3Com C36460T, 86-0621-000 User Manual


Enterprise OS Software

Version 11.4 Release Notes

3Com provides a CD-ROM that includes all Enterprise OS software version 11.4 software manuals plus version 11.4 new installation and upgrade manuals. To obtain a hardcopy version of the 11.4 documentation, order part number C36460T.

You can order the documentation CD-ROM using part number 3C6461T.

Additionally, all documentation for Enterprise OS software version 11.4 is located on the 3Com website:

http://infodeli.3com.com/infodeli/tools/bridrout/index.htm

http://www.3com.com/

Part No. 86-0621-000

Published January 2000

3Com Corporation
5400 Bayfront Plaza
Santa Clara, California
95052-8145

Copyright © 3Com Corporation, 2000. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without permission from 3Com Corporation.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.

3Com Corporation provides this documentation without warranty of any kind, either implied or expressed, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.

UNITED STATES GOVERNMENT LEGENDS:

If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following restricted rights:

For units of the Department of Defense:

Restricted Rights Legend: Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) for Restricted Rights in Technical Data and Computer Software Clause at 48 C.F.R. 52.227-7013. 3Com Corporation, 5400 Bayfront Plaza, Santa Clara, California 95052-8145.

For civilian agencies:

Restricted Rights Legend: Use, reproduction, or disclosure is subject to restrictions set forth in subparagraph (a) through (d) of the Commercial Computer Software – Restricted Rights Clause at 48 C.F.R. 52.227-19 and the limitations set forth in 3Com Corporation’s standard commercial agreement for the software. Unpublished rights reserved under the copyright laws of the United States.

If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

The software you have received may contain strong data encryption code that cannot be exported outside of the U.S. or Canada. You agree that you will not export/reexport, either physically or electronically, the encryption software or accompanying documentation (or copies thereof) or any products utilizing the encryption software or such documentation without obtaining written authorization from the U.S. Department of Commerce.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.

3Com, AccessBuilder, Boundary Routing, NETBuilder, NETBuilder II, OfficeConnect, SuperStack, and Transcend are registered trademarks and Edge Server, PathBuilder, and Total Control are trademarks of 3Com Corporation.

IBM, AS/400, SNA, and LAN Net Manager are registered trademarks of International Business Machines Corporation. Advanced Peer-to-Peer Networking and APPN are trademarks of International Business Machines Corporation. DECnet is a registered trademark of Digital Equipment Corporation. AppleTalk is a registered trademark of Apple Computer, Inc. NetWare is a registered trademark of Novell, Inc. RealPlayer is a trademark of Real Networks. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. VINES is a registered trademark of Banyan Systems. SunOS is a trademark of Sun Microsystems, Inc. XNS is a trademark of Xerox Corporation.

Other brand and product names may be registered trademarks or trademarks of their respective holders.

CONTENTS

ENTERPRISE OS SOFTWARE VERSION 11.4 RELEASE NOTES

Encryption Packages Notice  7
Supported Platforms  8
  OfficeConnect NETBuilder and SuperStack II NETBuilder SI Release  9
Platforms Not Supported  9
New Features and Feature Enhancements  9
  JAVA Runtime Environment  9
  VPN and Security Features  9
  Routing Support Features  11
  Traffic Shaping & QoS Features  14
  Dial Service Features  17
  Voice & Multiservice Features  17
  Network Management Features  18
  Transcend VPN Application Suite  21
11.4 Software Packages  23
  NETBuilder II Bridge/Router  23
  SuperStack II NETBuilder SI  26
  PathBuilder S5xx Series Switch  29
  PathBuilder S400 Series Switches  32
  OfficeConnect NETBuilder Bridge/Routers  34
  OfficeConnect NETBuilder 10/ST  37
  SuperStack II NETBuilder Token Ring  40
Upgrade Management Utilities  43
  Downloading Upgrade Management Utilities  43
  UNIX Files  43
  Windows Files  43
  Executing profile.bat  44
  Version 11.4 Upgrade Management Utilities  44
  Upgrading to 11.4 Utilities with Transcend Upgrade Manager  44
  Transcend Enterprise Manager  44
Upgrade Management Notes  45
  bcmdiagnose Error Message  45
  SuperStack II NETBuilder Token Ring Upgrades  45
  bcmdiagnose and HP-UX  45
  bcmfdinteg  45
  File Conversion Considerations  46
  UNIX Platform Symbolic Links  46
  Upgrading From Release 8.3 or Earlier  46
  Upgrade Link and Netscape Browser Scroll Bars  46
  Upgrade Link Window Resizing  47
IBM Protocols and Services Notes  47
  APPN  47
  APPN Connections to 3174 through Token Ring  47
  APPN CP-CP Sessions and SNA Boundary Routing  47
  APPN CP-CP Sessions on Parallel TGs  47
  APPN DLUr Connections to 3174 Systems  47
  BSC and Leased Lines  47
  Boundary Routing and NetView Service Point  48
  Configuring BSC and NCPs  48
  DLSw Circuit Balancing  48
  DLSw and CONNectUsage Parameter Default Change  48
  DLSw Prioritization  48
  DLSw and IBM Boundary Routing in Large Networks  48
  Front-End Processor/Frame Relay Access for LLC2 Traffic  49
  HPR and ISR Configurations  49
  IBM Boundary Routing Topology Disaster Recovery  49
  IBM-Related Services in Token Ring  50
  LAN Network Manager with NETBuilder II Systems  51
  LLC2 Frames and PPP  52
  Maximum BSC Line Speed  52
  SHDLC Half-Duplex Mode  52
  SDLC  52
  SDLC Adjacent Link Stations for APPN  52
  Source Route Transparent Bridging Gateway (SRTG) Interoperability  52
  SDLC Ports and NetView Service Point  52
  UI Response Time With Large SDLC Configuration  52
  VTAM Program Temporary Fixes  52
ATM Services Notes  53
  ATM Emulated LANs  53
  ATM LAN Emulation Clients and Large 802.3 Frames  53
  ATM Connection Table  53
  Deleting ATM Neighbors  53
  Source-Route Transparent Gateway  53
WAN Protocols and Services Notes  53
  ACCM Not Configurable  53
  Asynch Tunnelling on Serial Ports  53
  Automatic Line Detection  53
  Auto Start-up Does Not Include Async  54
  Bandwidth-on-Demand Timer Precedence  54
  Baud Rates for WAN Ports in DCE Mode  54
  BSC Cabling and Clocking  54
  Changing the Transfer Mode Parameter Default Value  54
  Compression Requirements  54
  Dial Idle Timer  55
  Disaster Recovery on Ports Without Leased Lines  55
  DTR Modems  55
  Dynamic Paths  55
  Frame Relay Congestion Control  55
  History-Based Compression Negotiation Failure  55
  History Compression Not Allowed With Async PPP  55
  Multilink PPP Configurations  55
  SPID Wizard Detection Errors  56
  STP AutoMode Does Not Select the Right Mode  56
  Supported Modems  56
Routing Protocols and Services Notes  56
  BGP Configuration Files  56
  CPU Utilization with XNS Protocol  57
  IPX to Non-IPX Configuration Error  57
  IPX Routing, Route Receive and Route Advertisement Policies  57
  Managing IP Address Assignment  57
  NAT Service - Many to One Outbound Translation  57
  NAT Service - TCP/UDP Port Mappings  57
  OSPF Route Advertisement  57
  PIM-Sparse Mode  57
  PIM-SM Enterprise OS/Cisco Incompatibility  57
  PIM-SM Register Checksum Formats  57
  PIM-SM Not Supported Over NBMA Media  58
  RouteDiscovery  58
  VRRP Configuration  58
Network Management System and Services Notes  58
  ASCII Boot  58
  Boot Cycle Continuous Loop  58
  BootP Server and Autostartup  58
  Bootptab File  58
  Capturing Commands to boot.cfg File  59
  Change Configuration and Diagnostic Menu  59
  CPU Utilization Statistic  59
  File System Error  59
  Firmware Configuration  59
  Firmware Update  59
  IP Quality of Service Bandwidth  59
  IP Quality of Service Configuration  59
  Multiple Paths to BootP Server  59
  Remote Access Default Change  60
  Scheduler RunOnBootFail Completion  60
  V.25bis Modem Setup  60
  Web Link Documentation Path  60
  Web Link Login Support  60
  Zmodem Time Out  60
VPN Protocols and Services Notes  60
  ACE Security Server  60
  Total Control Security and Accounting Server Availability  60
  Microsoft MPPE Patches and Updates  61
  PKI: Entrust CA Installation Notes  61
  PPTP Tunnel Security Validation  62
  RSA Signature for Phase 1 Authentication  62
  Windows NT MS-CHAP Authentication  62
Platform Notes  63
  OfficeConnect NETBuilder and SuperStack II NETBuilder SI Additional Memory Requirements  63
  Approved DRAM SIMMs  63
  Supported PC Flash Memory Cards  64
  Line Error Reporting on PathBuilder S5xx Series Switch Statistics Display  64
  T3 Bandwidth Limitation  64
  MBRI Ownership During Board Swapping  64
  Multiport MBRI Module SNMP Management  64
  Token Ring+ Modules  64
  Token Ring Auto Start-up  64

ENTERPRISE OS SOFTWARE VERSION 11.4 RELEASE NOTES

These release notes provide information on the following topics for Enterprise OS software version 11.4:

Encryption Packages Notice
Supported Platforms
Platforms Not Supported
New Features and Feature Enhancements
11.4 Software Packages
Upgrade Management Utilities
Upgrade Management Notes
IBM Protocols and Services Notes
ATM Services Notes
WAN Protocols and Services Notes
Routing Protocols and Services Notes
Network Management System and Services Notes
VPN Protocols and Services Notes
Platform Notes

If you have questions about the software, the guides, or these release notes, contact 3Com or your network supplier.

For information on the command syntax used in these release notes, see “About This Guide” in Using Enterprise OS Software.

Encryption Packages Notice

The Enterprise OS software version 11.4 may contain strong data encryption that cannot be exported outside the United States or Canada. It is unlawful to export/re-export or transfer, either physically or electronically, the encryption software or accompanying documentation (or copies thereof) or any product(s) utilizing the encryption software or such documentation without obtaining written authorization from the US Department of Commerce.

Do not place Enterprise OS version 11.4 packages with encryption on networks or servers that are accessible to users outside of the U.S. and Canada.

Software packages with encryption include the following:

PathBuilder™ S5xx series switch
  Multiprotocol Router with 40-bit Encryption (PL)
  Multiprotocol Router with 56-bit Encryption (PE)
  Multiprotocol Router with 128-bit Encryption with 3DES (PS)

PathBuilder S400 switch
  Multiprotocol Router with 40-bit Encryption (ML)
  Multiprotocol Router with 56-bit Encryption (ME)
  Multiprotocol Router with 128-bit Encryption with 3DES (MS)
  IP/IPX/AT Router with 40- and 56-bit Encryption (XE)
  IP/IPX/AT Router with 128-bit Encryption with 3DES (XS)

NETBuilder II®
  Multiprotocol Router with 40-bit Encryption (DL)
  Multiprotocol Router with 56-bit Encryption (DE)
  Multiprotocol Router with 128-bit Encryption with 3DES (DS)

SuperStack® II NETBuilder® SI
  IP/IPX/AT Router with 40- and 56-bit Encryption (NE) (SI model)
  IP/IPX/AT Router with 128-bit Encryption with 3DES (NS) (SI model)
  Multiprotocol Router with 40-bit Encryption (CL) (SI model)
  Multiprotocol Router with 56-bit Encryption (CE) (SI model)
  Multiprotocol Router with 128-bit Encryption with 3DES (CS) (SI model)

SuperStack II NETBuilder
  Multiprotocol Router with 56-bit Encryption (TE) (Token Ring models 327 and 527)

OfficeConnect® NETBuilder
  IP/IPX Router (JW)
  IP/IPX Router with 56-bit Encryption (JE)
  IP/IPX Router with 128-bit Encryption with 3DES (JS)
  IP/IPX/AT Router with 40- and 56-bit Encryption (NE)
  IP/IPX/AT Router with 128-bit Encryption with 3DES (NS)
  Multiprotocol Router with 56-bit Encryption (OE)
  Multiprotocol Router with 128-bit Encryption with 3DES (OS)

OfficeConnect 10 NETBuilder
  Router (RW)
  Router with 56-bit Encryption (RE)
  Router with 128-bit Encryption with 3DES (RS)

Supported Platforms

Enterprise OS software version 11.4 is available for the following platforms:

NETBuilder II
SuperStack II NETBuilder models 327 and 527
SuperStack II NETBuilder SI models 43x, 44x, 45x, 46x, 53x, 54x, 55x, and 56x
OfficeConnect NETBuilder models 11x, 12x (K and T variants), 13x, 14x (U and ST variants) and 10/ST
PathBuilder S5xx series switch models S500, S580, S593, S594, S598 and S599
PathBuilder S400

OfficeConnect NETBuilder and SuperStack II NETBuilder SI Release

Due to increased memory requirements, the OfficeConnect NETBuilder and SuperStack II NETBuilder SI will be released after the general release of Enterprise OS Software version 11.4. The general release will include support for the following platforms: NETBuilder II, SuperStack II NETBuilder Token Ring, PathBuilder S50x, S58x, S59x, and PathBuilder S400 devices. Watch for special release announcements for the OfficeConnect NETBuilder and SuperStack II NETBuilder SI devices.

See “OfficeConnect NETBuilder and SuperStack II NETBuilder SI Additional Memory Requirements” on page 63 for details about memory requirements for the OfficeConnect NETBuilder and SuperStack II NETBuilder SI devices.

 

 

Platforms Not Supported

The Enterprise OS software version 11.4 does not support the following bridge/routers:

Model 227 SuperStack II NETBuilder Router (Ethernet)
Model 427 SuperStack II NETBuilder Router (Ethernet, ISDN)
Model 120 OfficeConnect NETBuilder (FRAD)
Model S574 and S578 PathBuilder Switch

 

 

New Features and Feature Enhancements

Enterprise OS is the system software that operates within the NETBuilder and PathBuilder WAN products. Enterprise OS devices supported by this release include the NETBuilder II, SuperStack II NETBuilder, OfficeConnect NETBuilder bridge/router, PathBuilder S5xx tunnel switch (models S500, S580, S593, S590, S594, S598, S599), and the PathBuilder S400 WAN convergence switch.

This section highlights the new features and enhancements contained within Enterprise OS software version 11.4.

JAVA Runtime Environment

With 3Com Enterprise OS software version 11.4, the /tools/jre subdirectory contains the MS Windows 95/98/NT version of the JRE (Java Runtime Environment) written by Sun Microsystems. This JRE archive file is a self-extracting executable that contains the Java virtual machine, runtime class libraries, and Java application launcher that are necessary to run programs written in the Java programming language. The JRE is needed to run the following Enterprise OS applications:

Voice Wizard in Web Link (embedded web interface) on the PathBuilder S400 devices
PKI Manager (part of the Transcend VPN Application Suite)

For more information or to download the UNIX version, see Sun's website:

http://java.sun.com/products/jdk/1.2/runtime.html

VPN and Security Features

VPN and Security features provide Public-Key Infrastructure, Non-Broadcast, Multi-Access (NHRP) for VPN Tunnels, IP Payload Compression Protocol (IPComp), and Tunnel Switching Between Different Tunnel Types.

Public-Key Infrastructure (PKI) Implementation

Applications like IP Security (IPsec) and Internet Key Exchange (IKE) employ public-key technology for such security purposes as identifying oneself to remote entities, verifying a remote entity's identity, or initiating secure communications with remote peers. Such applications require a public-key infrastructure (PKI) to securely manage public keys for widely-distributed users or systems. The implementation of PKI is based on the X.509 standard.

Also new is PKI Manager, a graphical management application that helps Enterprise OS devices obtain PKI certificates and Certificate Revocation Lists (CRLs) from various Certificate Authorities (CAs). PKI Manager works as a proxy between the device and the CA. It is responsible for collecting the certificate requests from the devices and generating the CA-specific certificate request syntax (CRS), which in turn is sent to the CA. After the CA issues the certificate, PKI Manager retrieves it from the CA and sends it to the Enterprise OS device. The CAs supported with this first release are Verisign and Entrust. The application is currently supported only on Windows NT. See the “Transcend VPN Application Suite” section of this release note for more information.

Non-Broadcast, Multi-Access (NHRP) for VPN Tunnels

With the Non-Broadcast, Multi-Access (NBMA) characteristics of a Point-To-Multi-Point (P2MP) VPN tunnel (also called IP-Over-IP tunnel), an IP packet must be forwarded via a routed tunnel path. These tunnel paths must be configured statically between each pair of neighbors. All VPN traffic is allowed to flow only through the configured neighboring paths. This makes routing inefficient since data forwarding may not always be using the best route with the shortest hops. To solve this, the user would have to go to the trouble of configuring a fully-meshed VPN so packets could be forwarded with one hop.

With the Next Hop Resolution Protocol (NHRP) implemented in 11.4, tunnels are now established dynamically. NHRP enhances the Point-To-Multi-Point (P2MP) VPN tunnel by eliminating the need to statically configure each and every end-point virtual port on the device. NHRP resolves the next hop when forwarding data through tunnels. The Enterprise OS device “automatically” discovers its shortcut path for routing, without every neighboring path having to be configured manually.

IP Payload Compression Protocol (IPComp or IPPCP)

Enterprise OS software supports data compression to ease bandwidth problems. In previous software releases, however, compression was not effective when a data stream was encrypted at layer 3, because compression applied to ciphertext cannot reduce its size. With 11.4, the IP Payload Compression Protocol (IPComp, RFC 2393) first compresses the data to reduce the size of the IP datagram, and encryption is performed afterwards, so the size of IP datagrams is reduced. This is extremely useful when IPsec encryption is applied to IP datagrams: compression of outbound IP datagrams is done before any IP security processing, and decompression of inbound IP datagrams is applied after all IP security processing has completed. Only dynamic negotiation of the IPComp Association (IPCA) via IKE and one compression algorithm (LZS) are supported in 11.4. Any negotiation of IPComp is always combined with a negotiation of ESP, AH, or both.
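The compress-before-encrypt ordering, as an added illustration (not Enterprise OS or 3Com code): it builds the RFC 2393 IPComp header, applies the RFC 2393 rule that a payload which does not shrink is sent uncompressed without an IPComp header, and compares wire sizes for both orderings. DEFLATE (well-known CPI 2, RFC 2394) stands in for LZS because LZS is not in Python's standard library, a keyed-hash XOR keystream stands in for ESP so sizes can be compared offline, and the sample payload and key are constructed.

```python
import hashlib
import struct
import zlib

IPPROTO_UDP = 17
IPPROTO_IPCOMP = 108        # protocol number assigned to IPComp (RFC 2393)
CPI_DEFLATE = 2             # well-known CPI values, RFC 2393 section 3.3
CPI_LZS = 3                 # the algorithm 11.4 negotiates; not in the stdlib


def ipcomp_encapsulate(payload, next_header, cpi=CPI_DEFLATE):
    """Return (protocol, wire_payload) for an outbound datagram.

    RFC 2393: a payload that does not get smaller is sent in its original,
    uncompressed form with no IPComp header, so the receiver must be ready
    for either protocol number.
    """
    comp = zlib.compressobj(level=6, wbits=-15)   # raw DEFLATE, as RFC 2394 uses
    compressed = comp.compress(payload) + comp.flush()
    if len(compressed) >= len(payload):
        return next_header, payload
    header = struct.pack("!BBH", next_header, 0, cpi)  # Next Header, Flags, CPI
    return IPPROTO_IPCOMP, header + compressed


def ipcomp_decapsulate(protocol, wire_payload):
    """Inverse of ipcomp_encapsulate: return (inner protocol, original payload)."""
    if protocol != IPPROTO_IPCOMP:
        return protocol, wire_payload                 # arrived uncompressed
    next_header, flags, cpi = struct.unpack("!BBH", wire_payload[:4])
    if flags != 0 or cpi != CPI_DEFLATE:
        raise ValueError("unsupported IPComp header: flags=%d cpi=%d" % (flags, cpi))
    return next_header, zlib.decompress(wire_payload[4:], wbits=-15)


def toy_encrypt(key, data):
    """Stand-in for ESP: XOR with a SHA-256 counter keystream.

    Size-preserving with high-entropy output, which is all this comparison
    needs; it is a demo construction, not a real cipher.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        keystream = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], keystream))
    return bytes(out)


def wire_sizes(payload, key):
    """Bytes on the wire for the two orderings the release note contrasts."""
    # 11.4 ordering: compress the IP payload first, then encrypt the result
    _, comp = ipcomp_encapsulate(payload, IPPROTO_UDP)
    compress_then_encrypt = len(toy_encrypt(key, comp))
    # The pre-11.4 problem: compression applied to data already encrypted at
    # layer 3 sees only ciphertext, cannot shrink it, and falls back to
    # sending it uncompressed
    encrypted = toy_encrypt(key, payload)
    _, comp_of_ct = ipcomp_encapsulate(encrypted, IPPROTO_UDP)
    return {"original": len(payload),
            "compress_then_encrypt": compress_then_encrypt,
            "encrypt_then_compress": len(comp_of_ct)}


# Constructed sample: a repetitive, highly compressible application message
SAMPLE_PAYLOAD = b"STATUS host=branch-router-01 link=up load=low\n" * 40
SAMPLE_KEY = b"demo-key-not-secret"

if __name__ == "__main__":
    print(wire_sizes(SAMPLE_PAYLOAD, SAMPLE_KEY))
```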


Tunnel Switching Between Different Tunnel Types

So that tunnel switching between two sessions of different tunnel types can be easily implemented and maintained, Enterprise OS software version 11.4 has been re-structured to support tunnel switching from PPP over Ethernet (PPPoE) to PPTP, and from PPPoE to L2TP. Users can now dial-in through a PPPoE tunnel and “switch out” through a PPTP or L2TP tunnel. This enables the Enterprise OS device to have the flexibility of switching between tunnels of different tunnel types.

Routing Support Features

Routing support features include OSPF External Route Aggregation, Protocol Independent Multicast-Sparse Mode (PIM-SM), Multicast Border Router (MBR), IGMPv2 Enhancements, PPP over Ethernet (PPPoE), Virtual Router Redundancy Protocol (VRRP) for ATM Ethernet LAN Emulation, Virtual Router Redundancy Protocol (VRRP) for Virtual LAN (VLAN), Many-to-One NAT Enhancement, BGP-4 & IPv6 added to multiprotocol packages for OfficeConnect NETBuilder, SuperStack II NETBuilder SI, and PathBuilder S400 devices, and RSVP and RSVP Proxy added to software packages for OfficeConnect NETBuilder, SuperStack II NETBuilder SI, and PathBuilder S400 devices.

OSPF External Route Aggregation

With OSPF, the user can import routes from external routing sources (for example, BGP, RIP, static routes, and directly connected networks). These imported routes become OSPF external routes. In some networks, the number of external routes to be advertised can cause traffic congestion on the backbone and subsequently to all areas.

Version 11.4 aggregates type 5 external routes: the user defines external route ranges, and an external route is advertised only if it falls within a defined range. This reduces the number of external routes advertised in the backbone and regular areas.

Protocol Independent Multicast-Sparse Mode (PIM-SM)

The periodic broadcasting of information by DVMRP and MOSPF to identify the location of interested receivers for a specific multicast session is only useful in networks where bandwidth is plentiful or when there is a large number of senders and receivers for a multicast session. When senders and receivers to multicast sessions are distributed sparsely across a wide area such schemes are not efficient. They waste bandwidth on expensive WAN links and require the maintenance of “routing-state” on routers that are not on the forwarding tree for the multicast session. Protocol Independent Multicast-Sparse Mode (PIM-SM), implemented in 11.4, is an intra-domain multicast routing protocol designed to resolve some of the inadequacies with these other multicast protocols.

PIM-SM is “protocol independent” in that it can work with any unicast routing protocol. It builds a per-group (or per multicast session) shared multicast distribution tree centered at a rendezvous point, and requires receivers to explicitly join to this shared distribution tree prior to receiving data traffic. Since a “shared-tree” mechanism could result in suboptimal paths for data traffic from a source to the receivers of a multicast session, PIM-SM also supports the ability to switch to a source specific distribution tree if the data traffic warrants it. The implementation of PIM-SM supports IPv4 in this release (IPv6 is not supported in this release).


Multicast Border Router (MBR)

To allow sources and receivers inside multiple autonomous multicast routing domains (each running a different multicast routing protocol -- DVMRP, MOSPF, or PIM-SM) to communicate, the regions must be connected by multicast border routers (MBRs). The primary role of the MBR is to pull traffic from one domain into another domain. This MBR functionality is implemented in the Enterprise OS device to allow efficient interoperation among independent multicast routing protocols. A common forwarding cache for multicast data packets has been implemented, so MBR makes it easier to have a unified forwarding table for multicast data traffic. The multicast routing protocols maintain protocol-specific routing state and create forwarding entries in the unified forwarding table for multicast traffic.

IGMPv2 Enhancements

Adding to the IGMPv1 support, 11.4 adds support for IGMPv2 (RFC 2236). Feature enhancements include the following:

Allows a host to inform a multicast router when it no longer wants to receive traffic for a given multicast group.

Defines a new procedure for electing the multicast querier on a LAN; the multicast router with the lowest IP address is always chosen as the querier.

Defines a new type of Query message, called the Group-Specific Query. This type of message allows a router to transmit a query to a specific multicast group rather than all groups that reside on a directly attached subnet.

PPP over Ethernet (PPPoE)

With 11.4, PPP over Ethernet (PPPoE) is available to offer a seamless integration of broadband access technology into the existing infrastructure and operational model of remote access. As specified in the informational RFC 2516, PPPoE encapsulates PPP packets over Ethernet. It is intended for use by a host PC to interact with a broadband modem (e.g. xDSL, cable, and wireless access devices) to achieve access to high-speed data networks. The PPPoE offering is targeted at Carriers, ISPs, and NSPs with an ATM backbone for use in a VPN environment for broadband access.

Ethernet is the most proven, familiar, and cost-effective LAN technology that exists today. PPP is the most popular dial-up transport, created to negotiate connectivity parameters, authenticate users, dynamically assign IP addresses, and support multiprotocol environments. In a remote dial-up environment, besides the traditional analog and ISDN modems, several other high-speed, broadband CPEs are being rapidly deployed (for example, xDSL, cable, and wireless access devices). All high-speed, broadband access equipment requires end users to be knowledgeable in their technologies, connectivity, and configuration characteristics. With PPPoE, much of the complexity of these broadband devices is hidden from the user. In addition to ease of configuration and use for the end user, PPPoE also simplifies provisioning, installation, and management for the service provider.

Advantages of PPPoE:

Supports multiple hosts and users across a dedicated broadband connection and a single ATM or Frame Relay PVC with the same Ethernet infrastructure.


Provides end users with ease of installation and configuration; no special configuration of the PC or modem is needed.

Provides service providers with ease of provisioning, services, and management.

Operates independent of access device (that is, works for xDSL, cable, or wireless devices) which shields end users from the need to learn complicated technologies (for example, ATM).

Preserves the applications that have been built around Microsoft Windows Dial-Up Networking (DUN). A simple PPPoE client driver is used with an interface and functionality familiar to the user.

Virtual Router Redundancy Protocol (VRRP) for ATM Ethernet LAN Emulation

In addition to supporting Virtual Router Redundancy Protocol (VRRP) on Enterprise OS platforms with Ethernet, Fiber Distributed Data Interface (FDDI), and Token Ring interfaces, 11.4 now supports ATM Ethernet LAN Emulation (ATM LANE).

LANE operates by maintaining a set of mappings from MAC addresses to ATM addresses. When running VRRP on a LANE network, the LANE protocol must be notified when a new master router is elected so that it can update the MAC address to ATM address mapping within the ELAN for the virtual router's MAC address. In essence, while running VRRP over LANE, a virtual MAC address may change location from one LEC to another.

For more information regarding VRRP, consult the Internet Drafts for VRRP (draft-ietf-vrrp-spec-v2-03.txt) and VRRP Operation over ATM LAN Emulation (draft-ietf-vrrp-lane-01.txt).

Virtual Router Redundancy Protocol (VRRP) for Virtual LAN (VLAN)

In addition to supporting Virtual Router Redundancy Protocol (VRRP) over a physical LAN, with 11.4 comes support for VRRP for the Virtual LAN (VLAN).

A VLAN can be seen as a group of end-stations, perhaps on multiple physical LAN segments that are not constrained by their physical location and can communicate as if they were on a common LAN. With VRRP for VLAN, network operation is ensured since dynamic responsibility for a virtual router is transmitted to one of the VRRP routers on a VLAN.

When VRRP is used over a physical LAN, an owner of the Virtual Router ID (VRID) may change the MAC address to the Virtual MAC (VMAC) address without transitioning to promiscuous mode. For the VLAN implementation, when a VRRP router becomes the master (the router that is forwarding the virtual IP packets), the VLAN interface will always be in promiscuous mode.

Many-to-One NAT Enhancement

When executing large file transfers with a block size greater than the underlying media can handle, IP fragments the UDP packet. Only the first fragment contains the UDP header (which carries the source and destination ports that NAT needs to map the packet to a NAT IP address); the subsequent fragments do not, so NAT has no UDP ports to map to the NAT IP address. In previous releases, this condition would occur during, for example, TFTP file transfers using Large Blocksize Negotiation (RFC 1783).

Each fragment carries an IP Identification (ID) number that is used for reassembly. When the first fragment arrives, the ID is stored in the NAT session that has already been set up for the TFTP file transfer, so when subsequent fragments arrive with no UDP header, a search is made for the session by ID and the relevant IP address. After the session is found, the destination and source ports are known and NAT can translate.
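The fragment-matching logic just described, as an added model (not Enterprise OS code): sessions are keyed by the UDP four-tuple, the IP ID of a fragmented datagram is recorded from its first fragment, and later fragments are matched by (IP address, IP ID) in each direction. Packets are modelled as dicts; the TFTP-style sample traffic, NAT address, ports and IDs are constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    nat_port: int
    ip_ids: set = field(default_factory=set)   # IP IDs of fragmented datagrams in flight


class ManyToOneNat:
    """Many-to-one (port-overloading) UDP NAT with RFC 791 fragment handling."""

    def __init__(self, nat_ip, first_port=20000):
        self.nat_ip = nat_ip
        self.next_port = first_port
        self.by_flow = {}      # (inside_ip, inside_port, outside_ip, outside_port) -> Session
        self.by_nat_port = {}  # nat_port -> Session
        self.by_frag_out = {}  # (inside_ip, ip_id) -> Session   (aged out with the session
        self.by_frag_in = {}   # (outside_ip, ip_id) -> Session   in a real implementation)

    def _alloc_port(self):
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, pkt):
        """Translate an inside->outside packet; return None if it must be dropped."""
        first = pkt["frag_offset"] == 0          # only this fragment carries the UDP header
        if first:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            sess = self.by_flow.get(key)
            if sess is None:
                sess = Session(*key, nat_port=self._alloc_port())
                self.by_flow[key] = sess
                self.by_nat_port[sess.nat_port] = sess
            if pkt["more_fragments"]:
                # first fragment of a fragmented datagram: remember its IP ID
                sess.ip_ids.add(pkt["id"])
                self.by_frag_out[(pkt["src"], pkt["id"])] = sess
        else:
            # later fragment: no UDP header, so look the session up by (source IP, IP ID)
            sess = self.by_frag_out.get((pkt["src"], pkt["id"]))
            if sess is None:
                return None                      # fragment of an unknown datagram: drop
        out = dict(pkt, src=self.nat_ip)
        if first:
            out["sport"] = sess.nat_port
        return out

    def translate_inbound(self, pkt):
        """Translate an outside->inside packet addressed to the NAT IP; None if dropped."""
        first = pkt["frag_offset"] == 0
        if first:
            sess = self.by_nat_port.get(pkt["dport"])
            if sess is None or sess.outside_ip != pkt["src"]:
                return None                      # no session for this peer and port: drop
            if pkt["more_fragments"]:
                sess.ip_ids.add(pkt["id"])
                self.by_frag_in[(pkt["src"], pkt["id"])] = sess
        else:
            sess = self.by_frag_in.get((pkt["src"], pkt["id"]))
            if sess is None:
                return None
        out = dict(pkt, dst=sess.inside_ip)
        if first:
            out["dport"] = sess.inside_port
        return out


def run_demo():
    """Constructed TFTP-style exchange: a 3-fragment request out, a stray fragment,
    and a 2-fragment reply back in."""
    nat = ManyToOneNat("203.0.113.5")
    common = {"src": "10.0.0.7", "dst": "192.0.2.10", "id": 4242}
    request = [
        dict(common, frag_offset=0, more_fragments=True, sport=4000, dport=69),
        dict(common, frag_offset=185, more_fragments=True),
        dict(common, frag_offset=370, more_fragments=False),
    ]
    translated = [nat.translate_outbound(f) for f in request]
    stray = nat.translate_outbound({"src": "10.0.0.9", "dst": "192.0.2.10", "id": 99,
                                    "frag_offset": 185, "more_fragments": False})
    reply_head = nat.translate_inbound({"src": "192.0.2.10", "dst": "203.0.113.5", "id": 777,
                                        "frag_offset": 0, "more_fragments": True,
                                        "sport": 50000, "dport": translated[0]["sport"]})
    reply_tail = nat.translate_inbound({"src": "192.0.2.10", "dst": "203.0.113.5", "id": 777,
                                        "frag_offset": 185, "more_fragments": False})
    return translated, stray, reply_head, reply_tail


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```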

BGP-4 & IPv6 added to Multiprotocol Packages for OfficeConnect NETBuilder & SuperStack II NETBuilder SI & PathBuilder S400 devices

Previously, BGP-4 and IPv6 were available only on the NETBuilder II and PathBuilder S5xx devices. Starting with 11.4, BGP-4 and IPv6 are supported on the OfficeConnect NETBuilder and SuperStack II NETBuilder SI (Ethernet only) bridge/routers, as well as on the PathBuilder S400 WAN convergence switch. BGP-4 and IPv6 are available only in the multiprotocol packages for these platforms.

RSVP & RSVP Proxy added to Software Packages for OfficeConnect NETBuilder & SuperStack II NETBuilder SI & PathBuilder S400 devices

Previously, RSVP was available only on the NETBuilder II and PathBuilder S5xx devices. Starting with 11.4, RSVP and RSVP Proxy are supported on the OfficeConnect NETBuilder and SuperStack II NETBuilder SI (Ethernet only) bridge/routers, as well as on the PathBuilder S400 WAN convergence switch.

Traffic Shaping & QoS Features

Traffic shaping and Quality of Service (QoS) features include Bandwidth on Demand with Incoming Traffic, and IP Quality of Service (IPQoS).

Bandwidth on Demand with Incoming Traffic

Bandwidth on Demand is a facility that provides supplementary bandwidth above the normal bandwidth levels specified by the user whenever traffic congestion is detected. In previous releases, only the transmitted traffic load was used to control this feature; with the 11.4 release, incoming traffic is also monitored. The need to monitor incoming traffic for Bandwidth on Demand appears in such situations as when a router that is connected to an ISP downloads a web-page. The incoming traffic bandwidth consumption would be high; it would be desirable at this point to add more bandwidth to accommodate the desired burst in traffic.

IP Quality of Service (IPQoS)

With the enormous growth in network traffic, robust QoS is required to ensure mission-critical and real-time application traffic will get adequate network resources to traverse the network regardless of the competing demands for bandwidth by other applications.

Policy-based QoS management enables network managers to control bandwidth allocation and service levels on IP traffic flows. Traffic flows can be metered and policed on a per-policy basis to ensure that their bandwidth consumption does not exceed the defined rate limits. When multiple flows are aggregated into a service class, rate limiting protects conforming flows from aggressive flows hogging network resources, which could otherwise lead to a denial of service. Flows can also be policed to ensure correct marking of the IP/TOS byte in the IP header as required by policy.


Given the scalability problems associated with RSVP, the emerging IETF standard for scalable end-to-end QoS, IP Differentiated Services, is supported. Incoming traffic flows can be classified into service classes for each defined QoS policy, with the routers providing the service level that corresponds to the Differentiated Services Code Point (DSCP), bits 0-5 in the TOS byte, via the Class-Based Queue (CBQ) packet scheduler and Random Early Detection (RED) congestion avoidance mechanisms. These queue management policies are supported only over the slower FR and PPP WAN links.

Brief descriptions of additional QoS features are listed below. For further information on IPQoS, consult RFC 2474 (Definition of Differentiated Service Field in IP Headers) and RFC 2309 (Recommendations on Queue Management & Congestion Avoidance in the Internet).

Policy-based QoS Management

Flexible QoS control is configured via the IPQoS Service as port specific policies. QoS policies can be applied to the inbound traffic at the ingress port and/or the outbound traffic at the egress port. QoS policies are associated with flows.

Policies are stored in the user-defined precedence order in the QoS policy database. The policy action associated with the first matching policy found for a packet is applied. A flow can be defined as either an aggregated flow or a specific application flow between two end systems. Flows are classified via the generic packet classification service provided by IP.

A network manager can define the following types of QoS policy:

Bandwidth control - If rate limiting is specified in a QoS policy, the associated traffic flow is metered and policed. Rate limiting can be applied to traffic transmitted or received on an interface. Users may also define actions, such as forward, discard, or remark the TOS byte, to handle traffic that conforms to or exceeds the rate limit.

TOS control - TOS can be set to a specified TOS value. This allows incoming packets to be classified into a small number of DSCP-based classes. The TOS byte can also be remarked for forwarding to another administrative domain with a different IP/TOS convention.

Service class control - A specific service class can be assigned to a flow independent of the DSCP value in the TOS byte. By default, the 6-bit DSCP value is mapped into a CBQ service class at the outgoing WAN port.

Traffic redirect - traffic can be redirected at the ingress port.
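The policy database behaviour described above (first-match precedence, a meter that decides whether a packet conforms to the rate limit, and separate conform/exceed actions of forward, discard or remark), as an added worked example. This is constructed illustration code, not Enterprise OS configuration syntax: the token-bucket meter is a standard way to realise rate limiting and is assumed here, and the policy names, packet fields and rates are made up for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Policy:
    name: str
    match: Callable[[dict], bool]       # packet classifier for this policy's flow
    rate_bps: Optional[int] = None      # None means the flow is not rate limited
    burst_bytes: int = 1500             # token bucket depth for the meter
    conform_action: str = "forward"     # forward | discard | remark
    exceed_action: str = "forward"      # forward | discard | remark
    remark_dscp: Optional[int] = None   # 6-bit DSCP written when the action is "remark"


class TokenBucketMeter:
    """Assumed meter: a packet conforms if the bucket holds enough tokens (bytes) for it."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8.0      # tokens (bytes) added per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def conforms(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class PolicyDatabase:
    def __init__(self, policies):
        self.policies = list(policies)  # user-defined precedence order: first match wins
        self.meters = {p.name: TokenBucketMeter(p.rate_bps, p.burst_bytes)
                       for p in self.policies if p.rate_bps is not None}

    def apply(self, pkt: dict, now: float):
        """Return (policy name, action, packet) for the first matching policy."""
        for p in self.policies:
            if not p.match(pkt):
                continue
            if p.rate_bps is None or self.meters[p.name].conforms(pkt["len"], now):
                action = p.conform_action
            else:
                action = p.exceed_action
            if action == "remark":
                # DSCP occupies the six high-order bits of the TOS byte; keep the low two bits
                pkt = dict(pkt, tos=(p.remark_dscp << 2) | (pkt["tos"] & 0x3))
                action = "forward"
            return p.name, action, pkt
        return None, "forward", pkt   # no policy matched: default forwarding, TOS unchanged


def demo():
    """Constructed traffic: a rate-limited voice flow and a catch-all that remarks to best effort."""
    db = PolicyDatabase([
        Policy("voice", match=lambda p: p["proto"] == "udp" and p["dport"] == 5004,
               rate_bps=64000, burst_bytes=1500, exceed_action="discard"),
        Policy("bulk", match=lambda p: True, conform_action="remark", remark_dscp=0),
    ])
    voice = {"proto": "udp", "dport": 5004, "len": 1000, "tos": 0xB8}   # DSCP 46 (EF)
    ftp = {"proto": "tcp", "dport": 21, "len": 1400, "tos": 0xB8}       # marked EF by the sender
    out = []
    for pkt, t in [(voice, 0.0), (voice, 0.0), (voice, 1.0), (ftp, 1.0)]:
        name, action, newpkt = db.apply(pkt, t)
        out.append((name, action, newpkt["tos"]))
    return out
```

In `demo()` the second voice packet arrives before the bucket has refilled and is discarded by the exceed action, the third conforms again a second later, and the FTP packet misses the voice policy, falls through to the catch-all and has its EF marking rewritten to DSCP 0, which is the "remark TOS byte" action used to stop a sender from claiming a service class it is not entitled to.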

IEEE 802.1P Prioritization

When the ingress port is connected to a VLAN-aware switch that does the layer-2 packet classification and 802.1P user priority support is enabled on the ingress VLAN port, the 802.1P user priority of the incoming IP packet will determine the IP/TOS value based on the default or user-configured mapping.

When the egress port is connected to a layer-2 VLAN-aware switch that does not support packet classification and 802.1P support is enabled on the egress VLAN port, the IP/TOS value will determine the 802.1P priority of the outgoing packet based on the default or user-configured mapping.

IP traffic can also be classified via a QoS policy to be tagged with a specific 802.1P priority.


Class-Based Queuing (CBQ) Management

Class-Based Queuing (CBQ) is a link-sharing packet scheduler which is an enhanced version of the existing Protocol Reservation queuing policy. It performs priority scheduling and supports specific traffic class characteristics, such as the average transfer rate. It supports a hierarchy of service classes, each associated with a set of QoS attributes (such as, average rate, priority, and max delay) and a packet queue to hold packets marked for the service class.

CBQ provides weighted (based on the allocated bandwidth) round robin scheduling when the class is not congested, but switches to the link sharing mode during periods of congestion. It regulates each class queue to its allocated bandwidth, but allows a congested class to borrow bandwidth from its under-utilized parent class.

When a class queue builds up because packets arrive at a higher rate than the class's allocated bandwidth, CBQ employs a packet drop policy to manage the queue length and latency. By default, simple "tail drop" is invoked to discard the most recently arrived packet for the congested queue/class. The more effective RED dropper can also be optionally enabled on a CBQ class queue.

CBQ also supports traffic prioritization. Higher priority classes are serviced first; classes with the same priority are then serviced based on weighted round robin. Borrowing is allowed only if a class is configured to allow borrowing from its parents.

The network manager may define any number of CBQ classes. Policies can be defined that map the DSCP in the TOS-byte to a specific service class to provide the desired QoS. Initial RSVP support will restrict RSVP flows to the well-known “RSVP” service class.

Given the significant per packet overhead, CBQ does not scale well with multi-level class hierarchies and would perform best with a small number of classes in a shallow tree structure on lower speed WAN links.

CBQ will be supported on PPP/FR ports only.

RED Congestion Avoidance

Random Early Discard (RED) actively manages the queue size by dropping arriving packets probabilistically, as follows. The probability of a packet drop increases as the estimated average queue size grows. The average queue size is computed using a simple exponentially weighted moving average estimator. RED starts dropping arriving packets when the average queue size exceeds the defined minimum threshold (in number of packets), and the drop probability increases linearly with the queue size until the defined maximum threshold (in number of packets) is reached, at which point all arriving packets are dropped.

Weighted Random Early Discard (WRED) implements an additional drop-precedence based preferential discard mechanism. The drop-precedence value is used to select the minimum and maximum thresholds, such that packets tagged with a higher drop-precedence value have a higher drop probability. The drop-precedence value is determined by the amount of traffic in excess of the rate limit.

The RED congestion avoidance scheme actively manages the queue length to efficiently reduce both packet drops and queue latency, resulting in lower delay and better service. The random packet drop also effectively breaks up the traffic synchronization caused by TCP's "slow start, then speed up" behavior, which may cause some flows to be locked out of bandwidth if simple tail drop is employed when the queue becomes full. However, RED works well only with compliant TCP implementations that back off when network congestion is detected. It has no effect on non-IP or UDP traffic.

RED is supported on CBQ class queues only.
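The RED and WRED mechanics described above, as an added simulation (constructed example code, not Enterprise OS code): the exponentially weighted moving average of the queue length, the linear drop-probability ramp between the minimum and maximum thresholds with full drop at the maximum, and per-drop-precedence threshold pairs for WRED. The class and parameter names, the EWMA weight and the comparison against a tail-drop queue are assumptions for the example; the release notes do not give the product's own parameter names or defaults.

```python
import random


class WredQueue:
    """One class queue with RED drop decisions, optionally weighted by drop precedence.

    thresholds maps drop precedence -> (min_th, max_th) in packets; plain RED is the
    single-precedence case.  max_p is the probability reached just below max_th; 1.0 gives
    the linear ramp to full drop described in the notes (classic RED uses a smaller value).
    """

    def __init__(self, thresholds, max_p=1.0, weight=0.002, rng=random.random):
        self.thresholds = dict(thresholds)
        self.max_p = max_p
        self.weight = weight          # EWMA weight for the average queue size estimator
        self.rng = rng                # injectable so tests can be deterministic
        self.avg = 0.0
        self.queue_len = 0
        self.drops = 0

    def update_average(self) -> float:
        # Exponentially weighted moving average of the instantaneous queue length
        self.avg = (1.0 - self.weight) * self.avg + self.weight * self.queue_len
        return self.avg

    def drop_probability(self, precedence=0, avg=None) -> float:
        avg = self.avg if avg is None else avg
        min_th, max_th = self.thresholds[precedence]
        if avg < min_th:
            return 0.0                # below the minimum threshold: never drop
        if avg >= max_th:
            return 1.0                # at or above the maximum threshold: drop everything
        return self.max_p * (avg - min_th) / (max_th - min_th)   # linear ramp in between

    def arrive(self, precedence=0) -> bool:
        """Handle one arriving packet; return True if it was dropped."""
        self.update_average()
        if self.rng() < self.drop_probability(precedence):
            self.drops += 1
            return True
        self.queue_len += 1
        return False

    def depart(self):
        if self.queue_len:
            self.queue_len -= 1


def burst_comparison(arrivals=200, limit=20, seed=1):
    """Constructed burst (one arrival per step, one departure every second step) offered to a
    tail-drop queue and to a RED queue with the same hard limit.
    Returns (tail_drops, red_drops, red_peak_length)."""
    red = WredQueue({0: (5, limit)}, weight=0.2, rng=random.Random(seed).random)
    tail_len = tail_drops = red_peak = 0
    for step in range(arrivals):
        if tail_len < limit:
            tail_len += 1
        else:
            tail_drops += 1               # tail drop: only once the queue is already full
        if red.queue_len < limit:
            red.arrive()                  # RED may drop early, before the queue fills
        else:
            red.drops += 1                # the hard limit still applies
        red_peak = max(red_peak, red.queue_len)
        if step % 2:
            tail_len -= 1
            red.depart()
    return tail_drops, red.drops, red_peak
```

With precedence 2 thresholds tighter than precedence 0, `drop_probability` shows the WRED property directly: at the same average queue size the higher drop precedence already sits at full drop while precedence 0 is still on the ramp. `burst_comparison` shows that both queues must shed roughly the same excess during a sustained burst, but RED does so spread over the burst rather than only once the queue is full.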

Dial Service Features

Dial service features include an increased asynchronous baud rate for all Enterprise OS platforms.

In releases prior to 11.3, the maximum baud rate for asynchronous ports was 57.6 kbps. With the 11.3 release, the maximum baud rate has been increased to 115.2 kbps only for the OfficeConnect NETBuilder platform. With the 11.4 release, this feature is expanded to support all other platforms with FlexWAN interfaces. This includes the NETBuilder II with the 4-port HSS module, SuperStack II NETBuilder SI, PathBuilder S5xx, and PathBuilder S400 devices.

Voice & Multiservice Features

Voice and multiservice features include voice over Frame Relay and voice over VPN. These features are currently available on the PathBuilder S400 platform only.

Voice Over Frame Relay (VoFR)

With Frame Relay already providing a flexible and efficient means of transferring data, Voice Over Frame Relay (VoFR) consolidates voice and voice-band data (for example, analog modems and fax messages) with data services. VoFR lowers the cost of calls while increasing the utilization of network resources and maintaining the reliability of an existing Frame Relay network.

With 11.4, VoFR is available in the PathBuilder S400 WAN convergence switch. The VoFR capabilities will handle peer-to-peer (end-user to end-user) VoFR voice call signaling across the network, providing real-time delivery of voice signals without excessive delay.

Features of the 3Com implementation of VoFR:

All voice payloads are encapsulated in the FRF.11 formats. Voice and data share the same virtual circuit (VC) based on the FRF.11 Annex J (The Use of Reserved Subchannels) capabilities as authored by 3Com.

Fragmentation can consume CPU processing power, resulting in degraded system performance. Unlike other vendors' implementations of VoFR, 3Com's proprietary Fragmentation Control Protocol (FCP) is designed to support dynamic fragmentation control, turning fragmentation on and off at each communicating endpoint.

3Com proprietary VoFR signaling based on Q.931 allows dynamic call connection and teardown.

VoFR recovery is built into VoFR signaling to handle system or network outages.

Voice call establishment is regulated by bandwidth requirements of voice compression between two communicating DSP peers, as well as by the available bandwidth (CIR) of the VC at each end.

Voice calls between remote offices can be switched through central site VoFR.


Up to 250 calls can be supported within each VC subject to available bandwidth.

Support for FXS and FXO voice ports.

Support for FAX data over the voice call.

Voice Over VPN (VoVPN)

Due to the interaction between VPN (L2TP or PPTP) and VoIP when they share the same system IP (sysip) address, voice calls do not get tunneled over L2TP or PPTP. The reason for this is that when a VPN tunnel is established with the sysip address, the endpoint's sysip address is in each endpoint's routing table. If an application subsequently uses the same address that is used by the tunnel, the routing table would force the packet out on the interface, and not through the tunnel. The packet would leave the device unencapsulated.

To overcome this, voice calls originating from the system will continue to use the sysip address as before (in order to utilize the redundancy feature of the sysip). In addition, the voice call will also have an option to use a different source-destination pair for those calls that need to be tunneled via VPN. After the source address is defined, it is linked to the virtual port that represents the VPN tunnel, allowing the voice call to get tunneled across the VPN.

Network Management Features

Network management features include Upgrade Utilities and Upgrade Link, Web Link Enhancements, Autotargeting for SLA Monitoring/Remote Polling, Console Output in Telnet Sessions, Multiple SYSLOG Server Support, Audit Log Messaging Enhancements, and Domain Name Use in FTP and TFTP Commands.

Upgrade Utilities & Upgrade Link

With the upgrade utilities, you will be able to perform upgrades of all your Enterprise OS devices (NETBuilder, PathBuilder S5xx, and PathBuilder S400 devices) from an older version of software to a newer version. The version you can upgrade to will match your version of the upgrade utilities (for example, with the Upgrade Management Utilities version 11.4, you will be able to upgrade a device running 8.x, 9.x, 10.x, 11.0, 11.1, or 11.2 to any version 9.x, 10.x, 11.0, 11.1, 11.2, 11.3 or 11.4). Engineered to be reliable and simple to use, the utilities can be executed via command line, via the GUI-interface in Transcend® Upgrade Manager, or the GUI-interface in Upgrade Link, or via user-defined scripts.

Enhancements to Upgrades Utilities version 11.4:

File Transfers via HTTP

Faster installation of Enterprise OS software images into Upgrade Manager for Windows 95

Flexibility of installing the upgrade files into a directory besides /usr/3Com

Added support for PathBuilder S400 WAN convergence switches

Web Link Enhancements

Web Link is an embedded Web-based interface for management of the NETBuilder bridge/router (or PathBuilder S5xx tunnel switch starting with 11.1.1). Web Link is available on all router platforms running version 11.0 or later. To access Web Link, use Netscape 4.08 or later, or Internet Explorer 4.x or later.


Voice Wizard

Starting with 11.2.2 and with enhancements made in 11.4 for the PathBuilder S400 WAN convergence switch, Web Link provides a new Wizard configuration tool to aid in the configuration of the voice parameters. The Voice Wizard eases the task of configuration by creating a dial plan that can be viewed and later edited.

Performance Management

Currently available statistics are:

System Performance

Interface Performance: physical path statistics and port and virtual port statistics

Protocol Performance: Routing protocols

IP Routing Protocol: Total IP packets and IP packets per interface

IPX Routing Protocol: Total IPX packets

IPX Packets Per Interface

Frame Relay WAN Protocol

New Statistics for 11.4

VPN Performance: VPN tunnels and total active tunnels

IPsec Performance: Encrypted packets, authenticated packets, encrypted-authenticated packets, and discarded packets

Voice Performance

Total Successful Calls

Total Packets

Total Bytes

Autotargeting for SLA Monitoring/Remote Polling

In 11.2, Remote Polling was introduced, which provided a mechanism to periodically poll a list of up to 100 target devices. By pinging a target list of devices for connectivity, logs could be generated and statistics gathered to measure latency between devices and to determine service levels. Statistics could also be gathered using the 3Com remote polling MIB (3com0019.mib), which gives the statistical result of each poll. The MIB variables can be used with third-party applications, such as InfoVista, to provide service level monitoring, analysis, and reporting. A maximum of 100 target devices can be polled.

In 11.4, the requirement to manually configure up to 100 target devices that the administrator remotely polls has been eliminated. Four predefined “target groups” will be used:

RAS targets are automatically added when a RAS user session is established

VLL targets are automatically added when a virtual leased line is configured

Tunnel Peers including PPTP/L2TP/IPIP/DNL are automatically added

Static targets can still be manually configured, if desired


Console Output in Telnet Sessions

With 11.4, all system messages can be displayed to a Telnet session as well as through a terminal attached to the local console port. Administrators are able to view all important status messages from the Telnet session, improving manageability.

Audit Log Messaging Enhancements

Many enhancements are added in the 11.4 release regarding the logging of events. These include:

In previous releases, only one SYSLOG server on the network could be sent the audit log messages from an Enterprise OS device. With 11.4, the administrator can configure each Enterprise OS device to send its audit log messages to up to six SYSLOG servers.


Persistent logging of events across reboots is now available on all platforms. Previously this feature was available only for NETBuilder II and PathBuilder S5xx devices (those devices which could support the partial dump feature). With 11.4, the partial dump feature is extended to the stackable devices (OfficeConnect NETBuilder, SuperStack II NETBuilder SI, and PathBuilder S400 devices), so reasons for spontaneous failures will be logged both on the device and within audit log messages sent to the SYSLOG server(s).

To provide a clearer understanding of audit log messages, the format of the messages has been changed. There is a different format for those messages sent to a SYSLOG server vs. those saved in the device's local audit log buffer. Redundant information was removed and comprehensive definitions are provided. A field was added to indicate message severity (0-7, indicating Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug).

Changes to audit log messages sent to SYSLOG server(s):

For the SYSLOG messages, a unique message identifier (starting with 100) has been added. Specific services have been assigned a range of identifying numbers. For example, 100-199 identifies audit log file access status messages … dial history messages are 400-499 … IPsec messages are 600-649 … and Web Link messages are 1400-1499.

A new message format will have identifying labels. The new syntax is as follows:

priority Seq:SeqNumber Sev:Severity From:Entity/Source Msg:Text

Changes to audit log messages saved on the device's local audit log buffer:

The new message format will have identifying labels. The new syntax is as follows:

<priority> Seq:SeqNumber Date/Time Sev:Severity From:Entity/Source Msg:Text

Audit Log Message Filters are now supported. In previous releases, all audit log messages were sent to the designated SYSLOG server. With 11.4, the administrator can set a LogFilter, whereby specific messages can be sent to specific SYSLOG servers. Messages can be filtered based on service, priority,
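A parser for the two 11.4 audit log layouts shown above, with the severity names from the notes and a filter that routes each parsed message to SYSLOG servers by entity and severity, the way the LogFilter described above selects which messages reach which server. This is added example code, not Enterprise OS code or its configuration syntax: the field layout follows the two syntax lines in the notes, but the Date/Time format, the sample messages, the entity names, the server names and the filter rule shape are constructed for the example. The message identifier ranges quoted in the notes are included as a lookup table; the notes do not say where the identifier appears in the message, so the parser does not try to extract it.

```python
import re
from collections import defaultdict

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]

# Message identifier ranges quoted in the release notes (only these four are listed)
MSG_ID_RANGES = [
    (100, 199, "audit log file access status"),
    (400, 499, "dial history"),
    (600, 649, "IPsec"),
    (1400, 1499, "Web Link"),
]

# Accepts both layouts from the notes:
#   SYSLOG server:  priority Seq:N Sev:S From:Entity/Source Msg:Text
#   local buffer:   <priority> Seq:N Date/Time Sev:S From:Entity/Source Msg:Text
# The Date/Time token layout (up to two whitespace-separated words) is an assumption.
LINE_RE = re.compile(
    r"^<?(?P<pri>\d{1,3})>?\s+Seq:(?P<seq>\d+)\s+"
    r"(?:(?P<datetime>(?!Sev:)\S+(?:\s+(?!Sev:)\S+)?)\s+)?"
    r"Sev:(?P<sev>[0-7])\s+From:(?P<entity>[^/\s]+)/(?P<source>\S+)\s+Msg:(?P<text>.*)$"
)


def service_for_msg_id(msg_id: int):
    """Map a message identifier to the service range named in the notes, or None."""
    for lo, hi, name in MSG_ID_RANGES:
        if lo <= msg_id <= hi:
            return name
    return None


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    return {
        "priority": int(m["pri"]),
        "seq": int(m["seq"]),
        "datetime": m["datetime"],          # None for the SYSLOG layout
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "entity": m["entity"],
        "source": m["source"],
        "text": m["text"],
    }


def route(record, filters):
    """filters: list of (entity or None for any, max_severity, server).  A record goes to every
    server whose filter matches; a numerically lower severity is more urgent."""
    return [server for entity, max_sev, server in filters
            if (entity is None or entity == record["entity"]) and record["severity"] <= max_sev]


def process(lines, filters):
    """Return ({server: [seq, ...]}, [lines that did not parse])."""
    sent, unparsed = defaultdict(list), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)       # keep, rather than silently drop, anything unexpected
            continue
        for server in route(rec, filters):
            sent[server].append(rec["seq"])
    return dict(sent), unparsed


# Constructed sample messages (addresses from the RFC 5737 documentation ranges)
SAMPLE_LINES = [
    "11 Seq:501 Sev:3 From:IPsec/Path1 Msg:SA negotiation with 192.0.2.7 failed",
    "14 Seq:502 Sev:6 From:WebLink/HTTP Msg:login from 198.51.100.4",
    "<15> Seq:503 01/14/2000 10:22:31 Sev:7 From:DialHistory/Port2 Msg:modem init string sent",
    "<9> Seq:504 01/14/2000 10:22:40 Sev:1 From:SYS/Boot Msg:partial dump written after reset",
    "garbage line that is not an audit log message",
]

# Constructed LogFilter-style rules: severe events to a central collector, every IPsec
# event to a security server, and everything to a local debug sink.
FILTERS = [
    (None, 4, "central-collector"),
    ("IPsec", 7, "security-server"),
    (None, 7, "debug-sink"),
]
```

Running `process(SAMPLE_LINES, FILTERS)` sends the IPsec failure (severity 3) to all three servers, the partial-dump message (severity 1) to the collector and the debug sink, the two informational messages to the debug sink only, and returns the unparseable line separately so a collector can alert on malformed input instead of losing it.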
