Intel ER8100STUS - Express 8100 Router, Express 8100 Reference Manual
Intel Express 8100 Router
Reference Manual
Second edition April 1998
Copyright © 1998, Intel Corporation. All rights reserved.
Intel Corporation, 5200 NE Elam Young Parkway, Hillsboro, OR 97124-6497
Intel Corporation assumes no responsibility for errors or omissions in this manual. Nor does Intel make any commitment to update the information contained herein.
* Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners’ benefit,
without intent to infringe.
ii
Contents
Part I LAN and WAN Links and Services
1 LAN and WAN Services in the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
LAN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
WAN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
WAN Services and Protocols Available . . . . . . . . . . . . . . . . . . . . . . . . . . 3
General Facilities for WAN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Leased Lines Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Point-to-Point Protocol (PPP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Data Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Data Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Peer Authentication using the Challenge Handshake Authentication
Protocol (CHAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Peer Authentication using the Password Authentication Protocol (PAP) 15
3 Frame Relay Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4 ISDN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Integrated Services Digital Network (ISDN) in the Intel Express 8100
Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
ISDN Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
ISDN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
ISDN Numbering and Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
BRA and PRA Numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
MSN (Multiple Subscriber Number) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
SUB (Sub-addressing) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
DDI (Direct Dialing In) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Permanent ISDN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
ISDN Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
ISDN Network Interface Reference Configurations . . . . . . . . . . . . . . . . . . . 30
5 X.25 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
X.25 Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
X.25 Services and Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
X.25 Packets and Virtual Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
X.25 Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
6 PPP Multilinks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
7 Internet Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
I
Part II IP, Novell IPX and Bridging Services
8 IP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
IP Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
IP Addresses Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
IP Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Address Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Internet Control Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
IP Filters—Firewall Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
IP Filter Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Static Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Dynamic Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Examples of Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Routing Information Protocol (RIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
RIP-1 and RIP-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
RIP Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Triggered RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Static Routes Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Contents
9 Novell IPX Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Novell Routing Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Internetworking Packet Exchange (IPX) . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Frame Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Novell Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Novell Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Data Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
IPX over WAN Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
IPX WAN Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
IPX Watchdog Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
IPX Serialization Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Sequenced Packet Exchange (SPX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
IPX Data Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
IPX Filters Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Routing Information Protocol (RIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
RIP Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Service Advertising Protocol (SAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
SAP Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Static Routes and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Configuration Example—Cost-Reduced WAN . . . . . . . . . . . . . . . . . . . . . . . 91
10 WAN Bridging Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Introduction to WAN Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
How Bridging Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Forwarding Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Operation of the Bridge in the Intel Express 8100 Router . . . . . . . . . . . 101
Controlled Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
II
Appendices
Contents
Spanning Tree Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Bridging Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Spanning Tree Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Spanning Tree in the Intel Express 8100 Router . . . . . . . . . . . . . . . . . . . 111
Bridge Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
BPDU Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Non-BPDU Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Enabling Bridge Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
A Protocol Bandwidth Overheads and Requirements . . . . . . . . . . . . . . . . 117
B TCP and UDP Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
C Ethernet Type Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
D IP Frame Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
E Novell IPX Frame Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
F Novell IPX Service Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
III
Preface
Products covered
Acronyms
The following products are covered in this manual:
■
Express 8100 Router with Frame Relay
■
Express 8100 Router with X.25
■
Express 8100 Router with an ISDN S/T port
■
Express 8100 Router with an ISDN U port
BACP Bandwidth Allocation Protocol
BCP Bridging Control Protocol
BECN Backward Explicit Congestion Notification
BPDU Bridging Protocol Data Units
BRA Basic Rate Access
BRI Basic Rate Interface
CBC Cypher Block Chaining
CCITT Comité Consultatif International Télégraphique et Téléphonique
CCP Compression Control Protocol
CHAP Challenge Handshake Authentication protocol
CRC Cyclic Redundancy Check
DCE Data Communication-terminating Equipment
DE Discard Eligibility
DLCI Data Link Connection Identifier
DLCMI Data Link Connection Management Interface (also called LMI)
DN Directory Number
DTE Data Terminal Equipment
DVMRP Distance Vector Multicast Routing Protocol
ECP Encryption Control Protocol
FECN Forward Explicit Congestion Notification
FR Frame Relay
HDLC High-level Data Link Control
ICMP Internet Control Message Protocol
IGMP Internet Group Management Protocol
IP Internet Protocol
IPCP Internet Protocol Control Protocol
IPX Internetwork Packet Exchange
IPXCP Internetwork Packet Exchange Control Protocol
ISDN Integrated Services Digital Network
ITU International Telecommunication Union
LAN Local Area Network
LAPB Link Access Procedure Balanced
LAPF Link Access Procedure for Frame Relay
LCP Link Control Protocol
LSP Link State PDU
MIB Management Information Base
iv
NAT Network Address Translation
NCP Network Control Protocol
PAP Password Authentication Protocol
PING Packet InterNet Groper Function
PDN Public Data Network
PRA Primary Rate Access
PRI Primary Rate Interface
PSDN Packet Switched Data Network
PVC Permanent Virtual Circuit
RIP Routing Information Protocol
RSVP ReSerVation Protocol
SAP Service Advertising Protocol
SLIP Serial Link Internet Protocol
SNAP SubNetwork Access Protocol
SNMP Simple Network Management Protocol
SPX Sequenced Packet Exchange
SVC Switched Virtual Circuit
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
UDP User Data Protocol
WAN Wide Area Network
WWW World Wide Web
Related documents
Novell NetWare Link Services Protocol Specification Rev 1.0.
Novell part No. 100-001708-002.
IPX Router Specification.
Novell part No. 107-000029-001
User Datagram Protocol (UDP).
RFC 768
Trivial File Transfer Protocol (TFTP) revision 2.
RFC 783
Internet Protocol (IP).
RFC 791
Internet Control Message Protocol (ICMP).
RFC 792
Transmission Control Protocol (TCP).
RFC 793
Ethernet Address Resolution Protocol (ARP).
RFC 826
v
Transmission of IP Datagrams Over Public Data Networks
RFC 877
Broadcasting Internet Datagrams.
RFC 919
Broadcasting Internet Datagrams in the Presence of Subnets.
RFC 922
Internet Standard Subnetting Procedure.
RFC 950
Bootstrap Protocol.
RFC 951
Using ARP to Implement Transparent Subnet Gateways.
RFC 1027
Serial Link Internet Protocol (SLIP).
RFC 1055
Routing Information Protocol (RIP).
RFC 1058
Simple Network Management Protocol (SNMP).
RFC 1155
Internet Numbers
RFC 1166
Concise MIB Definitions.
RFC 1212
Management Information Base for Network Management of TCP/IP-Based Internets: MIB II.
RFC 1213
Internet Control Message Protocol (ICMP) Router Discovery Messages.
RFC 1256
Management Information Base for Frame Relay Data Terminal Equipment
(DTE), 1992.
RFC 1315
Internet Protocol Control Protocol (IPCP) for the Point-to-Point Protocol
(PPP).
RFC 1332
vi
Password Authentication Protocol (PAP)
RFC 1334
Multiprotocol Interconnect on X.25
RFC 1356
Multiprotocol Interconnect over Frame Relay Data Terminal Equipment
(DTE), 1993.
RFC 1490
Definition of Managed Objects for Bridges.
RFC 1493
Internetwork Packet Exchange Protocol Control Protocol (IPXCP) for the
Point-to-Point Protocol (PPP).
RFC 1552
Point-to-Point Protocol (PPP) over Integrated Services Digital Networks (ISDN).
RFC 1618
Network Address Translation (NAT)
RFC 1631
Bridge Control Protocol (BCP) for the Point-to-Point Protocol (PPP).
RFC 1638
Link Control Protocol (LCP) for the Point-to-Point Protocol (PPP).
RFC 1661
Point-to-Point Protocol (PPP) over High-level Data Link Control (HDLC).
RFC 1662
Assigned Numbers.
RFC 1700
Multilink Point-to-Point Protocol (PPP)
RFC 1717
Routing Information Protocol (RIP) Version 2
RFC 1723
Requirements for IP Version 4 Routers — regarding subnetting.
RFC 1812
Point-to-Point Protocol (PPP) Data Compression
RFC 1962
vii
Point-to-Point Protocol (PPP) Encryption
RFC 1968
Point-to-Point Protocol (PPP) Stac Data Compression
RFC 1974
Point-to-Point Protocol (PPP) Multilink
RFC 1990
Challenged Handshake Authentication Protocol (CHAP)
RFC 1994
Triggered RIP
RFC 2091
High-level Data Link Control.
ISO/IEC 3309
Link Access Procedure, Balanced (LAPB)
ISO/IEC 7776
X.25 Packet Layer Protocol for Data Terminal Equipment (DTE).
ISO/IEC 8208
Frame Relay User-Network Interface, January 1992.
FRF.1
Frame Relay Multiprotocol Interconnect, December 1992.
FRF.3
Media Access Control (MAC) Bridges.
IEEE/ANSI 802.1D
IEEE/ANSI 802.1G
High-level Data Link Control (HDLC)
ISO 3309
Frame Relaying Bearer Service Architectural Framework and Service Description, 1990.
ANSI T1.606
Frame Relaying Bearer Service, Congestion Management Principles, 1991
Addendum 1.
ANSI T1.606
DSS1 — Signalling Specification for Frame Relay Bearer Service, 1991.
ANSI T1.617
viii
DSS1 — Core Aspects of Frame Protocol for use with Frame Relay Bearer Service, 1991.
ANSI T1.618
Frame Relay Bearer Services, 1991.
ITU-T (CCITT) Recommendation I.233.1
Congestion Management in Frame Relaying Networks, 1991.
ITU-T (CCITT) Recommendation I.370
Basic User-Network Interface — Layer 1 Specification, 1993.
ITU-T (CCITT) Recommendation I.430
Usage of Cause and location in the Digital Subscriber Signalling System No. 1
and the Signalling System No. 7 ISDN User Part, 1993.
ITU-T (CCITT) Recommendation Q.850
ISDN User-Network Interface-Data Link Layer Specification, 1993.
ITU-T (CCITT) Recommendation Q.921
ISDN Data Link Layer Specification for Frame Mode Bearer Services, 1992.
ITU-T (CCITT) Recommendation Q.922
ISDN User-Network Interface Layer 3 Specification for Basic Call Control,
1993.
ITU-T (CCITT) Recommendation Q.931
International Numbering Plan for Public Data Networks
ITU-T (CCITT) Recommendation X.121
Interface Between Data Terminal Equipment (DTE) and Data Circuit-terminating Equipment (DTE) for Terminals Operating in the Packet Mode and
Connected to Public Data Networks by Dedicated Circuits.
ITU-T (CCITT) Recommendation X.25
ix
Part I
LAN and WAN Links and Services
Chapter 1
LAN and WAN Services in the Router
In this chapter
LAN Services
Introduction
This chapter gives an introduction to the LAN and WAN services available in the
different Intel Express 8100 Router versions, and the common facilities available
of the different WAN services. WAN services include leased line, PPP, Frame
Relay, ISDN and X.25 services.
The different WAN services available in the Intel Express 8100 Router are described in the following chapters.
Local Area Networks (LAN) are concerned with the interconnection of distributed computer systems whose physical location is confined to a localized group of
buildings. The main difference between a communication path established via a
LAN and connections made via Public Data Networks/Wide Area Networks
(WAN) is that connections via a LAN allow for higher transmission rates due to
the short physical distances.
1
LAN and WAN Services in the Router
WAN Services
LAN Services concept
The following illustration indicates how LAN Services are embedded in the Intel
Express 8100 Router.
ROUTING (TCP/IP & IPX) and Bridging
LAN SERVICES
LAN Link Control
Protocol Identification
Ethernet
LAN Port
Ethernet services
WAN Services
Introduction
0996
Ethernet is a Local Area Network (LAN) hardware standard that is capable of
linking up to 1,024 nodes (stations) in a bus network. It uses a base-band (singlechannel) communication technique providing for a raw data transmission rate of
either 10 Mbps for 10Base-T or 100Mbps for 100Base-T. Ethernet uses carriersense multiple-access/ collision-detection techniques (CSMA/CD).
Wide Area Network (WAN) services consist of links to remote sites via private
or Public Data Networks (PDNs).
2
WAN Services and Protocols Available
LAN and WAN Services in the Router
WAN Services
WAN services overview
Number of WAN links
supported
WAN services are private or public data networks (PDNs) available to subscribers for interconnecting remote sites. The Intel Express 8100 Router supports:
■
Leased lines
■
Switched (dial-up) connections
■
Point-to-Point Protocol (PPP)—described in “Point-to-Point Protocol
(PPP)”, p. 8
■
Frame Relay services—described in Chapter 3 “Frame Relay Services”, p.
17
■
ISDN connections and services—described in Chapter 4 “ISDN Services”,
p. 20
■
X.25 services—described in Chapter 5 “X.25 Services”, p. 32
■
PPP Multilinks which combine a number of PPP links into a single route
between two sites—described in Chapter 6 “PPP Multilinks”, p. 39
■
Internet Tunnels for routing data via the internet—described in Chapter 7
“Internet Tunnels”, p. 41
The Intel Express 8100 Router supports up to 5 WAN links (Frame Relay, ISDN
or X.25).
Leased lines
A leased line is a permanent physical connection between two Local Area Networks. The costs for the use of a leased line are fixed—that is, they are independent of the amount of data transmitted. A leased line is normally used when there
is a need for constant data flow between two sites.
Dial-up links
Dial-up links (also referred to as switched links or switched lines) are links that
are only established when data requires transmitting over the WAN link and are
similar in operation to a normal telephone connection. Dial-up WAN links require the use of a modem or other WAN connect device designed to establish this
type of connection.
The number for the dial-up WAN link is configured in the modem or WAN connect device (not for ISDN and X.25 links). This is a prerequisite for V.11, V.24,
V.35 and V.36 WAN connections.
General Facilities for WAN Services
Introduction
This section gives an overview and describes the WAN service features common
to all WAN link types available in the Intel Express 8100 Router.
3
LAN and WAN Services in the Router
WAN Services
Data compression
Timecut mode for dialup (switched) links
Data compression is available for all WAN link types to improve the throughput.
PPP and Frame Relay
For PPP links (leased lines, dial-up links and ISDN links) and Frame Relay links,
data compression rates of up to 4:1 can be achieved for text data.
X.25
For X.25 links, data compression rates of up to 4:1 can be achieved for text data.
Note Timecut mode should be selected for dial-up (switched) WAN links.
Operating costs can be excessive otherwise.
When a dial-up (switched) WAN link is in Timecut mode, the link is only activated when there is queued data. Timecut mode should be selected where transmission costs are dependent on the data transferred, the number of data packets
sent or the duration for which the link is active. Timecut mode ensures that the
WAN link is only established when necessary.
Routing protocols such as RIP and IPX send various routing packets between devices to continually assess the topology of the network. If the standard settings
are used for these settings (for example RIP packets are sent every 30 seconds),
timecut WAN links never get the chance to close down. Routing protocol settings
used on timecut WAN links should be set in accordance with this, and there are
other considerations to be made (for example Watchdog Spoofing and RIP and
SAP Filtering—see Chapter 9 “Novell IPX Routing”, p. 71).
Backup links
Backup links are dial-up (switched) links that can be initialized if another link
should fail or has not been established within a defined time interval. Typically,
a primary WAN link is a 2 Mbps leased line connection, the backup WAN link
is a 64 kbps dial-up connection—the costs of the backup link is therefore dependent on how much the link is used.
A WAN link in Backup mode is only used if the primary link should fail, or if a
connection to it was established from a remote source. Backup links can only be
closed down by the router that started the link.
4
LAN and WAN Services in the Router
WAN Services
Timecut backup links
considerations
Timecut mode for backup links must only be used if the backup link runs in parallel to the primary WAN link, that is the main WAN link and the backup WAN
link must run between the same routers as shown in the figure below:
LAN2LAN1
Primary WAN Link
LAN WAN1 WAN2 System
Router A
Intel ExpressRouter9200
®
BackupWANLink
(dial-up)
LAN WAN1 WAN2 System
Router B
Intel ExpressRouter9200
®
1476
Timecut mode MUST NOT be selected for backup links that run via a different
router than the main WAN link as shown below. Problems otherwise occur when
using the backup WAN Link.
LAN 2
LAN 1
LAN WAN1WAN2 System
RouterA
Primary WAN
IntelExpressRouter9200
®
BackupWAN
LAN 2
Link
LAN WAN1WAN2 System
RouterB
LAN WAN1WAN2 System
RouterC
IntelExpressRouter9200
®
IntelExpressRouter9200
®
Link
TheBackup WAN Link mustNot use
timecutmode
LAN 1
Primary WAN
IntelExpressRouter9200
LAN WAN1WAN2 System
RouterA
Primary WAN
®
Link
Link
LAN WAN1WAN2 System
RouterB
LAN WAN1WAN2 System
RouterC
IntelExpressRouter9200
®
Backup
WAN Link
IntelExpressRouter9200
®
LAN 3
1475
5
LAN and WAN Services in the Router
WAN Services
Multiple backup links
Timer Profiles
For ISDN and X.25 services, it is possible to establish multiple backup links for
increased internetwork reliability. This can be a particularly useful feature in
X.25 networks where a number of Switched (dial-up) links can be available.
Link 2
PPP
Leased
Line
Link 4
X.25
Dial Up
Backup for Link 2
Link 5
X.25
Dial Up
Backup for Link 4
Link 6
X.25
Dial Up
Backup for Link 5
1235
In the above example, link 4 is used if the primary link (link 2) should fail, link
5 is used if link 4 should fail and link 6 is used if link 5 should fail.
The Intel Express 8100 Router implements Timer Profiles which offer extensive
facilities to restrict WAN link activity according to a user-defined time profile.
This may be done for security reasons or to reduce the operating costs of WAN
links.
Up to 16 user-defined timer profiles can be defined, any one of which can be selected for use with a WAN link during configuration of the link. Each profile allows you to define access rights on a weekly basis, with a half-hour resolution.
For each link, access can be blocked:
Timer profiles
consideration
■
for outgoing access from the router to the WAN link
■
for both outgoing and incoming access (WAN link disabled outside the times
defined in the timer profile)
For example, for one link using a timer profile, outgoing access may be block,
while for another WAN link using the same timer profile, access may be block
for all data traffic.
Warning When blocking both outgoing and incoming access, the timer pro-
file must be the same in both the routers over the WAN link.
This is particularly important for dial-up (switched) WAN links where operating
costs are dependent on the use of the link.
If the timer profiles are not the same and only one of the routers is denying incoming access at some time, the other router may continually attempt to establish
the WAN link. This can lead to the following problems for the calling router:
■
for dial-up WAN links, excessive operating costs for the WAN link
■
error messages being logged
■
the link being disabled (faulted)
6
LAN and WAN Services in the Router
WAN Services
Example use of a timer
profile
Daily Activity Limit
For example, a timer profile could be set up to deny both incoming and outgoing
access on a WAN link outside normal office hours of 7:30 to 17:30, and to deny
all access at weekends.
Time
Day
Sun
Mon
Tue
Wed
Thu
Fri
Sat
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
Access allowed Mon-Fri
between 7.30 and 17.30
1290
The Intel Express 8100 Router has a Daily Activity Limit function which can be
used to control the use, and therefore the cost of operation, of dial-up WAN
Links. The alarm generates an SNMP Trap and can also be set up to close and
lock the associated WAN link when it has been in the Up (for both call directions)
state for the configured time-period within a day (midnight to midnight). That is,
the activity counter is incremented for both incoming and outgoing calls on the
links. If the link has been locked by the Daily Activity Limit, it stays locked until
it is manually reset from Intel Device View.
When a dial-up link has been locked by the Daily Activity Limit, the router does
not permit outgoing calls on the link until the link has been unlocked again from
Intel Device View. However, the link accepts incoming calls, thereby allowing a
remote connection via the link to unlock the link.
7
Leased Lines Links
Chapter 2
In this chapter
The WAN connect protocol used for communicating over leased line WAN connections by the Intel Express 8100 Router is the Point-to-Point Protocol (PPP).
When communicating over leased line connections, PPP runs on top of the Highlevel Data Link Control (HDLC) protocol.
Note PPP is also used for communications over ISDN links (PPP over
ISDN).
This chapter gives an introduction to the Point-to-Point Protocol (PPP) and describes the features of the protocol offered by the Intel Express 8100 Router.
Point-to-Point Protocol (PPP)
Introduction to PPP
The Point-to-Point Protocol (PPP) was designed to enable simultaneous transfer
of network-layer protocols across a point-to-point link. Its main function is to establish a synchronous link connection between routers from any manufacturer.
PPP functions include:
■
encapsulating multi-protocol datagrams
■
establishing, configuring and testing the data-link connection using a Link
Control Protocol (LCP)
■
establishing and configuring bridging and various network-layer communications across the link using Network Control Protocols (NCPs). This is handled by the Internet Protocol Control Protocol (IPCP) for IP, and the
Internetwork Packet Exchange Control Protocol (IPXCP) for IPX and the
Bridging Control Protocol (BCP) for bridging services
■
■
■
authenticating peers using the Challenge Handshake Authentication Protocol
(CHAP) and Password Authentication Protocol (PAP) to ensure that communications are between authorized devices
encrypting and decrypting data transmitted via the link to offer data security
compression/decompression of data to improve the throughput of data
8
Leased Lines Links
Point-to-Point Protocol (PPP)
PPP provides transport services for data packet delivery with low overheads and
high throughput. Frame checking at the link-level offers error detection, but error
recovery is taken care of by higher-layer network protocols.
PPP protocols
Link Control Protocol
(LCP)
Operation of PPP
The following diagram shows how the various PPP protocols are embedded:
Compression
Control Protocol
(CCP)
Network Control Protocols (NCPs)
Internet Protocol
Control Protocol
(IPCP)
Encryption ControlProtocol
Challenge Handshake Authentication
Protocol (CHAP)
Link Control Protocol
Internet Packet
Exchange Control
Protocol (IPXCP)
(ECP)
(LCP)
Bridging
Control
Protocol (BCP)
1233
LCP is the lowest layer in the PPP stack and runs on top of the High-level Data
Link Control protocol (HDLC) or Integrated Services Digital Networks (ISDN).
When the HDLC or ISDN protocol has established the link, LCP runs on top of it.
The following protocols form the basis of PPP:
Encapsulation
Network-layer protocols are encapsulated for transmission over WAN links.
Link Control Protocol (LCP)
The LCP takes care of the link connection.
Challenge Handshake Authentication Protocol (CHAP)
The Challenge Handshake Authentication Protocol (CHAP) is available to offer
security (encrypted password protection) against unauthorized access to a PPP
link.
Password Authentication Protocol (PAP)
The Password Authentication Protocol (PAP) is available as an alternative to
CHAP offering security (password protection) against unauthorized access to a
PPP link.
Encryption Control Protocol (ECP)
Data encryption is available when communicating over PPP links. The Encryption Control Protocol (ECP) negotiates and manages data encryption between the
devices over the link.
9
Leased Lines Links
Point-to-Point Protocol (PPP)
Note Data encryption is only available in certain models of the Intel
Express 8100 Router. Data encryption is not allowed in some
countries by law.
Compression Control Protocol (CCP)
Data compression is available when communicating over PPP links. The Compression Control protocol (CCP) negotiates and manages data compression between devices over the link.
Network Control Protocols (NCPs)
Each Network Control Protocol negotiates and manages a specific network-layer/bridging protocol.
PPP Call Back (PPP
ISDN links)
PPP Call-Back is available for use over PPP ISDN links where the costs of operation of the link can be transferred a specific location.
For example, if someone working from home needs an occasional connection to
the office, the costs of operation for the connection can be transferred to the office by using Call-Back. When the home connection needs to communicate with
the office, they call in to the office Intel Express 8100 Router with a request for
call back and then closes the connection.
Note The router will then return the call. The router must support Call-Back
or the link will not work.
In some cases, Call-Back is used to verify that incoming call is from the authorized address set up for the link.
The Call-Back facility can be used to transfer the cost of operation to either the
local site (this router) or to the remote site.
10
Leased Lines Links
Point-to-Point Protocol (PPP)
Multilink PPP
The Intel Express 8100 Router implements PPP Multilink facilities which allow
multiple PPP links between two sites to be used as a single route. A PPP Multilink allows links to added dynamically (for bandwidth-on-demand) or statically
and has almost the combined bandwidth of the individual links.
PPP Multilinks are described in Chapter 6 “PPP Multilinks”, p. 39.
Data Compression
Data compression
Compression algorithm
used
Requirements for use
Data compression is available when communicating over PPP links, to improve
the throughput.
Both routers over the PPP link must support and be configured for PPP data compression for data compression to be used.
The compression algorithm implemented in the Intel Express 8100 Router is
based on the Stac* algorithm developed by Stac Electronics Inc. Typical compression rates of 4:1 are achieved for text data.
The devices at both end of the PPP link must implement the Compression Control Protocol (CCP) and use the same compression algorithm.
Data compression is negotiated by the CCP whenever the link is established. If
the device over the PPP link does not support the CCP or the same compression
algorithm, compression cannot be used over the link.
Link speeds
Data Encryption
Introduction
Encryption algorithm
used
Data compression can be used on combined link speeds of up to 256 kbps (for
example compression can be used on one PPP link of 256 kbps or on two PPP
links of 128 kbps). The delays involved with compressing the data make it impractical to use at higher link speeds.
The Intel Express 8100 Router offers encryption/decryption of data being transmitted over PPP and Frame Relay links. This offers security in case of interception by an unauthorized source.
Note Data encryption is only available in certain models of the Intel Express
8100 Router which are not available in some countries.
The data encryption algorithm implemented in the Intel Express 8100 Router is
Blowfish with a variable length encryption key (up to 144 bits) with 16 rounds
(encryption steps). The algorithm is used in Cipher Block Chaining (CBC) mode
11
Leased Lines Links
Point-to-Point Protocol (PPP)
which means that the algorithm is used across the entire data stream including the
packet header containing the address and protocol identification, and not only on
a fixed block (packet) size.
Reference for the
encryption algorithm
Requirements for use
Link speeds
Encryption and
compression
The Blowfish encryption algorithm is described in:
Bruce Schneier
Applied Cryptography (John Wiley & Sons)
The devices at both end of the PPP link must implement the Encryption Control
Protocol (ECP) and use the same encryption algorithm.
Data encryption is negotiated by the ECP whenever the link is established. If the
device over the PPP link does not support the ECP or the same encryption algorithm, the link is disconnected and a message is entered in the System Log for the
router—data communications are not allowed on a PPP link intended for secure
communications.
Encryption can be used on all link speeds and can also be used in conjunction
with compression. The algorithm can encrypt at around 1.3 Mbps, which may
cause delays on combined link speeds above this (for example on a 2.0 Mbps
links).
Data encryption can be used together with data compression (see “Data Com-
pression”, p. 11) over a PPP link. Data is first compressed then encrypted. When
encryption is used in connection with data compression over a PPP link, the restrictions on link speeds for data compression apply.
Peer A uthentication using the Challenge Handshake Authentication
Protocol (CHAP)
Introduction to CHAP
Passw ords
12
The Challenge Handshake Authentication Protocol (CHAP) can be used to provide link security against unauthorized access. CHAP uses password encryption
where passwords can be global (used for all PPP links) or selected from a password pool. Separate passwords can be used for incoming and outgoing calls on a
link.
CHAP uses password encryption to authenticate peers; separate passwords can
be used for incoming and outgoing calls. The passwords are used to encrypt random text files which are transmitted over the PPP link (see ‘Challenge handshake
authentication procedure’ following); passwords are therefore never transmitted
directly over a PPP link, and cannot be intercepted and used by unauthorized
sources.
Leased Lines Links
Point-to-Point Protocol (PPP)
Use of passwords
For the correct operation of PPP links using CHAP, the passwords must be configured as follows:
Device 1 (User ID1)
Password A
used for
CHAP requests
Password B
used in reply to
CHAP requests
from User ID2
Request
Reply
Request
Reply
Device 2 (User ID2)
Password A
used in reply
to CHAP requests
from User ID1
Password B
used for
CHAP requests
1338
If Device 1 has Password A configured for CHAP requests on the PPP link, Device 2 must reply to the request using Password A. That is, Password A must be
defined in Device 2 for CHAP replies to Device 1.
Similarly, if Device 2 has Password B configured for CHAP requests on the PPP
link, Device 1 must reply to the request using Password B. That is, Password B
must be defined in Device 1 for CHAP replies to Device 2.
Global (all PPP links)
and Local replies to
CHAP requests
CHAP requests from the
router
A device always tries to reply to a request for authentication from a peer, using
the password defined for the User ID of the peer.
In the Intel Express 8100 Router, a list of passwords for User IDs can be defined
for both the router (global) and for individual PPP links. The passwords in the
global list can be used in reply to CHAP requests from peers on any of the PPP
links to the router. The passwords in the local list can only be used for peers on
the PPP link for which they are defined. The router first tries to find the User ID
of the peer requesting authentication in the local password list and then in the global password list.
In some devices, a common User ID with different passwords are used for communications over a PPP link. In these cases, local User IDs and password should
be defined. Otherwise, global User IDs and passwords can generally be used.
When CHAP requests are enabled, the Intel Express 8100 Router authenticates
the peer over the PPP link whenever the link is established. For on-demand
(switched) PPP links including ISDN links, the router authenticates the peer
whenever the link is brought up.
13
Leased Lines Links
Point-to-Point Protocol (PPP)
Challenge handshake
authentication procedure
The procedure used to authenticate a peer over a PPP link is as follows:
1 The device which is authenticating the peer (Device 1) generates a random
text file (random characters and a random length), and transmits it to the
device to be authenticated (Device 2) over the PPP link. Device 1 also
stores a copy of the random text file which is encrypted using the password
defined for CHAP requests on the link (Password 1).
Encrypted
using
Password 1
Device 1
Random
text file
PPP Link
2 The device receiving the random text file (Device 2) encrypts it using the
Device 2
Device being
authenticated
1335
password (Password 2) defined for requests from Device 1, then transmits
the encrypted text file back to Device 1.
Device 1
PPP Link
Device 2
Encrypted
using
Password 2
Random
text file
1336
14
Leased Lines Links
Devi
Devi
Point-to-Point Protocol (PPP)
3 Device 1 compares the locally encrypted text file with the text file
encrypted by Device 2. If the text files are the same (Password 1 = Password 2) Device 2 is authenticated. Otherwise, Device 2 is not authenticated
and data communications with Device 2 are not allowed.
Peer is
authenticated
Peer is NOT
authenticated
Random
text file
encrypted
Device 1
Random
text file
encrypted
Device 1
ce 1
=
=
PPP Link
Random
text file
encrypted
Device 2
Random
text file
encrypted
Device 2
ce 2
1337
Peer Authentication using the Password Authentication Protocol
(PAP)
Introduction to PAP
The Password Authentication Protocol (PAP) can be used as an alternative to
CHAP to provide link security against unauthorized access. PAP uses simple
password protection against unauthorized access.
PAP versus CHAP
Replies to PAP requests
CHAP uses password encryption to authenticate peers and the passwords are
never transmitted directly over the PPP link, and therefore cannot be intercepted
and used by unauthorized sources. PAP uses simple password protection where
the password is transmitted directly over the link—PAP is therefore not resilient
to link monitoring.
Note For the best security, you should use CHAP rather than PAP for link
access protection wherever possible.
PAP can however be used when it is the only authentication protocol supported
by the remote device.
A device (for example the Intel Express 8100 Router) always tries to reply to a
request for authentication from a peer, using the password defined for the User
ID of the peer.
15
Leased Lines Links
Point-to-Point Protocol (PPP)
PAP requests from the
router
When PAP requests are enabled, the Intel Express 8100 Router authenticates the
peer over the PPP link whenever the link is established. For on-demand
(switched) PPP links including ISDN links, the router authenticates the peer
whenever the link is brought up.
If the device over the PPP link fails to authenticate itself, communications over
the link are not allowed.
16
Frame Relay Services
Chapter 3
Frame Relay in the Intel
Express 8100 Router
Frame Relay
Features
Frame Relay is available in the Express 8100 Router with Frame Relay. The
WAN port must be configured as a Frame Relay port before it can be used for
Frame Relay services.
As Frame Relay uses Permanent Virtual Circuits, a number of Frame Relay links
can be made via the same Frame Relay port. The Intel Express 8100 Router supports up to 5 Frame Relay links.
This chapter gives an introduction to Frame Relay services in the Intel Express
8100 Router.
Frame Relay is an interface specification that provides a signalling and data
transfer mechanism between endpoints (routers) and the network (switches).
Data to be transmitted are encapsulated according to the Multiprotocol Encapsulation Implementation Agreements of the Frame Relay Forum. It provides efficient network services and accommodates burst-intensive applications over wide
area LAN interconnections at rates up to 2.048 Mbps. Frame Relay provides
bandwidth on demand and allows multiple simultaneous data sessions (logical
channels) across a physical Frame Relay port.
Frame Relay can be very cost-effective when used to interconnect several sites.
Frame Relay allows several logical links to different sites across one physical
Frame Relay port.
Features of the Frame Relay protocol include:
■
■
■
■
■
■
■
■
Provides a connection-oriented service
Maintains data sequence
Connects end-systems at data link layer
uses variable length packets
no data link control, no retransmissions
makes use of LAPF core functions
standard multiprotocol encapsulation
reduced costs for internetworking in large networks
17
Frame Relay Services
■
increased interoperability as it complies with international standards
Addressing
Encapsulation
PVC management
Each data packet contains a circuit number, also called a Data Link Connection
Identifier (DLCI), showing which logical channel that the information belongs
to. Frame Relay packets are routed to their destination on the basis of the circuit
numbers contained in the packet.
Note When using Frame Relay, ensure that your network provider allocates
you the necessary DLCI values. DLCI values assigned during Frame
Relay connection, range from 16 up to 991.
Multiprotocol encapsulation according to FRF.3, specifying the protocol contained in the current Information field (I-field). This encapsulation is also specified in RFC-1490 “Multiprotocol Interconnect over Frame Relay Data Terminal
Equipment”, and is compatible with routers from other manufacturers.
Status information between Frame Relay network switches and user devices (for
example routers and bridges) is provided by signalling protocols defined by the
Frame Relay standards committees. These signalling protocols perform the following tasks:
■
providing a ‘heartbeat’ or ‘keep-aliv e’ message e xchange to ensure that links
are available
■
informing about added and removed PVCs
■
providing status of existing PVCs
Frame Relay elements
Frame Relay services may be broken down into three distinct elements:
Frame Relay access equipment
Frame Relay access equipment is customer premises equipment (CPE) which
sends information across the network. This may be, for example, a router, a
bridge, a host computer, and so on.
Frame Relay switching equipment
Frame Relay switching equipment is responsible for the transportation of information across a WAN. This may be, for example, T1 (1.5 Mbps) and E1 (2 Mbps)
packet switches, and so on.
Public Frame Relay services
Public Frame Relay services see the deployment of Frame Relay switches via the
Public Data Network (PDN). If you do not make use of public services (subscribed), private networks may be established. In this case, the private network
must have Frame Relay switching equipment installed.
Note Frame Relay can only be used on high-quality transmission lines dedi-
cated to Frame Relay.
18
Loading...