the assigned protocol number.
        Flags
            This shows the flags which currently apply to the session and indicate such things as whether the session is active, whether it is a permanent session, whether either side has shut down, and whether it has received input packets or output packets.
        Usage Cnt
            This is a counter of how many packets have gone through for the session.

    show firewall rejects
        This command displays a summary of information about rejected sessions. Sample output from the show firewall rejects command is shown below.
        'Green-Red' Reject Table:
        Session                                       Bckt  IP Proto  Flags     Usage Cnt
        192.168.5.12:* <- 192.168.5.2:*               15    ICMP      0008000a  15
        192.168.5.227:113 <- 195.241.48.131:51566     75    TCP       00080008  1
        192.168.5.227:23369 <- 193.207.1.1:25         76    TCP       00080008  2
        192.168.5.227:23716 <- 209.27.23.188:25       98    TCP       0008000a  2
        208.251.158.137:3783 <- 192.168.5.30:4606     114   TCP       00080008  1
        208.251.158.137:3782 <- 192.168.5.30:21       136   TCP       00080008  1
        192.168.5.52:32768 <- 192.168.5.30:53         152   UDP       00080008  4
        192.168.5.227:113 <- 194.183.166.3:4672       157   TCP       00080008  2
        192.168.5.103:6101 <- 192.168.5.12:43601      159   TCP       00080008  1
        192.168.171.14:137 <- 205.199.222.115:137     164   UDP       00080008  3
        192.168.5.103:6101 <- 192.168.5.12:43608      166   TCP       00080008  1
        192.168.5.103:6101 <- 192.168.5.12:43609      167   TCP       00080008  1
        192.168.5.103:6101 <- 192.168.5.12:43610      168   TCP       00080008  1
        192.168.5.103:6101 <- 192.168.5.12:43611      169   TCP       00080008  1
        192.168.5.103:6101 <- 192.168.5.12:43612      170   TCP       0008000a  1

        'Yellow-Red' Reject Table:
        Session                                       Bckt  IP Proto  Flags     Usage Cnt
        192.168.5.31:520 <- 192.168.5.8:520           72    UDP       0008000a  10
        192.168.5.31:138 <- 192.168.5.24:138          348   UDP       0008000a  2

        'Green-Yellow' Reject Table:
        Session                                       Bckt  IP Proto  Flags     Usage Cnt

        Session
            This shows the IP addresses for the rejected session and indicates whether it is an outgoing client session (->) or an incoming server session (<-).
        Bckt
            This is the hash index used for looking up the session in the firewall's internal databases.
        IP Proto
            This indicates the IP protocol of the rejected session. Values may be TCP, UDP, ICMP, GRE, OSPF, or IPSec. It may also be IP followed by a space and the assigned protocol number.
        Flags
            This shows the flags which currently apply to the session and indicate such things as whether it has received input packets or output packets.
        Usage Cnt
            This is a counter of how many packets have been discarded for the rejected session. The timer for the counter is set in the [ Firewall Globals ] section.
            The counter is cleared when the timer expires.

    show firewall proto
        This command displays the protocols which are allowed in and out along each path. The display includes both the pushbutton configuration and the Allow Ports/Protocols configuration. Sample output from the show firewall proto command is shown below.

        'Green-Red' Pushbutton Configuration:
          Protocols/Services permitted in:  (Masks -> 06080e0a 00000004)
            HTTP, SMTP, DNS, CSC Management, NTP (NetTime), ARP, IP Security, RIP, BGP
          Protocols/Services permitted out: (Masks -> 0ffdffff 00000007)
            FTP, Telnet, HTTP, LPR, SMTP, POP, NNTP (news), Gopher, BSD R-Utils, DNS, CSC Management, TFTP, NTP (NetTime), SUN RPC, NFS, IRC, Real Audio, H.323, ARP, ICMP, GRE Tunnels, IP Security, ISAKMP, NetBIOS, RIP, OSPF, BGP, Other UDP, Other TCP, Non IP

        'Yellow-Red' Pushbutton Configuration:
          Protocols/Services permitted in:  (Masks -> 062a060b 00000006)
            FTP, HTTP, SMTP, DNS, CSC Management, NTP (NetTime), X Windows, ARP, IP Security, ISAKMP, BGP, Other UDP
          Protocols/Services permitted out: (Masks -> 0ffdffff 00000007)
            FTP, Telnet, HTTP, LPR, SMTP, POP, NNTP (news), Gopher, BSD R-Utils, DNS, CSC Management, TFTP, NTP (NetTime), SUN RPC, NFS, IRC, Real Audio, H.323, ARP, ICMP, GRE Tunnels, IP Security, ISAKMP, NetBIOS, RIP, OSPF, BGP, Other UDP, Other TCP, Non IP

        'Green-Yellow' Pushbutton Configuration:
          Protocols/Services permitted in:  (Masks -> 04000000 00000000)
            ARP
          Protocols/Services permitted out: (Masks -> 0dfdffff 00000007)
            FTP, Telnet, HTTP, LPR, SMTP, POP, NNTP (news), Gopher, BSD R-Utils, DNS, CSC Management, TFTP, NTP (NetTime), SUN RPC, NFS, IRC, Real Audio, H.323, ARP, ICMP, GRE Tunnels, IP Security, ISAKMP, NetBIOS, RIP, OSPF, Other UDP, Other TCP, Non IP

        'Green-Red' Non Pushbutton Protocol/Service Configuration:
        Session                  Bckt  IP Proto  Flags     Usage Cnt
        TCP port 548 <IN, OUT>   132   TCP       00000076  2

        'Yellow-Red' Non Pushbutton Protocol/Service Configuration:
        Session                  Bckt  IP Proto  Flags     Usage Cnt

        'Green-Yellow' Non Pushbutton Protocol/Service Configuration:
        Session                  Bckt  IP Proto  Flags     Usage Cnt

    show firewall statistics
        This command displays global firewall and path-specific statistics since the device was last booted. Sample output from this command is shown below.

        Global Statistics:
          Invalid Port  Open MUX  Active Ses  Bad Path  Mcast/Bcast  Max Ses
                     0    103277         408         1       828637      701

        Dynamic Memory Usage:
          Ses in use  Ses allocated  Ses free  Total Ses
                 408            736       328     296391

                      Green-Red  Yellow-Red  Green-Yellow
        Pkts Thru       6123770        1683         19116
        Frag ok             261           0             0
        ARP                5383        1656          1065
        Non IP                0           0             0
        Pkts Dropped    1250745      433351        105329
        Bad IP hdr            0           0             0
        Src Route             0           0             0
        Bad Frag              0           0             0
        Min Frag              0           0             0
        Non IP           904367      399503        105329
        Timeouts         176027          27           556
        Inactivity       128789          16           556
        TCP SYN           44833          11             0
        TCP FIN            2401           0             0
        TCP Resets        35685           0             0
        Active Ses          407           0             1
        Max Ses             700           1             1
        Ses Err               0           0             0
        Ses Missing           0           0             0

        Global Statistics
            This section displays global firewall statistics. The statistic types are described below:
        Invalid Port
            The number of sessions which attempted a connection with an interface that wasn't included in any path. The value should usually be 0.
        Open MUX
            The number of sessions between open multiplexed (Open MUX) interfaces. These are any interfaces which have the same setting on a path (i.e., any interfaces which are designated as inside interfaces on the same path are Open MUX; similarly, interfaces which are designated as outside interfaces on the same path are also Open MUX).
        Active Ses
            The total number of active sessions on the firewall.
        Bad Path
            The number of sessions which attempted a connection to a bad path. This may occasionally happen at startup.
        Mcast/Bcast
            The number of multicast and broadcast packets received since boot.
        Max Ses
            The maximum number of simultaneous active sessions which have occurred on the firewall.
        Dynamic Memory Usage
            This section displays the dynamic memory usage. The statistic types are described below.
Ses in use
    A tally of the active sessions on the firewall. This should be very close, if not identical, to Active Ses.
Ses allocated
    The number of available sessions on the firewall, based on memory allocation. This number should always be slightly above Max Ses.
Ses free
    The number of allocated sessions which are not in use. As sessions are timed out, Ses free will increase; as new sessions are established, Ses free will decrease. If there appear to be too many or too few sessions available, the session timers may need to be adjusted. Session timers are set using the [ Dynamic Firewall Globals ] section.
Total Ses
    The total number of sessions since boot.

The next section of statistics displays path-specific information.

Pkts Thru
    The total number of packets transmitted along the path.
Frag Ok
    The number of fragmented packets which were allowed through.
ARP
    The number of ARP packets which were allowed through.
Non IP
    The number of non-IP packets which were allowed through.
Pkts Dropped
    The total number of packets which were discarded.
Bad IP hdr
    The number of packets discarded due to errors in the IP header.
Src Route
    The number of source routed packets which were discarded.
Bad Frag
    The number of overlapping fragmented packets which were discarded.
Min Frag
    The number of fragmented packets which were discarded because they were smaller than the minimum size allowed in the configuration.
Non IP
    The number of non-IP packets (e.g., IPX and AppleTalk) which were discarded based on the security policy.
Timeouts
    The total number of sessions timed out.
Inactivity
    The number of sessions timed out due to inactivity.
TCP SYN
    The number of sessions timed out due to incomplete TCP session establishment negotiation.
TCP FIN
    The number of sessions timed out due to incomplete TCP session teardown negotiation.
TCP Resets
    The number of sessions timed out due to a TCP reset.
    A TCP reset is an abnormal session termination causing an instantaneous abort.
Active Ses
    The total number of active sessions on the path.
Max Ses
    The maximum number of simultaneous active sessions which have occurred on the path.
Ses Err
    The number of times the firewall encountered an error when trying to free a session.
Ses Missing
    The number of times the firewall couldn't find a session when trying to free it.

OPTIONS
Verbose
    This option causes the command to display even more information.

SEE ALSO
[ Dynamic Firewall Globals ], [ Dynamic Firewall Logging ], [ Dynamic Firewall Path <Name> ]

Management Section 329 frelay(show)

COMMAND NAME
show frelay - display Frame Relay configuration and status.

SYNOPSIS
show frelay config
show frelay dlci
show frelay pvc [ port ] [ dlci ]
show frelay stats [ port ] [ dlci ]

DESCRIPTION
The show frelay commands are used to display Frame Relay configuration and statistics within the router.

show frelay config shows the status of the Frame Relay configuration for each physical port of the router. This includes whether it is on or off, which local maintenance protocol is configured, and the interval for exchanging the local maintenance packets. The following is the output from a show frelay config command.

    Port  Maint   Poll  MTU   DLCI
    Wan0  annexD  10    1500  n/a
    Wan1  Off

show frelay dlci shows the configured DLCI (Data Link Connection Identifier) mappings. These are DLCIs that have been configured with their specific protocol address mappings. The following is the output from a show frelay dlci command.

    Wan0 DLCI Configuration
    DLCI  IP        AppleTalk  DECnet  IPX
    101   10.1.2.2  Off        Off     IARP
    103   10.1.2.3  Off        Off     IARP
    102   10.1.2.4  Off        Off     IARP
    100   10.1.2.5  Off        Off     IARP

show frelay pvc shows the status of the PVCs (Permanent Virtual Circuits) that have been picked up from the Frame Relay switch through local maintenance packets.
It shows the status of the PVC, the Q.922 physical address and DLCI value for the PVC, the total number of input and output packets, a reference and use count, and the up time of the PVC. If no port number is specified, then the known PVCs for all ports will be shown. If a port is specified, then the PVCs for that specific port are shown. If a dlci is specified in conjunction with a port, the status of the PVC will be shown that includes the above data along with an expanded list of packet statistics. This expanded list includes tallies for input and output fragmented packets, FECN and BECN packets and packets that have been discarded. Certain dlci numbers are used for maintenance protocols (i.e., 0 is used for ANSI Annex-D, and 1023 is used for LMI). The following is the output from a show frelay pvc command.

    Wan0 Frame Relay PVC
    DLCI  State     Type   Interface  Flags  Q.922  Ref  Use     Active (D:H:M:S)
    102   Inactive  User   ni_wan0    21     1861   1    3018    0:00:00:00
    101   Active    User   ni_wan0    21     1851   3    112944  10:03:49:38
    16    Active    User   ni_wan0    21     0401   667  59709   2:08:22:58
    0     Active    Maint  ni_wan0    41     0001   1    175562  10:03:50:02

show frelay stats shows an expanded list of Frame Relay packet tallies, described above, for each port of the router. If a port is specified, then only the extended Frame Relay packet tallies for that port are shown. If a dlci is specified in conjunction with a port, then the extended Frame Relay packet tallies for that PVC or DLCI are shown.

SEE ALSO
[ Frame Relay <Section ID> ]

Management Section 331 history(show)

COMMAND NAME
show history - Show command history.

SYNOPSIS
show history

DESCRIPTION
The show history command is used to display the last commands entered in the current command loop session. The command history is displayed from the oldest command to the newest command. The command history has room for 650 bytes of command history, or about 40 commands.
When the buffer fills up, older commands are removed to make room for more recent ones. All commands stored in the buffer are displayed by the show history command.

COMMAND LINE EDITING
The command loop parser supports command line editing. By using this mechanism, whole commands from the history buffer can be retrieved, or a complex set of commands can be retrieved and modified to eliminate most retyping.

The edit config command has two separate history buffers: one for editor commands and another for text input using the append command. There is no way to display the history in these buffers, but the complete editing functionality described below is supported.

On a VT100 or ANSI terminal, the up and down keyboard arrow keys may be used to scroll through the history buffer. The left and right arrow keys may be used to move the cursor position on the current command. Keyboard input will be inserted at the position of the cursor, pushing the rest of the command to the right. There is no overstrike mode. Characters to the left of the cursor may be deleted by pressing either the delete or backspace key. An entire line may be deleted by entering a <CTRL-U> or <CTRL-C>.

A more powerful "emacs" style of editing is also available for users without access to compatible arrow keys or users who are familiar with emacs or other emacs-style command line implementations. The command search functions <CTRL-S> and <CTRL-R> are not implemented. A complete summary of valid commands for both styles is listed below. Both editing styles are active and recognized at the command prompt.
VT100/ANSI KEYPAD EDITING
    Key Sequence  Command action
    Left Arrow    Cursor back one character
    Right Arrow   Cursor forward one character
    Down Arrow    Go forward in history
    Up Arrow      Go backward in history to previous command
    Backspace     Delete previous character
    Delete        Delete previous character
    Ctrl U        Erase line and start over
    Ctrl C        Interrupt input

EMACS-STYLE EDITING
    Key Sequence  Command action
    Ctrl A        Beginning of line
    Ctrl B        Cursor back one character
    Ctrl C        Interrupt input
    Ctrl D        Delete forward character
    Ctrl E        End of line
    Ctrl F        Cursor forward one character
    Ctrl H        Delete previous character
    Ctrl K        Kill (delete) rest of line
    Ctrl L        Redraw line
    Ctrl N        Go forward to the next line
    Ctrl P        Go backward to the previous line
    Ctrl Q        Enter next character literally
    Ctrl U        Erase line and start over
    DEL           Same as Ctrl H

Note: Entering passwords, input to other command prompts, and input to subcommands will not show up in the command history. Incorrect and partial input will show up.

SEE ALSO
help(mgmt), edit config

Management Section 333 ip(show)

COMMAND NAME
show ip - Show IP configuration and related data.

SYNOPSIS
show ip config [ Ethernet | Localtalk | VPN | WAN ] [ <port> ] [ Status ]
show ip filter
show ip routing [ Direct | Dynamic <protocol> | Static | Default | Configured ] [ <IP address> <subnet mask> ]
show ip protocol
show ip cache
show ip statistics
show ip rtcount

DESCRIPTION
The show ip commands display information about the configured and runtime IP parameters and IP routes. They can also show information about the status of the IP ARP cache and IP statistics.

show ip config
The show ip config command will display the IP configuration parameters for all of the interfaces. For more information about how to set the parameters see the [ IP <Section ID> ] section. The following is the output from a show ip config command for a RISC Router 3400R.
    Addresses
    Port        IP Addr          Subnet            Broadcast        Flags
    Ethernet 0  192.168.11.6     255.255.255.224   192.168.11.31    <OSPF:Active> <RIP:in,V2>
    Ethernet 1  ** Disabled **
    Bridge      ** Disabled **
    Wan0        Unnumbered interface                                <Rip_out,Rip_in>
                                 Remote Address:   0.0.0.0          <>
    Wan1        disabled
    Wan2        Unnumbered interface                                <Rip_out,Rip_in>
                                 Remote Address:   192.168.9.18     <>
    Wan3        163.179.16.33    255.255.255.0     163.179.16.255   <Rip_out,Rip_in>
                                 Remote Address:   163.179.16.2     <>

Ethernet parameters are displayed with one line, while WAN and LocalTalk interfaces are displayed with two, unless disabled. The column headings are described below.

Port
    This column usually displays all of the physical interfaces. The exception is for devices that also do bridging. In that case, the bridge "port" is also listed. While bridging is usually associated with Ethernet interfaces, it is logically different to the device. Unnumbered WAN interfaces are noted as such.
IP Addr
    This is the IP address assigned to this interface. If there is no IP address assigned, it is designated as an unnumbered interface.
Subnet
    This is the subnet mask that is being used by this interface.
Broadcast
    This is the broadcast address which this interface will use.
Options
    These are the IP options set for this interface. These include information on the status of routing protocols, Proxy ARP, etc.
Remote Address
    This is the remote address, if configured, for this interface. The address itself is actually displayed in the second line of the WAN output under the Broadcast column.

If the optional parameters Ethernet, LocalTalk, VPN or WAN are used, only interfaces of that type will be shown. The display can be further restricted with the use of the port option. The optional Status parameter shows the present runtime information. If the configuration has been changed, the values displayed when this parameter is used will be different from those displayed without it.
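The broadcast and routing-protocol columns of this display can be checked mechanically when auditing a router. The following Python is an added example, not part of this manual or of the Compatible Systems software: it parses a constructed copy of the show ip config output shown above (one line per Ethernet or bridge port, two per WAN port unless disabled), recomputes each numbered interface's broadcast address from its address and mask, and lists the enabled interfaces that accept RIP updates or run OSPF. The function and regular-expression names are the example's own.

```python
import ipaddress
import re

# Constructed sample, modelled on the show ip config output shown above (not captured from a device).
SAMPLE = """\
Addresses
Port        IP Addr          Subnet            Broadcast        Flags
Ethernet 0  192.168.11.6     255.255.255.224   192.168.11.31    <OSPF:Active> <RIP:in,V2>
Ethernet 1  ** Disabled **
Bridge      ** Disabled **
Wan0        Unnumbered interface                                <Rip_out,Rip_in>
                             Remote Address:   0.0.0.0          <>
Wan1        disabled
Wan2        Unnumbered interface                                <Rip_out,Rip_in>
                             Remote Address:   192.168.9.18     <>
Wan3        163.179.16.33    255.255.255.0     163.179.16.255   <Rip_out,Rip_in>
                             Remote Address:   163.179.16.2     <>
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PORT_RE = re.compile(r"^(Ethernet \d+|Bridge|Wan\d+)\s+(.*)$")   # first line of an interface
ADDR_RE = re.compile(rf"^{IPV4}\s+{IPV4}\s+{IPV4}\s*(.*)$")      # addr, mask, broadcast, flags
REMOTE_RE = re.compile(rf"Remote Address:\s+{IPV4}")              # second line of a WAN interface
FLAG_RE = re.compile(r"<([^>]*)>")


def parse_flags(text):
    """Normalise '<OSPF:Active> <RIP:in,V2>' and '<Rip_out,Rip_in>' to tokens
    such as 'ospf:active', 'rip:in', 'rip:out' and 'v2'."""
    tokens = set()
    for group in FLAG_RE.findall(text):
        prefix = None
        for tok in group.split(","):
            tok = tok.strip().lower()
            if not tok:
                continue
            if ":" in tok:                   # RIP:in  -> prefix 'rip', value 'in'
                prefix, tok = tok.split(":", 1)
            elif "_" in tok:                 # Rip_out -> prefix 'rip', value 'out'
                prefix, tok = tok.split("_", 1)
            elif re.fullmatch(r"v\d", tok):  # protocol version such as V2
                tokens.add(tok)
                continue
            tokens.add(f"{prefix}:{tok}" if prefix else tok)
    return tokens


def parse_ip_config(text):
    """Return one record per interface, in display order."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            name, rest = m.group(1), m.group(2).strip()
            rec = {"port": name, "ip": None, "mask": None, "broadcast": None,
                   "remote": None, "enabled": True, "flags": set()}
            if rest.lower().startswith("disabled") or rest.startswith("** Disabled"):
                rec["enabled"] = False
            elif rest.startswith("Unnumbered interface"):
                rec["flags"] = parse_flags(rest)
            else:
                a = ADDR_RE.match(rest)
                if a:
                    rec["ip"], rec["mask"], rec["broadcast"] = a.group(1), a.group(2), a.group(3)
                    rec["flags"] = parse_flags(a.group(4))
            ports.append(rec)
            continue
        r = REMOTE_RE.search(line)           # continuation line of the preceding WAN port
        if r and ports:
            ports[-1]["remote"] = r.group(1)
    return ports


def expected_broadcast(ip, mask):
    """Directed broadcast = address OR NOT mask; 192.168.11.6/255.255.255.224 -> 192.168.11.31."""
    ip_i = int(ipaddress.IPv4Address(ip))
    mask_i = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip_i | (~mask_i & 0xFFFFFFFF)))


def audit(ports):
    """Findings: a displayed broadcast that does not match address/mask, a remote
    address outside the interface's subnet, and every enabled interface that
    accepts RIP updates or has OSPF active."""
    findings = []
    for p in ports:
        if not p["enabled"]:
            continue
        if p["ip"]:
            if expected_broadcast(p["ip"], p["mask"]) != p["broadcast"]:
                findings.append((p["port"], "broadcast mismatch"))
            mask_i = int(ipaddress.IPv4Address(p["mask"]))
            if p["remote"] and (int(ipaddress.IPv4Address(p["remote"])) & mask_i) != (int(ipaddress.IPv4Address(p["ip"])) & mask_i):
                findings.append((p["port"], "remote address outside interface subnet"))
        if "rip:in" in p["flags"]:
            findings.append((p["port"], "accepts RIP updates"))
        if "ospf:active" in p["flags"]:
            findings.append((p["port"], "OSPF active"))
    return findings
```

Running audit(parse_ip_config(SAMPLE)) on the sample reports Ethernet 0 as OSPF active and Ethernet 0, Wan0, Wan2 and Wan3 as accepting RIP updates, with no broadcast or remote-address mismatch.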
show ip filter
The show ip filter command will display the runtime IP protocol filters for all of the interfaces. The following is the output from a show ip filter command.

    Filter Spec: test (1)
    1: permit 0.0.0.0/00000000 -> 0.0.0.0/00000000  Protocol: ==45  Matches: 0:

show ip routing
The show ip routing command will display the IP routing table presently being used by the device. This information is useful for determining if the device is connected to the networks desired and to find out if there are routes to networks directly attached. The output is displayed in four main sections. The first is the Directly Connected Routes. These are the routes installed based upon the configuration information as well as internal routes that the device uses for routing packets sent directly to it. The second section lists runtime Static Routes. These are routes defined by the user. The third section, Dynamic Routes, lists routes picked up from other devices on the network. The last section, Configured IP Routes, shows permanently configured static routes. Output from the show ip routing command follows.
    Directly Connected Routes:
    Destination      Mask       Refs  Uses   Type   Interface
    127.0.0.1        FFFFFFFF   1     0      STIF   Local
    192.168.9.31     FFFFFFFF   1     4812   STIF   Local
    192.168.9.0      FFFFFFFF   1     0      STIF   Local
    192.168.9.8      @FFFFFFFF  1     2820   Local  Local
    192.168.9.18     @FFFFFFFF  1     27     Stat   Wan2
    192.168.9.0      FFFFFFE0   1     45253  STIF   Ethernet0
    163.179.16.255   FFFFFFFF   1     0      STIF   Local
    163.179.16.0     FFFFFFFF   1     0      STIF   Local
    163.179.16.33    @FFFFFFFF  1     0      Local  Local
    163.179.16.0     FFFFFF00   1     2036   STIF   Wan3
    255.255.255.255  @FFFFFFFF  1     1737   Local  Local

    Static Routes:
    Destination      Mask       Gateway        Metric  Refs  Uses   Type  Interface

    Dynamic Routes:
    Destination      Mask       Gateway        Metric  Refs  Uses   Type  TTL  Interface
    DEFAULT                     199.45.130.49  1       1     52724  RIP   176  Wan0
    192.168.8.0      FFFFFF00   192.168.9.1    3       1     2682   RIP   171  Ethernet0
    192.168.9.128    FFFFFFE0   192.168.9.1    1       1     0      RIP   171  Ethernet0
    192.168.9.224    FFFFFFE0   192.168.9.1    5       1     1603   RIP   171  Ethernet0
    192.168.9.64     FFFFFFE0   192.168.9.1    3       1     0      RIP   171  Ethernet0
    192.168.9.32     FFFFFFE0   192.168.9.1    3       1     1502   RIP   171  Ethernet0
    192.168.10.0     FFFFFF00   192.168.9.1    5       1     8756   RIP   171  Ethernet0
    199.45.130.24    FFFFFFE0   199.45.130.49  1       1     0      RIP   175  Wan0
    163.179.0.0      FFFFFF00   192.168.9.6    1       1     0      RIP   154  Ethernet0

    Total Routes in use: 24
    @Mask -> Host route

    Configured IP Routes:
    Destination      Mask       Gateway        Metric  IFnum
    DEFAULT                     192.168.200.1  1       0 Wan0
    Default Router = <not set>
    *Type -> Redistribute

The column headings are described below.

Destination
    This is the network or host which a route has been defined for.
Mask
    This is the subnet mask associated with the destination.
Gateway
    This is the gateway (or router) where packets for the destination are to be sent.
Metric
    This is the number of routers between this device and the destination. Values will be between 1 and 16. If a metric count is 16, the route is timed out and will be purged from the table.
Refs
    This is the internal count of references to the route displayed.
Uses
    This is the number of IP packets routed to the destination by this device.
Type
    This is the method by which the route was "discovered." Possible types include RIP, RIP V2, OSPF and BGP.
Src/TTL
    This is the Time To Live for the route in seconds, or, if the router is a BGP router, this shows the source of the packet. A TTL value of 999 means that the timeout is infinite and will never be timed out. Most BGP routes are IGP, which means they originated in an interior gateway protocol. The other possibilities are EGP (exterior gateway protocol) or Incomplete, which usually indicates a static route.
Interface
    This is the interface that packets for this destination will be forwarded on.

If the optional parameters Direct, Dynamic, Static, Default, or Configured are used, the display will be abbreviated. If the Dynamic option is used, the display may be further restricted by using the protocol modifier. The protocol options are RIP, OSPF, BGP or ICMP. This is of greatest use on routers which are running BGP, since it enables you to display just OSPF, RIP, or ICMP routes without getting a full BGP routing table display. (A router running full BGP can have over 50,000 BGP routes.) An IP address and subnet mask can be used to show a single IP route.

show ip protocol
The show ip protocol command can be used to display a summary of the configuration of each IP routing protocol, as shown in the following example. Note that BGP is enabled globally, not per interface like OSPF and RIP.
    IP PROTOCOL CONFIGURATION
    Wan0  : OSPF:passive   RIP:disabled,V2
    Wan1  : OSPF:passive   RIP:disabled,V2
    Ether0: OSPF:disabled  RIP:in,out,V2
    Ether1: OSPF:active    RIP:disabled,V2
    BGP:    2 configured peers: 1 external, 1 internal

    IP PROTOCOL PRECEDENCE: (1) ospf (2) rip (3) static

    ROUTING PROTOCOL REDISTRIBUTION
    RIP to OSPF:     disabled
    Default to OSPF: disabled
    OSPF to RIP:     disabled
    BGP to OSPF:     disabled
    BGP to RIP:      disabled
    RIP to BGP:      enabled
    OSPF to BGP:     enabled

show ip cache
The show ip cache command displays information about IP addresses presently in the fast-routing cache. An example of the show ip cache command is given below.

    Destination    Ethernet Address   Iface  Use cnt  Last Used
    192.168.11.50  00:00:a5:71:2c:00  Eth3   1381589  361247
    192.168.9.226  00:00:a5:f1:54:00  Eth2   195745   360677
    192.168.11.10  02:60:8c:dd:af:58  Eth1   106912   360909
    192.168.9.30   aa:00:04:00:0a:04  Eth0   18048    360677

Destination
    This is the IP address of the destination.
Ethernet Address
    This is the MAC-level Ethernet address.
Iface
    This is the interface through which the device communicated with this destination.
Use cnt
    This is the number of packets sent to this destination.
Last Used
    This is the time (relative to the start of the device and measured in clock ticks) of the last use of this entry.

show ip statistics
The show ip statistics command displays information about various IP tallies. The display is split up into sections based on whether the statistic is IP, ICMP, or UDP. The values are all defined as MIB variables and can also be obtained by using an SNMP Management station. For more information, see RFC 1213 "Management Information Base for Network Management of TCP/IP-based internets: MIB-II." Unless otherwise indicated, these tallies are only for packets directed to the device.
    Received                    Transmitted                 Other
    --------------------------  --------------------------  --------------------------
    IP:
    Packets           111638    Packets             2218    Fragmentation
    Delivered           5999    Forwarded              1      Success             0
                                (datagrams)       102700      Creates             0
    Errors                      Errors                        Failures            0
      Bad Header          30      No route             0    Reassembly
      Proto Unkn         721      Discards             0      Success             0
      Bad Address          0                                  Requests            0
      Discards             0                                  Timeouts           30
                                                              Failures            0
    ICMP:
    Packets                0    Packets             5856
    Errors                 0    Errors                 0
    Dest Unreach           0    Dest Unreach        1769
    Time Exceeded          0    Time Exceeded          0
    Parameter Err          0    Parameter Err       1738
    Source Quench          0    Source Quench         30
    Redirect               0    Redirect               0
    Echo                   0    Echo                   0
    Echo Reply             0    Echo Reply             1
    Timestamp              0    Timestamp              0
    Tstamp Reply           0    Tstamp Reply           0
    Addr Mask              0    Addr Mask              0
    Amask Reply            0    Amask Reply            0
    UDP:
    Packets                0    Packets             4088
    Errors                 0    No Ports               1

IP:
Packets
    The total number of datagrams received, including errors, or number of datagrams received from the IP stack to be transmitted. The Received packets tally is for all packets which have passed through the device.
Delivered
    The number of datagrams delivered to the IP stack.
Forwarded (datagrams)
    This is the number of packets forwarded by this device. The datagrams tally is for all packets which have passed through the device.
Errors
    These tallies are for all packets passing through the device.
Bad Header
    The number of datagrams discarded due to errors in the header.
Proto Unkn
    The number of datagrams discarded because they contained an unknown protocol.
Bad Address
    The number of datagrams discarded due to an invalid IP address.
Discards
    The number of datagrams discarded for other reasons.
Fragmentation
    The number of datagrams sent that had to be fragmented.
Success
    The number of datagrams fragmented successfully.
Creates
    The number of fragmented datagrams created.
Failures
    The number of datagrams that could not be fragmented and were discarded.
Reassembly
    The number of IP fragments received that needed to be reassembled.
Success
    The number of IP fragments successfully reassembled.
Requests
    The number of reassembly requests.
Timeouts
    The maximum number of seconds which received fragments are held while they are awaiting reassembly by the device.
Failures
    The number of IP fragments not successfully reassembled.

ICMP:
Packets
    The number of ICMP packets sent or received.
Errors
    The number of ICMP packets not sent because of errors or received with errors.
Dest Unreach
    The number of ICMP destination unreachable messages sent or received.
Time Exceeded
    The number of ICMP packets sent or received that timed out.
Parameter Err
    The number of ICMP parameter problem packets sent or received.
Source Quench
    The number of ICMP source quench packets sent or received.
Redirect
    The number of ICMP redirects sent or received.
Echo
    The number of echo requests sent or received.
Echo Reply
    The number of echo replies sent or received.
Timestamp
    The number of ICMP timestamp request packets sent or received.
Tstamp Reply
    The number of ICMP timestamp replies sent or received.
Addr Mask
    The number of ICMP address mask requests received.
Amask Reply
    The number of ICMP address mask replies sent.

UDP:
Packets
    Total number of datagrams delivered to UDP users.
Errors
    Number of UDP datagrams not delivered because of an error.
No Ports
    The number of UDP datagrams received for which there was no application at the destination port.

show ip rtcount
The show ip rtcount command will display the total number of routes currently in the IP routing table, including both BGP and non-BGP routes. This command is particularly useful if there are a very large number of routes. An example of the show ip rtcount command is given below.

    Number of routes in IP Routing Table: 1008
    Number of routes in BGP Routing Database: 980

OPTIONS
port
    The port option restricts the command to only display information about the interface specified.
    The port can be specified either as the letter or number of the interface.

SEE ALSO
[ IP <Section ID> ], [ IP Filter <Name> ], [ IP Route Filter <Name> ], [ IP Static ], ip route(add), ip arp(add)

Management Section 341 ipx(show)

COMMAND NAME
show ipx - Show IPX configuration parameters.

SYNOPSIS
show ipx config [ Ethernet | Wan ] [ <port> ] [ Status ]
show ipx runtime [ Ethernet | Wan ] [ <port> ]
show ipx routing [ Verbose ]
show ipx servers [ Verbose ]
show ipx tunnels [ IP | Filters ]
show ipx cache
show ipx filter

DESCRIPTION
The show ipx commands display configured and runtime IPX parameters.

show ipx config
This command shows the IPX parameters that are configured into the Flash ROM of a device. The output from the command looks like:

                Timers
    Port        RIP  SAP  Frame           Seed  Net   Flags
    Ethernet 0  60   60   Ether TypeII    Seed  2001  <>
                          802.3 (RAW)     Auto  2002
                          802.2 (LLC)     Non
                          SNAP            Off
    Wan 0       60   60   Unnumbered net              <>
                          Remote Net: 0               <RTR>
    Wan 1       60   60   Unnumbered net              <>
                          Remote Net: 0               <RTR,Trigger>
    Wan 2       60   60   Unnumbered net              <>
                          Remote Net: 0               <RTR,Trigger>
    Wan 3       60   60   Unnumbered net              <>
                          Remote Net: 0               <RTR,Trigger>

The information shown is:

Port
    This identifies the physical IPX interface.
Timers (RIP and SAP)
    These values show how often the router sends out IPX RIP (Routing Information Protocol) and IPX SAP (Service Advertising Protocol) packets on the network segment attached to this interface. The RIP packets sent out on this interface contain routing information about networks for which this device is responsible. The SAP packets sent out on this interface contain information about services (such as servers, printers, etc.) for which this device is responsible. The default timer is 60 seconds for both.
Frame
    For Ethernet interfaces, this shows the IPX frame type. On WAN interfaces, this shows whether the interface is numbered or unnumbered. A numbered interface means that there is a nonzero network number configured on the interface.
    An unnumbered interface means that the network doesn't have a number associated with it and is considered half-routed.
Seed
    This displays the seed status of the IPX interface and frame type. Possible seed identifiers are Seed, Auto or Non [seed]. If the interface is off, Off is displayed. On a WAN interface the possible seed identifier can be Unnumbered.
Net
    This is the network number configured when the interface is a seed port. It is shown as a hexadecimal value.
Flags
    On WAN interfaces, the RIP update method is shown as either Triggered or Periodic. RTR indicates that PPP should negotiate the router name option.
Remote Net
    On WAN interfaces, additional information is shown about the remote net address.

show ipx runtime
This command shows the IPX parameters that are currently running in the device. The format of this information is the same as that shown above for the show ipx config command. The information reflects the runtime status of the IPX networks that are connected to the device and may differ from the configured information.

show ipx routing
This command shows the current IPX routing table.
An IPX routing table is shown below:

    Directly Connected Routes:
    Net Nmbr  Refs  Uses  Flags  Iface
    1         1     2147  0      Eth 1
    2         1     3423  0      Eth 1
    3         1     1884  0      Eth 1
    dade0     1     2397  0      Eth 1
    deaf      1     4705  0      Eth 0

    Dynamic Routes:
    Net Nmbr  Gateway                   Ref  Uses  Metric  TTL  Flgs  Iface
    10001     deaf - aa:00:04:00:32:04  1    1431  1       158  0     Eth 0
    2001      deaf - aa:00:04:00:32:04  1    511   1       158  0     Eth 0
    6000      deaf - aa:00:04:00:32:04  1    0     2       158  0     Eth 0
    6001      deaf - aa:00:04:00:32:04  1    1533  2       158  0     Eth 0
    500       deaf - aa:00:04:00:32:04  1    511   3       158  0     Eth 0
    d00d1e    deaf - 00:00:a5:cc:5e:00  1    0     1       144  0     Eth 0
    33210     deaf - aa:00:04:00:32:04  1    0     2       158  0     Eth 0
    deadf00d  deaf - 00:00:a5:71:2c:00  1    2052  1       162  0     Eth 0
    cafe6000  deaf - aa:00:04:00:32:04  1    0     2       158  0     Eth 0
    cafe      deaf - aa:00:04:00:32:04  1    1533  3       158  0     Eth 0
    face0ff   deaf - aa:00:04:00:32:04  1    917   2       158  0     Eth 0

The routing table is shown in two sections. The first is the network information for the Directly Connected Routes. The second section shows the Dynamic Routes obtained through IPX RIP packets on the directly connected networks. The information shown in the routing table is explained below.

Net Nmbr
    This is the network number of the IPX route shown as a hexadecimal value.
Gateway
    This is the IPX address (net - node) of the device responsible for the network. Packets bound for the network are sent to the device at that address to be forwarded.
Refs
    This is the internal count of references to the route displayed.
Uses
    This is the number of IPX packets routed to the destination by this device.
Metric
    The metric is the number of routers between this device and the destination. Values will be between 1 and 16. If a metric count is 16, the route is timed out and will be purged from the table.
TTL
    This is the Time To Live for the route in seconds.
Flags
    These are internal flags used by the router to maintain the routing table.
Iface
    This is the interface through which the route was received and also identifies the interface where the gateway is located.

show ipx servers
This command shows the current IPX SAP (Service Advertising Protocol) table. An IPX SAP table is shown below:

    Type  Name                     Net Address                          Port  Hops  TTL  Iface
    1466  RR3400R_A5BAAB95(EN...   face0ff-00:00:a5:ba:ab:95::33017           2     35   Eth 0
    1466  Crossroads               10001-aa:00:04:00:32:04::33016             2     135  Eth 0
    1466  goldy's Local Micro...   2-00:00:a5:63:54:00::33019                 3     135  Eth 0
    1466  goldy's nugget           2-00:00:a5:52:98:01::33020                 3     135  Eth 0
    1466  Red Bridge               10001-00:00:a5:c7:3b:00::33020             3     135  Eth 0
    1466  Jericho                  cafe-00:00:a5:52:35:00::33020              4     135  Eth 0
    1466  frame relay guy          1-00:00:a5:a7:3c:00::33019                 2     170  Eth 1
    1466  Span Bridge              deadf00d-00:00:a5:f8:3b:00::33020          3     166  Eth 0
    1466  Dieter's bridge          deadf00d-00:00:a5:51:b6:00::33020          3     166  Eth 0
    1466  Bob's Router             1-00:00:a5:1c:5c:00::33019                 5     135  Eth 0
    1466  Grunion                  6001-00:00:a5:56:5b:00::33019              4     135  Eth 0
    1466  Bagwanh                  6001-00:00:a5:95:5f:00::33018              2     135  Eth 0
    1466  Lanfear                  6001-00:00:a5:be:ef:a0::33017              4     135  Eth 0
    1466  TGINAMR                  deaf-00:00:a5:be:ef:22::33017              2     165  Eth 0
    1466  Yet Another RISC Ro...   deaf-aa:00:04:00:b7:07::33020              1     999  Eth 0
    4     COMPATISAURUS            500-00:00:00:00:00:01::1105                3     135  Eth 0

The information shown in the SAP table is explained below.

Type
    This is the server type.
Name
    This is the server name.
Net Address
    This is the IPX address (net - node) of the server.
Port
    This is the port or socket number where the server is listening.
Hops
    This is the number of hops away that the server is from this device. Values will be between 1 and 16. If a hop count is 16, the server is timed out and will be purged from the table.
TTL
    This is the Time To Live for the service in seconds. A value of 999 means that the timeout is infinite and will never be timed out.
Iface
    This is the interface through which information about the service was received and also identifies the interface where the service is located.

show ipx tunnels
This command shows the IPX-in-IP tunneling parameters.

show ipx cache
This command shows the IPX fast-routing cache available in Compatible's Ethernet-to-Ethernet routers. This fast-routing cache enables this class of router to route at full Ethernet wire speed.

show ipx filter
This command shows the runtime IPX protocol filters for all of the interfaces.

OPTIONS
Ethernet | Wan
    This option allows selective display of information about a specific type of interface. When a type is specified, all the interfaces of that type are shown in the command's output.
port
    This option allows selective display of information about a specific interface.
Status
    This option specifies that the IPX runtime information be shown. It is the same output as that shown for the show ipx runtime command.
Verbose
    This shows additional detailed information about the IPX routing and SAP tables.
IP | Filters
    These options allow selective display of IPX-in-IP tunneling parameters. IP specifies that the IP numbers of the tunneling partners be shown. Filters specifies that the filtered IPX network numbers be shown.

SEE ALSO
[ IPX <Section ID> ], [ IP Filter <Name> ], [ IPX Route Filter <Name> ], [ IPX SAP Filter <Name> ], [ IPX Tunnels ]

346 Management Section l2tp(show)

COMMAND NAME
show l2tp - Show L2TP configuration and users.

SYNOPSIS
show l2tp config
show l2tp users

DESCRIPTION
The show l2tp commands display information about the L2TP configuration and users.

show l2tp config
The show l2tp config command will display the configured L2TP parameters and the L2TP system parameters, and provides a list of LAC peers. Following is sample output from a show l2tp config command.
L2TP Configured Parameters:
    Authenticate Tunnels:            TRUE
    Do Hidden AVP's:                 FALSE
    Receive Window Size:             0

L2TP System Parameters:
    Hello Interval:                  60 seconds
    Retransmission Interval:         10 seconds
    Maximum Retransmission Count:    5
    System Acknowledgement Timeout:  10 seconds

Configured L2TP LAC Peers
    bungie:   jump
    l2tpmax:  letmein

L2TP Configured Parameters
    This displays current L2TP configuration parameters.

Authenticate Tunnels
    This indicates whether the IntraPort server has been configured to authenticate tunnels. If this is True, then the L2TP negotiation between the LAC peer and the IntraPort will use a CHAP-like tunnel authentication mechanism. If this is False, then no authentication of remote peers will be done.

Do Hidden AVP's
    This indicates whether the IntraPort server has been configured to hide certain types of L2TP control message data, known as AVPs. If this is True, then the LAC peer secret will be used to encrypt the data.

Receive Window Size
    This indicates the number of control messages the peer can send before waiting for an acknowledgment. This number will only be sent to the remote peer (i.e., the LAC) if it has been set to something other than the default of 0. Otherwise, the remote peer will assume a window size of 4 messages.

L2TP System Parameters
    This displays L2TP fixed system parameters. These settings are not configurable. They help control how L2TP tunnels will be set up.

Configured L2TP LAC Peers
    This displays a list of the configured LAC peers. The peer name is listed first, followed by the secret.

show l2tp users

The show l2tp users command displays active L2TP client sessions. Following is sample output from a show l2tp users command.
===============================================
           ACTIVE L2TP CALL SESSIONS
===============================================
LAC peer name skytrail, LAC IP address 198.41.11.199
Local tunnel id 1, Remote tunnel id 17
Call sessions in this tunnel:
    Username l2tpuser: port VPN1, assigned IP address 192.168.190.1
    local call id 32, remote call id 1

SEE ALSO
[ L2TP General ]

mppp(show)

COMMAND NAME
show mppp statistics - Show Multilink PPP (MPPP) configuration parameters and statistics.

SYNOPSIS
show mppp statistics

DESCRIPTION
The show mppp statistics command displays MPPP-specific information about the state of your multilink ports. Parameters are set in the [ Multilink PPP <Name> ] section of the router configuration file. show mppp statistics produces the following output:

Mlink Section      Home-Office
Primary WAN        0
Ports Configured   2
Ports Up           2
Packets In         361
Packets In - FS    355
Packets Out        3225
Fragments In       0
Fragments Drop     0
Dup Fragments      0
Lost Fragments     2
Sequence Reset     0
Min Sequence       440
Next Rx Seq        442
Next Tx Seq        3225

Each of the statistics is described below.

Mlink Section
    This is the name used to describe the multilink section of the configuration.

Primary WAN
    This is the WAN port number that the router uses to get higher-level configuration parameters. In the above example, the primary WAN is WAN 0. All higher-level protocol information will be taken from WAN 0 in this router's configuration. Therefore, section [ IP WAN 0 ] defines IP parameters for the entire bundle.

Ports Configured
    This is the total number of ports configured in this multilink bundle.

Ports Up
    This is the total number of ports that have successfully negotiated Multilink PPP.

Packets In
    This is the number of packets received on this multilink bundle.

Packets In - FS
    This is the number of packets received whole and in order. No resequencing was necessary.

Packets Out
    This is the number of packets sent onto the multilink bundle.
Fragments In
    This is the number of partial packets received on the multilink bundle.

Fragments Drop
    This is the number of fragments dropped due to corruption of some kind.

Dup Fragments
    This is the number of duplicate sequence numbers on the multilink bundle.

Lost Fragments
    This is the number of fragments assumed lost because of improper sequence order.

Sequence Reset
    This is the number of times the router needed to reset its sequence number space.

Min Sequence
    This is the smallest last sequence number seen over all ports in the multilink bundle.

Next Rx Seq
    This is the next sequence number expected on the multilink.

Next Tx Seq
    This is the next sequence number to be used on the multilink.

Note: If show mppp statistics produces no output, then Multilink PPP is probably misconfigured. Check to see that the name given for the [ Multilink PPP <Name> ] section is less than 16 characters. Also check that MPEnabled is set to TRUE and that the Bundle parameter is set. Finally, make sure that the Mode parameter in the [ Link Config <Section ID> ] section is set to PPP for each of the WAN ports included in the multilink bundle.

SEE ALSO
[ Multilink PPP <Name> ], [ Link Config <Section ID> ], wan(show)

nat(show)

COMMAND NAME
show nat - Show NAT configuration parameters and related data.

SYNOPSIS
show nat config
show nat map
show nat sessions
show nat statistics
show nat address_db

DESCRIPTION
The show nat commands provide information on the configured and operating state of a router's NAT (Network Address Translation) variables.

show nat config

This command shows the current configuration of the NAT variables, including the NAT mapping translation pairs and the NAT map database, which are explained in more detail below.
The following is the output from the show nat config command:

NAT functionality enabled (On/Off):                On
NAT Response to external ICMPs (On/Off):           On
Communicate w/ Router through IP Ports (On/Off):   On
Configured Ports:                                  Ether0
UDP timeout period (sec.):                         300
TCP timeout period (sec.):                         86400
TCP SYN timeout period (sec.):                     180
TCP FIN timeout period (sec.):                     180
Entered Internal range(s):                         10.5.3.0/27
Entered External range(s):                         198.41.9.219 198.41.9.195 198.41.9.194
Entered Pass Thru range(s):                        198.41.9.{205-210}

[ NAT Map Database ]
Total Number of Entries in NAT Map Database: 2
-------------------------------------------------
LineNo.  Internal <IPaddress[/Mask or :Port]>  ->  External <IPaddress[/Mask or :Port]>
1        <10.5.3.11:80>                        ->  <198.41.9.195:80>
2        <10.5.3.20/32>                        ->  <198.41.9.194/32>

show nat map

This command shows the one-to-one address translation pairs currently entered in the router, or displays a message that no one-to-one address pairs are presently entered in the NAT map database.

The following is the output from the show nat map command:

Nat_2220> show nat map
[ NAT Map Database ]
Total Number of Entries in NAT Map Database: 1
-------------------------------------------------
LineNo.  Internal <IPaddress[/Mask or:Port]>  ->  External <IPaddress[/Mask or:Port]>
1        <10.5.3.20/32>                       ->  <198.41.9.194/32>

This display is read as the internal address (10.5.3.20) which is translated to/from the external address (198.41.9.194). Packets addressed to 198.41.9.194 from the Internet will be accepted by the router, translated to the destination address 10.5.3.20 and sent to the internal NAT network by the router.

show nat sessions

This command displays the translation sessions currently active in the router's NAT software.
The following is the output from the show nat sessions command:

Active Map                            Remote          Proto  Hashes   Time Since:
                                                                      Created  Last Activity
------------------------------------  --------------  -----  -------  -------  -------------
10.5.3.20:0 ->198.41.9.194:0          198.41.9.200:0  ICMP   221/907   124.33  114.33
10.5.3.20:0 ->198.41.9.194:0          198.41.9.215:0  ICMP   236/922   105.00  104.00
10.5.3.10:29841 ->198.41.9.219:29841  198.41.9.30:53  UDP    255/976    33.93   33.50
10.5.3.10:1899 ->198.41.9.219:1899    198.41.9.12:80  TCP    983/680    25.67    0.16
10.5.3.10:1900 ->198.41.9.219:1900    198.41.9.12:80  TCP    984/681    30.24   15.83

Active Map
    This is the IP address:port internal-to-external address translation. If the translation is not to or from a specific port, then the port value will be 0.

Remote
    This is the location on the external Internet communicating with the workstation or router in the internal NAT network.

Proto
    This is the protocol the session is translating. Current values for this column are ICMP, UDP, and TCP, or the actual number of the other IP protocols.

Hashes
    This is the information used by the software to store and locate the translation sessions in the NAT internal database.

Time Since: Created
    This is the time, in seconds, since the session was created.

Time Since: Last Activity
    This is the time, in seconds, since the session was last used to translate an IP packet.

show nat statistics

This command displays the total number of sessions the router has created since it was last booted, how many are currently active and the status of those sessions which are no longer active.
The following is the output from the show nat statistics command:

Total Sessions:        38
Filtered:               0
Currently Active:       0
Properly Removed:      33
Sessions Timed Out:     5
  SYN Timeouts:         0
  FIN Timeouts:         0
  Inactivity:           5
Sessions Reset:         2
  Invalid Cache:        0
  No Resources:         0
  Stale ACK:            0

Total Sessions
    This is the total number of NAT sessions created to translate IP packets since the router was last booted.

Filtered
    Filtered currently has no values defined.

Currently Active
    This is the number of sessions presently being used by the router to translate packets.

Properly Removed
    This is the number of sessions removed from the NAT session database as a result of FIN and ACK packets being exchanged between the workstation/router on the NAT network and the workstation/router on the Internet. The IP session is terminated and the NAT session doing the address translation is likewise removed from the NAT hash database.

Note: The sum of the values for Currently Active, Properly Removed, and Sessions Timed Out should be equal to the value for Total Sessions.

Sessions Timed Out
    This is the number of NAT sessions removed from the NAT hash database as a result of a time limit being exceeded. There are three types of timeouts:

    SYN Timeouts
        This occurs when a SYN packet in a session does not receive a response within the time limit defined by the TCP SYN timeout period.

    FIN Timeouts
        This occurs when a FIN packet in a session does not receive a response within the time limit defined by the TCP FIN timeout period.

    Inactivity
        This occurs when a session has not been used for any IP address translations in the time limit defined by either the UDP timeout period or the TCP timeout period.

    Note: Currently, all non-TCP NAT sessions use the UDP timeout period for their inactivity timeout limits.

Sessions Reset
    This is the tally of the NAT sessions for which an RST packet was sent.

Invalid Cache, No Resources, and Stale ACK currently have no values defined.
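As an added example (not part of this manual), the Python checker below parses the show nat sessions and show nat statistics displays documented above: it flags sessions whose Last Activity is older than the inactivity timeout for their protocol (TCP period for TCP, UDP period for everything else, as the note states) and verifies the session-accounting note. The timeout values are taken from the show nat config sample; the session rows and the statistics text are constructed in those displays' layout, with one extra idle UDP session added.

```python
"""Checks over `show nat sessions` and `show nat statistics` output.

Added example, not part of the Compatible Systems manual. It parses the two
displays documented in this section and reports (a) sessions whose last
activity is older than the inactivity timeout that applies to their protocol
and (b) a session tally that breaks the accounting note in the manual.
"""
import re

# Timeout periods as printed by the `show nat config` sample (seconds).
NAT_CONFIG = {
    "udp_timeout": 300,
    "tcp_timeout": 86400,
    "tcp_syn_timeout": 180,
    "tcp_fin_timeout": 180,
}

# Constructed sample in the layout of `show nat sessions`.  The first three
# rows copy the manual's sample; the last row is a UDP session that has been
# idle for 650 s, past the 300 s UDP timeout period.
SESSIONS_TEXT = """\
Active Map                            Remote          Proto  Hashes   Created  Last Activity
10.5.3.20:0 ->198.41.9.194:0          198.41.9.200:0  ICMP   221/907   124.33  114.33
10.5.3.10:29841 ->198.41.9.219:29841  198.41.9.30:53  UDP    255/976    33.93   33.50
10.5.3.10:1899 ->198.41.9.219:1899    198.41.9.12:80  TCP    983/680    25.67    0.16
10.5.3.10:2001 ->198.41.9.219:2001    198.41.9.30:53  UDP    260/981   900.00  650.00
"""

# Constructed sample in the layout of `show nat statistics`, using the
# values from the manual's sample.
STATS_TEXT = """\
Total Sessions:        38
Filtered:               0
Currently Active:       0
Properly Removed:      33
Sessions Timed Out:     5
  SYN Timeouts:         0
  FIN Timeouts:         0
  Inactivity:           5
Sessions Reset:         2
  Invalid Cache:        0
  No Resources:         0
  Stale ACK:            0
"""

SESSION_RE = re.compile(
    r"^(?P<internal>\S+)\s+->(?P<external>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<hashes>\d+/\d+)\s+(?P<created>[\d.]+)\s+"
    r"(?P<last>[\d.]+)\s*$"
)
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\d+)\s*$")


def parse_sessions(text):
    """Return one dict per session row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            row = m.groupdict()
            row["created"] = float(row["created"])
            row["last"] = float(row["last"])
            rows.append(row)
    return rows


def inactivity_limit(proto, cfg=NAT_CONFIG):
    """Inactivity timeout for a session: TCP uses the TCP period; every other
    protocol (ICMP, UDP, raw IP protocol numbers) uses the UDP period, as the
    manual's note on the Inactivity counter states."""
    return cfg["tcp_timeout"] if proto == "TCP" else cfg["udp_timeout"]


def stale_sessions(rows, cfg=NAT_CONFIG):
    """Sessions still listed although their last activity is older than the
    timeout; the router should have counted them under Inactivity by now."""
    return [r for r in rows if r["last"] > inactivity_limit(r["proto"], cfg)]


def parse_statistics(text):
    """Map each counter label in the statistics display to its integer value."""
    return {m.group(1).strip(): int(m.group(2))
            for m in map(COUNTER_RE.match, text.splitlines()) if m}


def check_accounting(stats):
    """Manual's note: Currently Active + Properly Removed + Sessions Timed Out
    equals Total Sessions; the three timeout kinds must also sum to
    Sessions Timed Out."""
    timed_out = stats["Sessions Timed Out"]
    by_kind = stats["SYN Timeouts"] + stats["FIN Timeouts"] + stats["Inactivity"]
    total = stats["Currently Active"] + stats["Properly Removed"] + timed_out
    return timed_out == by_kind and total == stats["Total Sessions"]


if __name__ == "__main__":
    for s in stale_sessions(parse_sessions(SESSIONS_TEXT)):
        print(f"stale {s['proto']} session {s['internal']} -> {s['remote']}: "
              f"idle {s['last']:.0f} s")
    print("accounting consistent:", check_accounting(parse_statistics(STATS_TEXT)))
```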
show nat address_db

This command displays all of the IP addresses being used by the router for Network Address Translation. The following is the output from the show nat address_db command:

Network Address Translation Address Database

Address Tree Level  IP Address    IP Mask     Flags
------------------  ------------  ----------  ----------
+                   10.5.3.0      0xffffffe0  0x00000001
++                  10.5.3.11     0xffffffff  0x00000019
++                  10.5.3.20     0xffffffff  0x00000009
+                   198.41.9.192  0xffffffe0  0x00001000
++                  198.41.9.194  0xffffffff  0x0000000a
++                  198.41.9.195  0xffffffff  0x0000001a
++                  198.41.9.205  0xffffffff  0x00000004
++                  198.41.9.206  0xffffffff  0x00000004
++                  198.41.9.207  0xffffffff  0x00000004
++                  198.41.9.208  0xffffffff  0x00000004
++                  198.41.9.209  0xffffffff  0x00000004
++                  198.41.9.210  0xffffffff  0x00000004
++                  198.41.9.219  0xffffffff  0x00000002

Flag Legend: INTERNAL: 0x0001, MAPPED: 0x0002, PassThru: 0x0004
             1 to 1: 0x0008, PORT in MAP_DB: 0x0010, PLACEHOLDER: 0x1000

Address Tree Level
    This is the search depth of the IP addresses in the database. Each plus sign (+) indicates a deeper level within the address tree.

IP Address
    This is either an internal or external IP address which is being used by the router for NAT. The Flags indicate which type of address it is.

IP Mask
    This is the hexadecimal representation of the mask associated with each address.

Flags
    This shows all flags which apply to each IP address in the NAT Address Database. The flags are defined briefly in the "Flag Legend" at the end of the display.

SEE ALSO
[ NAT Global ], [ NAT Mapping ]

os(show)

COMMAND NAME
show os - Show the device's Operating System parameters.

SYNOPSIS
show os processes
show os memory [Verbose]
show os dump <address> [ <nbytes> ]
show os netif [ <if number> ] [Verbose]
show os resevent
show os timeq
show os tcp

DESCRIPTION
These commands show the device's Operating System parameters.

show os processes

This command shows the process table for the device.
show os memory

This command shows the current status of the memory allocation in the device. Free memory as well as the allocation of packet buffers is shown.

show os dump

This command allows arbitrary memory of the device to be dumped in hexadecimal format to the terminal.

show os netif

This command shows the current status of the internal network interface structures. There is one network interface structure for every type of network encapsulation done by the device (i.e., Ethernet SNAP, Ethernet Type II, PPP, Frame Relay, etc.).

show os resevent

This command shows detailed information about the status of the device when the last restart event occurred. A "restart event" will occur when the device reaches a condition where it can't proceed. The restart event information can be cleared using the reset resevent command.

show os timeq

This command shows the time queue required to implement IEEE Spanning Tree bridging. See the bridge(show) section and the [ Bridging Global ] section.

show os tcp

This command shows TCP connection state information.

OPTIONS

address
    This is the memory location to be dumped, specified as a hexadecimal address. Addresses of invalid memory locations may cause a bus error which will cause a restart event and restart the device.

nbytes
    This is the number of bytes of memory to dump. The default is 320 bytes.

if number
    This is the internal network interface number.

Verbose
    This keyword shows more detail about the memory allocation or the internal network interface structures.

SEE ALSO
resevent(reset), bridge(show), [ Bridging Global ]

ospf(show)

COMMAND NAME
show ospf - Show OSPF configuration, statistics and databases.
SYNOPSIS
show ospf rtrid
show ospf config
show ospf stats
show ospf mem
show ospf if [ verbose ]
show ospf nbr
show ospf rt
show ospf all
show ospf db [ all | rtr | net | sum | ext ]

DESCRIPTION
The show ospf commands display extensive information about the OSPF database, configuration, and dynamic memory usage.

show ospf rtrid

The show ospf rtrid command displays the router ID, which is the largest IP interface address associated with the router. The router ID is calculated only at boot time, or when OSPF has been re-enabled using the ospfenable command (see ospfenable(mgmt)). Following is sample output from a show ospf rtrid command.

OSPF Router ID for this router is 198.41.11.202

show ospf config

The show ospf config command displays user-configured values that are currently being used by the protocol. Following is sample output from a show ospf config command.

OSPF PER-INTERFACE CONFIGURATION
IP Ethernet Intface 198.41.11.201 assign to area 0.0.0.0
    Interface is Active
    Interface Cost = 10, Router Priority = 1
    Hello Interval = 10, Router Dead Interval = 40
    Transit Delay = 1, Retransmit Interval = 5
IP Ethernet Interface 74.0.0.1 assigned to area 0.0.0.0
    Interface is Active
    Interface Cost = 10, Router Priority = 1
    Hello Interval = 10, Router Dead Interval = 40
    Transit Delay = 1, Retransmit Interval = 5
IP Ethernet Interface 73.0.0.1 assigned to area 0.0.0.0
    Interface is Active
    Interface Cost = 10, Router Priority = 1
    Hello Interval = 10, Router Dead Interval = 40
    Transit Delay = 1, Retransmit Interval = 5
IP Ethernet Interface 77.0.0.1 assigned to area 0.0.0.0
    Interface is Active
    Interface Cost = 10, Router Priority = 1
    Hello Interval = 10, Router Dead Interval = 40
    Transit Delay = 1, Retransmit Interval = 5

OSPF VIRTUAL LINK CONFIGURATION
None

OSPF AREA CONFIGURATION
Area ID: 0.0.0.0
Net Ranges defined for this area: None

ROUTING PROTOCOL REDISTRIBUTION
Redistribute RIP routes into OSPF is disabled
Redistribute BGP routes into OSPF is disabled
Redistribute OSPF routes into RIP is disabled

This displays configured settings for each interface, including the IP address of the interface, the area the interface is assigned to, and whether the interface is an active or passive OSPF interface.

Interface Cost
    This is the configured cost assigned to this interface.

Router Priority
    This is the configured priority assigned to this interface.

Hello Interval
    This is the interval, in seconds, at which the interface sends out "keepalive" packets to let other routers know this interface is up.

Router Dead Interval
    This is the interval, in seconds, the router's neighbors will wait without receiving a "keepalive" packet from this router before they assume this router is down.

Transit Delay
    This is the amount of time added to the age of Link State Update packets before transmission.

Retransmit Interval
    This is the interval, in seconds, the interface will delay before retransmitting Link State Update packets.

The display also includes any configured settings for OSPF virtual links, the Area ID and any net ranges set for the area, and the routing protocol redistribution settings.

show ospf mem

The show ospf mem command displays OSPF dynamic memory usage. Following is sample output from a show ospf mem command.
------------------------------------------------------------
OSPF DATABASE STATIC MEMORY USAGE: 36882 bytes

OSPF DATABASE DYNAMIC MEMORY USAGE
Memory Block     Allocs  Deallocs  In Use  Size  Total
------------------------------------------------------------
ospf_intf             2         0       2   874   1748
ospf_nbr              4         0       4   118    472
ospf_nbr_node         4         0       4    20     80
ospf_nh_block         4         0       4    20     80
ospf_lsdb           419       323      96    74   7104
ospf_rtr_lsa        178       173       5   var    216
ospf_stub_lsa         2         0       2    24     48
ospf_net_lsa         36        35       1   var     44
ospf_sum_lsa        350       340      10    28    280
ospf_ase_lsa       3027      2949      78    36   2808
ospf_route            6         4       2    46     92
ospf_netrange         0         0       0    28      0
ospf_rtinfo          82         2      30    80   2400
ospf_dbsum            6         6       0    12      0
ospf_hdr              6         6       0  1422      0
ospf_ack_hdrq       156       156       0    28      0
ospf_ack_intf      3503      3503       0    28      0
ospf_nbrlist         70        70       0    12      0
ospf_lsreq           94        94       0    24      0
ospf_lsdblist      3660      3660       0    16      0
------------------------------------------------------------
Total In Use                                       15130
------------------------------------------------------------

show ospf stats

The show ospf stats command shows OSPF packet statistics. This shows how many of each of the five types of OSPF packets have been received and sent: Hello, Database Description, Link State Request, Link State Update, and Link State Acknowledgment. Discarded packets are not errors; an example of a discarded packet would be a multicast for Designated Routers when this router is not the Designated Router or Backup Designated Router. Following is sample output from a show ospf stats command.

OSPF Packet Statistics
                                Received    Sent
Hello Packets:                     29371    5880
Database Description Packets:         13      16
Link State Request Packets:            0       9
Link State Update Packets:           327      34
LS Acknowledgment Packets:           275     279
Total Packets:                     30811    6218
Packets discarded:                   825
Packet errors:                         0

If "Packet errors" is nonzero, a detailed breakdown of each type of packet error will be displayed.
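As an added example (not part of this manual), the Python checker below parses the show ospf stats display in the layout shown above, including the per-error breakdown printed when "Packet errors" is nonzero, together with the show ospf nbr listing documented later in this section. It reports the two conditions the text calls out: a Hello timer mismatch, which prevents an adjacency, and neighbors sitting in a transient state rather than 2WAY or FULL. Both sample texts are constructed; the EXSTART neighbor is invented for the demonstration.

```python
"""Checks over `show ospf stats` and `show ospf nbr` output.

Added example, not part of the Compatible Systems manual. It parses the two
displays documented in this section and reports the conditions the text
singles out: a nonzero "Packet errors" count with its breakdown (a Hello
timer mismatch prevents an adjacency from forming) and neighbors sitting in
a transient state instead of 2WAY or FULL.
"""
import re

# Constructed sample in the layout of `show ospf stats`, using the manual's
# Hello timer mismatch figures, so "Packet errors" is nonzero and the
# per-error breakdown is present.
STATS_TEXT = """\
OSPF Packet Statistics
                                Received    Sent
Hello Packets:                        26      19
Database Description Packets:         11      11
Link State Request Packets:            1       4
Link State Update Packets:            17       4
LS Acknowledgment Packets:             6      10
Total Packets:                        63      48
Packets discarded:                     0
Packet errors:                         2
  Hello timer mismatch:                2
"""

# Constructed sample in the layout of `show ospf nbr`; the EXSTART entry is
# invented to show a neighbor stuck in a transient state.
NBR_TEXT = """\
-----------------------------------------------------------------
OSPF Neighbors
=================================================================
Ether0  RtrID: 198.41.11.200  Addr: 198.41.11.200  State: 2WAY
Ether0  RtrID: 198.41.11.203  Addr: 198.41.11.203  State: EXSTART
Ether0  RtrID: 198.41.11.204  Addr: 198.41.11.204  State: FULL
Ether1  RtrID: 198.41.11.17   Addr: 198.41.11.17   State: FULL
-----------------------------------------------------------------
"""

PACKET_TYPES = ("Hello Packets", "Database Description Packets",
                "Link State Request Packets", "Link State Update Packets",
                "LS Acknowledgment Packets")
STABLE_STATES = {"2WAY", "FULL"}
COUNTER_RE = re.compile(r"^(\s*)([A-Za-z][A-Za-z ]*?):\s+(\d+)(?:\s+(\d+))?\s*$")
NBR_RE = re.compile(r"^(\S+)\s+RtrID:\s+(\S+)\s+Addr:\s+(\S+)\s+State:\s+(\S+)")


def parse_stats(text):
    """Split the display into received/sent per-type counters, the single
    counters (discarded, errors) and the indented per-error breakdown."""
    out = {"received": {}, "sent": {}, "single": {}, "errors": {}}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if not m:
            continue
        indent, label, first, second = m.groups()
        if second is not None:
            out["received"][label] = int(first)
            out["sent"][label] = int(second)
        elif indent:
            out["errors"][label] = int(first)
        else:
            out["single"][label] = int(first)
    return out


def parse_neighbors(text):
    """One dict per neighbor line of `show ospf nbr`."""
    return [dict(zip(("iface", "rtrid", "addr", "state"), m.groups()))
            for m in map(NBR_RE.match, text.splitlines()) if m]


def totals_consistent(stats):
    """Both samples in the manual satisfy: received Total = five packet types
    + Packets discarded + Packet errors, and sent Total = five packet types.
    This is an observation about the samples, not a documented rule."""
    rx = sum(stats["received"][t] for t in PACKET_TYPES)
    rx += stats["single"].get("Packets discarded", 0)
    rx += stats["single"].get("Packet errors", 0)
    tx = sum(stats["sent"][t] for t in PACKET_TYPES)
    return (rx == stats["received"]["Total Packets"]
            and tx == stats["sent"]["Total Packets"])


def diagnose(stats, neighbors):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    errors = stats["single"].get("Packet errors", 0)
    if errors:
        detail = ", ".join(f"{n} {k}" for k, n in stats["errors"].items())
        findings.append(f"{errors} packet error(s): {detail or 'no breakdown shown'}")
        if stats["errors"].get("Hello timer mismatch"):
            findings.append("Hello/Dead interval differs from a neighbor on this "
                            "network; no adjacency forms until the timers match")
    for nb in neighbors:
        if nb["state"] not in STABLE_STATES:
            findings.append(f"{nb['iface']} neighbor {nb['rtrid']} stuck in "
                            f"transient state {nb['state']}")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_stats(STATS_TEXT), parse_neighbors(NBR_TEXT)):
        print(line)
```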
In the output below, the router is reporting a Hello timer interval mismatch with one of the routers on the network, which will cause the two routers to be unable to establish an adjacency.

OSPF Packet Statistics
                                Received    Sent
Hello Packets:                        26      19
Database Description Packets:         11      11
Link State Request Packets:            1       4
Link State Update Packets:            17       4
LS Acknowledgment Packets:             6      10
Total Packets:                        63      48
Packets discarded:                     0
Packet errors:                         2
  Hello timer mismatch:                2

show ospf if

The show ospf if command displays the OSPF interface database. The verbose option can be used to display more information. Following is sample output from a show ospf if command.

OSPF IP Interfaces
Interface Ether0 is Active
    Cost: 5  State: NOT DR OR BDR  Type: BROADCAST  Priority: 1
    Designated Router: 198.41.11.205  Backup Designated Router: 198.41.11.204
    Timers: Hello: 10  Dead: 40  Retrans: 5
    Neighbors: Down 0  Att 0  Init 0  2Way 3  ExStart 0  Exch 0  Loading 0  Full 2
Interface Ether1 is Active
    Cost: 5  State: NOT DR OR BDR  Type: BROADCAST  Priority: 1
    Designated Router: 198.41.11.17  Backup Designated Router: 198.41.11.6
    Timers: Hello: 10  Dead: 40  Retrans: 5
    Neighbors: Down 0  Att 0  Init 0  2Way 0  ExStart 0  Exch 0  Loading 0  Full 2

Cost
    This is the cost of using this interface. An OSPF router will choose the path with the lowest cost to enter into its routing table.

State
    This indicates whether this router is the Designated Router or the Backup Designated Router.

Type
    This indicates the interface's type. Broadcast interfaces are LAN/Ethernet interfaces. Point-to-Point interfaces are WAN interfaces running PPP. Point-to-Multipoint interfaces are WAN interfaces running Frame Relay.

Priority
    This indicates the router's priority. The priority is used to determine whether the router is eligible to become the Designated Router or the Backup Designated Router for the LAN. A priority of 0 means that the router is not eligible. The router with the highest priority becomes the Designated Router.

Designated Router
    This is the IP address of the Designated Router.

Backup Designated Router
    This is the IP address of the Backup Designated Router.

Timers
    This displays the timer settings for this interface. The Hello and Dead timers for each connected router must match or the routers will not be able to communicate.

Neighbors
    This shows the number of current neighbors in each state of the neighbor negotiation process. Down, Att (attempting connection), Init (initializing connection), ExStart (starting to exchange database information), Exch (in the process of exchanging database information), and Loading (requesting Link State Advertisements from each other) are transient states and should only appear at startup. 2WAY indicates that this router and the neighbor have completed their neighbor negotiation. FULL indicates that the neighbor is the Designated Router or the Backup Designated Router.

show ospf nbr

The show ospf nbr command displays an abbreviated list of current neighbors and their state. Following is sample output from a show ospf nbr command.

-----------------------------------------------------------------
OSPF Neighbors
=================================================================
Ether0  RtrID: 198.41.11.200  Addr: 198.41.11.200  State: 2WAY
Ether0  RtrID: 198.41.11.202  Addr: 198.41.11.202  State: 2WAY
Ether0  RtrID: 198.41.11.203  Addr: 198.41.11.203  State: 2WAY
Ether0  RtrID: 198.41.11.204  Addr: 198.41.11.204  State: FULL
Ether0  RtrID: 198.41.11.205  Addr: 198.41.11.205  State: FULL
Ether1  RtrID: 198.41.11.6    Addr: 198.41.11.6    State: FULL
Ether1  RtrID: 198.41.11.17   Addr: 198.41.11.17   State: FULL
-----------------------------------------------------------------

RtrID
    This is the neighbor's router ID, which is the largest IP interface address associated with the router.

Addr
    This is the IP address of the neighbor.
State
    This is the current state of the neighbor negotiation process between this router and the neighbor. Unless the router is just starting up, the state should be either 2WAY or FULL. FULL indicates that the neighbor is the Designated Router or the Backup Designated Router. 2WAY indicates that this router and the neighbor have completed their neighbor negotiation.

show ospf rt

The show ospf rt command displays the ABR (Area Border Router) and ASBR (Autonomous System Border Router) routes. An Area Border Router is a router which has interfaces in more than one area. An Autonomous System Border Router is a router which acts as a gateway between OSPF and other routing protocols (e.g., RIP, BGP, etc.). Following is sample output from a show ospf rt command.

AREA 0:
AS Border Routes: None
Area Border Routes:
    78.0.0.1  Area 0  Cost 10  AdvRouter 78.0.0.1
        Nexthop: 75.0.0.5  Interface: 75.0.0.2
    76.0.0.2  Area 0  Cost 10  AdvRouter 76.0.0.2
        Nexthop: 75.0.0.3  Interface: 75.0.0.2
    75.0.0.2  Area 0  Cost 0   AdvRouter 75.0.0.2

AREA 2:
AS Border Routes: None
Area Border Routes:
    75.0.0.2  Area 2  Cost 0   AdvRouter 75.0.0.2

SUMMARY
AS Border Routes: None

show ospf all

The show ospf all command displays the entire OSPF Link State Database.

show ospf db

The show ospf db commands display various portions of the OSPF Link State Database. If the all option is used, the router, net and summary databases will be displayed. If the rtr option is used, the router Link State Database will be displayed. If the net option is used, the network Link State Database will be displayed. If the sum option is used, the summary Link State Database will be displayed. If the ext option is used, the external Link State Database will be displayed. Following is sample output from a show ospf db command.
OSPF Router, Net and Summary Databases:

Area 10:

STUB  AdvRtr: 198.41.11.202   Len: 24  Age: 3600  Seq: 00000000
      Router: 198.41.11.192   Mask: 255.255.255.240   Network: 198.41.11.192

STUB  AdvRtr: 198.41.11.202   Len: 24  Age: 2084  Seq: 00000000
      Router: 79.0.0.0        Mask: 255.0.0.0         Network: 79.0.0.0

RTR   AdvRtr: 198.41.11.193   Len: 36  Age: 1199  Seq: 80000d6b
      RouterID: 198.41.11.193   Area Border: On   AS Border: Off
      Connect Type: TRANS NET   Cost: 10   DR: 198.41.11.193   Address: 198.41.11.193
      Nexthops(1): 198.41.11.193   Interface: 198.41.11.202

RTR   AdvRtr: 198.41.11.194   Len: 36  Age: 393   Seq: 8000063f
      RouterID: 198.41.11.194   Area Border: Off  AS Border: Off
      Connect Type: TRANS NET   Cost: 10   DR: 198.41.11.193   Address: 198.41.11.194
      Nexthops(1): 198.41.11.194   Interface: 198.41.11.202

NET   AdvRtr: 198.41.11.193   Len: 44  Age: 1200  Seq: 80000034
      Router: 198.41.11.193   Mask: 255.255.255.240   Network: 198.41.11.192
      Attached Router: 198.41.11.193
      Attached Router: 198.41.11.194
      Attached Router: 198.41.11.200
      Attached Router: 198.41.11.202
      Attached Router: 198.41.11.203
      Nexthops(1): 198.41.11.193   Interface: 198.41.11.202

SUM NET  AdvRtr: 198.41.11.193   Len: 28  Age: 1486  Seq: 80000026
         Network: 192.168.40.0    Mask: 255.255.255.0   Cost: 20
         Nexthops(1): 198.41.11.193   Interface: 198.41.11.202

SUM NET  AdvRtr: 198.41.11.193   Len: 28  Age: 1486  Seq: 80000026
         Network: 192.168.41.0    Mask: 255.255.255.0   Cost: 20
         Nexthops(1): 198.41.11.193   Interface: 198.41.11.202

SUM NET  AdvRtr: 198.41.11.193   Len: 28  Age: 1486  Seq: 80000026
         Network: 192.168.42.0    Mask: 255.255.255.0   Cost: 20
         Nexthops(1): 198.41.11.193   Interface: 198.41.11.202

SEE ALSO
[ IP <Section ID> ], [ OSPF Area <Name> ], [ OSPF Virtual Link <Name> ], [ IP Route Redistribution ], ospfenable(mgmt)

ppp(show)

COMMAND NAME
show ppp - Show Point-to-Point Protocol (PPP) configuration parameters.
SYNOPSIS
show ppp lcp [Status]
show ppp quality [Status]
show ppp auth
show ppp compression
show ppp statistics

DESCRIPTION
The show ppp commands display PPP-specific information about the WAN interfaces.

show ppp lcp

This command displays LCP (Link Control Protocol) parameters configured for the WAN interfaces. For each WAN interface, flags for Want and Allow are displayed along with the Async-Character-Control-Map (ACCM). The output is shown below.

Wan 0:  Want=5ac<ACCM,AUTH,MAGIC,PFC,ACFC,PAP>  Allow=1a4<ACCM,MAGIC,PFC,ACFC>  ACCM Mask=0<>

Want
    The Want flags are parameters that the device requests of the remote end.

Allow
    The Allow flags are parameters that the device will agree to accept from the remote end if requested.

ACCM Mask
    The ACCM Mask is a 32-bit hexadecimal value which has a bit set for each control character requested to be mapped by the remote end. The value can be decoded starting from the least significant bit. See the [ PPP <Section ID> ] section for more information about the ACCM mask.

If the optional Status parameter is used, the display will show the runtime settings for the interface(s).

show ppp quality

This command displays the settings for the sending of echo packets. The output follows.

Port   Proto  Interval  Threshold
Wan 0  Off
Wan 1  Off
Wan 2  ECHO   Off
Wan 3  ECHO   11        21/ 30

Port
    The Port is the name of the WAN interface.

Proto
    Presently, the Proto column will have one of two values. A value of Off indicates that this interface is set for Frame Relay and the parameter cannot be set. A value of ECHO indicates that the ECHO protocol is selected (which is used in PPP).

Interval
    The Interval is the frequency, in seconds, at which each echo will be sent. It is also the amount of time in which an echo response must be received in order not to be counted as missed. A value of Off indicates that the ECHO protocol is disabled.
Threshold
    The Threshold is a pair of numbers indicating the number of echo packets that must be missed out of the last number received before an error is reported.

If the optional Status parameter is used, the display will show the runtime settings for the interface(s).

show ppp auth

This command displays the authentication database used by PAP and CHAP. Because password and security information is shown, you will be prompted for the password. The following is an example of the information displayed.

Enter Password:

Port   Proto  Status  Name                       Password
Wan 0  PAP    Off
       CHAP   Off
Wan 1  PAP    Allow   Mickey                     Mouse
       CHAP   Allow   Donald                     Duck
Wan 2  PAP    Want
       CHAP   Want    Betty
Wan 3  PAP    Both    Howdy                      Doody
       CHAP   Both    Graendal of the Foresaken  One

Authentication Database:
Name           Password  Chat Script  Mask
Barney Rubble  Fred      dial         000f

The first portion of the output displays information specific to each of the WAN interfaces. For more information on how to set these parameters see the [ PPP <Section ID> ] and [ Auth ] sections. The column headings are described below.

Port
    This is the name of the WAN interface.

Proto
    The Proto column will always have PAP and CHAP for interfaces configured for PPP. If the interface is configured for Frame Relay or is turned off, it will say disabled.

Status
    The Status values will be Want, Allow, Both or Off. Off means that PPP authentication has not been configured for this interface. Allow means that the device will allow the remote device to negotiate the protocol and will respond. Want means that the device will ask the other end to negotiate the protocol and require a response. Both means that the device will ask the other end to negotiate the protocol and respond if the other end sends a protocol request.

Name
    For the PAP protocol, the Name column will only have a value if the Status is Allow or Both. For the CHAP protocol, a Status of Want, Allow or Both will have a Name entry.
Password
    The Password is the PAP password or CHAP secret to be used during authentication. There will only be an entry here if PAP is set to Allow or Both, or if CHAP is set to Allow or Both.

The second part of the output displays Authentication Database entries. This table is consulted if PAP or CHAP is set to Want or Both. These entries can be used for any or all of the interfaces.

Name
    The Name column will have an entry if PAP is set for Want or Both or if CHAP is set for Allow for the interface(s) designated by the Mask (see below).

Chat Script
    The Chat Script specifies the name of the chat script to be used for dial-back.

Mask
    The Mask is a hexadecimal value specifying the ports on which this entry should be used. Each bit in the 32-bit value corresponds to a WAN interface (the least significant bit corresponding to WAN 0). In the output above the Mask of 000f tells the device to use this entry for WAN interfaces 0, 1, 2, and 3 (bits 0, 1, 2, 3).

show ppp compression

This command displays the settings for PPP data compression.

Port   Compression
Wan 0  Off
Wan 1  Off
Wan 2  Off
Wan 3  Compatible Systems Sequenced Predictor

Port
    The Port is the name of the WAN interface.

Compression
    The current PPP compression algorithm is shown. Possible values are Off and Compatible Systems Sequenced Predictor.

show ppp statistics

This command displays packet statistics for the WAN interface(s).

Stats  in  out    discard  compressI  compressO  compressID  compressOD
Wan0   25  12691  0        0          0          0           0

Each of the statistics is described below.

in
    The number of packets received by this interface's PPP stack.

out
    The number of packets sent by this interface's PPP stack.

discard
    The total number of packets discarded due to an error by this interface's PPP stack.

compressI
    The number of input packets to this interface's CCP decompressor. This value is zero if PPP data compression is not negotiated for this link.
compressO
   The number of output packets from this interface's CCP compressor. This value is zero if PPP data compression is not negotiated for this link.

compressID
   The number of packets discarded by this interface's CCP decompressor. This value is zero if PPP data compression is not negotiated for this link.

compressOD
   The number of packets discarded by this interface's CCP compressor. This value is zero if PPP data compression is not negotiated for this link.

SEE ALSO
[ PPP <Section ID> ], [ Auth ], wan(show)

radius(show)

COMMAND NAME
show radius - Show RADIUS parameters.

SYNOPSIS
show radius config
show radius statistics

DESCRIPTION

show radius config

This command shows the current settings for RADIUS parameters.

   RADIUS        Authentication    Accounting
   State         On                On
   UDP           1645              1646
   Secret        'Homer Simpson'

   Server        Primary           Secondary
   IP address    1.2.3.4           9.8.7.6
   Attempts      5                 5

The first section shows general RADIUS parameters.

State
   Valid states are On and Off.

UDP
   This is the UDP port that will be used for authentication or accounting. Any valid UDP port value can be used. The defaults are 1645 for authentication and 1646 for accounting.

Secret
   This shows the secret shared between the RADIUS client and server. It is a string of 1-31 bytes. The server must be configured with the same client secret.

The second section shows parameters related to the primary and secondary RADIUS servers.

IP address
   This is the IP address of the RADIUS server. An address of 0.0.0.0 for the secondary server indicates that it has been disabled.

Attempts
   This value shows the number of attempts to be made at transmitting a packet to the RADIUS server. If a response is not received from the primary server in the specified number of attempts, the secondary server (if enabled) will be used.

show radius statistics

The show radius statistics command displays packet statistics for the RADIUS client.
   Authentication   xmit   retry   rcv
   Primary          1      0       1
   Secondary        0      0       0
   Errors           0
   No Match         0
   Timeouts         0
   Holdq            0

   Accounting       xmit   retry   rcv
   Primary          3      0       3
   Secondary        0      0       0
   Errors           0
   No Match         0
   Timeouts         0
   Holdq            0

   Users   Name       Session ID          Secs
   Wan0    Inactive
   Wan1    Inactive
   Wan2    Wilber     01234567-00000001   138
   Wan3    Inactive

Authentication and Accounting statistics are described below:

Primary
   This is the number of packets transmitted to or received from the primary server.

Secondary
   This is the number of packets transmitted to or received from the secondary server.

Errors
   This is the number of packets that had errors while being transmitted or received.

No Match
   This is the number of packets that were received but didn't have a matching packet on the transmit hold queue.

Timeouts
   This is the number of packets that did not get a response from the primary or secondary servers.

Holdq
   This is the number of packets that are being transmitted to a server but have not received a response.

xmit
   This is the number of packets sent to a server. It does not include retries.

retry
   This is the number of retry packets sent to a server.

rcv
   This is the number of packets received from a server.

User statistics are described below:

Name
   This is the name of the user currently using this port. Inactive means the port is not being used.

Session ID
   This ID is unique per user session. It is recorded in the server detail file and is used for matching accounting start and stop records.

Secs
   This is the number of seconds the current user has been connected.

SEE ALSO
[ Radius ]

routing(show)

COMMAND NAME
show routing - Show protocol routing tables.

SYNOPSIS
show routing appletalk [ Verbose ]
show routing ip [ Dynamic | Static | Default ]
show routing decnet
show routing ipx

DESCRIPTION
All of the show routing commands are alternative ways to get routing table information for each of the protocols.
show routing appletalk
   See show appletalk routing in appletalk(show) for a detailed description.

show routing ip
   See show ip routing in ip(show) for a detailed description.

show routing decnet
   See show decnet routing in decnet(show) for a detailed description.

show routing ipx
   See show ipx routing in ipx(show) for a detailed description.

SEE ALSO
appletalk(show), ip(show), decnet(show), ipx(show)

securid(show)

COMMAND NAME
show securid - Show SecurID statistics and server information.

SYNOPSIS
show securid secrets
show securid statistics

DESCRIPTION

show securid secrets

This command shows all the ACE/Servers with which an IntraPort VPN Access Server has exchanged secrets. The first time an IntraPort contacts an ACE/Server, they exchange a secret based in part on the IntraPort's IP address.

   SecurID node secrets are stored for the following:
   Server Address    Source Address
   192.168.10.102    192.168.10.65

Server Address
   This shows the server address for all the servers that the IntraPort has exchanged secrets with and has stored in memory.

Source Address
   This is the IP address of the interface on the IntraPort from which the packets destined for the ACE/Server are sent.

show securid statistics

The show securid statistics command displays basic statistics for messages received by an IntraPort which were sent by an ACE/Server. More detailed usage statistics are available through the ACE/Server.

   SecurID Statistics
   Total Packets In      0
   Bad Packets In        0
   Packets Out           0
   Access Granted        0
   Access Denied         0
   Next Code Required    0
   New PIN Required      0
   Server Timeouts       0

Total Packets In
   This is the total number of packets from the ACE/Server which were received by the IntraPort.

Bad Packets In
   This is the number of error packets received from the ACE/Server by the IntraPort. If this is a large number, then it may indicate a security problem on the network (e.g., packet "spoofing").

Packets Out
   This is the total number of packets sent from an IntraPort to the ACE/Server.
Access Granted
   This is the number of user logins which were successfully completed.

Access Denied
   This is the number of user logins which were denied.

Next Code Required
   This is the number of times the ACE/Server asked a user for the next token code number.

New PIN Required
   This is the number of times the ACE/Server asked a user for a new PIN.

Server Timeouts
   This is the number of packets that did not get a response from the ACE/Server.

SEE ALSO
[ SecurID ], securid secret(reset)

smds(show)

COMMAND NAME
show smds - Show SMDS (Switched Multi-megabit Data Service) configuration and status.

SYNOPSIS
show smds config
show smds runtime
show smds state
show smds statistics

DESCRIPTION
The show smds commands display information about the configurations and the state of SMDS.

show smds config

The show smds config command will display the SMDS configuration parameters for all the ports where SMDS is activated. The following is the output from a show smds config command.

   Port   Station Address       IPmulticast           KeepAlive
   Wan0   C111.1111.1111.FFFF   E303.4444.4444.FFFF   10
   Wan1   C222.2222.2222.FFFF   E303.5555.5555.FFFF   Off

Each of the columns is described below.

Port
   This column displays the physical interfaces where SMDS is activated.

Station Address
   This is the SMDS station address assigned by the service provider to the SMDS link for this interface.

IPmulticast
   This is the IP multicast address assigned to this interface. It is the same as the SMDS group address assigned by the SMDS provider to the link for this port.

KeepAlive
   This shows whether keepalive is activated or not and what the polling frequency is.

show smds runtime

The show smds runtime command will display the current SMDS configuration parameters for the particular WAN ports. The runtime values should be the same as those shown by the show smds config command.
show smds state

The show smds state command will display the state of the SMDS link for every port. The state can be Up or Down. A dash (–) is used to indicate that SMDS is not configured for that port. Output from a show smds state command is given below.

          State
   Wan0   Up
   Wan1   -

show smds statistics

The show smds statistics command will display SMDS statistics. Output from a show smds statistics command is given below.

   Stats   in      out     heartbeat in   heartbeat out   discard   BA err   HE err   tag err   IN addr err   Out Lngth err   Out Addr err   Out WAN err   Ctrl/Data err   RSRV err   Encap. err   Unkwn pkt err
   Wan0    14831   27667   0              16              20        0        0        0         0             0               0              0             0               0          0            0
   Wan1    0       0       0              0               0         0        0        0         0             0               0              0             0               0          0            0

Each of the statistics is described below.

in
   The number of packets with SMDS encapsulation that have been received through that particular WAN port.

out
   The number of packets with SMDS encapsulation that have been transmitted through that particular WAN port.

heartbeat in
   The number of keepalive answer packets received from the SMDS switch.

heartbeat out
   The number of keepalive poll packets sent by the router to the SMDS switch.

discard
   The number of packets with SMDS encapsulation that have been discarded from that particular WAN port. The number of discarded packets should be equal to the total number of err packets.

The various err tallies signify encapsulation errors and may indicate an incorrect configuration or a problem with the SMDS switch.

For statistics about the physical port that is sending or receiving SMDS encapsulated packets, use the show statistics serial command.

SEE ALSO
statistics(show), [ SMDS <Section ID> ]

statistics(show)

COMMAND NAME
show statistics - Show device statistics.
SYNOPSIS
show statistics ethernet
show statistics memory
show statistics ip
show statistics bridge
show statistics tcp
show statistics appletalk
show statistics serial
show statistics connect
show statistics ppp
show statistics frelay [ <port> ] [ <DLCI> ]
show statistics smds
show statistics radius
show smds statistics
show statistics step
show statistics mppp

DESCRIPTION
These commands display statistics kept by the device. The statistics displayed are described on separate man pages. Below is a brief description of the statistics commands and a reference to the man pages with more complete descriptions.

show statistics ethernet
   This command displays ethernet statistics including packet counts and a tally of errors encountered. See ethernet(show) for a detailed description.

show statistics memory
   This command displays unallocated system memory and packet buffer usage statistics. See os(show) for a detailed description.

show statistics ip
   This command displays IP, UDP, and ICMP statistics. See ip(show) for a detailed description.

show statistics bridge
   This command displays bridge forwarding and filtering statistics. See bridge(show) for a detailed description.

show statistics tcp
   This command displays TCP statistics. These statistics are not shown by any other command.

show statistics appletalk
   This command displays AppleTalk statistics. See appletalk(show) for a detailed description.

show statistics serial
   This command displays WAN serial statistics. See wan(show) for a detailed description.

show statistics connect
   This command displays WAN connection statistics. See wan(show) for a detailed description.

show statistics ppp
   This command displays WAN PPP statistics. See ppp(show) for a detailed description.

show statistics frelay
   This command displays Frame Relay statistics. See frelay(show) for a detailed description.

show statistics smds
   This command displays SMDS (Switched Multi-megabit Data Service) statistics.
   See smds(show) for a detailed description.

show statistics radius
   This command displays statistics for RADIUS authentication and accounting. See radius(show) for a detailed description.

show statistics step
   This command displays information about active STEP tunnel connections. See vpn(show) for a detailed description.

show statistics mppp
   This command displays MPPP-specific information about the state of the Multilink ports. See mppp(show) for a detailed description.

SEE ALSO
statistics(reset), bridge(show), ethernet(show), system(show), os(show), appletalk(show), ip(show), wan(show), ppp(show), frelay(show), smds(show), radius(show), vpn(show), mppp(show)

system(show)

COMMAND NAME
show system - Show system parameters and statistics.

SYNOPSIS
show system ethernet addresses
show system ethernet statistics
show system localtalk
show system serial [ Status ]
show system log config
show system log buffer [ Delta ] [ <lines> ]
show system hardware
show system info
show system uptime

DESCRIPTION
The show system commands display system-related parameters, status and statistics. Much of the information displayed by these commands is also displayed by the show version command.

Interface display information:
The show system ethernet, show system localtalk, and show system serial commands all display information about the physical interfaces of the system.

show system ethernet addresses
   This command displays the Ethernet (MAC) addresses of all Ethernet interfaces in the system. If DECnet is enabled, the MAC address will be the same DECnet-assigned address of each interface.

show system ethernet statistics
   This command displays current statistics for each Ethernet interface. The displayed counters include transmit and receive packets, receive interrupts and error conditions.

show system localtalk
   This command displays LocalTalk statistics.

show system serial
   This command displays the configuration of the serial ports.
   The Status option shows the runtime configuration of the serial ports.

System log information:
These commands display the configuration and contents of the system log.

show system log config
   This command displays the runtime and edited log configuration. Configuration information includes the system-wide log level and output options for the log messages. Log messages can be sent to the AUX port (system console) or to a remote syslog daemon. All messages with a higher priority than the log level will be stored in an internal log buffer.

show system log buffer
   This command displays the contents of the internal log buffer. The lines option limits the display to the most recent log messages up to the specified number of lines. The display will normally timestamp the messages with the time in seconds since boot or with the actual time if the system time server has been set (see the [ Time Server ] section). With the optional keyword Delta, the messages will be displayed in a delta format where the interval between log messages is shown.

System administrative/contact information:
The show system info command displays administrative information about the system. This is informational data that will be returned to automated network queries from SNMP or certain AppleTalk echo requests (see the [ SNMP ] section for more information).

Miscellaneous system information:
The show system hardware command displays the hardware configuration of the system, and the show system uptime command displays the length of time the router has been running.

SEE ALSO
version(show), [ SNMP ], [ Time Server ]

version(show)

COMMAND NAME
show version - Show vital statistics of router.

SYNOPSIS
show version [ Verbose ]

DESCRIPTION
The show version command combines the output of many show system commands and displays it along with additional information.
The following information is displayed:

• Static system configuration information, such as the hardware configuration, software version/build date and the system Ethernet addresses.
• Information indicating when and how the software configuration in flash was last modified.
• The system up time, time server configuration and, if the time server is configured, the current date and time.
• Per-session terminal configuration information, including the screen size, the erase character, parser setting, and the more processing status (see the [ Command Line ] section for more information).

Optionally displayed information includes:

• System administrative information (also displayed by show system info).
• System log configuration (also displayed by show system log).

OPTIONS

Verbose
   This option causes the command to display additional information about the router, including system administration information and log configuration information.

EXAMPLE
The typical output of the show version command:

   Main RISC Router> show version
   Main RISC Router - System Status
   Software Version:          RISC Router 3000E v2.1.0 b10
   SW Build Date:             1/4/95 10:05
   Hardware:                  512K Flash ROM, 1024K RAM
   Last Configuration Date:   1/30/95 8:38:51
   Configuration File:        Main RISC Router Config
   Ethernet Address:          00:00:a5:77:2c:00
   Ethernet Address:          00:00:a5:77:2c:01
   Up Time:                   45 days 23 hours 39 minutes 39 secs
   Terminal settings:         80x24, Erase <BS>, Non-Enhanced Parser, More On
   Time Server:               disabled
   Main RISC Router>

SEE ALSO
system(show), [ Command Line ]

vpn(show)

COMMAND NAME
show vpn - Show VPN configuration and user information.

SYNOPSIS
show vpn config [ VPN <port> ]
show vpn runtime [ VPN <port> ]
show vpn users [ all ] [ <name> ]
show vpn statistics

DESCRIPTION
The show vpn commands display information about the configured and runtime VPN parameters.

show vpn config

The show vpn config command will display the VPN configuration parameters for all of the interfaces.
Note: If STEP configuration parameters have been set in the device, then you may issue either the show step config or the show vpn config command in order to display the STEP configuration. STEP is Compatible Systems' older, proprietary tunnel establishment protocol. STEP parameters are not recommended for new configurations, but if they have already been set in the device, they are supported.

The following is the output from a show vpn config command for a LAN-to-LAN VPN router.

   Iface   Tunnel Partner   BindTo Port   Auth   Encrypt
   VPN0    ** Disabled **
   VPN1    ** Disabled **
   VPN2    ** Disabled **
   VPN3    192.168.180.2    Ether0        On     Fixed

The following is the output from a show vpn config command for an IntraPort.

   Iface   Client
   VPN0    192.168.22.33
   VPN1    10.123.234.98
   VPN2    Waiting for Client Connection
   VPN3    Waiting for Client Connection
   VPN4    Waiting for Client Connection
   VPN5    Waiting for Client Connection
   VPN6    Waiting for Client Connection
   VPN7    Waiting for Client Connection

The column headings are described below. Note that the columns other than Iface and Tunnel Partner are only used for interfaces which currently have an active connection.

Iface
   For the IntraPort, this is the name of the interface described. While the device allows up to eight client connections, fewer may be configured and this will be reflected in the number of interfaces shown. For LAN-to-LAN VPN, this is the name of the VPN tunnel connection described.

Tunnel Partner or Client
   For the IntraPort, this is the IP address of the client computer, which is typically an address assigned by an Internet Service Provider. For LAN-to-LAN VPN connections, this is the statically assigned IP address of the tunnel partner.

BindTo Port
   For the IntraPort, this is the port to which the client has connected. For LAN-to-LAN VPN, this is the port to which the tunnel partner has connected. The BindTo Port determines the IP address to which the client or the tunnel partner connects.
Auth
   On indicates that each packet is digitally signed to prevent false or modified packets from entering the devices at either end of the tunnel.

Encrypt
   This shows whether or not the tunnel session is encrypted. None indicates that the tunnel session will be sent in the clear in both directions. Fixed indicates that Personal Level Encryption will be used to scramble the data in both directions using a fixed key. PLE indicates that Personal Level Encryption will be used to scramble the data in both directions using a key generated from the encryption secret. DES indicates that the DES algorithm is being used.

   Note: In compliance with U.S. encryption export laws, products shipped outside North America do not support the PLE or DES encryption options.

User
   This column is only for the IntraPort and shows the name of the user connected to this tunnel.

show vpn runtime

The show vpn runtime command will display the VPN parameters that are currently running in the device. The following is the output from a show vpn runtime command for an IntraPort.

   Iface   Tunnel Partner                  BindTo Port   Auth   Encrypt   User
   VPN0    192.168.22.33                   Ether0        On     None      Harold
   VPN1    10.123.234.98                   Ether0        On     Fixed     Maude
   VPN2    Waiting for Client Connection
   VPN3    Waiting for Client Connection
   VPN4    Waiting for Client Connection
   VPN5    Waiting for Client Connection
   VPN6    Waiting for Client Connection
   VPN7    Waiting for Client Connection

show vpn users

The show vpn users command will display configured parameters for currently connected IntraPort users. Following is sample output from a show vpn users command.

   User Name   Auth   Encrypt   IPX Network   Client Address   Local Address
   Fred        MD5    None      B00B00        10.41.11.43      192.168.179.100
   Betty       MD5    Fixed     B00B01        192.168.1.22     192.168.179.101

Descriptions of the column headings follow.

User Name
   The name of the VPN user.
Auth
   MD5 indicates that each packet is digitally signed to prevent false or modified packets from entering the devices at either end of the tunnel. Compatible Systems devices use MD5-based authentication. None indicates that no packet-by-packet authentication is being performed.

Encrypt
   This shows whether or not the tunnel session is encrypted. None indicates that the tunnel session will be sent in the clear in both directions. Fixed indicates that Personal Level Encryption will be used to scramble the data in both directions using a fixed key.

IPX Network
   The IPX network number being used by this client during this session. This number is assigned by the IntraPort based on the StartIPXNet keyword in the [ VPN Group <Name> ] section.

Client Address
   The IP address of the client computer, which is typically an address assigned by an Internet Service Provider.

Local Address
   The IP network address being used by this client during this session. This number is assigned by the IntraPort based on the StartIPAddress keyword in the [ VPN Group <Name> ] section.

show vpn statistics

This command shows information about active VPN tunnel connections.

   Stats   Wrapped   Unwrapped   BadEncap   BadAuth   BadEncrypt   rx IP   rx IPX   rx Apple   rx Other   rx Err   tx IP   tx IPX   tx Apple   tx Other   tx Err
   VPN0    16008     89030       0          0         0            87980   1050     0          0          0        16008   0        0          0          0
   VPN1    153       170         0          0         0            160     10       0          0          0        141     12       0          0          0
   VPN2    437       410         0          0         0            190     220      0          0          0        206     231      0          0          0
   VPN3    29        28          0          0         0            28      0        0          0          0        29      0        0          0          0

Each of the statistics is described below.

Wrapped
   The total number of packets encapsulated. For the IntraPort, this is the number of packets sent to the client computer. For LAN-to-LAN VPN, this is the number of packets sent to the tunnel partner.

Unwrapped
   The total number of packets de-encapsulated. For the IntraPort, this is the number of packets received by the IntraPort from the client computer.
   For LAN-to-LAN VPN, this is the number of packets received by the local device from the tunnel partner.

BadEncap
   The number of packets found with bad encapsulation. This error is very unusual and probably indicates a version mismatch or perhaps deliberate misuse.

BadAuth
   The number of packets where authentication failed. This usually indicates that the shared authentication secret is incorrect on one end of the tunnel.

BadEncrypt
   The number of packets where encryption failed. This usually indicates that the shared encryption secret is incorrect on one end of the tunnel.

rx IP
   The number of IP packets received.

rx IPX
   The number of IPX packets received.

rx Apple
   The number of AppleTalk packets received.

rx Other
   The number of other packets received.

rx Err
   The number of packets with errors received. This error is very unusual and probably indicates a version mismatch or perhaps deliberate misuse.

tx IP
   The number of IP packets transmitted.

tx IPX
   The number of IPX packets transmitted.

tx Apple
   The number of AppleTalk packets transmitted.

tx Other
   The number of other packets transmitted.

tx Err
   The number of packets which could not be transmitted as IPSec packets. This error is very unusual and probably indicates a bad VPN configuration or possibly a problem with the device software.

OPTIONS

VPN <port>
   This option restricts the command to only display information about the VPN port specified.

all
   This option displays information on all users, whether or not they are currently connected.

name
   This option shows information only for the specified user.

SEE ALSO
[ VPN Users ], [ VPN Group <Name> ]

wan(show)

COMMAND NAME
show wan - Show Wide Area Networking parameters.
SYNOPSIS
show wan config
show wan connect config [ Status ]
show wan connect statistics
show wan serial config [ Status ]
show wan serial statistics
show wan mode [ Status ]
show wan state
show wan csu config [ Status ]
show wan csu statistics
show wan ds3 config
show wan ds3 statistics
show wan hssi config
show wan hssi statistics

DESCRIPTION

show wan config

The show wan config command displays all of the relevant information about how the WAN interface(s) have been configured. The output is split into a number of sections, each of which can be displayed with other show wan commands.

   WAN modes:
   Port   Mode
   WAN0   Frame Relay
   WAN1   Frame Relay
   WAN2   PPP
   WAN3   PPP

   Connect Info:
   Port    Mode     Dial    ConnectOut   Callback   Flags
           Delay    Retry   Inactivity   Chat
   WAN 0   Dedctd   -                               rt=8000<Out>
           0        0       n/a          0
   WAN 1   Dedctd   -                               rt=8000<Out>
           0        0       n/a          0
   WAN 2   Dedctd   -                               rt=28000<Out,DIOK>
           0        0       n/a          0
   WAN 3   Dedctd   -                               rt=28000<Out,DIOK>
           0        0       n/a          0

   Serial Port Info:
   Port    Type    TX Clk   Baud Rate   Fcntl   Flags
   WAN 0   Sync    Ext      n/a         n/a     =0<>
   WAN 1   Sync    Ext      n/a         n/a     =0<>
   WAN 2   Async   n/a      115200      HW      =1<DIOK>
   WAN 3   Async   n/a      115200      HW      =1<DIOK>
   AUX 0   Async   n/a      9600        None    =0<>

   PPP Lcp Info:
   WAN 0 Off
   WAN 1 Off
   WAN 2: Want=1a4<ACCM,MAGIC,PFC,ACFC> Allow=1a4<ACCM,MAGIC,PFC,ACFC> ACCM Mask=0<>
   WAN 3: Want=1a4<ACCM,MAGIC,PFC,ACFC> Allow=1a4<ACCM,MAGIC,PFC,ACFC> ACCM Mask=0<>

   PPP Data Compression:
   Port    Compression
   WAN 0   Off
   WAN 1   Off
   WAN 2   Off
   WAN 3   Predictor1

   Frame Relay Maintenance Info:
   Port   Maint    Poll   MTU
   WAN0   annexD   5      1500
   WAN1   LMI      10     1500
   WAN2   Off
   WAN3   Off

   Frame Relay DLCI Info:
   Port WAN 0 DLCI Configuration
   DLCI   IP           AppleTalk   IPX
   20     IARP         IARP        IARP
   Port WAN 1 DLCI Configuration
   DLCI   IP           AppleTalk   IPX
   16     200.30.9.1   IARP        IARP
   Port WAN 2 DLCI Configuration Off
   Port WAN 3 DLCI Configuration Off

show wan connect config

The show wan connect config command displays parameters used to make a connection for each of the WAN interfaces. The display shows two lines for each interface.
If the optional Status parameter is used, the runtime status will be displayed.

   Port    Mode     Dial    ConnectOut   Callback   Flags
           Delay    Retry   Inactivity   Chat
   WAN 0   Always   V25bs   coop                    rt=48002<DCD,Out,DOOK>
           2        5       n/a          30
   WAN 1   Dedctd   -                               rt=8000<Out>
           15       5       n/a          30
   WAN 2   Dialup   AT                              rt=20000<DIOK>
           15       5       10           30
   WAN 3   Always   AT      netcom                  rt=48002<DCD,Out,DOOK>
           15       5       n/a          60

Mode
   Values will be Always for always up connections, Dedctd for dedicated connections, and Dialup for on-demand dialup.

Dial
   This is the dialing method used. Values will be AT for Hayes AT Command Set dialing, V25bs for V.25bis synchronous dialing, or "–" for dedicated connections that do not need to dial.

ConnectOut
   This is the name of the chat script to be used to originate a connection. See the [ Chat <Name> ] section for more information about chat scripts.

Callback
   This is the name of the chat script to be used for a dial-back connection. See the [ Chat <Name> ] section for more information about chat scripts.

Flags
   The Flags indicate runtime flags set for this interface. The Flags are indicated numerically and are decoded inside the "<" and ">" characters. Values for the Flags include DCD when the carrier has been detected, Dial when the device is dialing, In when the current connection was initiated by an incoming call, Out when the current connection was initiated by an outgoing call, DIOK when the interface is configured for dial-in, DOOK when the interface is configured for dial-out, and Ucnnt if the interface is presently in the user connect state.

Delay
   This is the period of time that the device will wait between attempts to connect.

Retry
   This is the number of times the device will try to establish a new connection or reconnect to one that has gone down. If the mode is "always up" the device will retry this many times and then reinitialize and begin the cycle again. "On demand" devices will try this many times and then wait for the next event to cause it to dial again.
Inactivity
   This is the amount of time in minutes that the device will wait before closing the connection due to inactivity.

Chat
   The Chat timeout value is the maximum amount of time in seconds for the chat script to complete. If it does not complete, the connection is dropped.

show wan connect statistics

The show wan connect statistics command displays timers and counters specific to the connections made by the WAN interface(s).

   Stats   inact   cur cnnt     avg cnnt     tot cnnt     dial try   dial out   dial in
   Wan0    0:00    0:00:00:02   0:00:00:17   0:01:08:28   229        229        0
   Wan1    0:00    0:00:00:08   0:00:00:32   0:01:08:27   125        125        0
   Wan2    0:00    0:00:00:03   0:00:00:39   0:01:12:05   109        109        0
   Wan3    0:00    0:00:00:05   0:00:00:39   0:01:12:05   109        109        0

Below is a description of the different statistical categories.

inact
   This is the present value of the inactivity disconnect timer. A value of 0:00 usually indicates a connection that is synchronous, always up, or dedicated.

cur cnnt
   This is the amount of time that the current connection has been up.

avg cnnt
   This is the average amount of time that the device has stayed connected for each connection made.

tot cnnt
   This is the total amount of time that the device was in a connected state.

dial try
   This is the total number of dial-out tries attempted.

dial out
   This is the number of successful dial-out connections.

dial in
   This is the number of successful dial-in connections.

show wan serial config

The show wan serial config command displays hardware-specific configuration information about the WAN interface(s). If the optional Status parameter is used, the runtime status will be displayed.
The output of the command will look something like the following:

   Port    Type    TX Clk   Baud Rate   Fcntl   Flags
   WAN 0   Sync    Ext      n/a         n/a     =2<DOOK>
   WAN 1   Sync    Int      1544000     n/a     =8<IntTxClk>
   WAN 2   Async   n/a      115200      HW      =1<DIOK>
   WAN 3   Async   n/a      57600       HW      =2<DOOK>
   AUX 0   Async   n/a      9600        None    =0<>

A description of the column headings is given below:

Port
   This is the name of the interface.

Type
   The Type will be either Sync for synchronous operation, Async for asynchronous operation, or Off if the interface is not turned on.

TX Clk
   The TX Clk column has values when the interface is set to synchronous mode only. It will have either Ext to indicate that the device receives the transmit clock signal externally or Int if the device is providing the transmit clock. The n/a value is displayed for asynchronous interfaces.

Baud Rate
   The Baud Rate is the serial speed for asynchronous links and synchronous links where the transmit clock is internal. See the [ RS232 Interface <Section ID> ] and/or [ V.35 Interface <Section ID> ] sections for information about available rates.

Fcntl
   The Fcntl is the flow control assigned to each interface. Values will be None if no flow control is configured, HW for hardware (RTS/CTS), XON/XOFF for software, and n/a when there is no need for any (as in a sync connection).

Flags
   The Flags indicate special options configured for this interface. The Flags are indicated numerically and are decoded inside the "<" and ">" characters. The three flags that you can expect to see are IntTxClk when synchronous interfaces are set for internal transmit clock, DIOK when the interface is configured for dial-in, and DOOK when the interface is configured for dial-out.

show wan serial statistics

The show wan serial statistics command displays packet and physical layer statistics for the WAN interface(s). Most of these tallies are error conditions and should normally be 0. If they are not, check the descriptions below.
If the tally is an error condition, the physical connections should be scrutinized for problems.

Stats       Wan0      Wan1    Wan2    Wan3
in pkts     3446870   0       2050    55920
out pkts    3849662   21701   2881    2910
tot disc    0         0       5095    0
crc         0         0       5095    0
overruns    0         0       0       0
framing     0         0       0       0
oversize    0         0       0       0
abort       0         0       9       0
break       0         0       0       0
PPP flag    0         0       9701    46306
sw fc in    0         0       0       0
unalign     0         0       0       0
fr2long     0         0       0       0
rx_busy     0         0       0       0
tx_gltch    0         0       0       0
rx_gltch    0         0       0       0
underrun    0         0       0       0
cts_lost    0         0       0       0
cd_lost     0         0       0       0
sp_int      0         0       0       0
nullptr     0         0       0       0
noIbuf      0         0       0       0
unknown     0         0       0       0

Each statistic is described below.

in pkts
    The number of packets received by this interface.

out pkts
    The number of packets sent by this interface.

tot disc
    The total number of packets discarded due to an error.

crc
    The number of packets received with CRC Frame Check Errors.

overruns
    The number of overrun errors.

framing
    The number of framing errors.

oversize
    The number of oversized packets received.

abort
    The number of abort events logged by the serial chip. An abort is defined as more than seven 1s in a row in the datastream. This is an error found on synchronous lines of an HDLC connection.

break
    The number of break events logged by the serial chip.

PPP flag
    The number of PPP flags received on PPP connections. There will usually be two flags per packet.

sw fc in
    The number of software flow control (Xon/Xoff) bytes received.

unalign
    The number of packets received with alignment errors while in HDLC mode. The packet size was not a multiple of 8 bits.

fr2long
    The number of packets that exceed the maximum frame length.

rx_busy
    The number of times the serial processor receives a packet and does not have a buffer to allocate to it. This statistic may be nonzero since it may get one occurrence during startup.

tx_gltch
    The number of times the serial processor detects a glitch in the TX clock during HDLC mode.

rx_gltch
    The number of times the serial processor detects a glitch in the RX clock during HDLC mode.
underrun
    The number of times the serial processor detected a transmission underrun in HDLC mode.

cts_lost
    The number of times the Clear-to-Send (CTS) signal was negated during transmission.

cd_lost
    The number of times the Data Carrier Detect (DCD) signal was negated during reception.

sp_int
    The number of times the serial processor detected a spurious interrupt. Nothing is in the interrupt register.

nullptr
    The number of null pointers encountered in the interrupt routine.

noIbuf
    The number of times the serial processor fails to get a Pbuf in asynchronous mode.

unknown
    The number of errors with an unknown tally type.

asi rst
    The number of times the async receive serial driver was reset due to overloading.

asi wrap
    The number of times the async receive buffer wrapped. This is informational only and not an error.

asi waits
    The number of async transmit packets which needed to wait for an async-HDLC conversion buffer. This is not an error but is an indication of heavy transmit traffic.

asi oflow
    The number of times the async receive buffer overflowed. This is an indication of very heavy receive traffic.

show wan mode

The show wan mode command displays the present operating mode for each of the WAN interfaces. Presently, the modes supported are Frame Relay, PPP, SMDS and Off. If the optional Status parameter is used, then the runtime status of the interfaces will be displayed. Below is an example of the output of the command.

Port   Mode
WAN0   Frame Relay
WAN1   Frame Relay
WAN2   PPP
WAN3   PPP

show wan state

The show wan state command displays the status of each WAN interface and its connection statistics.
State   Connect   FRmaint   PPP    IP     IPX    Atalk   DECnet
Wan0    Cnnt      Up
Wan1    Cnnt      Up
Wan2    Cnnt                Nego   Down   Down   Down    Down
Wan3    Cnnt                Up     Up     Up     Up      Down

Stats   inact   cur cnnt     avg cnnt     tot cnnt     dial try   dial out   dial in
Wan0    0:11    0:00:00:16   0:00:00:18   0:01:06:18   221        221        0
Wan1    0:11    0:00:00:10   0:00:00:32   0:01:06:17   121        121        0
Wan2    0:11    0:00:00:33   0:00:00:39   0:01:09:55   105        105        0
Wan3    0:11    0:00:00:35   0:00:00:39   0:01:09:55   105        105        0

The first block of statistics displays the current state of each interface by protocol. Except for Connect, each protocol will have a value of Up, Down, Nego (for negotiating), or "-" for not applicable.

Connect
    The Connect state is the status of the physical level connection. Values include: Cnnt indicating that the interface is connected and is able to communicate with the equipment attached to it, Check when the device is checking the interface to see if it can communicate with the attached device, UCnnt when the interface is in User Connect mode, Idle when the link is available but is not being used, CIn when there is an incoming connection in progress, COut when there is an outgoing connection in progress, Drop when the connection is in the process of being dropped, and Off if the interface is disabled.

FRmaint
    This is the status of the Frame Relay maintenance protocol for each interface.

PPP
    This is the status of PPP for each interface.

IP
    This is the status of the IP protocol for each interface.

IPX
    This is the status of the IPX protocol for each interface.

Atalk
    This is the status of the AppleTalk protocol for each interface.

DECnet
    This is the status of the DECnet protocol for each interface.

The second set of statistics displays the connection information about each interface. The values are explained under show wan connect statistics.

show wan csu config

The show wan csu config command displays parameters used to configure WAN interfaces equipped with an internal T1 CSU.
The display consists of one line for each interface. The values displayed correspond to the titles in the column headings. If the optional Status parameter is used, the runtime status will be displayed.

Port   Clock   Frame   Code   Start/#/Cont   Rate   DataInv   LBO   PRM_TX   LineLUP   V54LUP
Wan0   Slave   ESF     B8ZS   1/24/cont      64k    no        0dB   Yes      Yes       No
Wan1   n/a

Port
    This is the name of the interface.

Clock
    This is the transmit clock source. Values will be Slave for most applications where the unit is located on the customer premises and T1 service is provided by an ISP. In Slave mode, the CSU will receive its clock from the network. The only other option for Clock is Master, where the CSU uses an internal clock to transmit data. Master mode may be useful when a custom network is being constructed or when two Compatible Systems T1 routers are attached to each other back-to-back (one unit would be the master, the other the slave).

Frame
    This is the T1 frame format. Values will be ESF for "Extended Super Frame" format or D4, which is commonly referred to as "Super Frame" format.

Code
    This is the T1 line coding. Values will be B8ZS for "Bipolar Eight Zero Substitution" and AMI for "Alternate Mark Inversion."

    Note: If the line coding is set to B8ZS (the preferred line code format), then the Start/#/Cont and Rate can be set to any value. If line coding is set to AMI, then either the Rate must be set to 56K or alternating channels must be selected for Start/#/Cont. See the [ T1 Interface <Section ID> ] section for more information.

Start/#/Cont
    Values describe the range of DS0 channels used and whether they are contiguous (cont) or alternating (alt).

Rate
    This is the data rate per DS0 channel. Values are either 64K or 56K.

DataInv
    This tells whether data is being inverted.

LBO
    Values for "Line Build Out" can be 0dB, -7.5dB, -15dB, or 22.5dB. See the [ T1 Interface <Section ID> ] section for more information.
PRM_TX
    This tells whether Performance Report Messages are being transmitted.

LineLUP
    This tells whether the CSU will turn on network loopback in response to an ATT Line Loopup pattern from the remote CSU.

V54LUP
    This tells whether the CSU will turn on network loopback in response to a V.54 Loopup pattern from the remote CSU.

show wan csu statistics

The show wan csu statistics command displays runtime statistics related to the device's internal CSU and the T1 line.

Wan0 CSU Stats:
T1 signal            : carrier=OK sync=OK rx level=+2db to -7.5db
Alarms sent          : yellow=FALSE/0 blue=FALSE/0
Alarms received      : yellow=FALSE/1 blue=FALSE/0
Loopback @ DTE       : framer=off local=off
Loopback @ Local T1  : LineLUP=en V54LUP=dis V.54=off line=off payload=off
Loopback @ Remote T1 : V.54=off line=off
BERT                 : pattern='no pat' sync=FALSE

Errors    LCV   PCV   OOF   ESF
1 sec     0     0     0
Total     44    37    8     45

FDL Stats   T1.403    TR54016   Errors
TX          1194023   0         0
RX          0         0         0

T1.403 PRM data for previous 1194024 seconds:
          G1   G2   G3   G4   G5   G6   SE   FE   LV   SL   LB
Curr      F    F    F    F    F    F    F    F    F    F    F
Curr-1    F    F    F    F    F    F    F    F    F    F    F
Curr-2    F    F    F    F    F    F    F    F    F    F    F
Curr-3    F    F    F    F    F    F    F    F    F    F    F
TX Tot    35   1    0    0    0    0    0    0    36   0    0
RX Tot    0    0    0    0    0    0    0    0    0    0    0

The statistics display several internal boolean variables including:

T1 signal: carrier
    Are we receiving a T1 bit stream? If this is not OK then the line is probably disconnected, the line is cut, or the upstream T1 source has stopped transmitting.

T1 signal: sync
    Are we receiving valid framing? If this is not OK and the carrier is OK, it usually means framing is set incorrectly.

Alarms sent or Alarms received
    yellow - A yellow alarm indicates that there is a remote loss of signal and informs the local user that the locally generated transmission is not being received at the destination.
    blue - A blue alarm usually indicates that a loss of signal has been detected by a signal regenerator somewhere between the T1 terminal at the remote end and the local device.
    It is an all 1s signal in order to maintain clock recovery.

Loopback @ DTE:
    This is a diagnostic test of the internal CSU/DSU and the local Data Terminal Equipment (DTE) which will loop data between the router's serial driver and its internal CSU/DSU.
    framer - tests the router's DTE by looping data out the router's serial driver back into the serial receiver at the input to the internal DSU.
    local - tests the entire CSU/DSU by looping data out the router's serial driver back into the serial receiver through the internal CSU/DSU.

Loopback @ Local T1:
    This is a diagnostic line test which forces the router's CSU to loop data received from the network back out to the network.
    LineLUP - will we accept an AT&T line loopup signal?
    V54LUP - will we accept a V.54 loopup signal?
    V.54 - are we receiving a V.54 loopup pattern?
    line - During line loopback, all data, including framing and overhead bits, is immediately looped once it is received off the T1 line.
    payload - During payload loopback, data is stripped of framing and overhead bits before being passed through all the CSU's circuitry before it is looped back.

Loopback @ Remote T1:
    This feature enables you to put the far end T1 terminal into loopup. It manipulates the CSU on the remote end of your connection by sending out a specific bit pattern which is recognized by the remote CSU. Compatible Systems devices support two different loopup sequences. You may need to check the far end unit to see which sequences are supported and enabled.
    V.54 - are we transmitting a V.54 loopup pattern to the CSU on the remote end of the connection?
    line - are we transmitting an AT&T line loopup pattern to the CSU on the remote end of the connection? (This is only done in conjunction with the phone company.)

BERT:
    The unit includes an internal Bit Error Rate Test (BERT) receiver.
    pattern - this indicates the type of test pattern being received, if any.
    sync - this indicates whether the BERT chip is in sync with the pattern. If one of the standard test patterns is received and the value for sync is true, the unit is out of service.

Errors
    This displays a tally of the number of errors seen in the last second along with the total number.
    LCV - These are Line Code Violations (historically known as Bipolar Violations).
    PCV - These are Path Code Violations. In ESF mode, this is the number of CRC errors. In D4 mode, this is the number of signalling frame bit errors.
    OOF - These are Out Of Frame errors. In ESF mode, this is the number of frame bit errors. In D4 mode, this is the number of terminal frame bit errors.
    ESF - This tallies the total of PCV + OOF errors (in ESF mode only).

FDL Stats
    FDL statistics include information about the number of Performance Report Messages sent and received since the device has been up. If the device was too busy to process a PRM or couldn't send one, an error is recorded. This is not a line error and does not indicate a problem. It indicates, however, that the PRM data displayed may be inaccurate.

T1.403 PRM
    T1.403 PRM data displays information regarding Performance Report Messages sent and received over each of the last 4 seconds (Curr, Curr-1, etc.) and the totals transmitted and received since the device was last booted. If one of the following events occurred in one of the previous 4 seconds, a T (TRUE) would appear in the corresponding column:
    G1 - 1 CRC error occurred.
    G2 - 2 to 5 CRC errors occurred.
    G3 - 6 to 10 CRC errors occurred.
    G4 - 11 to 100 CRC errors occurred.
    G5 - 101 to 319 CRC errors occurred.
    G6 - more than 319 CRC errors occurred.
    SE - Severely Errored frame event occurred.
    FE - Frame Bit Error occurred.
    LV - Line Code Violation occurred.
    SL - Elastic store Slip occurrence.
    LB - Chip entered Loopback mode.

Note: In ESF mode, the CSU performs T1 line CRC generation and checking.
This is independent of, and a completely different CRC calculation from, the CRC count displayed in show wan serial statistics.

show wan ds3 config

The show wan ds3 config command displays all of the relevant information about how the WAN interface(s) have been configured.

                 DS3 0
Line State       Up
DATA Invert      Off
DS3 Subrate      44.210 Mbs
CRC Length       32 bit
Clocking         Internal
Line Build Out   Short

show wan ds3 statistics

The show wan ds3 statistics command displays runtime statistics related to the device's internal CSU and the DS3 line.

Statistic Type     DS3 0
Packets In         308315
Packets Out        309232
Tx discards        0
heldoff            0
Code Violations    0
Pulse Density Lo   0
CRC errors         0
RX Overflows       0
Frame len errors   0
RX Aborts          0
TX underflow       0
TX len errors      0
TX Aborts sent     0
RX Busy            0
RX FIFO full       0
TX FIFO full       0
DS3 EF SA          0
DS3 LOS            0
DS3 OOF            0
DS3 AIS Rcvd       0
DS3 IDLE Rcvd      0
DS3 EF NSA         0
DS3 CEF            0
DS3 LOOPA          0
DS3 LOOPD          0
DS3 Line Loop      0
DS3 Norm Op        0
Spurious Int       0

Statistic Type
    The interface for which statistics are being displayed.

Packets In
    The number of packets received by this interface since powerup or since the statistics were reset using the reset wan ds3 stats command (see statistics(reset)).

Packets Out
    The number of packets sent by this interface since powerup or since the statistics were reset using the reset wan ds3 stats command (see statistics(reset)).

Tx discards
    The number of outgoing packets discarded due to an error.

heldoff
    The number of packets held off due to a busy interface.

Code Violations
    The count of D3RC cycles for which CV is high.

Pulse Density Lo
    The number of Loss of Signal interrupts received from the framer.

CRC errors
    The number of packets received with CRC Frame Check Errors.

RX Overflows
    The number of times the receive buffer overflowed. This is an indication of very heavy receive traffic.

Frame len errors
    The number of times a frame over the maximum frame length was received.
RX Aborts
    The number of abort events logged by the serial chip. An abort is defined as more than seven 1s in a row in the datastream.

TX underflow
    The number of times the transmitter was in the middle of a transmission and the Tx FIFO did not have data to send out.

TX len errors
    The number of times transmission of a packet greater than the maximum allowed size was attempted.

TX Aborts sent
    The number of abort events sent by the interface. An abort is defined as more than seven 1s in a row in the datastream.

RX Busy
    The number of times no Buf was available for a received packet.

RX FIFO full
    The number of packets received which were bigger than the Framer's Rx FIFO.

TX FIFO full
    The number of packets received which were bigger than the Framer's Tx FIFO.

DS3 EF SA
    The number of Equipment Failure, Service Affecting messages received from the remote device.

DS3 LOS
    The number of Loss of Signal messages received from the remote device.

DS3 OOF
    The number of Out Of Frame Detected messages received from the remote device.

DS3 AIS Rcvd
    The number of yellow alarm messages received from the remote device. A yellow alarm indicates that there is a remote loss of signal and informs the local user that the locally generated transmission is not being received at the destination.

DS3 EF NSA
    The number of Equipment Failure, Non Service Affecting messages received from the remote device.

DS3 CEF
    The number of Common Equipment Failure messages received from the remote device.

DS3 LOOPA
    The number of times Loopback Activate requests have been received from the remote device.

DS3 LOOPD
    The number of Loopback De-activate requests that have been received from the remote device.

DS3 Line Loop
    The number of times the remote end has gone into loopback.

DS3 Norm Op
    The number of times the remote end has returned to normal operation after being in loopback.

Spurious Int
    The number of times the serial processor detected a spurious interrupt.
    Nothing is in the interrupt register.

show wan hssi config

The show wan hssi config command displays all of the relevant information about how the WAN interface(s) have been configured.

                 HSSI 0
Local loop       Off
CSU/DSU loop     Off
CRC Length       32 bit
Clocking         External
CA (CSU ready)   On
Clock Present    Yes

show wan hssi statistics

The show wan hssi statistics command displays tallies from the HSSI interface for various types of conditions and exceptions.

Statistic Type   HSSI 0
Packets In       25622
Packets Out      21531
Tx discards      0
Tx Heldoff       0
Rx discards      0
PCI Bus Error    0
Transmit Error   0
Tx Too Long      0
Deferred         0
Receive Error    0
Rx Overflow      0
Length Error     0
Desc Len Err     0
Illegal Length   0
CRC Error        0

Statistic Type
    The interface for which statistics are being displayed.

Packets In
    The number of packets received by this interface since powerup or since the statistics were reset using the reset wan hssi stats command (see statistics(reset)).

Packets Out
    The number of packets sent by this interface since powerup or since the statistics were reset using the reset wan hssi stats command (see statistics(reset)).

Tx discards
    The number of outgoing packets discarded due to an error.

Tx Heldoff
    The number of packets held off due to a busy interface.

Rx discards
    The number of incoming packets discarded due to an error.

PCI Bus Error
    The number of times a PCI Bus error has occurred on this interface.

Transmit Error
    The number of packets that were not sent due to a transmit error.

Tx Too Long
    The number of transmit packets discarded due to a length error.

Deferred
    This indicates the number of times the 21140 processor had to defer a transmit because the carrier was asserted.

Receive Error
    The number of packets where an error was detected in the packet header.

RX Overflow
    The number of times the receive buffer overflowed. This is an indication of very heavy receive traffic.
Length Error
    The number of packets received that had an invalid length.

Desc Len Error
    The number of length errors detected in the 21140 processor's buffer descriptors.

Illegal Length
    The number of packets received that had an invalid length (either too long or too short).

CRC Error
    The number of received packets that contained CRC (Cyclical Redundancy Check) errors.

SEE ALSO
    ppp(show), statistics(reset), [ Chat <Name> ], [ Frame Relay <Section ID> ], [ DS3 Interface <Section ID> ], [ HSSI Interface <Section ID> ], [ RS232 Interface <Section ID> ], [ V.35 Interface <Section ID> ], [ T1 Interface <Section ID> ], [ Link Config <Section ID> ], [ PPP <Section ID> ]

Appendix A: Default Sections and Default Values

The device reads the configuration in a hierarchical manner. If a parameter value has been configured in a port-specific configuration section, that value is used. If the value is not found, a search is performed on the default section for that physical interface and specified protocol. If the parameter is still not found (or if the default section is absent), the search proceeds through the default section for that interface type and protocol. Finally, the default for the protocol is checked, followed by the device's default value for that parameter.

For instance, if the device or CompatiView is trying to determine the value for RipOut (outgoing RIP) for Ethernet interface 1, subinterface 2, it will first look for a RipOut parameter in the [ IP Ethernet 1.2 ] section. If it is not found there, the following sections are searched in this order:

[ IP Ethernet 1 Default ]
[ IP Ethernet Default ]
[ IP Default ]

If any of these sections is not present, the next one in the list is used. If the RipOut parameter is not found in any of these sections, the device's default value will be used. The device's default value may be found in the Installation Guide that came with your device.
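The lookup order just described, as an added example that is not code from this reference guide or from Compatible Systems: a small resolver that parses a constructed configuration into sections, walks the port-specific section, the per-port default, the per-interface-type default and the protocol default in that order, and reports which section supplied each value (the same information the device's show config cook origin command gives). The "Keyword = Value" line syntax, the '#' comment convention, the sample sections and the stand-in device defaults are assumptions made for the example; real device defaults are in the Installation Guide.

```python
"""Resolve a parameter through the default-section hierarchy of Appendix A.

Added example, not code from the reference guide or from Compatible Systems.
Assumptions: "Keyword = Value" line syntax, '#' comments, and the constructed
sample configuration and device defaults below.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
[ IP Ethernet 1.2 ]
Mode = Routed

[ IP Ethernet 1 Default ]
# Defaults for every subinterface of Ethernet 1.
RIPOut = Off

[ IP Ethernet Default ]
SubnetMask = 255.255.255.0

[ IP Default ]
RIPOut = On
RIPIn = On
"""

# Constructed stand-in for the device defaults listed in the Installation Guide.
DEVICE_DEFAULTS: Dict[str, str] = {
    "Mode": "Off",
    "RIPOut": "On",
    "RIPIn": "On",
    "SplitHorizon": "On",
}

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
PORT_NUMBER_RE = re.compile(r"\d+(\.\d+)?")


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Split configuration text into {section title: {keyword: value}}.

    Titles are normalised to single spaces so "[ IP  Default ]" and
    "[ IP Default ]" name the same section.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            title = " ".join(match.group(1).split())
            current = sections.setdefault(title, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed configuration line: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def search_order(section: str) -> List[str]:
    """Section titles consulted, most specific first, for a port-specific section.

    "IP Ethernet 1.2" yields "IP Ethernet 1.2", "IP Ethernet 1 Default",
    "IP Ethernet Default" and "IP Default", the order given in Appendix A.
    The last token is the port number (subinterface "1.2" belongs to physical
    port 1) and the token before it is the interface type, so multi-word
    protocol names such as "Link Config" work too.
    """
    parts = section.split()
    if len(parts) < 3 or not PORT_NUMBER_RE.fullmatch(parts[-1]):
        raise ValueError("expected '<Protocol> <InterfaceType> <Port[.Sub]>'")
    protocol = " ".join(parts[:-2])
    iface_type = parts[-2]
    physical_port = parts[-1].split(".")[0]
    return [
        " ".join(parts),
        f"{protocol} {iface_type} {physical_port} Default",
        f"{protocol} {iface_type} Default",
        f"{protocol} Default",
    ]


def resolve(sections: Dict[str, Dict[str, str]], section: str, keyword: str,
            device_defaults: Dict[str, str] = DEVICE_DEFAULTS) -> Tuple[str, str]:
    """Return (value, origin) for keyword as seen from the given section.

    origin is the section title that supplied the value, or "device default".
    """
    for title in search_order(section):
        params = sections.get(title)
        if params is not None and keyword in params:
            return params[keyword], title
    if keyword in device_defaults:
        return device_defaults[keyword], "device default"
    raise KeyError(f"{keyword!r} is not configured and has no device default")


if __name__ == "__main__":
    cfg = parse_sections(SAMPLE_CONFIG)
    for kw in ("Mode", "RIPOut", "SubnetMask", "RIPIn", "SplitHorizon"):
        value, origin = resolve(cfg, "IP Ethernet 1.2", kw)
        print(f"{kw:12} = {value:16} (from {origin})")
```

Running the block prints one line per keyword with the section it came from; RIPOut resolves to Off from [ IP Ethernet 1 Default ] even though [ IP Default ] says On, which is the precedence the appendix describes.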
It is also possible to use the configuration editor built into the device to find the default values. For more details, see the configure section.

One convenient method for finding out where a particular value was found is to use the show config cook origin command from the console or from a telnet session. See the configure section for further information. The configure section has many options that are useful for displaying the configuration and checking the syntax of a configuration.

In the rest of this Appendix are the keywords which may be used in default sections. For information on allowed values, see the section of the manual for that protocol. Some of these sections have an optional interface number in the section name. This interface number is represented below as [Inum].

[ IP Default ]
# Parameters entered in this section serve as defaults
# for all interfaces.
Mode
RIPVersion
RIPOut
RIPIn
SplitHorizon
SubnetMask
OutFilters
InFilters

[ IP Ethernet [Inum] Default ]
# Parameters entered in this section serve as defaults
# for all Ethernet interfaces. Allowed parameters include
# all parameters in the [ IP Default ] section.
ProxyARP
UDPFlood
Relay

[ IP WAN [Inum] Default ]
# Parameters entered in this section serve as defaults
# for all WAN interfaces. Allowed parameters include all
# parameters in the [ IP Default ] section.
Numbered
Updates
VJHeaderComp
IPCPAddr

[ IP LocalTalk [Inum] Default ]
# Parameters entered in this section serve as defaults
# for all LocalTalk interfaces. Allowed parameters include
# only the following parameters in the [ IP Default ]
# section: RIPOut, Relay, and SubnetMask.
Mode
ForwardingPort
FirstIPAddress
NumDynamic
NumStatic
SubnetIPAddress

[ IPX Default ]
Mode
RIPTimer
SAPTimer
BlockType20
OutFilters
InFilters

[ IPX Ethernet Default ]
# Allowed parameters include all parameters in the
# [ IPX Default ] section.
FrameTypeII
FrameRaw
Frame8022
FrameSNAP

[ IPX WAN Default ]
# Allowed parameters include all parameters in the
# [ IPX Default ] section.
Numbered
Updates
NodeProxy

[ AppleTalk Default ]
Mode
Seed
OutFilters
InFilters
OutRTMPFilters
InRTMPFilters
GetZoneFilters
ANSP

[ AppleTalk Phase1 Ethernet Default ]
# Allowed parameters include all parameters in the
# [ AppleTalk Default ] section.
LockOut
LockIn
LWFilter
TildeFilter
StIZFilter

[ AppleTalk Phase2 Ethernet Default ]
# Allowed parameters include all parameters in the
# [ AppleTalk Default ] section.
LockOut
LockIn
LWFilter
TildeFilter
StIZFilter

[ AppleTalk WAN Default ]
# Allowed parameters include all parameters in the
# [ AppleTalk Default ] section.
Numbered
Updates
NodeProxy

[ AppleTalk LocalTalk Default ]
# Allowed parameters include all parameters in the
# [ AppleTalk Default ] section.
LockOut
LockIn
LWFilter
TildeFilter
StIZFilter
Phase1

[ DECnet Ethernet Default ]
Mode

[ DECnet WAN Default ]
Mode
HelloTimer
RoutingTimer

[ Bridging Ethernet Default ]
Mode
SpanningTreeBridged
UnknownProtocolsBridged
PortPriority
PathCost

[ Bridging WAN Default ]
Mode
SpanningTreeBridged
UnknownProtocolsBridged
PortPriority
PathCost

[ Link Config WAN Default ]
Mode
ConnectMode
DialOut
DialIn
AlwaysUp
DropInact
Dialing
DialOutScript
DialBackScript
DialTries
RetryDelay
ScriptTimeout
DCDCheck
BackupEnableDelay
BackupDisableDelay
BackupInitDelay

[ PPP WAN Default ]
Compress
EchoPackets
EchoInterval
EchoDrop
EchoThreshold
ACCM
ACCMVal
AddrCompress
ProtoCompress
Magic
CHAPRequest
CHAPRespond
CHAPName
CHAPSecret
CHAPReevalDelay
PAPRequest
PAPRespond
PAPName
PAPPassword

[ Frame Relay Default ]
MaintProtocol
MTU
PollingFreq
HomeDLCI

[ RS232 Interface Default ]
LinkType
FlowCntl
TxInternal
Baud

[ V.35 Interface WAN Default ]
TxInternal
Baud

[ T1 Interface WAN Default ]
DS0Start
DS0Count
ContiguousChannels
LineBuildOut
LineFraming
LineEncoding
InvertData
ChannelDataRate
ClockSource
TransmitPRM
ReceiveATTLoopUps
ReceiveV54LoopUps

Appendix B: Configuration Variable Types

There are four basic types of values used in keyword-value pairs in a router configuration. They are label, number, IP address, and string. Each type is described below.

Label
    A label is a string of letters, underscores, dashes, and/or numbers with no spaces. Keywords which expect labels are documented with all allowed labels. For example, the Mode keyword for IP configurations can have a label value of Routed, Bridged, or Off. Keywords with Boolean values will accept any version, such as On/Off, True/False, 1/0, or Yes/No.

Number
    A number value may be entered as a decimal number or as a hexadecimal number preceded by 0x. Some numbers (e.g., IPX network numbers) must be hexadecimal and do not need a leading 0x.

IP Address
    An IP address is entered in dotted-decimal notation (e.g., 192.116.12.1) where each 1- to 3-digit number is between 0 and 255.

String
    A string consists of a sequence of allowed characters and recognized escape sequences enclosed in double quotes. The allowed characters are all printable ASCII characters except for the backslash (\) and double quote (") characters. In addition, the tab and new line characters are allowed inside the double quotes. The escape sequences which are recognized are:

    \n               Insert a new line.
    \t               Insert a tab.
    \<space>         Follow the backslash with a space to insert a space.
    \"               Insert a " (double quote).
    \<octal digits>  Insert a single control character by entering its ASCII code as an octal number.
    \<new line>      Continue a long line of input across multiple lines. The new line will be converted to a single space character.
    \\               Insert a backslash.
If a string is continued onto a second or succeeding line, there must be whitespace at the beginning of the line. Thus,

    AdminName="This text is on line 1
       This text is on line 2.\
       This text is also on line 2."

is allowed, whereas

    AdminName="This text is on line 1
    This text is on line 2.\
    This text is also on line 2."

is an error.

Some keyword values may be a combination of more than one of the above types. In these cases, the different values are separated by whitespace. In order for a string to be differentiated in this case, the entire string should be enclosed in double quotes.
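A decoder for the string type described in Appendix B, as an added example that is not the router's own parser: it applies the seven escape sequences, keeps a raw new line that appears inside the quotes, turns a backslash followed by a new line into a single space, and rejects a continued line that does not begin with whitespace, so the two AdminName examples are accepted and rejected respectively. Two details the appendix leaves open are assumed here and marked in the code: a control-character escape takes up to three octal digits, and the indentation of a continued line is treated as layout and dropped from the value. The sample inputs are constructed from the appendix's own example.

```python
"""Decode the Appendix B string type: a double-quoted value with the escape
sequences \\n, \\t, \\<space>, \\", \\<octal digits>, \\<new line> and \\\\,
where every line that continues a string must begin with whitespace.

Added example, not the router's own parser. Assumptions: up to three octal
digits per control-character escape, and the leading whitespace of a continued
line is layout that is dropped from the decoded value.
"""
from typing import Tuple

# Printable ASCII except backslash and double quote, plus tab and new line.
ALLOWED = ({chr(c) for c in range(0x20, 0x7F)} - {"\\", '"'}) | {"\t", "\n"}
OCTAL = set("01234567")


class ConfigStringError(ValueError):
    """Raised for a malformed string value."""


def _skip_indent(text: str, i: int) -> int:
    """A line that continues a string must start with whitespace (Appendix B).

    The indentation itself is skipped (assumption, see module docstring).
    """
    if i >= len(text) or text[i] not in " \t":
        raise ConfigStringError("continued line must begin with whitespace")
    while i < len(text) and text[i] in " \t":
        i += 1
    return i


def parse_config_string(text: str, pos: int = 0) -> Tuple[str, int]:
    """Parse one quoted string starting at text[pos].

    Returns (decoded value, index just past the closing quote).
    """
    if pos >= len(text) or text[pos] != '"':
        raise ConfigStringError("string must start with a double quote")
    out = []
    i = pos + 1
    while i < len(text):
        ch = text[i]
        if ch == '"':
            return "".join(out), i + 1
        if ch == "\\":
            if i + 1 >= len(text):
                raise ConfigStringError("dangling backslash")
            esc = text[i + 1]
            i += 2
            if esc in 'nt "\\':
                # \n, \t, \<space>, \" and \\ map to one character each
                out.append({"n": "\n", "t": "\t"}.get(esc, esc))
            elif esc == "\n":
                out.append(" ")  # \<new line> becomes a single space
                i = _skip_indent(text, i)
            elif esc in OCTAL:
                # up to three octal digits (assumption), ASCII range only
                j = i
                while j < len(text) and j - i < 2 and text[j] in OCTAL:
                    j += 1
                code = int(text[i - 1:j], 8)
                if code > 0x7F:
                    raise ConfigStringError("octal escape exceeds ASCII range")
                out.append(chr(code))
                i = j
            else:
                raise ConfigStringError(f"unknown escape sequence \\{esc}")
            continue
        if ch == "\n":
            out.append("\n")  # a raw new line is allowed inside the quotes
            i = _skip_indent(text, i + 1)
            continue
        if ch not in ALLOWED:
            raise ConfigStringError(f"character {ch!r} is not allowed in a string")
        out.append(ch)
        i += 1
    raise ConfigStringError("unterminated string")


def parse_assignment(line: str) -> Tuple[str, str]:
    """Parse 'Keyword="..."', the form used in the Appendix B example."""
    key, sep, rest = line.partition("=")
    if not sep or not key.strip():
        raise ConfigStringError('expected Keyword="value"')
    rest = rest.lstrip(" \t")
    value, end = parse_config_string(rest)
    if rest[end:].strip():
        raise ConfigStringError("unexpected text after the closing quote")
    return key.strip(), value


def is_valid_assignment(line: str) -> bool:
    """True if the line is a well-formed string assignment."""
    try:
        parse_assignment(line)
    except ConfigStringError:
        return False
    return True


# Constructed from the Appendix B example: the continued lines are indented.
ALLOWED_EXAMPLE = (
    'AdminName="This text is on line 1\n'
    '   This text is on line 2.\\\n'
    '   This text is also on line 2."'
)
# The same text with the continued lines flush left, which Appendix B rejects.
REJECTED_EXAMPLE = (
    'AdminName="This text is on line 1\n'
    'This text is on line 2.\\\n'
    'This text is also on line 2."'
)

if __name__ == "__main__":
    key, value = parse_assignment(ALLOWED_EXAMPLE)
    print(f"{key} -> {value!r}")
    print("flush-left continuation accepted?", is_valid_assignment(REJECTED_EXAMPLE))
    print(parse_config_string('"tab\\there, quote\\", bell\\007, backslash\\\\"'))
```

The decoded value of the allowed example keeps the raw new line after "line 1" and joins the backslash-continued line with a single space, while the flush-left variant fails at the first continued line; any byte outside the allowed set, an unknown escape or an unterminated string is likewise rejected rather than passed through.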