3Com CoreBuilder™ 5000 Ethernet Private Line Card User Guide
http://www.3com.com/
Document Number 17-00439-3 Published May 1997
3Com Corporation 5400 Bayfront Plaza Santa Clara, California 95052-8145
Copyright © 3Com Corporation, 1997. All rights reserved. No part of this documentation may be reproduced in any form or by any means, or used to make any derivative work (such as translation, transformation, or adaptation) without permission from 3Com Corporation. Portions of this document are reproduced in whole or part with permission from third parties.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty of any kind, either implied or expressed, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. 3Com may make improvements or changes in the products or programs described in this documentation at any time.
UNITED STATES GOVERNMENT LEGENDS:
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following restricted rights:
For units of the Department of Defense:
Restricted Rights Legend: Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) for Restricted Rights in Technical Data and Computer Software Clause at 48 C.F.R. 52.227-7013.
For civilian agencies:
Restricted Rights Legend: Use, reproduction, or disclosure is subject to restrictions set forth in subparagraph (a) through (d) of the Commercial Computer Software – Restricted Rights Clause at 48 C.F.R. 52.227-19 and the limitations set forth in the 3Com Corporation standard commercial agreement for the software. Unpublished rights reserved under the copyright laws of the United States.
If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hardcopy documentation, or on the removable media in a directory file named LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be sent to you.
Federal Communications Commission Notice
This equipment was tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case you must correct the interference at your own expense.
Canadian Emissions Requirements
This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations.
Cet appareil numérique de la classe A respecte toutes les exigences du Règlement sur le matériel brouilleur du Canada.
EMC Directive Compliance
This equipment was tested and conforms to the Council Directive 89/336/EEC for electromagnetic compatibility. Conformity with this directive is based upon compliance with the following harmonized standards:
EN 55022 – Limits and Methods of Measurement of Radio Interference
EN 50082-1 – Electromagnetic Compatibility Generic Immunity Standard: Residential, Commercial, and Light Industry
Warning: This is a Class A product. In a domestic environment, this product may cause radio interference, in which case you may be required to take adequate measures. Compliance with this directive depends on the use of shielded cables.
Low Voltage Directive Compliance
This equipment was tested and conforms to the Council Directive 72/23/EEC for safety of electrical equipment. Conformity with this directive is based upon compliance with the following harmonized standard:
EN 60950 – Safety of Information Technology Equipment
VCCI Class 1 Compliance
This equipment is in the 1st Class category (information equipment to be used in commercial or industrial areas) and conforms to the standards set by the Voluntary Control Council for Interference by Information Technology Equipment aimed at preventing radio interference in commercial or industrial areas.
Consequently, when the equipment is used in a residential area or in an adjacent area, radio interference may be caused to radio and TV receivers, and so on.
Read the instructions for correct handling.
Fiber Cable Classification Notice
Use this equipment only with fiber cable classified by Underwriters Laboratories as to fire and smoke characteristics in accordance with Section 770-2(b) and Section 725-2(b) of the National Electrical Code.
UK General Approval Statement
The CoreBuilder 5000 Integrated System Hub and ONline System Concentrator are manufactured to the International Safety Standard EN 60950 and are approved in the U.K. under the General Approval Number NS/G/12345/J/100003 for indirect connection to the public telecommunication network.
Trademarks
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.
3Com, Boundary Routing, CardFacts, EtherLink, LANplex, LANsentry, LinkBuilder, NETBuilder, NETBuilder II, NetFacts, Parallel Tasking, SmartAgent, TokenDisk, TokenLink, Transcend, TriChannel, and ViewBuilder are registered trademarks of 3Com Corporation.
3TECH, CELLplex, CoreBuilder, EtherDisk, EtherLink II, FDDILink, MultiProbe, NetProbe, and ONline are trademarks of 3Com Corporation.
3ComFacts is a service mark of 3Com Corporation. The 3Com Multichannel Architecture Communications System is registered under U.S. Patent Number 5,301,303. AT&T is a registered trademark of American Telephone and Telegraph Company. Banyan and VINES are registered trademarks of Banyan Systems Inc. CompuServe is a registered trademark of CompuServe, Inc. DEC, DECnet, DELNI, POLYCENTER, VAX, VT100, VT220, and the Digital logo are trademarks of Digital Equipment Corporation. Hayes is a registered trademark of Hayes Microcomputer Products. OpenView is a registered trademark of Hewlett-Packard Company. Intel is a registered trademark of Intel Corporation. AIX, IBM, and NetView are registered trademarks of International Business Machines Corporation. Microsoft, MS-DOS, Windows, Windows 95, and Windows NT are registered trademarks of Microsoft Corporation. V30 is a trademark of NEC Corporation. NetWare and Novell are registered trademarks of Novell, Incorporated. IPX is a trademark of Novell, Incorporated. OSF and OSF/Motif are registered trademarks of Open Software Foundation, Inc. ONC, OpenWindows, Solaris, Solstice, Sun, Sun Microsystems, SunNet Manager, and SunOS are trademarks of Sun Microsystems, Inc.
SPARCstation is a trademark licensed exclusively to Sun Microsystems Inc. OPEN LOOK is a registered trademark of Unix System Laboratories, Inc. UNIX is a registered trademark of X/Open Company, Ltd. in the United States and other countries. Other brand and product names may be registered trademarks or trademarks of their respective holders.

CONTENTS

HOW TO USE THIS GUIDE
Audience 1
Structure of This Guide 1
Document Conventions 2
Related Documents 3
  3Com Documents 3
  Reference Documents 4
1 INTRODUCTION
CoreBuilder 5000 Ethernet Private Line Card Overview 1-1
Private Line Card Architecture Overview 1-2
Jamming Packets 1-4
  Eavesdropping Event Timing 1-4
  Intrusion Event Timing 1-5
Security Feature Overview 1-6
  Autolearning 1-7
  Eavesdropping Protection 1-7
  Intrusion Protection 1-7
Theory of Operation 1-7
  Ethernet Packet Transmission 1-7
  Ethernet Security Issues 1-8
    Eavesdropping Protection 1-8
    Intrusion Detection 1-10
Where to Go From Here 1-11
2 INSTALLING THE PRIVATE LINE CARD
Precautionary Procedures 2-1
Unpacking Procedure 2-1
Installing a CoreBuilder 5000 Ethernet Private Line Card 2-2
Where to Go From Here 2-3
3 CONFIGURING THE PRIVATE LINE CARD
Security Configuration Overview 3-2
Setting the Module to a Network 3-2
Showing and Configuring Port Parameters 3-3
  Showing Port Security 3-4
  Configuring Port Autolearning 3-5
  Configuring Port Jamming 3-5
  Configuring Port Intruder Checking 3-6
  Configuring Failsafe 3-6
  Configuring Group Codes 3-7
Showing and Configuring Network Parameters 3-8
  Showing Network Security 3-8
  Configuring Network Autolearning 3-9
  Configuring Eavesdrop Protection 3-10
  Configuring Source Address Checking 3-10
  Configuring Source Port Checking 3-11
  Configuring Intruder Jamming 3-12
  Configuring Intruder Reporting 3-12
  Configuring Intruder Port Disabling 3-13
  Enabling Security on the Network 3-13
Security Address Table Information 3-14
  Setting a MAC Address Manually 3-15
  Showing MAC Addresses 3-16
  Saving the MAC Address Table 3-17
  Reverting to the Previous MAC Address Table 3-18
  Deleting MAC Addresses 3-18
Security Intruder Table Information 3-18
  Showing the Intruder Table 3-19
  Deleting the Intruder Table 3-19
Where to Go From Here 3-20
4 TROUBLESHOOTING INFORMATION
Troubleshooting Using the Module Status LED 4-1
Troubleshooting PLC Configuration Problems 4-2
  Hardware Configuration Problems 4-2
  Software Configuration Problems 4-3
Technical Assistance 4-5
Where to Go From Here 4-5
A SPECIFICATIONS
General Specifications A-1
Power Specifications A-1
Environmental Specifications A-2
Mechanical Specifications A-2
B CONFIGURATION EXAMPLES
Providing Eavesdrop Protection with Continuous Autolearn B-1
Providing Maximum Security B-3
Configuring Security for a Complex Network Setup B-7
C TECHNICAL SUPPORT
Online Technical Services C-1
  World Wide Web Site C-2
  3Com Bulletin Board Service C-2
    Access by Analog Modem C-2
    Access by Digital Modem C-2
  3ComFacts Automated Fax Service C-3
  3ComForum on CompuServe Online Service C-3
Support From Your Network Supplier C-4
Support From 3Com Corporation C-5
Returning Products for Repair C-6
Accessing the 3Com MIB C-6
Contacting 3Com Technical Publications C-7
INDEX
3COM CORPORATION LIMITED WARRANTY

FIGURES

1-1 PLC and Media Module Interaction 1-3
1-2 Eavesdropping Event Timing Processing Time 1-4
1-3 Jamming a Packet with Eavesdropping Enabled 1-5
1-4 Eavesdropping Event Timing Processing Time 1-6
1-5 Jamming a Packet with Eavesdropping Enabled 1-6
1-6 Transmitting Packets on an Ethernet Network 1-8
1-7 Transmitting Information on a Secure Network 1-9
1-8 Sample Security Address Table 1-10
1-9 Intruder Transmissions on a Secure Network 1-10
2-1 Installing a CoreBuilder 5000 Private Line Card 2-3
B-1 Less Restrictive Network Security Setup B-2
B-2 Using the PLC to Provide Maximum Network Security B-6
B-3 Complex Network Security Setup B-8

TABLES

3-1 Configuration Overview 3-2
3-2 Port and Related Network Parameters 3-3
4-1 Troubleshooting Using the Module Status LED 4-1
4-2 Troubleshooting Software Conflicts 4-3
A-1 General Specifications A-1
A-2 Power Specifications A-1
A-3 Environmental Specifications A-2
A-4 Mechanical Specifications A-2
B-1 Configuring Parameters to Provide Minimum Security B-2
B-2 Configuring Parameters to Provide Maximum Security B-4
B-3 Security Considerations for a Complex Network Setup B-9

HOW TO USE THIS GUIDE

This guide explains how to install and operate the 3Com CoreBuilder 5000 Ethernet Private Line Card (referenced throughout this guide as the private line card or PLC). It also includes information on configuring this card using a CoreBuilder Management Module.
Before installing or using the private line card, read Chapters 1, 2, and 3 of this guide for basic installation and operation instructions.

Audience

This guide is intended for the following people at your site:
Network manager or administrator
Hardware installer

Structure of This Guide

This guide contains the following chapters:
Chapter 1, Introduction – Describes the functions and features of the CoreBuilder 5000 Ethernet Private Line Card.
Chapter 2, Installing the Private Line Card – Provides detailed information on unpacking and installing the private line card.
Chapter 3, Configuring the Private Line Card – Explains how to configure network and port configuration parameters. In addition, this chapter provides information on the security address table and intruder table.
Chapter 4, Troubleshooting Information – Provides help in isolating and correcting problems that may arise when installing or operating this module.
Appendix A, Specifications – Provides electrical, environmental, and mechanical specifications for the private line card.
Appendix B, Configuration Examples – Provides detailed examples on the configuration of your network using the security features provided by the PLC.
Appendix C, Technical Support – Lists the various methods for contacting the 3Com technical support organization and for accessing other product support services.
Index

Document Conventions

The following document conventions are used in this manual:
Convention | Indicates | Example
Courier text | User input | In the Agent Information Form, enter MIS in the New Contact field.
Courier text | System output | After pressing the Apply button, the system displays the message Transmitting data.
Courier text | Path names | Before you begin, read the readme.txt file located in /usr/snm/agents.
Text in angled brackets | User-substituted identifiers | In the command above, substitute <rem_name> with the name of the remote machine.
Bold command string with italic text in braces | User-substituted identifiers within a command | Use the following command to show port details: SHOW PORT {slot.all} VERBOSE
Capitalized text in plain brackets | Keyboard entry by the user | Type your password and press [ENTER].
Italics | Text emphasis, document titles | Ensure that you press the Apply button after you add the new search parameters.


Notice Type | Alerts you to...
Information note | Important features or instructions
Caution | Risk of personal safety, system damage, or loss of data
Warning | Risk of severe personal injury
Related Documents

This section provides information on supporting documentation, including:
3Com Documents
Reference Documents

3Com Documents

The following documents provide additional information on 3Com products:
CoreBuilder 5000 Integrated System Hub Installation and Operation Guide – Provides information on the installation, operation, and configuration of the CoreBuilder 5000 Integrated System Hub. This guide also describes the principal features of the CoreBuilder 5000 Fault-Tolerant Controller Module.
CoreBuilder 5000 Distributed Management Module User Guide – Provides information on the CoreBuilder 5000 Distributed Management Module’s operation, installation, and configuration. This guide also describes the software commands associated with the Distributed Management Module.
CoreBuilder 5000 Distributed Management Module Commands Guide – Describes each management command by providing detailed information on the command’s format, use, and description.
For a complete list of 3Com documents, contact your 3Com representative.

Reference Documents

The following documents supply related background information:
Case, J., Fedor, M., Schoffstall, M., and J. Davin, The Simple Network Management Protocol, RFC 1157, University of Tennessee at Knoxville, Performance Systems International and the MIT Laboratory for Computer Science, May 1990.
Rose, M., and K. McCloghrie, Structure and Identification of Management Information for TCP/IP-based Internets, RFC 1155, Performance Systems International and Hughes LAN Systems, May 1990.
1 INTRODUCTION

This chapter provides introductory information on the 3Com® CoreBuilder 5000 Ethernet Private Line Card (PLC), including:
CoreBuilder 5000 Ethernet Private Line Card Overview
Private Line Card Architecture Overview
Jamming Packets
Security Feature Overview
Theory of Operation
Where to Go From Here
CoreBuilder 5000 Ethernet Private Line Card Overview
The CoreBuilder™ 5000 Ethernet Private Line Card is a daughtercard that you can install on any CoreBuilder 5000 Ethernet Media Module or CoreBuilder 5000 Distributed Management Module with Ethernet Carrier (6106M-MGT). The PLC enables you to secure any network to which the card is assigned. Once assigned to an Ethernet network, you can configure the PLC to provide:
Intrusion protection for all CoreBuilder 5000 Ethernet ports
Eavesdropping protection for all CoreBuilder 5000 Ethernet ports
MAC address autolearning, including continuous self-management of address tables
Optional port disable when the PLC detects intruders
You must use DMM 2.00 software or above to manage and configure the PLC.

Private Line Card Architecture Overview

To provide security for your network, the PLC and media module (or DMM) must work together. To accomplish this, the PLC and the media module need to communicate with each other using the:
Serial Identification (SID) Line
Ethernet Backplane Network
Serial Identification Line – The PLC uses the SID to send security messages to the media module. Security messages instruct the media module to either pass or jam a packet. In addition, the PLC uses the SID to receive slot and port information for each packet that is transmitted on the backplane.
Ethernet Backplane Network – The PLC uses the Ethernet backplane network to listen for the destination address of each packet transmitted on the backplane. The PLC looks up each source and destination address to ensure it is valid. Once the PLC determines the validity of a packet, it generates a security message and sends that message to the media module using the SID.
The combination of these two communication paths enables the PLC and the media module to effectively provide security for your network (see Figure 1-1).
The media module performs a pass or jam of a packet on a per-port basis.
Figure 1-1 PLC and Media Module Interaction (the PLC and the media modules in the hub, connected by the Serial Identification Line and the backplane segment):
1 The PLC receives the slot and port identification for the packet from the media module.
2 The PLC receives the destination address for the packet from the media module.
3 The PLC generates a security message and sends it to all media modules attached to the backplane segment. The media modules then pass or jam the packet based on the security message.
As shown in Figure 1-1, the PLC issues security messages on a per packet basis to all repeater ports in the hub. Each port interprets the message and either jams or passes the packet. Jamming packets not only prevents eavesdropping, but also prevents the successful transmission of an intruder's packet.
A jammed packet consists of alternating 1s and 0s in place of the packet data. A jammed packet has the same length as the originally transmitted packet. A station that receives a jammed packet will disregard the packet because the cyclical redundancy check (CRC) field of the packet is incorrect. You can enable or disable jamming on a per-port basis.
Security processing is done as the packet passes through the system. Consequently, the PLC adds no additional delay to packet transmissions.

Jamming Packets

Before the PLC instructs a media module to jam a packet, it must first look up the appropriate source or destination address and transmit the security message to the media module. The time it takes to process each request differs depending on whether the media module jams an intruder packet or provides eavesdropping protection.
The remainder of this section describes packet jamming and packet event timing, including:
Eavesdropping Event Timing
Intruder Event Timing

Eavesdropping Event Timing
Before the PLC instructs the media module to jam a packet, it must first determine if the port that receives the packet is the intended recipient. Once the PLC receives the destination address of the packet, it performs the following:
1 The PLC performs a lookup of the packet destination address and creates a security message (processing time – 8 bit times).
2 The PLC transmits the security message to all media modules using the Serial Identification (SID) Line (processing time – 16 bit times).
3 The media module processes the security message and performs a jam if necessary (processing time – 8 bit times).
To complete the generation of the security message, the entire process requires a total of 32 bit times. Because the PLC needs to look up the destination address of the packet, the eavesdropping event timing begins at the end of the destination address field, as shown in Figure 1-2.
Figure 1-2 Eavesdropping Event Timing Processing Time (32 bit times total processing time)
If the security message that the media module generates jams the packet, the jam occurs after the first 32 bits of the source address field, as shown in Figure 1-3.
Figure 1-3 Jamming a Packet with Eavesdropping Enabled (32 bit times total processing time; data is jammed from that point)

Intrusion Event Timing
Before the PLC instructs the media module to jam a packet, it must first determine if the source address of the packet that is transmitted belongs to a valid user.
Once the PLC receives the source address of the packet, it performs the following:
1 The PLC performs a lookup of the packet source address and creates a security message (processing time – 11 bit times).
2 The PLC transmits the security message to all media modules using the Serial Identification (SID) Line (processing time – 16 bit times).
3 The media module processes the security message and performs a jam if necessary (processing time – 8 bit times).
To complete the generation of the security message, the entire process requires a total of 35 bit times. Because the PLC needs to look up the source address of the packet, the intrusion event timing begins at the end of the source address field, as shown in Figure 1-4.
Figure 1-4 Eavesdropping Event Timing Processing Time (35 bit times total processing time)
If the security message that the media module generates jams the packet, the jam occurs after the first 35 bits of the source address field, as shown in Figure 1-5.

Figure 1-5 Jamming a Packet with Eavesdropping Enabled (35 bit times total processing time; data is jammed from that point)

Security Feature Overview

This section discusses some of the most commonly used network and port security features that the PLC provides for your network, including:
Autolearning
Eavesdropping Protection
Intrusion Protection
For more information on these features, refer to Chapter 3, Configuring the Private Line Card.


Autolearning

Network and port autolearning parameters enable the PLC to automatically learn the MAC address for nodes on your network. Each address is then stored in a security address table for future reference. For example, if you set up a new security configuration on your network, you can use the autolearning feature to quickly learn all valid users on your network with per-port and network autolearning enabled. Depending on your configuration, it is possible to have continuous self-management of your address tables.
Eavesdropping Protection

Eavesdropping protection prevents all nodes except the intended recipient from receiving packets transmitted on the network. This provides administrators with a private line Ethernet that ensures all communication is successfully transmitted only to the intended recipient of the packet. Packets transmitted to other nodes are jammed.

Intrusion Protection

Intrusion protection prevents intruders from transmitting data to a port with intrusion protection enabled on a secure network. Only valid users (that is, users listed in the security address table) can successfully transmit data on a secure network.
The PLC checks the cyclic redundancy check (CRC) for each packet to ensure that partial packets are not treated as intruders.
Theory of Operation

This section provides an overview of Ethernet, including:
Ethernet Packet Transmission
Ethernet Security Issues

Ethernet Packet Transmission

Each time a packet is transmitted on an Ethernet network, it is accessible by all nodes on that network. For example, in Figure 1-6, a message transmitted from Node A to Node B is received by every node on the network, including the intended recipient. Each node examines the transmitted packet and, if the physical address of the node does not match the destination address in the packet, the node discards the packet.
Figure 1-6 Transmitting Packets on an Ethernet Network (Node A, a PC; a printer; Node B, a laptop)
In a standard network, this type of transmission provides an adequate method for exchanging data between nodes. In a secure environment, however, this type of transmission is not acceptable.
Ethernet Security Issues

To provide a secure method of data transfer on an Ethernet network, you must ensure that you:
Prevent eavesdropping
Provide intruder detection
By providing both eavesdropping protection and intruder detection you prevent unwanted listeners from monitoring the transmission of Ethernet packets and you stop intruders from transmitting packets on the network.
The remainder of this section describes:
Eavesdropping Protection
Intrusion Detection
Eavesdropping Protection
Eavesdropping prevents any user, including an intruder, from examining the contents of a packet destined for another port.
The following example shows a typical use of the CoreBuilder 5000 Private Line Card to provide eavesdropping protection in a networked environment.

Preventing Eavesdropping on a Secure Network

As shown in Figure 1-7, all nodes connect to Ethernet Network 2.
Figure 1-7 Transmitting Information on a Secure Network (message transmitted from User A to User C; Users A, B, C, and D on Ethernet Network 2):
Valid user – Port 4.4 – 04-60-8c-8c-61-5a
Valid user – Port 4.10 – 04-44-8c-7c-56-4b
Valid user – Port 8.6 – 08-60-8c-7f-61-6f
Valid user – Port 8.18 – 08-60-2c-7a-55-7d
On the module in slot 4, a CoreBuilder 5000 Private Line Card is attached and configured to secure Ethernet Network 2. To provide the minimum amount of security, the network administrator has enabled eavesdropping protection.
As a result, when User A transmits data to User C, the following occurs:
User C successfully receives the MAC frame (packet)
The packet is jammed at all other ports, so Users B and D cannot examine the packet contents
Because the network administrator enabled eavesdropping protection, only the destination address of User C is recognized by the PLC. Consequently, all other transmitted packets, regardless of whether the intended recipient is a valid user or an intruder, are jammed at the port level.
Figure 1-8 represents the Security Address Table associated with Figure 1-7.
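As an added example (not code from the 3Com guide), the following Python models the mechanism this chapter describes: a security address table keyed by port, the eavesdropping rule under which only the port holding the destination address passes the frame, the source address and source port checks that classify a sender as an intruder, a jammed frame of alternating 1s and 0s whose FCS no longer verifies, and the 32 and 35 bit-time processing budgets. The Figure 1-7 addresses are the sample data; the letter-to-port mapping, the jam-at-every-port response to an intruder and the 802.3 framing details are assumptions.

```python
import zlib
from dataclasses import dataclass, field

# Processing budget per the guide: address lookup + SID message + media module action.
EAVESDROP_BITS = 8 + 16 + 8    # 32 bit times, timed from the end of the destination address
INTRUSION_BITS = 11 + 16 + 8   # 35 bit times, timed from the end of the source address
DA_END_BIT, SA_END_BIT = 48, 96  # field boundaries in bits, counted from the first DA bit


def jam_start_bit(kind):
    """Bit offset into the frame at which the jam begins; every bit before it has
    already reached all repeater ports in clear (assumed reading of Figures 1-3/1-5)."""
    return {"eavesdrop": DA_END_BIT + EAVESDROP_BITS,
            "intrusion": SA_END_BIT + INTRUSION_BITS}[kind]


def mac(text):
    """'04-60-8c-8c-61-5a' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))


def build_frame(dst, src, payload):
    """Minimal 802.3 frame: DA, SA, length, payload, FCS (CRC-32, little-endian)."""
    body = mac(dst) + mac(src) + len(payload).to_bytes(2, "big") + payload
    return body + zlib.crc32(body).to_bytes(4, "little")


def fcs_ok(frame):
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")


def jam(frame):
    """Jammed packet: alternating 1s and 0s, same length as the original."""
    return b"\xaa" * len(frame)


@dataclass
class PLC:
    """Per-port pass/jam decisions for one secured network (constructed model)."""
    table: dict                     # security address table: port -> {valid MACs}
    eavesdrop: bool = True          # eavesdropping protection enabled
    src_addr_check: bool = True     # source address must be a valid user
    src_port_check: bool = True     # ... and must be registered on the ingress port
    intruder_table: list = field(default_factory=list)

    def ports_for(self, addr):
        return {p for p, macs in self.table.items() if addr in macs}

    def decide(self, ingress, dst, src):
        """Return ({port: 'pass'|'jam'} for every other repeater port, is_intruder)."""
        others = [p for p in self.table if p != ingress]
        intruder = ((self.src_addr_check and not self.ports_for(src)) or
                    (self.src_port_check and ingress not in self.ports_for(src)))
        if intruder:
            # Assumption: intruder jamming is on, so the frame is jammed everywhere.
            self.intruder_table.append((ingress, src))
            return {p: "jam" for p in others}, True
        if self.eavesdrop:
            # Only the port holding the destination address passes the frame;
            # an unknown destination is jammed at every port, as the text states.
            allowed = self.ports_for(dst)
            return {p: ("pass" if p in allowed else "jam") for p in others}, False
        return {p: "pass" for p in others}, False


# Sample data: the valid users of Figure 1-7 (letters A-D assumed to map to ports in order).
USERS = {"A": ("4.4", "04-60-8c-8c-61-5a"), "B": ("4.10", "04-44-8c-7c-56-4b"),
         "C": ("8.6", "08-60-8c-7f-61-6f"), "D": ("8.18", "08-60-2c-7a-55-7d")}
TABLE = {port: {addr} for port, addr in USERS.values()}


def demo():
    plc = PLC(TABLE)
    a_to_c, _ = plc.decide("4.4", USERS["C"][1], USERS["A"][1])               # User A -> User C
    intr, flagged = plc.decide("4.10", USERS["A"][1], "00-00-5e-00-53-01")    # unknown sender
    frame = build_frame(USERS["C"][1], USERS["A"][1], b"constructed payload")
    return a_to_c, intr, flagged, fcs_ok(frame), fcs_ok(jam(frame))


if __name__ == "__main__":
    print(demo())
```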