Cyclades PR1000 User Manual

Download

Page 1

Cyclades-PR1000

Installation Manual

Access Router

Cyclades Corporation

Page 2

Cyclades-PR1000 Installation Manual Version 1.2 – May 2002 Copyright (C) Cyclades Corporation, 1998 - 2002

We believe the information in this manual is accurate and reliable. However , we assume no responsibility , financial or otherwise, for any consequences of the use of this product or Installation Manual.

This manual is published by Cyclades Corporation, which reserves the right to make improvements or changes in the products described in this manual as well as to revise this publication at any time and without notice to any person of such revision or change. The menu options described in this manual correspond to version 1.9.4 of the CyROS operating system. This manual is printed horizontally in order to match the electronic (PDF) format of the Installation Manual, page per page.

All brand and product names mentioned in this publication are trademarks or registered trademarks of their respective holders.

FCC Warning Statement:

The Cyclades-PR1000 has been tested and found to comply with the limits for Class A digital devices, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the Installation Manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user is required to correct the problem at his or her own expense.

Canadian DOC Notice:

The Cyclades-PR1000 does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the Radio Interference Regulations of the Canadian Department of Communications.

Le Cyclades-PR1000 n’émet pas de bruits radioélectriques dépassant les limites applicables aux appareils numériques de la classe A prescrites dans le règlement sur le brouillage radioélectrique edicté par le Ministère des Communications du Canada.

Page 3

Cyclades-PR1000

CHAPTER 1 HOW TO USE THIS MANUAL ......................................................................................................7

Installation Assumptions ..................................................................................................................................8

Text Conventions.............................................................................................................................................. 8

Icons.................................................................................................................................................................9

Cyclades Technical Support and Contact Information...................................................................................10

CHAPTER 2 WHAT IS IN THE BOX ................................................................................................................12

The V.35/RS-232 Model .......................................................................................................... .......................13

The X.21 Model..............................................................................................................................................14

Horizontal Surfaces........................................................................................................................................15

Vertical Surfaces ............................................................................................................................................16

CHAPTER 3 USING CYROS MENUS .............................................................................................................19

Connection Using the Console Cable and a Computer or Terminal..............................................................19

Special Keys...............................................................................................................................................21

The CyROS Management Utility....................................................................................................................22

CHAPTER 4 STEP-BY-STEP INSTRUCTIONS FOR COMMON APPLICATIONS.........................................24

Example 1 Connection to an Internet Access Provider via Modem..............................................................24

Example 2 A LAN-to-LAN Example Using Frame Relay ..............................................................................33

CHAPTER 5 CONFIGURATION OF THE ETHERNET INTERFACE ..............................................................41

The IP Network Protocol ................................................................................................................................41

IP Bridge.....................................................................................................................................................43

Table of Contents

Page 4

Cyclades-PR1000

Other Parameters........................................................................................................................................... 44

CHAPTER 6 THE SWAN INTERFACE ............................................................................................................45

CHAPTER 7 NETWORK PROTOCOLS...........................................................................................................48

The IP Protocol...............................................................................................................................................49

The Transparent Bridge Protocol...................................................................................................................51

CHAPTER 8 DATA-LINK PROTOCOLS (ENCAPSULATION).........................................................................52

PPP (The Point-to-Point Protocol) .................................................................................................................52

HDLC..............................................................................................................................................................54

Frame Relay...................................................................................................................................................54

X.25 ................................................................................................................................................................60

X.25 with PAD (Packet Assembler/Disassembler).........................................................................................62

CHAPTER 9 ROUTING PROTOCOLS ............................................................................................................63

Routing Strategies............................................................................................................. .............................63

Static Routing .............................................................................................................................................63

Dynamic Routing ........................................................................................................................................63

Static Routes .................................................................................................................................................. 63

RIP Configuration...........................................................................................................................................67

OSPF..............................................................................................................................................................68

OSPF Configuration on the Interface .........................................................................................................70

Table of Contents

Page 5

Cyclades-PR1000

OSPF Global Configurations ......................................................................................................................72

CHAPTER 10 CYROS, THE OPERATING SYSTEM.......................................................................................77

Creation of the host table............................................................................................................................... 77

Creation of user accounts and passwords..................................................................................................... 77

IP Accounting .................................................................................................................................................79

CHAPTER 11 NAT (NETWORK ADDRESS TRANSLATION) ........................................................................80

Types of Address Translation ..................................................................................................................... 82

CHAPTER 12 RULES AND FILTERS .................................................................................................. ............ 86

Configuration of IP Filters...............................................................................................................................86

Traffic Rule Lists.............................................................................................................................................93

CHAPTER 13 IPX (INTERNETWORK PACKET EXCHANGE) ....................................................................100

Enabling IPX.................................................................................................................................................101

Configuring the Ethernet Interface ...............................................................................................................101

Configuring Other Interfaces........................................................................................................................101

PPP........................................................................................................................................................... 101

Frame Relay .............................................................................................................................................102

X.25 ..........................................................................................................................................................102

Routing .........................................................................................................................................................102

The SAP (Service Advertisement Protocol) Table ....................................................................................... 103

Table of Contents

Page 6

Cyclades-PR1000

CHAPTER 14 VIRTUAL PRIVATE NETWORK CONFIGURATION...............................................................104

APPENDIX A TROUBLESHOOTING.............................................................................................................109

What to Do if the Login Screen Does Not Appear When Using a Console. ................................................ 109

What to Do if the Router Does Not Work or Stops Working. ....................................................................... 110

Testing the Ethernet Interface ...................................................................................................................... 111

Testing the WAN Interface ........................................................................................................................... 112

APPENDIX B HARDWARE SPECIFICATIONS .............................................................................................114

General Specifications ................................................................................................................................. 114

External Interfaces ....................................................................................................................................... 115

The WAN Interface ................................................................................................................................... 115

The LAN Interface .................................................................................................................................... 115

The Console Interface .............................................................................................................................. 116

Cables ..........................................................................................................................................................117

The Straight-Through Cable..................................................................................................................... 117

The DB-25 to M.34 Adapter ..................................................................................................................... 118

The X.21 Modem Cable ........................................................................................................................... 119

The Loop-Back Connector .......................................................................................................................120

APPENDIX C CONFIGURATION WITHOUT A CONSOLE ...........................................................................121

Requirements...............................................................................................................................................121

Procedure.....................................................................................................................................................121

INDEX ..............................................................................................................................................................122

Table of Contents

Page 7

Cyclades-PR1000

CHAPTER 1 HOW TO USE THIS MANUAL

Three Cyclades manuals are related to the PR1000.

1 The Quick Installation Manual -- provided with the router , 2 The Installation Manual -- available electronically on the Cyclades web site, 3 The CyROS Reference Guide -- also available electronically on the Cyclades web site.

CyROS stands for the Cyclades Routing Operating System. It is the operating system for all Cyclades Power Routers (PR1000, PR2000, PR3000, and PR4000). The CyROS Reference Guide contains complete information about the features and configuration of all products in the PR line.

CyROS is constantly evolving, and the menus in this manual might be slightly different from the menus in the router . The latest version of all three manuals (and the latest version of CyROS) can be downloaded from Cyclades’ web site. All manuals indicate on the second page the manual version and the corresponding version of CyROS.

This manual should be read in the order written, with exceptions given in the text.

Chapter 2 - What is in the Box Chapter 3 -Using Menus

explains how the router should be connected.

describes CyROS menu navigation.

Chapter 4 -Step-by-Step Instructions for Common Applications - guide to configuration with detailed examples. Chapters 5 to 9- Basic router configuration information for applications that do not fit any of the examples in

chapter 4.

Chapter 10 - CyROS - shows how to set router specific parameters and create lists of hosts and users. Chapter 11 - Network Address Translation - describes CyROS’ NA T implementation.

Chapter 1 - How To Use This Manual

Page 8

Cyclades-PR1000

Chapter 12 - Filters and Rules - demonstrates how to protect your router from undesired traffic. Chapter 13 - IPX - presents the hidden menus available only in routers with IPX activated. Chapter 14 - Virtual Private Network - describes CyROS’ VPN implementation. Appendix A - Troubleshooting - provides solutions and tests for typical problems. Appendix B - Hardware Specifications. Appendix C - Configuration Without a Console.

Installation Assumptions

This Installation Manual assumes that the reader understands networking basics and is familiar with the terms and concepts used in Local Area and Wide Area Networking.

Text Conventions

Common text conventions are used. A summary is presented below:

Convention Description

CONFIG=>INTERFACE=>L A combination of menu items, with the last being either a menu item, a

parameter, or a command. In this example, L lists the interface configuration.

A variable menu item that depends on hardware options or a choice of hardware or software options.

IP Address

Screen Text

A parameter or menu item referenced in text, without path prepended. Screen Text

<ESC>, <Enter> Simbols representing special keyboard keys.

Chapter 1 - How To Use This Manual

Page 9

Cyclades-PR1000

Icons

Icons are used to draw attention to important text.

Icon Meaning Why

What is Wrong? When an error is common, text with this icon will mention the symptoms and

how to resolve the problem.

Where Can I Find More Information?

CyROS contains many features, and sometimes related material must be broken up into digestible pieces. Text with this icon will indicate the relevant section.

Caution! Not following instructions can result in damage to the hardware. Text with

this icon will warn when damage is possible.

Reminder. Certain instructions must be followed in order. Text with this icon will explain

the proper steps.

Chapter 1 - How To Use This Manual

Page 10

Cyclades-PR1000

Cyclades Technical Support and Contact Information

All Cyclades products include limited free technical support, software upgrades and manual updates. These updates and the latest product information are available at:

http://www.cyclades.com ftp://ftp.cyclades.com/pub/cyclades

Before contacting us for technical support on a configuration problem, please collect the information listed belo w.

• The Cyclades product name and model.

• Applicable hardware and software options and versions.

• Information about the environment (network, carrier, etc).

• The product configuration. Print out a copy of the listing obtained by selecting INFO=>SHOW

CONFIGURATION=>ALL.

• A detailed description of the problem.

• The exact error or log messages printed by the router or by any other system.

• The Installation Guide for your product.

• Contact information in case we need to contact you at a later time.

In the United States and Canada, contact technical support by phone or e-mail:

Phone: (510) 770-9727 (9:00AM to 5:00PM PST) Fax: (510) 770-0355 E-mail: support@cyclades.com

Outside North America, please contact us through e-mail or contact your local Cyclades distributor or representative.

10Chapter 1 - How to Use This Manual

Page 11

Cyclades-PR1000

The mailing address and general phone numbers for Cyclades Corporation are:

Cyclades Corporation

Phone: + 01 (510) 770-9727 Fax: + 01 (510) 770-0355

41829 Albrae Street Fremont, CA 94538 USA

11Chapter 1 - How to Use This Manual

Page 12

Cyclades-PR1000

CHAPTER 2 WHAT IS IN THE BOX

The Cyclades-PR1000 comes in two varieties, described below. Both models are accompanied by the following accessories:

• Quick Installation Manual

• Documentation CD containing the complete Installation Manual and the CyROS Reference Guide

• Console Cable and Power Source

• Mounting Kit containing Velcro® Strips and screws.

The Documentation CD also contains a back-up copy of the op Code, in case the preinstalled copy is corrupted in some way.

Chapter 2 - What is in the Box 12

Page 13

Cyclades-PR1000

The V.35/RS-232 Model

Power Source

To Wall Outlet

Back Panel of PR1000

Ethernet

Console

On/Off

WAN

DB-25

Male

Straight-

Through Cable

DB-25

Male

DB-25

Male

M.34

Adaptor

Straight-

Through

Cable

Console Cable Labeled “Conf”

or “Console”

To COM Port

of Computer

RS-232 Modem

with DB-25

Interface

V.35 DSU/CSU

with M.34

Interface

FIGURE 2.1 V .35/RS-232 MODEL

Figure 2.1 shows which cables (purchased separately) should be used for each type of modem and how everything should be connected. The pinout diagrams of these cables are provided in Appendix B of the Installation Manual.

Chapter 2 - What is in the Box 13

Page 14

Cyclades-PR1000

The X.21 Model

Back Panel of PR1000

n/O

WAN

Ethernet

onsole

To COM Port

of Computer

Power Source

DB-25

Console Cable Labeled “Conf”

or “Console”

Male

X.21 Modem

Cable

DB-15

To Wall Outlet

Male

X.21 DSU/CSU

with DB-15

Interface

FIGURE 2.2 X.21 MODEL

Figure 2.2 shows which cable (purchased separately) should be used for an X.21 modem and how everything should be connected. The pinout diagram of this cable appears in Appendix B of the Installation Manual.

Cyclades recommends the use of Category 5, shielded twisted-pair cables for Fast Ethernet connections. The Cyclades-PR1000 comes with rubber pads to prevent it from slipping on a horizontal surface. It may be

necessary to affix the router more securely to either a horizontal or vertical surface. To this end, Velcro® strips and screws have been provided.

Chapter 2 - What is in the Box 14

Page 15

Cyclades-PR1000

Horizontal Surfaces

The Velcro® strips should be used to attach the PR1000 more firmly to a horizontal surface. Remove the backing from the prickly Velcros® and attach them to the router as shown in the figure. Remove the backing from the fuzzy Velcros® and place them on the horizontal surface so they are aligned with the Velcros® on the router .

Cyclades-PR1000

Prickly

Velcro

Fuzzy

Velcro

Horizontal Surface Where the PR1000 Will be Secured

FIGURE 2.3 HOW TO ATT ACH THE VELCRO® STRIPS

Prickly

Velcro

Chapter 2 - What is in the Box 15

Page 16

Cyclades-PR1000

Next, place the PR1000 on the horizontal surface, aligning the fuzzy and prickly Velcros® as shown in Figure 2.4.

Cyclades-PR1000

Horizontal Surface Where the PR1000 Will be Secured

FIGURE 2.4 HOW TO ATT ACH THE PR1000 T O A HORIZONTAL SURF ACE

Vertical Surfaces

There are two slots in the base of the PR1000 to allow it to be affixed to a vertical surface. Screws and nylon fixings (for cement walls) are provided for this purpose.

Make holes 184,8mm (7.27 in) apart on the vertical surface. If using a drill, a 5mm bit should be used. Four millimeters (or a little more than 1/8 in) of the screw should be exposed (not counting the head).

Chapter 2 - What is in the Box 16

Page 17

Cyclades-PR1000

184,8 mm or 7.27 in

FIGURE 2.5 POSITIONING OF SCREWS

Two 5mm Ø Screws

with Nylon Fixings

Screw Slot

Vertical Surface Where

the PR1000 Will be Secured

Chapter 2 - What is in the Box 17

Page 18

Cyclades-PR1000

Place the center of the screw slots over the screws and slide the router down so the screws hold the router in place as shown in Figure 2.6.

Cyclades-PR1000

Vertical Surface Where

the PR1000 Will be Secured

FIGURE 2.6 HOW TO ATTACH THE PR1000 TO A VERTICAL SURF ACE

Note that the PR1000 can be hung with the LEDs facing up or facing down, whichever is more convenient.

Chapter 2 - What is in the Box 18

Page 19

Cyclades-PR1000

Chapter 3 Using CyROS Menus

This chapter explains CyROS menu navigation and special keys. There are three ways to interact with CyROS:

• Traditional menu interface using a console or Telnet session,

• CyROS Management Utility based on interactive HTML pages,

• SNMP (explained in the CyROS Reference Manual).

Connection Using the Console Cable and a Computer or Terminal

The first step is to connect a computer or terminal to the router using the console cable. If using a computer, HyperTerminal can be used in the Windows operating system or Kermit in the Unix operating system. The terminal parameters should be set as follows:

• Serial Speed: 9600 bps

• Data Length: 8 bits

• Parity: None

• Stop Bits: 1 stop bit

• Flow Control: Hardware flow control

none

[PR1000] login : super [PR1000] Password : ****

Cyclades Router (Router Name) – Main Menu

1 – Config 2 – Applications 3 – Logout 4 – Debug 5 – Info 6 – Admin

Select Option ==>

FIGURE 3.1 LOGIN PROMPT AND MAIN MENU

Chapter 3 - Using CyROS Menus 19

Page 20

Cyclades-PR1000

Once the console connection is correctly established, a Cyclades banner and login prompt should appear on the terminal screen. Pressing <ESC> during the boot process will temporarily halt initialization and present several options: IP address of the router , IP address of the boot server, boot from network, MAC address, etc. If the login prompt does not appear, see the first section of the troubleshooting appendix for help. Next, log in. The preset super-user user ID is “super” and the corresponding preset password is “surt”. The password should be changed as soon as possible, as described in chapter 10 of the installation manual and at the end of every example in chapter 4. The login prompts and main menu are shown in Figure 3.1.

All menus have the following elements:

• Title – In the example in Figure 3.1: “Main Menu”.

• Prompt – The text: “Select Option ==>”.

• Options –The menu options, which are selected by number.

• Router Name – The default is the name of the product. Each router can be renamed by the super user for easier identification.

Menus can also be navigated using a short-cut method. This method must be activated first by choosing a shortcut character (“+” in the example that follows) in the CONFIG =>SYSTEM =>ROUTER DESCRIPTION menu. Typing 4+1+1 at the main-menu prompt, for example, is equivalent to choosing option 4 in the main menu (Debug), then choosing option 1 in the debug menu (Trace), then choosing option 1 in the trace menu (Driver Trace). In addition to menus, some screens have questions with letter choices. In the line below, several elements may be identified:

lmi-type((A)NSI, (G)roup of four, (N)one )[A]:

• Parameter description – The name of the parameter to be configured, in this case “lmi-type”.

• Options – Legal choices. The letter in parentheses is the letter that selects the corresponding option.

• Current value – The option in square brackets is the current value.

Pressing <Enter> without typing a new value leaves the item unchanged.

Chapter 3 - Using CyROS Menus 20

Page 21

Cyclades-PR1000

Special Keys

<Backspace> L

<Ctrl+I>

<Ctrl+M>

<Ctrl+H

These keys are used to end the input of a value. These keys are used to cancel a selection or return to the previous menu. In some isolated cases, this key forwards you to the next menu in a series of menus at the same level.

These keys have the expected effect of erasing previously typed characters. When availabl e, this option displa ys the curre nt configuration. For example, i n the Ethernet Interface Menu, “L” displays the Ethernet configurations.

On leaving a menu where a change in configuration was made, CyROS will ask whether or not the change is to be saved:

(D)iscard, save to (F)lash, or save to (R)un configuration:

Selecting

Discard

will undo all changes made since the last time the question was asked. Saving to

Flash

memory makes all changes permanent. The changes are immediately effective and are saved to the configuration vector in flash memory. In this case, the configuration is maintained even after a router reboot. Saving only to the

Run

configuration makes all changes effective immediately, but nothing is saved permanently until explicitly saved to flash (which can be done with the option ADMIN =>WRITE CONFIGURATION=>TO FLASH).

The menus and parameter lists are represented in this manual by tables. The first column contains the menu item or the parameter, and the second column contains its description.

This menu interface is also available via Telnet if one of the interfaces has been connected and configured. The menu interface is the same as that described earlier in this section. Using Telnet instead of a console for the initial Ethernet configuration is discussed in Appendix C of the Installation Manual.

Chapter 3 - Using CyROS Menus 21

Page 22

Cyclades-PR1000

The CyROS Management Utility

After one of the interfaces has been connected and configured, there is another way to interact with CyROS. Type the IP address in the location field in an HTML browser of a PC connected locally or remotely through the configured interface. A super-user ID and password will be requested (these are the same ID and password used with the lineterminal interface). A clickable image of the router back panel will apear, as shown in Figure 3.2.

Cyros Management Utility

Firmware version: Cyclades-PR1000: CyROS V_1.9.5

On/Off

Configuration Menu Interface (Text Mode)

End HTTP session

WAN

Ethernet

Console

FIGURE 3.2 CYROS MANAGEMENT UTILITY HOME PAGE

Chapter 3 - Using CyROS Menus 22

Page 23

Cyclades-PR1000

The link

Configuration Menu Interface

will present an HTML version of the CyROS Main Menu, described

previously. Clicking on an interface will show its current status and some additional information. Clicking on

HTTP Session

will terminate the connection.

End

Chapter 3 - Using CyROS Menus 23

Page 24

Cyclades-PR1000

CHAPTER 4 STEP-BY-STEP INSTRUCTIONS FOR COMMON APPLICATIONS

This chapter provides detailed examples that can be used as models for similar applications. Turn to the example that is closest to your application, read the explanations, and fill in the blank spaces with parameters appropriate to your system. At the end of the section, you should have listed all the parameters needed to configure the router . At that point, read chapter 3 if you have not already , and configure your router with help from later chapters of the Installation Manual, when needed.

Example 1 Connection to an Internet Access Provider via Modem

This section will guide you through a complete router installation for the connection of a LAN to an Internet access provider via PPP. The configuration of NAT (Network Address Translation) will also be shown. Figure 4.1 shows the example system used in this section. Note that this example assumes that the IP address to which the network IP addresses will be translated is assigned dynamically by the Internet Service Provider . For configuration of a known IP address, see the chapter on NAT configuration in the complete Installation Manual. Spaces have been provided next to the parameters needed for the configuration where you can fill in the parameters for your system. Do this now before continuing.

RS-232 Modem

Network IP:

192.168.0.0 Network Mask:

255.255.255.0 ________

Speed: 38.4k

_______

SWAN

PR1000

ETH0

Host

192.168.0.30 _______

192.168.0.11

192.168.0.10 _______

192.168.0.1_______

FIGURE 4.1 CONNECTION TO ACCESS PROVIDER USING A SWAN INTERFACE AND A MODEM

24Chapter 4 - Step-by-Step Instructions

Page 25

Cyclades-PR1000

Please read the entire example and follow the instructions before turning the router on. The router is programmed to log the super user off after 10 minutes of inactivity. All data not explicitly saved to memory is then lost. Collecting the data

while

configuring the router will likely cause delays and

frustration.

STEP ONE The first step is to determine the parameters needed to configure the Ethernet interface (ETH0). The parameters in the Network Protocol Menu (IP) are shown in Figure 4.2. Fill in the blanks for your application in the right-most column. These parameters will be entered into the router later, after all parameters have been chosen. Each parameter in this menu is explained in more detail in chapter 5 of the Installation Manual.

CONFIG=>INTERFACE=>ETHERNET=>NETWORK PROTOCOL=>IP

Parameter Example Your Application

Active or Inactive Active enables IP communication (IPX

and Transparent Bridge are not used in this example).

Interface Numbered

Numbered /Unnumbered Primary IP Address 192.168.0.1 Subnet Mask 255.255.255.0 Secondary IP

0.0.0.0 for none. Address IP MTU Use the preset value, 1500. This

determines whether or not a given IP datagram is fragmented.

this table continued

FIGURE 4.2 ETHERNET NETWORK PROTOCOL MENU PARAMETERS

25Chapter 4 - Step-by-Step Instructions

Page 26

Cyclades-PR1000

Parameter Example Your Application

IP fragmentation -

Yes Ignore Bit DF NAT Local ICMP Port Inactive Incoming Rule List None, filters are not included in this

example. Outgoing Rule List Name

None, filters are not included in this

example. Proxy ARP Inactive IP Bridge Inactive

FIGURE 4.2 ETHERNET NETWORK PROTOCOL MENU PARAMETERS (CONTINUED)

STEP TWO No more parameters are necessary for the Ethernet interface. The other interface to be configured is the SWAN. The SWAN physical media parameters are shown in Figure 4.3. Fill in the values for your application. The SW AN configuration is described in more detail in chapter 6 of the Installation Manual.

CONFIG=>INTERFACE=>SWAN=>PHYSICAL

Parameter Example Your Application

Mode Asynchronous Speed 38.4k

FIGURE 4.3 SWAN PHYSICAL MENU PARAMETERS

26Chapter 4 - Step-by-Step Instructions

Page 27

Cyclades-PR1000

STEP THREE The network protocol parameters, shown in Figure 4.4, are similar to those for the Ethernet interface. Fill in the parameters for your network in the right-most column.

CONFIG=>INTERFACE=>SWAN=>NETWORK PROTOCOL=>IP

Parameter Example Your Application

Active or Inactive Active enables IP communication (IPX and

Transparent Bridge are not used in this example).

Interface Unnumbered/

Numbered Numbered Primary IP Address 0.0.0.0 (This number will be assigned by the

Access Provider dynamically.) Subnet Mask 255.0.0.0 Secondary IP Address 0.0.0.0 for none IP MTU Use the preset value, 1500. This determines

whether or not a given IP datagram is

fragmented. NAT

Global Assigned

because the IP address of the SWAN interface will be assigned dynamically.

Enable Dynamic Local IP Address

Yes, because the IP address of the SWAN interface will be assigned dynamically.

Remote IP Address Type Any Remote IP Address 0.0.0.0 ICMP Port Inactive Incoming Rule List Name None, filters are not included in this example. Outgoing Rule List Name None, filters are not included in this example. Routing of Broadcast

Inactive

Messages

FIGURE 4.4 SWAN NETWORK PROTOCOL (IP) MENU PARAMETERS

27Chapter 4 - Step-by-Step Instructions

Page 28

Cyclades-PR1000

STEP FOUR The Encapsulation parameters for PPP are less straight-forward. Many of them are based on decisions that cannot be shown in a diagram. Fortunately, the choices made here will mostly affect the performance of the link, rather than whether it works or not. Fill in the parameters appropriate for your system, consulting chapter 8 of the Installation Manual for more information if necessary.

CONFIG=>INTERFACE=>SWAN=>ENCAPSULATION=>PPP

Parameter Example Your Application

MLPPP PPP Inactivity Timeout Enable Van Jacobson

No None

so that the connection is never broken. No

IP Header Compression Disable LCP Echo

Requests Edit ACCM No Value. This will depend on the

modem used.

Time Interval to Sen d

Use the preset value, one.

Config Requests Enable Predictor

Compression Connection Type Dial-Out

FIGURE 4.5 PPP ENCAPSULATION MENU PARAMETERS

28Chapter 4 - Step-by-Step Instructions

Page 29

Cyclades-PR1000

STEP FIVE Since a modem is used in the example, the dial-out table must be configured. This is done as shown in Figure 4.6.

CONFIG=>SYSTEM=>MODEMS=>DIAL OUT TABLE=>ADD

Parameter Example Your Application

IP Address Type in any valid IP address not on

the local network. Init String at Dial String atdt+phone number of access

provider. Authentication Method PAP/CHAP/BOTH—depends on the

service provider. Login Name Login name device receiving call is

expecting. Password Password device receiving call is

expecting.

FIGURE 4.6 MODEM DIAL-OUT TABLE PARAMETERS

29Chapter 4 - Step-by-Step Instructions

Page 30

Cyclades-PR1000

STEP SIX T wo static routes must be added to tell the router that all traffic not intended for the local LAN should be sent to the Access Provider . Chapter 9 of the Installation Manual explains static routes and other routing methods available in CyROS. Fill in the spaces in Figures 4.7 and 4.8 with the values for your application.

CONFIG=>STATIC ROUTES=>IP=>ADD ROUTE

Parameter Example Your Application

Destination IP Address This IP address must match

address

given in figure 4.6

the IP

(CONFIG=>SYSTEM=>MODEMS=>

DIAL OUT TABLE=>ADD=>IP

ADDRESS) Subnet Mask The subnet mask for

IP Address

the Destination

255.255.255.255

Gateway or Interface Interface Interface SWAN Is This a Backup Route? No OSPF Advertises This

No Static Route

FIGURE 4.7 STATIC ROUTE MENU PARAMETERS FOR INTERFACE ROUTE

30Chapter 4 - Step-by-Step Instructions

Page 31

Cyclades-PR1000

CONFIG=>STATIC ROUTES=>IP=>ADD ROUTE

Parameter Example Your Application

Destination IP Address Type in the word "DEFAULT". Gateway or Interface Gateway Gateway IP address Use the same value as for

Destination IP Address in the

previous table. Metric 1 Is This a Backup Route? No OSPF Advertises This

No Static Route

FIGURE 4.8 STATIC ROUTE MENU PARAMETERS FOR GATEWAY ROUTE

STEP SEVEN NAT must now be activated. There are two varieties of NAT: Normal and Expanded. This example uses the Normal NAT Mode. The other mode is explained in the chapter on NAT in the Installation Manual.

Menu CONFIG =>SECURITY =>NAT =>GENERAL

Parameter Example Your Application

Nat Status Enabled Nat Mode Normal Disable Port Translation No

FIGURE 4.9 NAT GENERAL PARAMETERS

STEP EIGHT NAT parameters will now be determined for routing outside of the local LAN. Network Address Translation maps the local IP addresses, registered in the local address range menu below, to the one global IP address assigned by the access provider. Local IP addresses not indicated in this menu will be discarded.

31Chapter 4 - Step-by-Step Instructions

Page 32

Cyclades-PR1000

Menu CONFIG =>SECURITY =>NAT =>LOCAL ADDRESS =>ADD RANGE

Parameter Example Your Application

First IP Address 192.168.0.10 Last IP Address 192.168.0.30

FIGURE 4.10 NAT LOCAL ADDRESS RANGE MENU PARAMETERS

The factory preset values for all other NAT parameters are appropriate for this example. STEP NINE

Now that the parameters have been defined, enter into each menu described above, in the order presented (read chapter 3, Using Menus, if you have not done so already). Set the parameters in each menu according to the values you wrote in the figures above. Save the configuration to flash memory at each step when requested — configurations saved in run memory are erased when the router is turned off. If you saved part of the configuration to run memory for some reason, save to flash memory now using the menu option ADMIN =>WRITE CONFIGURATION =>TO FLASH.

STEP TEN The Ethernet interface can be tested as described in the troubleshooting appendix. The SWAN interface can be tested in a similar manner. At this point, you should create a backup of the configuration file (in binary) and print out a listing of the configuration.

Instructions for creating a backup of the configuration file.

Use the menu option ADMIN =>WRITE CONFIGURATION =>TO FTP SERVER. Fill in the IP address of the computer where the configuration file should be saved, the file name, the directory name, and the user account information. This configuration file can later be downloaded with the ADMIN =>LOAD CONFIGURATION =>FTP SERVER option.

Instructions for listing the configuration.

The menu option INFO =>SHOW CONFIGURA TION =>ALL will list to the terminal screen the configuration of the router. This can be saved in a text file and/or printed on a printer.

32Chapter 4 - Step-by-Step Instructions

Page 33

Cyclades-PR1000

Example 2 A LAN-to-LAN Example Using Frame Relay

This section will guide you through a complete router installation for the connection of two LANs via Frame Relay . Figure 4.11 shows the example system used in this section. Spaces have been provided next to the parameters needed for the configuration where you can fill in the parameters for your system. Do this now before continuing.

Network IP: 100.130.130.0

Central Office's

LAN

________

Mask: 255.255.255.0

________

Network IP: 15.0.0.0

_______

Mask :255.255.255.0

Remote Site’s

LAN

________

ETH0

PR1000

200.240.230.2

PR1000

________

100.130.130.1 ________

SWAN

V.35 DSU/CSU ________

_ _ _ 128 Kbps

Connection

Public

Frame Relay

Network

200.240.230.1 ________

Network IP: 200.240.230.0________ Mask :255.255.255.240________

FIGURE 4.11 CENTRAL OFFICE AND REMOTE SITE CONNECTED USING SWAN INTERFACES

33Chapter 4 - Step-by-Step Instructions

Page 34

Cyclades-PR1000

STEP ONE The first step is to determine the parameters needed to configure the Ethernet interface (ETH0). The parameters in the Network Protocol Menu (IP) are shown in Figure 4.12. Fill in the blanks for your application in the right-most column. These parameters will be entered into the router later, after all parameters have been chosen. Each parameter in this menu is explained in more detail in chapter 5 of the Installation Manual.

Menu Parameter Example Your Application

Active or Inactive Active enables IP comm unication (IPX and

Interface Unnum bered Num bered Primary IP Address 100.130.130.1 Subnet Mask 255.255.255.0 Secondary IP Address 0.0.0 .0 for none. IP MTU U se the preset value, 1500. This determines

IP Fragmentation - Ignore Bit DF NAT Global, because NAT is not being used in this

IC MP Po rt In a c tiv e Incoming Rule List None, filters are not included in this example. Outgoing Rule List Nam e None, filters are not included in this examp le. Routing o f Broadcast Messages Proxy ARP Inactive

CON FIG=>INTERFA CE=>E THER NE T=>NETWO RK P RO TOC OL=> IP

Transparent Bridge are not used in this

example).

whether or not a given IP datagram is

fragm ented.

Yes.

example.

Inactive

FIGURE 4.12 ETHERNET NETWORK PROTOCOL MENU PARAMETERS

34Chapter 4 - Step-by-Step Instructions

Page 35

Cyclades-PR1000

STEP TWO No more parameters are necessary for the Ethernet interface. The other interface to be configured is the SWAN in slot 1. The SWAN physical media parameters are shown in Figure 4.13. Fill in the values for your application. The SWAN configuration is described in more detail in chapter 6 of the Installation Manual.

CONFIG=>INTERFACE=>SWAN=>PHYSICAL

Parameter Example Your Application

Mode Synchronous. Clock Source When the interface is connected to a

DSU/CSU, the

Clock Source

External

Media for SWAN Cable V.35 in the example because the DSU/CSU

is V.35. The type of cable is detected by the

router, so if the correct cable is connected to

the DSU/CSU the router will choose this

value as the default.

FIGURE 4.13 SWAN PHYSICAL MENU PARAMETERS

35Chapter 4 - Step-by-Step Instructions

Page 36

Cyclades-PR1000

STEP THREE The network protocol parameters, shown in Figure 4.14, are similar to those for the Ethernet interface. Fill in the parameters for your network in the right-most column.

CONFIG=>INTERFACE=>SWAN=>NETWORK PROTOCOL=>IP

Parameter Example Your Application

Active or Inactive Active enables IP communication (IPX and

Transparent Bridge are not used in this

example). Interface Unnumbered/

Numbered Numbered Primary IP Address 200.240.230.2 Subnet Mask 255.255.255.240 is the mask in the

example. Secondary IP Address 0.0.0.0 for none. IP MTU Use the preset value, 1500. This

determines whether or not a given IP

datagram is fragmented. IP Fragmentation - Ignore

Yes. Bit DF NAT Glo bal, because NAT is not being used in

this example. ICMP Port Inactive Incoming Rule List None, filters are not included in this

example. Outgoing Rule List Name None, filters are not included in this

example. Routing of Broadcast

Inactive Messages

FIGURE 4.14 SWAN NETWORK PROTOCOL (IP) MENU PARAMETERS

36Chapter 4 - Step-by-Step Instructions

Page 37

Cyclades-PR1000

STEP FOUR The Encapsulation parameters for Frame Relay are less straight-forward. Many of them are based on decisions that cannot be shown in a diagram. Fortunately, the choices made here will mostly affect the performance of the link, rather than whether it works or not. Fill in the parameters appropriate for your system, consulting chapter 8 of the Installation Manual for more information if necessary.

CONFIG=>INTERFACE=>SWAN=>ENCAPSULATION=>FRAME RELAY

Parameter Example Your Application

Encapsulation Type Choose RFC1490 unless the router at the

other end of the connection uses the default

Cisco standard. SNAP IP

Inactive

sendin

for the example. The router on the

end must be using the same header type (NLPID or SNAP) as the router on the receiving end.

LMI ANSI for the example. This must also be

the same as the router on the receivin

end.

T391 Ten seconds, the interval between the LMI

Status Enquiry messages.

N391 Six. N392 Three. N393 Four. This value must be larger than N392. Bandwidth Reservation Inactive. Traffic control will not be covered

in this example

FRF-12 - Fragment Size Indicates the size of FRF-12 fragments.

Use default value.

Voice over this link Inactive.

FIGURE 4.15 FRAME RELAY ENCAPSULATION MENU PARAMETERS

37Chapter 4 - Step-by-Step Instructions

Page 38

Cyclades-PR1000

At the end of the parameter list shown above, the DLCI menu appears. Choosing Add DLCI will lead to the parameters shown in Figure 4.16. The <ESC> key used at any time during the Frame Relay encapsulation parameter list will also bring up the DLCI menu. A DLCI entry must be created for every remote Frame Relay network to be contacted. In the example, only one is shown.

CONFIG=>INTERFACE=>SWAN=>ENCAPSULATION=>FRAME RELAY=><ESC>=>ADD DLCI

Parameter Example Your Application

DLCI Number Sixteen. This number is supplied by the

Public Frame Relay network provider.

Frame Relay Address Map

Static,

which maps one IP address to this

DLCI.

IP Address 200.240.230.1 CIR 90 percent. 100 minus this number is the

percentage of total bandwidth that may be discarded if the network is congested.

Enable Predictor Compression

Yes, if Cyclades routers are used on both ends of the link and Predictor Compression is enabled on both routers. This feature is effective only for links running at speeds under 2 Mbps.

Number of Bits for Compression

Sixteen when both routers are of the PR line. Ten must be used if the other router is a PathRouter.

FIGURE 4.16 DLC CONFIGURATION MENU PARAMETERS

38Chapter 4 - Step-by-Step Instructions

Page 39

Cyclades-PR1000

STEP FIVE Now that the central office’s LAN has been defined, a route must be added to tell the router that the remote site’s LAN is at the other end of the line. Creating a static route is the simplest way to do this. Chapter 9 of the Installation Manual explains static routes and other routing methods available in CyROS. Fill in the spaces in Figure 4.17 with the values for your application.

CONFIG=>STATIC ROUTES=>IP=>ADD ROUTE

Parameter Example Your Application

Destination IP Address 15.0.0.0 Subnet Mask 255.255.255.0 Gateway or Interface gateway Gateway IP Address 200.240.230.1 Metric One -- number of routers between router

being configured and the destination IP address.

Is This a Backup Route? No OSPF Advertises This

Static Route

FIGURE 4.17 STATIC ROUTE MENU PARAMETERS

STEP SIX Now that the parameters have been defined, enter into each menu described above, in the order presented (read chapter 3, Using Menus, if you have not done so already). Set the parameters in each menu according to the values you wrote in the figures above. Save the configuration to flash memory at each step when requested — configurations saved in run memory are erased when the router is turned off. If you saved part of the configuration to run memory for some reason, save to flash memory now using the menu option ADMIN =>WRITE CONFIGURATION =>TO FLASH. Be sure to change the superuser password using the menu option CONFIG =>SECURITY => USERS =>MODIFY. The user ID, super, can remain the same, but the password must be changed to avoid unauthorized access.

39Chapter 4 - Step-by-Step Instructions

Page 40

Cyclades-PR1000

STEP SEVEN The Ethernet interface can be tested as described in the troubleshooting appendix. The SWAN interface can be tested in a similar manner. At this point, you should create a backup of the configuration file (in binary) and print out a listing of the configuration.

Instructions for creating a backup of the configuration file.

Instructions for listing the configuration.

The menu option INFO =>SHOW CONFIGURA TION =>ALL will list to the terminal screen the configuration of the router. This can be saved in a text file and/or printed on a printer.

40Chapter 4 - Step-by-Step Instructions

Page 41

Cyclades-PR1000

CHAPTER 5 CONFIGURATION OF THE ETHERNET INTERFACE

The PR1000 has one Ethernet 10/100Base-T interface, provided in a standard RJ-45 modular jack, which should be connected to an Ethernet hub or switch. Use a standard 10/100Base-T straight-through cable (not included). When the Ethernet link is correctly connected, the link LED will be lit. The menus for the Ethernet Interface are independent of the speed of the link.

If your network uses 10Base2 (thin coaxial cable) or 10Base5 (thick coaxial cable), you will need a transceiver to convert between the different Ethernet media. A crossover cable is required for direct connection to a computer (an RJ-45 Ethernet pinout is provided in appendix B). Note: While Cyclades Power Routers work with most standard RJ-45 cable/connectors, shielded Ethernet cables should be used to avoid interference with other equipment .

The parameters in the encapsulation menu are preset at the factory and it is usually not necessary to change them. The first step in the Ethernet configuration is to choose which network protocol to use and assign values to the relevant parameters. Either IP, Transparent Bridge, or IPX (optional) must be activated. In this chapter, IP Bridges are also described. Use the information provided below to set the parameters for the Ethernet interface.

The IP Network Protocol

Some parameters are explained in detail in later chapters. At this point, the preset values provided by the operating system can be accepted and the interface will work at a basic level.

Network Protocol Menu CONFIG =>INTERFACE =>ETHERNET =>NETWORK PROTOCOL =>IP

Parameter Description

Active or Inactive Activates this interface. Interface Unnumbered Unnumbered interfaces are used for point-to-point connections. Assign IP From Interface Primary IP Address Applies to Subnet Mask Applies to

Applies to

Unnumbered

interface to this one.

Numbered Numbered

interfaces. Applies the IP address of another router

interfaces. Address assigned to this interface. interfaces. Subnet mask of the network.

This table is continued.

Chapter 5 - Configuration of the Ethernet Interface 41

Page 42

Cyclades-PR1000

Network Protocol Menu (Continued)

Parameter Description

Secondary IP Address

Applies to

Numbered

interfaces. Indicates a second (or third, etc. up to eight) IP address that can be used to refer to this interface. This parameter and the next are repeated until no value is entered.

Subnet Mask Applies to

Numbered

interfaces. Subnet mask of

Secondary IP Address

IP MTU Assigns the size of the Maximum Transmission Unit for the interface. This determines

whether or not a given IP datagram is fragmented.

NAT Does not apply to Expanded NAT. Determines the type of IP address if NAT is being used.

Use

Global

otherwise. See chapter 11 or the examples in chapter 2 for details on how to

configure NAT.

ICMP Port

Active

causes the router to send ICMP Port Unreachable messages when it receives UDP or TCP messages for ports that are not recognized. This type of message is used by some traceroute applications, and if disabled, the router might not be identified in the traceroute

Inactive

Detailed

Incoming Rule List Detailed Incoming IP Accounting

Outgoing Rule List Name Detailed Outgoing IP

output. However, there are security and performance reasons to leave this option Filter rule list for incoming packets. See chapter 12 for instructions on how this parameter should be set. Applies when a list is selected in the previous parameter. See explanation of IP Accounting in chapter 10. IP Accounting for a rule requires that the parameter CONFIG =>RULES LIST=>IP=>CONFIGURE RULES=>ADD RULE=>ALLOW ACCOUNT PROCESS also be

Yes

. Filter rule list for outgoing packets. See chapter 12 for instructions on how this parameter should be set. Applies when a list is selected in the previous parameter. See explanation of

Incoming IP Accounting

. Accounting Routing of Broadcast Messages

Activating this parameter causes the router to route broadcast messages from the LAN to the WAN and vice-versa. An individual interface can be excluded by setting this parameter

Inactive

, without affecting the broadcast of messages on the other interfaces.

Proxy ARP Causes the router to answer ARP requests with its own MAC address for IP addresses

reachable on another interface.

Chapter 5 - Configuration of the Ethernet Interface 42

Page 43

Cyclades-PR1000

IP Bridge

An IP Bridge is used to divide a network without subnetting. Whenever a subnetwork is created, two IP numbers are lost — one describing the network and the other reserved for broadcast. This does not occur with an IP Bridge.

200.240.240.9

200.240.240.3

200.240.240.2

200.240.240.1

ETH0

PR1000

Link 1

PR3000

..................................

ETH0

200.240.240.8

200.240.240.4

FIGURE 5.1 IP BRIDGE EXAMPLE

Chapter 5 - Configuration of the Ethernet Interface 43

Page 44

Cyclades-PR1000

In Figure 5.1, an example of the use of an IP Bridge is given. From the available IP addresses, the range

200.240.240.4 to 200.240.240.8 is bridged to another physical location. The following parameters apply only for IP Bridge.

Network Protocol Menu (Continued) -- (IP Bridge)

Parameter Description

IP Bridge Activates the IP Bridge functionality. The following parameters apply only if IP Bridge is Initial IP Address to be Bridged

Indicates the start of the range of IP addresses to be transferred to another physical location. This and the next three parameters are repeated in case the bridge is to be

Active

broken up into various sections. Up to 8 sections can be defined. In the example, this

value is 200.240.240.4. Ending IP Address to be Bridged Broadcast Over the

Indicates the end of the range of IP addresses to be transferred to another physical

location. In the example, this value is 200.240.240.8.

Allows propagation of broadcast IP packets over this bridge. Link Bridge Over Link Indicates which link forms the other half of the bridge. In the example, link 1 is used.

Other Parameters

Transparent Bridge is covered in chapter 7 and IPX is covered in chapter 13. The parameters defined in the Routing Protocol and Traf fic Control Menus should be set after reading chapters 9 and 12, respectively. It is probably best to complete the basic configuration of all router interfaces, then return to the routing protocol and traffic control menus after general routing and traffic control strategies have been defined.

Chapter 5 - Configuration of the Ethernet Interface 44

Page 45

Cyclades-PR1000

CHAPTER 6 THE SWAN INTERFACE

This chapter describes how to configure a SWAN interface. The physical link should be set up as shown in chapter 2, according to the type of modem or device at the other end of the connection and the type of SWAN port.

STEP ONE The first step in the SWAN interface configuration is to define its physical characteristics. These parameters are presented in the Physical Menu Table.

Physical Menu CONFIG=>INTERF ACE=>SWAN=>PHYSICAL

Parameter Description

Mode Asynchronous or Synchronous. This parameter is determined by the mode of the

device at the other end of the connection. Clock Source Applies for

Synchr on ous Mo de

. Whether this interface provides clock for the device at the other end of the cable or vice-versa. When the interface is connected to a modem, the

Clock Source

Receive Clock Ap plies for

compare incoming messages with the clock it is generating ( it receives from the sender along with the message (

is always

External

Internal Clock Source

. When this interface provides clock, it can either

) or with the clock

Externa

l is

External

Internal

recommended.

Speed Applies fo r

Internal Clock Source

. Determines at which speed the data will be sent

across the line.

Media for SWAN Cable

Type of cable -- RS-232, V.35 or X.21. Usually the type is cable is detected by the router.

Chapter 6 - Configuration of the SWAN Interface 45

Page 46

Cyclades-PR1000

STEP TWO The second step is to choose a data-link protocol in the Encapsulation menu. There are many encapsulation options on this interface.

For synchronous communication:

• Frame Relay: the Frame Relay Protocol is based on frame switching and constructs a permanent virtual

circuit (PVC) between two or more points.

• X.25: The X.25 Protocol is generally used to connect to a public network. The router can act either as a DTE

or a DCE.

• HDLC: A proprietary alternative to PPP.

For synchronous or asynchronous communication:

• PPP: The PPP (Point-to-Point) protocol is used for leased, dial-up, and ISDN lines. Multilink PPP is also

provided. Information on how to determine the values of the parameters for each data-link protocol is provided in chapter 8. STEP THREE

The third step is to set the Network Protocol parameters. Information for this step is provided in chapter 7.

Chapter 6 - Configuration of the SWAN Interface 46

Page 47

Cyclades-PR1000

STEP FOUR If PPP Encapsulation is being used, a type of authentication should be chosen. This is done in the authentication menu.

Authentication Menu CONFIG=>INTERF ACE=>SWAN=>AUTHENTICA TION

Parameter Description

Authentication Type

Local Server Remote

uses the list of users defined in CONFIG=> SECURITY=>USERS=>ADD.

uses either Radi us or Tacacs to authenticate the user.

is when this interface is considered to be the user and the

other

end of the

connection performs the authentication

Username Applies when Authentication Type is Remote. The username the remote device

expects to receive.

Password Applies when Authentication Type is Remote. The password the remote device

expects to receive.

Authentication Server Applies when

Authenti c atio n Type

Server

. Indicates that eith er a Radius or Tac acs server is used for validation. The location and other parameters of the server must be configured in CONFIG=> SECURITY. See section 4.3 of the CyROS Reference Guide.

Authentication Protocol

Applies when

Authenti c atio n Type

be used for authentication.

Local

Server

. Either PAP or CHAP or both can

STEP FIVE The parameters defined in the Routing Protocol and Traffic Control Menus should be set after reading chapters 9 and 12, respectively. It is probably best to complete the basic configuration of all router interfaces, then return to the routing protocol and traffic control menus after general routing and traffic control strategies have been defined.

Chapter 6 - Configuration of the SWAN Interface 47

Page 48

Cyclades-PR1000

CHAPTER 7 NETWORK PROTOCOLS

The second step in most interface configurations is to choose which network protocol to use and assign values to the relevant parameters. At least one of IP, Transparent Bridge, or IPX (optional, and discussed in chapter 13) must be activated. Use the information provided below to set the parameters for each interface. The Ethernet network protocol menu includes IP bridging and is explained in chapter 5. The SWAN Network Protocol Menu is given in figure 7.1. Note that this menu varies slightly for each interface. Specific information on the options for each interface is provided in the CyROS Reference Guide in the chapter for the interface.

Config

Interface

SWAN

Network Protocol

Transparent Bridge

Active Interface Unnumbered/Numbered Assign IP from Interface Primary IP address Subnet Mask Secondary IP Address Subnet Mask IP MTU NAT ICMP Port Incoming Rule List Name Detailed Incoming IP Accounting Outgoing Rule List Name Detailed Outgoing IP Accounting Routing of Broadcast Messages

Status Port Priority Incoming Rule List Name Outgoing Rule List Name

FIGURE 7.1 NETWORK PROTOCOL MENU TREE FOR THE SWAN INTERFACE

Chapter 7 Network Protocols

Page 49

Cyclades-PR1000

The IP Protocol

If the preset values provided by the operating system are accepted, the interface will work at a basic level. The most common options are explained in the following table.

Network Protocol (IP) Menu CONFIG=>INTERFACE=><LINK>=>NETWORK PROTOCOL=>IP

Parameter Description

Active or Inactive Activates this interface. Interface Unnumbered Unnumbered interfaces can be used for point-to-point connections. Assign IP From Interface Applies to

Unnumbered

interfaces. Applies the IP address of another router

interface to this one. Primary IP Address Applies to Subnet Mask Applies to Secondary IP Address Applies to

Numbered Numbered Numbered

interfaces. Address assigned to this interface. interfaces. Subnet mask of the network.

interfaces. Indicates a second (or third, etc. up to eight) IP address that can be used to refer to this interface. This parameter and the next are repeated until no value is entered.

Subnet Mask Applies to Enable Dynamic Local IP Address

The terminal connected through PAD assigns an IP address to the router for purposes of their connection.

Numbered

interfaces. Subnet mask of

Secondary IP Address

Remote IP Address Type The computer connected through PAD or PPP sends its IP address in the

negotiation package.

Fixed Same Net

: The IP address sent must match the number set in the next parameter.

: The IP address sent must be an address in the network set in the next

parameter.

Any

: The IP address can be any number that does not conflict with any local IP

address.

None

Remote IP Address. If

: Any IP address is accepted. This is not recommended.

Remote IP Address Type

not

None

. Used in conjunction with the previous

parameter.

this table is continued

Chapter 7 Network Protocols

Page 50

Cyclades-PR1000

Network Protocol (IP) Menu (Continued)

Parameter Description

IP MTU Assigns the size of the Maximum Transmission Unit for the interface. This

determines whether or not a given IP datagram is fragmented.

IP Fragmentation - Ignore Bit DF

When this parameter is set to No, the DF (Do Not Fragment) bit in the IP header causes IP to reject a packet that is oversized: the router send s an ICMP message back to the sender. When this parameter is Yes, the DF bit is ignored, the packet is fragmented, and no message is sent back to the sender.

NAT Does not apply to Expanded NAT. Determines the type of IP address if NAT is

being used. Use

Global

otherwise. See chapter 11 or the examples in chapter 4

for details on how to configure NAT.

ICMP Port

Active

Inactive

Incoming Rule List Filter rule list for incoming packets. See chapter 12 for instructions on how this

parameter should be set.

Detailed Incoming IP Accounting

Applies when a list is selected in the previous parameter. See explanation of IP Accounting later in this chapter. IP Accounting for a rule requires that the parameter CONFIG =>RULES LIST=>IP=>CONFIGURE RULES=>ADD RULE =>ALLOW ACCOUNT PROCESS also be

Yes

Outgoing Rule List Name Filter rule list for outgoing packets. See chapter 12 for instructions on how this

parameter should be set.

Detailed Outgoing IP Accounting Routing of Broadcast Messages

Applies when a list is selected in the previous parameter. See explanation of

Detailed Incoming IP Accounting

. Activating this parameter causes the router to route broadcast messages from the LAN to the WAN and vice-versa. An individual interface can be excluded by setting this parameter to

Inactive

, without affecting the broadcast of messages on the other

interfaces.

Chapter 7 Network Protocols

Page 51

Cyclades-PR1000

The Transparent Bridge Protocol

The Transparent Bridge Protocol can be used in conjunction with either IP or IPX. A detailed explanation of its use appears in section 4.6 of the CyROS Reference Guide.

Transparent Bridge Menu CONFIG=>INTERFACE=>SWAN=>NETWORK PROTOCOL=>TRANSPARENT BRIDGE

Parameter Description

Status Activates the Transparent Bridge on this interface. Port Priority For the Spanning Tree Algorithm, a priority is given to each link in the router and to

each router in the network. See CONFIG=>TRANSPARENT BRIDGE =>SPANNING TREE in the CyROS Reference Guide for more information.

Incoming Rule List Name Transparent Bridge rule list name for incoming packets. Note: Rule lists for

Transparent Bridge and IP are created separately. See section 4.7 in the CyROS Reference Guide for instructions on how this rule list is created.

Outgoing Rule List Name Filter rule list name for outgoing packets. See section 4.7 in the CyROS Reference

Guide for instructions on how this rule list is created.

Chapter 7 Network Protocols

Page 52

Cyclades-PR1000

CHAPTER 8 DATA-LINK PROTOCOLS (ENCAPSULATION)

Each encapsulation option is presented in a separate section in this chapter . Not all data-link protocols are available for all interfaces.

PPP (The Point-to-Point Protocol)

PPP is the only encapsulation option than can be either synchronous or asynchronous. It is important to choose between them in CONFIG =>INTERFACE =><LINK> =>PHYSICAL before entering the Encapsulation menu. The menu options depend on this choice. (Note: not all interfaces support both the synchronous and asynchronous modes. In this case, there is no physical menu.)

The configuration of the PPP data-link protocol is confined to one menu, CONFIG =>INTERFACE =><LINK> =>ENCAPSULA TION =>PPP. Information about all the parameters appearing in this menu is provided in the table below. Not all parameters will appear for all interfaces.

PPP Menu CONFIG =>INTERFACE =><LINK> =>ENCAPSULA TION =>PPP

Parameter Description

MLPPP Enables Multilink PPP on this interface. MLPPP is described in the CyROS

Reference Guide for each interface that supports it. Connection Type Applies for Identification for This Bundle Applies for Total Number of lines for

Applies for

MLPPP MLPPP MLPPP

= = =

Yes

. Type of line used on this link.

Yes

and

Yes

. Maximum number of links allowed in the bundle.

Dial-out

Leased

. An integer value.

This Bundle PPP Inactivity Timeout Applies to asynchronous connections only. The connection is closed when

data does not pass through the line for this period of time. Enable Van Jacobson IP Header Compression

Allows the link to receive compressed packets. This type of compression is

useful for low-speed links and/or small packets. It is not recommended for fast

links, as it requires CPU time. Transmit Compressed Packets

Chapter 8 - Data-Link Protocols (Encapsulation)

Applies when

Enable Van Jacobson IP Header Compression

parameter causes the link to send compressed packets.

Yes

. This

Page 53

Cyclades-PR1000

PPP Menu (Continued)

Parameter Description

Disable LCP Echo Requests

LCP (Link Control Protocol) messages are normally exchanged to monitor the status of the link. Disabling these messages reduces traffic, but the link then has no way of

knowing if the other end is still connected. Time Interval to Send Config Requests

Config Request messages are used to negotiate the parameters at the start of a PPP

connection. For a slow line, this time should be increased to allow the reply to return

to the sender. If not, the sender will assume it was lost and send another. Edit ACCM Applies to asynchronous connections only. Permits control character mapping

negotiation on asynchronous links. This is useful when you need to send a control

character as data (e.g. XON/XOFF, Crtl A, etc.) over an asynchronous link and do not

want it interpreted by the modem or other device in the middle. The map is built up

with the following commands.

Clear

Toggle XON/XOFF

Toggle Char

– Resets the ACCM table toggle;

– Add XON/XOFF control characters to the ACCM table;

– Add other control characters to the ACCM tabl e, using their ASCII value. Typing the option once (for example, X), includes it in the table. Typing it again excludes it from the table. More details are given in the CyROS Reference Guide.

Enable Predictor Compression

Enables data compression using the Predictor algorithm. This feature should be enabled only if Cyclades' equipment is being used on both ends of the connection because there is no established standard for data compression interoperability. Data compression is very CPU-intensive, making this feature effective only for links running at speeds under 1Mbps. At higher speeds, the time necessary to compress data offsets the gains in throughput achieved by data compression.

Number of Bits for Compression Connection Type Applies to asynchronous connections only.

Applies when

Predictor Compression Enabled

. Sixteen is fastest, but 10 must be

used if the router on the other end is a PathRouter, for compatibility.

NT-Serial Cable

is a direct connection to a Windows NT computer. This is necessary because NT requires a negotiation before the beginning of the PPP negotiation.

Direct

is used for other connections

using cables or leased lines.

Chapter 8 - Data-Link Protocols (Encapsulation)

Page 54

Cyclades-PR1000

HDLC

This data-link protocol is a proprietary alternative to PPP. It has only one parameter , the

HDLC Keepalive Interval

This is the time interval between transmission of Keepalive messages. The receiver of these messages must send keepalive messages with the same frequency or will be considered inoperative.

Frame Relay

FR supports multiple connections over a single link. Each data link connection (DLC) has a unique DLCI (data link connection identifier). This allows multiple logical connections to be multiplexed over a single channel. These are called Permanent Virtual Circuits (PVCs). The DLCI has only local significance and each end of the logical connection assigns its own DLCI from the available local numbers.

Traffic Control based on Data Link Connection

Traf fic Control as described in chapter 12 can also be performed on a Frame Relay interface for each permanent virtual connection. The parameters in the

Add DLCI

menu are used in the same manner as those described in

chapter 12. More details are available in the CyROS Reference Guide.

STEP ONE The first step is to set the general Frame Relay parameters, those applying to all DLCs. This is done in the Frame Relay Menu. The parameters are shown in the table below . Most of these depend on the standards used by the Frame Relay Network Provider . The Local Management Interface (LMI) Protocol provides services not available in simple Frame Relay . It is used for controlling the connection between the user and the network. It monitors this link, maintains the list of DLCs, and sends status messages about the PVCs. A separate virtual circuit is created to pass this information (DLCI 0). Frame Relay Menu CONFIG=>INTERFACE=><LINK>=>ENCAPSULA TION =>FRAME RELA Y

Chapter 8 - Data-Link Protocols (Encapsulation)

Page 55

Cyclades-PR1000

Parameter Description

Encapsulation Type

RFC1490 - IETF

is the standard used by most equipment. The

Cisco

option should be used

when the PR is communicating with a router configured to use the default Cisco standard.

SNAP IP Indicates that the Sub-Network Access Protocol should be used. The router on the sending

end must be using the same header type (NLPID or SNAP) as the router on the receiving end. See the CyROS Reference Guide for more information.

LMI Selects the Local Management Interface specification to be used.

(defined by the vendors that first implemented Frame Relay),

None

(used for a dedicated FR connection without a network).

ANSI, Group of Four

Q933a

(defined by ITU-T), and

T391 Interval between the LMI Status Enquiry messages. N391 Full Status Polling Counter. Full Status Enquiry messages are sent every N391-th LMI Status

Enquiry message.

N392 Error Threshold. The network counts how many events occur within a given period and

considers an interface inactive when the number of events exceeds a threshold. number of events to be considered and N392 the number of errors within this period. If of the last

N393

events are errors, the interface is deemed inactive. A successful event is the

N393

is the

N392

receipt of a valid Status Enquiry message N393 Monitored Events Count. See the description of Bandwidth

Enables traffic control per DLCI. Traffic control options appear in the Add DLCI Menu.

N392

. This value must be larger than N392.

Reservation Voice Over

Enables the Voice over Frame Relay application. This Link

Chapter 8 - Data-Link Protocols (Encapsulation)

Page 56

Cyclades-PR1000

STEP TWO After configuring the general parameters, each DLC must be defined. An example will be used to demonstrate the procedure. A public Frame Relay network connecting offices in São Paulo, Rio de Janeiro, Salvador , and Recife is shown in Figure 11.1. Each router will have a routing table pairing destination network with router interface and gateway . A Frame Relay Address Map is also created (either statically or dynamically) to associate each DLCI with the destination router IP. For the router in Salvador , the Frame Relay address map will look like this:

DLCI IP

11 200.1.1.1 21 200.1.1.4 81 200.1.1.3

Chapter 8 - Data-Link Protocols (Encapsulation)

Page 57

Cyclades-PR1000

Data link connections are defined in the

Add DLCI

menu, which appears at the end of the Frame Relay parameter list. It can be reached by passing through all parameters or by using the <ESC> key at any point in the parameter list.

São Paulo Network: 192.168.200.0

Router

200.1.1.1

Rio de Janeiro Network: 192.168.201.0

Router

200.1.1.4

200.1.1.2

200.1.1.3

Router

Salvador Network: 192.168.203.0

FIGURE 8.1 PERMANENT VIRTUAL CIRCUITS BETWEEN OFFICES

Chapter 8 - Data-Link Protocols (Encapsulation)

Router

Recife Network: 192.168.202.0

Page 58

Cyclades-PR1000

Add DLCI Menu CONFIG=>INTERFACE =><LINK> =>ENCAPS =>FRAME RELAY =>

<ESC>

=>ADD

DLCI

Parameter Description

DLCI Number Used to identify the DLC. This number is supplied by the Public Frame Relay network

command.

maps the IP

Frame Relay Address Map

provider. The DLCIs are stored in a table which can be seen with the Determines the method used for mapping the remote IP address to the Permanent Virtual Circuit.

Static

maps one IP address to this DLCI.

Inverse ARP

address dynamically, in a manner similar to the ARP table.

IP Address Applies when

Frame Relay Address Map

Static

. Provides the IP address to be used

for static address mapping.

CIR Committed Information Rate, in percentage of total bandwidth (bandwidth defined in

CONFIG=>INTERFACE=>SWAN =>TRAFFIC CONTROL =>GENERAL

=>BANDWIDTH). Traffic above this rate may be discarded if the network is congested. Enable Predictor Compression

Enables data compression using the Predictor algorithm. This feature should be enabled

only if Cyclades' equipment is being used on both ends of the connection because there

is no established standard for data compression interoperability. Data compression is

very CPU-intensive, making this feature effective only for links running at speeds under

1Mbps. At higher speeds, the time necessary to compress data offsets the gains in

throughput achieved by data compression. Number of Bits for Compression

Applies when

Predictor Compression Enabled.

Sixteen is fastest, but 10 must be used if

the router on the other end is a PathRouter, for compatibility. DLCI Priority Level This is the equivalent of CONFIG=>RULES LIST=>IP =>CONFIGURE RULES=>ADD

RULE=>FLOW PRIORITY LEVEL. See the section on traffic control in chapter 12. Reserved Bandwidth

This is the equivalent of CONFIG=>RULES LIST=>IP =>CONFIGURE RULES=>ADD

RULE=>RESERVED BANDWIDTH. Defines what percentage of the CIR for an interface

will be set aside for this DLC. See the section on traffic control in chapter 12. Bandwidth Priority Level

This is the equivalent of CONFIG=>RULES LIST=>IP =>CONFIGURE RULES=>ADD

RULE=>BANDWIDTH PRIORITY LEVEL. See the section on traffic control in chapter

12.

Chapter 8 - Data-Link Protocols (Encapsulation)

Page 59

Cyclades-PR1000

To edit the DLCI table, use the list command (CONFIG=>INTERFACE=><LINK>=>ENCAPSULATION =>FRAME RELAY=>L) to discover the number CyROS has assigned to each table entry. It will not be the same as the DLCI.

Router

DTE

Modem

X.25

Switch / DCE

Modem

DTE

Router

FIGURE 8.2 PUBLIC X.25 NETWORK EXAMPLE

Chapter 8 - Data-Link Protocols (Encapsulation)

Page 60

Cyclades-PR1000

X.25

A Cyclades Router can act either as a DTE (Data-terminal Equipment) connected to a public X.25 network or as a DTE or DCE (Data circuit-terminating Equipment) as part of a private X.25 network. The first case is discussed in this chapter. The second case is described in the CyROS Reference Guide. Both Permanent V irtual Circuits (PVCs) and Switched Virtual Circuits (SVCs) can be defined. A PVC requires that two DTEs be permanently connected.

STEP ONE First, the general X.25 protocol parameters are set in the X.25 Menu. A detailed description of the X.25 parameters and their values for the example is provided in the table below .

X.25 Menu CONFIG=>INTERF ACE=><LINK>=>ENCAPSULATION =>X.25

Parameter Description

X.121 (Local DTE) Address Address assigned to this interface (provided by the public X.25 Network

Provider). Can be up to 15 digits. Switch Mode Active Causes the Router to act as a switch. Incoming Calls Received

Applies when Switch Mode is

Active

. Over the Other X.25 Links With Unknown Destination DTE Can be Forwarded Through This Link Suppress Calling Address

Public X.25 Network:

This parameter must be chosen according to the guidelines given by the Public X.25 Network provider. When activated, the sender's Local DTE address is not included in the Call Request Message.

Inactivity Timeout Time until connection is automatically terminated by the router if there is no

traffic.

Configure as DTE or DCE As mentioned above, the router can act either as the recipient of information

DTE

(

), or as the passer-on of information (

DCE

Public X.25 Network:

Both

routers are DTEs.

Chapter 8 - Data-Link Protocols (Encapsulation)

Page 61

Cyclades-PR1000

X.25 Menu (Continued)

Parameter Description

Number of Virtual Circuits Indicates the maximum number of virtual circuits (total of PVCs and SVCs)

allowed on this interface. The maximum is 128.

Number of Permanent Virtual Circuits

Indicates the number of permanent virtual circuits that will be connected throu gh this interface. This maximum is also 128.

Layer 3 Window Size The layer 3 (packet) level window represents the number of sequentially

numbered packets that can be sent before an acknowledgement must be received. This number may be negotiated if the Window Size Facility is utilized (see last parameter in this table).

Layer 2 Window Size The layer 2 (frame) level window represents the number of sequentially

numbered frames that can be sent before an acknowledgement must be received. The frame numbers are independent of the packet numbers.

Packet Size The packet size to be sent across the interface. This number may be

negotiated if the Packet Size Facility is utilized (see last parameter in this table).

Number of Retries N2 Number of times an information frame can be resent, without response, before

the link is considered down.

TL Time the frame level waits for an acknowledgement for a given frame before re-

sending it.

T2 Time that can elapse, after receiving a frame, until the router must send an

acknowledgement.

T21 Call Request response Timer. After this time has elapsed, the DTE sends a

Clear message.

T23 Clear Request response Timer. After this time has elapsed, the DTE

retransmits the Clear message.

Negotiable Facilities Initiates facility negotiation during virtual circuit creation. Send Facility Determines which facilities are negotiated during virtual circuit creation:

size

is part of the flow control parameters negotiation,

throughput class negotiation, and

N3 Window

(Level 3 Window Size, above) is

Throughput

is part of the

Packet

part of the flow control parameters negotiation.

Chapter 8 - Data-Link Protocols (Encapsulation)

Page 62

Cyclades-PR1000

STEP TWO The next step is to create a static routing table associating each remote X.121 address with an IP address or a TCP Socket location. This is done in the Add DTE menu, which appears at the end of the X.25 parameter list. It can be reached by passing through all X.25 parameters or by using the <ESC> key at any point in the parameter list.

X.25 Add DTE Menu CONFIG=>INTERF ACE=><LINK>=>ENCAPSULATION =>X.25=>

<ESC>

=>Add DTE

Parameter Description

Type of Logical Address IP Address or TCP Socket. Users that intend to use the TCP Socket option should

see the CyROS Reference Guide.

IP Address Applies for

IP Address Type

. IP Address of remote DTE device. X.121(DTE) Address Address of remote DTE device. VC Number Number assigned to this circuit, if it is a PVC. For SVCs, the value should be zero. Enable Predictor Compression

Applies for

IP Address Type

. Enables data compression using the Predictor

algorithm. This feature should be enabled only if Cyclades' equipment is being used on both ends of the connection because there is no established standard for data compression interoperability. Data compression is very CPU-intensive, making this feature effective only for links running at speeds under 1Mbps. At higher speeds, the time necessary to compress data offsets the gains in throughput

achieved by data compression. Number of Bits for Compression

Applies when

Predictor Compression Enabled

. Sixteen is fastest, but 10 must be

used if the router on the other end is a Cyclades PathRouter, for compatibility.

X.25 with PAD (Packet Assembler/Disassembler)

P AD acts as a protocol converter , allowing a user to access the packet-switched network via a serial terminal. This asynchronous connection is then converted into synchronous communication with the router and the network beyond (using the telnet application available in the router). Please see the CyROS Reference Guide for information about this Encapsulation option.

Chapter 8 - Data-Link Protocols (Encapsulation)

Page 63

Cyclades-PR1000

CHAPTER 9 ROUTING PROTOCOLS Routing Strategies

Routing can be done either statically or dynamically.

Static Routing

Static routing is recommended when the network contains a small number of routers and other equipment. When a system is simple and without redundant links, static routing is the simplest option. Even with some redundant links, a multilink circuit can be created for semi-dynamic routing behavior. Multilink circuits are described in section 4.4 of the CyROS Reference Guide.

Dynamic Routing

Dynamic routing is recommended when the network contains a large number or routers with redundant links between them. RIP and OSPF are currently available in the Power Router line. RIP is simpler to configure and is appropriate for systems that are stable (links do not go down often). OSPF is more complicated to configure, requires much more CPU, and is not necessarily available in all equipment in a network. A mixture of RIP, OSPF, and static routes is often used.

Static Routes

Routers used in very small or simple networks may use static routes as the primary routing method. When RIP or OSPF are used, some static routes may still be needed. Configuration of static routes will be explained using two examples.

Chapter 9 - Routing Protocols 63

Page 64

Cyclades-PR1000

Network 2

142.10.0.2

142.10.0.3

142.10.0.4

142.10.0.0 Mask: 255.255.0.0

Router 2

192.168.100.0 Mask: 255.255.255.0

192.168.100.1

142.10.0.1

10.0.0.0

Mask: 255.0.0.0

In the first example, three networks are connected by 2 routers. The routing table for router 1 will automatically include servers A,B,C, and D, as they are direct links. A static route must be created for access to Network 3. This type of route, a be sent to Router 2. Details are given in the parameter table that follows.

Gateway

Router 1

192.168.100.3

10.0.0.3

192.168.100.2

route, tells the router that any message not intended for hosts A, B, C or D should

10.0.0.1

FIGURE 9.1 STATIC ROUTING EXAMPLE 1

10.0.0.2

Network 1

Network 3

Chapter 9 - Routing Protocols 64

Page 65

Cyclades-PR1000

Router 2

Router 1

ETH0

Unnumbered Interfaces

Point-to-Point Connection

Slot 1

10.0.0.3

Slot 3

FIGURE 9.2 STATIC ROUTING EXAMPLE 2

Network 1

ETH0

192.168.100.1

Network 3

Figure 9.2 shows another static routing example to explain the routers is a point-to-point connection. Another network could be created, but is not necessary. Both routers can be assigned unnumbered interfaces, because everything that leaves one router is sent to the other.

To define static routes, enter the menu CONFIG =>STATIC ROUTES =>IP =>ADD ROUTE. A description of the parameters in this menu, with the configuration for Router 1 in the examples above, is given in the table that follows.

Chapter 9 - Routing Protocols 65

Gateway

Interface

parameter . Between the two

Page 66

Cyclades-PR1000

Add Static Route Menu CONFIG =>ST A TIC ROUTES =>IP =>ADD ROUTE

Parameter Description

Destination IP Address

Address that route will lead to. To configure a default route, type "default" for this parameter, otherwise enter 0.0.0.0 in both this and the next parameter.

Both Examples

-- for the static route between Router 1 and Network 3, the IP

address is 192.168.100.0. Subnet Mask Gateway or Interf ac e

Both Examples

Example 1

Example 2

-- the route is to a gateway.

-- the route is to an interface since unnumbered interfaces are being

-- To access all hosts in Network 3, its mask, 255.255.255.0, is used.

used. Gateway IP Address Appl ies onl y wh en pr evi o us par am ete r is

the router. In

Examp le 1

, it is 142.10.0.4.

Interface Applies only wh en pr evious parameter is

N) that will be unnumbered. In

Example 2

Gateway Interface

, it is Slot 1.

. It must be an address visible to

. Select the port (E th ern et or slot Metric Relative cost of this link. Generally measured in number of routers between two IP Is This a Backup

Route? OSPF Advertises This Static Route

addresses. Indicates that this route is used as a backup in a multilink circuit. See section 4.4 for more information about multilink circuits. Static routes defined in the router can be advertised by OSPF. Both this parameter and the parameter CONFIG=>IP=>OSPF=>GLOBAL=>ADVERTISE STATIC

Both Examples

ROUTES must be set to

External Metric Applies when

OSPF Advertises This Static Route

-- 1.

for the route to be advertised.

Yes

is set to

. Defines the metric

Yes

that will be advertised by OSPF.

External Metric-Type A pplies when

OSPF Advertises This Static Route

is set to Yes. For

Type 1

, the total metric of this route is composed of the internal metric (inside the autonomous system) and the external metric (provided in the previous parameter). For

Type 2

, the total

metric of this route is the value provided in the previous parameter.

Chapter 9 - Routing Protocols 66

Page 67

Cyclades-PR1000

RIP Configuration

CyROS supports three basic types of RIP:

1 RIP1 [RFC 1058] 2 RIP2 with broadcast (compatible with RIP1) [RFC 1723] 3 RIP2 with multicast [RFC 1723]

The primary difference between RIP1 and RIP2 is that only RIP2 advertises subnet masks and next hops. If the network contains equipment that understands only RIP1 packets, then RIP1 or RIP2 with broadcast should be used. See RFC 1723, item 3.3 for more details. If only RIP2 is used, RIP2 with multicast is recommended.

Unlike static routes RIP is configured on each interface rather than in a global menu. The menu is the same for all interfaces and its parameters are presented in the table below.

RIP Menu CONFIG =>INTERFACE =>

<LINK>

=>ROUTING PROTOCOL =>RIP

Parameter Description

Send RIP Causes the router to transmit RIP messages. Listen RIP Causes the router to accept RIP messages. RIP2 Authentication Applies if

RIP2

was chosen in the first two options. Activates RIP message

authenticati on wi th a pass wor d. RIP2 Authentication Password

Chapter 9 - Routing Protocols 67

Applies if

RIP2 Authentication

transmitted RIP messages.

Active

. Password used for both received and

Page 68

Cyclades-PR1000

OSPF

The OSPF (Open Shortest Path First) routing protocol is significantly more complicated than RIP . The determination of which protocol is better suited to a given network is beyond the scope of this manual. An example network using OSPF is given in Figure 9.3.

AREA 1

Router 0

Router 1

Link 1

AN AUTONOMOUS SYSTEM

Area Border Routers: R3, R6, R8

AS Boundary Router: R5

Router 2

Router 3

Router 4

AREA 0

(Backbone)

Router 5

Router 6

Router 7

To Another Autonomous System

AREA 2

Virtual Link

AREA 3

Router 8

Router 9

FIGURE 9.3 OSPF EXAMPLE

Chapter 9 - Routing Protocols 68

Page 69

Cyclades-PR1000

First, some definitions:

• An Autonomous System (AS) is a portion of the network that will use a single routing strategy. It is made up of a backbone area and optionally of non-backbone areas.

• OSPF Areas are sub-systems that have identical routing databases. An area generally has no knowledge of the routing databases of other areas.

• The Backbone connects areas and contains any routers not contained in another area.

• An Area Border Router connects areas and contains a separate database for each area it is contained in.

• An Autonomous System Boundary Router (ASBR) connects Autonomous Systems. The other Autonomous System does not necessarily need to use OSPF.

STEP ONE If using OSPF for the first time, sketch the network and determine which routers will make up the backbone and each area. Determine if each router is an area border router or an autonomous system boundary router.

Chapter 9 - Routing Protocols 69

Page 70

Cyclades-PR1000

OSPF Configuration on the Interface

STEP TWO Contrary to most other protocols in CyROS, OSPF must first be configured on each interface, then configured in the CONFIG =>IP =>OSPF menu. Enter into each interface and set the parameters listed in the table.

OSPF Menu CONFIG =>INTERFACE =>

<LINK>

=>ROUTING PROTOCOL =>OSPF

Parameter Description

OSPF on This Interface

Activates OSPF.

Enable Inactive

is used to temporarily disable the OSPF protocol without erasing the parameters set below. This is useful when OSPF is first configured, as the general parameters must be set afterwards in CONFIG=>IP =>OSPF and OSPF cannot functio n wit hou t them .

Parameters that apply only when Advertise This NonOSPF Interface

Causes the router to include this interface in its advertisements through other interfaces (as an external route).

OSPF on This Interface

Disabled

External Metric Defines the metric that will be advertised by OSPF. External Metric Type For

Type 1

, the total metric of this route is composed of the internal metric (inside the

autonomous system) and the external metric (provided in the previous parameter). For

Type 2

Parameters that apply only when

, the total metric of this route is the value provided in the previous parameter.

OSPF on This Interface

Enable

Enable Inactive

Area ID Identifies the area to which the interface belongs. Areas are created here, then later

defined in CONFIG=>IP=>OSPF =>AREA. Has the format of an IP address, but is not linked to any IP address in the system. Small OSPF networks will typically have only one area (the backbone area repre sen te d by 0. 0.0. 0) .

Router Priority Priority used by OSPF in multicast networks to elect the designated router. A priority of

1 will make this router the most likely to be chosen. A priority of 2 will make it second most likely. Set it to 0 (zero) if this router should never be the designated router.

Transit Delay in Seconds

Estimated transit time in seconds to route a packet through this interface. Use the preset value (1) or increase the number for slow links

Chapter 9 - Routing Protocols 70

Page 71

Cyclades-PR1000

OSPF Menu (Continued)

Parameter Description

Retransmit Inte rval in Seconds* Hello Interval in

Time in seconds between link-state advertisement retransmissions for adjacencies belonging to this interface. Time in seconds between the hello packets on this interface.

Seconds* Dead Interval in

Inactivity time (seconds) before a neighbor router is considered down.

Seconds* Poll Interval in Seconds

Time in seconds between the hello packets sent to an inactive, non-broadcast, multiaccess neighbor.

Password* String of up to 8 characters used to authenticate OSPF packages. The use of this

password is enabled in CONFIG =>IP=>OSPF=>AREA=>AUTHENTICATION TYPE

Metric Defines the cost for normal service. For consistent routing, this parameter should be

determined in the same manner for all routers in the OSPF Area. Normally, metric cost is defined as an inverse function of interface throughput (e.g. 1 for 100Mbps, 10 for 10Mbps, 65 for T1, 1785 for 56kbps, etc).

Advertise Secondary IP Address

Causes the router to advertise additional addresses assigned to this interface. These are configured in CONFIG => INTERFACE =><LINK> =>NETWORK PROTOCOL =>IP.

* Inside a given area, these 4 parameters should be the same for all routers.

Chapter 9 - Routing Protocols 71

Page 72

Cyclades-PR1000

OSPF Global Configurations

STEP THREE After completing the OSPF interface configuration for all interfaces (even those that will not use OSPF), navigate to the OSPF Menu, CONFIG=>IP=>OSPF. Enter into the OSPF Global Commands menu and set the parameters as indicated in the table below.

OSPF Global Commands Menu CONFIG =>IP =>OSPF =>GLOBAL

Parameter Description

OSPF Protocol Enables OSPF on all interfaces. Router ID Assigns a unique ID to the router for use by the OSPF protocol. It must be one of the

router's IP add re ss es.

AS Boundary Router An Autonomous System Boundary Router (ASBR) can convert external routes into

OSPF routes. Which external routes is determined through the following parameters.

In the figure, only Router 5 is an ASBR. The following parameters apply only to Originate Default

Router will advertise itself as the Default Gateway (DG).

Autonomous System Boundary Routers

Gateway Advertisement Default Gateway External Metric Default Gateway External Metric-Type

Applies when

Originate Default Gateway Advertisement

is set to

. Defines the

Yes

metric that will be advertised by OSPF.

Applies when

Originate Default Gateway Advertisement

is set to Yes. For

Type 1

total metric of this route is composed of the internal metric (inside the autonomous

system) and the external metric (provided in the previous parameter). For

Type 2

, the , the

total metric of this route is the value provided in the previous parameter. Advertise RIP Routes Routes learned through the RIP protocol will be converted to OSPF as external routes. RIP External Metric Applies when

Adverti se RIP rout e s

is set to

. Defines the metric that will be

Yes

advertised b y OSP F. this table continued

Chapter 9 - Routing Protocols 72

Page 73

Cyclades-PR1000

OSPF Global Commands (Continued)

Parameter Description

Transit Area ID ID of the OSPF Area sandwiched between this router and the backbone. In the figure,

area 2 is the area used to link Router 8 with the Backbone. This ID has the form of an

IP address. Neighbor's ID Router ID of router at end of virtual link. In the example, this will be Router 6. Virtual Link Status Activates the virtual link. Parameters available only when Transit Delay in Seconds Retransmit Interval in Seconds* Hello Interval in

Estimated transit time in seconds to route a packet from Router 8 to Router 6. Use the

preset value (1) or increase the number for slow links.

Time in seconds between link-state advertisement retransmissions for adjacencies

belonging to this interface.

Time in seconds between the hello packets on this interface.

Virtual Li nk Stat us

Active

Seconds* Dead interval in

Inactivity time (seconds) before a neighbor router is considered down. Seconds* Password* String of up to 8 characters used to authenticate OSPF packages. The use of this

password is enabled in CONFIG

=>IP=>OSPF=>AREA=>AUTHENTICATION TYPE.

* Inside a given area, these 4 parameters should be the same for all routers. In the example virtual link, they should be the same as those used for the backbone.

Chapter 9 - Routing Protocols 73

Page 74

Cyclades-PR1000

STEP FOUR The next step is to define the areas created in step two. This is done in the OSPF Area Menu.

Area Menu CONFIG =>IP =>OSPF =>AREA

Parameter Description

Area ID Has the format of an IP address, but is not linked to any IP address in the system. Use

the CONFIG=>IP=>OSPF=>L option to see which areas have been defined, and use

the area ID here. Authentication Type Simple password authentication can be used in OSPF. The authentication type should

be the same for all routers in an OSPF Area. If used, the password for each interface

is set in CONFIG=>INTERFACE=>

=>ROUTING PROTOCOL =>OSPF

=>PASSWORD. Area Range N Status An Area Border Router (ABR) advertises link states for all networks within the area.

The number of such advertisements can potentially be reduced by condensing

different IP net works into a single range. Area Range N Net Address Area Range N Mask Applies when

Applies when

Area Range N Status

Active

Sets the network IP address for the range.

Area Range N Status

Active

. .

Sets the network IP mask for the range.

Chapter 9 - Routing Protocols 74

Page 75

Cyclades-PR1000

STEP FIVE The CONFIG =>IP =>OSPF =>NEIGHBORS menu is required if the router uses OSPF over non-broadcast multiaccess interfaces such as X.25 and Frame Relay . If this is the case, set the parameters described in the following table.

Neighbors Menu CONFIG=>IP =>OSPF =>NEIGHBORS

Parameter Description

Interface Link for which neighbors will be defined. In the OSPF example, consider link 1 of

Router 3. Neighbor's IP The router ID of the neighboring router. For Router 3, link 1, use the router ID of router

Neighbor's Status

Enable

Enable Inactive

includes link in OSPF database.

leaves link in OSPF database, but router at end of link (Router 1 in this

case) no longer passes OSPF information.

Disable

deactivates neighbor link and erases

Neighbor’s IP

Neighbor's Priority Priority used by OSPF in multicast networks to elect the designated router. A priority of

1 will make this router the most likely to be chosen. A priority of 2 will make it second

most likely. Set it to 0 (zero) if this router should never be the designated router. An

example can be seen in Area 1 in the figure -- Router 1 should never be the

Designated Router because it does not have a direct link to Router 2. Either Router 0

or Router 3 should be chosen.

Chapter 9 - Routing Protocols 75

Page 76

Cyclades-PR1000

STEP SIX It is not always possible to connect all areas directly to the backbone. When an area is connected to the backbone only through another area, two virtual links must be created. One from the backbone to the unattached area and one from the unattached area to the backbone. If this occurs in the network containing the router , enter the Virtual Links Menu to configure this link. In the table listing the parameters, the link between Area 3 (router 8) and the backbone is used as an example.

Virtual Links Menu CONFIG =>IP =>OSPF =>VIRTUAL LINKS

Parameter Description

Transit Area ID ID of the OSPF Area sandwiched between this router and the backbone. In the figure,

area 2 is the area used to link Router 8 with the Backbone. This ID has the form of an

Estimated transit time in seconds to route a packet from Router 8 to Router 6. Use the

preset value (1) or increase the number for slow links.

Time in seconds between link-state advertisement retransmissions for adjacencies

belonging to this interface.

Time in seconds between the hello packets on this interface.

Virtual Li nk Stat us

Active

Seconds* Dead interval in

Inactivity time (seconds) before a neighbor router is considered down. Seconds* Password* String of up to 8 characters used to authenticate OSPF packages. The use of this

password is enabled in CONFIG

=>IP=>OSPF=>AREA=>AUTHENTICATION TYPE.

* Inside a given area, these 4 parameters should be the same for all routers. In the example virtual link, they should be the same as those used for the backbone.

Chapter 9 - Routing Protocols 76

Page 77

Cyclades-PR1000

CHAPTER 10 CYROS, THE OPERATING SYSTEM

This chapter explains various operating system features that are not covered in other chapters:

• creation of the host table

• creation of user accounts and passwords

• IP Accounting

Creation of the host table

CyROS allows identification of hosts by name. In the menu CONFIG =>SYSTEM=>HOSTS, each host is assigned a number (1 to 32), and a host name (a maximum of 8 characters). The IP address to be associated with this host name and the port to be used for telnet is then requested. This host name can be used in aplications like ping and telnet, and in some other configuration menus.

Another way to identify hosts by name is to configure access to a DNS Server . This is done in the menu CONFIG =>IP =>DNS CLIENT. The domain name where the router is located and two DNS Server IP addresses are the only parameters.

Creation of user accounts and passwords

Four users are preset:

1 super with the password surt, 2 usr with no password, 3 auto with no password, and 4 pppauto with no password

Chapter 10 - CyROS, the Operating System 77

Page 78

Cyclades-PR1000

Other users can be created and the user “usr” can be assigned a password. The password of the super user should be changed as soon as possible. The menu CONFIG=>SECURITY=>USERS allows addition, deletion, and modification of the list of users. The parameters are:

• User Name,

• Password,

• User Type: Super, Usr, Auto, or PPPAuto,

• User Status: Disabled or Enabled,

• Hosts 1 through 4 (the host names entered here must already exist in the host table).

• Automatic login name for hosts 1 through 4 (only for user of type

auto

)

Then the main menu items for this user are determined:

• Telnet,

• Ping,

• Traceroute,

• PPP,

• SLIP.

Lastly, any restrictions as to how the user may log in are defined:

• Console,

• Terminal,

• PPP Terminal,

• Telnet,

• PAD Terminal.

Chapter 10 - CyROS, the Operating System

Page 79

Cyclades-PR1000

The

super

in the user’s profile. The is connected via telnet directly to the host specified as host 1 in the user profile. If an

user has access to all menus. The

pppauto

user is connected directly to the user via PPP. No menu appears. The

usr

user is shown a menu, upon sucessful login, with the items chosen

auto

automatic login name

is indicated

user

when the auto user is configured, the user is logged in to the remote host directly (though a password may be necessary , depending on the remote host configuration).

IP Accounting

IP Accounting is used to count the total number of packets allowed (or not) to pass through an interface. Statistics are given for packets that meet the criterions defined in a rule. (Traffic Rules are not supported). To see all packets, a special rule list permitting everything can be defined. Rules are described in chapter 12.

Two versions of the IP account table are available for viewing. The result of INFO =>SHOW ACCOUNT TABLE =>SUMMARY is shown below for four filter rules.

IP Accounting Table

Interface Direction Filter List Rule Bytes Packets Ethernet Outgoing generic 0 24876 3072 Ethernet Incoming generic 0 49254 3358 slot 3 Outgoing swan3out 17 21362 3223 slot 3 Incoming swan3in 15 32563 3131

Detailed information can be accessed via SNMP. To use IP Accounting, two parameters must be set. When a rule is created, the parameter CONFIG =>RULES

LIST =>IP =>CONFIGURE RULES =>ADD RULE =>ALLOW ACCOUNT PROCESS must be

Yes

. Additionally, when applying a rule to an interface, the parameter CONFIG =>INTERFACE =>ETHERNET =>NETWORK PROTOCOL =>IP =>DETAILED INCOMING /OUTGOING IP ACCOUNTING must also be Enabled.

Chapter 10 - CyROS, the Operating System 79

Page 80

Cyclades-PR1000

CHAPTER 11 NAT (NETWORK ADDRESS TRANSLATION)

NAT exists to convert local IP addresses into Internet “global” IP addresses. Internet IP addresses are assigned by Internet providers. Due to the explosion of the internet, these numbers are scarce. Certain ranges of IP addresses are reserved for internal use only — they may not have a direct connection to the Internet (for reference, they are 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.16.255.255, and 192.168.0.0 - 192.168.255.255). These are used as local IP addresses. Figure 11.1 shows an example of the utility of NAT:

200.240.230.2

PR1000 With

Expanded NAT

Global Address Range

- Network: 200.240.230.224

- Mask: 255.255.255.240

Host

200.200.200.11

200.200.200.10

Router Ethernet Port Primary IP Address: 192.168.0.1 Secondary IP Address: 200.200.200.1

ftp Server

192.168.0.30

192.168.0.5

Networks

192.168.0.0 &

200.200.200.0

WWW

Server

192.168.0.31

FIGURE 11.1 NAT EXAMPLE

In this example, the company has:

• 14 global IP addresses available for NAT, 200.240.230.225 to 200.240.230.238,

• Two networks connected to the router via the Ethernet Interface, one of which will be translated,

Chapter 11 - NAT

Page 81

Cyclades-PR1000

• Two servers that are accessed via the same global IP address, assigned statically.

There are two types of NAT available in CyROS -- Normal NAT and Expanded NAT. This chapter describes Expanded NAT. A description of Normal NAT appears in Chapter 4 of the CyROS Reference Guide.

What is the difference between Expanded and Normal Mode NAT? The Normal Mode is a previous implementation of NAT used in the Power Router line. It has been maintained for backward compatibility. Expanded NAT provides static translation not only from one IP address to another, but from one IP address/port pair to another IP address/port pair.

As a preview, after configuring the router as shown in the example, CONFIG =>SECURITY =>NAT =>L will display:

NAT Enabled NAT mode Expanded Port map translation Enabled UDP Timeout (min) 5 DNS Timeout (min) 1 TCP Timeout (min) 1440 TCP flags Timeout (min) 1

NAT Global Addresses

# address range 1 200.240.230.225 to 200.240.230.238

NAT Local Addresses

# address range 1 192.168.0.0 255.255.255.0 translated

Chapter 11 - NAT

Page 82

Cyclades-PR1000

NAT Static Translation Table

# Global address / port local address / Port Protocol 1 200.240.230.225 / 20 192.168.0.30 / 20 TPC 2 200.240.230.225 / 21 192.168.0.30 / 21 TPC 3 200.240.230.225 / 80 192.168.0.31 / 80 TPC

Types of Address Translation

In dynamic address translation, a pool of global IP addresses is loosely related to a pool of local IP addresses. Mapping of one onto the other is done dynamically whenever a computer on the local network requests a connection to the external network. When the connection is broken, the global IP address is returned to the pool. Hosts connected via dynamic address translation must initiate all connections with the external network.

In static address translation, one global IP address (or global IP address / port pair) is permanently associated with one local IP address (or global IP address / port pair). In the example, the web server is connected to one of the global IP addresses for services on port 80, reducing the IP address pool to 13. Static address translation is used when the connection with the external network is to be initiated from either side — external or internal.

Translation may be done in two ways:

1 Address translation only – each global address is assigned to a single local address when necessary. In the

example, there are only 13 global addresses available and more than 13 hosts . With this type of translation, only 13 servers can connect to the Internet at any given time.

2 Port and address translation — the UDP/TCP port and local IP address are translated as a pair. With this

type of translation, only ONE global address is needed. All hosts can be mapped to the same global IP address. This can be used in our example to allow all hosts in the 192.168.0.0 network access to the Internet at the same time.

Chapter 11 - NAT

Page 83

Cyclades-PR1000

An overview of the NAT menu is shown in the table below. NA T Menu CONFIG =>SECURITY =>NA T

Menu Option Description

General Parameters for enabling NAT and choosing the NAT Mode. Also includes port

translation option.

Global Address The first and last IP addre sses in the range. In the ex ample, these numbers are

200.240.230.225 and 200.240.230.238.

Local Address The local network IP address and network mask, and whether or not the network should

be translated. In the example, these numbers are 192.168.0.0 and 255.255.255.0.

Static Translation Defines a static translation between a global IP address/port pair and a local IP

address/port pair. In the example, three such pairs are defined.

Timeout Definition of inactivity timeouts for UDP, DNS, and TCP dynamic NAT translations.

STEP ONE The first step in the configuration of NAT is to enable NAT and choose the NAT Mode (Normal or Expanded). Only the expanded mode is discussed in this chapter . The normal mode is a previous version of NAT maintained for backwards compatability. See chapter 4 of the CyROS Reference Guide for information about the Normal Mode.

NA T Menu CONFIG =>SECURITY =>NA T =>GENERAL

Menu Option Description

NAT Status Enables NAT. NAT Mode Provides a choice between the previous NAT version (the

Expanded NAT version. If this parameter is changed, all NAT parameters are reset to

the preset values. Disable Port Translation

Disables/enables NAT with port translation. If this parameter is changed while the router

is in use, all the active translations are destroyed, and their entries are removed from the

translation table.

Chapter 11 - NAT

Normal Mode

) and the new

Page 84

Cyclades-PR1000

STEP TWO The parameters in the Timeout Menu are explained in more detail below . The preset values should be appropriate for most applications.

Timeout and Options Menu CONFIG =>SECURITY =>NAT =>TIMEOUT AND OPTIONS

Parameter Description

UDP Timeout Inactivity time required before a UDP translation is removed from the translation table.

An entry is created in the translation table the first time a UDP packet passes through the

interface. Five minutes is a reasonable time. DNS Timeout Inactivity time required before a DNS translation is removed from the translation table. TCP Timeout Inactivity time required before a TCP translation is removed from the translation table.

This time should be relatively long, because under normal conditions TCP connections

are formally disconnected with FIN (No more data from sender) or RST (Reset

Connection) flags. TCP Flags Timeout Inactivity time required, after the receipt of a FIN, RST, or SYN (Synchronize sequence

numbers) flag, before a TCP translation is removed from the translation table. This time

can be relatively short, because after the TCP connection has been closed, there is no

further need for its address translation.

STEP THREE The next step is to define the global address range to which the local addresses will be translated. This is done in the menu CONFIG =>SECURITY =>NAT =>GLOBAL ADDRESSES =>ADD RANGE. The example in Figure 1 1.1 is 200.240.230.225, while the

Last IP Address

is 200.240.230.238.

First IP Address

in the

The local address ranges must also be entered into the router in the menu CONFIG =>SECURITY =>NA T =>LOCAL ADDRESSES =>ADD RANGE. Here, the Network IP Address (192.168.0.0 in the example) and Network Mask (255.255.255.0 in the example) are entered. Since this range is to be translated, the parameter

Range be Translated

should be set to

Yes

. In the example, the network 200.200.200.0 is not to be translated.

Should This

This can be configured by adding a new range and setting the translation parameter to No, or by simply not adding the range.

Chapter 11 - NAT

Page 85

Cyclades-PR1000

STEP FOUR If static translations are to be performed, as described in the example, the parameters in the Static Translation Menu must be set. A brief explanation of each parameter is given in the table.

Static Translation Menu CONFIG =>SECURITY =>NAT =>STATIC TRANSLATION => ADD ENTRY

Parameter Description

Global IP Address One of the addresses assigned by the Internet access provider and included in one of

the NAT global address ranges. Protocol TCP, UDP, ICMP, or any protocol. Global Port Applies to TCP and UDP protocols. The port to be translated on the WAN side. When a

request comes in on port 80 for IP 200.240.230.225 in the example, it is sent to the

server with IP 192.168.0.31, port 80 Local IP Address The IP address of the server (on the LAN, in the example) which is translated to an

Internet IP address. Local Port Applies only when Global Port provided. The port to be translated on the LAN side.

When a request comes in on port 80 for IP 200.240.230.225 in the example, it is sent to

the server with IP 192.168.0.31, port 80.

STEP FIVE After the NAT menu parameters have been set, the NAT property in the Network Protocol Menu of each interface must be configured. In the example, the IP Address of the Ethernet interface is not assigned dynamically. The parameter CONFIG =>INTERFACE =>ETHERNET =>NETWORK PROT OCOL =>IP=>NAT - DYNAMIC ADDRESS ASSIGNMENT should be set to

Inactive

. The IP address of the interface connecting the router to the Internet is also assigned by the super user in the example, rather than dynamically . The parameter CONFIG =>INTERF ACE =>SWAN =>NETWORK PROTOCOL =>IP=>NA T - DYNAMIC ADDRESS ASSIGNMENT would also be set to

Inactive

After NAT has been configured and is running, the menu option INFO =>SHOW STATISTICS =>NAT will show Network Address Translation Statistics.

Chapter 11 - NAT

Page 86

Cyclades-PR1000

CHAPTER 12 RULES AND FIL TERS

There are four basic types of rules:

1 IP filter rules, 2 Radius rules (actually a combination of previously defined IP filter rules), 3 traffic control rules, and 4 transparent bridge rules (similar to IP filter rules, but for applications that use a transparent bridge).

IP filter rules and traffic control rules will be covered in detail in this chapter. See section 4.7 of the CyROS Reference Guide for more information about all four types of rules.

As an introduction, the Rules List Menu Tree is presented in Figure 12.1. First, a rule list is created and named. Second, rules are added to the list and defined.

Configuration of IP Filters

IP Filter rules are a very important part of a network’s firewall. They permit packets into or out of the network depending on the source and destination IP addresses, the source and destination ports, the protocol used, and the ACK bit for TCP packets. The Syslog can be used to monitor the packets that meet the rules applied in this menu.

86Chapter 12 - Filters and Rules

Page 87

Cyclades-PR1000

Config

Rules List

Add Rule List

Edit Rule List

Configure Rules

Clear Rule List

Same as Add Rule List

Rule List Name Add Rule

Delete Rule Edit Rule

Rule List Name Rule Status Rule List Type Default Scope Incoming Rule List Name Outgoing Rule List Name Linked Rule List Name N

Insert as Rule Number Rule Status Scope Rule Priority Level Reserved Bandwidth Bandwidth Priority Level Protocol Source IP Operator IP Address Start Mask IP Address Start IP Address End Destination IP Operator IP Address Start Mask IP Address Start IP Address End Source Port Operator Source Port Start Source Port End Destination Port Operator Destination Port Start Destination Port End Allow TCP connections Allow Account Process Syslog Status

Syslog Level

Chapter 12 - Filters and Rules

FIGURE 12.1 THE RULES LIST MENU TREE

Page 88

Cyclades-PR1000

Slot 1

Exterior Router

Perimeter Network

192.168.0.0

ETH0

192.168.0.2 Slot 1

192.168.0.1 Interior Router

Router

172.16.0.0

192.168.0.3 ETH0

Bastion

Host

10.0.0.0

Extension to Network

FIGURE 12.2 FIREWALL EXAMPLE

Figure 12.2 will be used to show how both an exterior router and an interior router would be configured using the filters available in CyROS.

88Chapter 12 - Filters and Rules

Page 89

Cyclades-PR1000

Exterior Router

The exterior router is the network’s first defense against attacks. For this reason, it is reasonable to prohibit all packets except for those explicitly allowed. This is done by choosing the traffic must be expressly allowed by the rules in the rule list.

DENY

Let

e-mail in

Let

e-mail out

DENY

Default Scope

to be

Deny

. Thus, ALL desired

DENY

FIGURE 12.3 DENY AS DEFAULT SCOPE

Let Telnet

Connections Out

In Figure 12.3, a conceptual equivalent of the interface is shown. All packets except those which fall into the holes in the ball will be denied entry in to or out of the network.

Chapter 12 - Filters and Rules

Page 90

Cyclades-PR1000

Steps necessary to activate filtering on the exterior router in the example:

1 There are two interfaces with two directions each. Filtering on link 1 requires the creation of two rule lists,

called exterior_in and exterior_out. Create them using the menu CONFIG =>RULES LIST =>IP =>ADD RULE LIST and the following parameters:

Rule List T ype = Filter Default Scope = Deny Linked Rule List Name = None

2 Create the rules for each rule list in the order in which they should be evaluated. The order is important and

mis-ordering the rules can cause unexpected results. This is done in the menu CONFIG =>RULES LIST =>IP =>CONFIGURE RULES. The parameters for rules 0 and 1 in the example are shown in Figure 12.4.

3 Link the rule lists to the respective interface parameters in the menu CONFIG =>INTERFACE =>

=>NETWORK PROTOCOL =>INCOMING/ OUTGOING RULE LIST NAME. exterior_in should be set as the incoming rule list name and exterior_out should be set as the outgoing rule list name.

Exterior_in, rule 0, allows a remote computer to connect to the bastion host using the TCP protocol on its SMTP port. Exterior_out, rule 0, allows the Bastion Server to RESPOND to the connection started by the remote computer. To send e-mail

out

, two more rules would be needed. If all the router needs to do is receive e-

mail, the configuration is done. If not, other “holes” must be created in the deny ball. The configuration for “Let e-mail in” is shown in the following figure (obtained by selecting CONFIG =>RULES LIST

=>IP =>L in the menus):

90Chapter 12 - Filters and Rules

Page 91

Cyclades-PR1000

Rules Lists

Rule List Name Rule Default List Linked Status Scope Type Rule List

exterior_in Enabled Deny Filter exterior_out Enabled Deny Filter

-----------------------------------------------------------------------------FILTER_LIST NAME: exterior_in

## PROT OP Source IP Address OP SRC PORT CNX ACC LOG SC STA Destination IP Address DST PORT

0 TCP -- -- Y N - P EN == 192.168.0.3 255.255.255.255 == SMTP

-----------------------------------------------------------------------------FILTER_LIST NAME: exterior_out

## PROT OP Source IP Address OP SRC PORT CNX ACC LOG SC STA Destination IP Address DST PORT

0 TCP == 192.168.0.3 255.255.255.255 == SMTP Y N - P EN

-- --

FIGURE 12.4 OUTPUT FOR IP FILTERING EXAMPLE

Chapter 12 - Filters and Rules

Page 92

Cyclades-PR1000

Interior Router

If an interior router exists in the network, the administrator may decide to use a case, all undesired traffic must be excluded by a rule in the rule list. In Figure 12.5, a conceptual equivalent of the interface is shown.

All packets except those which fall into the holes in the ball will be allowed entry in to or out of the network.

Stop

Forged Packets

PERMIT

Don’t Allow

Access to News

Stop Telnets

From the Outside

(Except Bastion Host)

PERMIT

Default Scope

Permit

. In this

PERMIT

FIGURE 12.5 PERMIT DEF AUL T SCOPE

92Chapter 12 - Filters and Rules

Page 93

Cyclades-PR1000

The configuration for “Stop forged packets” is shown in the following listing:

Rules Lists

Rule List Name Rule Default List Linked Status Scope Type Rule List

Slot1_in Enabled Permit Filter

-------------------------------------------------------------------------------FILTER_LIST NAME: Slot1_in

## PROT OP Source IP Address OP SRC PORT CNX ACC LOG SC STA Destination IP Address DST PORT

0 - == 192.168.0.0 255.255.0.0 -- Y N - D EN

-- --

Slot1_in, rule 0, prohibits any incoming packets with source IP addresses of the internal network. Since the

addresses used for internal networks cannot be routed on the Internet, they cannot be valid unless there is a leak of traffic through another router to the perimeter network.

Imagine that, as shown in the figure, the network is expanded and another range of IP addresses is used (not a subnetwork). Rule 0 in the list Slot1_in will not protect this network. Either another rule can be added to this list, or the new router can filter packets into its area (or both).

Traffic Rule Lists

There are three kinds of traffic rules that can be configured in CyROS. The first two determine a division of bandwidth for traffic flowing out of the router:

Chapter 12 - Filters and Rules

Page 94

Cyclades-PR1000

1 Traf fic Shaping (the division of bandwidth is strictly adhered to), 2 Bandwidth Reservation (the division with the larger priority can steal bandwidth from the others),

An example showing the first two types is given in figure 12.6.

Network of

Client A

50% or more of total bandwidth

INTERNET

Link 3

Link 0

11.11.11.1 Link 2

Link 1

22.22.22.1

33.33.33.1

25% or less of total bandwidth

25% or less

of total bandwidth

Client B

FIGURE 12.6 TRAFFIC RULE EXAMPLE 1

The third determines which services have priority flowing through the router:

3 Service Prioritization.

Client C

94Chapter 12 - Filters and Rules

Page 95

Cyclades-PR1000

An Internet provider has three clients connected to the same router . Client A is larger and without traffic control would overwhelm the router to the exclusion of Clients B and C. The administrator decides to divide the flow out of the router (to the Internet) into three portions: 50% guaranteed for Client A, and the rest divided equally between Clients B and C. Since he does not want to limit Client A needlessly , the bandwidth Client A uses can be increased on demand if the total bandwidth is not being used up by the other two clients. This is Bandwidth Reservation. The two clients with 25% bandwidth each are given lesser, but equal priorities. They can not share bandwidth or steal it from Client A. However , each has the right to 25% of the total bandwidth on link 3 if it is needed. This is Traffic Shaping. Note that this rule list is applied to link 3, and not separately on links 0-2.

Steps for this configuration.

1 Create a Traffic Rule list traffic_1. This is done in the CONFIG =>RULES LIST =>IP => ADD RULE LIST

menu with the

Rule List Type

set to

Traffic

2 Create rules for each of the three source IP addresses. This is done in the CONFIG =>RULES LIST =>IP

=>ADD RULE menu. The parameters for each rule are shown in Figure 12.7. Of the traffic parameters, only the

Reserved Bandwidth

and

Bandwidth Priority

parameters are important in this example.

Flow Priority

not used.

3 Enter into the configuration for link 3 and change the parameter CONFIG =>INTERFACE =>

=>TRAFFIC CONTROL =>GENERAL =>IP TRAFFIC CONTROL LIST = traffic_1.

Note that the bandwidth used for the percentage calculation is that set in CONFIG =>INTERFACE =>

=>TRAFFIC CONTROL =>GENERAL =>BANDWIDTH, and not the actual bandwidth available in the link.

Chapter 12 - Filters and Rules

Page 96

Cyclades-PR1000

Rules Lists Rule List Name Rule Default List Linked

Status Scope Type Rule

List

traffic_1 Enabled Traffic

Filter_list Name traffic_1

Rule 0 Status Enabled Flow priority 0 Rule bandwidth 50% Bandwidth priority 1 Protocol 0 Source IP Operator Equal Source IP start 11.11.11.0 Source IP Mask 255.255.255.0 Destination IP

None Operator Source Port Operator None Destination Port

None Operator

96Chapter 12 - Filters and Rules

Page 97

Cyclades-PR1000

Rule 1 Status Enabled Flow Priority 0 Rule bandwidth 25% Bandwidth priority 2 Protocol 0 Source IP Operator Equal Source IP start 22.22.22.0 Source IP Mask 255.255.255.0 Destination IP

None Operator Source Port Operator None Destination Port

None Operator

Rule 2 Status Enabled Flow Priority 0 Rule bandwidth 25% Bandwidth priority 2 Protocol 0 Source IP Operator Equal Source IP start 33.33.33.0 Source IP Mask 255.255.255.0 Destination IP

None Operator Source Port Operator None Destination Port

None Operator

FIGURE 12.7 OUTPUT SHOWING P ARAMETERS FOR TRAFFIC RULE EXAMPLE 1

Chapter 12 - Filters and Rules

Page 98

Cyclades-PR1000

An example showing the third type of traffic control is given in Figure 12.8. The network administrator wants to prioritize the access to his web server . He also wants to prioritize e-mail sent by his SMTP server , but the priority should be lower. All other traf fic should have the lowest priority . For web server access, the important flow direction is not the user requests, but rather the data requested. The traffic control rule must be placed on link 2. In the case of e-mail, the important flow is the data leaving the e-mail server, and not the acknowledgements back. This is also governed by link 2. (Note: flow control could be placed on the data request packets and the SMTP acknowledgements by associating rules to link 1.)

E-mail Server

Port: Any

Web Server

Port: 80

Requests

Data Requested

FIGURE 12.8 TRAFFIC RULE EXAMPLE 2

Link 2

ACKs Back

PR1000

Link 1

INTERNET

E-mail out

Port: 25 (SMTP)

Port: Any

E-mail Server

Web Client

98Chapter 12 - Filters and Rules

Page 99

Cyclades-PR1000

The configured rules will appear as shown in the following listing.

Rules Lists Rule List

Rule Default List Linked

Name

Status Scope Type Rule

List

web_access Enabled Traffic

Filter_list Name web_access

Rule 0 Rule 1 Status Enabled Status Enabled Flow priority 1 Flow Priority 2 Rule bandwidth 0% Rule bandwidth 0% Bandwidth priority 0 Bandwidth priority 0 Protocol TCP Protocol TCP Source IP Operator None Source IP Operator None Destination IP Operator

None Destination IP

Operator

None

Source Port Operator Equal Source Port Operator None Source Port Start 80 Destination Port

Equal

Operator Destination Port Operator

None Destination Port

Start

SMTP

Note that for this type of traffic control, of the traffic-specific parameters only

Bandwidth

and

Bandwidth Priority

parameters are not important. A system needing all three is conceivable, but

much too complicated to show in this manual.

Chapter 12 - Filters and Rules

Flow Priority

is used. The

Reserved

Page 100

Cyclades-PR1000

CHAPTER 13 IPX (INTERNETWORK PACKET EXCHANGE)

IPX is an alternative to IP, proprietary to Novell. When IPX is activated, many new menus appear to allow configuration of this type of network. IP and IPX can both be active in the router simultaneously, and an interface can have both IP and IPX traffic passing through it. IPX is not discussed in the other chapters of this manual to avoid confusion for those who are using IP.

Server Named “Colombo” Novell Network Management Station Mac Address: 00: 60: 2E: 00: 11: 11

IPX Network

Internal Network Number: 00000003

Number: 00A0B000

PR2000

ETH0

Internal Network

Slot 1

Static Route

Number: 00000001

IPXWAN Network Number: 00B0C000

Internal Network

PR3000

. .

. . . .

. .

. . . .

. .

. . . . . .

. . . .

. . .

Windows Network with Network Number: 00010001

Number: 00000002

Mac Address: 00: 60: 2E: 00: 11: 00

FIGURE 13.1 IPX NETWORK EXAMPLE

Chapter 13 - IPX 100