Intel ER8100STUS - Express 8100 Router, Express 8100 Reference Manual

Intel Express 8100 Router

Reference Manual

Second edition April 1998

Copyright © 1998, Intel Corporation. All rights reserved.
Intel Corporation, 5200 NE Elam Young Parkway, Hillsboro, OR 97124-6497

Intel Corporation assumes no responsibility for errors or omissions in this manual. Nor does Intel make any commitment to update the infor­mation contained herein.

* Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners’ benefit,

without intent to infringe.

ii

Contents

Part I LAN and WAN Links and Services

1 LAN and WAN Services in the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

LAN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

WAN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

WAN Services and Protocols Available . . . . . . . . . . . . . . . . . . . . . . . . . . 3

General Facilities for WAN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Leased Lines Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Point-to-Point Protocol (PPP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Data Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Data Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Peer Authentication using the Challenge Handshake Authentication

Protocol (CHAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Peer Authentication using the Password Authentication Protocol (PAP) 15

3 Frame Relay Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

4 ISDN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Integrated Services Digital Network (ISDN) in the Intel Express 8100

Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

ISDN Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

ISDN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

ISDN Numbering and Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

BRA and PRA Numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

MSN (Multiple Subscriber Number) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

SUB (Sub-addressing) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

DDI (Direct Dialing In) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Permanent ISDN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

ISDN Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

ISDN Network Interface Reference Configurations . . . . . . . . . . . . . . . . . . . 30

5 X.25 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

X.25 Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

X.25 Services and Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

X.25 Packets and Virtual Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

X.25 Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

6 PPP Multilinks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

7 Internet Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

I

Part II IP, Novell IPX and Bridging Services

8 IP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

IP Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

IP Addresses Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

IP Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Address Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Internet Control Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

IP Filters—Firewall Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

IP Filter Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Static Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Dynamic Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Examples of Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Routing Information Protocol (RIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

RIP-1 and RIP-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

RIP Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Triggered RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Static Routes Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Contents

9 Novell IPX Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Novell Routing Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Internetworking Packet Exchange (IPX) . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Frame Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Novell Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Novell Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Data Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

IPX over WAN Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

IPX WAN Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

IPX Watchdog Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

IPX Serialization Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Sequenced Packet Exchange (SPX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

IPX Data Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

IPX Filters Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Routing Information Protocol (RIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

RIP Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Service Advertising Protocol (SAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

SAP Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Static Routes and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Configuration Example—Cost-Reduced WAN . . . . . . . . . . . . . . . . . . . . . . . 91

10 WAN Bridging Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Introduction to WAN Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

How Bridging Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Forwarding Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Operation of the Bridge in the Intel Express 8100 Router . . . . . . . . . . . 101

Controlled Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

II

Appendices

Contents

Spanning Tree Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Bridging Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Spanning Tree Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Spanning Tree in the Intel Express 8100 Router . . . . . . . . . . . . . . . . . . . 111

Bridge Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

BPDU Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Non-BPDU Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Enabling Bridge Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

A Protocol Bandwidth Overheads and Requirements . . . . . . . . . . . . . . . . 117

B TCP and UDP Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

C Ethernet Type Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

D IP Frame Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

E Novell IPX Frame Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

F Novell IPX Service Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

III

Preface

Products covered

Acronyms

The following products are covered in this manual:

■

Express 8100 Router with Frame Relay

■

Express 8100 Router with X.25

■

Express 8100 Router with an ISDN S/T port

■

Express 8100 Router with an ISDN U port

BACP Bandwidth Allocation Protocol
BCP Bridging Control Protocol
BECN Backward Explicit Congestion Notification
BPDU Bridging Protocol Data Units
BRA Basic Rate Access
BRI Basic Rate Interface
CBC Cypher Block Chaining
CCITT Comité Consultatif International Télégraphique et Téléphonique
CCP Compression Control Protocol
CHAP Challenge Handshake Authentication protocol
CRC Cyclic Redundancy Check
DCE Data Communication-terminating Equipment
DE Discard Eligibility
DLCI Data Link Connection Identifier
DLCMI Data Link Connection Management Interface (also called LMI)
DN Directory Number
DTE Data Terminal Equipment
DVMRP Distance Vector Multicast Routing Protocol
ECP Encryption Control Protocol
FECN Forward Explicit Congestion Notification
FR Frame Relay
HDLC High-level Data Link Control
ICMP Internet Control Message Protocol
IGMP Internet Group Management Protocol
IP Internet Protocol
IPCP Internet Protocol Control Protocol
IPX Internetwork Packet Exchange
IPXCP Internetwork Packet Exchange Control Protocol
ISDN Integrated Services Digital Network
ITU International Telecommunication Union
LAN Local Area Network
LAPB Link Access Procedure Balanced
LAPF Link Access Procedure for Frame Relay
LCP Link Control Protocol
LSP Link State PDU
MIB Management Information Base

iv

NAT Network Address Translation
NCP Network Control Protocol
PAP Password Authentication Protocol
PING Packet InterNet Groper Function
PDN Public Data Network
PRA Primary Rate Access
PRI Primary Rate Interface
PSDN Packet Switched Data Network
PVC Permanent Virtual Circuit
RIP Routing Information Protocol
RSVP ReSerVation Protocol
SAP Service Advertising Protocol
SLIP Serial Link Internet Protocol
SNAP SubNetwork Access Protocol
SNMP Simple Network Management Protocol
SPX Sequenced Packet Exchange
SVC Switched Virtual Circuit
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
UDP User Data Protocol
WAN Wide Area Network
WWW World Wide Web

Related documents

Novell NetWare Link Services Protocol Specification Rev 1.0.
Novell part No. 100-001708-002.

IPX Router Specification.
Novell part No. 107-000029-001

User Datagram Protocol (UDP).
RFC 768

Trivial File Transfer Protocol (TFTP) revision 2.
RFC 783

Internet Protocol (IP).
RFC 791

Internet Control Message Protocol (ICMP).
RFC 792

Transmission Control Protocol (TCP).
RFC 793

Ethernet Address Resolution Protocol (ARP).
RFC 826

v

Transmission of IP Datagrams Over Public Data Networks
RFC 877

Broadcasting Internet Datagrams.
RFC 919

Broadcasting Internet Datagrams in the Presence of Subnets.
RFC 922

Internet Standard Subnetting Procedure.
RFC 950

Bootstrap Protocol.
RFC 951

Using ARP to Implement Transparent Subnet Gateways.
RFC 1027

Serial Link Internet Protocol (SLIP).
RFC 1055

Routing Information Protocol (RIP).
RFC 1058

Simple Network Management Protocol (SNMP).
RFC 1155

Internet Numbers
RFC 1166

Concise MIB Definitions.
RFC 1212

Management Information Base for Network Management of TCP/IP-Based In­ternets: MIB II.
RFC 1213

Internet Control Message Protocol (ICMP) Router Discovery Messages.
RFC 1256

Management Information Base for Frame Relay Data Terminal Equipment
(DTE), 1992.
RFC 1315

Internet Protocol Control Protocol (IPCP) for the Point-to-Point Protocol
(PPP).
RFC 1332

vi

Password Authentication Protocol (PAP)
RFC 1334

Multiprotocol Interconnect on X.25
RFC 1356

Multiprotocol Interconnect over Frame Relay Data Terminal Equipment
(DTE), 1993.
RFC 1490

Definition of Managed Objects for Bridges.
RFC 1493

Internetwork Packet Exchange Protocol Control Protocol (IPXCP) for the
Point-to-Point Protocol (PPP).
RFC 1552

Point-to-Point Protocol (PPP) over Integrated Services Digital Networks (IS­DN).
RFC 1618

Network Address Translation (NAT)
RFC 1631

Bridge Control Protocol (BCP) for the Point-to-Point Protocol (PPP).
RFC 1638

Link Control Protocol (LCP) for the Point-to-Point Protocol (PPP).
RFC 1661

Point-to-Point Protocol (PPP) over High-level Data Link Control (HDLC).
RFC 1662

Assigned Numbers.
RFC 1700

Multilink Point-to-Point Protocol (PPP)
RFC 1717

Routing Information Protocol (RIP) Version 2
RFC 1723

Requirements for IP Version 4 Routers — regarding subnetting.
RFC 1812

Point-to-Point Protocol (PPP) Data Compression
RFC 1962

vii

Point-to-Point Protocol (PPP) Encryption
RFC 1968

Point-to-Point Protocol (PPP) Stac Data Compression
RFC 1974

Point-to-Point Protocol (PPP) Multilink
RFC 1990

Challenged Handshake Authentication Protocol (CHAP)
RFC 1994

Triggered RIP
RFC 2091

High-level Data Link Control.
ISO/IEC 3309

Link Access Procedure, Balanced (LAPB)
ISO/IEC 7776

X.25 Packet Layer Protocol for Data Terminal Equipment (DTE).
ISO/IEC 8208

Frame Relay User-Network Interface, January 1992.
FRF.1

Frame Relay Multiprotocol Interconnect, December 1992.
FRF.3

Media Access Control (MAC) Bridges.
IEEE/ANSI 802.1D
IEEE/ANSI 802.1G

High-level Data Link Control (HDLC)
ISO 3309

Frame Relaying Bearer Service Architectural Framework and Service Descrip­tion, 1990.
ANSI T1.606

Frame Relaying Bearer Service, Congestion Management Principles, 1991
Addendum 1.
ANSI T1.606

DSS1 — Signalling Specification for Frame Relay Bearer Service, 1991.
ANSI T1.617

viii

DSS1 — Core Aspects of Frame Protocol for use with Frame Relay Bearer Ser­vice, 1991.
ANSI T1.618

Frame Relay Bearer Services, 1991.
ITU-T (CCITT) Recommendation I.233.1

Congestion Management in Frame Relaying Networks, 1991.
ITU-T (CCITT) Recommendation I.370

Basic User-Network Interface — Layer 1 Specification, 1993.
ITU-T (CCITT) Recommendation I.430

Usage of Cause and location in the Digital Subscriber Signalling System No. 1
and the Signalling System No. 7 ISDN User Part, 1993.
ITU-T (CCITT) Recommendation Q.850

ISDN User-Network Interface-Data Link Layer Specification, 1993.
ITU-T (CCITT) Recommendation Q.921

ISDN Data Link Layer Specification for Frame Mode Bearer Services, 1992.
ITU-T (CCITT) Recommendation Q.922

ISDN User-Network Interface Layer 3 Specification for Basic Call Control,

1993.
ITU-T (CCITT) Recommendation Q.931

International Numbering Plan for Public Data Networks
ITU-T (CCITT) Recommendation X.121

Interface Between Data Terminal Equipment (DTE) and Data Circuit-termi­nating Equipment (DTE) for Terminals Operating in the Packet Mode and
Connected to Public Data Networks by Dedicated Circuits.
ITU-T (CCITT) Recommendation X.25

ix

Part I

LAN and WAN Links and Services

Chapter 1

LAN and WAN Services in the Router

In this chapter

LAN Services

Introduction

This chapter gives an introduction to the LAN and WAN services available in the
different Intel Express 8100 Router versions, and the common facilities available
of the different WAN services. WAN services include leased line, PPP, Frame
Relay, ISDN and X.25 services.

The different WAN services available in the Intel Express 8100 Router are de­scribed in the following chapters.

Local Area Networks (LAN) are concerned with the interconnection of distribut­ed computer systems whose physical location is confined to a localized group of
buildings. The main difference between a communication path established via a
LAN and connections made via Public Data Networks/Wide Area Networks
(WAN) is that connections via a LAN allow for higher transmission rates due to
the short physical distances.

1

LAN and WAN Services in the Router

WAN Services

LAN Services concept

The following illustration indicates how LAN Services are embedded in the Intel
Express 8100 Router.

ROUTING (TCP/IP & IPX) and Bridging

LAN SERVICES

LAN Link Control

Protocol Identification

Ethernet

LAN Port

Ethernet services

WAN Services

Introduction

0996

Ethernet is a Local Area Network (LAN) hardware standard that is capable of
linking up to 1,024 nodes (stations) in a bus network. It uses a base-band (single­channel) communication technique providing for a raw data transmission rate of
either 10 Mbps for 10Base-T or 100Mbps for 100Base-T. Ethernet uses carrier­sense multiple-access/ collision-detection techniques (CSMA/CD).

Wide Area Network (WAN) services consist of links to remote sites via private
or Public Data Networks (PDNs).

2

WAN Services and Protocols Available

LAN and WAN Services in the Router

WAN Services

WAN services overview

Number of WAN links
supported

WAN services are private or public data networks (PDNs) available to subscrib­ers for interconnecting remote sites. The Intel Express 8100 Router supports:

■

Leased lines

■

Switched (dial-up) connections

■

Point-to-Point Protocol (PPP)—described in “Point-to-Point Protocol

(PPP)”, p. 8

■

Frame Relay services—described in Chapter 3 “Frame Relay Services”, p.

17

■

ISDN connections and services—described in Chapter 4 “ISDN Services”,

p. 20

■

X.25 services—described in Chapter 5 “X.25 Services”, p. 32

■

PPP Multilinks which combine a number of PPP links into a single route
between two sites—described in Chapter 6 “PPP Multilinks”, p. 39

■

Internet Tunnels for routing data via the internet—described in Chapter 7

“Internet Tunnels”, p. 41

The Intel Express 8100 Router supports up to 5 WAN links (Frame Relay, ISDN
or X.25).

Leased lines

A leased line is a permanent physical connection between two Local Area Net­works. The costs for the use of a leased line are fixed—that is, they are indepen­dent of the amount of data transmitted. A leased line is normally used when there
is a need for constant data flow between two sites.

Dial-up links

Dial-up links (also referred to as switched links or switched lines) are links that
are only established when data requires transmitting over the WAN link and are
similar in operation to a normal telephone connection. Dial-up WAN links re­quire the use of a modem or other WAN connect device designed to establish this
type of connection.

The number for the dial-up WAN link is configured in the modem or WAN con­nect device (not for ISDN and X.25 links). This is a prerequisite for V.11, V.24,
V.35 and V.36 WAN connections.

General Facilities for WAN Services

Introduction

This section gives an overview and describes the WAN service features common
to all WAN link types available in the Intel Express 8100 Router.

3

LAN and WAN Services in the Router

WAN Services

Data compression

Timecut mode for dial­up (switched) links

Data compression is available for all WAN link types to improve the throughput.

PPP and Frame Relay

For PPP links (leased lines, dial-up links and ISDN links) and Frame Relay links,
data compression rates of up to 4:1 can be achieved for text data.

X.25

For X.25 links, data compression rates of up to 4:1 can be achieved for text data.

Note Timecut mode should be selected for dial-up (switched) WAN links.

Operating costs can be excessive otherwise.

When a dial-up (switched) WAN link is in Timecut mode, the link is only acti­vated when there is queued data. Timecut mode should be selected where trans­mission costs are dependent on the data transferred, the number of data packets
sent or the duration for which the link is active. Timecut mode ensures that the
WAN link is only established when necessary.

Routing protocols such as RIP and IPX send various routing packets between de­vices to continually assess the topology of the network. If the standard settings
are used for these settings (for example RIP packets are sent every 30 seconds),
timecut WAN links never get the chance to close down. Routing protocol settings
used on timecut WAN links should be set in accordance with this, and there are
other considerations to be made (for example Watchdog Spoofing and RIP and
SAP Filtering—see Chapter 9 “Novell IPX Routing”, p. 71).

Backup links

Backup links are dial-up (switched) links that can be initialized if another link
should fail or has not been established within a defined time interval. Typically,
a primary WAN link is a 2 Mbps leased line connection, the backup WAN link
is a 64 kbps dial-up connection—the costs of the backup link is therefore depen­dent on how much the link is used.

A WAN link in Backup mode is only used if the primary link should fail, or if a
connection to it was established from a remote source. Backup links can only be
closed down by the router that started the link.

4

LAN and WAN Services in the Router

WAN Services

Timecut backup links
considerations

Timecut mode for backup links must only be used if the backup link runs in par­allel to the primary WAN link, that is the main WAN link and the backup WAN
link must run between the same routers as shown in the figure below:

LAN2LAN1

Primary WAN Link

LAN WAN1 WAN2 System

Router A

Intel ExpressRouter9200

®

BackupWANLink

(dial-up)

LAN WAN1 WAN2 System

Router B

Intel ExpressRouter9200

®

1476

Timecut mode MUST NOT be selected for backup links that run via a different
router than the main WAN link as shown below. Problems otherwise occur when
using the backup WAN Link.

LAN 2

LAN 1

LAN WAN1WAN2 System

RouterA

Primary WAN

IntelExpressRouter9200

®

BackupWAN

LAN 2

Link

LAN WAN1WAN2 System

RouterB

LAN WAN1WAN2 System

RouterC

IntelExpressRouter9200

®

IntelExpressRouter9200

®

Link

TheBackup WAN Link mustNot use

timecutmode

LAN 1

Primary WAN

IntelExpressRouter9200

LAN WAN1WAN2 System

RouterA

Primary WAN

®

Link

Link

LAN WAN1WAN2 System

RouterB

LAN WAN1WAN2 System

RouterC

IntelExpressRouter9200

®

Backup

WAN Link

IntelExpressRouter9200

®

LAN 3

1475

5

LAN and WAN Services in the Router

WAN Services

Multiple backup links

Timer Profiles

For ISDN and X.25 services, it is possible to establish multiple backup links for
increased internetwork reliability. This can be a particularly useful feature in
X.25 networks where a number of Switched (dial-up) links can be available.

Link 2
PPP
Leased
Line

Link 4
X.25
Dial Up
Backup for Link 2

Link 5
X.25
Dial Up
Backup for Link 4

Link 6
X.25
Dial Up
Backup for Link 5

1235

In the above example, link 4 is used if the primary link (link 2) should fail, link
5 is used if link 4 should fail and link 6 is used if link 5 should fail.

The Intel Express 8100 Router implements Timer Profiles which offer extensive
facilities to restrict WAN link activity according to a user-defined time profile.
This may be done for security reasons or to reduce the operating costs of WAN
links.

Up to 16 user-defined timer profiles can be defined, any one of which can be se­lected for use with a WAN link during configuration of the link. Each profile al­lows you to define access rights on a weekly basis, with a half-hour resolution.
For each link, access can be blocked:

Timer profiles
consideration

■

for outgoing access from the router to the WAN link

■

for both outgoing and incoming access (WAN link disabled outside the times
defined in the timer profile)

For example, for one link using a timer profile, outgoing access may be block,
while for another WAN link using the same timer profile, access may be block
for all data traffic.

Warning When blocking both outgoing and incoming access, the timer pro-

file must be the same in both the routers over the WAN link.

This is particularly important for dial-up (switched) WAN links where operating
costs are dependent on the use of the link.

If the timer profiles are not the same and only one of the routers is denying in­coming access at some time, the other router may continually attempt to establish
the WAN link. This can lead to the following problems for the calling router:

■

for dial-up WAN links, excessive operating costs for the WAN link

■

error messages being logged

■

the link being disabled (faulted)

6

LAN and WAN Services in the Router

WAN Services

Example use of a timer
profile

Daily Activity Limit

For example, a timer profile could be set up to deny both incoming and outgoing
access on a WAN link outside normal office hours of 7:30 to 17:30, and to deny
all access at weekends.

Time

Day

Sun
Mon
Tue
Wed

Thu
Fri
Sat

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

Access allowed Mon-Fri
between 7.30 and 17.30

1290

The Intel Express 8100 Router has a Daily Activity Limit function which can be
used to control the use, and therefore the cost of operation, of dial-up WAN
Links. The alarm generates an SNMP Trap and can also be set up to close and
lock the associated WAN link when it has been in the Up (for both call directions)
state for the configured time-period within a day (midnight to midnight). That is,
the activity counter is incremented for both incoming and outgoing calls on the
links. If the link has been locked by the Daily Activity Limit, it stays locked until
it is manually reset from Intel Device View.

When a dial-up link has been locked by the Daily Activity Limit, the router does
not permit outgoing calls on the link until the link has been unlocked again from
Intel Device View. However, the link accepts incoming calls, thereby allowing a
remote connection via the link to unlock the link.

7

Leased Lines Links

Chapter 2

In this chapter

The WAN connect protocol used for communicating over leased line WAN con­nections by the Intel Express 8100 Router is the Point-to-Point Protocol (PPP).
When communicating over leased line connections, PPP runs on top of the High­level Data Link Control (HDLC) protocol.

Note PPP is also used for communications over ISDN links (PPP over

ISDN).

This chapter gives an introduction to the Point-to-Point Protocol (PPP) and de­scribes the features of the protocol offered by the Intel Express 8100 Router.

Point-to-Point Protocol (PPP)

Introduction to PPP

The Point-to-Point Protocol (PPP) was designed to enable simultaneous transfer
of network-layer protocols across a point-to-point link. Its main function is to es­tablish a synchronous link connection between routers from any manufacturer.
PPP functions include:

■

encapsulating multi-protocol datagrams

■

establishing, configuring and testing the data-link connection using a Link
Control Protocol (LCP)

■

establishing and configuring bridging and various network-layer communi­cations across the link using Network Control Protocols (NCPs). This is han­dled by the Internet Protocol Control Protocol (IPCP) for IP, and the
Internetwork Packet Exchange Control Protocol (IPXCP) for IPX and the
Bridging Control Protocol (BCP) for bridging services

■

■

■

authenticating peers using the Challenge Handshake Authentication Protocol
(CHAP) and Password Authentication Protocol (PAP) to ensure that commu­nications are between authorized devices

encrypting and decrypting data transmitted via the link to offer data security
compression/decompression of data to improve the throughput of data

8

Leased Lines Links

Point-to-Point Protocol (PPP)

PPP provides transport services for data packet delivery with low overheads and
high throughput. Frame checking at the link-level offers error detection, but error
recovery is taken care of by higher-layer network protocols.

PPP protocols

Link Control Protocol
(LCP)

Operation of PPP

The following diagram shows how the various PPP protocols are embedded:

Compression

Control Protocol

(CCP)

Network Control Protocols (NCPs)

Internet Protocol

Control Protocol

(IPCP)

Encryption ControlProtocol

Challenge Handshake Authentication

Protocol (CHAP)

Link Control Protocol

Internet Packet

Exchange Control

Protocol (IPXCP)

(ECP)

(LCP)

Bridging

Control

Protocol (BCP)

1233

LCP is the lowest layer in the PPP stack and runs on top of the High-level Data
Link Control protocol (HDLC) or Integrated Services Digital Networks (ISDN).
When the HDLC or ISDN protocol has established the link, LCP runs on top of it.

The following protocols form the basis of PPP:

Encapsulation

Network-layer protocols are encapsulated for transmission over WAN links.

Link Control Protocol (LCP)

The LCP takes care of the link connection.

Challenge Handshake Authentication Protocol (CHAP)

The Challenge Handshake Authentication Protocol (CHAP) is available to offer
security (encrypted password protection) against unauthorized access to a PPP
link.

Password Authentication Protocol (PAP)

The Password Authentication Protocol (PAP) is available as an alternative to
CHAP offering security (password protection) against unauthorized access to a
PPP link.

Encryption Control Protocol (ECP)

Data encryption is available when communicating over PPP links. The Encryp­tion Control Protocol (ECP) negotiates and manages data encryption between the
devices over the link.

9

Leased Lines Links

Point-to-Point Protocol (PPP)

Note Data encryption is only available in certain models of the Intel

Express 8100 Router. Data encryption is not allowed in some
countries by law.

Compression Control Protocol (CCP)

Data compression is available when communicating over PPP links. The Com­pression Control protocol (CCP) negotiates and manages data compression be­tween devices over the link.

Network Control Protocols (NCPs)

Each Network Control Protocol negotiates and manages a specific network-lay­er/bridging protocol.

PPP Call Back (PPP
ISDN links)

PPP Call-Back is available for use over PPP ISDN links where the costs of oper­ation of the link can be transferred a specific location.

For example, if someone working from home needs an occasional connection to
the office, the costs of operation for the connection can be transferred to the of­fice by using Call-Back. When the home connection needs to communicate with
the office, they call in to the office Intel Express 8100 Router with a request for
call back and then closes the connection.

Note The router will then return the call. The router must support Call-Back

or the link will not work.

In some cases, Call-Back is used to verify that incoming call is from the autho­rized address set up for the link.

The Call-Back facility can be used to transfer the cost of operation to either the
local site (this router) or to the remote site.

10

Leased Lines Links

Point-to-Point Protocol (PPP)

Multilink PPP

The Intel Express 8100 Router implements PPP Multilink facilities which allow
multiple PPP links between two sites to be used as a single route. A PPP Multi­link allows links to added dynamically (for bandwidth-on-demand) or statically
and has almost the combined bandwidth of the individual links.

PPP Multilinks are described in Chapter 6 “PPP Multilinks”, p. 39.

Data Compression

Data compression

Compression algorithm
used

Requirements for use

Data compression is available when communicating over PPP links, to improve
the throughput.

Both routers over the PPP link must support and be configured for PPP data com­pression for data compression to be used.

The compression algorithm implemented in the Intel Express 8100 Router is
based on the Stac* algorithm developed by Stac Electronics Inc. Typical com­pression rates of 4:1 are achieved for text data.

The devices at both end of the PPP link must implement the Compression Con­trol Protocol (CCP) and use the same compression algorithm.

Data compression is negotiated by the CCP whenever the link is established. If
the device over the PPP link does not support the CCP or the same compression
algorithm, compression cannot be used over the link.

Link speeds

Data Encryption

Introduction

Encryption algorithm
used

Data compression can be used on combined link speeds of up to 256 kbps (for
example compression can be used on one PPP link of 256 kbps or on two PPP
links of 128 kbps). The delays involved with compressing the data make it im­practical to use at higher link speeds.

The Intel Express 8100 Router offers encryption/decryption of data being trans­mitted over PPP and Frame Relay links. This offers security in case of intercep­tion by an unauthorized source.

Note Data encryption is only available in certain models of the Intel Express

8100 Router which are not available in some countries.

The data encryption algorithm implemented in the Intel Express 8100 Router is
Blowfish with a variable length encryption key (up to 144 bits) with 16 rounds
(encryption steps). The algorithm is used in Cipher Block Chaining (CBC) mode

11

Leased Lines Links

Point-to-Point Protocol (PPP)

which means that the algorithm is used across the entire data stream including the
packet header containing the address and protocol identification, and not only on
a fixed block (packet) size.

Reference for the
encryption algorithm

Requirements for use

Link speeds

Encryption and
compression

The Blowfish encryption algorithm is described in:
Bruce Schneier

Applied Cryptography (John Wiley & Sons)

The devices at both end of the PPP link must implement the Encryption Control
Protocol (ECP) and use the same encryption algorithm.

Data encryption is negotiated by the ECP whenever the link is established. If the
device over the PPP link does not support the ECP or the same encryption algo­rithm, the link is disconnected and a message is entered in the System Log for the
router—data communications are not allowed on a PPP link intended for secure
communications.

Encryption can be used on all link speeds and can also be used in conjunction
with compression. The algorithm can encrypt at around 1.3 Mbps, which may
cause delays on combined link speeds above this (for example on a 2.0 Mbps
links).

Data encryption can be used together with data compression (see “Data Com-

pression”, p. 11) over a PPP link. Data is first compressed then encrypted. When

encryption is used in connection with data compression over a PPP link, the re­strictions on link speeds for data compression apply.

Peer A uthentication using the Challenge Handshake Authentication
Protocol (CHAP)

Introduction to CHAP

Passw ords

12

The Challenge Handshake Authentication Protocol (CHAP) can be used to pro­vide link security against unauthorized access. CHAP uses password encryption
where passwords can be global (used for all PPP links) or selected from a pass­word pool. Separate passwords can be used for incoming and outgoing calls on a
link.

CHAP uses password encryption to authenticate peers; separate passwords can
be used for incoming and outgoing calls. The passwords are used to encrypt ran­dom text files which are transmitted over the PPP link (see ‘Challenge handshake
authentication procedure’ following); passwords are therefore never transmitted
directly over a PPP link, and cannot be intercepted and used by unauthorized
sources.

Leased Lines Links

Point-to-Point Protocol (PPP)

Use of passwords

For the correct operation of PPP links using CHAP, the passwords must be con­figured as follows:

Device 1 (User ID1)

Password A

used for

CHAP requests

Password B

used in reply to

CHAP requests

from User ID2

Request

Reply

Request

Reply

Device 2 (User ID2)

Password A

used in reply

to CHAP requests

from User ID1

Password B

used for

CHAP requests

1338

If Device 1 has Password A configured for CHAP requests on the PPP link, De­vice 2 must reply to the request using Password A. That is, Password A must be
defined in Device 2 for CHAP replies to Device 1.

Similarly, if Device 2 has Password B configured for CHAP requests on the PPP
link, Device 1 must reply to the request using Password B. That is, Password B
must be defined in Device 1 for CHAP replies to Device 2.

Global (all PPP links)
and Local replies to
CHAP requests

CHAP requests from the
router

A device always tries to reply to a request for authentication from a peer, using
the password defined for the User ID of the peer.

In the Intel Express 8100 Router, a list of passwords for User IDs can be defined
for both the router (global) and for individual PPP links. The passwords in the
global list can be used in reply to CHAP requests from peers on any of the PPP
links to the router. The passwords in the local list can only be used for peers on
the PPP link for which they are defined. The router first tries to find the User ID
of the peer requesting authentication in the local password list and then in the glo­bal password list.

In some devices, a common User ID with different passwords are used for com­munications over a PPP link. In these cases, local User IDs and password should
be defined. Otherwise, global User IDs and passwords can generally be used.

When CHAP requests are enabled, the Intel Express 8100 Router authenticates
the peer over the PPP link whenever the link is established. For on-demand
(switched) PPP links including ISDN links, the router authenticates the peer
whenever the link is brought up.

13

Leased Lines Links

Point-to-Point Protocol (PPP)

Challenge handshake
authentication procedure

The procedure used to authenticate a peer over a PPP link is as follows:

1 The device which is authenticating the peer (Device 1) generates a random

text file (random characters and a random length), and transmits it to the
device to be authenticated (Device 2) over the PPP link. Device 1 also
stores a copy of the random text file which is encrypted using the password
defined for CHAP requests on the link (Password 1).

Encrypted

using

Password 1

Device 1

Random

text file

PPP Link

2 The device receiving the random text file (Device 2) encrypts it using the

Device 2

Device being

authenticated

1335

password (Password 2) defined for requests from Device 1, then transmits
the encrypted text file back to Device 1.

Device 1

PPP Link

Device 2

Encrypted

using

Password 2

Random

text file

1336

14

Leased Lines Links

Devi

Devi

Point-to-Point Protocol (PPP)

3 Device 1 compares the locally encrypted text file with the text file

encrypted by Device 2. If the text files are the same (Password 1 = Pass­word 2) Device 2 is authenticated. Otherwise, Device 2 is not authenticated
and data communications with Device 2 are not allowed.

Peer is
authenticated

Peer is NOT
authenticated

Random

text file

encrypted

Device 1

Random

text file

encrypted

Device 1

ce 1

=

=

PPP Link

Random

text file

encrypted

Device 2

Random

text file

encrypted

Device 2

ce 2

1337

Peer Authentication using the Password Authentication Protocol
(PAP)

Introduction to PAP

The Password Authentication Protocol (PAP) can be used as an alternative to
CHAP to provide link security against unauthorized access. PAP uses simple
password protection against unauthorized access.

PAP versus CHAP

Replies to PAP requests

CHAP uses password encryption to authenticate peers and the passwords are
never transmitted directly over the PPP link, and therefore cannot be intercepted
and used by unauthorized sources. PAP uses simple password protection where
the password is transmitted directly over the link—PAP is therefore not resilient
to link monitoring.

Note For the best security, you should use CHAP rather than PAP for link

access protection wherever possible.

PAP can however be used when it is the only authentication protocol supported
by the remote device.

A device (for example the Intel Express 8100 Router) always tries to reply to a
request for authentication from a peer, using the password defined for the User
ID of the peer.

15

Leased Lines Links

Point-to-Point Protocol (PPP)

PAP requests from the
router

When PAP requests are enabled, the Intel Express 8100 Router authenticates the
peer over the PPP link whenever the link is established. For on-demand
(switched) PPP links including ISDN links, the router authenticates the peer
whenever the link is brought up.

If the device over the PPP link fails to authenticate itself, communications over
the link are not allowed.

16

Frame Relay Services

Chapter 3

Frame Relay in the Intel
Express 8100 Router

Frame Relay

Features

Frame Relay is available in the Express 8100 Router with Frame Relay. The
WAN port must be configured as a Frame Relay port before it can be used for
Frame Relay services.

As Frame Relay uses Permanent Virtual Circuits, a number of Frame Relay links
can be made via the same Frame Relay port. The Intel Express 8100 Router sup­ports up to 5 Frame Relay links.

This chapter gives an introduction to Frame Relay services in the Intel Express
8100 Router.

Frame Relay is an interface specification that provides a signalling and data
transfer mechanism between endpoints (routers) and the network (switches).
Data to be transmitted are encapsulated according to the Multiprotocol Encapsu­lation Implementation Agreements of the Frame Relay Forum. It provides effi­cient network services and accommodates burst-intensive applications over wide
area LAN interconnections at rates up to 2.048 Mbps. Frame Relay provides
bandwidth on demand and allows multiple simultaneous data sessions (logical
channels) across a physical Frame Relay port.

Frame Relay can be very cost-effective when used to interconnect several sites.
Frame Relay allows several logical links to different sites across one physical
Frame Relay port.

Features of the Frame Relay protocol include:

■

■

■

■

■

■

■

■

Provides a connection-oriented service
Maintains data sequence
Connects end-systems at data link layer
uses variable length packets
no data link control, no retransmissions
makes use of LAPF core functions
standard multiprotocol encapsulation
reduced costs for internetworking in large networks

17

Frame Relay Services

■

increased interoperability as it complies with international standards

Addressing

Encapsulation

PVC management

Each data packet contains a circuit number, also called a Data Link Connection
Identifier (DLCI), showing which logical channel that the information belongs
to. Frame Relay packets are routed to their destination on the basis of the circuit
numbers contained in the packet.

Note When using Frame Relay, ensure that your network provider allocates

you the necessary DLCI values. DLCI values assigned during Frame
Relay connection, range from 16 up to 991.

Multiprotocol encapsulation according to FRF.3, specifying the protocol con­tained in the current Information field (I-field). This encapsulation is also speci­fied in RFC-1490 “Multiprotocol Interconnect over Frame Relay Data Terminal
Equipment”, and is compatible with routers from other manufacturers.

Status information between Frame Relay network switches and user devices (for
example routers and bridges) is provided by signalling protocols defined by the
Frame Relay standards committees. These signalling protocols perform the fol­lowing tasks:

■

providing a ‘heartbeat’ or ‘keep-aliv e’ message e xchange to ensure that links
are available

■

informing about added and removed PVCs

■

providing status of existing PVCs

Frame Relay elements

Frame Relay services may be broken down into three distinct elements:

Frame Relay access equipment

Frame Relay access equipment is customer premises equipment (CPE) which
sends information across the network. This may be, for example, a router, a
bridge, a host computer, and so on.

Frame Relay switching equipment

Frame Relay switching equipment is responsible for the transportation of infor­mation across a WAN. This may be, for example, T1 (1.5 Mbps) and E1 (2 Mbps)
packet switches, and so on.

Public Frame Relay services

Public Frame Relay services see the deployment of Frame Relay switches via the
Public Data Network (PDN). If you do not make use of public services (sub­scribed), private networks may be established. In this case, the private network
must have Frame Relay switching equipment installed.

Note Frame Relay can only be used on high-quality transmission lines dedi-

cated to Frame Relay.

18

Frame Relay Services

Data compression

Data encryption

Advantages of Frame
Relay over leased line
links

Data compression is available when communicating over Frame Relay links, to
improve the throughput on link speeds of up to 256 kbps. Typical compression
rates of 4:1 can be achieved for text data.

Both routers over the Frame Relay link must support and be configured for Frame
Relay data compression before data compression is used.

Intel Express 8100 Routers use the Stac algorithm developed by Stac Electronics
Inc. Typical compression rates of 4:1 are achieved for text data.

The Intel Express 8100 Router offers encryption/decryption of data being trans­mitted over Frame Relay links. This offers security in case of interception by an
unauthorized source.

Note Data encryption is only available in certain models of the Intel Express

8100 Router which are not available in some countries.

Data encryption over Frame Relay links uses the same encryption algorithm and
implementation as for PPP links, see “Data Encryption”, p. 11.

Note Unlike PPP links, Frame Relay links are unable to detect a mismatch in

the encryption keys in the routers over the link. If the encryption keys
are wrong, data will not be un-encrypted and will contain errors (illegal
packets).

Frame Relay uses standardized encapsulation of protocols and it is therefore pos­sible to connect to third-party routers (routers from other manufacturers). When
using Frame Relay, virtual circuits are established allowing for any-to-any con­nectivity. Both of the mentioned features are not available for a leased line.

19

Chapter 4

ISDN Services

Integrated Services Digital Network (ISDN) in the
Intel Express 8100 Router

ISDN in the Intel Express
8100 Router

Point-to-Point Protocol
(PPP)

ISDN links

Basic Rate Access (BRA) ISDN is supported by the following routers:

Express 8100 Router with an ISDN S/T port

which establishes a Basic Rate Interface (BRI) via an ISDN S/T inteface to an
NT-1 termination of the ISDN line

Express 8100 Router with an ISDN U port

which establishes a Basic Rate Interface (BRI) via an ISDN U interface directly
to the incomming ISDN line.

The link protocols used over ISDN links by the Intel Express 8100 Router is the
Point-to-Point Protocol (PPP). PPP is also be used for communicating over
leased line and dial-up (switched) links.

An overview of PPP and the facilities available is given in Chapter 2 “Leased

Lines Links”, p. 8.

For the ISDN Intel Express 8100 Routers, it is possible to configure more ISDN
links (router links) than the number of B-channels available. In this case, ISDN
B-channels can be allocated to ISDN links as follows:

Reserved ISDN B-Channels

ISDN links in the router can be configured to reserve an ISDN B-channel. In this
case, the ISDN link reserving the B-channel always has a B-channel available.
The B-channel reserved by the ISDN link cannot be allocated to another ISDN
link when not in use.

Dynamically allocated ISDN B-Channels

For ISDN links which do not have a reserved ISDN B-channel, a simple link pool
system is used. ISDN B-channels which are not reserved by ISDN links are ob­tained and returned to the B-channel pool as required by the ISDN links.

20

ISDN Concept

ISDN Services

ISDN Concept

What is ISDN?

What ISDN offers

Channel types

ISDN is a digital telecommunications network that allows you to send all kinds
of information, including speech and data, in much the same way as making a
telephone call. The ISDN is digital from end-to-end which improves the data
communications quality and restricted information rate resulting from the use of
analog links together with modems.

CCITT has defined an ISDN as a network, in general evolving from a telephony
Integrated Digital Network (IDN), that provides end-to-end digital connectivity
to support a wide range of services, including voice and non-voice services, to
which you have access by a limited set of standard multi-purpose user-network
interfaces.

ISDN offers multiple 64 kbps or 56 kbps connections on demand with a low error
rate. This can be used in place of leased line WAN links or as a backup to leased
line WAN links. A main advantage of ISDN is that a modem is not required—
the router can be connected directly to the ISDN.

There are two types of channels used in ISDNs:

■

B-channels
64 kbps or 56 kbps full duplex, synchronous channels for data and voice
transfer

■

D-channels
16/64 kbps signalling channels

Connection types

There are two types of connectivity:

Basic Rate Access (2B+D)

This type of connection provides two independent data (B) channels (56 kbps or
64 kbps), and a 16 kbits signalling (D) channel which is provided for communi­cation between the router and the ISDN exchange. It is used to set up and clear
calls for both information channels. This arrangement is called 2B+D and is
equivalent to two independent telephone lines each with a 64 or 56 kbps capacity.
Up to eight terminals can be connected to the line, although only two calls can be
in progress at any one time (each using a B-channel).

Primary Rate Access (30B+D)

This type of connection is used for connecting Private Branch Exchanges (PBX)
to the ISDN. In most countries, Primary Rate Access has 30 B-channels (56 kbps
or 64 kbps) and one D-channel (64 kbps). In the USA and Japan a 23B+D ar­rangement is used.

Note The Intel Express 8100 Routers offer Basic Rate Access (BRA) only.

21

ISDN Services

ISDN Services

ISDN Services

Three types of service

Bearer Services

Tele Services

ISDN services are divided into three categories:

■

Bearer Services

■

Tele Services

■

Supplementary Services

These are the basic transport services which transfer information between the ter­minal/net interface. That is a connection must be set up between two routers be­fore communication can take place. There are two types of Bearer services:

Circuit switched

These are the simplest types of Bearer services. Once a connection is established,
data is transferred over the link (B-channel) at a rate of 64 kbps (or 56 kbits for
some ISDNs).

Packet switched

If the data rate is variable, then it may not be cost-effective to pay for an
end-to-end channel for the duration of the call. In this case, data is sent in packets
and the cost is based, partly, on the volume of traffic rather than the duration of
the call.

These define the way in which certain standardized applications use ISDN. The
following services are defined by CCITT:

Telephony

Provides two-way, real-time speech conversation. There are two types:

22

■

3.1 kHz

■

7 kHz, which provides speech and sound transmission of a much higher
quality than 3.1 kHz telephony

Teletex

Enables subscribers to exchange character-coded documents automatically. It is
much faster than Telex and has a much larger character set.

Telefax 4

Provides high-speed, high-quality facsimile transmission.

Mixed Mode

This is a combination of Teletex and Telefax 4.

Videotex

Provides retrieval and mailbox functions for text and graphic information.

ISDN Services

ISDN Services

Telex

Provides interactive text communication. It is the same as the existing Telex ser­vice. The advantage of using it via ISDN is that it can be provided over an inter­face shared with other services.

Message Handling System (MHS)

Allows you to send and receive electronic mail via a “post box”.

Supplementary Services

A Supplementary Service modifies or supplements a basic service. It may pro­vide additional control functionality or provide information about an ISDN call.
Some of the Supplementary Services available are:

Multiple Subscriber Number (MSN)

Allows more than one number to be assigned to a line. Typically, a block of ten
numbers is assigned with the last number used to select the station.

Sub-addressing (SUB)

Allows you to specify extra addressing information in addition to the ISDN num­ber.

Direct Dialing In (DDI)

Allows an ISDN station to call on an ISPBX directly without the operator.

User-to-User Signalling (UUS)

Allows you to send or receive a limited amount of information to or from another
station over the D-channel in association with an existing call.

Calling Line Identification Presentation (CLIP)

The called party can choose to be presented with the calling party’s ISDN num­ber.

Calling Line Identification Restriction (CLIR)

The calling party can suppress the presentation of his ISDN number to the called
party.

Connected Line Identification Presentation (COLP)

The calling party can be presented with the ISDN number of the called party. It
tells the calling party who actually answers the call (for example if call forward­ing is in operation).

Connected Line Identification Restriction (COLR)

The called party can suppress the presentation of his ISDN number to the calling
party.

Closed User Group (CUG)

Allows a group of users to appear to be in their own private network.

Terminal Portability (TP)

Allows a terminal to be unplugged from one socket on a Basic Rate Access con­nection (S bus) and plugged into another socket on the same S bus without the
call being cleared.

Call Waiting (CW)

Gives notice of an incoming call even if all channels are occupied.

23

ISDN Services

ISDN Numbering and Addressing

Call Hold (HOLD)

Allows you to interrupt a call and return to it later.

Line Hunting (LH)

Allows incoming calls to a specific number to be distributed over a group of
lines.

Call Forwarding (CF)

Causes an incoming call to be sent to another number.

Call Transfer (CT)

Allows either the calling or called party to transfer the call to a third party.

Add on Conference Call (CONF)

Allows additional subscribers to be added to a call to form a conference.

Three-Party Service (3PTY)

Allows you to switch between two calls.

Advice of Charge (AOC)

Gives call charge information.

ISDN Numbering and Addressing

Introduction to ISDN
numbering

E164 format

Like the Public Switched Telephone Network (PSTN), Integrated Services Dig­ital Networks (ISDNs) uses Directory Numbers (DNs) to identify subscribers.
The International Telegraph and Telephone Consultative Committee (CCITT) a
numbering plan for ISDN (Recommendation E164) which specifies how num­bers should be constructed within telephone networks. E164 includes the existing
plan E163 for the PSTN—both ISDN and PSTN numbers can therefore be allo­cated out of the same range of numbers.

Each ISDN directory number specifies a point of connection to the network (an
ISDN line). Each line can, however, support more than one terminal—see “BRA

and PRA Numbering”, p. 26

The number consists of a maximum 15 digits and is divided up in the following
way:

Country Code (CC)

This consists of 1-3 digits.

National Significant Number (NSN)

This consists of between 12-14 digits. This is sub-divided further into a:

■

National Destination Code (NDC)

■

24

Subscriber Number (SN)
In Denmark, for example, the NSN is 8 digits long; NDC = 2 digits and the
SN = 6 digits.

Sub Address (SA)

This consists of between 1-40 digits.

ISDN Services

ISDN Numbering and Addressing

Addressing

Address checking

An incoming call can contain the following address fields:

Calling Party Number

Local Address of the Calling router (address corresponds to the Remote Ad­dress of the

Calling Party Sub-address

Called router).

Local Sub-address of the Calling router (address corresponds to the Remote
Sub-address of the

Called Party Number

Called router).

Local Address of the Called router (address corresponds to the Remote Address

Calling router).

of the

Called Party Sub-address

Local Sub-address of the Called router (address corresponds to the Remote
Sub-address of the

Calling router).

Some of the address fields may be absent depending on the network and supple­mentary services available.
The router accepts the call when both the destination and source address checks
succeed.

To ensure a one-to-one relationship between end devices, a unique ISDN number
is assigned to each link across the ISDN. Incoming calls are only accepted if the
local and remote addresses and sub-addresses match as shown below:

Destination address and
sub-address check

Addresses must match for a call to be accepted

Calling Device Receiving Device

Local Address Remote Address

Remote Address Local Address

Remote sub-address Local Sub-address

Note ISDN addresses can be changed by intermediate ISDN switches in the

ISDN network.

Some of the addresses may not be used by an ISDN variant particular to some
countries (for example the sub-address), in which case the check of that address
is omitted.

The router only accepts an incoming call when the ISDN Remote Address
matches the Local Address, and the Remote Sub-address (if used) matches

Local Sub-address of an ISDN link in the router.

the

25

ISDN Services

ISDN Numbering and Addressing

If a Local Address is not defined for an ISDN link, all incoming addresses are
accepted by the link (the address check is not performed). Similarly, if a

Sub-address

is not defined for an ISDN link, all incoming sub-addresses are

Local

accepted by the link (the sub-address check is not performed).
If the network does not provide the sub-address service, then a

dress

must not be defined (left empty).

Source address check

Source address checking adds security to the WAN link—the router only accepts
an incoming call when the source address matches the
figured for the ISDN link.

ISDN switches may change address prefixes. To support all ISDN implementa­tions, the address check is made from right to left using the number of digits de­fined for the

There are occasions when the source address and/or sub-address is missing from
incoming calls (some ISDN networks do not provide presentation of the source
address in incoming calls). In these cases, the router omits the check of the source
address and accepts the calls—there is no security check on these calls.

BRA and PRA Numbering

More than one terminal
supported by ISDN line

The ISDN Directory Number (DN) specifies a point of connection to the network
(an ISDN line). Each ISDN line, however, can support more than one terminal.
This is done in two different ways:

BRA (Basic Rate Access)

Each ISDN line can support more than one terminal directly.

Local Sub-ad-

Remote Address con-

Remote Address Check parameter.

Either B-channel (if both
are free) for incoming call
(BRA)

Any free B-channel for
incoming call (PRA)

26

PRA (Primary Rate Access)

Each ISDN line can support more than one terminal through an ISPBX (Integrat­ed Services Private Branch Exchange) or multiplexer.

There are therefore a number of mechanisms specified to allow an incoming call
to be directed to a particular terminal on a given line.

Normally a BRI has a single DN and the exchange can use either B-channel (if
both are free) to deliver an incoming call to a terminal.

Normally a PRI has a single DN and the exchange can use any free B-channel for
an incoming call.

MSN (Multiple Subscriber Number)

ISDN Services

ISDN Numbering and Addressing

Different Directory
Number (DN) for each
terminal

Each line is allocated a block of DNs, typically 10, and when there is an incoming
call, the called number is presented to all the terminals on a passive bus.

Each terminal is programmed to respond to a different DN and thus the correct
terminal is able to answer the call.

More than one call at
same time

If the attached device is capable of handling more than one call at the same time,
for example an Intel Express 8100 Router with multiple ISDN links, then it can
be programmed to respond to more than one number.

Calling Line Identification

The Calling Line Identification supplementary service is a country-dependent
default service for EuroISDN. A
work when setting up a call. This is checked by the network and, if valid, passed
on to the

SUB (Sub-addressing)

One or more identifiers
for each terminal

This is the most flexible form of terminal identification. Each terminal on a line
is given one or more identifiers, each of which is a unique string of characters of
your choice.

Each of the terminals on a passive bus has its own sub-address, and all of the ter­minals share the same ISDN number. An Intel Express 8100 Router with multi­ple ISDN links must have a separate sub-address for each ISDN link.

Calling terminal can present its DN to the net-

Called party.

String supplied by caller

In order to specify a particular terminal or an ISDN link in the Intel Express 8100
Router, the caller supplies the appropriate character string to the network when
the call is made.

The network passes this string unchanged (subject to any restrictions on length
and character set) to the called line.

DDI (Direct Dialing In)

ISPBX extension
numbers

This is a facility whereby the last few (typically 3) digits of the Directory Number
(DN) are used to specify which extension of an ISPBX is being called.

The BRA/PRA (or group of BRA/PRAs) to which the ISPBX is connected is al­located a block of numbers.

When there is an incoming call, the last few digits of the number are presented to
the ISPBX to allow it to select the correct extension.

27

ISDN Services

Permanent ISDN

Example

A customer could be allocated all numbers in the range 678000 to 678999.
A call to any of these numbers would be routed to the same BRA/PRA, the ISP-

BX being responsible for directing the call to the appropriate extension, these be­ing numbered from 8000 to 8999.

Calling Line Identification

The Calling Line Identification supplementary service is a default service for Eu­roISDN. For outgoing calls, the ISPBX can provide the DDI number of the orig­inating extension for presentation to the called subscriber.

Permanent ISDN

Permanent ISDN
connections

Signalling

In some countries, Permanent links are available over ISDNs which offer a static
association between two sites without the need for the signalling associated with
normal ISDN links. Permanent link are allocated by the ISDN provider and are
similar to leased line WAN links as they are always available for data transfers.

No signalling or dialing is required for Permanent ISDN connections. Permanent
ISDN links operate on Layer-1 only—Layer-2 and Layer-3 are not used by Per­manent ISDN.

Permanent ISDN link
types available in the
router

The Permanent ISDN link types available in the Intel Express 8100 Routers with
a Basic Rate Interface (BRI) are:

■

■

Permanent ISDN connections using the D-channel are not supported.
These modes of operation for the ISDN Basic Rate Interface are selected on the
Advanced screen for the ISDN port.

ISDN Standards

A common standard

It should be possible to buy a piece of equipment anywhere in the world, plug it
in anywhere in the world and communicate with anywhere in the world. This is
the main goal of ISDN. However, at the present time, a world-wide ISDN stan­dard does not exist. Each country has its own version of an ISDN standard.
Progress is however being made, especially in Europe.

Permanent 64 kbps or 56 kbps
which offers two 64 kbps or 56 kbps Permanent ISDN links which can be to
different sites.

Permanent 128 kbps or 112 kbps
which offers a single 128 kbps or 112 kbps link to another site.

28

ISDN Services

ISDN Standards

ETSI

EuroISDN and National
ISDN-1

ISDN protocol variants
supported

The European Telecommunications Standards Institute (ETSI) was set up to pro­duce European Telecommunications Standards (ETS). Some of these standards
have been designated as NETs (Normes Européen de Télécommunications)
which specify the connection requirements for terminal equipment. The most im­portant are NET 3 and NET 5. These standards are for the type approval of equip­ment for connection to ISDN BRA and PRA respectively.

In 1989, European network operators signed a Memorandum Of Understanding
(MOU) to enable the standardization of services and user-network interfaces, and
international connectivity.

A variety of national standards currently exist for ISDN in Europe. These are
gradually being replaced by ETSI standards to provide a European-wide service.
The situation is similar in the USA, a similar state of affairs exists resulting in the
National ISDN-1 standard.

A number of country-specific variants of ISDN are currently in use around the
world. The ISDN variants supported by the Intel Express 8100 Router are:

■

Euro ISDN (ETSI)
EuroISDN is used in many countries throughout Europe and Asia Pacific
and in Australia.

■

National ISDN-1 (USA)

■

National ISDN-2 (USA)

Service Profile IDs
(SPIDs)

■

AT&T ISDN (USA)

■

Nortel DMS-100 (USA)

■

NTT (Japan)

■

KDD (Japan)

Service Provider IDs (SPIDs) are used by USA ISDN variants only and are used
to identify to the switch the ISDN services provisioned for the terminal. The
SPID is registered at the switch during link establishment.

Network providers which supply NI1 (National ISDN-1) or AT&T ISDN in the
USA require the use of SPIDs for identification of the services provided. For
Northern Telecom DMS-100 ISDN switches, a SPID is required for each B­channel of the BRI. That is, if both B-channels of the BRI are to be used, two
SPIDs are required.

29

ISDN Services

ISDN Network Interface Reference Configurations

ISDN Network Interface Reference Configurations

Purpose

Reference configurations are used to describe various possible physical interfac­es to the ISDN.

TE2

S

TE1

R

TA

RS

NT2 NT1

NT2 NT1

T

Transmission Line

Transmission Line

T

0962

The boxes represent functional groups, each having a set of functions that may
be needed to connect to the ISDN. Reference points (R, S and T) are connections
between functional groups.

The Intel Express 8100 Router with an ISDN S/T port contains the following
physical interfaces:

Express 8100 RouterST

with an ISDN S/T port

30

TE1 NT2 NT1

S

T

ISDN Line

1633

The Intel Express 8100 Router with an ISDN U portcontains the following phys­ical interfaces:

Express 8100 RouterU

with an ISDN U port

TE1 NT2 NT1

S

T

U

ISDN Line

1633

ISDN Services

ISDN Network Interface Reference Configurations

Functional Groups

The functional groups are:

■

NT1/2 (Network Termination)

- NT1 terminates the transmission line from the local exchange

- NT2 handles a variety of functions such as multiplexing and switching

■

TE1/2 (Terminal Equipment)

- TE1 has an ISDN interface and terminates an ISDN call

- TE2 is similar to TE1 but does not conform to ISDN recommendations

■

TA (Terminal Adapter—not required for the Intel Express 8100 Router)
Allows a TE2 to be connected to the ISDN. It performs a conversion

between the signalling and user information formats at the R interface and
the ISDN interface. R interfaces are typically V.24 and X.21 interfaces.

31

X.25 Services

Chapter 5

In this chapter

X.25 is available in the Express 8100 Router with X.25
The WAN port must be configured as an X.25 port before it can be used for X.25

services.
As X.25 uses virtual circuits, a number of links (virtual circuits) can be made via

the same X.25 port.
This chapter gives an introduction to X.25 services in the Intel Express 8100

Router.

X.25 Characteristics

Introduction to X.25

Packet Switched Data
Networks (PSDNs)

X.25 is an internationally agreed protocol for communications between a LAN
device (for example a router connected via a modem) and the Packet Switched
Data Network (PSDN) node. The packet switched data network can be either a
Public Data Network (PDN) or a privately owned network. X.25 is independent
of the internal protocols used within the Packet Switched Data Network (PSDN).
X.25 uses the OSI standard reference model, and defines standards for layers 1,
the physical layer; layer 2, the data link layer and layer 3, the network layer.

Packet Switched Data Networks work on a store-and-forward principle; data
packets received at a node in the PSDN are stored until it is convenient for the
network to forward them. This is a cost-effective arrangement as PDNs need not
reserve network bandwidth for packet switched connections; packets can be for­warded when the bandwidth becomes available. PSDNs can therefore offer com­petitive rates for data transfer.

32

X.25 Services

X.25 Characteristics

X.25 device
characterization

Physical layer

Link layer

At the physical layer (layer 1 of the OSI reference model), X.25 defines LAN
communications devices (for example a router) as Data Terminal Equipment
(DTE) and PSDN nodes as Data Communication-terminating Equipment (DCE).

X.25 X.25

Packet Switc hed

Data Networ k

(PSDN)

DCE

DTEDCEDTE

1226

The X.25 protocol defines the communication interactions between the DTE and
DCE devices, and is independent of the structure and protocols used between the
two DCE devices and over the PSDN.

X.25 specifies the use of full duplex, point-to-point synchronous circuits for the
physical layer.

The primary responsibility of the link layer protocol is to ensure the error-free ex­change of data over a link which has variable delays. The X.25 standard defines
the use of either Link Access Procedure (LAP) or Link Access Procedure, Bal­anced (LAPB) where LAPB is the preferred link layer protocol and is the proto­col implemented in the Intel Express 8100 Router.

Network layer

X.25 network layer (also known as packet layer) services give X.25 its virtual cir­cuit characteristics. In addition to sending and receiving data packets, the net­work layer is responsible for:

■

establishing and clearing virtual circuits across the PSDN

■

recovering from error conditions (reset and restart procedures)

33

X.25 Services and Features

A

X.25 Services

X.25 Services and Features

Service types available

Logical channels

Line speed matching

X.25 allows two basic service access types to a PSDN:

Switched Virtual Circuits (SVCs)

An SVC is a temporary association between two DTEs. This requires that the link
between the DTEs through the PSDN must first be established by making what
is known as a Virtual Call. SVCs are therefore only initiated by a DTE when data
requires transmitting, and are cleared again when the data has been sent. An SVC
is analogous to a dial-up (switched) WAN link between two LANs.

Permanent Virtual Circuits (PVCs)

A PVC is a permanent association between two DTEs; no Virtual Call is required
to initialize the link and the link is not cleared when the data has been sent. A
PVC is analogous to a leased line WAN link.

X.25 uses logical channels when communicating over PSDNs. This means that a
number of logical links (connections) to different remote destinations can be es­tablished via one physical X.25 port. For example, an X.25 port (one number)
with 6 logical channels can communicate with 6 remote destinations simulta­neously.

The store-and-forward nature of PSDNs means that X.25 requires advanced data
flow control and line speed matching. This means that data can be received at a
different speed than it was transmitted. For example, a host at a central site can
be connected via a 56 kbps X.25 connection to several remote sites which are
connected with cheaper 19.2 kbps X.25 connections.

34

Central

Site

Router

ttachment

Logical connection

X.25

56 Kbit/s

Packet Switc hed

Data Networ k

(PSDN)

X.25

19.2 Kbi t/s

X.25

19.2 Kbi t/s

X.25

19.2 Kbi t/s

Remote

Office

Remote

Office

Remote

Office

1228

X.25 Packets and Virtual Calls

X.25 Services

X.25 Packets and Virtual Calls

Supervisory packets

Virtual Call process

In addition to data packets, X.25 uses special supervisory packets to:

■

establish Virtual Calls

■

clear Virtual Calls

■

negotiate packet and window sizes

■

maintain and supervise logical channels across the PSDN

■

recover from error conditions

Many of these X.25 supervisory packets are only used by SVCs.

Virtual Calls are made using supervisory packets to establish virtual circuits
through the PSDN. The Virtual Call process is as follows:

1. The DTE which wishes to establish the Virtual Call sends a Call Request
Packet to the local DCE on the highest free Logical Channel Identifier it has
available for outgoing calls.
The Call Request Packet contains the address of the remote DTE.

2. The PSDN decides if the call is valid; if it is, the DCE forwards the packet to
the appropriate remote DTE via the remote DCE, on the lowest Logical
Channel Identifier available at the remote device.

Calling

DTE

Call

Request

1
2

X.25 X.25

3
4
.
.
n

DCE DCE

Packet Switc hed

Data Networ k

(PSDN)

n

.
.

Called

4
3
2

Incoming

1

DTE

Call

3. If the remote DTE accepts the call, it sends a Call Accepted Packet to the

Logical Channel
Packet Path

1234

DCE (the remote DCE).
The Call Accepted Packet contains the Logical Channel Identifier on which
the call request was received. The association between the Logical Channel
Identifier and the route to the calling DTE has already been established.

35

X.25 Services

X.25 Packets and Virtual Calls

4. The remote DCE forwards the call Accepted Packet across the PSDN to the
local DCE which then passes it to the calling DTE. Again, only the Logical
Channel Identifier from the local DCE to the calling DTE is included in the
packet.

Window size

Packet and window sizes

1
2

DTE

Call

3
4
.
.
n

Calling

Connected

Logical Channel
Packet Path

X.25 X.25

Packet Switc hed

DCE DCE

Data Networ k

(PSDN)

n

.
.

Called

4
3
2

Call

Accepted

1

DTE

1236

The window is the number of packets that may be transmitted without receiving
acknowledgment.

As X.25 is based upon LAPB which is resilient to packet loss, the window size
is used for controlling the flow of packets.

For PVCs, the packet and window sizes used when communicating across the
X.25 network are fixed (static) and are defined by the X.25 service provider (typ­ically packet size of 128 bytes and a window size of 2 packets).

36

For SVCs, some X.25 networks allow negotiation of the packet and window sizes
between the DTE and the DCE. The packet and window sizes used are arrived
upon using an algorithm defined by the X.25 standard. Parameter negotiations
can give more efficient data transfers but be aware that some X.25 network pro­viders charge extra for the negotiation services.

For SVCs across X.25 networks or subscriptions which do not allow negotiation,
the packet and window sizes are fixed (static) and are defined by the X.25 service
provider (typically 128 bytes, 2 packets).

Note The packet and window sizes are only used between a DTE and the

DCE. The packet and window size used at the remote DTE and DCE
can be different.

X.25 Services

X.25 Addressing

Encapsulation

Data packets for transmission over an X.25 link must be encapsulated. The Intel
Express 8100 Router supports the following encapsulation types:

Single-protocol Encapsulation of Datagrams

The Intel Express 8100 Router allows single-protocol encapsulation of IP or IPX
datagrams for transmission over an X.25 link as specified in RFC 1356. Single­protocol encapsulation of IP datagrams also conforms to RFC 877 which is an
older standard which only allows the encapsulation of IP datagrams.
When only IP or IPX packets are to be transmitted over an X.25 link, the single­protocol encapsulation modes reduce the transmission overheads.

Multiprotocol Encapsulation of Datagrams

The Intel Express 8100 Router allows multiprotocol encapsulation of datagrams
for transmission over an X.25 link as specified in RFC 1356. If both IP and IPX
are to be transmitted, multiprotocol transmission must be used. Multiprotocol en­capsulation must also be used if bridging is to be supported over the X.25 link.
For multiprotocol encapsulation:

■

IP packets are encapsulated according to RFC 1356 and are identified using
a Hex CC in the header
RFC 1356 also allows SNAP encapsulation of IP packets which is not sup­ported by the Intel Express 8100 Router.

■

IPX packets are SNAP 8137 encapsulated according to RFC 1356

X.25 Addressing

X.121

X.121 number format

X.25 uses CCITT recommendation X.121 “International Numbering Plan for
Public Data Networks” for addressing within international public data networks.
This recommendation specifies how data network addressing (numbering) can be
implemented along side existing international telephone networks.

An entire X.121 number (address) is known as an International Data Number and
consists of from 5 up to 14 digits. The International Data Number can comprise
the following:

Data Network Identification Code (DNIC)

This consists of 4 digits for international data network addressing. The first 3 dig­its are the Data Country Code (DCC) and identify a specific country. The fourth
digit is known as the network digit and is used to distinguish between different
data network providers (public or private) operating within the country.
Assignment of DCCs is the responsibility of the ITU (previously called the
CCITT). The network digit is assigned nationally.

37

X.25 Services

X.25 Addressing

Network Terminal Number (NTN)

Network addresses within a DNIC (a particular data network provider within a
particular country) are called Network Terminal Numbers (NTNs). NTNs iden­tify a DTE/DCE interface and are assigned by the data network provider. NTNs
can be of variable length up to 10 digits, depending on the network provider.

National Number (NN)

Where, for example, an integrated numbering scheme exists within a country and
different network providers are identified within the national numbering scheme,
National Numbers (NNs) can be used instead of Network Terminal Numbers
(NTNs). As National Numbers already identify a data network provider within
the country, the International Data Number therefore consists of the Data County
Code (DCC) plus the National Number (NN).
Therefore, a International Data Number = DNIC + NTN or DCC + NN.

Sub-addressing

Address checking

Destination address
check

Source address check

This can consist of any remaining digits of the 14 digit X.121 number, and in
some countries it can be used for sub-addressing within the International Data
Number, for addressing a number of devices/nodes located at a single Interna­tional Data Number. This can be used for example, for addressing different links
in the router.

To ensure a one-to-one relationship between end devices, a unique number is as­signed to each link across the PSDN. Incoming calls are only accepted if the local
and remote addresses match, as shown in the table below:

Addresses Must Match for a Call to be Accepted

Calling Device Receiving Device

Local Address Remote Address

Remote Address Local Address

The router only accepts an incoming call when the Remote Address matches

Local Address of an X.25 link in the router.

the

Local Address is not defined for an X.25 link, all incoming addresses are

If a
accepted by the link (the address check is not performed).

Source address checking adds security to the WAN link—the router only accepts
an incoming call when the source address matches the

Remote Address con-

figured for the X.25 link.

38

PPP Multilinks

Chapter 6

In this chapter

Introduction

Channel bundling

Master link

Slave links

Configuration overview

This chapter gives an introduction to PPP Multilinks in the Intel Express 8100
Router.

The ISDN Intel Express 8100 Routers implements PPP Multilink facilities which
allow multiple PPP links between two sites to be used as a single route. A PPP
Multilink allows links to be added dynamically (for bandwidth-on-demand) or
statically and has almost the combined bandwidth of the individual links.

Combining multiple links into a single route (link) is also sometimes known as
channel bundling.

The master link is the PPP Multilink between two sites and consists of the slave
links that make up the Multilink. The master link is the controlling link between
the two sites, and controls (for example) when the multilink is established or not,
data encryption over the link, peer authentication over the link using CHAP, and
so on.

Slave links are individual PPP links that are defined as part of the master link.
These links are ISDN links which correspond to ISDN B-channel links.

The following shows an example of how Multilink is set up in the router:

The ISDN port on the router must first be configured, the Multilink is configured
to combine ISDN slave links, and then the routing protocols (IP and Novell IPX)
and bridging are configured on top of the Multilink as required.

39

ISDN port

ISDN slave link ISDN slave link

PPP Multilink

IP Routing IPX Routing WAN Bridging

PPP Multilinks

Operating modes

The slave links that make a PPP Multilink can be used in two basic operating
modes:

Bandwidth-on-Demand (BOD) Mode

When a slave link of a PPP Multilink is used in Bandwidth-on-Demand mode,
the link is dynamically allocated when the data traffic volume requires its use,
and closed down when not required. This facility offers the most cost-effective
use of dial-up PPP links (including ISDN B-channels) where the cost of opera­tion depend on the time that the link is in use.
Bandwidth-on-Demand can only be done when a slave link is a dial-up
(switched) link such as ISDN B-channels. Leased line PPP links can only be stat­ically allocated, that is they are always available for use by the PPP Multilink.

Slave links

Dynamic slave links

PPP Multilink

Static slave link

1371

The criteria used to open and close Bandwidth-on-Demand links can be:

■

on the amount data awaiting transmission

■

on the amount of received data

■

both the amount of data awaiting transmission and the amount of received
data

Static mode

When a slave link of a PPP Multilink is used in Static mode, the link is always
available for use by the PPP Multilink.

40

Internet Tunnels

Chapter 7

Internet Tunnels

Internet Tunnels are not a direct link via a router port but are secure links estab­lished via the best IP route to an Internet Service Provider (ISP).

Internet
Service

Provider (ISP)

Internet
Service

Provider (ISP)

Internet

T

T

u

u

t

t

n

n

e

e

n

n

n

n

r

e

r

e

e

e

t

t

n

n

I

Link

to ISP

ExpressRouter8100

Status

LAN

WAN Link

WAN Switch

WAN Control

100 Mbps

Test Mode

I

l

l

ExpressRouter8100

Status

LAN

Link

to ISP

WAN Link

WAN Switch

WAN Control

100 Mbps

Test Mode

1625

Internet Tunnels are a cost effective solution to transferring data between remote
sites; IP and IPX routing and bridging are available over the tunnel as with a con­ventional WAN links.
The costs of operation of an Internet Tunnel can be very low when compared to
routing via other WAN link types an ISDN link, especially when transmitting
data over long distances. The throughput of the Internet Tunnel is dependent on
the Internet so can be quite slow at certain times of the day.

Note It is strongly recommended that you use the Setup Wizard in Intel

Device View for Windows to set up your first Internet Tunnel. If other
Internet Tunnels require configuring, use the tunnel configured by the
Setup Wizard as a guide.

41

Internet Tunnels

Internet Tunnel
considerations

The following considerations must be taken into account when setting up an In­ternet Tunnel:

IP Routing using RIP over the Internet Tunnel

When using IP RIP routing over an Internet Tunnel a static host route to the re­mote router via the link from the router to the Internet Service Provider must be
established.

If RIP routing is used without the static host route, the router tries to use the In­ternet Tunnel as the best route to the remote network. The static host route en­sures that the Internet Tunnel is established via the route to the ISP and that all
the data to the remote router is transferred through the Internet Tunnel.

Site Access Security

Access security must be considered when using Internet Tunnels. This can be
achieved using IP filtering to eliminate unauthorized traffic from the link.

Hiding your internal LAN address from the Internet

Dynamic Network Address Translation (NAT) offers the best solution for hiding
your internal LAN from the Internet. See “Network Address Translation

(NAT)”, p. 57.

Data Security using Encryption

The use of data encryption over Internet Tunnels is highly recommended. Private
data being transferred over the public Internet should always be encrypted for se­curity.

The protocol structure of
an Internet Tunnel

Note Data encryption is only available in certain models of the Intel

Express 8100 Router which are available in some countries.

Internet Tunnels have the following protocol stricture:

IP routing IPX routing Bridging

PPP

TCP

IP static host route

42

Internet Tunnels

IP routing services then use the best link to the remote IP network (the link via
the Internet Service Provider). For example, this could be an ISDN link, in which
case the full structure would be

IP routing IPX routing Bridging

PPP

TCP

IP static host route

PPP

ISDN port

Data security over X.25
links application of
Internet Tunnels

To allow data security over X.25 links, Internet Tunnels can be used on top of
them. this offers all the security features supported by PPP (data encryption,
CHAP and PAP) on the X.25 links.

Tunnels adding device

authentication and encryption

security to the X.25 links

Express8100Router

Status

Express Router

Express 8100Router

Express Router

X.25 network

(virtual circuits)

X.25 links

Express8100Router

Express Router

1630

To establish a tunnel over an X.25 link, the X.25 link is set up as normal, together
with an Internet Tunnel to the IP address of the remote router over the X.25 link.
Data security is configured on the tunnel as required. A single static route is then

43

Internet Tunnels

configured on the X.25 link to the IP address of the remote router (see “Static

Routes”, p. 68). Routing and bridging for data over the link are then configured

on the Internet Tunnel.

X.25 port (WAN port configured for X.25)

X.25 link (PVC or SVC) - Up to 2 links -

Static IP route to the IP address of the router over the

X.25 link

Internet Tunnel

IP Routing IPX Routing WAN Bridging

44

Part II

IP, Novell IPX and Bridging Services

IP Routing

Chapter 8

In this chapter

IP Concept

Concept description

Background
knowledge

References

Address assignment

This chapter describes IP Routing services based upon the Routing Information
Protocol (RIP—both RIP-1 and RIP-2 are supported), and using static routes im­plemented in the Intel Express 8100 Router.

In an IP environment, any station connected to an IP network is referred to as a
host. IP Routing is based upon RIP (Routing Information Protocol). When IP
packets are routed, they are routed from a source host to a destination network
without knowing if the destination address exists on the destination network.

It is assumed that you are familiar with the terminology and the protocols used in
IP environments.

See the Preface for a list of Requests for Comments (RFCs) concerning IP rout­ing.

An IP address consists of a network part and a host part. The network part of the
IP address must be globally unique and are assigned by InterNIC (International
Network Information Center). However, addresses are often provided by the net­work provider. For more information about the InterNIC project consult the RFC

1594.

The host part of an IP address is the responsibility of the network manager.

Private networks

BootP broadcasts only

47

In private networks, where connections to other IP networks are not desired, lo­cally assigned network addresses can be used.

In the current IP Routing implementation in the Intel Express 8100 Routers the
only broadcast packets forwarded are BootP broadcasts.

IP Routing

IP Concept

Frame types and type
codes

IP Frame types are described in Appendix D “IP Frame Formats”, p. 126. The
following Ethernet type codes are used in IP environment, also see Appendix C

“Ethernet Type Codes”, p. 121:

Type field Description

0800 DOD Internet Protocol (IP)
0806 Address Resolution Protocol

IP Addresses Structure

Address notation

Network numbers

IP addresses are 32-bit numbers. The most common notation for IP addresses di­vides the 32-bit address into four 8-bit fields and specifies the value of each field
as a decimal number (from
ber field is separated by a period (for example 14.0.65.3). This is called the dotted
decimal notation.

The 32-bit address field consists of a network and a local host part. They are di­vided into different address classes which differ in the number of bits allocated
to the network part and the hosts part (local address) of the address. The value of
the first octet in the IP address defines the address class (classes A, B, C, D).

0 to 255, each representing an 8-bit octet). Each num-

Class A address

Class B address

The class A address comprises a 7-bit network number and a 24-bit local address.
The highest order bit is set to

1234

0. This allows 126 class A networks.

76543210765432107654321076543210
0 Network Local Address

The class B address comprises a 14-bit network number and a 16-bit local ad­dress. The two highest-order bits are set to

1 0. This allows 16,256 class B net-

works.

1234

76543210765432107654321076543210
10 Network Local Address

48

IP Routing

IP Concept

Class C address

Class D address

Addresses available

The class C address comprises a 21-bit network number and a 8-bit local address.
The three highest-order bits are set to

1 1 0. This allows 2,072,640 class C net-

works.

1234

76543210765432107654321076543210
1 1 0 Network Local Address

The class D address is used as a multicast address. The four highest-order bits are

1 1 1 0.

set to

1234

76543210765432107654321076543210
1 1 1 0 Multicast Address

Note No addresses are allowed which have the four highest-order bits set to

1 1 1 1 (also known as class E address).

The following IP addresses are available for the different IP address classes:

Note n = network part of the address,

h = host part of the address.

IP Subnets

Why subnetting?

What is subnetting?

Class Address Range available Notation

A 1.0.0.0 through 126.0.0.0 n.h.h.h

B 128.0.0.0 through 191.254.0.0 n.n.h.h
C 192.0.0.0 through 223.255.254.0 n.n.n.h

D 224.0.0.0 through 239.255.255.255 for multicasts. n.n.n.n

E 240.0.0.0 through 247.255.255.255 reserved. n.n.n.n

The one-level network addressing scheme and the limited number of IP address­es impose limitations on network complexity. Therefore subnetting has been in­troduced.

Subnetting is the process of dividing an IP network with a single IP address into
two or more smaller IP networks (subnetworks). This involves dividing the host
part of the IP address into a subnet number and a host number.

49

IP Routing

IP Concept

Characteristics

How to create
subnets

Subnet masks

An IP subnet functions as an independent network. To a remote network it ap­pears to be a single discrete network.

To create a subnet you must impose a hierarchy on host addresses which allows
for multiple subnets to exist within a single class A, B or C network. It is the high
order bits of the hosts part that specify the subnet. Derive the IP network by
ANDing the IP address with the subnet mask:

1234

76543210765432107654321076543210
Class B address (subnet mask 255.255.0.0)
Network part Local host part
Class B subnet (subnet mask for example 255.255.192.0)
Network part Local host part

An example of the network part looks like this:
Decimal Notation:

16.1.0.1 AND 255.255.192.0 = 16.1.0.0

Hexadecimal Notation: 0x10010001 AND 0xffffc000 = 0x10010000

A subnet mask specifies which part of the host’s address is used to define the sub­net. It is a 32-bit IP address written in dotted-decimal notation with all ones (bi­nary) in the network and subnet part of the IP address.

Note When a subnet mask is used on an IP address, the resulting host part of

the address must not end in zero or 255.

50

IP Routing

IP Concept

Structure of a subnet
mask

Example

The following table shows the structure of a subnet mask, where the field con­taining a 1 is the subnet part and the field containing a 0 is the local hosts part of
the address:

Address (bit no.) Subnet Mask

7 6 5 4 3 2 1 0 hexadecimal decimal

00000000 0 0
10000000 80 128
11000000 C0 192
11100000 E0 224
11110000 F0 240
11111000 F8 248
11111100 FC 252
11111110 FE 254
11111111 FF 255

An example looks like this:

Class C address 193.88.251.1
Class C network 193.88.251.
Class C host .1
Divide the network by two more bits, that is set the subnet mask to

255.255.255.192 to obtain 4 subnetworks:
Subnetworks 193.88.251.0 available for hosts 1 to 62

Address Resolution

Address resolution

Address resolution with
ARP

The process of determining the MAC address (48-bit) from an IP address (32-bit)
is called Address Resolution (AR).

The Address Resolution Protocol (ARP) is used for address resolution of hosts
which have not previously been communicated with (for example, hosts which
have just been switched on and added to the network). When the Intel Express
8100 Router receives an IP data packet which has to be transmitted to a local un-

193.88.251.64 available for hosts: 65 to 126

193.88.251.128 available for hosts: 129 to 190

193.88.251.192 available for hosts: 193 to 254

51

IP Routing

IP Concept

known host, it broadcasts an ARP request packet to all local hosts. Only an active
hosts with the specified IP address reply with an ARP reply packet that contains
its MAC address. The packet exchange with this host is then initiated.

Address resolution with
Proxy ARP

Proxy ARP is used for address resolution of remote hosts situated on another net­work that a local host wants to communicate with. When an ARP request is re­ceived from a remote host, the router having the best route to it sends an ARP
reply packet with its own MAC address to the originator. The ARP request orig­inator then sends its packet to that particular router to initiate the packet transmis­sion to the destination host. Proxy ARP is used if the network contains any hosts
that do not allow the configuration of a primary router.

Internet Control Messages

Introduction

ICMP protocol

Ping function

To control and manage IP connections, the following tools are available:

■

ICMP (Internet Control Message Protocol)

■

PING function (IP Packet InterNet Groper function)

The ICMP (Internet Control Message Protocol) is a protocol that focuses on con­trol and management of IP connections. ICMP messages are generated by routers
detecting a problem within the IP part of the packet header. A router may alert
other routers or inform source/destination hosts using ICMP messages.

The IP Packet InterNet Groper Function (PING) initiates the transmission of
ICMP Echo messages by the router. The PING function can be initiated from In­tel Device View for Windows.

How ICMP and PING
work

A router that receives an ICMP Echo message which was initiated by the PING
function sends an ICMP Echo Reply message to the ICMP Echo message source.

IP Filters—Firewall Protection

Filtering in the Intel
Express 8100 Router

52

The Intel Express 8100 Router implements comprehensive IP filters to restrict
access between networks (firewall protection) and to reduce unnecessary inter­network data traffic to save bandwidth.

Note A good knowledge of IP, the IP protocols (TCP, ICMP and UDP) and

the use of TCP and UDP ports is required before IP filtering can be set
up effectively.

IP Routing

IP Concept

IP packets filtered

Transmit and receive
filters

IP traffic to and from the router can consist of packets being forwarded (routed)
via the LAN and WANs and IP packets to the router itself (RIP, TELNET, SN­MP, TFTP, and so on). Both of these kinds of IP packets can be discarded by the
filters.

Note In order for the router to operate correctly, the necessary packets must

be allowed to pass by the filters.

Filters are defined on a link basis, and separate filters are implemented for trans­mitting (for restricting IP packets leaving the router on a particular link), and re­ceiving (for restricting IP packets entering the router from a particular link).

The above diagram shows how packets are processed by the Receive and Trans­mit filters implemented for different links.

Note Filters must be defined as strictly as possible to eliminate unauthorized

access to services, hosts and networks.

53

IP Routing

IP Concept

Filter criteria

References for Firewall
Protection

Each filter in the Intel Express 8100 Router can be setup to pass or discard IP
packets based on the following criteria:

IP Protocol

A filter can process packets based on all IP protocols, User Data Protocol (UDP),
Transmission Control Protocol (TCP). Filtering can also be based on all TCP
flags or just with the acknowledge (ACK) flag set, Internet Control Message Pro­tocol (ICMP) or another protocol defined by the protocol number.

Source Address

To filter packets entering the router via the link from a specific host or network.

Source Port

To filter packets originating from a single port (for example FTP data, TELNET,
SMTP), from a range of ports or all ports.

Destination Address

A filter can process packets addressed to a host address or a network address.

Destination Port

A filter can process packets addressed to a single port (for example FTP control,
TFTP, SNMP), a range of ports or all ports.

Up to 50 IP filters can be defined for all the IP links.

Defining filters for firewall protection to ensure unauthorized access to services,
networks and hosts can be very complex. Two very good books on the subject
are:

Filtering process

■

Building Internet Firewalls
D. Brent Chapman and Elizabeth D. Zwickey

■

Firewalls and Internet Security
Bill Cheswick and Steve Bellowin

The Intel Express 8100 Router can contain a list of filters for each link for both
transmitting and receiving data via the link. These filters are used to filter IP
packets as follows:

1. When enabled, outgoing IP packets on the link are checked against the Tx
filters sequentially (using the first filter defined, then the second, and so on).
Similarly, incoming IP packets from a link are checked against the Rx Fil­ters.

2. If a filter is found where all the filter criteria match those of the packet, it is
used to pass or discard the packet as setup for the filter. The rest of the filters
are then ignored.

54

IP Routing

IP Concept

3. If no filter entry is found where all the filter criteria match those of the
packet, the default filter action is used to either pass or discard the packet.

Logging filtered packets

IP Filter Example

IP Packet

Filter

1

Pass/
discard

Filter

2

Pass

Pass/
discard

discard

Filter

3

Pass/
discard

Filter

N

Pass/
discard

Default

Action

Pass/
discard

1231

The router allows filtered packets to be logged. This facility can be configured
for both packets filtered by filter entries and packets filtered by the default filter
action. This is a useful tool for troubleshooting the filters to ensure that they are
operating as expected, and for detecting hits on the filters in case of an attack
from an unauthorized source.

Note Logging reduces the performance of the router slightly and should

therefore only be enabled when required—when troubleshooting or
when an attack is suspected.

For packets which are logged, the packet details are recorded in the System Log
for the router which cabn be displayed for Intel Device View for Windows. The
details logged are the source and destination address and port and the IP protocol.

Filter requirement

Host 1 on LAN 1 must have TELNET access to remote Host 2 on LAN 2 (but
Host 2 must not be able to establish a TELNET session onto Host 1).

LAN 1 LAN2

Host 1

LAN WAN1 WAN2 System

Router 1

Leased line

IntelExpressRouter 9200

®

WAN 1 WAN 2

LAN WAN1 WAN2 System

Router 2

IntelExpressRouter 9200

®

Host 2

Telnet Server

1474

55

IP Routing

IP Concept

IP traffic

Filters Required

The TCP/IP traffic to establish a TELNET session from Host 1 to Host 2 is:

Direction Flags

1 > 2 ACK

= 0

2 > 1 ACK

= 1

Source
Add.

Source
Port

Dest.

Host 1 X Host 2 23 TELNET request

Host 2 23 Host 1 X TELNET response

Dest.
Port

Comments

from Host 1 to Host 2.

from Host 1 to Host
2—connect to Port X
(where X > 1023).

1 > 2 ACK

Host 1 X Host 2 23 TELNET command.

= 1

Filters are required in Intel Express 8100 Router 1 to protect LAN 1 from unau­thorized access and so that only Host 1 is allowed to establish a TELNET session
onto Host 2.

The filters required are as follows:

Rx Filter on WAN 1 of Intel Express 8100 Router 1

This filter only allows TCP access from the WAN link from Host 2 to Host 1,
with the ACK flag set (session established), a TELNET Server source port and a
destination port of greater than 1023 (unassigned ports used by TELNET Client).

Parameter Setting

Default Filter Action

Discard

(on Advanced screen)
Action (Filter action) Pass
Protocol TCP
TCP Flags ACK
Src. Address Type Host
Src. Address Host 2’s IP address
Src. Port TELNET
Src. Port Operator ==
Dest. Address Type Host
Dest. Address Host 1’s IP address
Dest. Port Other
Dest. Port Value 1023
Dest. Port Operator >

56

IP Routing

IP Concept

Tx Filter on WAN 1 of Intel Express 8100 Router 1

This filter only allows TCP access to the WAN link from Host 1 to Host 2, with
a source port of greater than 1023 (unassigned ports used by TELNET Client)
and a TELNET Server destination port.

Parameter Setting

Default Filter Action

Discard

(on Advanced screen)
Action (Filter action) Pass
Protocol TCP
TCP Flags All
Src. Address Type Host
Src. Address Host 1’s IP address
Src. Port All
Src Port Value 1023
Src. Port Operator >
Dest. Address Type Host
Dest. Address Host 2’s IP address
Dest. Port TELNET
Dest. Port Operator ==

Note RIP updates are also filtered out by these filters, so dynamic routing

(using RIP) cannot function. This can be overcome by defining addi­tional filters to allow RIP updates to pass. Alternatively, a static route to
LAN 2 can be established in Router 1 and a static route to LAN 1 can
be established in Router 2.

Network Address Translation (NAT)

Introduction to NAT

Network Address Translation (NAT) can be used to translate local (internal) IP
network addresses to remote (external) IP addresses used by devices outside the
internal network. For example, this can be done to connect a site which uses an
unreserved network address to a site which requires a reserved network address
assigned by InterNIC (see “Address assignment”, p. 47), such as the Internet.
NAT can also be used for connecting multiple sites which use the same IP net­work address.

57

IP Routing

IP Concept

Mapping methods

How NAT works

NAT can use one of the following mapping methods:

Static Mapping

Static Mapping can be used to translate an internal network to an equal sized ex­ternal network (for example a class B network to a class B network). Static Map­ping, can also be used to translate individual internal IP addresses to external IP
addresses.
Static Mapping is described in “Static Mapping”, p. 60.

Dynamic Mapping

Dynamic Mapping can be used to translate between IP networks of different siz­es, that is, a large internal network can be translated to smaller external network
or vice versa (for example a class B internal network could be translated to class
C external network addresses).
Dynamic Mapping is described in “Dynamic Mapping”, p. 60.

NAT uses a Network Address Translation table which contains internal and cor­responding external IP addresses. Each entry in the table can be either a network
address, a subnet address or an individual IP address.
For packets from the router, addresses matching entries in the internal list are
translated to the associated external addresses. For packets from the remote rout­er, addresses matching entries in the external list are translated to the associated
internal addresses.

Note The internal and external addresses are NOT source and destination IP

addresses, but are addresses which are translated if they pass through
the router.

When an IP packet is translated by NAT, both the source and destination IP ad­dresses can be translated by different entries in the table, as shown in the follow­ing diagram.

IP packet from internal net

Source

C

Destination

C

A

A

Internal

Address

A
C

External
Address

B
D

D

D

Destination

IP packet from remote network

Source

B

B

1351

For packets from the internal network, address A for either the source or destina­tion IP address is translated to address B, and address C is translated to address D.
For packets from the external network, address B for either the source or desti­nation address is translated to address A, and IP address D is translated to address
C.

58

IP Routing

IP Concept

NAT and routing

NAT on the LAN link

NAT and IP filtering

NAT and RIP updates

For IP packets transmitted from the router, the packet is first routed to the appro­priate LAN or WAN link using the destination address included in the packet
from the source then translated using the NAT table for that link.

For packets from the external network, the IP addresses are translated as they en­ter the router. If they are then transmitted on another link on which NAT is en­abled, the packet is first routed to the appropriate LAN or WAN link using the
destination address (which may already have been translated) then translated
again using the NAT table for the outgoing link.

It is possible to define NAT translation tables for the LAN link but it may be con­fusing to think of the LAN as an external network. NAT on the LAN link works
in exactly the same way as for the WAN links.

When NAT is used in conjunction with IP filtering, for IP packets received by
the router, the packet addresses are first translated by NAT then the packets are
filtered by the IP Rx filters. For IP packets transmitted from the router, the pack­ets are first filtered by the IP Tx filters then the packet addresses are translated
by NAT.

When NAT is used on a link, RIP updates received or sent via the link are dis­carded if they do not match a translation entry in the NAT table. To pass all un­matched RIP updates instead of discarding them, a static entry can be defined
with internal and external IP addresses of

0.0.0.0.

0.0.0.0 and a network mask of

59

Static Mapping

IP Routing

IP Concept

Static Mapping of
network addresses

When using Static Mapping of network addresses, addresses are simply convert­ed by translating the network part of the IP address between the internal and ex­ternal address. The host part of the address remains the same, for example, an
internal class B network address 10.10.4.8 (where 10.10 is the network part of
the address) could be translated to the external class B network address 177.4.4.8.

Router 1
using NAT
with Static

Class B

network

10.10.0.0

Class B
network

Mapping

Internal

IP Address

10.10.2.3

10.10.7.4

10.10.3.9

10.10.6.1

10.10.17.4

10.10.2.1

10.10.28.3

Router 1
using NAT
with Static

Mapping

IntelExpressRouter9200

®

LANWAN1WAN2System

External

IP Address

177.4.2.3

177.4.7.4

177.4.3.9

177.4.6.1

177.4.17.4

177.4.2.1

177.4.28.3

IntelExpressRouter9200

®

LANWAN1WAN2System

Router 2

IntelExpressRouter9200

LANWAN1WAN2System

®

Static NAT for individual
IP addresses

Dynamic Mapping

Dynamic Mapping

177.4.0.0

1473

The above diagram gives an example of Static Mapping between two class B net­work addresses. The internal network address is 10.2.0.0 and the external net­work address is 177.4.0.0. Only the network part of the address is translated.

Entries can be made in the NAT table for individual IP addresses. Internal ad­dresses are simply converted to the corresponding external addresses.
This can be used when Dynamic Mapping is being used, to make internal net­work devices accessible to the external network.

When using Dynamic Mapping, more addresses can be available to either the in­ternal network or the external network. For example, if the internal network is
class B and the external network address is class C, the internal network can have
up to 65,536 network addresses while the external network address only offers

60

IP Routing

IP Concept

up to 256 addresses. In this case, the entire internal address (network and host
part) must be translated to an assigned external address. External addresses are
therefore assigned sequentially as they are required.

Note When using Dynamic Mapping, only internal networks can initiate

communications with external devices. External devices do not know
the address of the internal device until it has been informed of it by a
packet from the device. For this reason, static links must be established
to internal network devices which you wish to make accessible to the
external network.

Up to 65,536

Class B
network

10.2.0.0

addresses

1
2
3
4
5
6
7

Router 1

using NAT

with Dynamic

Mapping

Internal

IP Address

10.2.4.7

10.2.3.1

10.2.8.2

10.2.4.5

10.2.1.3

10.2.4.2

10.2.4.1

IntelExpressRouter 9400

LANPRI

Line

System

ISDN

Quality

External

IP Address

Assigned

177.4.5.1

177.4.5.2

177.4.5.3

177.4.5.4

177.4.5.5

177.4.5.6

177.4.5.7

Communications
between internal and
external addresses
using Dynamic Mapping

Up to 256

addresses

Router 1

using NAT

with Dynamic
Class C
network

177.4.5.0

Mapping

LANPRI

Line

System

ISDN

Quality

IntelExpressRouter 9400

Router 2

LANPRI

Line

System

ISDN

Quality

IntelExpressRouter 9400

1505

The above diagram gives an example using Dynamic Mapping between an inter­nal class B network (address 10.2.0.0) and an external class C network address
(address 177.4.5.0). The full IP address is translated and the internal host ad­dresses are assigned external IP addresses sequentially when they initiate com­munications over the IP link.

When using Dynamic Mapping, only internal devices can initiate communica­tions with external devices. Internal addresses are unknown to the external net­work and a translation address is assigned dynamically whenever an internal
device initiates communications with an external device. Following the initial
communication, external addresses can then communicate with the translated ad­dress for as long as it remains in the NAT table. Internal addresses remain in the
NAT table for at least 1 hour following the last communication—that is, the timer

61

IP Routing

IP Concept

is restarted following every communication. After 1 hour, the address can be re­used for another address translation if required but remains available until it is
reused for another translation.

Static Mapping to
internal addresses for
Dynamic Mapping

Examples of Use

Simple address
translation

When using Dynamic Mapping, only internal devices can initiate communica­tions with external devices. To make specific internal addresses permanently ac­cessible to the external network, Static Mapping to these addresses can be
established. Static Mapping assign a fixed translation address to an internal de­vice address so that communications can also be initiated to the device from the
external network.

A common application of NAT is simple address translation between internal
and external network addresses. This may be done, for example, to avoid renum­bering an entire network which is using an unreserved network number, to be
connected to network which requires reserved network numbers (for example the
internet) assigned by InterNIC (see “Address assignment”, p. 47).

Address translations between networks of the same size is described in “Static

Mapping”, p. 60. Address translations between networks of different size is de-

scribed in “Dynamic Mapping”, p. 60.

62

IP Routing

IP Concept

NAT between networks
with the same network
number

When using NAT, it is possible to have a number of networks which use the same
network number. In this case, an artificial network number must be created to
which packets are addressed. Two entries must be made in the NAT table to con­vert both the source and destination IP address fields of packets transmitted be­tween the two networks (see the following example).

10.0.0.0 10.0.0.0

10.0.0.1

Destination

Source

10.0.0.1

11.0.0.5

Source

Router

1

Destination

11.0.0.5

Internal

Address

10.0.0.1

11.0.0.5

NAT

External
Address

11.0.0.1

10.0.0.5

11.0.0.1

Destination

Router

2

Source

11.0.0.1

10.0.0.5

Source

Destination

10.0.0.5

Translation table entries

For the above example, the entries required in the NAT table are:

■

Entry 1

- Mapping: Static

- Internal Address: 10.0.0.0

- Internal Mask: 255.0.0.0

- External Address: 11.0.0.0

■

Entry 2

- Mapping: Static

- Internal Address: 11.0.0.0

- Internal Mask: 255.0.0.0

- External Address: 10.0.0.0

1352

63

Routing Information Protocol (RIP)

IP Routing

Routing Information Protocol (RIP)

Definition: RIP

RIP-1 and RIP-2

RIP based routing

RIP-1 and RIP-2
standards

Important differences
between RIP-1 and RIP­2

Routing information is exchanged by the Routing Information Protocol (RIP),
which is an Interior Gateway Protocol (IGP) based on a “Distance Vector Algo­rithm”. RIP uses the User Datagram Protocol (UDP) to exchange routing infor­mation.

Routers inform each other about present available paths (router links to other net­works) by RIP updates. These are sent periodically (each 30 seconds) or trig­gered by topology changes. Each router finds the best path to any known remote
network. If a router does not receive an update from an adjacent router for 180
seconds or more, it marks the routes served by the adjacent router as unusable.

The Intel Express 8100 Router supports both RIP-1 and RIP-2. RIP-1 is the orig­inal standard as defined by RFC 1058. RIP-2 is an update of RIP-1 and is defined
by RFC 1723. RIP-1 and RIP-2 must be considered as separate protocols.

The most important differences between RIP-1 and RIP-2 are summarized as fol­lows:

RIP-1 RIP-2

Network addresses must belong to
IP address class A, B or C. Supernet­ting is not allowed and subnetting is
only allowed if the same subnet
mask is used throughout the net­work.

Routing updates do not contain sub­net masks.

Network addresses are classless—vari­able length network masks can be used
allowing supernetting and subnetting.

Routing updates contain subnet masks.

64

RIP-1 RIP-2

R

Rout

IP Routing

Routing Information Protocol (RIP)

RIP and RIP-2 in the
network environment

Routing updates are sent as broad­casts—most network devices listen
to them.

Subnet hiding is only done when
sending routing updates on num­bered links—subnetworks are sum-

Routing updates are sent as multicasts
and many network devices do not lis­ten to them.

No subnet hiding is done. This results
in larger routing tables as all subnet­works are listed.

marized by routers.
Routing updates are not authenti-

cated.

Routing updates are authenticated—
password protection can be set up to
ensure that a routing update cannot be
passed to a router from an unautho­rized source.

Only one of the RIP versions should be used within a region. That is, a subnet­work can be configured to use either RIP-1 or RIP-2 but should not try to use
both. The version of RIP in use should not be allowed on the subnetwork as it
could cause conflicts. This means that all router links within the same subnet
must be configured to use the same RIP version.

Note Different links on a router can use different RIP versions. In this case,

the router performs conversion between the two RIP versions.

outer

IntelExpressRouter9200

®

LAN WAN1 WAN2 System

RIP-1 RIP-1

er

IntelExpressRouter9200

®

LAN WAN1 WAN2 System

RIP-2 not allowed Subnet1

RIP-1

Router performs conversion

IntelExpressRouter9200

Router

RIP-2

RIP-2

RIP-2 RIP-2

IntelExpressRouter9200

®

LAN WAN1 WAN2 System

Router

Router

LAN WAN1 WAN2 System

Router

IntelExpressRouter9200

RIP-2

®

®

LAN WAN1 WAN2 System

LAN WAN1 WAN2 System

between RIP-1 and RIP-2

IntelExpressRouter9200

®

using RIP-1

Subnet 2
using RIP-2

1471

65

IP Routing

Sub

Sub

Routing Information Protocol (RIP)

RIP implementation in
the Intel Express 8100
Router

RIP Metrics

RIP metric

Example of the correct
use of metrics

RIP-1 or RIP-2 is selected on an IP-link basis within the Intel Express 8100 Rout­er during configuration. That is, RIP-1 or RIP-2 is selected for each router link
configured for IP routing services during configuration.

Each router link has an associated RIP metric that may be set between the values
1 and 15. For LAN links the RIP metric is usually set to 1, for WAN links to a
higher value but 1. Each RIP route has an associated metric value. A metric value
higher than 15 means that the network is unreachable. The metric range limits the
maximum diameter of the network.

The following illustration shows the correct use of metrics for route calculations.
When calculating the best route using the metrics, data transmitted from Subnet
1 to Subnet 2 is transmitted over the 2 Mbps links, as the combined metric value
path via the 2 Mbps links (metric = 1 for each link) is smaller than the metric val­ue for path via the 64 kbps link (metric = 4).

Subnet 1

LAN WAN1 WAN2System

2MB

M:1

IntelExpressRouter9200

net 1

64 K

®

M:4

IntelExpressRouter9200

LAN WAN1 WAN2System

IntelExpressRouter9200

®

LAN WAN1 WAN2System

2MB

M:1

®

Subnet 2

2MB

M:1

LAN WAN1 WAN2System

LAN WAN1 WAN2System

IntelExpressRouter9200

IntelExpressRouter9200

®

®

64 K

M:4

2MB

M:1

net 2

LAN WAN1 WAN2System

LAN WAN1 WAN2System

IntelExpressRouter9200

2MB

M:1

IntelExpressRouter9200

®

®

Example of metrics used
incorrectly

1497

If the any of the 2 Mbps links are down, the 64 kbps link is used.

The following example indicates how an inappropriate use of metrics may result
in ineffective use of the available bandwidth. Here, data from Subnet 1 to Subnet
2 is transmitted across a 64 kbps link with metrics set to 3 while two (three) 2
Mbps links are available with their metrics set to 2:

Subnet 1

64 K

IntelExpressRouter9200

M:2

®

LAN WAN1 WAN2S ystem

M:3

LAN WAN1 WAN2S ystem

IntelExpressRouter9200

Subnet 1

2MB

In this example, if the 64 kbps link is down, then the 2 Mbps links are used.

IntelExpressRouter9200

®

LAN WAN1 WAN2S ystem

2MB

M:2

®

Subnet 2

2MB

M:2

LAN WAN1 WAN2S ystem

LAN WAN1 WAN2S ystem

IntelExpressRouter9200

IntelExpressRouter9200

®

®

64 K

M:3

2MB

M:2

Subnet 2

LAN WAN1 WAN2S ystem

2MB

LAN WAN1 WAN2S ystem

IntelExpressRouter9200

M:2

IntelExpressRouter9200

1492

®

®

66

Triggered RIP

IP Routing

Routing Information Protocol (RIP)

Introduction

Triggered RIP

Multiple paths for
triggered RIP

RIP updates over WAN links should be minimized in order to minimize the cost
of operation and maximize the available bandwidth for data communications.
RIP updates can be an additional problem over dial-up (switched) WAN links as
the link can often be brought up just to exchange routing information; the cost of
operation can therefore be excessive.

Standard RIP updates are transmitted between routers at regular intervals (30
seconds) and whenever a network topology change is detected. Triggered RIP
exchange routing information between routers whenever a WAN link is first
brought up to ensure that the routing information tables are synchronized. After
this initial synchronization, triggered RIP only exchanges routing information
when a network topology change is detected. Triggered RIP therefore minimizes
the use of WAN links for the exchange of routing information.

For devices using standard RIP only one path between networks is maintained in
the routing table. If two paths to the same network are found by a device, the path
with the lowest metric is stored or one of the paths is chosen if they have the same
metric. When a device is using triggered RIP, all paths between networks are
stored and secondary paths can be used if the primary path should fail. This is
shown in the following example:

#1 #2

Router 2

(triggered

RIP)

IntelExpressRouter 9200

®

LAN WAN1 WAN2 System

Router 3

(triggered

RIP)

LAN WAN1 WAN2 System

IntelExpressRouter 9200

®

Router 1

(triggered

RIP)

LAN WAN1 WAN2 System

IntelExpressRouter 9200

Link 1

(failed)

Metric 1

®

Link 2

Metric 2

In the above diagram, router 1 must know both the paths to network 2. Otherwise,
if Link 1 should fail, the router does not know about the path via link 2.

1350

67

Static Routes

IP Routing

Static Routes

Definition

Purpose

IP RIP routing over PPP
Tunnels

A static route is a permanent entry in the routing table.

The purpose of setting a static route is to create a permanent route to an IP net­work or host. This can be done for the following reasons:

■

to eliminate Routing Information Protocol (RIP) overheads from a link
Eliminating RIP overheads from a link maximizes the available bandwidth
for data transfers. This can be particularly useful for slow WAN links which
could be swamped by the RIP updates. Using static routing to eliminate RIP
is only practical for connecting to a few remote networks.

■

to establish routes to IP networks and hosts which would not otherwise be
reachable using RIP

Two examples of where a static route must be established in order to reach
destinations are given following.

When using IP RIP routing over a PPP Tunnel a static host route to the IP address
of the remote router must be established or the tunnel will not be stable.

68

IP Routing

Static Routes

Remote boot provider

Characteristics

If a remote device (a device connected via a WAN link) is being booted via the
router, a static route must be assigned to the network of the device being booted.

Subnet 1

IntelExpressRouter 9200

®

LAN WAN1 WAN2System

Router

being booted
Static
Route

Express
Router

IntelExpressRouter 9200

®

LAN WAN1 WAN2System

Subnet 2

Boot
Server

1470

A static route is announced to other routers using RIP. A static route is floating
so if another route with lower metric to the destination network is available, the
route with the lowest metrics is taken.

Static routes and
the RIP metrics

The metric used for static routes is assigned a default value by the router which
can be redefined in the configuration program (valid input is from 1 to 15).

69

Static Routes Example

IP Routing

Static Routes

Goal and situation

A connection of subnet 2 and subnet 3 to the internetworks 17.0.0.0, 75.0.0.0 and

126.0.0.0 is desired. Only router X is connected to these internetworks. However,
no connection to the internetworks 17.0.0.0, 75.0.0.0 and 126.0.0.0 via router X
is possible at this point as router X does not run RIP.

Internetworks

126.0.0.0

17.0.0.0

75.0.0.0

Router X

IntelExpressRouter 9200

®

LAN WAN1 WAN2 System

IntelExpressRouter 9200

®

LAN WAN1 WAN2 System

Router 1

Router 2

(89.0.1.3)

Subnet 1

IntelExpressRouter 9200

®

LAN WAN1 WAN2 System

Solution

IntelExpressRouter 9200

®

LAN WAN1 WAN2 System

Router 3

Router 4

IntelExpressRouter 9200

®

LAN WAN1 WAN2 System

Host

Subnet 2

PC

Subnet 3

PC

1469

To establish a connection to the internetworks 17.0.0.0, 75.0.0.0 and 126.0.0.0
for subnets 2 and 3, a static route to the nets 17.0.0.0, 75.0.0.0, 126.0.0.0 via
Router X must be created for both routers 1 and 2. Routers 1 and 2 then announce
these static routes via RIP, meaning that the route to the internetworks 17.0.0.0,

75.0.0.0 and 126.0.0.0 is known by Routers 3 and 4 which make the internet­works reachable from subnets 2 and 3.

70

Novell IPX Routing

Chapter 9

In this chapter

This chapter describes Novell IPX/SPX Routing services in the Intel Express
8100 Router.

Novell Routing Concept

Concept description

Background knowledge

References

Novell protocol overview

Novell IPX routing is based upon a Routing Information Protocol (RIP) and Ser­vice Advertising Protocol (SAP).

Note Note that Novell IPX RIP is not the same as TCP/IP RIP.

Novell IPX calculates the best route to a destination based upon routing time de­lays associated with the links and with the number of hops (intermediate routers)
taken to reach a network.

It is assumed that you have a basic knowledge of IPX and the addressing system
used in Novell IPX.

For further information on IPX, see Novell’s “IPX Router Specification” Part
Number: 107-000029-001.

The following illustration provides an overview of Novell protocols:

Transmission

71

Data

SAPRIP

IPX

0613

Novell IPX Routing

Novell Routing Concept

A short description of these protocols is given here:

Protocol Description

IPX The Internetwork Packet eXchange protocol is based on a net-

work layer datagram without delivery guarantee. This protocol is
used by all the protocols described above.

RIP The Routing Information Protocol is used to gain access to

remote networks and to exchange routing topology information.

SAP The Service Advertising Protocol (SAP) is Novell’s implementa-

tion of name-service. All services (for example, file servers,
printer servers and gateways) announce themselves in periods of
one minute.

Data

For example NCP, SPX or NetBIOS.
Transmis­sion.

Internetworking Packet Exchange (IPX)

Frame Types

Introduction

To change the frame type

Novell supports different types of Ethernet frames. The frame type supported de­pends on the default value of the specific Novell driver.

The different frame type supported by Novell IPX are described in Appendix E

“Novell IPX Frame Formats”, p. 127.

The frame type supported by your PCs can be changed using a program delivered
together with the operating system for your NetWare server. These programs al­low you to configure Ethernet IEEE 802.3, Ethernet IEEE 802.2, Ethernet SNAP
and Ethernet II frames. The program available depends on the version of the
Novell operating system.

Novell Addressing

Address notation

The Novell IPX hexadecimal address notation consists of a 4-byte network num­ber, followed by the 6 byte node-ID (MAC address) and a 2-byte socket number,
for example
work number,

00000001:000080123403:0451, where 00000001 is the net-

000080123403 the node ID and 0451 the socket number.

72

Novell IPX Routing

Novell Routing Concept

Network number
assignment

Sockets reserved by
Novell

A globally unique network number must be assigned to each network connection
of a NetWare* server. Servers and router links attached to the same physical net­work must be configured with the same network number. To simplify network
management, only servers and routers must be configured with a network num­ber, as workstations automatically get their network number assigned by the
server (connection to local server) or router (connection to remote server).

Each service reserved is allocated to a specific socket number. The following
sockets are reserved by Novell:

Socket Numbers Description

File Servers

451h NetWare Core Protocol (NCP) Process

Routers

452h Service Advertising Protocol (SAP) Process
453h Routing Information Protocol (RIP) Process

Workstations

455h Novell NetBIOS Process
456h Diagnostics Process

Novell Metrics

Delays and hops

4000h to 7FFFh Dynamic assigned sockets used by workstations

for interaction with file servers and other network
equipment.

8000h to FFFFh Well-known sockets assigned by Novell.

The Novell metrics are used to calculate the optimal route between networks (for
IPX RIP) and services (for IPX SAP). Novell metrics use the following to calcu­late the best routes:

Delays (Ticks)

The delay is the time associated with sending data via a route, that is, if alterna­tive routes are available the data packet is transmitted via the route that takes the
least time.
The delay is measured in time ticks where 1 second = 18.21 time ticks.

Hops

The hops is the number of intermediate networks that must be passed in order to
reach the destination network. Hops are only used in the unlikely event that two
routes have an identical time tick; the route with the least number of hops is then
be used.

73

Novell IPX Routing

Novell Routing Concept

The hops are also used to discard packets in case of looping, see “Looping pack-

ets” in “Data Transmission”, p. 76.

Metrics for RIP and SAP

Metrics for static IPX
routes and services

Manually calculating
metrics for static routes
and services

Separate metrics (tics and hops) are calculated for dynamic routes (established
using IPX RIP) and dynamic services (established using IPX SAP). These met­rics are calculated automatically by the RIP and SAP protocols.

For static IPX routes and services, the time ticks and hops to networks and ser­vices cannot be calculated by the router. These parameters must therefore be
manually calculated and defined for each static route and service.

When configuring static IPX routes and services, the best way to obtain the met­rics for static routes and services is by enabling dynamic routing (using RIP and
SAP) and reading the metrics from the routing and service table for the router,
see “Establishing static routes and static services” in “Static Routes and Servic-

es”, p. 90. However, in some cases the metrics for a link may need to be calcu-

lated manually.

Note The delay for a route or service is the accumulated delays for all the

paths to the route or service.

The metrics can be calculated manually as follows:

Delays (Ticks)

The delay for a link is associated with the speed (baud rate) of the link and can
simply be calculated as:

Link Delay (ticks) = 1100 / Link Speed (kbps).

For example, a 64 kbps WAN link would have the following delay:

1100 / 64 = 17.2 ticks.

This is only an approximation of the link delay calculated by the router (the rout­er calculation is more complex and would assign a delay of 18). You should
therefore try to use the delay calculated by the router (for the dynamic route or
service you are trying to replace) wherever possible.

Hops

The hops is simply the number of intermediate networks that must be passed in
order to reach the destination network.

74

Novell IPX Routing

Novell Routing Concept

Example

In the Novell metrics example, a data packet is sent from net 1 to net 4 via net 2
and 3, as the Delay (transmission time) is less (transmission speed on Ethernet 10
Mbps) than over the link with a baud rate of 9600 bps.

9600 baud

net 1

LAN WAN1WAN2 System

Router 1

LAN WAN1WAN2 System

Router 2

IntelExpressRouter9200

®

IntelExpressRouter9200

®

IntelExpressRouter9200

®

LAN WAN1WAN2 System

Router 3

IntelExpressRouter9200

®

LAN WAN1WAN2 System

Router 5

IntelExpressRouter9200

®

LAN WAN1WAN2 System

Router 4

Ter minal

Server

CrayCray CrayCray

Server

Server

Ter minal

Server

Data Transmission

Data transmission
process

net 2

net 3

net 4

1 hop (but low transmission speed)

3 hops (but high transmission speed) preferred metrics

→

1468

To send data from a NetWare device to a destination address on an other network,
the following process is initiated:

1. The NetWare device (source address) broadcasts a routing request to all
routers on the Local Area Network (LAN).

2. All local routers with a path to the destination address send a routing
response to the querying workstation.

3. The NetWare device selects the best path and sends the data to the selected
router.

75

Novell IPX Routing

Novell Routing Concept

Looping packets

IPX over WAN Links

Numbered and
unnumbered WAN links

Recommendations for
the use of numbered
links

IPX WAN Protocol

If a packet is looping due to changes in the network topology, the packet is dis­carded on the 16th hop, as the hop count is incremented by every router.

The Intel Express 8100 Router allows IPX WAN links to be either unnumbered
or numbered where an IPX Network Number is assigned to the link. If the WAN
Protocol is not being used, the routers over a WAN link must both be configured
to run the same link type (unnumbered, numbered or unnumbered static). The ne­gotiation of whether to use unnumbered or numbered links by the WAN Protocol
is described in the following section.

If communicating with a router that supports unnumbered links (including all In­tel router products), an unnumbered link should be used to avoid having to assign
a network number to WAN links. If communicating with a router which only
supports numbered links, a numbered link should be used.

The IPX WAN Protocol can be selected for communicating over WAN links to
ensure consistency with the configuration of the router on the other end of the
WAN link. If the IPX WAN Protocol is selected, then it must be configured in
both the routers over the WAN link—see the following section.

IPX WAN Protocol

IPX WAN 2 Protocol

Numbered and
unnumbered WAN links

The Intel Express 8100 Router supports the IPX WAN 2 protocol as defined by
Novell in Novell NetWare Link Services Protocol Specification Rev 1.0, Chapter
3—IPX WAN Version 2, Novell part No. 100-001708-002. The protocol is back­wards compatible with RFC 1634.

The protocol helps ensure consistency between the configuration of the two rout­ers over the WAN link.

The IPX WAN Protocol implemented in the Intel Express 8100 Router supports
both unnumbered and numbered links. When a numbered link is defined, an IPX
Network Number is assigned to the link. When protocol negotiation is taking
place between the routers over a WAN link, unnumbered links are chosen in pref­erence to numbered. Numbered links are only chosen if one or both of the routers
cannot support unnumbered links.

76

Novell IPX Routing

Novell Routing Concept

Negotiation over a WAN
link

IPX Watchdog Packets

Connections to a server

When the WAN link is initialized, the IPX WAN protocol running in the routers
at either end of the WAN Link negotiates various parameters to ensure that the
routers are communicating on the same terms. Negotiation proceeds as follows:

1. Role Determination
During this part of the negotiation, one router is designated as the ‘Slave’
and the other becomes the ‘Master’. If only one of the routers is configured
for a numbered WAN Link, this router becomes Master. If both routers are
configured for the same link type (numbered or unnumbered) the router with
the highest Internal Net Number becomes the Master.

2. Parameter Negotiation
When the roles of the routers have been determined, the Master attempts to
find a protocol (numbered, unnumbered or static) which is acceptable to
both the routers. If it succeeds, it informs the Slave of the protocol selected.
If a numbered link is selected during negotiation, the Master also informs
the Slave of the network number assigned to the link, ensuring that both
routers use the same number for the link.
The Master also informs the Slave of the delay used on the link.

When a client is connected to a server, the session is registered in a table. It is a
function of the server to keep this table up to date when client sessions are estab­lished and terminated.

Watchdog packets

When a client has not communicated with a server within a predefined time in­terval, the server sends out a message to the client to ask if it is still connected.
This message is known as a watchdog packet. Watchdog packets can be sent by
the IPX protocol (IPX watchdog packets) or the SPX protocol (SPX keep-alive
packets—see “Sequenced Packet Exchange (SPX)”, p. 79).

If a client fails to respond to a predefined number of watchdog packets, the ses­sion is terminated at the server.

77

Novell IPX Routing

Novell Routing Concept

IPX watchdog packets
over WAN links

A problem with IPX watchdog packets occurs when communication between cli­ents and a server is over a dial-up (switched) WAN or ISDN link. If a number of
clients are operating over the link, the link may never get the chance to become
inactive and so the operating costs can be high. In addition, if the link is brought
down for some other reason, the client sessions may be terminated prematurely.

Novell

Server

Watchdog

packets

#1

Watchdog
responses

LAN WAN 1WAN 2 System

Router 1

IntelExpressRouter9200

®

WAN

with an on-demand

timecut connection

IntelExpressRouter9200

LAN WAN 1WAN 2 System

Router 2

#2

®

Clients

1466

78

Novell IPX Routing

Novell Routing Concept

IPX watchdog spoofing

To counteract the problem of sending watchdog packets over dial-up (switched)
WAN links, IPX watchdog spoofing can be set up in the router before the WAN
link (on the server’s side). When IPX watchdog spoofing is enabled, the router
answers IPX watchdog packets on behalf of clients. The WAN link is therefore
not activated to send IPX watchdog packets to clients.

#1 #2

Novell

Server

Watchdog

packets

Watchdog

responses

LAN WAN1WAN 2System

Router 1

with watchdog

spoofing

Intel ExpressRouter9200

®

WAN

with an on-demand

timecut connection

Intel ExpressRouter9200

LAN WAN1WAN 2System

Router 2

®

Clients

1467

IPX Serialization Packets

IPX serialization packets

IPX Serialization Packets contain license information and are regularly sent
across a network by NetWare servers (addressed to socket 457). If a server re­ceives a Serialization Packet containing the license number it is using itself, it
complains about license violations.

Discarded by the Intel
Express 8100 Router

As IPX Serialization Packets are sent by NetWare servers at regular intervals,
and do not allow dial-up (switched) WAN links to become inactive—the operat­ing costs can therefore be excessive. For this reason, IPX Serialization Packets
are discarded by the Intel Express 8100 Router.

Sequenced Packet Exchange (SPX)

Sequenced Packet
eXchange (SPX)

SPX is a transport layer protocol which runs on top of the Internetwork Packet
eXchange (IPX) protocol (network layer), and is used to control sessions be­tween network devices across the network. An important function of the SPX
protocol is guaranteed data delivery, as this function is not provided by the IPX
protocol.

79

Novell IPX Routing

Novell Routing Concept

Sequenced Packet eXchange (SPX) is equivalent to the Transmission Control
Protocol (TCP) in the IP protocol suite.

SPX Keep-alive packets

SPX Keep-alive packets
over WAN links

When using IPX/SPX protocol, the keep-alive function is taken care of by the
SPX transport protocol, rather than by the IPX network protocol. As with IPX,
SPX uses keep-alive packets to keep sessions alive—when an established session
has not communicated within a predefined time interval, SPX keep-alive packets
are used to determine if the session is still established. If an established session
fails to respond to a predefined number of SPX keep-alive packets, the session is
terminated. Unlike IPX watchdog packets, SPX keep-alive packets can be sent
by all the network devices in the session.

As with IPX watchdog packets, SPX keep-alive packets can cause problems
when communicating over dial-up (switched) WAN links. If a number of SPX
sessions are established over a WAN link, the link may never get the chance to
become inactive and so the operating costs may be high. In addition, if the WAN
link is brought down by some other reason, the SPX sessions may be terminated
prematurely.

#1 #2

SPX Keep-alive Packets

SPX Keep-alive Responses

SPX Keep-alive Packets

SPX Keep-alive Responses

SPX Keep-alive Packets

SPX Keep-alive Responses

Network

devices

Network

devices

Session 1 Session 1

Session 2 Session 2

Session 3 Session 3

LAN WAN1WAN2System

Router 1

IntelExpressRouter9200

®

WAN

with an on-demand

timecut connection

LAN WAN1WAN2System

Router 2

IntelExpressRouter9200

®

1464

80

Novell IPX Routing

Novell Routing Concept

SPX spoofing

To counteract the problem of sending SPX keep-alive packets over dial-up
(switched) WAN links, SPX spoofing can be set up in the routers over the WAN
link.

Note SPX spoofing must be enabled in both routers over the WAN link for it

to be effective.

When the WAN link is timecut and SPX spoofing is enabled, the router answers
SPX keep-alive packets on behalf of devices over the WAN link. The WAN link
is not activated just to send SPX keep-alive packets.

#1 #2

Session 1 Session 1

Network

devices

Session 2 Session 2

Session 3 Session 3

SPX keep-alive

packets

SPX keep-alive

responses

IntelExpressRouter9200

LAN WAN1WAN2System

Router 1 with

SPX Spoofing

®

with an on-demand

timecut connection

WAN

SPX keep-alive

responses

IntelExpressRouter9200

®

LAN WAN1WAN2System

Router 2 with

SPX Spoofing

Network

devices

SPX keep-alive

packets

1465

Terminating SPX
sessions when SPX
spoofing is enabled

When SPX spoofing is enabled, an SPX session could be maintained in the ses­sion tables of the network devices indefinitely. Most devices have a limited num­ber of SPX sessions that can be established at any time, and redundant sessions
kept alive by SPX spoofing must therefore be avoided. To counter this problem,
a configurable SPX session timeout is initiated for each session which disables
SPX spoofing after a defined time period. Network devices must then respond to
SPX keep-alive packets as usual:

■

If the SPX session is no longer valid it is terminated

■

If the SPX session still valid, it responds to SPX keep-alive packets as usual
and SPX spoofing is then resumed (the SPX spoofing timer is restarted)

At midnight (0:00) SPX spoofing is disabled for all sessions to allow devices to
answer SPX spoofing packets as normal. This is implemented as a fail-safe
mechanism to terminate sessions which are not cleared by the SPX spoofing ses­sion timeout (for example because the SPX session timeout value is set too high).

81

IPX Data Filters

Novell IPX Routing

Novell Routing Concept

IPX data filters

IPX data filters are defined on a link basis in the Intel Express 8100 Router, and
separate filters are implemented for transmit (for restricting IPX packets leaving
the router on a link), and receive (for restricting IPX packets entering the router
from a link).

Note A good understanding of IPX is required before effective filtering can

be set up on the router. Filters must be defined as strictly as possible to
eliminate unauthorized access to services, hosts and networks.

82

Novell IPX Routing

Novell Routing Concept

Filter criteria

Each filter in the Intel Express 8100 Router can be setup to pass or discard IPX
packets based on the following criteria:

Note All the filter criteria defined is used.
Destination Network Addresses

IPX data traffic addressed to a single destination network address, or range of
network addresses specified by the

Destination Network Mask parameters can be filtered.

When the
ets addressed to the single

Destination Network Mask parameter is set to FFFFFFFF, pack-

Destination Network Address specified will be

Destination Network Address and

filtered.
Filtering of packets to destination network addresses is disabled if a

tion Network Address

of 00000000 with a Destination Network Mask

Destina-

of FFFFFFFF is defined (default values). For other values of the Destination

Network Mask

, data packets addressed to a range of network addresses will be
filtered.
For example, with a

Network Address of ABC00000 and a Network Mask:

FFF00000, service information will be filtered from/to all servers on the net­works beginning with ABC.

Destination Node Address

IPX packets addressed to a single device (node) can be filtered. A Destination

Node Address

of 000000000000 disables filtering on the destination node ad­dress.

Destination Socket

IPX packets addresses to specific sockets can be discarded. The most common
IPX sockets (
Other sockets can be filtered by selecting

NCP, NetBios, NLSP and IPX Ping) can be selected from a list.

Other for the Destination Socket

and then entering the socket number Value.

Source Network Addresses

IPX data traffic from a single source network address, or range of network ad­dresses specified by the

Mask

parameters can be filtered.
When the
the single

Source Network Mask parameter is set to FFFFFFFF, packets from
Source Network Address specified will be filtered.

Filtering of packets from source network addresses is disabled if a

work Address

of 00000000 with a Source Network Mask of FFFFFFFF is

defined (default values). For other values of the

Source Network Address and Source Network

Source Net-

Source Network Mask, data

packets from a range of network addresses will be filtered.
For example, with a

Network Address of ABC00000 and a Network Mask:

FFF00000, service information will be filtered from/to all servers on the net­works beginning with ABC.

Source Node Address

IPX packets from a single device (node) can be filtered. A Source Node Ad-

dress

of 000000000000 disables filtering on the source node address.

83

IPX Filters Example

Novell IPX Routing

Novell Routing Concept

Source Socket

IPX packets from a specific source socket can be discarded. The most common
IPX sockets (
Other sockets can be filtered by selecting
then entering the socket number

Packet Type

NCP, NetBios, NLSP and IPX Ping) can be selected from a list.

Other for the Source Socket and

Value.

Specific IPX packet types can be filtered. NCP and SPX packets can be selected
from a list. Other packets types can be filtered by selecting

et Type

and then entering the socket number Value.

Other for the Pack-

Filter requirement

NetWare devices use Diagnostic Request Packets to get information from about
other reachable devices. These packets can be used for testing if a device is reach­able and gathering configuration information about devices.

Diagnostic Request Packets can be broadcast to all devices and require each de­vice to respond and can cause WAN links to become saturated. It is therefore
sometimes desirable to eliminate these diagnostics from WAN links, and this can
be done using the IPX data filters implemented in the Intel Express 8100 Router.

Note IPX ping may be affected by these filters, depending on whether the

implementation of ping in the device which is testing for connectivity,
uses the diagnostics responder.

84

Novell IPX Routing

Routing Information Protocol (RIP)

Filter Required

To discard diagnostic packets from the LAN so that they are not transmitted on
WAN links, set up a filter on the LAN link as follows:

■

Set the default Action for the IPX Rx (receive) LAN filters to Pass to allow
all data traffic to enter the router unless discarded by a filter.

■

Set up an IPX Rx Filter for the IPX LAN link with the following criteria:

- Set the filter

Action to Discard

- Set the Destination Socket Value to 0456 (the NetWare socket
number for diagnostic packets)

Routing Information Protocol (RIP)

Routing Information
Protocol (RIP)

Encapsulation

Routing table

Routing information between routers is exchanged by means of the Routing In­formation Protocol (RIP) initiating the following functions:

■

locates the fastest route

■

retrieves routing information from other routers.

■

Responds to requesting routers

■

informs about the latest internetwork configuration

■

informs about any topology changes in the internetwork

The Intel Express 8100 Router uses ISO-9577 (SNAP) encapsulation when com­municating over WAN Links. When talking to other routers via a WAN Link,
they must also use (or be configured for) ISO-9577 (SNAP) encapsulation.

A routing table contains a map of the entire network topology and is the tool for
routers to provide each other with routing information.

85

Novell IPX Routing

Routing Information Protocol (RIP)

Routing Information

Updating periods

Triggered updates

Routers exchange routing information to inform each other about the network to­pology in the following situations:

■

When powered on, initial broadcasts to directly attached segments and WAN
links are sent.

■

To receive routing information from other routers, Initial Routing Requests
are sent.

■

To inform about each other’s e xistence, periodic broadcasts are typically sent
every minute.

■

Immediately after a network topology change, triggered updates are sent.

Each router sends updated routing information in periods of one minute (by de­fault) on its associated LAN. In case of a router shut-down, all other routers de­lete the routing entry after approximately 3 minutes (or 3 times the normal
interval of 1 minute). This allows a router to miss at least 2 packets in case the
network is heavily loaded. Note that routers never send routing information back
to networks they received the routing information from, as this would create
loops.

A triggered update is routing information exchanged due to changes in the net­work topology, for example if a link fails.

Cost factor

RIP Filtering

Introduction

Implementation

RIP Rx filters

RIP Tx filters

The costs for exchanging routing information on packet switched networks can
be high, as the carrier charges you for every byte transmitted.

Routing information entering and leaving a Intel Express 8100 Router can be fil­tered to remove unwanted routing information. For example, this may be done to:

■

restrict access between certain networks

■

reduce the amount of routing information traffic

RIP filters are implemented for both WAN and LAN links, and are implemented
for both received (Rx) and transmitted (Tx) routing information.

RIP Rx filters can be used to remove selected incoming routing information be­fore it is entered into the routing table for the router. Routing destinations re­moved in this way are not accessible via the router, and the routing information
is not passed on to other routers.

RIP Tx filters can be used to remove selected routing information before it is
passed on to other routers. Routing destinations removed in this way are accessi­ble via the router but the routing information is not passed on to other routers.

86

Service Advertising Protocol (SAP)

Novell IPX Routing

Service Advertising Protocol (SAP)

SAP functions

Service and Object types

How it works

The Service Advertising Protocol (SAP) makes use of IPX and the medium-ac­cess protocols for its transport. SAP provides the following functions:

■

initiates a workstation requests to get information about the name and
address of the nearest server of a certain kind

■

initiates a router requests to get information about the names and addresses
of either all servers, or all servers of a certain kind on the internetwork

■

sends responses to requests originating either from a router or a workstation

■

initiates periodic broadcasts by servers and routers

■

updates the accessible server information

SAP announces services and addresses of Novell NetWare networks. These ser­vice advertisements are collected by a SAP agent in a Server Information Table.

A table indicates different kinds of services and associated objects that are cur­rently known is given in Appendix F “Novell IPX Service Types”, p. 130.

Routers collect and exchange service information about all the services available
on the local network using SAP agents. Workstations that require information
about services available, send a broadcast, for example “get nearest server”. The
local SAP agent then informs them about the nearest file server available.

SAP broadcasts are local broadcasts initiated by servers once a minute and re­ceived by local SAP agents only. That is, the packets are not forwarded beyond
the local segments.

Service advertising

SAP Filtering

Introduction

87

Novell services are offered from devices such as file servers (file transfer), print­er servers (print service) and gateways (protocol conversion). Services are an­nounced on the network. This service advertisement is not used directly by the
end systems, but instead collected by SAP agents located in file servers and rout­ers. SAP agents exchange information with the same method as the Routing In­formation Protocol and are therefore well informed about all active NetWare
servers on the internetwork. A SAP agent is part of an IPX router/server.

Service information entering and leaving a Intel Express 8100 Router can be fil­tered to remove unwanted services. For example, this may be done to:

■

restrict access to servers from certain networks

■

reduce the amount of service information traffic

Novell IPX Routing

Static Routes and Services

Implementation

SAP filters are implemented for both WAN and LAN router links, and are imple­mented for both received (Rx) and transmitted (Tx) service access information.

SAP Rx Filters

SAP Rx Filters can be used to remove selected incoming service access informa­tion before it is entered into the service information table for the router. Services
removed in this way are not be accessible via the router, and the service informa­tion is not passed on to other routers.

SAP Tx Filters

SAP Tx Filters can be used to remove selected service access information before
it is passed on to other routers. Services removed in this way are accessible via
the router but the service information is not passed on to other routers.

Static Routes and Services

Static routes and
services

A static route is a route to a destination network which is always known to the
router and does not need to be announced to the router using the Routing Infor­mation Protocol (RIP). Similarly, a static service is a service which is always
known to the router and does not need to be announced to the router using the
Service Access Protocol (SAP). Static routes and services are still announced to
other routers using RIP and SAP as usual.

Use of static routes and
services over WAN links

By establishing static routes and services over a WAN link and disabling RIP and
SAP, no routing or service information is sent on the WAN link. This maximizes
the available bandwidth for data communications, and for many WAN link types
it reduces the costs of operation. Static routes are often used to prioritise the uses
of WAN links for routing.

Note If RIP and/or SAP is disabled over a WAN link, static routes and ser-

vices to all the networks and services over the WAN link must be estab­lished. The router may not be able to discover them otherwise.

When static routes and services are established, dynamic routing (using RIP and
SAP) is usually disabled. An exception to this is to provide remote access to a
network or service which is not otherwise announced to the router.

88