3Com C36460T, 86-0621-000 User Manual

Enterprise OS Software Version 11.4 Release Notes
3Com provides a CD-ROM that includes all Enterprise OS software version 11.4 software manuals plus version 11.4 new installation and upgrade manuals. To obtain a hardcopy version of the 11.4 documentation, order part number C36460T. You can order the documentation CD-ROM using part number 3C6461T. Additionally, all documentation for Enterprise OS software version 11.4 is located on the 3Com website:
http://infodeli.3com.com/infodeli/tools/bridrout/index.htm
http://www.3com.com/
Part No. 86-0621-000
Published January 2000
3Com Corporation 5400 Bayfront Plaza Santa Clara, California 95052-8145
Copyright © 3Com Corporation, 2000. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty of any kind, either implied or expressed, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.
UNITED STATES GOVERNMENT LEGENDS:
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following restricted rights:
For units of the Department of Defense:
Restricted Rights Legend: Use, duplication, or disclosure by the Government is subject to restrictions as set
forth in subparagraph (c) (1) (ii) for Restricted Rights in Technical Data and Computer Software Clause at 48 C.F.R. 52.227-7013. 3Com Corporation, 5400 Bayfront Plaza, Santa Clara, California 95052-8145.
For civilian agencies:
Restricted Rights Legend: Use, reproduction, or disclosure is subject to restrictions set forth in subparagraph
(a) through (d) of the Commercial Computer Software – Restricted Rights Clause at 48 C.F.R. 52.227-19 and the limitations set forth in 3Com Corporation’s standard commercial agreement for the software. Unpublished rights reserved under the copyright laws of the United States.
If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
The software you have received may contain strong data encryption code that cannot be exported outside of the U.S. or Canada. You agree that you will not export/reexport, either physically or electronically, the encryption software or accompanying documentation (or copies thereof) or any products utilizing the encryption software or such documentation without obtaining written authorization from the U.S. Department of Commerce.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.
3Com, AccessBuilder, Boundary Routing, NETBuilder, NETBuilder II, OfficeConnect, SuperStack, and Transcend are registered trademarks and Edge Server, PathBuilder, and Total Control are trademarks of 3Com Corporation.
IBM, AS/400, SNA, and LAN Net Manager are registered trademarks of International Business Machines Corporation. Advanced Peer-to-Peer Networking and APPN are trademarks of International Business Machines Corporation. DECnet is a registered trademark of Digital Equipment Corporation. AppleTalk is a registered trademark of Apple Computer, Inc. NetWare is a registered trademark of Novell, Inc. RealPlayer is a trademark of Real Networks. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. VINES is a registered trademark of Banyan Systems. SunOS is a trademark of Sun Microsystems, Inc. XNS is a trademark of Xerox Corporation.
Other brand and product names may be registered trademarks or trademarks of their respective holders.
CONTENTS

Encryption Packages Notice 7
Supported Platforms 8
OfficeConnect NETBuilder and SuperStack II NETBuilder SI Release 9
Platforms Not Supported 9
New Features and Feature Enhancements 9
  JAVA Runtime Environment 9
  VPN and Security Features 9
  Routing Support Features 11
  Traffic Shaping & QoS Features 14
  Dial Service Features 17
  Voice & Multiservice Features 17
  Network Management Features 18
  Transcend VPN Application Suite 21
11.4 Software Packages 23
  NETBuilder II Bridge/Router 23
  SuperStack II NETBuilder SI 26
  PathBuilder S5xx Series Switch 29
  PathBuilder S400 Series Switches 32
  OfficeConnect NETBuilder Bridge/Routers 34
  OfficeConnect NETBuilder 10/ST 37
  SuperStack II NETBuilder Token Ring 40
Upgrade Management Utilities 43
  Downloading Upgrade Management Utilities 43
    UNIX Files 43
    Windows Files 43
    Executing profile.bat 44
  Version 11.4 Upgrade Management Utilities 44
  Upgrading to 11.4 Utilities with Transcend Upgrade Manager 44
  Transcend Enterprise Manager 44
Upgrade Management Notes 45
  bcmdiagnose Error Message 45
  SuperStack II NETBuilder Token Ring Upgrades 45
  bcmdiagnose and HP-UX 45
  bcmfdinteg 45
  File Conversion Considerations 46
  UNIX Platform Symbolic Links 46
  Upgrading From Release 8.3 or Earlier 46
  Upgrade Link and Netscape Browser Scroll Bars 46
  Upgrade Link Window Resizing 47
IBM Protocols and Services Notes 47
  APPN 47
  APPN Connections to 3174 through Token Ring 47
  APPN CP-CP Sessions and SNA Boundary Routing 47
  APPN CP-CP Sessions on Parallel TGs 47
  APPN DLUr Connections to 3174 Systems 47
  BSC and Leased Lines 47
  Boundary Routing and NetView Service Point 48
  Configuring BSC and NCPs 48
  DLSw Circuit Balancing 48
  DLSw and CONNectUsage Parameter Default Change 48
  DLSw Prioritization 48
  DLSw and IBM Boundary Routing in Large Networks 48
  Front-End Processor/Frame Relay Access for LLC2 Traffic 49
  HPR and ISR Configurations 49
  IBM Boundary Routing Topology Disaster Recovery 49
  IBM-Related Services in Token Ring 50
  LAN Network Manager with NETBuilder II Systems 51
  LLC2 Frames and PPP 52
  Maximum BSC Line Speed 52
  SHDLC Half-Duplex Mode 52
  SDLC 52
  SDLC Adjacent Link Stations for APPN 52
  Source Route Transparent Bridging Gateway (SRTG) Interoperability 52
  SDLC Ports and NetView Service Point 52
  UI Response Time With Large SDLC Configuration 52
  VTAM Program Temporary Fixes 52
ATM Services Notes 53
  ATM Emulated LANs 53
  ATM LAN Emulation Clients and Large 802.3 Frames 53
  ATM Connection Table 53
  Deleting ATM Neighbors 53
  Source-Route Transparent Gateway 53
WAN Protocols and Services Notes 53
  ACCM Not Configurable 53
  Asynch Tunnelling on Serial Ports 53
  Automatic Line Detection 53
  Auto Start-up Does Not Include Async 54
  Bandwidth-on-Demand Timer Precedence 54
  Baud Rates for WAN Ports in DCE Mode 54
  BSC Cabling and Clocking 54
  Changing the Transfer Mode Parameter Default Value 54
  Compression Requirements 54
  Dial Idle Timer 55
  Disaster Recovery on Ports Without Leased Lines 55
  DTR Modems 55
  Dynamic Paths 55
  Frame Relay Congestion Control 55
  History-Based Compression Negotiation Failure 55
  History Compression Not Allowed With Async PPP 55
  Multilink PPP Configurations 55
  SPID Wizard Detection Errors 56
  STP AutoMode Does Not Select the Right Mode 56
  Supported Modems 56
Routing Protocols and Services Notes 56
  BGP Configuration Files 56
  CPU Utilization with XNS Protocol 57
  IPX to Non-IPX Configuration Error 57
  IPX Routing, Route Receive and Route Advertisement Policies 57
  Managing IP Address Assignment 57
  NAT Service - Many to One Outbound Translation 57
  NAT Service - TCP/UDP Port Mappings 57
  OSPF Route Advertisement 57
  PIM-Sparse Mode 57
  PIM-SM Enterprise OS/Cisco Incompatibility 57
  PIM-SM Register Checksum Formats 57
  PIM-SM Not Supported Over NBMA Media 58
  RouteDiscovery 58
  VRRP Configuration 58
Network Management System and Services Notes 58
  ASCII Boot 58
  Boot Cycle Continuous Loop 58
  BootP Server and Autostartup 58
  Bootptab File 58
  Capturing Commands to boot.cfg File 59
  Change Configuration and Diagnostic Menu 59
  CPU Utilization Statistic 59
  File System Error 59
  Firmware Configuration 59
  Firmware Update 59
  IP Quality of Service Bandwidth 59
  IP Quality of Service Configuration 59
  Multiple Paths to BootP Server 59
  Remote Access Default Change 60
  Scheduler RunOnBootFail Completion 60
  V.25bis Modem Setup 60
  Web Link Documentation Path 60
  Web Link Login Support 60
  Zmodem Time Out 60
VPN Protocols and Services Notes 60
  ACE Security Server 60
  Total Control Security and Accounting Server Availability 60
  Microsoft MPPE Patches and Updates 61
  PKI: Entrust CA Installation Notes 61
  PPTP Tunnel Security Validation 62
  RSA Signature for Phase 1 Authentication 62
  Windows NT MS-CHAP Authentication 62
Platform Notes 63
  OfficeConnect NETBuilder and SuperStack II NETBuilder SI Additional Memory Requirements 63
  Approved DRAM SIMMs 63
  Supported PC Flash Memory Cards 64
  Line Error Reporting on PathBuilder S5xx Series Switch Statistics Display 64
  T3 Bandwidth Limitation 64
  MBRI Ownership During Board Swapping 64
  Multiport MBRI Module SNMP Management 64
  Token Ring+ Modules 64
  Token Ring Auto Start-up 64
These release notes provide information on the following topics for Enterprise OS software version 11.4:
  Encryption Packages Notice
  Supported Platforms
  Platforms Not Supported
  New Features and Feature Enhancements
  11.4 Software Packages
  Upgrade Management Utilities
  Upgrade Management Notes
  IBM Protocols and Services Notes
  ATM Services Notes
  WAN Protocols and Services Notes
  Routing Protocols and Services Notes
  Network Management System and Services Notes
  VPN Protocols and Services Notes
  Platform Notes
If you have questions about the software, the guides, or these release notes, contact 3Com or your network supplier.
For information on the command syntax used in these release notes, see “About This Guide” in Using Enterprise OS Software.

Encryption Packages Notice
The Enterprise OS software version 11.4 may contain strong data encryption that cannot be exported outside the United States or Canada. It is unlawful to export/re-export or transfer, either physically or electronically, the encryption software or accompanying documentation (or copies thereof) or any product(s) utilizing the encryption software or such documentation without obtaining written authorization from the US Department of Commerce.
Do not place Enterprise OS version 11.4 packages with encryption on networks or servers that are accessible to users outside of the U.S. and Canada.
Software packages with encryption include the following:
PathBuilder™ S5xx series switch
  Multiprotocol Router with 40-bit Encryption (PL)
  Multiprotocol Router with 56-bit Encryption (PE)
  Multiprotocol Router with 128-bit Encryption with 3DES (PS)
PathBuilder S400 switch
  Multiprotocol Router with 40-bit Encryption (ML)
  Multiprotocol Router with 56-bit Encryption (ME)
  Multiprotocol Router with 128-bit Encryption with 3DES (MS)
  IP/IPX/AT Router with 40- and 56-bit Encryption (XE)
  IP/IPX/AT Router with 128-bit Encryption with 3DES (XS)
NETBuilder II®
  Multiprotocol Router with 40-bit Encryption (DL)
  Multiprotocol Router with 56-bit Encryption (DE)
  Multiprotocol Router with 128-bit Encryption with 3DES (DS)
SuperStack® II NETBuilder® SI
  IP/IPX/AT Router with 40- and 56-bit Encryption (NE) (SI model)
  IP/IPX/AT Router with 128-bit Encryption with 3DES (NS) (SI model)
  Multiprotocol Router with 40-bit Encryption (CL) (SI model)
  Multiprotocol Router with 56-bit Encryption (CE) (SI model)
  Multiprotocol Router with 128-bit Encryption with 3DES (CS) (SI model)
SuperStack II NETBuilder (Token Ring models 327 and 527)
  Multiprotocol Router with 56-bit Encryption (TE)
OfficeConnect® NETBuilder
  IP/IPX Router (JW)
  IP/IPX Router with 56-bit Encryption (JE)
  IP/IPX Router with 128-bit Encryption with 3DES (JS)
  IP/IPX/AT Router with 40- and 56-bit Encryption (NE)
  IP/IPX/AT Router with 128-bit Encryption with 3DES (NS)
  Multiprotocol Router with 56-bit Encryption (OE)
  Multiprotocol Router with 128-bit Encryption with 3DES (OS)
OfficeConnect 10 NETBuilder
  Router (RW)
  Router with 56-bit Encryption (RE)
  Router with 128-bit Encryption with 3DES (RS)

Supported Platforms
Enterprise OS software version 11.4 is available for the following platforms:
  NETBuilder II
  SuperStack II NETBuilder models 327 and 527
  SuperStack II NETBuilder SI models 43x, 44x, 45x, 46x, 53x, 54x, 55x, and 56x
  OfficeConnect NETBuilder models 11x, 12x (K and T variants), 13x, 14x (U and ST variants) and 10/ST
  PathBuilder S5xx series switch models S500, S580, S593, S594, S598 and S599
  PathBuilder S400

OfficeConnect NETBuilder and SuperStack II NETBuilder SI Release
Due to increased memory requirements, the OfficeConnect NETBuilder and SuperStack II NETBuilder SI will be released after the general release of Enterprise OS Software version 11.4. The general release will include support for the following platforms: NETBuilder II, SuperStack II NETBuilder Token Ring, PathBuilder S50x, S58x, S59x, and PathBuilder S400 devices. Watch for special release announcements for the OfficeConnect NETBuilder and SuperStack II NETBuilder SI devices.
See “OfficeConnect NETBuilder and SuperStack II NETBuilder SI Additional Memory Requirements” on page 63 for details about memory requirements for the OfficeConnect NETBuilder and SuperStack II NETBuilder SI devices.

Platforms Not Supported
The Enterprise OS software version 11.4 does not support the following bridge/routers:
  Model 227 SuperStack II NETBuilder Router (Ethernet)
  Model 427 SuperStack II NETBuilder Router (Ethernet, ISDN)
  Model 120 OfficeConnect NETBuilder (FRAD)
  Model S574 and S578 PathBuilder Switch

New Features and Feature Enhancements
Enterprise OS is the system software that operates within the NETBuilder and PathBuilder WAN products. Enterprise OS devices supported by this release include the NETBuilder II, SuperStack II NETBuilder, OfficeConnect NETBuilder bridge/router, PathBuilder S5xx tunnel switch (models S500, S580, S593, S590, S594, S598, S599), and the PathBuilder S400 WAN convergence switch.
This section highlights the new features and enhancements contained within Enterprise OS software version 11.4.

JAVA Runtime Environment
With 3Com Enterprise OS software version 11.4, the /tools/jre subdirectory contains the MS Windows 95/98/NT version of the JRE (Java Runtime Environment) written by Sun Microsystems. This JRE archive file is a self-extracting executable that contains the Java virtual machine, runtime class libraries, and Java application launcher that are necessary to run programs written in the Java programming language. The JRE is needed to run the following Enterprise OS applications:
  Voice Wizard in Web Link (embedded web interface) on the PathBuilder S400 devices
  PKI Manager (part of the Transcend VPN Application Suite)
For more information or to download the UNIX version, see Sun's website: http://java.sun.com/products/jdk/1.2/runtime.html

VPN and Security Features
VPN and Security features provide Public-Key Infrastructure, Non-Broadcast, Multi-Access (NHRP) for VPN Tunnels, IP Payload Compression Protocol (IPComp), and Tunnel Switching Between Different Tunnel Types.
Public-Key Infrastructure (PKI) Implementation
Applications like IP Security (IPsec) and Internet Key Exchange (IKE) employ public-key technology for such security purposes as identifying oneself to remote entities, verifying a remote entity's identity, or initiating secure communications with remote peers. Such applications require a public-key infrastructure (PKI) to securely manage public keys for widely-distributed users or systems. The implementation of PKI is based on the X.509 standard.
Also new is PKI Manager, a graphical management application that helps Enterprise OS devices obtain PKI certificates and Certificate Revocation Lists (CRLs) from various Certificate Authorities (CAs). PKI Manager works as a proxy between the device and the CA. It is responsible for collecting the certificate requests from the devices and generating the CA-specific certificate request syntax (CRS), which in turn is sent to the CA. After the CA issues the certificate, PKI Manager retrieves it from the CA and sends it to the Enterprise OS device. The CAs supported in this first release are Verisign and Entrust. The application is currently supported only on Windows NT. See the “Transcend VPN Application Suite” section of these release notes for more information.
Non-Broadcast, Multi-Access (NHRP) for VPN Tunnels
With the Non-Broadcast, Multi-Access (NBMA) characteristics of a Point-To-Multi-Point (P2MP) VPN tunnel (also called IP-Over-IP tunnel), an IP packet must be forwarded via a routed tunnel path. These tunnel paths must be configured statically between each pair of neighbors. All VPN traffic is allowed to flow only through the configured neighboring paths. This makes routing inefficient since data forwarding may not always be using the best route with the shortest hops. To solve this, the user would have to go to the trouble of configuring a fully-meshed VPN so packets could be forwarded with one hop.
With the Next Hop Resolution Protocol (NHRP) implemented in 11.4, tunnels are now established dynamically. NHRP enhances the Point-To-Multi-Point (P2MP) VPN tunnel by eliminating the need to statically configure each and every end-point virtual port on the device. NHRP resolves the next hop when forwarding data through tunnels. The Enterprise OS device will “automatically” discover its shortcut path for routing, without having to manually configure every neighboring path.
IP Payload Compression Protocol (IPComp or IPPCP)
Enterprise OS software supports data compression to ease bandwidth problems. However, in previous software releases the compression mechanism was not effective when a data stream was encrypted at layer 3. With 11.4, the IP Payload Compression Protocol (IPComp), RFC 2393, is used to first reduce the size of the IP datagram by compressing the data and then perform encryption, so the size of IP datagrams has been reduced. This is extremely useful when IPsec encryption is applied to IP datagrams, since compression of outbound IP datagrams is done before any IP security processing, and decompression of inbound IP datagrams is applied after the completion of all IP security processing. Only dynamic negotiation of the IPComp Association (IPCA) via IKE and one compression algorithm (LZS) are supported in 11.4. Any negotiation of IPComp is always combined with a negotiation of ESP, AH, or both.
Tunnel Switching Between Different Tunnel Types
So that tunnel switching between two sessions of different tunnel types can be easily implemented and maintained, Enterprise OS software version 11.4 has been re-structured to support tunnel switching from PPP over Ethernet (PPPoE) to PPTP, and from PPPoE to L2TP. Users can now dial-in through a PPPoE tunnel and “switch out” through a PPTP or L2TP tunnel. This enables the Enterprise OS device to have the flexibility of switching between tunnels of different tunnel types.
Routing Support Features
Routing support features include OSPF External Route Aggregation, Protocol Independent Multicast-Sparse Mode (PIM-SM), Multicast Border Router (MBR), IGMPv2 Enhancements, PPP over Ethernet (PPPoE), Virtual Router Redundancy Protocol (VRRP) for ATM Ethernet LAN Emulation, Virtual Router Redundancy Protocol (VRRP) for Virtual LAN (VLAN), Many-to-One NAT Enhancement, BGP-4 & IPv6 added to multiprotocol packages for OfficeConnect NETBuilder and SuperStack II NETBuilder SI and PathBuilder S400 devices, and RSVP and RSVP Proxy added to software packages for OfficeConnect NETBuilder and SuperStack II NETBuilder SI and PathBuilder S400 devices.
OSPF External Route Aggregation
With OSPF, the user can import routes from external routing sources (for example, BGP, RIP, static routes, and directly connected networks). These imported routes become OSPF external routes. In some networks, the number of external routes to be advertised can cause traffic congestion on the backbone and subsequently to all areas.
Because version 11.4 aggregates type 5 external routes, the user can define external route ranges. With user-defined external route ranges, a network is advertised only if the external route falls within a defined range. This reduces the number of external routes advertised in the backbone and regular areas.
Protocol Independent Multicast-Sparse Mode (PIM-SM)
The periodic broadcasting of information by DVMRP and MOSPF to identify the location of interested receivers for a specific multicast session is only useful in networks where bandwidth is plentiful or where there is a large number of senders and receivers for a multicast session. When senders and receivers of multicast sessions are distributed sparsely across a wide area, such schemes are not efficient. They waste bandwidth on expensive WAN links and require the maintenance of “routing state” on routers that are not on the forwarding tree for the multicast session. Protocol Independent Multicast-Sparse Mode (PIM-SM), implemented in 11.4, is an intra-domain multicast routing protocol designed to resolve some of the inadequacies of these other multicast protocols.
PIM-SM is “protocol independent” in that it can work with any unicast routing protocol. It builds a per-group (or per multicast session) shared multicast distribution tree centered at a rendezvous point, and requires receivers to explicitly join this shared distribution tree before receiving data traffic. Since a “shared-tree” mechanism could result in suboptimal paths for data traffic from a source to the receivers of a multicast session, PIM-SM also supports switching to a source-specific distribution tree if the data traffic warrants it. The implementation of PIM-SM supports IPv4 in this release (IPv6 is not supported in this release).
Multicast Border Router (MBR)
To allow sources and receivers inside multiple autonomous multicast routing domains (each running a different multicast routing protocol -- DVMRP, MOSPF, or PIM-SM) to communicate, the regions must be connected by multicast border routers (MBRs). The primary role of the MBR is to pull traffic from one domain into another domain. This MBR functionality is implemented in the Enterprise OS device to allow efficient interoperation among independent multicast routing protocols. A common forwarding cache to forward the multicast data packets has been implemented. MBR makes it easier to have a unified forwarding table for multicast data traffic. The multicast routing protocols maintain protocol-specific routing state and create forwarding entries in the unified forwarding table for multicast traffic.
IGMPv2 Enhancements
Adding to the IGMPv1 support, 11.4 adds support for IGMPv2 (RFC 2236). Feature enhancements include the following:
  Allows a host to inform a multicast router when it no longer wants to receive traffic for a given multicast group.
  Defines a new procedure for electing the multicast querier on a LAN; the multicast router with the lowest IP address is always chosen as the querier.
  Defines a new type of Query message, called the Group-Specific Query. This type of message allows a router to transmit a query to a specific multicast group rather than to all groups that reside on a directly attached subnet.
PPP over Ethernet (PPPoE)
With 11.4, PPP over Ethernet (PPPoE) is available to offer a seamless integration of broadband access technology into the existing infrastructure and operational model of remote access. As specified in the informational RFC 2516, PPPoE encapsulates PPP packets over Ethernet. It is intended for use by a host PC to interact with a broadband modem (e.g. xDSL, cable, and wireless access devices) to achieve access to high-speed data networks. The PPPoE offering is targeted at Carriers, ISPs, and NSPs with an ATM backbone for use in a VPN environment for broadband access.
Ethernet is the most proven, familiar, and cost-effective LAN technology that exists today. PPP is the most popular dial-up transport, created to negotiate connectivity parameters, authenticate users, dynamically assign IP addresses, and support multiprotocol environments. In a remote dial-up environment, besides the traditional analog and ISDN modems, several other high-speed broadband CPEs are being rapidly deployed (for example, xDSL, cable, and wireless access devices). All high-speed broadband access equipment requires end users to be knowledgeable in its technologies, connectivity, and configuration characteristics. With PPPoE, much of the complexity of these broadband devices is hidden from the user. In addition to ease of configuration and use for the end user, PPPoE also simplifies provisioning, installation, and management for the service provider.
Advantages of PPPoE:
  Supports multiple hosts and users across a dedicated broadband connection and a single ATM or Frame Relay PVC with the same Ethernet infrastructure.
  Provides end users with ease of installation and configuration; no special configuration of the PC or modem is needed.
  Provides service providers with ease of provisioning, services, and management.
  Operates independently of the access device (that is, works for xDSL, cable, or wireless devices), which shields end users from the need to learn complicated technologies (for example, ATM).
  Preserves the applications that have been built around Microsoft Windows Dial-Up Networking (DUN). A simple PPPoE client driver is used with an interface and functionality familiar to the user.
Virtual Router Redundancy Protocol (VRRP) for ATM Ethernet LAN Emulation
In addition to supporting Virtual Router Redundancy Protocol (VRRP) on Enterprise OS platforms with Ethernet, Fiber Distributed Data Interface (FDDI), and Token Ring interfaces, 11.4 now supports ATM Ethernet LAN Emulation (ATM LANE).
LANE operates by maintaining a set of mappings from MAC addresses to ATM addresses. When running VRRP on a LANE network, the LANE protocol must be notified when a new master router is elected so that it can update the MAC address to ATM address mapping within the ELAN for the virtual router's MAC address. In essence, while running VRRP over LANE, a virtual MAC address may change location from one LEC to another.
For more information regarding VRRP, consult the Internet Drafts for VRRP (draft-ietf-vrrp-spec-v2-03.txt) and VRRP Operation over ATM LAN Emulation (draft-ietf-vrrp-lane-01.txt).
Virtual Router Redundancy Protocol (VRRP) for Virtual LAN (VLAN)
In addition to supporting Virtual Router Redundancy Protocol (VRRP) over a physical LAN, with 11.4 comes support for VRRP for the Virtual LAN (VLAN).
A VLAN can be seen as a group of end-stations, perhaps on multiple physical LAN segments that are not constrained by their physical location and can communicate as if they were on a common LAN. With VRRP for VLAN, network operation is ensured since dynamic responsibility for a virtual router is transmitted to one of the VRRP routers on a VLAN.
When VRRP is used over a physical LAN, an owner of the Virtual Router ID (VRID) may change the MAC address to the Virtual MAC (VMAC) address without transitioning to promiscuous mode. For the VLAN implementation, when a VRRP router becomes the master (the router that is forwarding the virtual IP packets), the VLAN interface will always be in promiscuous mode.
Many-to-One NAT Enhancement
When executing large file transfers with a block size greater than the underlying media can handle, IP fragments the UDP packet. Only the first fragment contains the UDP header (which carries the source and destination ports NAT needs to map the packet to a NAT IP address); the subsequent fragments do not. As a result, NAT had no UDP ports to map to the NAT IP address. In previous releases, this condition would occur during, for example, TFTP file transfers using Large Blocksize Negotiation (RFC 1783).
Each fragment contains an IP Identification (ID) number that is used for reassembly. When the first fragment arrives, its ID is stored in the NAT session that has already been set up for the TFTP file transfer, so when subsequent fragments arrive with no UDP header, a search is made for the session by ID and the relevant IP address. Once the session is found, the destination and source ports are known and NAT can translate.
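The session lookup just described, as an added Python illustration (not 3Com's code): the first fragment's ports create the session and record its IP ID, and trailing fragments are matched on source address and ID. The public address, port range and TFTP-style fragments are constructed for the example; the destination check on trailing fragments is an extra guard against ID collisions that the notes do not mention.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NAT_IP = "203.0.113.1"   # constructed public address (RFC 5737 documentation range)


@dataclass
class Packet:
    """The IP/UDP fields NAT needs. Only a first fragment (offset 0) carries ports."""
    src: str
    dst: str
    ip_id: int
    frag_offset: int          # in 8-byte units, 0 for the first fragment
    more_frags: bool
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Session:
    inside_ip: str
    inside_port: int
    dst_ip: str
    dst_port: int
    nat_port: int
    ip_id: Optional[int] = None   # ID of the datagram currently in flight


class ManyToOneNat:
    """Outbound many-to-one (port-overloading) NAT with fragment tracking."""

    def __init__(self, nat_ip: str = NAT_IP, first_port: int = 40000):
        self.nat_ip = nat_ip
        self.next_port = first_port
        self.sessions: Dict[Tuple[str, int, str, int], Session] = {}
        # (inside ip, IP ID) -> session; this is the lookup the notes describe.
        self.frag_index: Dict[Tuple[str, int], Session] = {}

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.frag_offset == 0:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            sess = self.sessions.get(key)
            if sess is None:
                sess = Session(pkt.src, pkt.sport, pkt.dst, pkt.dport, self.next_port)
                self.next_port += 1
                self.sessions[key] = sess
            if pkt.more_frags:
                # Remember the ID so the trailing fragments (no UDP header) can find us.
                # A real implementation ages these entries out with a reassembly timer.
                sess.ip_id = pkt.ip_id
                self.frag_index[(pkt.src, pkt.ip_id)] = sess
            return Packet(self.nat_ip, pkt.dst, pkt.ip_id, 0, pkt.more_frags,
                          sess.nat_port, pkt.dport)

        # Trailing fragment: no ports, so search by (source address, ID).
        sess = self.frag_index.get((pkt.src, pkt.ip_id))
        if sess is None or sess.dst_ip != pkt.dst:
            # Unknown ID (the pre-11.4 outcome for every trailing fragment), or an
            # ID reused toward a different destination: do not translate it.
            return None
        return Packet(self.nat_ip, pkt.dst, pkt.ip_id, pkt.frag_offset, pkt.more_frags)


def demo() -> list:
    """Constructed TFTP-style transfer: one UDP datagram split into three fragments."""
    nat = ManyToOneNat()
    frags = [
        Packet("10.0.0.5", "192.0.2.10", 0x1234, 0, True, sport=5001, dport=69),
        Packet("10.0.0.5", "192.0.2.10", 0x1234, 185, True),
        Packet("10.0.0.5", "192.0.2.10", 0x1234, 370, False),
    ]
    return [nat.translate_outbound(f) for f in frags]


if __name__ == "__main__":
    for out in demo():
        print(out)
```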
BGP-4 & IPv6 added to Multiprotocol Packages for OfficeConnect NETBuilder & SuperStack II NETBuilder SI & PathBuilder S400 devices
Previously, BGP-4 & IPv6 was available only on the NETBuilder II and PathBuilder S5xx devices. Starting with 11.4, BGP-4 and IPv6 are supported on the OfficeConnect NETBuilder and SuperStack II NETBuilder SI (Ethernet only) bridge/routers, as well as on the PathBuilder S400 WAN convergence switch. BGP-4 and IPv6 will be available only on the multiprotocol packages for these platforms.
RSVP & RSVP Proxy added to Software Packages for OfficeConnect NETBuilder & SuperStack II NETBuilder SI & PathBuilder S400 devices
Previously, RSVP was available only on the NETBuilder II and PathBuilder S5xx devices. Starting with 11.4, RSVP and RSVP Proxy are supported on the OfficeConnect NETBuilder and SuperStack II NETBuilder SI (Ethernet only) bridge/routers, as well as on the PathBuilder S400 WAN convergence switch.
Traffic Shaping & QoS Features
Traffic shaping and Quality of Service (QoS) features include Bandwidth on Demand with Incoming Traffic, and IP Quality of Service (IPQoS).
Bandwidth on Demand with Incoming Traffic
Bandwidth on Demand is a facility that provides supplementary bandwidth above the normal bandwidth levels specified by the user whenever traffic congestion is detected. In previous releases, only the transmitted traffic load was used to control this feature; with the 11.4 release, incoming traffic is also monitored. The need to monitor incoming traffic for Bandwidth on Demand appears in situations such as a router connected to an ISP downloading a web page: the incoming traffic bandwidth consumption would be high, and it would be desirable at this point to add more bandwidth to accommodate the burst in traffic.
IP Quality of Service (IPQoS)
With the enormous growth in network traffic, robust QoS is required to ensure mission-critical and real-time application traffic will get adequate network resources to traverse the network regardless of the competing demands for bandwidth by other applications.
Policy-based QoS management will enable network managers to control bandwidth allocation and service levels on IP traffic flows. Traffic flows can be metered and policed on a per policy base to ensure its bandwidth consumption does not exceed the defined rate limits. When multiple flows are aggregated into a service class, rate limiting protects conforming flows from the aggressive flows hogging network resources that may lead to a denial of service. Flows can also be policed to ensure correct marking of the IP/TOS-byte in the IP header as per policy.
New Features and Feature Enhancements 15
Given the scalability problems associated with RSVP, the emerging IETF standard for scalable end-to-end QoS, IP Differentiated Services, is supported. Incoming traffic flows can be classified into service classes for each defined QoS policy, with the routers providing the service level that corresponds to the Differentiated Services Code Point (DSCP), bits 0-5 in the TOS-byte, via the Class-Based Queue (CBQ) packet scheduler and Random Early Detection (RED) congestion avoidance mechanisms. These queue management policies are supported only over the slower FR and PPP WAN links.
Brief descriptions of additional QoS features are listed below. For further information on IPQoS, consult RFC 2474 (Definition of Differentiated Service Field in IP Headers) and RFC 2309 (Recommendations on Queue Management & Congestion Avoidance in the Internet).
Policy-based QoS Management
Flexible QoS control is configured via the IPQoS Service as port specific policies. QoS policies can be applied to the inbound traffic at the ingress port and/or the outbound traffic at the egress port. QoS policies are associated with flows.
Policies are stored in the user-defined precedence order in the QoS policy database. The policy action associated with the first matching policy found for the packet will be applied. A flow can be defined as either an aggregated flow or a specific application flow between two end systems. Flows are classified via the generic packet classification service provided by IP.
A network manager can define the following types of QoS policy:
Bandwidth control - If rate limiting is specified in a QoS policy, the associated traffic flow will be metered and policed. Rate limiting can be applied to traffic transmitted or received on an interface. Users may also define actions, such as forward/discard/remark TOS-byte, to handle traffic that conforms to or exceeds the rate limit.
TOS control - TOS can be set to a specified TOS value. This allows incoming packets to be classified into a small number of DSCP-based classes. The TOS-byte can also be remarked for forwarding to another administrative domain with a different IP/TOS convention.
Service class control - A specific service class can be assigned to a flow independent of the DSCP value in the TOS byte. By default, the 6-bit DSCP value is mapped into a CBQ service class at the outgoing WAN port.
Traffic redirect - Traffic can be redirected at the ingress port.
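The metering and policing behaviour described for the bandwidth and TOS control policies can be modelled with a token bucket. The following is an added illustration written for these notes, not 3Com's code: the Packet and Policer structures, the 1 kB/s rate, the 1500-byte burst and the packet trace are all constructed. It shows a conforming packet forwarded unchanged, an exceeding packet remarked to DSCP 0 rather than discarded, and the bucket refilling over time; the DSCP helpers treat "bits 0-5" as the six high-order bits of the TOS byte, which is how RFC 2474 numbers them.

```python
from dataclasses import dataclass, field


def dscp_of(tos: int) -> int:
    """DSCP is the six high-order bits of the TOS byte. RFC 2474 numbers bits
    from the most significant end, which is why the notes call them bits 0-5."""
    return (tos >> 2) & 0x3F


def remark_dscp(tos: int, dscp: int) -> int:
    """Rewrite the DSCP, leaving the two low-order bits of the TOS byte alone."""
    return ((dscp & 0x3F) << 2) | (tos & 0x03)


@dataclass
class Packet:          # constructed packet model, not a real header parser
    size: int          # bytes
    tos: int           # TOS byte as carried in the IP header


@dataclass
class Policer:
    """Single token bucket: refills at 'rate' bytes/second up to 'depth' bytes.
    A packet conforms when the bucket holds enough tokens for it; otherwise it
    exceeds the rate limit. Actions: ("forward",), ("discard",), ("remark", dscp)."""
    rate: float
    depth: int
    conform_action: tuple = ("forward",)
    exceed_action: tuple = ("discard",)
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.depth)   # bucket starts full

    def police(self, pkt: Packet, now: float):
        # Credit the tokens earned since the previous packet, capped at the burst depth.
        elapsed = max(0.0, now - self.last_t)
        self.tokens = min(float(self.depth), self.tokens + elapsed * self.rate)
        self.last_t = now
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return apply_action(pkt, self.conform_action)
        return apply_action(pkt, self.exceed_action)


def apply_action(pkt: Packet, action: tuple):
    """Returns ("forward", tos_to_send) or ("discard", None)."""
    kind = action[0]
    if kind == "forward":
        return ("forward", pkt.tos)
    if kind == "discard":
        return ("discard", None)
    if kind == "remark":
        return ("forward", remark_dscp(pkt.tos, action[1]))
    raise ValueError(f"unknown action {action!r}")


def demo():
    """Constructed trace: a 1 kB/s policy with a 1500-byte burst; packets that
    exceed the limit are remarked to DSCP 0 (best effort) instead of dropped."""
    policer = Policer(rate=1000.0, depth=1500, exceed_action=("remark", 0))
    trace = [(0.0, Packet(1000, 0xB8)),   # DSCP 46 (EF): 1500 tokens available, conforms
             (0.0, Packet(1000, 0xB8)),   # same instant: only 500 tokens left, exceeds
             (1.0, Packet(1000, 0xB8))]   # one second later the bucket has refilled
    return [policer.police(p, t) for t, p in trace]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The remark action is the one worth noticing from a security standpoint: an exceeding flow is not silently dropped but demoted to best effort, so an aggressive source cannot inherit a premium class at the expense of conforming traffic.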
IEEE 802.1P Prioritization
When the ingress port is connected to a VLAN-aware switch that does the layer-2 packet classification and 802.1P user priority support is enabled on the ingress VLAN port, the 802.1P user priority of the incoming IP packet will determine the IP/TOS value based on the default or user-configured mapping.
When the egress port is connected to a layer-2 VLAN-aware switch that does not support packet classification and 802.1P support is enabled on the egress VLAN port, the IP/TOS value will determine the 802.1P priority of the outgoing packet based on the default or user-configured mapping.
IP traffic can also be classified via a QoS policy to be tagged with a specific 802.1P priority.
Class-Based Queuing (CBQ) Management
Class-Based Queuing (CBQ) is a link-sharing packet scheduler which is an enhanced version of the existing Protocol Reservation queuing policy. It performs priority scheduling and supports specific traffic class characteristics, such as the average transfer rate. It supports a hierarchy of service classes, each associated with a set of QoS attributes (such as, average rate, priority, and max delay) and a packet queue to hold packets marked for the service class.
CBQ provides weighted (based on the allocated bandwidth) round robin scheduling when the class is not congested, but switches to the link sharing mode during periods of congestion. It regulates each class queue to its allocated bandwidth, but allows a congested class to borrow bandwidth from its under-utilized parent class.
When a class queue builds up because packets arrive at a higher rate than the class's allocated bandwidth, CBQ employs a packet drop policy to manage the queue length and latency. By default, simple "tail drop" is invoked to discard the most recently arrived packet for the congested queue/class. The more effective RED dropper can also be optionally enabled on a CBQ class queue.
CBQ also supports traffic prioritization. Higher priority classes are serviced first; classes with the same priority are then serviced based on weighted round robin. Borrowing is allowed only if a class is configured to allow borrowing from its parents.
The network manager may define any number of CBQ classes. Policies can be defined that map the DSCP in the TOS-byte to a specific service class to provide the desired QoS. Initial RSVP support will restrict RSVP flows to the well-known “RSVP” service class.
Given the significant per packet overhead, CBQ does not scale well with multi-level class hierarchies and would perform best with a small number of classes in a shallow tree structure on lower speed WAN links.
CBQ will be supported on PPP/FR ports only.
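The scheduling rules above (priority first, weighted round robin among equal priorities, regulation to the allocated bandwidth, and borrowing only for classes configured to borrow) can be exercised in a small model. This is an added example written for these notes, not 3Com's CBQ implementation: it counts packets in fixed-size units per scheduling interval, gives each class a per-interval budget proportional to its share as a stand-in for weighted round robin, and treats the link itself as the parent that spare bandwidth is borrowed from. The class names, shares and backlogs are constructed.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class CbqClass:          # constructed model of a CBQ service class
    name: str
    priority: int        # lower number is served first
    share: float         # fraction of the link allocated to this class
    borrow: bool         # may use the parent's unused capacity when backlogged
    queue: deque = field(default_factory=deque)


def _serve_round_robin(group, remaining, sent, budget=None):
    """Dequeue one packet per eligible class in turn until nobody can send.
    'budget' caps each class (regulated phase); None means uncapped (borrowing)."""
    progress = True
    while progress and remaining > 0:
        progress = False
        for c in group:
            if remaining == 0:
                break
            if not c.queue or (budget is not None and budget[c.name] == 0):
                continue
            c.queue.popleft()
            sent[c.name] += 1
            remaining -= 1
            if budget is not None:
                budget[c.name] -= 1
            progress = True
    return remaining


def schedule_round(classes, link_units):
    """One scheduling interval with capacity 'link_units' packets.
    Returns {class name: packets sent this interval}."""
    sent = {c.name: 0 for c in classes}
    remaining = link_units
    priorities = sorted({c.priority for c in classes})
    # Phase 1, regulated service: each class may send up to its allocated
    # share; higher priorities go first and equal priorities are interleaved,
    # with the per-class budget proportional to its share.
    for prio in priorities:
        group = [c for c in classes if c.priority == prio]
        budget = {c.name: int(link_units * c.share) for c in group}
        remaining = _serve_round_robin(group, remaining, sent, budget)
    # Phase 2, link sharing: capacity left idle by under-utilized classes is
    # lent to classes that are still backlogged and allowed to borrow, again
    # highest priority first.
    for prio in priorities:
        borrowers = [c for c in classes if c.priority == prio and c.borrow]
        remaining = _serve_round_robin(borrowers, remaining, sent)
    return sent


def demo():
    """Constructed scenario: voice has top priority but cannot borrow, so it is
    held to its share; web borrows the capacity that idle bulk leaves unused."""
    voice = CbqClass("voice", priority=1, share=0.3, borrow=False)
    web = CbqClass("web", priority=2, share=0.5, borrow=True)
    bulk = CbqClass("bulk", priority=2, share=0.2, borrow=True)
    voice.queue.extend(range(5))
    web.queue.extend(range(10))
    sent = schedule_round([voice, web, bulk], link_units=10)
    backlog = {c.name: len(c.queue) for c in (voice, web, bulk)}
    return sent, backlog


if __name__ == "__main__":
    print(demo())
```

With a 10-packet interval the run sends 3 voice, 7 web and 0 bulk packets: voice stops at its 30% share despite its priority and remaining backlog, while web takes its own 5 plus the 2 units bulk left idle. That is the regulation-plus-borrowing behaviour the notes describe, and it is why a class that must never exceed its allocation (for example a class carrying traffic from an untrusted segment) should be configured without borrowing.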
RED Congestion Avoidance
Random Early Discard (RED) actively manages the queue size by dropping arriving packets with a probability that increases as the estimated average queue size grows. The average queue size is computed using a simple exponentially weighted moving average estimator. RED starts dropping arriving packets when the queue size exceeds the defined minimum threshold (in number of packets), and the drop probability increases linearly with the queue size until the defined maximum threshold (in number of packets) is reached, at which point all arriving packets are dropped.
Weighted Random Early Discard (WRED) implements an additional drop-precedence based preferential discard mechanism. The drop-precedence value is used to determine the minimum and maximum thresholds, such that packets tagged with a higher drop-precedence value have a higher drop probability. The drop-precedence value is determined by the amount of traffic in excess of the rate limit.
The RED congestion avoidance scheme actively manages the queue length to efficiently reduce both packet drops and queue latency, resulting in lower delay and better service. The random packet drop also effectively breaks up the traffic synchronization due to TCP's "slow start then speed up" behavior, which may cause some flows to be locked out of bandwidth if simple tail drop is employed when the queue becomes full. However, RED works well only with compliant TCP implementations that back off when network congestion is detected. It has no effect on non-IP or UDP traffic.
RED is supported on CBQ class queues only.
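The RED and WRED mechanics described above, as an added example written for these notes and not 3Com's implementation: the exponentially weighted moving average of the queue size, a drop probability that is zero below the minimum threshold, rises linearly up to the maximum threshold and is 1.0 beyond it, and a WRED variant that picks the threshold pair by drop precedence. The `max_p` parameter (the probability reached at the maximum threshold) comes from the original RED design and is not stated in the notes; the threshold values, EWMA weight and the arrival trace in `simulate` are constructed.

```python
import random


class Red:
    """RED on one class queue: the EWMA of the queue size drives a drop
    probability that rises linearly between min_th and max_th (in packets)."""

    def __init__(self, min_th, max_th, max_p=0.1, weight=0.02):
        self.min_th, self.max_th = min_th, max_th
        self.max_p = max_p       # probability reached at max_th (classic RED parameter)
        self.w = weight          # EWMA weight; smaller means a smoother, slower estimate
        self.avg = 0.0

    def update_avg(self, queue_len):
        # Exponentially weighted moving average of the instantaneous queue size.
        self.avg += self.w * (queue_len - self.avg)
        return self.avg

    def drop_probability(self, avg=None):
        avg = self.avg if avg is None else avg
        if avg < self.min_th:
            return 0.0
        if avg >= self.max_th:
            return 1.0   # past the maximum threshold every arriving packet is dropped
        return self.max_p * (avg - self.min_th) / (self.max_th - self.min_th)

    def should_drop(self, queue_len, rng=random):
        self.update_avg(queue_len)
        return rng.random() < self.drop_probability()


class Wred:
    """Weighted RED: one shared average queue size, but the (min_th, max_th)
    pair is chosen by the packet's drop precedence, so traffic marked with a
    higher precedence (because it exceeded its rate limit) is dropped sooner."""

    def __init__(self, thresholds, max_p=0.1, weight=0.02):
        # thresholds: {drop_precedence: (min_th, max_th)}; constructed values
        self.w = weight
        self.avg = 0.0
        self.curves = {dp: Red(lo, hi, max_p, weight) for dp, (lo, hi) in thresholds.items()}

    def should_drop(self, queue_len, drop_precedence, rng=random):
        self.avg += self.w * (queue_len - self.avg)
        return rng.random() < self.curves[drop_precedence].drop_probability(self.avg)


def simulate(ticks=400, seed=1):
    """Constructed trace: two arrivals per tick (one of each precedence) into a
    queue that serves one packet per tick. Returns drops per precedence."""
    rng = random.Random(seed)
    wred = Wred({0: (10, 30), 1: (5, 15)}, max_p=0.5, weight=0.2)
    queue_len, drops = 0, {0: 0, 1: 0}
    for _ in range(ticks):
        for dp in (0, 1):
            if wred.should_drop(queue_len, dp, rng):
                drops[dp] += 1
            else:
                queue_len += 1
        queue_len = max(0, queue_len - 1)    # one departure per tick
    return drops


if __name__ == "__main__":
    print(simulate())
```

Because the offered load is twice the service rate, the average queue settles near the high-precedence maximum threshold, where precedence-1 packets are dropped almost entirely while precedence-0 packets see only the gentle linear region. That is the preferential discard the notes describe: the flows that exceeded their rate limit absorb the congestion rather than the conforming ones.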
Dial Service Features
Dial service features include increased asynchronous baud rate for all Enterprise OS platforms. In releases prior to 11.3, the maximum baud rate for asynchronous ports was 57.6 kbps. With the 11.3 release, the maximum baud rate was increased to 115.2 kbps only for the OfficeConnect NETBuilder platform. With the 11.4 release, this feature is expanded to support all other platforms with FlexWAN interfaces. This includes the NETBuilder II with the 4-port HSS module, SuperStack II NETBuilder SI, PathBuilder S5xx, and PathBuilder S400 devices.
Voice & Multiservice Features
Voice and multiservice features include voice over Frame Relay, and voice over VPN. These features are currently available on the PathBuilder S400 platform only.
Voice Over Frame Relay (VoFR)
With Frame Relay already providing a flexible and efficient means of transferring data, Voice Over Frame Relay (VoFR) consolidates voice and voice-band data (for example, analog modems and fax messages) with data services. VoFR lowers the cost of calls while increasing the utilization of network resources and maintaining the reliability of an existing Frame Relay network.
With 11.4, VoFR is available in the PathBuilder S400 WAN convergence switch. The VoFR capabilities will handle peer-to-peer (end-user to end-user) VoFR voice call signaling across the network, providing real-time delivery of voice signals without excessive delay.
Features of the 3Com implementation of VoFR:
All voice payloads are encapsulated in the FRF.11 formats. Voice and data share the same virtual circuit (VC) based on the FRF.11 Annex J (The Use of Reserved Subchannels) capabilities as authored by 3Com.
Fragmentation can consume CPU processing power, resulting in degraded system performance. Unlike other vendors' implementations of VoFR, 3Com's proprietary Fragmentation Control Protocol (FCP) is designed to support dynamic fragmentation control to turn fragmentation on and off at each communicating endpoint.
3Com proprietary VoFR signaling based on Q.931 allows dynamic call connection and teardown.
VoFR recovery is built into VoFR signaling to handle system or network outages.
Voice call establishment is regulated by the bandwidth requirements of voice compression between two communicating DSP peers, as well as by the available bandwidth (CIR) of the VC at each end.
Voice calls between remote offices can be switched through central site VoFR.
Up to 250 calls can be supported within each VC, subject to available bandwidth.
Support for FXS and FXO voice ports.
Support for FAX data over the voice call.
Voice Over VPN (VoVPN)
Due to the interaction between VPN (L2TP or PPTP) and VoIP when they share the same system IP (sysip) address, voice calls do not get tunneled over L2TP or PPTP. The reason is that when a VPN tunnel is established with the sysip address, the endpoint's sysip address is in each endpoint's routing table. If an application subsequently uses the same address that is used by the tunnel, the routing table would force the packet out on the interface, and not through the tunnel. The packet would leave the device unencapsulated.
To overcome this, voice calls originating from the system will continue to use the sysip address as before (in order to utilize the redundancy feature of the sysip). In addition, the voice call will also have an option to use a different source-destination pair for those calls that need to be tunneled via VPN. After the source address is defined, it is linked to the virtual port that represents the VPN tunnel, allowing the voice call to get tunneled across the VPN.
Network Management Features
Network management features include Upgrade Utilities and Upgrade Link, Web Link Enhancements, Autotargeting for SLA Monitoring/Remote Polling, Console Output in Telnet Sessions, Multiple SYSLOG Server Support, Audit Log Messaging Enhancements, and Domain Name Use in FTP and TFTP Commands.
Upgrade Utilities & Upgrade Link
With the upgrade utilities, you will be able to perform upgrades of all your Enterprise OS devices (NETBuilder, PathBuilder S5xx, and PathBuilder S400 devices) from an older version of software to a newer version. The version you can upgrade to will match your version of the upgrade utilities (for example, with the Upgrade Management Utilities version 11.4, you will be able to upgrade a device running 8.x, 9.x, 10.x, 11.0, 11.1, or 11.2 to any version 9.x, 10.x, 11.0, 11.1, 11.2, 11.3 or 11.4). Engineered to be reliable and simple to use, the utilities can be executed via command line, via the GUI-interface in Transcend® Upgrade Manager, via the GUI-interface in Upgrade Link, or via user-defined scripts.
Enhancements to Upgrade Utilities version 11.4:
File Transfers via HTTP
Faster installation of Enterprise OS software images into Upgrade Manager for Windows 95
Flexibility of installing the upgrade files into a directory besides /usr/3Com
Added support for PathBuilder S400 WAN convergence switches
Web Link Enhancements
Web Link is an embedded Web-based interface for management of the NETBuilder bridge/router (or PathBuilder S5xx tunnel switch starting with 11.1.1). Web Link is available on all router platforms running version 11.0 or later. To access Web Link, use Netscape 4.08 or later, or Internet Explorer 4.x or later.
Voice Wizard
Starting with 11.2.2, and with enhancements made in 11.4 for the PathBuilder S400 WAN convergence switch, Web Link provides a new Wizard configuration tool to aid in the configuration of the voice parameters. The Voice Wizard eases the task of configuration by creating a dial plan that can be viewed and later edited.
Performance Management
Currently available statistics are:
System Performance
Interface Performance: physical path statistics and port and virtual port statistics
Protocol Performance: Routing protocols
IP Routing Protocol: Total IP packets and IP packets per interface
IPX Routing Protocol: Total IPX packets
IPX Packets Per Interface
Frame Relay WAN Protocol
New Statistics for 11.4
VPN Performance: VPN tunnels and total active tunnels
IPsec Performance: Encrypted packets, authenticated packets, encrypted-authenticated packets and discarded packets
Voice Performance
Total Successful Calls
Total Packets
Total Bytes
Autotargeting for SLA Monitoring/Remote Polling
In 11.2, Remote Polling was introduced, which provided a mechanism to periodically poll a list of up to 100 target devices. By pinging a target list of devices for connectivity, logs could be generated and statistics gathered to measure latency between devices and to determine service levels. Statistics could also be gathered using the 3Com remote polling MIB (3com0019.mib), which can give the statistical result of each poll. The MIB variables can be used with 3rd party applications, such as InfoVista, to provide service level monitoring, analysis, and reporting. A maximum of 100 target devices can be polled.
In 11.4, the requirement to manually configure up to 100 target devices that the administrator remotely polls has been eliminated. Four predefined “target groups” will be used:
RAS targets are automatically added when a RAS user session is established
VLL targets are automatically added when a virtual leased line is configured
Tunnel Peers including PPTP/L2TP/IPIP/DNL are automatically added
Static targets can still be manually configured, if desired
Console Output in Telnet Sessions
With 11.4, all system messages can be displayed to a Telnet session as well as through a terminal attached to the local console port. Administrators will be able to view all important status messages from the Telnet session improving manageability.
Audit Log Messaging Enhancements
Many enhancements are added in the 11.4 release regarding the logging of events. These include:
In previous releases, only one SYSLOG server on the network could be sent the audit log messages from an Enterprise OS device. With 11.4, the administrator can configure each Enterprise OS device to send its audit log messages to up to six SYSLOG servers.
Persistent logging of events across reboots is now available on all platforms. Previously this feature was available only for NETBuilder II and PathBuilder S5xx devices (those devices that could support the partial dump feature). With 11.4, the partial dump feature is extended to the stackable devices (OfficeConnect NETBuilder, SuperStack II NETBuilder SI, and PathBuilder S400 devices), so reasons for spontaneous failures will be logged both on the device and within audit log messages sent to the SYSLOG server(s).
To provide a clearer understanding of audit log messages, the format of the messages has been changed. There is a different format for messages sent to a SYSLOG server vs. those saved in the device's local audit log buffer. Redundant information was removed and comprehensive definitions are provided. A field was added to indicate message severity (0-7 indicating Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug).
Changes to audit log messages sent to SYSLOG server(s):
For the SYSLOG messages, a unique message identifier (starting with 100) has been added. Specific services have been assigned a range of identifying numbers. For example, 100-199 identifies audit log file access status messages … dial history messages are 400-499 … IPsec messages are 600-649 … and Web Link messages are 1400-1499.
A new message format will have identifying labels. The new syntax is as follows:
priority Seq:SeqNumber Sev:Severity From:Entity/Source Msg:Text
Changes to audit log messages saved on the device's local audit log buffer:
The new message format will have identifying labels. The new syntax is as follows:
<priority> Seq:SeqNumber Date/Time Sev:Severity From:Entity/Source Msg:Text
Audit Log Message Filters are now supported. In previous releases, all audit log messages were sent to the designated SYSLOG server. With 11.4, the administrator can set a LogFilter, whereby specific messages can be sent to specific SYSLOG servers. Messages can be filtered based on service, priority,