Nortel Host Tools, R10.0, Annex Communications Server R10.0B, Annex Host Tools R14.2 New Features Manual

Annex Communications Server R10.0B and
Annex Host Tools R14.2 Release Notes
These release notes apply to the following:
The Annex Communications Server Operational Code Version R10.0
Quick2Config Annex R2.3
Annex Manager R2.3
The release notes for Quick2Config Annex can be found by selecting the Readme notepad icon in the Bay Networks Program Group.
Included in these release notes are the following topics:
New Features
Special Considerations
Supported Platforms
Known Problems/Limitations
Problems Resolved with this Release
These release notes supersede the notes provided on the distribution media.
Ease of Use Installation
The installation process has been significantly improved and more binaries have been added to the distribution media. The new installation script will give users the following options:
Installing the Annex Host Tools and/or Annex Manager 2.3
Extracting only the necessary files from the medium
Editing the necessary system files
302565-A Rev. 00
Blacklisting and Password History
Two new security features, user blacklisting and password history, have been added to the ACP security functionality. The blacklisting enhancement logs and monitors the number of failed login attempts for users. The administrator may configure erpcd to disallow a user from logging into the system based on the number of consecutive failed login attempts, or the total number of failures over a period of time. An acp_dbm utility was added to access the database used to store the user's login history. This feature is not enabled by default.
ch_passwd
The ch_passwd utility has been enhanced to keep a history of a user's passwords and can be configured to prevent a user from setting a previously used password. This feature is not enabled by default unless the system uses shadow passwords.
One-to-Many Dynamic Dial-up Routing
The Annex now provides for dynamic dialout to multiple destinations via a single modem or modem pool.
Chap Security for PPP
This feature allows for the use of encrypted passwords for PPP.
Enigma Security
The Annex can now authenticate a user via the Enigma SafeWord Authentication Server.
CIDR
The Annex now supports Classless Interdomain Routing (CIDR), which provides for supernetting of Class C addresses. Supernetting allows you to use a subnet mask that is shorter than the intrinsic mask derived from the class of the Internet address.
IP Basic Security Option (IPSO)
The Annex partially implements this security option by adding the IPSO classification level to packets generated by telnet or rlogin running on an Annex dedicated, adaptive, or CLI port.
ACP Port Statistics Logging
This feature tracks the number of packets sent and received and the total number of bytes sent and received for each session.
TAP Identification Protocol
The Annex now supports this feature as defined in RFC 1413. TAP Identification Protocol can determine the identity of a user of a particular TCP connection. Given a TCP port number pair, TAP returns a character string that identifies the owner of that connection on the server's system.
Filtering Improvements
Changes have been made to the filter-action algorithm. There are four filter lists for any interface:
global filter list for input (interface set to the * symbol)
global filter list for output (interface set to the * symbol)
local filter list for input (interface set to other than *)
local filter list for output (interface set to other than *)
When a packet is sent by the Annex, the local output filter list is scanned first, followed by the global output filter list. When a packet is received by the Annex, the local input filter list is scanned first, followed by the global input filter list. For the purposes of the algorithm, local and global are combined into one large list, and input and output are considered separately.
The algorithm scans each filter, and if the filter conditions match the packet under consideration, the associated actions are appended to one of two lists. If the filter is an include, the actions are placed on the to-do list. If the filter is an exclude, the actions are placed on the inhibit list.
Once the complete list (both local and global) has been scanned, one more check is done. If at least one include filter with the netact action was seen (not necessarily matched, just scanned) and there were no exclude filters with netact, the default action is none, that is, not netact. If there were no include netact filters scanned or if any exclude netact filters were seen, the default action is netact. This default is added to the to-do list. Finally, the inhibit values are subtracted from the to-do list.
The following are examples of this process:
Example 1
No filters at all; all traffic is activity.
Example 2
in include proto tcp dst_port telnet netact
in include proto icmp discard
out include proto icmp discard
Packets received that are destined for the standard telnet port (23) are considered activity and may trigger a dial if the interface is a dial-out type. No other IP packets are considered activity, and icmp packets (such as ping) going either way are discarded. (This shows how include netact works by itself.)
Example 3
out exclude proto udp port_pair router router netact
out include proto tcp dst_port smtp no_start
Packets generated by RIP are not considered activity and cannot start the link. Packets destined for SMTP (email) are considered activity and will keep an active link up, but will not start a dial. All other packets are considered activity and will start a dial. (The second filter could have also specified netact, but that is unnecessary because the exclude implies that netact is the default.)
Example 4
out exclude dst_address 132.245.33.0/24 netact
out exclude dst_address 132.245.11.0/24 netact
Packets sent to either the 33 or 11 subnets will not be considered activity. All other packets sent will constitute activity. This demonstrates how excludes are logically ANDed together.
Example 5
out exclude proto tcp dst_address 132.245.66.0/24 netact
in include proto tcp dst_address 132.245.33.0/24 netact
Packets which the Annex sends over the link that are destined for the 66 subnet are not considered activity. All other packets sent are considered activity. Packets the Annex receives that are addressed to the 33 subnet are also considered activity. No other packets received are considered activity. (This example is included to illustrate how input and output filters do not interact.)
Setting a specific include with netact when there is an exclude with netact for the same destination (in or out) has no effect. The exclude with netact implies that everything else is activity (so no specific include is needed) and, if the exclude matches the same packet as an include, the exclude takes precedence (thus no specific include is possible).
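The to-do/inhibit procedure above can be checked against the numbered examples with a short model. This is an added illustration, not Annex code: the tuple layout, the field names, and the reading of "port_pair router router" as source and destination port 520 are assumptions.

```python
# Added illustration; the tuple layout and field names are assumptions,
# not Annex internals. Ports: smtp=25, router (RIP)=520.
from ipaddress import ip_address, ip_network

def matches(criteria, pkt):
    """True when every criterion of one filter matches the packet."""
    for key, want in criteria.items():
        if key == "dst_address":
            dst = pkt.get("dst_address")
            if dst is None or ip_address(dst) not in ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(filters, direction, pkt):
    """Actions applied to pkt; filters are listed local first, then global."""
    todo, inhibit = set(), set()
    include_netact = exclude_netact = False
    for f_dir, kind, criteria, actions in filters:
        if f_dir != direction:            # input and output never interact
            continue
        if "netact" in actions:           # counted when scanned, not matched
            include_netact |= kind == "include"
            exclude_netact |= kind == "exclude"
        if matches(criteria, pkt):
            (todo if kind == "include" else inhibit).update(actions)
    # Default is "none" only when an include netact was scanned and no
    # exclude netact was; otherwise the default action is netact.
    if not include_netact or exclude_netact:
        todo.add("netact")
    return todo - inhibit                 # inhibit list is subtracted last

# Constructed from Example 3 and Example 5 on this page.
EXAMPLE3 = [
    ("out", "exclude", {"proto": "udp", "src_port": 520, "dst_port": 520}, {"netact"}),
    ("out", "include", {"proto": "tcp", "dst_port": 25}, {"no_start"}),
]
EXAMPLE5 = [
    ("out", "exclude", {"proto": "tcp", "dst_address": "132.245.66.0/24"}, {"netact"}),
    ("in", "include", {"proto": "tcp", "dst_address": "132.245.33.0/24"}, {"netact"}),
]

if __name__ == "__main__":
    rip = {"proto": "udp", "src_port": 520, "dst_port": 520}
    print(evaluate(EXAMPLE3, "out", rip))   # RIP: no activity
    print(evaluate(EXAMPLE3, "out", {"proto": "tcp", "dst_port": 25}))
    print(evaluate(EXAMPLE5, "in", {"proto": "tcp", "dst_address": "132.245.33.7"}))
```

An empty result means the packet is not activity; a result containing netact means it is, and no_start alongside netact means it keeps a link up without starting a dial.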
Disallowing VCLI Service
A new syntax is supported in the services file to disallow the advertising of VCLI service:
service VCLI no
More Information from the stats -o Command
The stats -o command has been modified to give more information. In the following example, the option key has been set properly for tn3270 and LAT, but neither is enabled. In the case of LAT, resetting the disabled_modules parameter will still not enable it because the loader has disabled it, and the loader takes precedence over disabled_modules.
admin : show annex disabled_modules
disabled_modules: atalk,ipx,lat,tn3270
admin :
AppleTalk and IPX are not supported in the Communications Server release. NA and admin always display these modules as disabled. The CLI stats -o command, however, does not display them at all.
annex: stats -o
KEYED OPTIONS:
    LAT: keyed on but disabled by loader
    tn3270: keyed on but disabled by disabled_modules
    dialout/RIP/filtering: keyed off
MODULES DISABLED
    LAT, tn3270
annex:
Rotary Enhancement
You can now specify an Annex rotary that is reachable through the normal UNIX rlogin protocol. Specify either protocol=rlogin or the alternate TCP port /513 to enable this feature. (The user name and terminal type are discarded. Thus, if port_server_security is enabled, you must enter your user name and password again.) For example:
rlogin:protocol=rlogin 8-12@jdc
rlogin:8-12@jdc+132.245.33.229/513
rlogin:protocol=rlogin 8-12@jdc+132.245.33.229
rlogin:protocol=rlogin direct_camp_on=never
Year 2000 Compliance
The R10.0B release of software is Year 2000 compliant for Micro Annex XL and the Annex 3. R10.0B is Year 2000 compliant when run in self-boot mode or when run on a supported platform. The R14.2.24 host tools are Year 2000 compliant when run on a supported platform. For more information, refer to SPR 11150 in the Problems Resolved with this Release section.
Special Considerations
The R10.0 image names are as follows:
R10.0 Communication Servers:
oper.42.enet - Annex3
oper.52.enet - Micro AnnexXL
The Communications Server release does not support IPX and ARAP. After an Annex boots, the Annex parameter disabled_modules is set to ATALK and IPX. Annex configuration parameters related to these protocols are in some cases displayed and can be modified but have no effect on the operation of the Annex. For more information refer to the Known Problems section.
The smaller image size makes this release suitable for use in the existing base of installed Annex3 and Micro XL hardware.
The following is a list of supported Annex platforms/configurations:
Micro Annex: 2mb ram/1mb flash/8 serial ports
Micro Annex: 2mb ram/1mb flash/16 serial ports
Annex3: 020 mother board/2mb ram max/1mb flash/32 serial ports*
Annex3: 3mb ram/1mb flash/64 serial ports*
Annex3: 4mb ram/1mb flash/64 serial ports
* Memory limited hardware - Some of the older hardware configurations may be somewhat memory restricted when used in a heavily loaded environment. These units have a lower RAM-to-port ratio and are more likely to run out of memory when an application demands high simultaneous port usage with slip, ppp, or multiple sessions per port.
RAM is used to hold the operational image of the Annex. Loading an operational image larger in size than its predecessor results in less available memory for processes and sessions. The Communications Server image size is slightly smaller than R9.2.7, therefore upgrading from R9.2.7 would have no impact on the available RAM of the Annex. However, if the upgrade is for a memory-limited Annex running R8.0 that is used in a truly loaded environment, the additional size of the Communications Server image could cause insufficient RAM conditions to occur.
Disabling modules that are not being used can often free enough RAM to run in this situation. Disabling modules adds memory to the available RAM heap by freeing the RAM that was used to store the operational code of the module being disabled. Refer to the Administrator's Guide for more information regarding disabling modules.
Table 1 lists the modules that may be disabled in the Communications Server release and the approximate RAM savings in kilobytes for each module.
Table 1 RAM Saved by Disabling Modules
Module Disabled    Savings
Admin              >1
Dialout            4
Ftpd               >1
Lat                74
SNMP               81
Slip               9
tn3270             >1
tstty              >1
ppp                50
fingerd            2
name server        12
vci                50
edit               23
Memory Usage Example
A CLI port with 2 active telnet sessions requires 13.5k: 4.5k for the CLI and 9k for the two telnet sessions.
The Annex defaults ports to CLI mode. Setting unused ports to a mode of UNUSED saves 4.5k per port. Administrators can monitor memory with the CLI stats command. See the example below and the Administrator's Guide for more detail.
Example:
Memory: total=3145728 avail=1929944 free=882320 min free=785112 fails=0
total      The total installed RAM
avail      The total available RAM after an image is loaded
free       The current free memory available for general consumption
min free   The lowest value the free pool has obtained since the Annex was booted
fails      Memory was requested but not available.
When configuring a dialout route, you must set the metric for the dialout route to exactly the same value as the metric on all the ports for which the dialout is defined. By default, all metrics are 1.
Supported Platforms
The Distribution media contains binary files for most of the supported platforms. When the script detects that there are binary files for the host operating system, it gives you the option of installing the binary files or loading the source code and compiling the software at a later time. If there are no binary files available, the script loads the source code and uses an available compiler on the host system to build the image. If the script does not identify a compiler on your system, it ends the installation session.
Table 2 lists the operating system versions supported by R10.0 and the binary files that are provided on the distribution media.
Table 2 Operating System Support
Operating System                 Files Available
Sun Microsystems SunOS 4.1.4     Binary files and source code
Sun Microsystems SunOS 4.1.3     Binary files
Solaris 2.5.1                    Binary files
Solaris 2.4                      Binary files and source code
IBM RS/6000 AIX 4.2              Binary files and source code
Hewlett-Packard HP-UX 10.20      Binary files and source code
Hewlett-Packard HP-UX 10.0       Binary files
Linux 2.0.34                     Binary files and source code
Known Problems
The modems.annex file Cardinal V.34, Cardinal 56K, Motorola voice/modemsurfer 56K, Penril V.34, Practical Perf V.34 and 56K, US Robotics 56K, Courier V.Everything, and Zoom 56K. If you have a modem from another vendor, you may have to update the modems.annex file.
Annex Manager R2.3 may incorrectly display IPX and AppleTalk as enabled software options in the Annex Info dialog box. The Communications Server release does not support either protocol. This misinformation only occurs in Annexes that have these protocols enabled in their current option key setting. Obtaining and loading a new option key eliminates the problem.
When the Motorola V.3400 modem is used with either the Micro Annex XL or the RA2000, the connection is dropped as soon as DCD is asserted by the modem. The port must be configured for modem control and hardware flow control:
control_lines is set to both
input_flow_control is set to eia
output_flow_control is set to eia
The modem must be configured as follows:
hardware flow control set
DSR always on
DCD to follow carrier detect
hangup and reset on loss of DTR
For the time being, forcing DCD high works but will cause a problem with the Annex terminating sessions. Since the Annex will never see DCD go low, the connections will not be terminated when users exit.
Problems Resolved with this Release
SPR 11150 The acp_logfile is now year 2000 compliant.
The year 2000 is now displayed as "00" rather than "100". If you are not installing on one of the supported host platforms and you use the acp_logfile for accounting purposes, you should be aware that after 991231 (which represents 1999/12/31) midnight, the entry in the acp_logfile will appear as 1000101 instead of 000101. If you have scripts that use this information for accounting, you need to modify those scripts to handle this properly.
SPR.8900 Dialback now works properly
SPR.8575 The modems.annex file has been updated to support USR 33.6 modems.
SPR.8702 Maximum value for erpcd max_logon parameter is now 1440 minutes.
SPR.9576 Aprint now works properly.
SPR.10447 Cardinal V.34, Cardinal 56K, Motorola voice/modemsurfer 56K, Penril V.34, Practical Perf V.34 and 56K, US Robotics 56K, Courier V.Everything, and Zoom 56K.
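For the accounting scripts mentioned under SPR 11150, one way to accept both date forms is sketched below. This is an added example, not vendor code; it assumes the 7-digit form is years since 1900 followed by mmdd, and that 2-digit years below 70 belong to 20xx.

```python
# Added example, not vendor code. Only the date stamp is parsed; the rest of
# the acp_logfile line layout is not assumed.
from datetime import date

def parse_acp_date(stamp, pivot=70):
    """Return a date for a 6-digit yymmdd or 7-digit (100+)mmdd stamp.

    Assumptions: the 7-digit form is years-since-1900 followed by mmdd,
    and 2-digit years below `pivot` belong to 20xx.
    """
    if not stamp.isdigit() or len(stamp) not in (6, 7):
        raise ValueError(f"not an acp date stamp: {stamp!r}")
    year_part, month, day = stamp[:-4], int(stamp[-4:-2]), int(stamp[-2:])
    if len(year_part) == 3:
        if year_part[0] != "1":
            raise ValueError(f"unexpected 3-digit year: {stamp!r}")
        year = 1900 + int(year_part)
    else:
        yy = int(year_part)
        year = (1900 if yy >= pivot else 2000) + yy
    return date(year, month, day)      # raises ValueError on a bad month/day

def normalize(stamp):
    """Rewrite either form as an unambiguous yyyymmdd string."""
    return parse_acp_date(stamp).strftime("%Y%m%d")

def sort_stamps(stamps):
    """Order raw stamps chronologically; a plain string sort would not."""
    return sorted(stamps, key=parse_acp_date)

# Constructed sample stamps: compliant and non-compliant hosts mixed.
SAMPLE = ["1000101", "991231", "000102", "1000103"]

if __name__ == "__main__":
    for s in sort_stamps(SAMPLE):
        print(s, "->", normalize(s))
```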
Features Not Supported in This Release
The following features are not supported by the R10.0B release of software. The Annex Administrators Guide for Unix that is sent with this release of software mentions several features which are not present in the R10.0B software release. Some (but not all) of these features are listed below:
LP and LPD
TSTTY
TMUX
Embedded RADIUS and RADIUS proxy
IPX
ARAP
Windows NT