
Text-Based Configuration and Command Line Management

Reference Guide

Compatible Systems Corporation
4730 Walnut Street
Suite 102
Boulder, Colorado 80301
303-444-9532
800-356-0283

http://www.compatible.com


Text-Based Configuration and Command Line Management Reference Guide. This document supports Router software version 4.5 and IntraPort version 5.1.X

© Copyright 2000, Compatible Systems Corporation. All rights reserved. All product names and trademarks are the property of their respective organizations.

Part number: A00-1641

Compatible Systems Support:

Phone: (303) 444-9532, (800) 356-0283
FAX: (303) 444-9595
E-mail: [email protected]
Web site: http://www.compatible.com

TABLE OF CONTENTS

Introduction ... 1
configure ... 15
[ AppleTalk <Section ID> ] ... 23
[ AppleTalk Tunnels ] ... 32
[ BGP Aggregates ] ... 34
[ BGP General ] ... 35
[ BGP Networks ] ... 36
[ BGP Peer Config <Name> ] ... 37
[ BGP Peer List ] ... 39
[ Bridging <Section ID> ] ... 41
[ Bridging Global ] ... 43
[ Command Line ] ... 46
[ DECnet <Section ID> ] ... 47
[ DECnet Global ] ... 48
[ Domain Name Server ] ... 50
[ DS3 Interface <Section ID> ] ... 51
[ Dynamic Firewall Globals ] ... 52
[ Dynamic Firewall Logging ] ... 54
[ Dynamic Firewall Path <Name> ] ... 57
[ Ethernet Interface <Section ID> ] ... 70
[ Frame Relay <Section ID> ] ... 71
[ General ] ... 75
[ HSSI Interface <Section ID> ] ... 79
[ IKE Policy ] ... 80
[ IP Loopback ] ... 81
[ IP Protocol Precedence ] ... 82
[ IP Route Redistribution ] ... 83
[ IP <Section ID> ] ... 86
[ IPX <Section ID> ] ... 97
[ IPX Tunnels ] ... 102
[ L2TP General ] ... 104
[ LDAP Auth Server ] ... 106
[ LDAP Config <Name> ] ... 108
[ Link Config <Section ID> ] ... 110
[ Logging ] ... 115
[ Multilink PPP <Name> ] ... 117
[ NAT Global ] ... 119
[ OSPF Area <Name> ] ... 123
[ OSPF Virtual Link <Name> ] ... 125
[ PPP <Section ID> ] ... 127
[ Radius ] ... 131
[ RS232 Interface <Section ID> ] ... 135
[ SecurID ] ... 137
[ SMDS <Section ID> ] ... 138
[ SNMP ] ... 139
[ SNMP CommunityString <Name> ] ... 141
[ SNMP Trap <Name> ] ... 142
[ T1 Interface <Section ID> ] ... 143
[ Time Server ] ... 147
[ Tunnel Partner <Section ID> ] ... 149
[ V.35 Interface <Section ID> ] ... 156
[ VPN Group <Name> ] ... 157
edit config ... 168
[ AppleTalk Filter <Name> ] ... 171
[ Auth ] ... 178
[ BGP Route Map <Name> ] ... 180
[ Chat <Name> ] ... 185
[ IP Filter <Name> ] ... 189
[ IP Route Filter <Name> ] ... 198
[ IP Static ] ... 202
[ IPX Filter <Name> ] ... 205
[ IPX Route Filter <Name> ] ... 209
[ IPX SAP Filter <Name> ] ... 212
[ NAT Mapping ] ... 216
[ VPN Users ] ... 218
apply(mgmt) ... 223
bgpenable(mgmt) ... 224
boot(mgmt) ... 225
enable(mgmt) ... 226
exit(mgmt) ... 228
help(mgmt) ... 229
interface(mgmt) ... 230
ipxping(mgmt) ... 231
ospfenable(mgmt) ... 233
ping(mgmt) ... 234
save(mgmt) ... 236
sys(mgmt) ... 237
tftp(mgmt) ... 240
traceroute(mgmt) ... 242
vpn tunnel(mgmt) ... 244
write(mgmt) ... 245
ip arp(add) ... 246
ip route(add) ... 247
chat(edit) ... 250
filter(edit) ... 251
appletalk(reset) ... 252
arp(reset) ... 253
bgp(reset) ... 254
config(reset) ... 255
decnet(reset) ... 256
ip(reset) ... 257
ipx(reset) ... 258
ospf nbr(reset) ... 259
resevent(reset) ... 260
securid secret(reset) ... 261
statistics(reset) ... 262
bridge(set) ... 264
ppp quality(set) ... 269
smds(set) ... 271
system log(set) ... 272
terminal(set) ... 275
wan connect(set) ... 277
wan csu(set) ... 279
wan ds3(set) ... 281
wan hssi(set) ... 282
all(show) ... 284
appletalk(show) ... 286
arp(show) ... 292
bgp(show) ... 294
bridge(show) ... 300
config(show) ... 307
decnet(show) ... 311
ethernet(show) ... 314
firewall(show) ... 317
frelay(show) ... 326
history(show) ... 328
ip(show) ... 330
ipx(show) ... 338
l2tp(show) ... 343
mppp(show) ... 345
nat(show) ... 347
os(show) ... 352
ospf(show) ... 354
ppp(show) ... 361
radius(show) ... 366
routing(show) ... 369
securid(show) ... 370
smds(show) ... 372
statistics(show) ... 375
system(show) ... 377
version(show) ... 379
vpn(show) ... 380
wan(show) ... 385
Appendix A: Default Sections and Default Values ... 403
Appendix B: Configuration Variable Types ... 408
Index ... 411

Introduction

Purpose and Scope of this Manual

The TEXT-BASED CONFIGURATION AND COMMAND LINE MANAGEMENT REFERENCE GUIDE is intended for use by the system administrator who will configure and maintain a Compatible Systems networking device. This manual includes information on the Command Line interface and documentation of the text-based configuration for most Compatible Systems devices.

Note: The only Compatible Systems devices which do not support text-based configuration are the RISC Router 3000E and the MicroRouter 1000R. Users should consult the Command Line Reference Guide which was shipped with their router for configuration and management information.

Each device is shipped with an Installation Guide which includes installation instructions and offers basic configuration parameters which will be appropriate for many network applications.

For the latest documentation on Compatible Systems products, including the most current version of this manual, visit the Technical Support section of our Web site at http://www.compatible.com.

Creating Configurations with CompatiView

All of the products in the Compatible Systems networking family can be managed from a single remote management platform called CompatiView. CompatiView provides a Graphical User Interface (GUI) and is by far the easiest way to create a configuration for a device. See the CompatiView Reference Guide for information on how to use CompatiView.

Introduction to Command Line Management and Text-Based Configuration

The Command Line Manager features text-based configuration and allows you to configure and manage the device and perform various network diagnostic functions.

Sessions can be established by directly attaching a terminal or a computer running terminal emulation software to the system Console port (the RISC Router 3000E console port is "LocalTalk/Serial A"). This connection is at 9600 Baud, 8 bits, and no parity.

Sessions can also be established by connecting via telnet to an IP address of the device. See the Installation Guide for your device for more information.

Both methods of establishing a session require that the system passwords be entered before any commands can be entered.

Configuration Section 1


The default passwords as shipped from the factory are letmein. It is strongly recommended that the password be changed using the [ General ] section. Once the passwords are set, the same passwords are used by CompatiView.

Modes of Operation

There are two modes of operation in the Command Line interface, supervisor and normal modes.

All operations that do not modify the system configuration or display critical (security related) information are permitted in normal mode. This mode of operation is protected by the password. In normal mode, the command prompt ends in a ">".

Supervisor mode is protected with the enable password. If no enable password has been configured, then the regular password will be used. There are two ways to enter supervisor mode. If a privileged command is entered, the user will be prompted for the enable password, and if successful, the user will be in supervisor mode. The other way is to use the enable command (see enable(mgmt)). The command prompt for supervisor mode ends with a "#". If there is no activity for 5 minutes, supervisor mode will time out.

Types of Commands

There are two basic types of commands, configuration commands and management commands.

Note: Some of the commands described in this manual may not exist on every system. Some of the commands are hardware-specific; if the hardware platform has no WAN interfaces, commands that are WAN-specific will not exist. Other commands are related to software features such as bridging that may not be available with all releases.

The charts on the following pages show how the commands and configuration sections are grouped within this manual.


CONFIGURATION COMMANDS

A text-based configuration is a collection of section headings followed by keywords or other data which define device settings. The configuration commands allow you to edit, create and manage these sections.

configure
This command enters the configuration editor, which allows you to add or modify configuration variables using keyword and value pairs and ensures that they are syntactically correct. As an added benefit, within the configuration editor all of the management commands are still available. The following sections are configured using the configure command:

[ AppleTalk <Section ID> ]
[ AppleTalk Tunnels ]
[ BGP Aggregates ]
[ BGP General ]
[ BGP Networks ]
[ BGP Peer Config <Name> ]
[ BGP Peer List ]
[ Bridging <Section ID> ]
[ Bridging Global ]
[ Command Line ]
[ DECnet <Section ID> ]
[ DECnet Global ]
[ Domain Name Server ]
[ DS3 Interface <Section ID> ]
[ Dynamic Firewall Globals ]
[ Dynamic Firewall Logging ]
[ Dynamic Firewall Path <Name> ]
[ Ethernet Interface <Section ID> ]
[ Frame Relay <Section ID> ]
[ General ]
[ HSSI Interface <Section ID> ]
[ IKE Policy ]
[ IP Loopback ]
[ IP Protocol Precedence ]
[ IP Route Redistribution ]
[ IP <Section ID> ]
[ IPX <Section ID> ]
[ IPX Tunnels ]
[ L2TP General ]
[ LDAP Auth Server ]
[ LDAP Config <Name> ]
[ Link Config <Section ID> ]
[ Logging ]
[ Multilink PPP <Name> ]
[ NAT Global ]
[ OSPF Area <Name> ]
[ OSPF Virtual Link <Name> ]
[ PPP <Section ID> ]
[ Radius ]
[ RS232 Interface <Section ID> ]
[ SecurID ]
[ SMDS <Section ID> ]
[ SNMP ]
[ SNMP CommunityString <Name> ]
[ SNMP Trap <Name> ]
[ T1 Interface <Section ID> ]
[ Time Server ]
[ Tunnel Partner <Section ID> ]
[ V.35 Interface <Section ID> ]
[ VPN Group Config <Name> ]

edit config
This two-word command allows you to create and manage complex lists such as filter and chat sections. These special sections do not have keyword and value pairs. The edit config command can also be used as a line editor for the entire configuration. The list that follows includes sections which are configured using the edit config command. Some of these sections can also be configured using the edit command (see the edit section under Management Commands).

[ AppleTalk Filter <Name> ]
[ Auth ]
[ BGP Route Map <Name> ]
[ Chat <Name> ]
[ IP Filter <Name> ]
[ IP Route Filter <Name> ]
[ IP Static ]
[ IPX Filter <Name> ]
[ IPX Route Filter <Name> ]
[ IPX SAP Filter <Name> ]
[ NAT Mapping ]
[ VPN Users ]


MANAGEMENT COMMANDS

The management commands allow you to perform a variety of diagnostic and management operations. In this manual, the management commands are broken down into the following sections, and the commands are alphabetized within the sections:

mgmt
Miscellaneous management commands that don't fit into other sections.

apply - Apply config without restart
bgpenable - Enable BGP
boot - Restart the device
enable - Enable privileged commands
exit - Exit the command loop parser
help - Display context-sensitive online help info
interface - Set current interface
ipxping - Ping a remote machine over IPX
ospfenable - Enable OSPF
ping - Ping a remote machine
save - Save edited config
sys - Various system related commands
tftp - Initiate TFTP software downloads
traceroute - Route tracing to remote machine
vpn tunnel - Establish or tear down a LAN-to-LAN tunnel
write - Write config to Flash

add
Runtime commands to add IP entries.

ip arp - Add a static IP ARP cache entry
ip route - Add a static IP route

edit
Commands to edit complex lists and the format of those lists. Note: The function of these "legacy" commands is duplicated by the edit config command.

chat - Create and edit chat scripts
filter - Create and edit protocol filter sections

reset
Commands to delete items from tables and simple lists, and commands to manage configurations and statistics kept by the system.

appletalk - AppleTalk statistics and tables
arp - Delete ARP table entries
bgp - Reset BGP session
config - Restore flash config deleting any changes
decnet - Delete DECnet routing table entries
ip - Reset IP statistics and tables
ipx - Delete entries from IPX tables
ospf nbr - Reset OSPF adjacency with a neighbor
resevent - Clear restart event information
securid - Reset SecurID secret
statistics - Reset statistics


set
Commands to set certain runtime configuration parameters.

bridge - Set bridge config parameters
ppp - Set PPP protocol settings
smds - Enable or disable SMDS keepalive
system - Set system parameters
terminal - Set Terminal parameters
wan - Set WAN and AUX port hardware parameters

show
Commands to display tables and configuration parameters.

all - Complete configuration
appletalk - AppleTalk config, status and statistics
arp - ARP table
bgp - BGP config and statistics
bridge - Bridge config, status and statistics
config - Show device configuration
decnet - DECnet config and routing
ethernet - Ethernet information
firewall - Firewall config and statistics
frelay - Frame Relay config and statistics
history - Command history
ip - IP config and statistics
iprouting - Runtime IP route filters
ipx - IPX config and routing
ipxrouting - Runtime IPX route filters
ipxsap - Runtime IPX SAP filters
l2tp - L2TP config and statistics
mppp - Multilink PPP config and statistics
nat - NAT config and statistics
os - Operating system information
ospf - OSPF config and statistics
ppp - PPP information
radius - Radius config and statistics
routing - Routing tables
securid - SecurID statistics and servers
smds - SMDS config and statistics
statistics - Statistics
system - General system information
version - General device info
vpn - VPN config and statistics
wan - WAN port information

Command Parsing

Commands are parsed as a sequence of words on a single line of input. A long line may be split by escaping the new line (see below). The commands and subcommands are compared with the minimal set of characters needed to form a unique command. If extra characters beyond the unique subset are entered, they must also match.

Escape sequences (\x) are provided to embed control characters and other input. The following escape sequences are supported:

\n  Insert a new line.

\t  Insert a tab.

\ <space>  Follow the backslash with a space to insert a space.

\"  Insert a " (double quote).

\<octal digits>  Insert a single control character by entering its ASCII code as an octal number.

\<new line>  Continue a long line of input across multiple lines. The new line will be converted to a single space character.

\\  Insert a backslash.

White space between command arguments is truncated to a single space after parsing. Embedded spaces and tab characters may be entered using the following rule.

"<text in quotes...>"  White space (spaces and tabs) may be preserved by placing text in quotes. No escape sequences are expanded except \".

The sys echo command may be used to test command parsing rules. See sys(mgmt) for a more complete description.
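The parsing rules above (escape sequences, quoting, white-space collapsing and unique-prefix command matching), implemented as an added Python example. This is not Compatible Systems code and does not claim to reproduce the device's parser byte for byte; where the guide is silent the code makes a labelled assumption: an octal escape takes at most three digits, an exact command name wins over a longer prefix match (so "ip" is not ambiguous with "ipx"), and a dangling backslash or unknown escape is rejected. The show subcommand list is the one from the chart above.

```python
"""Tokenizer and unique-prefix command matcher following the guide's Command
Parsing rules.  Added example, not Compatible Systems code; where the guide is
silent the behaviour is an assumption and is marked as such."""

# Single-character escapes from the guide: \n \t "\ " \" and \\ .
ESCAPES = {"n": "\n", "t": "\t", " ": " ", '"': '"', "\\": "\\"}
OCTAL = "01234567"

# "show" subcommands as listed in the management commands chart.
SHOW_SUBCOMMANDS = [
    "all", "appletalk", "arp", "bgp", "bridge", "config", "decnet", "ethernet",
    "firewall", "frelay", "history", "ip", "iprouting", "ipx", "ipxrouting",
    "ipxsap", "l2tp", "mppp", "nat", "os", "ospf", "ppp", "radius", "routing",
    "securid", "smds", "statistics", "system", "version", "vpn", "wan",
]


def tokenize(line: str) -> list:
    """Split one logical input line into arguments.

    Unquoted runs of white space separate arguments (so they collapse to a
    single boundary); \\x escapes are expanded; \\<octal> gives one control
    character; backslash-newline continues the line as a single space; inside
    "..." white space is kept verbatim and only \\" is expanded.
    """
    args, cur, in_arg = [], [], False
    i, n = 0, len(line)
    while i < n:
        c = line[i]
        if c == '"':
            in_arg = True
            i += 1
            while i < n and line[i] != '"':
                if line[i] == "\\" and i + 1 < n and line[i + 1] == '"':
                    cur.append('"')          # the only escape honoured in quotes
                    i += 2
                else:
                    cur.append(line[i])
                    i += 1
            i += 1                            # skip the closing quote
        elif c == "\\":
            i += 1
            if i >= n:                        # assumption: guide does not define this
                raise ValueError("dangling backslash")
            e = line[i]
            if e == "\n":
                # Line continuation: becomes one space, i.e. an argument boundary.
                if in_arg:
                    args.append("".join(cur))
                cur, in_arg = [], False
                i += 1
            elif e in OCTAL:
                j = i                         # assumption: at most three octal digits
                while j < n and j - i < 3 and line[j] in OCTAL:
                    j += 1
                cur.append(chr(int(line[i:j], 8)))
                in_arg = True
                i = j
            elif e in ESCAPES:
                cur.append(ESCAPES[e])
                in_arg = True
                i += 1
            else:                             # assumption: unknown escapes are errors
                raise ValueError(f"unknown escape \\{e}")
        elif c in " \t":
            if in_arg:                        # end the current argument
                args.append("".join(cur))
                cur, in_arg = [], False
            i += 1
        else:
            in_arg = True
            cur.append(c)
            i += 1
    if in_arg:
        args.append("".join(cur))
    return args


def resolve(word: str, commands) -> str:
    """Return the command that `word` abbreviates.

    A command is accepted on the minimal prefix that makes it unique, and any
    extra characters typed must also match.  Assumption: an exact name wins
    even when it is also a prefix of another command (ip versus ipx).
    """
    if word in commands:
        return word
    hits = [c for c in commands if c.startswith(word)]
    if len(hits) == 1:
        return hits[0]
    if not hits:
        raise ValueError(f"unknown command {word!r}")
    raise ValueError(f"ambiguous command {word!r}: {', '.join(hits)}")


if __name__ == "__main__":
    # Constructed input illustrating each rule.
    for part in tokenize('sys  echo "keep  this" c\\ d \\101\\t'):
        print(repr(part))
    print(resolve("st", SHOW_SUBCOMMANDS))
```

Feeding the same strings to the device's sys echo command is the way to confirm or refute each assumption against the real parser.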

MODIFYING CONFIGURATIONS

Configuration modification is a privileged operation that requires the user to be in supervisor mode. After a command modifies a configuration, subsequent command prompts will be preceded by a star (*).

Most commands that modify configurations only modify a local configuration buffer which must be saved using the save command (see save(mgmt)). The effects of the few commands which can modify a runtime system configuration will only be remembered until the system is restarted. There are some runtime commands which do not have equivalent permanent configurations.

Because there is only one configuration buffer for the system, only one person can modify a configuration at any time. The second person who tries will get a message letting them know this and they will not be able to edit. If a telnet session is disconnected, it is possible to attach to the modified configuration using the sys attach command (see sys(mgmt)).

Configuration Sections

All sections are uniquely identified by their section name. All section names begin with a fixed string. However, some section names also have variable portions. In this manual, each manual page will have the section name in the upper left or right hand corner of the page. The section name will appear within square brackets ([ ]), as in the device’s configuration.

In the manual, section names with variable portions will appear with the variable portion contained in angle brackets (< >) as follows:

[ Chat <Name> ]

[ IP <Section ID> ]

As illustrated, the variable portion of the section name may be a name or a section ID.

The sections which expect names require a character string to uniquely identify the object being defined in that section. The name must be between one and 16 alphanumeric characters, including any spaces. If the name includes spaces or special characters, it must be enclosed in quotes (""). Section names are not case-specific.

The sections which expect a section ID require a port identifier string. For more information on valid section IDs see Appendix A - Default Sections and Default Values.

Within the device’s configuration, a complete section name, including the variable portion, must be unique. Duplicate section names are ignored by the device and only the first occurrence is used.

There are three types of sections: port-specific sections, general sections, and special sections.

Port-Specific Sections

Port-specific sections of the device’s configuration are used to configure parameters for a specific interface (e.g., WAN 0, Ethernet 0, STEP 0, etc.) or type of interface if using the device’s hierarchical parsing capabilities (e.g., WAN, Ethernet, STEP, AppleTalk, etc.). For more information on hierarchical parsing, see Appendix A. If the device is a multislot product such as a VSR or IntraPort Enterprise, both the slot number and the interface number must be given, separated by a colon (e.g., Ethernet 0:0 indicates Slot 0, Ethernet 0, while Ethernet 0:1 indicates Slot 0, Ethernet 1). If no slot number is indicated, then Slot 0 is assumed.

All port-specific sections require a section ID as part of the section name. They are the only sections which have a section ID. The data in port-specific sections is made up of keyword and value pairs. The device uses hierarchical parsing.

Configuration Section 7

Page 14: Text-Based Configuration and Command Line Management ... · PDF fileText-Based Configuration and Command Line Management Reference Guide ... Text-Based Configuration and Command Line

Introduction

General SectionsGeneral sections of the device’s configuration are also collections of keyword and value pairs, but they differ from port-specific sec-tions in that they do not configure a port and there is no hierarchi-cal parsing of sections. The settings in general sections are usually global to the device.

Special SectionsSpecial sections of the device’s configuration are different from the other two types of sections in that they have no keyword and value pairs. These sections are configured using the edit config command instead of the configure command. The data portion of a special section is unique to each section type. The manual page for each of these sections describes the syntax of the data in the section and its usage. Special sections generally are filter lists, chat scripts, or other databases that don't lend themselves to the constraints of the keyword and value pairs.

Keywords

Each manual page of a port-specific or general section contains a brief description of the section as a whole, followed by a list of all of the keywords that are valid in that section.

The keywords are paired up with a value, usually on a single line of the configuration. Some keywords want specific values (i.e., labels); others want arbitrary text strings as values. Keywords are separated from their values by an equal sign (=).

Keyword = Some Value

On each manual page describing keywords, the keyword is in bold and the type of value that it expects is listed. Arbitrary text strings are in italics.

IPAddress = IP Address

Labels are enclosed in square brackets ([ ]) and are separated by a vertical bar ( | ), meaning you can use one of the values.

Mode = [ Routed | Bridged | Off ]

The keyword and value pair is followed by a description of the keyword’s function.


Configuration Syntax for General and Port-Specific Sections

A section contains a unique section title which is enclosed in square brackets ([ ]), followed by the data in the section.

[ Some Section Title ]
The data in the section

A section title must begin in the first column of a line in the configuration in order to be parsed correctly. If the section begins in any other column, it will be ignored and its data will be included with the previous section.

A section may contain blank lines or comments and continues from its title until the next section title.

[ This is one section ]
and its data

[ Here is another section ]
and its data

  [ This is an invalid section ]
its data will be included with the previous section

Comments

Comments and blank lines may occur anywhere in a configuration. If you create your own configuration files, you are encouraged to make them as readable as possible.

Comments begin with a pound sign (#) and continue until the end of the line.

# This is a comment
[ New Section ] # So is this

Keyword/Value Pairs

If a section has keyword and value pairs, the keyword portion of the value pair must begin in column 1 at the beginning of a line in the data portion of that section. Some keywords may occur multiple times in the same section, but most may not. Of those that may not, only the first keyword/value pair in that section will be recognized; later ones will be ignored.

Keywords with Boolean values will accept any version, such as On/Off; True/False; 1/0; Yes/No.

The keyword must be fully spelled out, but its case does not matter. An equal sign (=) is used to separate the keyword from its value. Any amount of white space may be used between the equal sign and the keyword and/or value. The following keywords all have valid syntax.

keyword1 = value
keyWORD2=value
KEyWorD3 =value


See Appendix B - Configuration Variable Types for more information on values and variable types.

An example configuring the IP protocol on Ethernet 0 follows:

[ IP Ethernet 0 ]
Mode = Routed
IPAddress = 198.41.12.1
SubnetMask = 255.255.255.0
IPBroadcast = 198.41.12.255

# RIP is defined below
RIPVersion = V1 # V1 means version 1 of RIP.
RIPOut = TRUE
RIPIn = TRUE
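As an added example (not code from the guide or from Compatible Systems), a small Python reader that applies the parsing rules stated above to a constructed sample built from the [ IP Ethernet 0 ] example: section titles recognized only in column 1, # comments, case-insensitive keywords, first occurrence wins for duplicate keywords, multi-valued keywords such as Zone, and the Boolean spellings the editor accepts. The set of multi-valued keywords and the handling of a repeated section title are assumptions (the guide names only Zone and does not cover repeated titles); the value of such a reader is that it reports a title that has slipped out of column 1 instead of silently folding its data into the previous section.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A section title is only recognized when '[' is in column 1 (anchored, no leading space).
SECTION_RE = re.compile(r"^\[\s*(?P<title>[^\]]+?)\s*\]\s*$")
# Keyword in column 1, any amount of white space around the '='.
KEYWORD_RE = re.compile(r"^(?P<key>\w+)\s*=\s*(?P<value>.*?)\s*$")

# Boolean spellings the guide lists; anything else is a parse failure.
BOOLEAN_WORDS = {"true": True, "on": True, "1": True, "yes": True,
                 "false": False, "off": False, "0": False, "no": False}


def parse_boolean(text: str) -> bool:
    try:
        return BOOLEAN_WORDS[text.strip().lower()]
    except KeyError:
        raise ValueError(f"Boolean parse failed, {text!r}") from None


@dataclass
class Section:
    title: str                                   # as written, white space collapsed
    line: int                                    # line number of the title
    values: dict = field(default_factory=dict)   # lowercase keyword -> str, or list if multi-valued


def strip_comment(line: str) -> str:
    """'#' starts a comment anywhere on the line; leading white space is preserved."""
    return line.split("#", 1)[0].rstrip()


def parse_config(text: str, multi_valued=frozenset({"zone"})):
    """Return ({lowercase title: Section}, [warnings]).

    multi_valued lists the keywords that may repeat within a section (the guide
    names Zone; the full set is device-specific, so it is a parameter here).
    For every other keyword only the first occurrence is kept, as the guide states.
    """
    sections: dict[str, Section] = {}
    warnings: list[str] = []
    current: Section | None = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = strip_comment(raw)
        if not line.strip():
            continue                                  # blank or comment-only line
        m = SECTION_RE.match(line)
        if m:
            title = " ".join(m.group("title").split())
            if title.lower() in sections:             # not specified by the guide: merge and warn
                warnings.append(f"line {lineno}: section [ {title} ] repeated, merging")
            current = sections.setdefault(title.lower(), Section(title, lineno))
            continue
        if line[0].isspace():
            # An indented '[ ... ]' or keyword is not in column 1, so the device ignores it
            # and whatever follows still belongs to the previous section.
            warnings.append(f"line {lineno}: not in column 1, ignored: {line.strip()!r}")
            continue
        if current is None:
            warnings.append(f"line {lineno}: data before any section title: {line!r}")
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            warnings.append(f"line {lineno}: not a keyword/value pair: {line!r}")
            continue
        key, value = m.group("key").lower(), m.group("value")
        if key in multi_valued:
            current.values.setdefault(key, []).append(value)
        elif key in current.values:
            warnings.append(f"line {lineno}: duplicate {m.group('key')!r} in [ {current.title} ] ignored")
        else:
            current.values[key] = value
    return sections, warnings


# Constructed sample: the guide's [ IP Ethernet 0 ] example plus a duplicate keyword
# and an indented (therefore invalid) section title.
SAMPLE = """\
# Router configuration
[ IP Ethernet 0 ]
Mode = Routed
IPAddress = 198.41.12.1
SubnetMask = 255.255.255.0
IPBroadcast = 198.41.12.255

# RIP is defined below
RIPVersion = V1      # V1 means version 1 of RIP.
RIPOut = TRUE
ripin = yes
RIPOut = FALSE       # duplicate: only the first RIPOut counts

  [ IP Ethernet 1 ]  # not in column 1: folded into the section above
Mode = Off

[ AppleTalk Ethernet 0 ]
Mode = Routed
Zone = Accounting Department
Zone = Administration
"""

if __name__ == "__main__":
    parsed, notes = parse_config(SAMPLE)
    for sec in parsed.values():
        print(f"[ {sec.title} ] (line {sec.line}): {sec.values}")
    for note in notes:
        print("warning:", note)
```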

Syntax of Special Sections

The data in special sections may contain comments and blank lines like any other section, only they do not have keyword/value pairs. These sections are configured using the edit config command. For specific syntax information about a given special section, see its manual page.

The following example shows how to define a chat script named "simple script."

[ Chat "simple script" ]
send ATDT 5551212
expect CONNECT

Saving a Configuration

Compatible Systems products use Flash ROM technology to store their operating software and configuration parameters. Flash ROMs can be rewritten tens of thousands of times and will maintain the information which has been written in them regardless of whether they are powered on or not.

Once a configuration is complete, the save command is needed to save the new or modified configuration from the configuration buffer to Flash ROM and restart the device to have the new configuration take effect (see save(mgmt)).

Note: Turning off a device in the middle of a save/restart will cause it to lose its operating software. Please wait at least 5 minutes before deciding that the save command has failed.

Transferring Configurations to the Device

All devices support a secure TFTP mechanism to transfer configuration files to and from the device. TFTP is disabled on the device by default and must be enabled using the tftp command from a console or telnet session (see tftp(mgmt)). Transfer configuration files to and from the device using an ASCII mode transfer. The remote file name must be the device type followed by ".cfg". So for a RISC Router 4000S, the file name would be rr4000s.cfg and for a MicroRouter 1200i, the file name would be mr1200i.cfg.

It is also possible to create a text-based configuration file and use CompatiView to transfer the file to and from the device. This method uses a secure transfer mechanism, preventing the configuration from being observed while it is in transit to the device. See the CompatiView Reference Guide for more information.


configure

COMMAND NAME

configure - Configuration editor to modify, delete, or add parameters.

SYNOPSIS

configure [ <section name> ]

SYNOPSIS OF CONFIGURATION EDITOR SUBCOMMANDS

list [ <options>... ]
delete <keyword>
<keyword> = <value>
<keyword> = ?
?
exit

DESCRIPTION

This manual page describes the subcommands and usage of the device's configuration editor. The configuration editor is the primary way to manage (create, modify, display, and delete) configuration parameters from the command line interface of the device. The only other way is to edit the configuration with the edit config command. The configuration editor simplifies the process of creating configurations from the console or telnet and will ensure a syntactically correct configuration.

Note: The edit config command must be used to configure special sections of the configuration, which includes tables and complex lists. See the edit config section for more information.

The configuration editor is entered by selecting a section of the configuration to modify. If the section doesn't exist in the configuration, the configuration editor will ask if you want to add the section. To indicate that you are in the configuration editor, the command line prompt will change to the section name followed by a pound sign (#). For example, when modifying parameters for the section IP WAN 0, the prompt would be:

[ IP WAN 0 ]#

The new prompt indicates that you are modifying the IP WAN 0 section of the configuration using the configuration editor. All of the subcommands of the configuration editor will now work to modify, display, delete or create configuration parameters.

The primary function of the configuration editor is to add or modify configuration variables. These variables are entered as keyword and value pairs. The configuration editor will only permit valid keywords to be added to the section being edited. Additionally, it checks to make sure that the value being entered for the keyword is a valid type and within the prescribed ranges defined by the device.

When a configuration variable has been changed with the configuration editor, the command line's configuration buffer will be changed. It is possible to reset the configuration buffer to what is stored in the permanent configuration memory or to the default settings by using the reset config command (see config(reset)). Once all changes to the configuration are complete, the save command is needed to save the modified configuration to the permanent configuration storage and restart the device so that the new configuration takes effect (see save(mgmt)).

The configuration editor has an extensive help facility that tries to guide you through your configuration. The help information for keywords will specify what type of value is expected and other information about the keyword. This is the ? command.

Within the configuration editor, all of the regular management commands are still available. For instance, if you are modifying the section IP WAN 0 and you want to see what the device's IP configuration would look like with your new changes, you can still use the show ip config command to display that information without leaving the configuration editor. This is true of all other management commands.

The configuration editor can also be used to convert old binary configuration data to the new text-based format. The configure command will automatically convert an old configuration to the new format if an old configuration is detected.

OPTIONS

Section Name

The section name is an optional parameter to the configure command. If you are already in the configuration editor and no section name is specified, the configuration editor will tell you the name of the section you are currently editing and the line on which it can be found in the configuration buffer.

Otherwise, if no section name is specified, the configuration editor will inform you that you have not specified a section and will prompt for a section name.

My Test Router# configure
You have not selected a section.
Enter '?' for a list of section names, 'help' for information about the configure command.

Enter section name (or '?', 'help'):

At this point, a list of section names can be retrieved, or a short help message can be displayed.

Enter section name (or '?', 'help'): help

Configuration parameters are grouped into "sections."
To change parameters using the configuration editor,
the section has to be selected using the configure
command.

Usage: configure <section name>


Examples:
configure ip ethernet 0
configure ppp wan 1
configure general

After you have selected the section, the prompt will
be the name of the section. At this point parameters
can be configured. Use the "list" command to display
parameters already configured or "?" for a list of
valid keywords.

My Test Router#

By entering a "?" at the section name prompt, a list of configurable sections will be generated by the configuration editor. You may choose from this list. The section name must be one of the valid configuration sections for the device, and it must be fully spelled out. No abbreviations to the section name are permitted.

When a section name has been successfully entered, either at the section name prompt or when entering the configure command, you will be in the configuration editor. The following example shows the results of successfully entering the configuration editor.

My Test Router# configure ip wan 0

Configure parameters in this section by entering:

<Keyword> = <Value>

To find a list of valid keywords and additional help
enter "?"

[ IP WAN 0 ]#

At this point all subcommands of the configuration editor will be accepted.

SUBCOMMANDS

The following subcommands are only valid from within the configuration editor. Using them at any other time will result in either a parsing error or an invalid usage message. Unlike other vendors' interfaces, all of the management commands are available within the configuration editor.

Only the subcommands unique to the configuration editor are described below. For information about the other commands, see each command’s specific manual page.

List

The list subcommand will display the section that is currently being modified by the configuration editor. The list subcommand has many options that can be used to display different aspects of the configuration section.

The list subcommand and its options are fully described in a separate manual page. See config(show) for more information.


Delete

The delete subcommand is used to delete a keyword and its associated value from the configuration. Most keywords may only appear one time in a section, and in those cases, the delete subcommand will simply display the configuration entry and the line it was found on. You will then be asked if you want to delete it.

[ IP WAN 0 ]# delete ripout
Delete 'RIPOut = TRUE', from line 31? y
*[ IP WAN 0 ]#

In the case of keywords that may (and actually do) appear multiple times within a section, each instance will be prompted as in the previous example until no more instances of the keyword exist in the section. You may delete any, all or none of the keyword/value pairs. The command will continue through all instances of the keyword regardless of your input.

If you only want to change a configured value for a keyword, then it is not necessary to use the delete subcommand. The normal keyword entry procedures described in the following section will both change and create new keywords.

Keyword/Value Entry

In the configuration editor, additions and modifications to the configuration are made by using keyword and value pairs. The real strength of the configuration editor is the ability to enter keywords in a section and ensure that the value associated with the keyword is syntactically correct. To get a list of keywords for a section, enter a ? after the section name. A keyword and value may be entered as it would appear in the configuration.

keyword = value

Unlike section names, keywords may be abbreviated to a unique subset of characters at the beginning of the keyword. Labels and values in general may not be abbreviated.

Note: The configuration editor will insert the full, unabbreviated keyword into the configuration. The configuration editor provides this service as a convenience. Labels and section names must not be abbreviated in configurations or parsing errors will occur during router initialization.

The value may be entered as a question mark (?) to find out additional information about the keyword.

*[ IP WAN 0 ]# ripin = ?
The keyword 'RIPIn' expects Boolean values:
Default: On
Valid Values: True/False, On/Off, 1/0, or Yes/No.


Similar information is displayed when an invalid value is entered.

*[ IP WAN 0 ]# ripout = foo
Command Line: 1: Boolean parse failed, 'foo'
The value 'foo' is invalid.

The keyword 'RIPOut' expects Boolean values:
Default: On
Valid Values: True/False, On/Off, 1/0, or Yes/No.

When a value is accepted, the new keyword will be inserted in the section directly below the section name, before any other items in the section. If the keyword already exists in the section, the value will be replaced, leaving the keyword where it was in the section.

If a keyword may appear more than once in a section, like the Zone keyword in an AppleTalk section, each keyword/value pair will be added to the section. If you want to change such a value, you must first delete the value and then add the new value.

Help Facilities

Within the configuration editor, several help facilities exist. To find out about valid keywords and configuration editor subcommands, enter a question mark (?).

*[ Time Server ]# ?
Valid keywords for the 'Time Server' section:

Enabled
ServerAddress
Adjust                Adjustment in minutes from server

Other useful commands:
delete <keyword>      Delete a keyword in this section
list                  Display the contents of current section
<keyword> = ?         Display more information about a keyword
help                  Information about other commands

Exiting the Configuration Editor

There is really no reason to exit the configuration editor, since all management commands are available from within the configuration editor. However, if you want to leave the editor, enter exit at the prompt.

*[ Time Server ]# exit
Leaving section editor.
*My Test Router#

Comments

Comments and blank lines may occur anywhere in a configuration. If you create your own configuration files, you are encouraged to make them as readable as possible.


Comments begin with a pound sign (#) and continue until the end of the line.

# This is a comment
[ New Section ] # So is this

EXAMPLES

In the following example session, the IP interface in a router will be configured. The router currently has the default configuration for IP.

My Test Router> sh ip config

Addresses
Port    IP Addr        Subnet           Broadcast        Flags
Ether0  disabled
Ether1  disabled
Bridge  198.41.12.1    255.255.255.0    198.41.12.255    <RIP:out,in>
Wan0    Unnumbered interface                             <RIP:disabled>
        Remote Address: 0.0.0.0                          <>
Wan1    Unnumbered interface                             <RIP:disabled>
        Remote Address: 0.0.0.0                          <>

In this example we will set an IP address for Ethernet 0 and disable the bridge interface. We will start by disabling the IP bridge interface.

My Test Router> configure ip bridge
Enter Password: password entered here...
Section 'ip bridge' not found in the config.
Do you want to add it to the config? y

Configure parameters in this section by entering:

<Keyword> = <Value>

To find a list of valid keywords and additional help
enter "?"

*[ IP Bridge ]#

Notice that the section was not found in the configuration. The configuration editor prompts to see if the section should be added. Also now that we have selected a section, the router prompt has changed. The star (*) preceding the prompt indicates that the configuration has been modified.

Now we can disable the interface.

*[ IP Bridge ]# mode = off
*[ IP Bridge ]# list
[ IP Bridge ]
Mode = Off
*[ IP Bridge ]#


The show ip config command verifies that the interface has been disabled.

*[ IP Bridge ]# show ip config

Addresses
Port    IP Addr        Subnet           Broadcast        Flags
Ether0  disabled
Ether1  disabled
Bridge  disabled
Wan0    Unnumbered interface                             <RIP:disabled>
        Remote Address: 0.0.0.0                          <>
Wan1    Unnumbered interface                             <RIP:disabled>
        Remote Address: 0.0.0.0                          <>

Note: The actual router interfaces are still running as before the changes were made. No changes take effect until they are saved using the save command (see save(mgmt)). Until saved, all changes are made in a separate buffer.

Enable the Ethernet 0 interface, using the following command sequence.

*[ IP Bridge ]# configure ip ethernet 0
Section 'ip ethernet 0' not found in the config.
Do you want to add it to the config? y

Configure parameters in this section by entering:
<Keyword> = <Value>

To find a list of valid keywords and additional help
enter "?"

*[ IP Ethernet 0 ]# mode = routed
*[ IP Ethernet 0 ]# ipaddr = 10.0.0.1
*[ IP Ethernet 0 ]# subnet = 255.255.255.0
*[ IP Ethernet 0 ]# list
[ IP Ethernet 0 ]
SubnetMask = 255.255.255.0
IPAddress = 10.0.0.1
Mode = Routed
*[ IP Ethernet 0 ]#

The preceding example shows the minimal set of parameters needed to enable an IP router interface. The show ip config command verifies the configuration.

*[ IP Ethernet 0 ]# show ip config

Addresses
Port    IP Addr        Subnet           Broadcast        Flags
Ether0  10.0.0.1       255.255.255.0    10.0.0.255       <RIP:out,in>
Ether1  disabled
Bridge  disabled
Wan0    Unnumbered interface                             <RIP:disabled>
        Remote Address: 0.0.0.0                          <>
Wan1    Unnumbered interface                             <RIP:disabled>
        Remote Address: 0.0.0.0                          <>

Notice that the RIP routing protocol and broadcast address are configured, even though they are not explicitly listed in the configuration.

The list subcommand has a cooked mode to display all of the important parameters in the configuration. By adding the cook and mark options the list subcommand will tell us parameters that we have entered which are different from the router's default values. See config(show) for a complete description of these and other features.

*[ IP Ethernet 0 ]# list cook mark
[ IP Ethernet 0 ]
Mode = Routed                # Default=> Bridged
IPAddress = 10.0.0.1         # Default=> 0.0.0.0
SubnetMask = 255.255.255.0   # Default=> 0.0.0.0
IPBroadcast = 0.0.0.0
RIPVersion = V1
OutFilters =
InFilters =

Now that we are satisfied with the configuration, it must be written to the permanent configuration storage area in the router. The save command initiates that process and restarts the router (see save(mgmt)).

*[ IP Ethernet 0 ]# save
Save configuration to flash and restart router? y

(Router writes configuration information and restarts....)

Note: Turning off a device in the middle of a save/restart will cause it to lose its operating software. Please wait at least 5 minutes before deciding that a download has failed to be stored in Flash ROM.

SEE ALSO

edit config, config(reset), config(show), save(mgmt)


[ AppleTalk <Section ID> ]

This section is used to configure AppleTalk parameters for a device. Compatible Systems devices support AppleTalk Phase 1 and AppleTalk Phase 2, and "transitional routing" between the two. AppleTalk Phase 1 is an earlier version of the AppleTalk protocol. We recommend that all new AppleTalk installations use AppleTalk Phase 2.

Keywords recognized in this section are described below.

Mode = [ Routed | Bridged | Off ]

The Mode keyword describes the method the device is to use to handle AppleTalk packets when received by the device.

Routed enables the port of the device. It specifies that the device is attached to a routed network and the device will forward packets to its other ports if it is a router or to the virtual private networks if it is a VPN access server. If the device is a router, packets are forwarded by looking up the network address in the device’s routing table maintained by AppleTalk RTMP (Routing Table Maintenance Protocol). If the device is a VPN access server (IntraPort class) packets are forwarded to the virtual private network depending on the access parameters and settings of the users that are attached to the server. It will use the routing table maintained by RTMP to forward packets from the virtual private network to the local area network.

Bridged enables the port of a router to be attached to a bridged network and forward packets based on the physical address using the router’s bridge cache maintained through the IEEE Spanning Tree Protocol or through active listening. The VPN access servers do not support this mode. If Bridged is specified, bridging must be enabled globally in the router in the [ Bridging Global ] section and on the interface in the [ Bridging <Section ID> ] section. It is possible to assign an AppleTalk address to the router using the AppleTalk Phase 2 Bridge section if it is to be managed by CompatiView using the AppleTalk protocol while bridging.

Off disables the port of the device. If Off is specified, then AppleTalk packets received on the interface will be silently discarded.

Seed = [ Seed | Auto | NoSeed ]

The Seed keyword specifies whether the interface will function as the seed Ethernet interface for the attached network. When set to Seed, the interface provides network number and zone information to the network attached to the interface. The network number and zone name must be specified using keywords documented later in this section. Before seeding, the device will listen to the network for existing network number and zone information. This existing information takes precedence over the configured information if found to be different.


Auto specifies that the AppleTalk interface be an autoseed interface. Autoseed means the device will listen for a network range being set by another router on the segment connected to this interface and use this range if it exists. If it doesn't discover a range, the device will automatically generate a valid number using the AppleTalk Routing Table discovered by listening for 15 seconds.

NoSeed specifies that the AppleTalk interface be a non-seed interface. NoSeed means the device will listen for an AppleTalk network range being set by another router on the segment connected to this interface and use this range if it exists. It will wait indefinitely until a range is set by another router on the segment.

NetLower = Number

The NetLower keyword specifies the lower network number in a range of AppleTalk network numbers for a seed Ethernet interface, or the single network number for a numbered WAN interface. This keyword is ignored if the interface isn't configured as either a seed Ethernet interface or numbered WAN interface.

The network number must be between 1 and 65,279. Each network number will support up to 253 node addresses. For all types of Ethernet interfaces being seeded, the NetLower and the NetUpper keywords must be specified. For Phase 2 Ethernet interfaces, the two values may be equal. For Phase 1 Ethernet interfaces, they must be equal.

Accidental selection of an AppleTalk network number (or range of numbers) which is already in use on another network segment may cause hard-to-diagnose problems. You should carefully track which AppleTalk network numbers are in use, and where. The show appletalk command can help in tracking your network configuration (see appletalk(show)).

NetUpper = Number

The NetUpper keyword specifies the upper network number in a range of AppleTalk network numbers for a seed Ethernet interface. This keyword is ignored if the interface isn't configured as a seed Ethernet interface. The network number must be between 1 and 65,279. Each network number will support up to 253 node addresses. For all types of Ethernet interfaces being seeded, the NetLower and the NetUpper keywords must be specified. For Phase 2 Ethernet interfaces, the two values may be equal, but for Phase 1 Ethernet interfaces, they must be equal.

Accidental selection of an AppleTalk network number (or range of numbers) which is already in use on another network segment may cause hard-to-diagnose problems. You should carefully track which AppleTalk network numbers are in use, and where. The show appletalk command can help in tracking your network configuration (see appletalk(show)).


Node = Number

The Node keyword lets you provide a suggestion for the node number the device should use when performing its dynamic node probing when starting up. On WAN interfaces it specifies the exact number to be used for the AppleTalk node number since dynamic node probing isn't performed on WAN interfaces. The value must be between 1 and 253. On Frame Relay WAN interfaces a unique node number must be assigned to the interface.

Note: Since AppleTalk on Ethernet claims node numbers dynamically at start up, assigning known AppleTalk node numbers to an interface can make it easier to diagnose network problems using a network packet monitor.

DefZone = String

The DefZone keyword defines the default AppleTalk zone name for Phase 2 Ethernet interfaces and the single zone name that can be defined for WAN and Phase 1 interfaces. This keyword must be used on Phase 2 and Phase 1 interfaces configured to seed, and on WAN interfaces configured to be numbered, otherwise it will be ignored.

Zone names may be up to 32 characters in length and may include spaces. If you wish to add other zones to the zone list for the extended network (Phase 2 only), use the Zone keyword in this section.

Zone = String

The Zone keyword lets a zone list be specified for extended (Phase 2) interfaces. Only extended Ethernet interfaces (Phase 2 Ethernet) which you set to seed can have zone lists specified for them. Use this keyword multiple times to define a complete zone list for the interface. This keyword will be ignored if specified in a nonextended (Phase 1 or WAN) interface.

Typically, zone names are chosen which have some significance to the physical location or the corporate purpose of the network segment. An example would be "Accounting Department" or "Administration." These names will appear in the Chooser for Macintoshes on the network.

Note that this keyword is not used to specify the interface's zone name. The keyword DefZone, documented in this section, allows specification of either the default zone name for an extended interface (Phase 2) or the interface’s zone name for a nonextended interface (Phase 1).

Numbered = [ On | Off ]

The Numbered keyword specifies whether the wide area network connected to this interface will have an AppleTalk network number associated with it. If On is specified, then you must set an AppleTalk network number and zone for this WAN interface. See the NetLower and DefZone keywords.

Many wide area network connections are simple point-to-point links. These links do not generally require a network number because there are only two devices on the link. All traffic sent from one end is, by definition, destined for the other end. You generally do not need a numbered WAN interface if you are using the PPP transport protocol.

In contrast, Frame Relay networks may have a number of participating routers connected through a single physical interface. Because of this, use of the Frame Relay transport protocol requires a numbered WAN interface.

Updates = [ Periodic | Triggered ]
The Updates keyword specifies the way in which the device sends AppleTalk RTMP information over the link. When updates are designated as Periodic, the device will send RTMP packets over the link every 10 seconds. These periodic update packets will cause a WAN interface set for dial-on-demand operation to either stay up indefinitely or to continuously dial, connect, and then drop the connection. When updates are designated as Triggered, the device will modify the standard AppleTalk RTMP behavior for this interface to send AppleTalk RTMP packets only when there has been an update to its routing table information, or when it has detected a change in the accessibility of the next hop router.

RemoteNet = Number
The RemoteNet keyword specifies the AppleTalk net number to be assigned through PPP to a remote end node dialing into a device. This keyword along with the RemoteNode keyword allows a complete AppleTalk internet address to be specified. This address is used to provide proxy services which allow the client machine to participate as a node on one of the device's local networks. Remote end node functionality allows single client machines to use the WAN interface on a router to connect to the LAN serviced by the router. If the WAN interface is numbered, the network number specified must be the same as the network number specified in the NetLower and NetUpper keywords for the WAN interface.

RemoteNode = Number
The RemoteNode keyword specifies the AppleTalk node number to be assigned through PPP to a remote end node dialing into a router. This keyword along with the RemoteNet keyword allows a complete AppleTalk internet address to be specified. This address is used to provide proxy services which allow the client machine to participate as a node on one of the router's local networks. This number must not be the same as the value specified in the Node keyword.


NodeProxy = [ On | Off ]
The NodeProxy keyword specifies that the device dynamically reserve an AppleTalk address on Ethernet for the WAN interface. This proxy address will be used if the remote PPP AppleTalk implementation requires address negotiation (which is typical of end nodes). If you wish to seed the proxy address to a specific network or node number, use the RemoteNet and RemoteNode keywords. NodeProxy can only be specified on an unnumbered WAN interface.

OutFilters = String
The OutFilters keyword allows the named AppleTalk packet filter to be associated with the output filter interpreter of the interface. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword. Packets being transmitted on the interface will be compared against the filter list(s) specified. Any packet not explicitly allowed by the rule set is dropped silently. When more than one set is defined, the filter interpreter will process the sets in the order specified. The only rules used in this interpreter are the type, srcnet, dstnet, srcnode, dstnode and srcskt. For Name Binding Protocol (NBP) request and reply packets the NBPName, NBPType and NBPZone rules are also used. All other rules are ignored. See [ AppleTalk Filter <Name> ] for a definition of the AppleTalk packet filtering rules.

InFilters = String
The InFilters keyword allows the named AppleTalk packet filter to be associated with the input filter interpreter of the interface. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword. Packets being transmitted on the interface will be compared against the filter list(s) specified. Any packet not explicitly allowed by the rule set is dropped silently. When more than one set is defined, the filter interpreter will process the sets in the order specified. The only rules used in this interpreter are the type, srcnet, dstnet, srcnode, dstnode and srcskt. For NBP request and reply packets the NBPName, NBPType and NBPZone rules are also used. All other rules are ignored. See [ AppleTalk Filter <Name> ] for a definition of the AppleTalk packet filtering rules.


OutRTMPFilters = String
The OutRTMPFilters keyword allows the named AppleTalk filters to be associated with the output RTMP (Routing Table Maintenance Protocol) filter interpreter of the interface. RTMP tuples (AppleTalk network numbers) originating on the interface will be filtered with these rules. The only rules used in this interpreter are the network and net-range rules. All other rules are ignored. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword. See [ AppleTalk Filter <Name> ] for a definition of the AppleTalk packet filtering rules.

InRTMPFilters = String
The InRTMPFilters keyword allows the named AppleTalk filters to be associated with the input RTMP filter interpreter of the interface. RTMP tuples (AppleTalk network numbers) received on the interface will be filtered with these rules. The only rules used in this interpreter are the network and net-range rules. All other rules are ignored. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword. See [ AppleTalk Filter <Name> ] for a definition of the AppleTalk packet filtering rules.

GetZoneFilters = String
The GetZoneFilters keyword allows the named AppleTalk filters to be associated with the Get Zone List (GZL) filter interpreter of the interface. The interpreter allows the filtering of outgoing GZL replies on an interface. These replies contain the zone list displayed by the Chooser on a Macintosh when it is opened. This interpreter will allow control of the zones that are seen on a Macintosh behind a device. The only rules used in this interpreter are the network, net-range and zone rules. All other rules are ignored. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword. See [ AppleTalk Filter <Name> ] for a definition of the AppleTalk packet filtering rules.


ZIPReplyFilters = String
The ZIPReplyFilters keyword allows the named AppleTalk filters to be associated with the ZIP reply filter interpreter of the interface. The ZIP reply interpreter allows incoming zone names in ZIP reply packets to be filtered. ZIP reply packets are used between routers and access servers to exchange the zone names for the networks kept in their routing tables. These devices are required to maintain a zone list for each of the networks maintained in the AppleTalk routing table and receive the zone name from an upstream router advertising the network. Extended networks allow more than one zone name to be associated with the range, even if it is a single range.
Note: If zone filtering for Macintosh end workstations is required, use a Get Zone List filter. If a zone list is restricted in an upstream router with a ZIP reply filter, then the downstream routers will receive the filtered zone list for the network and subsequent downstream routers will also receive the filtered zone list.

The only rules used in this interpreter are the zone and network rules. All other rules are ignored. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword. See [ AppleTalk Filter <Name> ] for a definition of the AppleTalk packet filtering rules.

LockOut = [ On | Off ]
The LockOut keyword specifies an NBP filter that is applied to the physical network segment connected to the interface. Specifying On causes the device to drop any NBP lookups which are destined for this physical segment. This will protect devices on the segment from access by users on other segments.

LockIn = [ On | Off ]
The LockIn keyword specifies an NBP filter that is applied to the physical network segment connected to the interface. Specifying On causes the device to drop any NBP lookups which originate on this network segment destined for another network segment. The effect will be that users will not have access through the device to network devices on other segments.

LWFilter = [ On | Off ]
The LWFilter keyword allows a LaserWriter filter to be enabled for the interface. A LaserWriter filter protects all LaserWriters in the AppleTalk zone configured for the interface from NBP lookup by computers in other AppleTalk zones. The effect is that LaserWriter devices in the DefZone will only be visible to Macintoshes on networks with the same zone name across your AppleTalk internet.


TildeFilter = [ On | Off ]
The TildeFilter keyword allows a tilde filter to be enabled for the interface. A tilde filter protects all devices in the AppleTalk zone configured for this interface's network segment whose names end with a tilde character (~) from NBP lookup by computers in other AppleTalk zones. The effect is that ~ devices in the DefZone will only be visible to Macintoshes on networks with the same zone name across your AppleTalk internet.

StIZFilter = [ On | Off ]
The StIZFilter keyword allows a stay-in-zone AppleTalk zone filter to be enabled for the interface. Stay-in-zone filtering means the device will not forward NBP lookups which are directed from the AppleTalk zone configured for this interface's network segment to any other zone. The effect is that you will only see devices on other networks with the same zone name across your AppleTalk internet. This filter is applied based on logical AppleTalk zones rather than on physical segments. On nonextended networks (Phase 1), zone filters are applied for the AppleTalk zone configured for the network segment. On extended networks (Phase 2) they are applied to the AppleTalk default zone configured for the network segment.

Examples
The following example shows a typical AppleTalk configuration for Ethernet interfaces.

[ AppleTalk Phase 2 Ethernet 0 ]
Mode = Routed
Seed = Seed
NetLower = 4000
NetUpper = 4100
Node = 100
DefZone = "The 4000 Club"
Zone = "Accounting"

The same configuration can be viewed with the show appletalk config command, as follows.

Port    Phase  Seed  Netnum       Node  Zone Name
Ether0  1      ** Disabled **
Ether0  2      On    4000 - 4100  100   The 4000 Club
Ether1  1      ** Disabled **
Ether1  2      Auto  n/a
Bridge  1      ** Disabled **
Bridge  2      ** Disabled **
Wan0    Unnumbered interface
        Remote Address: 0:0 <Trigger>
Wan1    Unnumbered interface
        Remote Address: 0:0 <Trigger>


NBP Filters:
               Stay in  Lookups    Tilde    Laser-
Port    Phase  zone?    In   Out   Devices  Writers
Ether0  1      ** Disabled **
Ether0  2      Off      Off  Off   Off      Off
Ether1  1      ** Disabled **
Ether1  2      Off      Off  Off   Off      Off
Bridge  1      ** Disabled **
Bridge  2      ** Disabled **
Wan0           Off      Off  Off   Off      Off
Wan1           Off      Off  Off   Off      Off

Appletalk Zone List: Accounting

AARP Timeout: 0

See Also
appletalk(show), [ AppleTalk Filter <Name> ], [ Bridging <Section ID> ], [ Bridging Global ]
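The constraints the keyword descriptions above state (a Zone list only on a seeded extended interface, NodeProxy only on an unnumbered WAN interface, RemoteNet matching NetLower and NetUpper, RemoteNode distinct from Node, at most four double-quoted filter sets) can be checked before a configuration is loaded. The checker below is an added example, not code from the guide or the router software; the section-id conventions it keys on ("Phase 2 ..." for extended, "WAN ..." for WAN), the '#' comment syntax and the second sample section are assumptions made for illustration.

```python
import re

# Keywords that accept up to four double-quoted filter set names.
FILTER_KEYWORDS = (
    "OutFilters", "InFilters", "OutRTMPFilters", "InRTMPFilters",
    "GetZoneFilters", "ZIPReplyFilters",
)


def parse_section(text):
    """Parse one [ AppleTalk <Section ID> ] block into (section_id, values).

    values maps each keyword to the list of values given for it, since Zone
    may legitimately appear several times.  '#' starts a comment (assumption:
    zone names fed to this checker do not contain '#')."""
    section_id, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*AppleTalk\s+(.*?)\s*\]$", line)
        if header:
            section_id = header.group(1)
            continue
        key, sep, val = line.partition("=")
        if sep:
            values.setdefault(key.strip(), []).append(val.strip())
    return section_id, values


def lint_appletalk_section(text):
    """Return a list of warnings; an empty list means no rule was violated."""
    section_id, kv = parse_section(text)
    if section_id is None:
        return ["no [ AppleTalk <Section ID> ] header found"]
    first = lambda key: kv.get(key, [None])[0]

    # Assumptions: a WAN section id starts with 'WAN'; an extended Ethernet
    # section id starts with 'Phase 2', as in the guide's own example.
    is_wan = section_id.upper().startswith("WAN")
    is_extended = section_id.startswith("Phase 2")
    numbered = first("Numbered") == "On"
    warnings = []

    if "Zone" in kv:
        if not is_extended:
            warnings.append("Zone is ignored on a nonextended (Phase 1 or WAN) interface")
        elif first("Seed") != "Seed":
            warnings.append("a zone list requires the extended interface to be set to Seed")

    if first("NodeProxy") == "On" and not (is_wan and not numbered):
        warnings.append("NodeProxy can only be specified on an unnumbered WAN interface")

    remote_net = first("RemoteNet")
    if is_wan and numbered and remote_net is not None:
        if remote_net != first("NetLower") or remote_net != first("NetUpper"):
            warnings.append("RemoteNet on a numbered WAN interface must equal NetLower and NetUpper")

    remote_node = first("RemoteNode")
    if remote_node is not None and remote_node == first("Node"):
        warnings.append("RemoteNode must not be the same as Node")

    for key in FILTER_KEYWORDS:
        for val in kv.get(key, []):
            names = re.findall(r'"([^"]*)"', val)
            leftover = re.sub(r'"[^"]*"', "", val).strip()
            if leftover:
                warnings.append(f"{key}: each filter set must be enclosed in double quotes")
            if len(names) > 4:
                warnings.append(f"{key}: at most four filter sets may be specified")
    return warnings


# The guide's own Ethernet example; it should produce no warnings.
GUIDE_EXAMPLE = """\
[ AppleTalk Phase 2 Ethernet 0 ]
Mode = Routed
Seed = Seed
NetLower = 4000
NetUpper = 4100
Node = 100
DefZone = "The 4000 Club"
Zone = "Accounting"
"""

# Constructed WAN section (not from the guide) that breaks several rules.
BAD_WAN_EXAMPLE = """\
[ AppleTalk WAN 0 ]
Numbered = On
NetLower = 5000
NetUpper = 5000
Node = 1
NodeProxy = On
RemoteNet = 5001
RemoteNode = 1
Zone = "Sales"
OutFilters = unquoted_name
InFilters = "a" "b" "c" "d" "e"
"""
```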


[ AppleTalk Tunnels ]
This section is used to modify AppleTalk tunneling parameters. An AppleTalk tunnel is a "virtual" AppleTalk network running between tunnel peers. Tunnel peers are defined by their IP addresses. This protocol was originally developed by Cayman Systems and is most commonly referred to as Cayman Tunnels.
Note: Newer STEP tunneling is available for AppleTalk-in-IP tunneling. This includes authentication and encryption features not available in regular AppleTalk tunnels. See the [ Tunnel Partner <Section ID> ] section for more information.

AppleTalk-in-IP tunneling is sometimes needed when a network is limited to IP traffic only, either because there are routers elsewhere on the network which do not route AppleTalk protocols, or for administrative reasons. AppleTalk-in-IP tunneling provides a solution for this problem by sending AppleTalk information across an IP internet by encapsulating AppleTalk information in IP packets. AppleTalk networks that are connected via a tunnel will communicate as if they are on the same network even though they are separated by an IP-only Ethernet backbone or internet.
Note: You must set up both ends of every tunnel. Therefore, you must repeat this setup with the other router(s) you want as participants in the tunnel.

The keywords recognized in this section are described below.

Tunnel = IP Address
The Tunnel keyword specifies the IP address of the tunneling interface of each tunnel peer with which this router will communicate using an AppleTalk-in-IP tunnel. There must be one entry for each tunnel peer and you may enter up to 32 different tunnel peers.
Note: You must configure the other tunnel peer router(s) with the IP address of the tunneling interface on this router for the tunnel to be functional.

Filter = Number
The Filter keyword controls which of the AppleTalk networks accessible through tunnels are actually made available by this router. This is done by applying the filter list to the AppleTalk RTMP packets which are received through the tunnel from other tunnel peers. Without any tunnel filters, all of the AppleTalk networks known to your tunnel peer list of routers will be advertised at this end. You can enter up to 96 different AppleTalk tunnel filters in each router.

FilterType = [ Recognize | Ignore ]
The FilterType keyword tells the router how it should treat the list of AppleTalk network numbers you have entered using the Filter keyword. If you specify Recognize, only the configured AppleTalk network numbers will be allowed through the tunnel and installed in this router's routing table. If Ignore is specified, all AppleTalk network numbers except the configured values will be allowed through the tunnel and installed in the routing table.

Examples
To create an AppleTalk-in-IP tunnel to 198.248.55.1 and filter out AppleTalk network number 57:

[ AppleTalk Tunnels ]
Tunnel = 198.248.55.1
Filter = 57
FilterType = ignore

See Also
[ AppleTalk <Section ID> ], [ Tunnel Partner <Section ID> ], appletalk(show)


[ BGP Aggregates ]
This section defines a list of networks which are to be aggregated before being advertised to external peers. The router's IP routing table must contain the networks which are a subset of the aggregate in order for the aggregate to be advertised. Only the aggregate, and not the individual routes, will be advertised to external peers. Internal peers will receive the individual routes if they originated outside the Autonomous System. Internal peers do not exchange internal routes via BGP. Keywords recognized in this section are described below.

AddrAndMask = IP address [ mask ]

The AddrAndMask keyword specifies the IP address and subnet mask of the network to be aggregated. The IP address is entered in the standard dotted-decimal notation for IP addresses. The mask field is the subnet mask of the network. The mask is entered in dotted-decimal format and has 255's for the network portion of the address and 0 for the host portion when adding a network route, and all 255's when adding a host route. If a mask is not provided, an all 255’s mask will be assumed.This keyword may appear multiple times within this section in order to specify several different networks to be aggregated.

Examples
In the following example, the single route 198.41.8.0/22 will be advertised to BGP external peers. Without the BGP Aggregates entry, the four networks would be advertised separately.

[ BGP Aggregates ]
AddrAndMask = 198.41.8.0 255.255.252.0

See Also
[ BGP Networks ], [ IP Route Redistribution ]


[ BGP General ]
This section is used to modify parameters that affect the way BGP (Border Gateway Protocol) operates. These parameters are global to the device and are not associated with a particular interface. Keywords recognized in this section are described below.

BGPEnabled = [ On | Off ]

The BGPEnabled keyword turns on BGP globally on the router. If no peers have been configured in the [ BGP Peer Config <Name> ] section, BGP will not operate on the router, even if BGPEnabled is set to On. The default is Off.

BGPAS = Number
The BGPAS keyword specifies the Autonomous System (AS) to which this router belongs. An Autonomous System is a collection of networks under a common administration sharing a common routing strategy. Autonomous Systems are subdivided by Areas. An Autonomous System must be assigned a unique 16-bit number by the American Registry for Internet Numbers (ARIN). It is not required to apply for an AS number to run BGP if an installation has only one Internet Service Provider. The ISP should provide an AS in that case. However, an "official" AS number is required for a multi-homed installation where more than one ISP is used. The BGPAS number is a required parameter.

BGPLocPref = Number
The BGPLocPref keyword sets the local preference of this router. The local preference is exchanged among routers in the same AS and is an indication about which path is preferred to exit the AS. A path with a higher local preference is more preferred. The number must be within the range of 0 to 65,535. The default is 100.

BGPUseIPRFltrs = [ On | Off ]
The BGPUseIPRFltrs keyword sets whether the router will use IP route filters instead of BGP route maps. BGP uses BGP route maps to filter routes and set attributes. If no BGP route maps have been configured in the [ BGP Route Map <Name> ] section, the router will automatically use any configured IP route filters (see the [ IP Route Filter <Name> ] section).

Examples

BGPEnabled = On
BGPAS = 1
BGPLocPref = 100
BGPUseIPRFltrs = Off

See Also
[ BGP Peer Config <Name> ], [ BGP Route Map <Name> ], [ IP Route Filter <Name> ], [ BGP Peer List ], [ IP Route Redistribution ], [ BGP Aggregates ], [ BGP Networks ], bgp(show), bgp(reset), bgpenable(mgmt)


[ BGP Networks ]
This section defines a list of routes which will be advertised as originating inside the Autonomous System this router belongs to. These may be directly connected routes, static routes, RIP routes or OSPF routes. The route must be contained in the router's IP routing table or it will not be advertised. To advertise local networks which are not in the router's own IP routing table, they must be added as static routes.
Note: The only way to get directly connected routes advertised into BGP is to include them in this list. Static, RIP and OSPF routes can also be imported into BGP by using route redistribution. See the [ IP Route Redistribution ] section for more information.

Keywords recognized in this section are described below.

LocalNet = IP address [ mask ]

The LocalNet keyword specifies a route to be advertised as originating inside the Autonomous System to which this router belongs. The IP address is entered in the standard dotted-decimal notation for IP addresses. The optional mask parameter tells the router how many bits of the IP routing table entry to match against the LocalNet IP address. This is not necessarily the actual mask of the network you wish to advertise because subnet masks more specific than Class C are automatically truncated. This truncation is not the same as aggregation, and only applies to internal networks, and only to masks more specific than Class C. For route aggregation, use the [ BGP Aggregates ] section. See the examples for more information.If a mask is not provided, an all 255’s mask will be assumed.

Examples
In the following example, the router has subnets 198.41.9.32, 198.41.9.64, and 198.41.9.96, all with mask 255.255.255.224. To get BGP to advertise one 198.41.9.0/24 network, the LocalNet entry would look like this:

[ BGP Networks ]
LocalNet = 198.41.9.32 255.255.255.255

The router will match only the 198.41.9.32 entry due to the mask. It will advertise the network as 198.41.9.0/24, since it automatically truncates subnet masks more specific than Class C. However, if you provided a mask of 255.255.255.0, the 198.41.9.0/24 net would be advertised three times, since all three of the subnets would match the LocalNet entry.

See Also
[ BGP General ], [ IP Route Redistribution ], [ BGP Aggregates ]
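The LocalNet matching and Class C truncation rules above, and the [ BGP Aggregates ] rule that an aggregate is advertised only when the routing table contains a network inside it, are easy to get wrong when reading a configuration. The code below is an added example, not the router's own logic; it models exactly what the two sections state (a missing mask is all 255's, masks longer than /24 are shortened to /24, an aggregate replaces the individual routes it covers) using the guide's own example values, and makes no claim about addresses outside the Class C range.

```python
import ipaddress


def _net(addr, mask="255.255.255.255"):
    """Build a network from a dotted-decimal address and mask; an omitted
    mask is all 255's, as both sections state."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def localnet_advertisements(routing_table, localnet_addr, localnet_mask="255.255.255.255"):
    """Networks advertised for one LocalNet entry, one per matching routing-table entry.

    The LocalNet mask says how many bits of each table entry are compared with the
    LocalNet address.  Matching entries are advertised after truncating masks more
    specific than Class C to /24.  Duplicates are kept on purpose: the guide says a
    /24 LocalNet mask would advertise the same net once per matching subnet."""
    selector = _net(localnet_addr, localnet_mask)
    advertised = []
    for addr, mask in routing_table:
        entry = _net(addr, mask)
        if entry.network_address in selector:
            prefix = min(entry.prefixlen, 24)   # Class C truncation
            truncated = ipaddress.ip_network(f"{entry.network_address}/{prefix}", strict=False)
            advertised.append(str(truncated))
    return advertised


def aggregate_advertisements(routing_table, aggregates):
    """Return (advertised, suppressed) for a list of AddrAndMask aggregates.

    An aggregate is advertised only if the routing table holds at least one
    network inside it; those individual routes are then withheld from external
    peers and reported in 'suppressed'."""
    table = [_net(a, m) for a, m in routing_table]
    advertised, suppressed = [], set()
    for addr, mask in aggregates:
        aggregate = _net(addr, mask)
        covered = [n for n in table if n.subnet_of(aggregate)]
        if covered:
            advertised.append(str(aggregate))
            suppressed.update(str(n) for n in covered)
    return advertised, sorted(suppressed)


# The guide's [ BGP Networks ] example: three /27 subnets of 198.41.9.0.
SUBNETS_27 = [
    ("198.41.9.32", "255.255.255.224"),
    ("198.41.9.64", "255.255.255.224"),
    ("198.41.9.96", "255.255.255.224"),
]

# The guide's [ BGP Aggregates ] example summarises four /24s as 198.41.8.0/22;
# the individual /24 entries are constructed here from that range.
NETWORKS_24 = [(f"198.41.{third}.0", "255.255.255.0") for third in (8, 9, 10, 11)]
```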


[ BGP Peer Config <Name> ]
This section defines configuration parameters for a single BGP peer or for a group of BGP peers of this router. Any two routers that have opened a TCP connection to each other for the purpose of exchanging BGP routing information are known as peers. Peer configurations are assigned to this router's peers in the [ BGP Peer List ] section. A peer configuration should only be used for more than one peer if all the same parameters are desired. Keywords recognized in this section are described below.

InputRouteMap = String

The InputRouteMap keyword allows a named BGP Route Map or IP Route Filter to be used for this peer configuration. No input routes will be accepted by the router unless a BGP route map or IP route filter has been defined. Route maps are configured in the [ BGP Route Map <Name> ] section. IP route filters are configured in the [ IP Route Filter <Name> ] section.

OutputRouteMap = String
The OutputRouteMap keyword allows a named BGP Route Map or IP Route Filter to be used for this peer configuration. Route maps are configured in the [ BGP Route Map <Name> ] section. IP route filters are configured in the [ IP Route Filter <Name> ] section.

NextHopSelf = [ On | Off ]
The NextHopSelf keyword sets whether the router will advertise itself as the next hop to the routes it advertises to this peer. The default is Off.

EBGPMultihop = [ On | Off ]
The EBGPMultihop keyword allows routers which are not directly connected to be peers. BGP usually requires external peers to be directly connected. If EBGPMultihop is set to On, the router must also have a route to the external peer that is not directly connected in order to establish a connection. The default is Off.

PeerWeight = Number
The PeerWeight keyword assigns an internal rating to the peer. Peers with a higher weight are preferred when multiple routes exist to the same destination. The number must be within the range of 0 to 65,535. The default is 100.

PeerRetryTime = Number
The PeerRetryTime keyword is the amount of time, in seconds, between retries to establish a connection to configured peers which have gone down for some reason. If a peer is down but its state is set to On, the router will continually try to contact the peer every PeerRetryTime seconds. The value must be at least 10 seconds. The default is 30.

PeerHoldTime = Number
The PeerHoldTime keyword is the interval, in seconds, the router will wait for an update or keepalive packet from the peer before declaring the peer down. The hold time is actually negotiated between peers, which will use the smaller of the two hold times proposed. The value must be either zero or at least 3 seconds. If the negotiated hold time interval is zero, then periodic keepalive packets will not be sent. The default is 180.

BGPUseLoopback = [ On | Off ]
The BGPUseLoopback keyword allows the router's Loopback address to be used as the IP source in TCP packets to that peer rather than a specific IP address of one of its interfaces. A LoopbackAddress must be specified in the [ IP Loopback ] section. The peer must have a route to the loopback address via normal IP routing procedures. If the address is not on a subnet already known to the peer, it must be added via a static route. The Loopback address is normally only used for internal peers, since external peers are usually directly connected. The default is Off.

AdvertiseDefault = [ On | Off ]
The AdvertiseDefault keyword sets whether the default route to this peer will be advertised to other peers. The default is Off.

Examples
The following example shows both a sample BGP Peer List and BGP Peer Config sections. In the example, Peers 198.41.11.213 and 206.14.128.2 use BGP Peer Config "Peer 1," and Peer 205.14.128.1 uses BGP Peer Config "Peer 2."

[ BGP Peer List ]
BGPPeer = On 198.41.11.213 100 Peer 1
BGPPeer = On 205.14.128.1 110 Peer 2
BGPPeer = On 206.14.128.2 120 Peer 1

[ BGP Peer Config "Peer 1" ]
InputRouteMap = bgpin1
OutputRouteMap = bgpout1
PeerHoldTime = 180
PeerRetryTime = 65
PeerWeight = 1000

[ BGP Peer Config "Peer 2" ]
InputRouteMap = bgpin2
OutputRouteMap = bgpout1
PeerHoldTime = 180
PeerRetryTime = 45
PeerWeight = 2000

See Also
[ BGP General ], [ BGP Route Map <Name> ], [ IP Route Redistribution ], [ BGP Peer List ], [ IP Loopback ], bgp(show)


[ BGP Peer List ]
This section defines a list of configured peers for this router. Routers that exchange BGP information are called BGP peers. A router may have both external peers in other Autonomous Systems (AS's), and internal peers within its own AS. Routers establish BGP sessions using the TCP protocol. Upon startup of a new BGP session, BGP peers will exchange their full routing tables, and then only incremental updates are sent as the routing table changes. The router will not establish a BGP connection with any router not on this list. If there is no BGP Peer List, BGP will not be enabled even if BGPEnabled is set to On in the [ BGP General ] section. The keywords recognized in this section are described below.

BGPPeer = String

The BGPPeer keyword specifies a BGP peer for this router. The string has the following syntax:

On | Off <IP Address> <AS Number> [ Peer Config ID ]

On | Off

This parameter determines whether the router will try to establish a BGP session with the peer at start-up. As long as this parameter is set to Off, the peer will not be contacted at start-up, although the router can still establish a BGP session with this peer when the bgpenable command is issued (see bgpenable(mgmt)). The next time the router is booted, the peer will come up in the Off state.

IP Address
This specifies the IP address of the interface which will be a BGP peer for this router. The router will contact the peer using this IP address. The router must have the network of the supplied IP address in its routing table in order for the session to be established. External peers should be directly connected to the router (usually over a WAN link). Internal peers do not need to be directly connected. The IP address is entered in the standard dotted-decimal notation for IP addresses.

AS Number
This specifies the number of the Autonomous System (AS) of the BGP peer. The router determines if a peer is internal or external based on the AS number of the peer, since internal peers have the same AS number as the router itself.

Peer Config ID
This optional parameter specifies the number of the BGP Peer Configuration to which this peer will belong. A BGP Peer Configuration is a section where various peer-specific BGP configuration items may be set. It is configured using the [ BGP Peer Config <Name> ] section. A BGP Peer Configuration section may be used for more than one peer only if all the same parameters are desired.

Examples
The following example shows both a BGP Peer List and a BGP Peer Config section. In the example, Peers 198.41.11.213 and 206.14.128.2 use BGP Peer Config "Peer 1", and Peer 205.14.128.1 uses BGP Peer Config "Peer 2".

[ BGP Peer List ]
BGPPeer = On 198.41.11.213 100 1
BGPPeer = On 205.14.128.1 110 2
BGPPeer = On 206.14.128.2 120 1

[ BGP Peer Config "Peer 1" ]
InputRouteMap = bgpin1
OutputRouteMap = bgpout1
PeerHoldTime = 180
PeerRetryTime = 65
PeerWeight = 1000

[ BGP Peer Config "Peer 2" ]
InputRouteMap = bgpin2
OutputRouteMap = bgpout1
PeerHoldTime = 180
PeerRetryTime = 45
PeerWeight = 2000

See Also
[ BGP General ], [ BGP Peer Config <Name> ], bgpenable(mgmt), bgp(show)
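The BGPPeer string syntax described above ("On | Off <IP Address> <AS Number> [ Peer Config ID ]") and the internal/external decision made from the AS number can be checked offline before a peer list is loaded. The parser below is an added example, not the router's own parser; it uses the guide's own [ BGP Peer List ] lines with the BGPAS value of 1 from the [ BGP General ] example, and the limits it enforces (an IPv4 address, an AS number of 1 to 65,535) are assumptions drawn from the guide's text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class BGPPeer:
    enabled: bool               # On | Off: contact the peer at start-up?
    address: str                # dotted-decimal IP address of the peer interface
    as_number: int              # the peer's Autonomous System number
    peer_config: Optional[str]  # optional Peer Config ID, e.g. "Peer 1" or "1"
    internal: bool              # True when the peer's AS equals this router's BGPAS


def parse_bgppeer(value, local_as):
    """Parse the value of one BGPPeer keyword.

    Syntax: On | Off <IP Address> <AS Number> [ Peer Config ID ].
    The Peer Config ID is everything after the AS number, so a name with a
    space such as "Peer 1" is kept intact.  Raises ValueError on bad input."""
    parts = value.split(None, 3)
    if len(parts) < 3:
        raise ValueError(f"BGPPeer needs at least state, address and AS: {value!r}")
    state, address, as_text = parts[0], parts[1], parts[2]
    if state not in ("On", "Off"):
        raise ValueError(f"state must be On or Off, got {state!r}")
    ipaddress.IPv4Address(address)          # raises ValueError if malformed
    # Assumption: a usable AS number is a 16-bit value from 1 to 65535.
    if not as_text.isdigit() or not 1 <= int(as_text) <= 65535:
        raise ValueError(f"AS number must be a 16-bit number, got {as_text!r}")
    as_number = int(as_text)
    peer_config = parts[3].strip() if len(parts) == 4 else None
    return BGPPeer(state == "On", address, as_number, peer_config or None,
                   as_number == local_as)


def parse_peer_list(section_text, local_as):
    """Parse every BGPPeer line of a [ BGP Peer List ] section."""
    peers = []
    for raw in section_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "BGPPeer":
            peers.append(parse_bgppeer(val.strip(), local_as))
    return peers


def peers_by_config(peers):
    """Group peer addresses by the Peer Config ID they share (None = no config)."""
    groups = {}
    for peer in peers:
        groups.setdefault(peer.peer_config, []).append(peer.address)
    return groups


# The guide's [ BGP Peer List ] example; with BGPAS = 1 (from the [ BGP General ]
# example) all three peers are external.
GUIDE_PEER_LIST = """\
[ BGP Peer List ]
BGPPeer = On 198.41.11.213 100 Peer 1
BGPPeer = On 205.14.128.1 110 Peer 2
BGPPeer = On 206.14.128.2 120 Peer 1
"""
LOCAL_AS = 1
```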


[ Bridging <Section ID> ]
This section is used to modify parameters that affect how bridging and the IEEE Spanning Tree algorithm operate on each bridge interface. Bridging of specific protocols on an interface is set in that protocol's configuration section. (See the [ AppleTalk <Section ID> ], [ DECnet <Section ID> ], [ IP <Section ID> ] and [ IPX <Section ID> ] sections.) Keywords recognized in this section are described below.

Mode = [ On | Off ]

The Mode keyword turns bridging on or off for this interface. To enable bridging on an interface, the Mode keyword in the [ Bridging Global ] section must also be set to either Learning or IEEE. See the examples below for more details.

UnknownProtocolsBridged = [ On | Off ]
The UnknownProtocolsBridged keyword indicates whether protocols which the device does not route (such as NetBEUI and DEC LAT) will be bridged on this interface. The default is On.

PortPriority = Number
The PortPriority keyword sets the IEEE 802.1D Spanning Tree protocol port priority parameter. This parameter is used to give precedence to an interface within the bridge. The port priority is combined with the interface number to create a Port ID. The interface with the numerically lowest Port ID will have precedence over interfaces with higher Port IDs. Values range from 0 to 255.

PathCost = Number
The PathCost keyword sets the IEEE 802.1D Spanning Tree protocol path cost parameter. This parameter sets the cost of using an interface and is used by the bridge to compute the distance from the root bridge. It may be used to deliberately change the topology chosen by Spanning Tree. The default value of 100 is the value recommended by the IEEE specification for 10 Mbit Ethernet interfaces. Values range from 1 to 65535.

Examples
The following example shows a sample bridging configuration, and some interaction between this section and other configuration sections.

#
# Bridging Configuration
#
[ Bridging Global ]
Mode = IEEE                 # Make sure that Bridging is on

[ Bridging Ethernet 0 ]
Mode = On
PathCost = 100

[ Bridging Ethernet 1 ]
Mode = On
PortPriority = 1


#
# Bridge IP and AppleTalk
#
[ IP Default ]
Mode = Bridged

[ AppleTalk Default ]
Mode = Bridged

It is important to remember that bridging must be turned on for the whole device in addition to turning it on in the individual interface sections. For example, to bridge IP traffic on Ethernet 0, the following parameters must be set.

[ Bridging Global ]
Mode = IEEE

[ Bridging Ethernet 0 ]
Mode = On

[ IP Ethernet 0 ]
Mode = Bridged

If all interfaces for a particular protocol are being bridged and you would like to manage the system using that protocol family, then that protocol must be Routed on the bridge port. For example, if AppleTalk is bridged on all interfaces and you want to use CompatiView on a Macintosh to configure the device, configure the AppleTalk bridge port this way:

[ AppleTalk Phase 2 Bridge ]
Mode = Routed

If IP is bridged on all interfaces and you want to use CompatiView or telnet to the device, configure the IP bridge port as follows. When configured this way, you can telnet to the IP address noted.

[ IP Bridge ]
Mode = Routed
IPAddress = 192.15.1.1
SubnetMask = 255.255.255.0
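The three-way interlock above (a protocol's Mode = Bridged on an interface, Mode = On in that interface's [ Bridging <Section ID> ] section, and IEEE or Learning in [ Bridging Global ]) is the usual reason bridged traffic silently does not flow. The following is an added example, not code from the guide or from Compatible Systems: a small parser for the [ Section ] / Key = Value format used throughout this reference (repeated keys and # comments included) and a check that reports any protocol interface marked Bridged without the two supporting settings, plus the documented value ranges for [ Bridging Global ]. The sample configuration it runs against is constructed for the example, with [ Bridging Ethernet 1 ] deliberately left out.

```python
"""Parser and consistency check for the guide's text-based configuration format.

Added example, not Compatible Systems code. The SAMPLE text is constructed.
"""
import re

SECTION_RE = re.compile(r"^\[\s*(.*?)\s*\]$")
BRIDGEABLE = ("ip", "appletalk", "decnet", "ipx")
# value ranges documented for [ Bridging Global ]
BRIDGING_GLOBAL_RANGES = {
    "AgingTime": (10, 100000), "HashTableSize": (256, 16384),
    "BridgePriority": (0, 65535), "MaxAge": (6, 40),
    "HelloTime": (1, 10), "ForwardDelay": (4, 30),
}


def _strip_comment(line):
    """Drop a trailing '#' comment, but not a '#' inside a quoted value."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()


def parse_config(text):
    """Return {section: [(key, value), ...]}; repeated keys are kept in order."""
    config, current = {}, None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = " ".join(m.group(1).split())   # normalise inner whitespace
            config.setdefault(current, [])
        elif current is None or "=" not in line:
            raise ValueError(f"line outside a section or without '=': {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            config[current].append((key, value))
    return config


def get(config, section, key):
    """Last value of key in section (keys compared case-insensitively), or None."""
    for k, v in reversed(config.get(section, [])):
        if k.lower() == key.lower():
            return v
    return None


def check_bridging(config):
    """List everything that would stop bridged traffic from flowing."""
    problems = []
    global_mode = get(config, "Bridging Global", "Mode") or "Off"
    for key, (lo, hi) in BRIDGING_GLOBAL_RANGES.items():
        value = get(config, "Bridging Global", key)
        if value is not None and not lo <= int(value) <= hi:
            problems.append(f"[ Bridging Global ] {key} = {value} is outside {lo}..{hi}")
    for section in config:
        proto, _, iface = section.partition(" ")
        if proto.lower() not in BRIDGEABLE:
            continue
        if (get(config, section, "Mode") or "").lower() != "bridged":
            continue
        if global_mode.lower() not in ("ieee", "learning"):
            problems.append(f"[ {section} ] is Bridged but [ Bridging Global ] Mode = {global_mode}")
        # [ <Proto> Default ] applies to every interface, so only the global check applies to it
        if iface.lower() != "default" and (get(config, f"Bridging {iface}", "Mode") or "Off").lower() != "on":
            problems.append(f"[ {section} ] is Bridged but [ Bridging {iface} ] Mode is not On")
    return problems


# constructed sample modelled on the guide's bridging example; the
# [ Bridging Ethernet 1 ] section is deliberately missing
SAMPLE = """\
#
# Bridging Configuration
#
[ Bridging Global ]
Mode = IEEE                 # Make sure that Bridging is on
BridgePriority = 1000

[ Bridging Ethernet 0 ]
Mode = On
PathCost = 100

[ IP Ethernet 0 ]
Mode = Bridged

[ IP Ethernet 1 ]
Mode = Bridged

[ IP Bridge ]
Mode = Routed
IPAddress = 192.15.1.1
SubnetMask = 255.255.255.0
"""

if __name__ == "__main__":
    for problem in check_bridging(parse_config(SAMPLE)):
        print(problem)
```

Run against the sample it reports only that [ IP Ethernet 1 ] is Bridged while no [ Bridging Ethernet 1 ] section turns bridging on for that interface. The same parser can be pointed at any other section of a saved configuration, since the format is the same throughout.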

See Also
[ Bridging Global ], bridge(show), bridge(set), [ AppleTalk <Section ID> ], [ DECnet <Section ID> ], [ IP <Section ID> ], [ IPX <Section ID> ]


[ Bridging Global ]
This section is used to modify parameters that affect the way bridging and the IEEE Spanning Tree algorithm operate. These parameters are global to the device and are not associated with a particular interface. Keywords recognized in this section are described below.

Mode = [ IEEE | Learning | Off ]

The Mode keyword specifies whether bridging will be enabled and how it will be configured for the system as a whole. To disable bridging, set the mode to Off. The bridge supports two operating modes: IEEE and Learning.

The IEEE mode configures the bridge to support the IEEE 802.1D Spanning Tree algorithm. The Spanning Tree algorithm is used by bridges to detect loops (i.e., two or more pathways to the same destination) and "prune" them into a tree-like, loop-free topology by establishing a root bridge and then calculating the best path from each bridge to the root bridge. Traffic is then forwarded only along this path. If the network to which the bridge is attaching contains loops, Spanning Tree must be enabled to prevent packet duplication.

The Learning mode configures the bridge for operation with the Spanning Tree algorithm disabled. The bridge listens to all network traffic and builds an Ethernet address cache of the devices on each interface. When a bridge receives a packet on one interface which is destined for an address on another interface, it looks up the destination in its address cache. If it has an entry, it forwards the packet directly to the appropriate interface. If it doesn't have an entry, it forwards the packet to all interfaces except the one from which it was received. If there is a loop in the network topology, a bridge that doesn't employ the Spanning Tree algorithm will endlessly forward the same packet back and forth on its interfaces because it cannot detect the loop formed by the second pathway. Learning mode should only be used on networks without active loops.

Note: Because the parameters in this section are global to the device, it isn't possible to turn on IEEE (Spanning Tree) or Learning for individual interfaces. When the mode is IEEE, the root bridge dictates the timer parameters for the whole network.

AgingTime = Number
The AgingTime keyword sets the time that entries can remain in the bridge's Ethernet address cache. Each time the bridge receives traffic for an address, the aging timer is reset for that address. If no traffic comes through for the address and the aging time expires, the entry is purged. The default value is 300 seconds. Values range from 10 to 100,000 seconds.


HashTableSize = Number
The HashTableSize keyword sets the maximum number of address entries in the bridge's Ethernet address cache. The bridge only allocates as many entries as it needs, up to the limit specified in this parameter. The default value is 1024. Values range from 256 to 16,384.

BridgePriority = Number
The BridgePriority keyword is used by the Spanning Tree algorithm to calculate the root bridge. The bridge priority is combined with the bridge's Ethernet address to create an 8-byte bridge ID. The Spanning Tree algorithm uses the bridge ID to determine the root bridge for a network. The numerically lowest bridge ID on a network will be the root bridge for that network. There will only be one root bridge on a network. The IEEE recommended default value is 32,768; values range from 0 to 65,535.

MaxAge = Number
The MaxAge keyword is used to determine when a Spanning Tree configuration packet is considered stale and its information is discarded. The default value recommended by the IEEE specification is 20 seconds; values range from 6 to 40 seconds.

HelloTime = Number
The HelloTime keyword sets the interval between Spanning Tree configuration packets sent by the bridge. The default value recommended by the IEEE specification is 2 seconds; values range from 1 to 10.

ForwardDelay = Number
The ForwardDelay keyword sets the time that a bridge will spend determining whether or not to include an interface in the network's Spanning Tree. If included, the interface will spend this same amount of time listening to network traffic and building its address cache before it begins forwarding packets. It is also used as the aging time during periods of topology change on the network. The recommended default value is 15 seconds; values range from 4 to 30 seconds.

Examples
The following example shows a bridge configuration for a network with an unstable topology. By setting the Spanning Tree timers to their minimum values, topology changes are detected more quickly at the expense of more Spanning Tree protocol traffic on the network.

[ Bridging Global ]
Mode = IEEE
AgingTime = 300
HashTableSize = 1024
MaxAge = 6
HelloTime = 1
ForwardDelay = 4


To make this device the root bridge, set its bridge priority lower than that of any other bridge on the network (the IEEE default is 32,768).

[ Bridging Global ]
BridgePriority = 1000

See Also
[ Bridging <Section ID> ], bridge(show), bridge(set)


[ Command Line ]
This section is used to configure terminal settings that define the way that the command parser interacts with the user. The command parser is accessed via telnet or the AUX/console port. Keywords recognized in this section are described below.

Enhanced = [ On | Off ]

The Enhanced keyword allows control over the "enhanced" parsing mode that is supported by the command parser. If Enhanced is On and the command parser cannot decipher the input entered or an invalid option was entered for a command, the parser will redisplay the portion that was successfully parsed. The default is On.

Erase = [ BackSpace | Delete ]
The Erase keyword sets the command parser's erase character. Normally, both BackSpace and Delete are recognized by the command parser for erasing characters. However, when using the line editing feature or with some prompts from the command parser, only the erase character selected by this keyword takes effect. The default is BackSpace.

More = [ On | Off ]
The More keyword specifies "more" processing of all displayed output. If More is On, displayed output that is longer than the configured terminal height will be paused and a "--more--" prompt will be displayed. To display the next screen of data, enter a <SPACE>. To display only the next line of data, enter a <RETURN>. Any other input terminates the output and the next command prompt will be displayed. The default is On.

PrintPortLabel = [ Numbers | Letters ]
The PrintPortLabel keyword tells the parser whether interfaces should be displayed with numbers or letters. Both letters and numbers are recognized as input to the command parser. The default is Numbers.

Width = Number
The Width keyword sets the terminal width, i.e., the number of characters per line. The default is 80 characters.

Height = Number
The Height keyword sets the terminal height, i.e., the number of lines displayed. This value is used by the "more" processor. The default is 24 lines.

Examples
[ Command Line ]
Enhanced = On               # Enable "Enhanced" mode
Erase = Delete

See Also
terminal(set)


[ DECnet <Section ID> ]
This section controls how DECnet packets are handled on each router interface. Compatible Systems routers support DECnet Phase IV intra-area routing. Keywords recognized in this section are described below.

Mode = [ Routed | Bridged | Off ]

The Mode keyword specifies whether DECnet Phase IV packets will be routed across the interface, bridged across the interface, or ignored on the interface. If Bridged is specified, bridging must also be enabled for the interface in the [ Bridging <Section ID> ] section. If Bridged or Off are specified, the HelloTimer and RoutingTimer are ignored.

HelloTimer = Number
The HelloTimer keyword tells the router how frequently it should send DECnet hello messages on a WAN interface. DECnet hello messages tell end nodes which routers are available to route packets. Valid values range from 1 to 8191 seconds (approximately 2 hours and 15 minutes). This timer value is also inserted into the hello messages themselves. Once an end node has received a hello message from a router, it begins to track the availability of that router. If an end node does not hear an additional hello message within 3 timer periods, it assumes that this router is no longer available.

Note: For dial-on-demand links, this parameter should be set to the longest period practical, since the router will dial the remote end each time one of these packets is sent.

RoutingTimer = Number
The RoutingTimer keyword tells the router how frequently it should send routing messages on a WAN interface. DECnet routing messages are exchanged between routers and contain routing table information including node numbers, hello timer values, hop counts and costs. Valid values range from 1 to 8191 seconds (approximately 2 hours and 15 minutes). The default is 120.

Note: For dial-on-demand links, this parameter should be set to the longest period practical, since the router will dial the remote end each time one of these packets is sent.

Examples
[ DECnet WAN 0 ]
Mode = Routed
HelloTimer = 30
RoutingTimer = 120

See Also
[ DECnet Global ], decnet(show), [ Bridging <Section ID> ]


[ DECnet Global ]
This section controls how DECnet packets are handled for the router. Compatible Systems routers support DECnet Phase IV intra-area routing. Keywords recognized in this section are described below.

Enabled = [ On | Off ]

The Enabled keyword controls how DECnet packets will be handled by the router. If Enabled is On, then DECnet packets received on any interface in the router which also has DECnet turned on will be routed to the correct interface. In addition, individual interfaces must be set to route packets in the [ DECnet <Section ID> ] section. If Enabled is set to Off, DECnet routing will be turned off globally in the router, and DECnet settings for individual interfaces will be ignored.

Area = Number
The Area keyword assigns this router to a DECnet area. A DECnet area may include one or more physical network segments. The area information is specific to this individual router and, along with the node number, uniquely identifies it on the network. The area number must be within the range of 1 to 63 and is a required parameter.

Node = Number
The Node keyword assigns this router a DECnet node number. Each device in a DECnet area must have a unique node number. The node number is specific to each router or workstation and, along with the area number, uniquely identifies it on the network. The node number must be within the range of 1 to 1023.

Note: Using the same area and node combination as an address for two different devices can cause problems on your network that are difficult to diagnose. You should carefully track the assignment of this information for devices on your DECnet network.

HelloTimer = Number
The HelloTimer keyword tells the router how frequently it should send DECnet hello messages on its LAN interfaces. DECnet hello messages tell end nodes which routers are available to route packets. Valid values range from 1 to 8191 seconds (approximately 2 hours and 15 minutes). This timer value is also inserted into the hello messages themselves. Once an end node has received a hello message from a router, it begins to track the availability of that router. If an end node does not hear an additional hello message within 3 timer periods, it assumes that this router is no longer available.

RoutingTimer = Number
The RoutingTimer keyword sets how frequently the router should send routing messages on its LAN interfaces. DECnet routing messages are exchanged between routers and contain routing table information including node numbers, hello timer values, hop counts and costs. Valid values range from 1 to 8191 seconds (approximately 2 hours and 15 minutes). The DECnet HelloTimer and RoutingTimer values for individual WAN interfaces are set with the HelloTimer and RoutingTimer keywords in the [ DECnet <Section ID> ] section.

Maxnode = Number
The Maxnode keyword sets the maximum number of node addresses allowed for this particular DECnet area. Valid values range from 1 to 1023. By limiting the number of addresses, a network administrator can limit the size of the internal routing table and the size of the routing messages sent to other routers. Generally, all routers on the network should be consistent and use the same value for this parameter. This number must be at least as large as the highest node number assigned to this router or to any workstation on the network.

Examples
[ DECnet Global ]
Enabled = On
Area = 1
Node = 1000

See Also
[ DECnet <Section ID> ], decnet(show)


[ Domain Name Server ]
This section is used to list the addresses of the primary and secondary domain name servers used by the router for Domain Name Service (DNS) name lookups. DNS allows the device to report DNS names instead of raw IP addresses when using the traceroute command, and also allows the ping command to be optionally issued with a DNS name. (See the traceroute(mgmt) and ping(mgmt) sections for further information.) A primary name server must be specified in order to use DNS lookup. The keywords recognized in this section are described below.

PrimaryServer = IP Address

The PrimaryServer keyword specifies the IP address of the primary domain name server.

SecondaryServer = IP Address
The SecondaryServer keyword specifies the IP address of a secondary domain name server. If no response is received from the primary name server, the secondary servers are used. Up to 2 secondary servers may be added to the configuration by repeating this keyword.

Examples
[ Domain Name Server ]
PrimaryServer = 10.0.0.101
SecondaryServer = 10.0.0.142
SecondaryServer = 10.0.0.130

See Also
ping(mgmt), traceroute(mgmt)


[ DS3 Interface <Section ID> ]
This section sets configuration parameters for an internal DSU on the specified WAN interface. DS3 digital transmission has a data capacity of 44.736 Mbps (referred to as Data Speed 3 or DS3). Keywords recognized in this section are described below.

LineBuildOut = [ Short | Long ]

The LineBuildOut keyword should be set based on the cable distance between the device and the DS3 terminal located in your building. Cable lengths from 0 to 100 feet require that LineBuildOut be set to Short. Cable lengths from 101 to 900 feet require that LineBuildOut be set to Long.

Clocking = [ Internal | External ]
The Clocking keyword configures whether the DSU will use its own internal clock or obtain the clock from the network for the DSU's DS3 transmit signal towards the network. In Internal mode, an internal clock is used. In External mode, the clock derived from the DS3 receive signal is used. The default is Internal mode. Verify this setting with your ISP.

DS3SubRate = [ 3_158 | 6_316 | 9_474 | 12_632 | 15_790 | 18_948 | 22_106 | 25_264 | 28_422 | 31_580 | 34_738 | 37_896 | 41_054 | 44_210 ]
The DS3SubRate keyword specifies the data rate for the CSU/DSU. This can be used to set the throughput to match the bandwidth provided by your NSP (Network Service Provider). The values are specified in megabits per second, using an underscore ( _ ) as the decimal point (e.g., 3_158 is 3.158 Mbps). Both ends of the DS3 connection must have the same rate specified. Unless the remote end is a Larscom CSU/DSU (or equivalent) or another Compatible Systems DS3 interface, the default setting of 44_210 must be used.

InvertData = [ On | Off ]
The InvertData keyword allows the user to invert data. Data inversion can be used to meet pulse density requirements. Always set to Off unless otherwise instructed by your ISP. If a DSU at one end of a DS3 line inverts its data, then the DSU at the other end must do the same.

CRC = [ 16 bit | 32 bit ]
The CRC keyword configures whether the DSU will use a 16-bit or 32-bit frame check sequence. Both ends of a DS3 connection must use the same CRC (Cyclic Redundancy Check) setting. The default is 16 bit.

Examples
[ DS3 Interface Wan 0 ]
LineBuildOut = Long
CRC = 16 bit

See Also
[ Link Config <Section ID> ], wan(show), wan ds3(set)


[ Dynamic Firewall Globals ]
This section sets global timers for Compatible Systems IntraGuard Firewall devices. The keywords for this section are described below.

SYNTimer = Number

The SYNTimer keyword sets the number of seconds the firewall will wait for a response to a TCP SYN packet before clearing the TCP session. The SYN flag is set in the first packets of a TCP session (the initial SYN and the SYN-ACK reply) and indicates that a session is being established. If the SYNTimer is set too high, half-open sessions (SYNs that never receive a reply, for example during a SYN flood) accumulate in the session table. If it is set too low, a slow peer may not have enough time to complete the handshake and establish a session. Values may range from 0 to 120. The default is 20 seconds.

FINTimer = Number
The FINTimer keyword sets the number of seconds the firewall will wait for a response to a TCP FIN packet before clearing the TCP session. TCP specifies that for a session to be fully closed, both ends of the connection must send a FIN packet. If the FINTimer is too high, half-shut sessions may accumulate. If the FINTimer is too low, sessions may be shut down too quickly. Values may range from 0 to 120. The default is 10 seconds.

TCPTimeout = Number
The TCPTimeout keyword sets the number of seconds the firewall will wait before shutting down an inactive TCP session. Values may range from 0 to 0xFFFFFFFF. The default is 172,800 seconds (48 hours).

UDPTimeout = Number
The UDPTimeout keyword sets the number of seconds the firewall will wait before shutting down an inactive non-TCP session. Values may range from 0 to 0xFFFFFFFF. The default is 60 seconds.

HalfShutTimer = Number
The HalfShutTimer keyword sets the number of seconds the firewall will wait before closing a half-shut, inactive TCP session. TCP specifies that for a session to be fully closed, both ends of the connection must send a FIN packet. If the firewall has not received a FIN packet from the other end and there has been no activity during the specified length of time, the firewall will clear the session. Values may range from 0 to 0xFFFFFFFF. The default is 120 seconds. Setting a value of 0 disables the timer.

DynamicTimer = Number
The DynamicTimer keyword sets the number of seconds the firewall will wait before shutting down an inactive dynamic session. Dynamic sessions are created by the firewall to allow TCP sessions or non-TCP packets to come through the firewall. The firewall does this by monitoring packet headers and data, and then opening permitted sessions only when necessary. Values may range from 0 to 300. The default is 60 seconds.


RejectTimer = Number
The RejectTimer keyword sets the number of seconds the firewall will keep track of rejected packets after the packet flow has ended. The firewall tallies the different types of rejected packets and summarizes the information in a display produced by the show firewall rejects command (see firewall(show)). Values may range from 0 to 0xFFFFFFFF. The default is 120 seconds. If the RejectTimer is set to 0, the firewall will log every rejected packet individually, without summarizing them in a tally.

Examples
This example sets every global timer explicitly. UDPTimeout and HalfShutTimer are set above their documented defaults (60 and 120 seconds); the remaining values are the defaults.

[ Dynamic Firewall Globals ]
SYNTimer = 20
FINTimer = 10
TCPTimeout = 172800
UDPTimeout = 120
HalfShutTimer = 300
DynamicTimer = 60
RejectTimer = 120
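To see how SYNTimer, FINTimer, TCPTimeout and HalfShutTimer interact, the following added example (not IntraGuard code) models a stateful TCP session table that applies the four timers exactly as the keyword descriptions above define them. The state names, the packet() interface and the "0 disables the timer" rule for every timer (the guide states it only for HalfShutTimer) are assumptions of this model; the traffic it feeds in is constructed and shows three unanswered SYNs being dropped after SYNTimer while a completed handshake survives.

```python
"""Model of the TCP session timers in [ Dynamic Firewall Globals ].

Added example, not IntraGuard code; states and interface are assumed.
"""
from dataclasses import dataclass

SYN_SENT, ESTABLISHED, FIN_SENT, HALF_SHUT = "syn-sent", "established", "fin-sent", "half-shut"


@dataclass
class Session:
    state: str
    last_seen: float               # time of the last packet that refreshed the timer
    fin_from_initiator: bool = False


class SessionTable:
    def __init__(self, syn_timer=20, fin_timer=10, tcp_timeout=172800, half_shut_timer=120):
        # documented defaults; 0 disables a timer (documented for HalfShutTimer,
        # assumed here for the other three)
        self.timers = {SYN_SENT: syn_timer, FIN_SENT: fin_timer,
                       ESTABLISHED: tcp_timeout, HALF_SHUT: half_shut_timer}
        self.sessions = {}          # (initiator, responder) -> Session

    def count(self):
        return len(self.sessions)

    def expire(self, now):
        """Drop every session whose state timer has run out."""
        for key, s in list(self.sessions.items()):
            limit = self.timers[s.state]
            if limit and now - s.last_seen > limit:
                del self.sessions[key]

    def packet(self, now, src, dst, flags):
        """Feed one packet (endpoints as 'ip:port' strings); True if permitted."""
        self.expire(now)
        flags = set(flags)
        if (src, dst) in self.sessions:
            key, from_initiator = (src, dst), True
        elif (dst, src) in self.sessions:
            key, from_initiator = (dst, src), False
        elif flags == {"SYN"}:
            self.sessions[(src, dst)] = Session(SYN_SENT, now)   # half-open until SYN-ACK
            return True
        else:
            return False                # no session and not a new SYN: rejected
        s = self.sessions[key]
        if "RST" in flags:
            del self.sessions[key]
            return True
        if s.state == SYN_SENT:
            # only the responder's SYN-ACK completes the handshake; retransmitted
            # SYNs do not refresh SYNTimer, so a flood cannot keep entries alive
            if not from_initiator and {"SYN", "ACK"} <= flags:
                s.state, s.last_seen = ESTABLISHED, now
            return True
        s.last_seen = now
        if s.state == ESTABLISHED and "FIN" in flags:
            s.state, s.fin_from_initiator = FIN_SENT, from_initiator
        elif s.state in (FIN_SENT, HALF_SHUT) and from_initiator != s.fin_from_initiator:
            if "FIN" in flags:
                del self.sessions[key]  # both ends sent FIN: fully closed
            else:
                s.state = HALF_SHUT     # first FIN acknowledged, peer still open
        return True


def syn_flood_demo(syn_timer=20):
    """Constructed traffic: three unanswered SYNs and one completed handshake.

    Returns (sessions before expiry, sessions after SYNTimer has run out)."""
    t = SessionTable(syn_timer=syn_timer)
    for i in range(3):
        t.packet(0, f"198.51.100.{i}:4000", "192.0.2.10:80", ["SYN"])
    t.packet(0, "10.0.0.5:5000", "192.0.2.10:80", ["SYN"])
    t.packet(1, "192.0.2.10:80", "10.0.0.5:5000", ["SYN", "ACK"])
    before = t.count()
    t.expire(syn_timer + 5)
    return before, t.count()


if __name__ == "__main__":
    print("sessions before/after SYNTimer expiry:", syn_flood_demo())
```

The demo returns (4, 1): all four entries exist while the SYNs are outstanding, and only the session whose SYN-ACK was seen remains once SYNTimer has elapsed. Raising SYNTimer lengthens the window in which unanswered SYNs occupy the table, which is the trade-off the SYNTimer description makes.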

See Also
[ Dynamic Firewall Logging ], [ Dynamic Firewall Path <Name> ], [ NAT Mapping ], [ NAT Global ], firewall(show)


[ Dynamic Firewall Logging ]
This section sets the level at which specific events are logged on IntraGuard Firewall devices. The IntraGuard "tags" the log messages associated with each type of event with the specified log level. The eight logging levels, plus Off, are listed below in descending order of importance.

• Off
• 0/Emergency
• 1/Alert
• 2/Critical
• 3/Error
• 4/Warning
• 5/Notice
• 6/Info
• 7/Debug

The event log messages will appear in the log buffer (or wherever log messages are being sent) only if the global log level is at the same level or a less important (numerically higher) level. This allows you to closely monitor certain events while keeping events you are not interested in out of the log. Logging parameters for the device, including the global log level, are set in the [ Logging ] section. The keywords for this section are described below.

Rejects = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The Rejects keyword sets the level at which Reject messages will be logged. A Reject message is created by the firewall whenever an IP packet is rejected for any reason. The default is Info.

TCP_EST_Reject = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The TCP_EST_Reject keyword sets the level at which TCP_EST_Reject messages will be logged. These messages are created by the firewall whenever an established TCP session is rejected. They are also created when the firewall admits a TCP session for which it has not seen the SYN flag; admitting such sessions is enabled with the PermitEstTCP keyword in the [ Dynamic Firewall Path <Name> ] section. The default is Error.

Sessions = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The Sessions keyword sets the level at which Sessions messages will be logged. These messages are created by the firewall whenever an IP session is established. The default is Error.

TearDown = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The TearDown keyword sets the level at which TearDown messages will be logged. These messages are created by the firewall whenever an IP session is torn down. The default is Warning.

IP_Timeouts = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The IP_Timeouts keyword sets the level at which IP_Timeouts messages will be logged. These messages are created by the firewall whenever a non-TCP session (i.e., IP or UDP session) is timed out. The default is Warning.

TCP_Timeouts = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The TCP_Timeouts keyword sets the level at which TCP_Timeouts messages will be logged. These messages are created by the firewall whenever a TCP session is timed out due to inactivity. The default is Alert.

TCP_Resets = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The TCP_Resets keyword sets the level at which TCP_Resets messages will be logged. These messages are created by the firewall whenever a TCP session is reset. The default is Notice.

ICMP_Resets = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The ICMP_Resets keyword sets the level at which ICMP_Resets messages will be logged. These messages are created by the firewall whenever a non-TCP session (i.e., UDP or ICMP session) is reset. The default is Notice.

TCP_SYN = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The TCP_SYN keyword sets the level at which TCP_SYN messages will be logged. These messages are created by the firewall whenever a TCP connection cannot be completed because its handshake timed out. The default is Critical.

TCP_FIN = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The TCP_FIN keyword sets the level at which TCP_FIN messages will be logged. These messages are created by the firewall whenever a TCP connection cannot be properly torn down and is instead timed out. The default is Critical.

Redirects = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The Redirects keyword sets the level at which ICMP redirect messages will be logged. These messages are created by devices on the network when they receive a misdirected packet. These messages sometimes indicate route instability or the presence of an incorrectly configured IP host, but they do not necessarily indicate a problem on the network. The default is Critical.


General = [ Off | 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The General keyword sets the level at which General messages will be logged. General messages are created when errors occur within the IntraGuard. This might include running out of memory or internal state errors, and should be infrequent. The default is Critical.

Examples
The following example shows the default logging configuration for the IntraGuard firewall.

[ Dynamic Firewall Logging ]
Rejects = Info
TCP_EST_Reject = Error
Sessions = Error
TearDown = Warning
IP_Timeouts = Warning
TCP_Timeouts = Alert
TCP_Resets = Notice
ICMP_Resets = Notice
TCP_SYN = Critical
TCP_FIN = Critical
Redirects = Critical
General = Critical

If the following global logging settings were in place, the only firewall messages which would not appear in the log would be Rejects, which are set to Info, one level less important than Notice.

[ Logging ]
Enabled = On
Level = Notice
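Working out which firewall events a given [ Logging ] Level actually lets through, and which Level is needed to see a particular event, is easy to get wrong because the level names run in the opposite direction from the numbers. The following added example (not from the guide) applies the rule stated above to the default per-event levels: an event is logged only if its level is numerically less than or equal to the global level, and Off suppresses it entirely. The event names and defaults are those listed in this section; the function names are this example's own.

```python
"""Which [ Dynamic Firewall Logging ] events reach the log for a given [ Logging ] Level.

Added example, not IntraGuard code.
"""

# levels from the guide; list index == numeric level
LEVELS = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]

# default per-event levels from the [ Dynamic Firewall Logging ] example above
DEFAULT_EVENT_LEVELS = {
    "Rejects": "Info", "TCP_EST_Reject": "Error", "Sessions": "Error",
    "TearDown": "Warning", "IP_Timeouts": "Warning", "TCP_Timeouts": "Alert",
    "TCP_Resets": "Notice", "ICMP_Resets": "Notice", "TCP_SYN": "Critical",
    "TCP_FIN": "Critical", "Redirects": "Critical", "General": "Critical",
}


def level_number(level):
    """Normalise 'Off', '0'..'7' or a level name to 0..7; None means Off."""
    text = str(level).strip()
    if text.lower() == "off":
        return None
    if text.isdigit():
        n = int(text)
        if 0 <= n <= 7:
            return n
        raise ValueError(f"level number {n} outside 0..7")
    names = [name.lower() for name in LEVELS]
    if text.lower() not in names:
        raise ValueError(f"unknown log level {level!r}")
    return names.index(text.lower())


def logged_events(event_levels, global_level):
    """Event types whose messages would appear in the log."""
    limit = level_number(global_level)
    if limit is None:               # [ Logging ] Level = Off: nothing is logged
        return []
    shown = []
    for event, level in event_levels.items():
        n = level_number(level)
        if n is not None and n <= limit:
            shown.append(event)
    return shown


def suppressed_events(event_levels, global_level):
    """The complement: configured events filtered out by the global level."""
    shown = set(logged_events(event_levels, global_level))
    return [event for event in event_levels if event not in shown]


def minimum_global_level(event_levels, wanted):
    """Least verbose [ Logging ] Level that still shows every event in `wanted`."""
    numbers = [level_number(event_levels[event]) for event in wanted]
    if any(n is None for n in numbers):
        raise ValueError("an event set to Off is never logged at any global level")
    return LEVELS[max(numbers)]


if __name__ == "__main__":
    for level in ("Notice", "Error", "Off"):
        print(f"Level = {level:8} suppresses {suppressed_events(DEFAULT_EVENT_LEVELS, level)}")
    print("to see Rejects and TCP_EST_Reject set Level =",
          minimum_global_level(DEFAULT_EVENT_LEVELS, ["Rejects", "TCP_EST_Reject"]))
```

With the defaults and Level = Notice the only suppressed event is Rejects, matching the statement above; with Level = Error the Warning and Notice events (TearDown, IP_Timeouts, TCP_Resets, ICMP_Resets) drop out as well, and seeing Rejects at all requires Level = Info or Debug.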

See Also
[ Dynamic Firewall Globals ], [ Dynamic Firewall Path <Name> ], [ Logging ], firewall(show)


[ Dynamic Firewall Path <Name> ]
This section sets parameters for paths on an IntraGuard Firewall. Paths define a route for packets through the firewall. Each path has two endpoints: inside interfaces and outside interfaces. Typically, the inside interfaces are secure while the outside interfaces are less secure. Paths are directional: packets travel out along the path from an inside interface to an outside interface and in along the path from an outside interface to an inside interface.

There are three pre-set paths in the IntraGuard firewall. Each of the three paths already has a name, a security policy and interface definitions. The default settings of each pre-set path are shown below.

[ Dynamic Firewall Path "Green-Red" ]
SecurityPolicy = Standard
InsideInterfaces = "Ether 0"
InsideInterfaces = "Bridge"
OutsideInterfaces = "Ether 2"

[ Dynamic Firewall Path "Yellow-Red" ]
SecurityPolicy = Standard
InsideInterfaces = "Ether 1"
OutsideInterfaces = "Ether 2"

[ Dynamic Firewall Path "Green-Yellow" ]
SecurityPolicy = Lenient
InsideInterfaces = "Ether 0"
InsideInterfaces = "Bridge"
OutsideInterfaces = "Ether 1"

The Name portion of the section name can be changed to anything between one and 126 alphanumeric characters.

The keywords for this section are described below.

INTERFACE ASSIGNMENTS

InsideInterfaces = Port identifier string

The InsideInterfaces keyword sets the specified interface to serve as the inside end of the path. This is typically the secure side of the path. This keyword may appear multiple times within this section in order to specify multiple interfaces.

OutsideInterfaces = Port identifier string

The OutsideInterfaces keyword sets the specified interface to serve as the outside end of the path. This is typically the insecure side of the path. This keyword may appear multiple times within this section in order to specify multiple interfaces.

SECURITY POLICY

SecurityPolicy = [ Blocked | Strict | Standard | Lenient | Open ]

The SecurityPolicy keyword sets the general security policy for the path. Each security policy has an associated list of protocol-specific pushbutton settings that determine how the interfaces along the path will handle each protocol’s packets. Each security policy can be used as-is, or can be used as the basis for a customized policy by using the pushbutton settings.

Blocked is the most secure policy, which does not allow packets in or out along the path. It is the equivalent of physically separating the internal and external networks. The Blocked policy can be used to create a very restrictive policy set using the additional configuration options.

Strict is a restrictive policy set. A small set of outgoing client sessions are permitted through the firewall and all incoming server sessions are excluded.

Standard is the default policy set. Almost all outgoing client sessions are permitted and almost all incoming server sessions are excluded. The only exceptions to those rules are that the BGP and X Windows protocols are excluded from going in or out of the firewall.

Lenient is a less secure policy. All outgoing client sessions are permitted and some incoming server sessions are permitted.

Open is an insecure policy set. Everything is permitted through the firewall, thereby turning the firewall into a transparent bridge.


The SecurityPolicy keyword controls a list of pushbutton protocol settings for the path. These settings specify how a protocol will be handled on the path. These keywords can be changed individually to create a customized security policy. The chart below shows the different protocol-specific settings for each security policy.

PROTOCOL PUSHBUTTONS   PROTOCOL TYPE   PORTS USED        SECURITY POLICY
                                                         Blkd   Strict   Std.   Len.   Open
BGPUse                 TCP             179               None   None     None   Both   Both
BSDUse                 TCP             512, 513, 514     None   None     Out    Out    Both
CompatiViewUse         UDP             33020             None   Out      Out    Both   Both
DNSUse                 TCP, UDP        53                None   Out      Out    Both   Both
FTPUse                 TCP             21                None   Out      Out    Both   Both
H323Use                TCP             1720              None   None     Out    Out    Both
ICMPUse                ICMP            1                 None   None     Out    Out    Both
IPSecUse               ICMP            50, 51            None   Out      Out    Both   Both
IRCUse                 TCP             6667              None   None     Out    Out    Both
LPRUse                 TCP             515               None   None     Out    Out    Both
MailUse                TCP             25                None   Out      Out    Both   Both
NFSUse                 UDP             635, 340, 2049    None   None     Out    Out    Both
NetBIOSUse             TCP, UDP        137, 138          None   None     Out    Out    Both
NewsUse                TCP             119               None   None     Out    Out    Both
NonIPUse               TCP, UDP        undefined         None   None     Out    Out    Both
OSPFUse                ICMP            89                None   None     Out    Out    Both
POPUse                 TCP             109, 110          None   None     Out    Out    Both
RIPUse                 UDP             520               None   None     Out    Out    Both
RealAudioUse           TCP             7070              None   None     Out    Out    Both
SunRPCUse              TCP, UDP        111               None   None     Out    Out    Both
TelnetUse              TCP             23                None   Out      Out    Out    Both
TFTPUse                UDP             69                None   Out      Out    Out    Both
TunnelUse              ICMP            47                None   None     Out    Out    Both
WebUse                 TCP             80, 8000, 8080    None   Out      Out    Both   Both
XWinUse                TCP             6000, 6010        None   None     None   In     Both
ISAKMPUse              UDP             500               None   Out      Out    Both   Both
GopherUse              TCP             70                None   Out      Out    Out    Both
NTPUse                 UDP             123               None   None     Out    Both   Both
OtherTCPUse            TCP             undefined         None   None     Out    Out    Both
OtherUDPUse            UDP             undefined         None   None     Out    Both   Both
OtherUse               undefined       undefined         None   None     Out    Both   Both


In indicates that a protocol will be allowed through to the inside interface(s) of a path. Out indicates that a protocol will be allowed through to the outside interface(s) of a path. None indicates that a protocol will be allowed neither in nor out. Both indicates that a protocol will be allowed both in and out.

Changing the SecurityPolicy keyword for a path automatically changes the pre-set protocol pushbuttons to reflect the new security policy. However, any protocol pushbutton which has been changed individually will maintain its setting rather than change to reflect a new policy (e.g., changing the WebUse keyword to Both means it will keep that setting no matter what the security policy).

PUSHBUTTON OPTIONS

BGPUse = [ None | In | Out | Both ]

The BGPUse keyword defines how BGP (Border Gateway Protocol) packets will be handled on the path. BGP is the routing protocol between Internet backbone routers.

BSDUse = [ None | In | Out | Both ]

The BSDUse keyword defines how BSD packets will be handled on the path. BSD is the UC Berkeley remote execution and terminal session protocol. RSH, RCP, RLogin, and RExec are the protocols supported.

CompatiViewUse = [ None | In | Out | Both ]

The CompatiViewUse keyword defines how CompatiView packets will be handled on the path. CompatiView is Compatible Systems’ GUI manager. This option also defines handling for earlier versions of STAMP, Compatible Systems’ tunnel authentication protocol.

DNSUse = [ None | In | Out | Both ]

The DNSUse keyword defines how DNS (Domain Name Service) packets will be handled on the path. DNS is the protocol which translates IP addresses into hostnames and hostnames into IP addresses.

FTPUse = [ None | In | Out | Both ]

The FTPUse keyword defines how FTP (File Transfer Protocol) packets will be handled on the path. Dynamic sessions are created for file transfers using the PASV and PORT commands.

H323Use = [ None | In | Out | Both ]

The H323Use keyword defines how H323 packets will be handled on the path. H323 is a video and audio conferencing protocol.

IPSecUse = [ None | In | Out | Both ]

The IPSecUse keyword defines how IPSec (Internet Protocol Security) packets will be handled on the path. Both encrypted (ESP) and authenticated (AH) packets are supported.

IRCUse = [ None | In | Out | Both ]

The IRCUse keyword defines how IRC (Internet Relay Chat Protocol) packets will be handled on the path.


LPRUse = [ None | In | Out | Both ]

The LPRUse keyword defines how LPR packets will be handled on the path. LPR is a network printing protocol.

MailUse = [ None | In | Out | Both ]

The MailUse keyword defines how SMTP (Simple Mail Transfer Protocol) packets will be handled on the path. This protocol is used to send mail between servers.

NFSUse = [ None | In | Out | Both ]

The NFSUse keyword defines how NFS (Network File Sharing Protocol) packets will be handled on the path. To permit NFS In, it may be necessary to set SunRPCUse to In as well.

NetBIOSUse = [ None | In | Out | Both ]

The NetBIOSUse keyword defines how NetBIOS packets will be handled on the path. NetBIOS is Microsoft’s file sharing protocol.

NewsUse = [ None | In | Out | Both ]

The NewsUse keyword defines how NNTP (Network News Transfer Protocol) packets will be handled on the path.

NonIPUse = [ None | In | Out | Both ]

The NonIPUse keyword defines how non-IP packets will be handled on the path. This would include other protocols such as AppleTalk and IPX.

OSPFUse = [ None | In | Out | Both ]

The OSPFUse keyword defines how OSPF (Open Shortest Path First) packets will be handled on the path. OSPF is a link state routing protocol.

POPUse = [ None | In | Out | Both ]

The POPUse keyword defines how POP packets will be handled on the path. POP is a mail client protocol. This protocol allows users to receive mail.

RIPUse = [ None | In | Out | Both ]

The RIPUse keyword defines how RIP (Routing Information Protocol) packets will be handled on the path.

RealAudioUse = [ None | In | Out | Both ]

The RealAudioUse keyword defines how Internet Real Audio Protocol packets will be handled on the path. Real Audio is an audio and video conferencing protocol.

SunRPCUse = [ None | In | Out | Both ]

The SunRPCUse keyword defines how SunRPC (Sun’s Remote Procedure Call Protocol) packets will be handled on the path. The SunRPC Protocol is used by NFS and other UNIX utilities to get the server’s port address.

TelnetUse = [ None | In | Out | Both ]

The TelnetUse keyword defines how Telnet packets will be handled on the path. Telnet is a virtual terminal protocol.


TFTPUse = [ None | In | Out | Both ]

The TFTPUse keyword defines how TFTP (Trivial File Transfer Protocol) packets will be handled on the path.

TunnelUse = [ None | In | Out | Both ]

The TunnelUse keyword defines how GRE (General Router Encapsulation) packets will be handled on the path. GRE packets are IP-encapsulated tunneled packets. This option does not work with non-STEP tunnels (e.g., STAMP tunnels), which are enabled using the CompatiViewUse keyword.

WebUse = [ None | In | Out | Both ]

The WebUse keyword defines how HTTP (Hypertext Transfer Protocol) packets will be handled on the path. HTTP is the World Wide Web protocol. This option affects only HTTP packets; Telnet and FTP must be enabled individually to allow users to reach FTP sites or Telnet via the web. See the TelnetUse and FTPUse keywords.

XWinUse = [ None | In | Out | Both ]

The XWinUse keyword defines how X Windows packets will be handled on the path. X Windows is the UNIX GUI.

GopherUse = [ None | In | Out | Both ]

The GopherUse keyword defines how Gopher packets will be handled on the path. Gopher is a file transfer and browsing protocol.

ISAKMPUse = [ None | In | Out | Both ]

The ISAKMPUse keyword defines how ISAKMP (Internet Security Association Key Management Protocol) packets will be handled on the path. ISAKMP is the VPN (Virtual Private Network) key management protocol used by Compatible’s VPN products.

NTPUse = [ None | In | Out | Both ]

The NTPUse keyword defines how NTP (Network Time Protocol) packets will be handled on the path.

OtherTCPUse = [ None | In | Out | Both ]

The OtherTCPUse keyword defines how all other TCP-based protocols will be handled on the path.

OtherUDPUse = [ None | In | Out | Both ]

The OtherUDPUse keyword defines how all other UDP-based protocols will be handled on the path.

OtherUse = [ None | In | Out | Both ]

The OtherUse keyword defines how IP packets which are not included in the other pushbutton options will be handled on the path.

ALLOW PORTS/PROTOCOLS

These options allow you to specify any port or protocol which isn’t already a pushbutton option. All pushbutton settings take precedence over the Allow Ports/Protocols options. For example, if the OtherTCPUse pushbutton option is set to In, then it would be unnecessary to specify any particular TCP port using the TCPInPort option below.


TCPInPort = Port number

The TCPInPort keyword specifies that a TCP port number will be allowed in along the path. This applies only to TCP ports not listed in the pushbutton options. The Port may be specified as a decimal number between 0 and 65,535. This keyword may appear multiple times within the configuration to specify more than one port. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

TCPOutPort = Port number

The TCPOutPort keyword specifies that a TCP port number will be allowed out along the path. This applies only to TCP ports not listed in the pushbutton options. The Port may be specified as a decimal number between 0 and 65,535. This keyword may appear multiple times within the configuration to specify more than one port. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

UDPInPort = Port number

The UDPInPort keyword specifies that a UDP port number will be allowed in along the path. This applies only to UDP ports not listed in the pushbutton options. The Port may be specified as a decimal number between 0 and 65,535. This keyword may appear multiple times within the configuration to specify more than one port. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

UDPOutPort = Port number

The UDPOutPort keyword specifies that a UDP port number will be allowed out along the path. This applies only to UDP ports not listed in the pushbutton options. The Port may be specified as a decimal number between 0 and 65,535. This keyword may appear multiple times within the configuration to specify more than one port. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

IPInProto = Protocol number

The IPInProto keyword specifies that an IP protocol number will be allowed in along the path. The Protocol may be specified as a decimal number or as a keyword. This keyword may appear multiple times within the configuration to specify more than one protocol. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

IPOutProto = Protocol number

The IPOutProto keyword specifies that an IP protocol will be allowed out along the path. The Protocol may be specified as a decimal number or as a keyword. This keyword may appear multiple times within the configuration to specify more than one protocol. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.


IP PACKET FILTERS

There are two types of static IP packet filters which can be used on the firewall. These filters are applied after the pushbutton settings and the Allow Ports/Protocols options. Remember that when applying static IP filter sets, the final rule should always be

permit 0.0.0.0 0.0.0.0 ip

OrFilterOut = String

The OrFilterOut keyword allows a named set of IP packet filtering rules to be associated with the outside interface(s) of the path. OrFilterOut allows the device to accomplish packet filtering on packets that will be forwarded out this interface. "Or" filters are typically used to permit certain packets. These filters are checked only for those protocols or ports which have been denied by a pushbutton or Allow Ports/Protocols setting. For example, if TelnetUse has been set to None, then an "Or" filter can be used to permit Telnet sessions from a particular site which you trust. Any packet not explicitly allowed by the rule set is dropped. Up to four filters may be listed in the value for this keyword, but only one keyword may exist in this section. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

OrFilterIn = String

The OrFilterIn keyword allows a named set of IP packet filtering rules to be associated with the inside interface(s) of the path. OrFilterIn allows the device to accomplish packet filtering on packets that will be forwarded along this interface. "Or" filters are typically used to permit certain packets. These filters are checked only for those protocols or ports which have been denied by a pushbutton or Allow Ports/Protocols setting. For example, if TelnetUse has been set to None, then an "Or" filter can be used to permit Telnet sessions from a particular site which you trust. Any packet not explicitly allowed by the rule set is dropped. Up to four filters may be listed in the value for this keyword, but only one keyword may exist in this section. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

AndFilterOut = String

The AndFilterOut keyword allows a named set of IP packet filtering rules to be associated with the outside interface(s) of the path. AndFilterOut allows the device to accomplish packet filtering on packets that will be forwarded out this interface. "And" filters are typically used to deny certain packets, so they are checked only for those protocols or ports which have been permitted by a pushbutton, Allow Ports/Protocol setting or an "Or" filter. Any packet not explicitly allowed by the rule set is dropped. Up to four filters may be listed in the value for this keyword, but only one keyword may exist in this section. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

AndFilterIn = String

The AndFilterIn keyword allows a named set of IP packet filtering rules to be associated with the inside interface(s) of the path. AndFilterIn allows the device to accomplish packet filtering on packets that will be forwarded along this interface. "And" filters are typically used to deny certain packets, so they are checked only for those protocols or ports which have been permitted by a pushbutton, Allow Ports/Protocol setting or an "Or" filter. Any packet not explicitly allowed by the rule set is dropped. Up to four filters may be listed in the value for this keyword, but only one keyword may exist in this section. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.
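The precedence this section describes for one path (policy defaults, individually set pushbuttons that survive a policy change, the Allow Ports/Protocols keywords, then the "Or" and "And" filters) as an added Python model; it is not the IntraGuard's own code. It transcribes only a few rows of the pushbutton chart, covers TCP and UDP only, and represents a filter set as (action, source network, protocol) triples, which is an assumed simplification of the [ IP Filter <Name> ] syntax that is not defined on this page.

```python
"""Effective packet decision for one IntraGuard firewall path.

Added example, not Compatible Systems code.  Assumptions: only the chart
rows below are transcribed, only TCP/UDP packets are modelled, and a filter
set is a list of (action, source network, proto|'ip') triples evaluated
first-match, with no match meaning drop (a simplification of the real
[ IP Filter <Name> ] syntax, which is defined elsewhere in the guide).
"""
import ipaddress

# Subset of the pushbutton chart: name -> (protocol, ports, setting per policy).
# ports=None marks the OtherTCPUse/OtherUDPUse catch-all rows.
POLICIES = ("Blocked", "Strict", "Standard", "Lenient", "Open")
CHART = {
    "TelnetUse":   ("tcp", {23},             ("None", "Out",  "Out",  "Out",  "Both")),
    "WebUse":      ("tcp", {80, 8000, 8080}, ("None", "Out",  "Out",  "Both", "Both")),
    "XWinUse":     ("tcp", {6000, 6010},     ("None", "None", "None", "In",   "Both")),
    "BGPUse":      ("tcp", {179},            ("None", "None", "None", "Both", "Both")),
    "NTPUse":      ("udp", {123},            ("None", "None", "Out",  "Both", "Both")),
    "OtherTCPUse": ("tcp", None,             ("None", "None", "Out",  "Out",  "Both")),
    "OtherUDPUse": ("udp", None,             ("None", "None", "Out",  "Both", "Both")),
}


def effective_pushbuttons(policy, overrides):
    """Policy defaults, with individually set pushbuttons keeping their value."""
    column = POLICIES.index(policy)
    settings = {name: row[2][column] for name, row in CHART.items()}
    settings.update(overrides)  # the retention rule from the text above
    return settings


def pushbutton_for(proto, port):
    """Named pushbutton covering this port, else the catch-all; flag says which."""
    for name, (chart_proto, ports, _) in CHART.items():
        if chart_proto == proto and ports and port in ports:
            return name, True
    return ("OtherTCPUse" if proto == "tcp" else "OtherUDPUse"), False


def filter_permits(rules, src, proto):
    """First matching (action, network, proto) rule decides; no match drops."""
    for action, net, rule_proto in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(net)
                and rule_proto in (proto, "ip")):
            return action == "permit"
    return False


def decide(path, proto, port, direction, src):
    """Return (allowed, reason) for a TCP/UDP packet travelling 'in' or 'out'."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    settings = effective_pushbuttons(path["SecurityPolicy"], path.get("pushbuttons", {}))
    name, named = pushbutton_for(proto, port)
    setting = settings[name]
    allowed = setting == "Both" or setting.lower() == direction
    reason = f"{name} = {setting}"
    side = direction.capitalize()  # "In" / "Out" selects the filter keywords
    # Allow Ports/Protocols: consulted only for ports no named pushbutton covers.
    allow_key = f"{proto.upper()}{side}Port"
    if not allowed and not named and port in path.get(allow_key, ()):
        allowed, reason = True, f"{allow_key} = {port}"
    # "Or" filters are checked only for traffic denied so far.
    if not allowed and path.get(f"OrFilter{side}"):
        if filter_permits(path[f"OrFilter{side}"], src, proto):
            allowed, reason = True, f"OrFilter{side} permit"
    # "And" filters are checked only for traffic permitted so far.
    if allowed and path.get(f"AndFilter{side}"):
        if not filter_permits(path[f"AndFilter{side}"], src, proto):
            allowed, reason = False, f"AndFilter{side} deny"
    return allowed, reason


# Constructed path (not one of the pre-set paths): Standard policy, WebUse set
# individually, UDP 8565 allowed in as in the page's example, Telnet denied by
# pushbutton but permitted in from one trusted network through an "Or" filter,
# and one inside network denied outbound by an "And" filter whose final rule
# is the recommended "permit 0.0.0.0 0.0.0.0 ip".
EXAMPLE_PATH = {
    "SecurityPolicy": "Standard",
    "pushbuttons": {"WebUse": "Both", "TelnetUse": "None"},
    "UDPInPort": {8565},
    "OrFilterIn": [("permit", "192.0.2.0/24", "tcp"), ("deny", "0.0.0.0/0", "ip")],
    "AndFilterOut": [("deny", "198.51.100.0/24", "ip"), ("permit", "0.0.0.0/0", "ip")],
}

if __name__ == "__main__":
    for packet in (("tcp", 80, "in", "203.0.113.5"), ("tcp", 23, "in", "192.0.2.7"),
                   ("tcp", 23, "in", "203.0.113.5"), ("udp", 8565, "in", "203.0.113.5"),
                   ("tcp", 443, "out", "198.51.100.9")):
        print(packet, "->", decide(EXAMPLE_PATH, *packet))
```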

OTHER PATH SETTINGS

SendTCPReset = [ On | Off ]

The SendTCPReset keyword sets whether the device will send a TCP reset message to the client when a TCP session has been rejected. The default is Off.

SynRejectOnly = [ On | Off ]

The SynRejectOnly keyword sets whether the device will limit itself to sending TCP reset messages only when a TCP packet containing the SYN flag has been rejected. This can be useful when ICMP redirects are being sent, which could cause sessions to terminate prematurely. The default is On.

SendICMPReset = [ On | Off ]

The SendICMPReset keyword sets whether the device will send an ICMP message to the client when an IP or UDP packet has been rejected. The default is Off.

ICMPtoTCPsession = [ On | Off ]

The ICMPtoTCPsession keyword sets whether the device will send an ICMP message to the client when a TCP packet has been rejected. This is in addition to sending a TCP reset message, if that has been enabled using the SendTCPReset keyword. The default is Off.

PermitEstTCP = [ On | Off ]

The PermitEstTCP keyword sets whether the path will permit TCP sessions for which the IntraGuard did not see the SYN flag. The SYN flag is included in the header of the first couple of TCP packets and indicates that a session is being established. Setting PermitEstTCP to On allows established connections to continue after rebooting the device, but it is also a less secure option. The default is Off.


ResetRedirects = [ On | Off ]

The ResetRedirects keyword sets whether the device will terminate sessions on a firewall path where ICMP redirects have been sent. ICMP redirects are generated when a device cannot route a packet correctly on its own. The effect can be that three firewall paths will be created to route the packet correctly, two of which will not be needed after the first packet gets delivered. The default is Off.

MinIPFragLen = Number

The MinIPFragLen keyword sets the minimum acceptable length of IP packets. Raising the minimum packet length can be useful in preventing "frag" attacks, which can take advantage of the use of partial header information in fragmented packets. The IntraGuard protects against overlapping fragmentation attacks, even when the MinIPFragLen is set to the minimum value of 40. Values may range between 40 and 1,500. The default is 40.

RejectSRCRoute = [ On | Off ]

The RejectSRCRoute keyword sets whether the device will reject source-routed IP packets. The default is On.


Examples

The following examples show the default path settings for the IntraGuard firewall.

[ Dynamic Firewall Path "Yellow-Red" ]
SecurityPolicy = Standard
InsideInterfaces = "Ether 1"
OutsideInterfaces = "Ether 2"
BGPUse = Outside
BSDUse = Outside
CompatiViewUse = Outside
DNSUse = Both
FTPUse = Outside
H323Use = Outside
ICMPUse = Outside
IPSecUse = Outside
IRCUse = Outside
LPRUse = Outside
MailUse = Both
NFSUse = Outside
NetBIOSUse = Outside
NewsUse = Outside
NonIPUse = Outside
OSPFUse = Outside
OtherTCPUse = Outside
OtherUDPUse = Outside
POPUse = Outside
RIPUse = Outside
RealAudioUse = Outside
SunRPCUse = Outside
TelnetUse = Outside
TFTPUse = Outside
TunnelUse = Outside
WebUse = Both
XWinUse = None
ISAKMPUse = Both
GopherUse = Out
NTPUse = Both
OtherTCPUse = Out
OtherUDPUse = Out
OtherUse = Out
SendTCPReset = On
SynRejectOnly = On
SendICMPReset = On
ICMPtoTCPsession = Off
PermitEstTCP = Off
ResetRedirects = Off
MinIPFragLen = 40
RejectSRCRoute = On
AndFilterOut =
AndFilterIn =
OrFilterOut =
OrFilterIn =

[ Dynamic Firewall Path "Green-Red" ]
SecurityPolicy = Standard
InsideInterfaces = "Ether 0"
InsideInterfaces = "Bridge"
OutsideInterfaces = "Ether 2"
BGPUse = Outside
BSDUse = Outside
CompatiViewUse = Outside
DNSUse = Outside
FTPUse = Outside
H323Use = Outside
IPSecUse = Outside
IRCUse = Outside
LPRUse = Outside
MailUse = Outside
NFSUse = Outside
NetBIOSUse = Outside
NewsUse = Outside
NonIPUse = Outside
OSPFUse = Outside
OtherTCPUse = Outside
OtherUDPUse = Outside
POPUse = Outside
RIPUse = Outside
RealAudioUse = Outside
SunRPCUse = Outside
TelnetUse = Outside
TFTPUse = Outside
TunnelUse = Outside
WebUse = Outside
XWinUse = None
ISAKMPUse = Out
GopherUse = Out
NTPUse = Both
OtherTCPUse = Out
OtherUDPUse = Out
OtherUse = Out
SendTCPReset = On
SynRejectOnly = On
SendICMPReset = On
ICMPtoTCPsession = Off
PermitEstTCP = Off
ResetRedirects = Off
MinIPFragLen = 40
RejectSRCRoute = On
AndFilterOut =
AndFilterIn =
OrFilterOut =
OrFilterIn =


[ Dynamic Firewall Path "Green-Yellow" ]
SecurityPolicy = Lenient
InsideInterfaces = "Ether 0"
InsideInterfaces = "Bridge"
OutsideInterfaces = "Ether 1"
BGPUse = Outside
BSDUse = Outside
CompatiViewUse = Both
DNSUse = Both
FTPUse = Both
H323Use = Outside
ICMPUse = Outside
IPSecUse = Both
IRCUse = Outside
LPRUse = Outside
MailUse = Both
NFSUse = Outside
NetBIOSUse = Outside
NewsUse = Outside
NonIPUse = Outside
OSPFUse = Outside
OtherTCPUse = Outside
OtherUDPUse = Outside
POPUse = Outside
RIPUse = Outside
RealAudioUse = Outside
SunRPCUse = Outside
TelnetUse = Outside
TFTPUse = Outside
TunnelUse = Outside
WebUse = Both
XWinUse = Inside
ISAKMPUse = Out
GopherUse = Out
NTPUse = Out
OtherTCPUse = Out
OtherUDPUse = Both
OtherUse = Both
SendTCPReset = On
SynRejectOnly = On
SendICMPReset = On
ICMPtoTCPsession = Off
PermitEstTCP = Off
ResetRedirects = Off
MinIPFragLen = 40
RejectSRCRoute = On
AndFilterOut =
AndFilterIn =
OrFilterOut =
OrFilterIn =


In the following example, an application which uses UDP port 8565 is allowed in and TCP sessions for which the firewall has not seen the SYN flag will be allowed.

[ Dynamic Firewall Path "Green-Red" ]
UDPInPort = 8565
PermitEstTCP = On

See Also

[ Dynamic Firewall Globals ], [ Dynamic Firewall Logging ], [ IP Filter <Name> ], firewall(show)


[ Ethernet Interface <Section ID> ]


This section configures the serial characteristics of the device’s 10/100BaseT Ethernet interface(s). This section does not apply to standard 10 Mbps Ethernet interfaces. Keywords recognized in this section are described below.

Speed = [ 10meg | 100meg | Auto ]

The Speed keyword provides a way to manually set the speed at which the interface will operate. Normally, the 10/100BaseT interface will autonegotiate the speed with the Ethernet hub or switch. If the autonegotiation is unsuccessful, this keyword can be used to force the setting. The default is Auto.

Duplex = [ Full | Half | Auto ]

The Duplex keyword provides a way to manually configure whether the interface will operate in full duplex or half duplex mode. Normally, the 10/100BaseT interface will autonegotiate with the Ethernet hub or switch. If the autonegotiation is unsuccessful, this keyword can be used to force the setting. In Full duplex mode, the interface can successfully transmit data at the same time the switch is transmitting data, which effectively doubles the possible transmission speed. Full duplex requires the use of Category 5 cable and an Ethernet switch which supports full duplex. In Half duplex mode, data can only be transmitted in one direction (by the interface or by the hub) at a given time. The default is Auto.

Examples

In the following example, the Ethernet interface will be forced to 100 Mbps and half duplex mode.

[ Ethernet Interface Ethernet 0 ]
Speed = 100meg
Duplex = Half

See Also

ethernet(show)


[ Frame Relay <Section ID> ]

This section is used to configure Frame Relay parameters for either the interface specified or for multiple interfaces using the default sections as explained in Appendix A. The keywords in this section are described below.

MaintProtocol = [ AnnexD | AnnexA | LMI | Static ]

The MaintProtocol keyword allows you to specify which Frame Relay maintenance protocol is used on the WAN interface. The maintenance protocol is used to send link status and virtual circuit information between Frame Relay switches and other devices (such as routers) that communicate with them. AnnexD is an ANSI standard and is the most commonly used standard in the United States. AnnexD is the default maintenance protocol. AnnexA is a CCITT European standard. LMI was developed by a vendor consortium and is also known as the "consortium" management interface specification. It is still used by some carriers in the United States. Static is a method for using WAN broadcast media (e.g., satellite ground stations) to emulate a Frame Relay network. Do not use this setting for normal Frame Relay switch communications.

PollingFrequency = Number

The PollingFrequency keyword specifies the interval at which the router polls the Frame Relay switch using the maintenance protocol you have selected. The router is required to periodically poll the Frame Relay switch at the remote end of the communications link in order to determine whether the link is active. If any three out of four polls go unanswered by the switch, the router will assume the Frame Relay link is down. Every sixth poll, the router requests a full status packet from the switch in order to update its table of active permanent virtual circuits. The interval is specified in seconds and must be between 5 and 30. The default is 10.

MTU = Number

The keyword MTU allows the MTU (Maximum Transfer Unit) to be configured for the Frame Relay connection. The MTU value must be between 262 and 1700 bytes (except for the MicroRouter 900i and MicroRouter 1000R; the MTU value for these units must be between 262 and 1500 bytes). The default is 1500.

HomeDLCI = Number

The HomeDLCI keyword allows the specification of a DLCI (Data Link Connection Identifier) number for the link when the maintenance protocol is Static. The number is the DLCI value for the router being configured. Each router attached to the emulated network must have a unique DLCI.

DLCI = StringThe keyword DLCI specifies how a network protocol address is mapped to a DLCI on the Frame Relay PVC (Permanent Virtual Circuit). Based on information exchanged between the router and the Frame Relay switch through the maintenance protocol, the router will know the hardware address (the DLCI in this case) but not the protocol address of the remote end of a new PVC. For the PVC to be usable, the router must map the protocol address to the DLCI address either stati-cally or dynamically. The default mapping for all protocols is IARP (Inverse ARP), which allows dynamic mapping and is more flexible and easier to configure than static mapping. IARP, as documented in RFC 1293, functions much like ARP in that when a PVC is first signalled, the Frame Relay station sends out an address request packet. IARP differs from ARP in that the request is for the protocol address rather than the hardware address and is targeted rather than broadcast. When the far end of the PVC receives the request, it replies with the targeted protocol address and the PVC is usable. If a station with multiple protocol addresses assigned to a single interface receives an IARP request, it replies with the host address. This address must be within the requesting station’s subnet. If the two stations aren’t on the same subnet, the receiving station won’t respond and the PVC will remain unusable.

DLCI also allows you to create static mappings for the different protocols by specifying the protocol address. The string has the following format:

<DLCI Number> IP=[<IPAddr>|IARP] Apple=[<Net:Node>|IARP] IPX=[<Net:Node>|IARP] DECnet= [<Area.Node>|IARP]

DLCI Number is the decimal address (16-991) which uniquely identifies this end of a PVC. A DLCI number will be provided to you by your Frame Relay carrier for each end of each PVC. The protocols' keywords are used to specify which protocols are being mapped. Possible values are: IP, IPX, Apple or DECnet. When static addressing is used, the protocol addresses for the different protocols have the following formats:

The IPAddr is the IP address at the remote end of the PVC. It should be a dotted decimal IP address (i.e., 10.1.1.1). If the interface is subnetted, both ends of the PVC must be mapped within the same IP subnet. Static mapping must be used with an IP subinterface (i.e., virtual ports) implementation, because IARP can only resolve a physical port, not a logical subinterface on that port.

The Apple arguments Net:Node are a combination of the AppleTalk net and node numbers of the router’s WAN interface at the remote end of the PVC (i.e., 33333:2). Net is a decimal AppleTalk net number in the range 1-65279. Node is a decimal AppleTalk node number in the range 1-253.

The IPX arguments Net:Node are the IPX net and node numbers of the router’s WAN interface at the remote end of the PVC (i.e., FACE0FF:0.0.A5.0.0.1). Net is a hex IPX net number in the range 1-FFFFFFFE. The Node number is an IPX node number specified as a 6-byte hex number separated by dots (.) and represents an Ethernet address.

Note: The IPX node address at the remote end is generally a "borrowed" Ethernet address from one of the remote router’s Ethernet interfaces. There is no addressing conflict because the actual Ethernet interface is on a network with a different IPX network number.

The DECnet arguments Area.Node are the DECnet area and node numbers of the router at the remote end of the PVC (i.e. 1.2). The Area is a DECnet area in the range 1-63. The Node number is a DECnet node number in the range 1-1023. The DECnet Area.Node pair is traditionally separated by a dot rather than a colon. The DLCI keyword is valid for port-specific Section ID sections only. It cannot be specified in a default section.
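The mapping grammar and the address ranges given above can be checked mechanically before a configuration is loaded. The following Python is an added example, not code from the Compatible Systems manual or firmware: it parses one DLCI mapping string into its per-protocol entries and validates each against the ranges quoted in this section (DLCI 16-991, AppleTalk net 1-65279 and node 1-253, IPX net 1-FFFFFFFE hex with a 6-byte dotted-hex node, DECnet area 1-63 and node 1-1023). The function name and the returned (dlci, mappings) shape are my own; an IARP value is accepted without further checking because the address is then resolved by Inverse ARP.

```python
import ipaddress
import re

# Ranges quoted from the DLCI keyword description in this section.
DLCI_MIN, DLCI_MAX = 16, 991
APPLE_NET_MAX, APPLE_NODE_MAX = 65279, 253
IPX_NET_MAX = 0xFFFFFFFE
DECNET_AREA_MAX, DECNET_NODE_MAX = 63, 1023


def _check_ip(value):
    # The remote end of the PVC must be a dotted-decimal IPv4 address.
    try:
        ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        raise ValueError(f"IP address {value!r} is not dotted decimal") from None


def _check_apple(value):
    # AppleTalk Net:Node, both decimal.
    m = re.fullmatch(r"(\d+):(\d+)", value)
    if not m or not (1 <= int(m[1]) <= APPLE_NET_MAX and 1 <= int(m[2]) <= APPLE_NODE_MAX):
        raise ValueError(f"AppleTalk address {value!r} is not Net:Node within range")


def _check_ipx(value):
    # IPX Net:Node; net is hex, node is six dot-separated hex bytes (an Ethernet address).
    m = re.fullmatch(r"([0-9A-Fa-f]{1,8}):((?:[0-9A-Fa-f]{1,2}\.){5}[0-9A-Fa-f]{1,2})", value)
    if not m or not (1 <= int(m[1], 16) <= IPX_NET_MAX):
        raise ValueError(f"IPX address {value!r} is not Net:Node within range")


def _check_decnet(value):
    # DECnet Area.Node, both decimal, separated by a dot rather than a colon.
    m = re.fullmatch(r"(\d+)\.(\d+)", value)
    if not m or not (1 <= int(m[1]) <= DECNET_AREA_MAX and 1 <= int(m[2]) <= DECNET_NODE_MAX):
        raise ValueError(f"DECnet address {value!r} is not Area.Node within range")


CHECKS = {"IP": _check_ip, "Apple": _check_apple, "IPX": _check_ipx, "DECnet": _check_decnet}


def parse_dlci_mapping(text):
    """Parse one DLCI mapping such as
    'DLCI=16 IP=10.1.1.1 IPX=DEAF:0.0.A5.0.0.1 Apple=10:1 DECnet=1.2'
    into (dlci, {protocol: address or 'IARP'}); raise ValueError on any
    syntax or range problem. Whitespace around '=' is tolerated."""
    tokens = re.sub(r"\s*=\s*", "=", text.strip()).split()
    if not tokens or not tokens[0].startswith("DLCI="):
        raise ValueError("mapping must start with DLCI=<number>")
    dlci_text = tokens[0][len("DLCI="):]
    if not dlci_text.isdigit() or not DLCI_MIN <= int(dlci_text) <= DLCI_MAX:
        raise ValueError(f"DLCI {dlci_text!r} is not a decimal number in {DLCI_MIN}-{DLCI_MAX}")
    mappings = {}
    for tok in tokens[1:]:
        proto, sep, value = tok.partition("=")
        if not sep or proto not in CHECKS:
            raise ValueError(f"unknown protocol keyword in {tok!r}")
        if proto in mappings:
            raise ValueError(f"{proto} is mapped twice")
        if value != "IARP":            # IARP defers resolution to Inverse ARP at PVC signalling
            CHECKS[proto](value)
        mappings[proto] = value
    return int(dlci_text), mappings


if __name__ == "__main__":
    # The static-mapping example from this section's Examples.
    print(parse_dlci_mapping("DLCI=16 IP=10.1.1.1 IPX=DEAF:0.0.A5.0.0.1 Apple=10:1 DECnet=1.2"))
```

A mapping that fails validation raises ValueError with the offending field, which is more useful than discovering an unusable PVC after the fact.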

Compress = [ FRF.9_STAC | Off ]

The Compress keyword specifies whether Stac LZS compression will be used. LZS compression uses an algorithm to build a history of frequently repeated groups of 8-bit characters and creates shorter bit patterns to represent them. Compatible Systems’ current implementation of LZS does not support more than one history. It uses a sequence number and LCB (Longitudinal Check Byte) for error detection. By choosing the Off option, compression is disabled. The default is Off.

PollingFrequency = Number

The PollingFrequency keyword specifies the interval at which the router polls the Frame Relay switch using the maintenance protocol you have selected. The router is required to periodically poll the Frame Relay switch at the remote end of the communications link in order to determine whether the link is active. If any three out of four polls go unanswered by the switch, the router will assume the Frame Relay link is down. Every sixth poll, the router requests a full status packet from the switch in order to update its table of active permanent virtual circuits. The interval is specified in seconds and must be between 5 and 30. The default is 10.

Examples

Set DLCI 16 to Inverse ARP IP on the link.

DLCI=16 IP=IARP

Set DLCI 16 to Inverse ARP all protocols recognized on the link.

DLCI=16 IP=IARP IPX=IARP Apple=IARP DECnet=IARP

Set DLCI 16 to map the protocols to the addresses shown.

DLCI=16 IP=10.1.1.1 IPX=DEAF:0.0.A5.0.0.1 Apple=10:1 DECnet=1.2

See Also

[ Link Config <Section ID> ], [ IP <Section ID> ], frelay(show), Appendix A

[ General ]

This section is used to modify global device parameters such as the device name, password, route filters, and other informational data. Keywords recognized in this section are described below.

DeviceName = String

The DeviceName keyword sets the system name. The maximum name length is 32 characters.

Password = String

The Password keyword is used to set the device password. The password is required for logging into the device using a console or as a telnet client. This login level will allow a user to display tables and statistics, but does not permit a user to view or make any changes to the configuration. The password is stored as clear text and may have a maximum length of 8 characters.

EnablePassword = String

The EnablePassword keyword is used to set the password which enables supervisor mode. The password is required for viewing or making changes to the device’s configuration. If no EnablePassword is created, then the Password will be used. The password is stored as clear text and may have a maximum length of 8 characters.

RadiusLogin = [ On | Off ]

The RadiusLogin keyword allows telnet and console logins to be authenticated with a RADIUS server. If RadiusLogin is On, the device will not perform internal password authentication using the Password or the EnablePassword. Only RADIUS authentication will be done, so communication with a RADIUS server must be set up using the [ Radius ] section. The RadiusShowName and RadiusEnableName keywords must also be set and the RADIUS server must have two password and name pairs configured so that the two different levels of access can be provided. The default is Off.

RadiusShowName = String

The RadiusShowName keyword sets the user name which will be sent to a RADIUS server for authentication. If this name and the entered password are validated, then the user will be able to display statistics and tables, but will not be able to view or make changes to the configuration. The string may be between 1 and 16 characters.

RadiusEnableName = String

The RadiusEnableName keyword sets the user name which will be sent to a RADIUS server for authentication. If this name and the entered password are validated, then the user will be able to view and make changes to the configuration. The string may be between 1 and 16 characters.


TelnetFilter = String

The TelnetFilter keyword allows a named set of IP packet filtering rules to be applied to all Telnet packets which come into the device. This can be used to block unauthorized Telnet access to the device. Any packet not explicitly allowed by the rule set is dropped silently. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then no filtering takes place. This feature can be used to turn off a filter set (or sets) without deleting the keyword. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

ANSPCompatible = [ On | Off ]

The ANSPCompatible keyword allows the device to be configured for networks where earlier versions of Compatible Systems' Macintosh-based security "INIT" (called ENS in those versions) are still in use. With compatibility On, both ANSP and ENS Macintosh "CDEVs" will operate correctly on the network. Slightly more network traffic will be generated during network name lookups using this option.

AppleTalkPhase2Timeout = Number

The AppleTalkPhase2Timeout keyword is used to set the timeout for the AARP (Apple Address Resolution Protocol) address claim probes made at device startup time. The value specified will be added to the standard 2 seconds. This may be necessary on AppleTalk networks which include WAN bridges. On these networks, it may take longer than 2 seconds for a node on the far side of a WAN bridge connection (logically still on the same AppleTalk internet) to respond to an AARP address claim made by the device, therefore leaving an opportunity for a duplicate address to be used by the device.

IPBlockSourceRouting = [ On | Off ]

The IPBlockSourceRouting keyword is used to block source-routed IP packets through the device.

IPLogSourceRouting = [ On | Off ]

The IPLogSourceRouting keyword is used to log source-routed packets that have been blocked. This keyword is only valid if the IPBlockSourceRouting keyword has been enabled.

IPRouteFilters = String

The IPRouteFilters keyword is used to set the IP Route filter list. More than one filter may be listed in the value for this keyword, but only one keyword may exist in the configuration. IP route filtering rules are specified in the [ IP Route Filter <Name> ] section.


IPXRouteFilters = String

The IPXRouteFilters keyword is used to set the IPX Route filter list. More than one filter may be listed in the value for this keyword, but only one keyword may exist in the configuration. IPX route filtering rules are specified in the [ IPX Route Filter <Name> ] section.

IPXSAPFilters = String

The IPXSAPFilters keyword is used to set the IPX SAP filter list. More than one filter may be listed in the value for this keyword, but only one keyword may exist in the configuration. IPX SAP filtering rules are specified in the [ IPX SAP Filter <Name> ] section.

RIPv2Password = String

The RIPv2Password keyword sets the password used to authenticate IP routing information sent and received by RIP version 2. The string may be between 1 and 16 characters.

ConfiguredOn = String

The ConfiguredOn keyword is set by the device to the current time when a configuration is saved. If no time server is configured, the device will set the string to "Time server not configured." (See the [ Time Server ] section.)

ConfiguredFrom = String

The ConfiguredFrom keyword is set by the device when a configuration is saved.

ConfigFile = String

The ConfigFile keyword is set by the management software and exists for informational purposes only. It can be used to help track the source (e.g., a file name) of a configuration.

DeviceType = String

The DeviceType keyword is set by the device when a configuration is saved. It is needed by CompatiView to determine what type of device a configuration is for.

IPSecGateway = IP Address

The IPSecGateway keyword specifies the IP address that will be used as the gateway to the Internet for IPSec traffic. This keyword may only be used on multi-Ethernet VPN Access Servers (e.g., the IntraPort 2/2+). For those devices, this keyword is required only when the device is set to operate in parallel with your existing firewall as the IPSec component of your security system. There is no default value.


Examples

The following example shows a default General section.

[ General ]
DeviceType = MicroRouter 2220R
ConfiguredOn = 02/28/99 14:54:40
ConfiguredFrom = Command Line, from Console
DeviceName = "INI Old Router"
Password = letmein

The following example shows a device which has RADIUS authentication enabled.

[ General ]
DeviceType = MicroRouter 2220R
ConfiguredOn = 03/30/99 16:33:27
ConfiguredFrom = Command Line, from Console
DeviceName = "ROR 2220"
RadiusLogin = On
RadiusShowName = LRicardo
RadiusEnableName = Lucy

See Also

[ Radius ], [ IP Route Filter <Name> ], [ IPX Route Filter <Name> ], [ IPX SAP Filter <Name> ], version(show), [ Time Server ]
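The access-control keywords of this section interact: the Password alone unlocks supervisor mode when no EnablePassword exists, both passwords are saved in clear text with an 8-character cap, RadiusLogin = On requires both RADIUS names, an empty TelnetFilter means no filtering, and IPLogSourceRouting is only valid with IPBlockSourceRouting enabled. The following Python is an added example, not part of the manual or the device software: it parses a [ General ] section in the text format shown above and reports where those rules are violated or where a weaker-than-necessary setting is in effect. The parser, the audit function and the severity labels are my own; the two sample sections are the ones from the Examples above.

```python
MAX_DEVICE_NAME = 32     # limits stated in the keyword descriptions of this section
MAX_PASSWORD = 8
MAX_RADIUS_NAME = 16


def parse_section(text):
    """Turn the 'Keyword = Value' lines of one text-configuration section into a dict.
    The [ Name ] header is skipped and surrounding double quotes are stripped from values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def audit_general(text):
    """Check a [ General ] section against the rules in this chapter and return
    a list of (severity, message) findings; an empty list means nothing to report."""
    s = parse_section(text)
    findings = []

    def is_on(key):
        return s.get(key, "Off").lower() == "on"

    if len(s.get("DeviceName", "")) > MAX_DEVICE_NAME:
        findings.append(("error", f"DeviceName is longer than {MAX_DEVICE_NAME} characters"))

    for key in ("Password", "EnablePassword"):
        if key in s:
            # Both passwords are stored as clear text in the saved configuration.
            findings.append(("info", f"{key} is present in clear text"))
            if len(s[key]) > MAX_PASSWORD:
                findings.append(("error", f"{key} is longer than {MAX_PASSWORD} characters"))

    if is_on("RadiusLogin"):
        # Internal password checks are skipped; both RADIUS names must exist (1-16 characters).
        for key in ("RadiusShowName", "RadiusEnableName"):
            if not 1 <= len(s.get(key, "")) <= MAX_RADIUS_NAME:
                findings.append(("error", f"RadiusLogin is On but {key} is missing or not 1-{MAX_RADIUS_NAME} characters"))
    elif "Password" in s and "EnablePassword" not in s:
        # Without an EnablePassword the login Password also unlocks supervisor mode.
        findings.append(("warn", "No EnablePassword: the Password alone grants supervisor mode"))

    if not s.get("TelnetFilter"):
        findings.append(("warn", "No TelnetFilter: incoming Telnet is not filtered"))

    if is_on("IPLogSourceRouting") and not is_on("IPBlockSourceRouting"):
        findings.append(("error", "IPLogSourceRouting is only valid with IPBlockSourceRouting = On"))

    return findings


# The two sample sections from the Examples above, used here as audit input.
DEFAULT_SECTION = """[ General ]
DeviceType = MicroRouter 2220R
ConfiguredOn = 02/28/99 14:54:40
ConfiguredFrom = Command Line, from Console
DeviceName = "INI Old Router"
Password = letmein
"""

RADIUS_SECTION = """[ General ]
DeviceType = MicroRouter 2220R
ConfiguredOn = 03/30/99 16:33:27
ConfiguredFrom = Command Line, from Console
DeviceName = "ROR 2220"
RadiusLogin = On
RadiusShowName = LRicardo
RadiusEnableName = Lucy
"""

if __name__ == "__main__":
    for name, section in (("default", DEFAULT_SECTION), ("radius", RADIUS_SECTION)):
        print(f"--- {name}")
        for severity, message in audit_general(section):
            print(f"{severity:5} {message}")
```

Run against the default example this reports the clear-text Password, the missing EnablePassword and the absent TelnetFilter; the RADIUS example only lacks a TelnetFilter.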

[ HSSI Interface <Section ID> ]

This section sets configuration parameters for the specified HSSI WAN interface. The HSSI interface has a data capacity of 44.736 Mbps (referred to as Data Speed 3 or DS3). Keywords recognized in this section are described below.

Clocking = [ Internal | External ]

The Clocking keyword configures whether the interface will use its own internal clock or obtain the clock from the DCE to use for the interface’s transmit signal towards the network. In Internal mode, an internal 33 Mb clock is used. Internal clocking should only be used when testing between two back-to-back HSSI ports connected via a NULL-modem cable. In External mode, the clock provided by the DCE (usually a CSU/DSU) is used. Always use external clocking when attached to a CSU/DSU. The default is External mode. Verify this setting with your ISP.

CRC = [ 16 bit | 32 bit ]

The CRC keyword configures whether the DSU will use a 16-bit or 32-bit frame check sequence. Both ends of a DS3 connection must use the same CRC (Cyclical Redundancy Check) setting. The default is 16 bit.

Examples

[ HSSI Interface Wan 0 ]
Clocking = External
CRC = 16 bit

See Also

[ Link Config <Section ID> ], wan hssi(set), wan(show)

[ IKE Policy]

This section is used to set certain Internet Security Association Key Management Protocol/Internet Key Exchange (ISAKMP/IKE) parameters for an IntraPort VPN Access Server or VPN router. These settings control how the IntraPort server and client or LAN-to-LAN tunneling devices will initially identify and authenticate each other so that tunnel sessions can then be established. This initial negotiation is referred to as Phase 1. Phase 2 IKE negotiation sets how the IntraPort server and client will handle individual tunnel sessions. Phase 2 IKE negotiation parameters for the IntraPort Client and server are set in the [ VPN Group <Name> ] section. Phase 2 negotiation parameters for LAN-to-LAN tunnels may be set in the [ Tunnel Partner <Section ID> ] section. These Phase 1 security parameters are global to the device and are not associated with a particular interface. Keywords recognized in this section are described below.

Protection = [ MD5_DES_G1 | MD5_3DES_G1 | MD5_DES_G2 | MD5_3DES_G2 | MD5_DES_G5 | MD5_3DES_G5 | SHA_DES_G1 | SHA_3DES_G1 | SHA_DES_G2 | SHA_3DES_G2 | SHA_DES_G5 | SHA_3DES_G5 ]

The Protection keyword specifies a protection suite for the ISAKMP/IKE negotiation between the IntraPort server and client, or between VPN routers which have been configured as LAN-to-LAN tunneling devices. This keyword may appear multiple times within this section, in which case the IntraPort server or VPN router will propose all of the specified protection suites. The IntraPort client or tunnel peer will accept one of the options for the negotiation.

The first piece of each option is the authentication algorithm to be used for the negotiation. MD5 is the message-digest 5 hash algorithm. SHA is the Secure Hash Algorithm, which is considered to be somewhat more secure than MD5.

The second piece is the encryption algorithm. DES (Data Encryption Standard) uses a 56-bit key to scramble the data. 3DES (Triple DES) uses three different keys and three applications of the DES algorithm to scramble the data.

The third piece is the Diffie-Hellman group to be used for key exchange. Because larger numbers are used by the Group 2 (G2) algorithm, it is more secure than Group 1 (G1). Group 5 (G5) uses a 1536-bit algorithm and is more secure than Group 1 or Group 2.

PPTPAuth = [ PAP | CHAP | MSCHAP1 | MSCHAP2 ]

This keyword specifies ONLY one allowed method of authentication for PPTP client connections. If PAP is specified, clear text passwords are passed. If CHAP is specified, MD5 hashes, or "signatures" are used to authenticate passwords. If MSCHAP1 is specified, Microsoft Challenge Authentication Protocol version 1, which uses a hash, will be used to authenticate. If MSCHAP2 is specified, Microsoft Challenge Authentication Protocol version 2 will be used to authenticate.

Note: We recommend that you check to see which protocols are supported by your client before making your selection.

Examples

[ IKE Policy]
Protection = MD5_DES_G1
Protection = SHA_3DES_G5

See Also

[ VPN Group <Name> ], [ Tunnel Partner <Section ID> ]
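Because the server proposes every listed Protection suite and the peer picks one, the security floor of the Phase 1 negotiation is set by the weakest suite in the list, not the strongest. The following Python is an added example, not part of the manual or the IntraPort software: it parses the Protection values of an [ IKE Policy ] section into (hash, cipher, group), orders them using the relative strengths stated in the text (SHA over MD5, 3DES over DES, G5 over G2 over G1), and reports the weakest proposal together with the components that make it weak. The ordering of the three dimensions in the sort key and all function names are my own choices; the sample section is the one from the Examples above.

```python
import re

# Relative strength as the Protection description puts it: SHA over MD5,
# 3DES over DES, and Diffie-Hellman group 5 over group 2 over group 1.
HASH_RANK = {"MD5": 0, "SHA": 1}
CIPHER_RANK = {"DES": 0, "3DES": 1}
GROUP_RANK = {"G1": 0, "G2": 1, "G5": 2}


def parse_suite(name):
    """Split a Protection value such as 'SHA_3DES_G5' into (hash, cipher, group)."""
    m = re.fullmatch(r"(MD5|SHA)_(3?DES)_(G[125])", name)
    if not m:
        raise ValueError(f"{name!r} is not one of the twelve Protection suites")
    return m.group(1), m.group(2), m.group(3)


def suite_rank(name):
    """Sortable strength key; ranking cipher first, then group, then hash is my own choice."""
    h, c, g = parse_suite(name)
    return (CIPHER_RANK[c], GROUP_RANK[g], HASH_RANK[h])


def weak_components(name):
    """Name the weakest option present in each position of a suite, using the
    manual's own characterisations (DES 56-bit key, MD5 below SHA, G1 below G2/G5)."""
    h, c, g = parse_suite(name)
    notes = []
    if c == "DES":
        notes.append("DES (56-bit key)")
    if h == "MD5":
        notes.append("MD5")
    if g == "G1":
        notes.append("Diffie-Hellman group 1")
    return notes


def proposed_suites(section_text):
    """Every Protection = ... value in an [ IKE Policy ] section, in file order."""
    suites = []
    for line in section_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Protection":
            suites.append(value.strip())
    return suites


def weakest_offered(section_text):
    """The peer may settle on any proposed suite, so the negotiation floor is the
    weakest one listed. Returns (suite, weak_components) or (None, []) when
    nothing is proposed."""
    suites = proposed_suites(section_text)
    if not suites:
        return None, []
    weakest = min(suites, key=suite_rank)
    return weakest, weak_components(weakest)


# The Examples section above, as sample input.
SAMPLE_POLICY = """[ IKE Policy]
Protection = MD5_DES_G1
Protection = SHA_3DES_G5
"""

if __name__ == "__main__":
    suite, notes = weakest_offered(SAMPLE_POLICY)
    print("weakest proposed suite:", suite, "->", ", ".join(notes) or "no weak components")
```

For the sample policy the answer is MD5_DES_G1: listing SHA_3DES_G5 alongside it does not raise the floor, because a peer is free to choose the first.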

[ IP Loopback ]

This section allows a Loopback address to be specified for the router. This is used only by the BGP protocol. The keywords recognized in this section are described below.

LoopbackAddress = IP Address

The LoopbackAddress keyword specifies the IP address of the Loopback interface on the router. This can be used to provide a separate IP address for the router which is not tied to one of its IP interfaces. The IP address is specified in standard dotted-decimal notation.

Examples

[ IP Loopback ]
LoopbackAddress = 192.168.55.23

See Also [ BGP Peer Config <Name> ]

[ IP Protocol Precedence ]

This section sets the precedence order the router will follow in including routes in its routing table when multiple IP routing protocols are in use on the network. The keywords recognized in this section are described below.

Precedence = [ ospf rip static | ospf static rip | rip ospf static | rip static ospf | static ospf rip | static rip ospf ]

The Precedence keyword sets the precedence order for including OSPF, RIP and static routes in its routing table. If a router has OSPF, RIP and Static route advertisements for the same IP route, this keyword allows it to make a determination as to which route to install in its IP routing table. This section is only relevant if there is more than one possible route to a destination. For example, if there are no OSPF or RIP routes to a destination but there is a static route, that route will be installed even if the precedence is ospf rip static. If there is a configured static route to a destination for which there was a RIP or OSPF route with greater precedence, that static route will be automatically re-installed if the RIP/OSPF route goes away. For BGP-capable routers, BGP will always be first in the precedence order.

Note: An exception to the precedence rule is an OSPF external (i.e., type ASE) route. OSPF external routes will be overwritten by a RIP or static route, regardless of the precedence. This is because OSPF external routes originally come from another protocol, usually RIP or static. If the router is running both RIP and OSPF, but another router on the network is redistributing RIP into OSPF, the RIP routes would be overwritten by OSPF external routes without this exception. In order to get the RIP routes via OSPF external routes, simply turn off the RIPin keyword in the [ IP <Section ID> ] on the router, and it will then install the routes as OSPF externals.

Examples

[ IP Protocol Precedence ]
Precedence = ospf rip static

See Also

[ IP <Section ID> ], [ OSPF Area <Name> ], [ IP Route Redistribution ], [ IP Static ]
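The selection rule described in this section has several interacting parts: the configured order, BGP always first on BGP-capable routers, a lone candidate being installed regardless of its position, the OSPF external (ASE) exception, and a static route returning automatically when the preferred RIP or OSPF route disappears. The following Python is an added example, not the router's own implementation, that models those rules for a single destination so the outcome of a given Precedence value can be reasoned about. The source names ('ospf-external' in particular), the function names and the constructed next-hop addresses are my own.

```python
PRECEDENCE_PROTOCOLS = ("ospf", "rip", "static")


def parse_precedence(value):
    """Validate a Precedence keyword value such as 'ospf rip static': the three
    protocol names, each exactly once, in any of the six permitted orders."""
    order = value.lower().split()
    if sorted(order) != sorted(PRECEDENCE_PROTOCOLS):
        raise ValueError(f"Precedence must list ospf, rip and static once each, got {value!r}")
    return order


def select_route(candidates, precedence, bgp_capable=False):
    """Choose the route to install for one destination.

    candidates maps a source to its next hop; sources are 'bgp', 'ospf',
    'ospf-external', 'rip' and 'static'. Rules as the section describes them:
    BGP is always first on a BGP-capable router; otherwise the configured
    order decides; an OSPF external (ASE) route is overwritten by a RIP or
    static route regardless of the order; a lone candidate is installed no
    matter where its protocol sits in the order. Returns (source, next_hop)
    or None when there is nothing to install."""
    if bgp_capable and "bgp" in candidates:
        return "bgp", candidates["bgp"]
    pool = {src: hop for src, hop in candidates.items() if src != "bgp"}
    if "ospf-external" in pool and ("rip" in pool or "static" in pool):
        del pool["ospf-external"]          # the documented exception to the precedence rule
    for proto in precedence:
        if proto in pool:
            return proto, pool[proto]
        if proto == "ospf" and "ospf-external" in pool:
            return "ospf-external", pool["ospf-external"]
    return None


def reconverge(candidates, precedence, withdrawn, bgp_capable=False):
    """Drop a source that went away (e.g. a RIP route timing out) and re-run
    selection; this is how a configured static route comes back automatically."""
    remaining = {src: hop for src, hop in candidates.items() if src != withdrawn}
    return select_route(remaining, precedence, bgp_capable)


if __name__ == "__main__":
    order = parse_precedence("ospf rip static")
    # Constructed next hops for one destination learned from two sources.
    learned = {"rip": "10.0.0.3", "static": "10.0.0.1"}
    print("installed:", select_route(learned, order))                   # RIP wins under this order
    print("after RIP withdraws:", reconverge(learned, order, "rip"))    # static is re-installed
```

Note that with the order ospf rip static an OSPF external route still loses to a static route, which is exactly the case the Note above describes.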

[ IP Route Redistribution ]

This section sets global configuration parameters which allow the redistribution of routes from one dynamic IP routing protocol into another. This allows the RIP, OSPF and BGP protocols to co-exist and exchange routing information. Redistribution of static routes can be set using the [ IP Protocol Precedence ] section.

Note: Route redistribution is global to the device. For instance, if a router is running OSPF on Wan 0 and Ethernet 0 and RIP on Ethernet 1, setting the RIPtoOSPF keyword to On will cause the router to advertise its RIP routes to all its OSPF neighbors on Wan 0 and Ethernet 0. In order to exclude external advertisements into Ethernet 0 in this example, you would need to configure Ethernet 0 as an OSPF Stub Area using the [ OSPF Area <Name> ] section. Individual routes may be excluded from redistribution with IP Route Filters using the [ IP Route Filter <Name> ] section, or, in the case of OSPF or RIP into BGP, using the [ BGP Route Map <Name> ] section.

The keywords recognized in this section are described below.

OSPFRouteAggregation = [ On | Off ]

The OSPFRouteAggregation keyword sets whether static and RIP routes will be consolidated along class boundaries before they are advertised into OSPF. If the router has a split subnet coming into the device from different interfaces, OSPFRouteAggregation should be set to Off.

Note: Aggregation of BGP routes is done using the [ BGP Aggregates ] section; OSPFRouteAggregation is only used for importing static and RIP routes into OSPF.

RIPToOSPF = String

The RIPToOSPF keyword sets whether the router will redistribute RIP routes into the OSPF routing domain. The string has the following syntax:

True | False [ 1 | 2 <metric> ]

True | False

This parameter sets whether the router will redistribute RIP routes into OSPF.

1 | 2 <metric>

This optional parameter allows the metric, or cost, on the two types of external OSPF routes to be incremented or decremented. The cost of a type 2 route is simply the external cost, regardless of the interior (i.e., within OSPF) cost to reach that route. A type 1 cost is the sum of both the external cost and the internal cost used to reach that route. The default is type 2. The metric parameter sets the external cost to be used. The value can be a number between 1 and 32,767. The default is 10.

Note: For a type 1 route, the internal costs along the routing path will be added to this cost to get the total cost of the route.


DefaultIntoOSPF = String

The DefaultIntoOSPF keyword sets whether the router will redistribute default routes into the OSPF routing domain. The string has the following syntax:

True | False [ 1 | 2 <metric> ]

True | False

This parameter sets whether the router will redistribute default routes into OSPF. Redistributing a static or RIP default route into OSPF is specified separately, due to the special nature of a default route. If this is not set, or if False is specified, a RIP or BGP default route will not be advertised into the OSPF domain even if non-default routes from that protocol are being redistributed.

1 | 2 <metric>

This optional parameter allows the metric, or cost, on the two types of external OSPF routes to be incremented or decremented. The cost of a type 2 route is simply the external cost, regardless of the interior (i.e., within OSPF) cost to reach that route. A type 1 cost is the sum of both the external cost and the internal cost used to reach that route. The default is type 2. The metric parameter sets the external cost to be used. The value can be a number between 1 and 32,767. The default is 10.

Note: For a type 1 route, the internal costs along the routing path will be added to this cost to get the total cost of the route.

OSPFToRIP = String

The OSPFToRIP keyword sets whether the router will redistribute OSPF routes into the RIP routing domain. The string has the following syntax:

True | False [ <metric> ]

True | False

This parameter sets whether the router will redistribute OSPF routes into RIP. If True is specified, RIP will simply pick up the OSPF routes along with any other routes it is going to advertise.

<metric>

This optional parameter allows the metric, or cost, on routes to be incremented or decremented. The value can be a number between 1 and 32,767. The default is 1.

BGPToOSPF = String

The BGPToOSPF keyword sets whether the router will redistribute BGP routes into the OSPF routing domain. The string has the following syntax:

True | False [ <metric> ]

True | False

This parameter sets whether the router will redistribute BGP routes into OSPF.


Note: The full Internet BGP routing table of some 50,000+ routes cannot be redistributed into OSPF. Only up to 1000 BGP routes will be accepted.

<metric>

This optional parameter allows the metric, or cost, on routes to be incremented or decremented. The value can be a number between 1 and 32,767. The default is 1.

BGPToRIP = String

The BGPToRIP keyword sets whether the router will redistribute BGP routes into the RIP routing domain. The string has the following syntax:

True | False [ <metric> ]

True | False

This parameter sets whether the router will redistribute BGP routes into RIP. If True is specified, RIP will simply pick up the BGP routes along with any other routes it is going to advertise.

Note: The full Internet BGP routing table of some 50,000+ routes cannot be redistributed into RIP. Only up to 1000 BGP routes will be accepted.

<metric>

This optional parameter allows the metric, or cost, on routes to be incremented or decremented. The value can be a number between 1 and 32,767. The default is 1.

RIPToBGP = [ On | Off ]

The RIPToBGP keyword sets whether the router will redistribute RIP routes into the BGP routing domain. BGP will provide its own hop count in its route advertisements.

OSPFToBGP = [ On | Off ]

The OSPFToBGP keyword sets whether the router will redistribute OSPF routes into the BGP routing domain. BGP will provide its own hop count in its route advertisements.

Examples

RouteAggregation = Off
RIPToOSPF = True 2 10
DefaultIntoOSPF = True 2 10
OSPFtoRIP = True 1

See Also

[ IP <Section ID> ], [ OSPF Area <Name> ], [ OSPF Virtual Link <Name> ], [ IP Protocol Precedence ], [ IP Static ], [ BGP General ], [ BGP Networks ], [ IP Route Filter <Name> ], [ BGP Route Map <Name> ], ospf(show)

[ IP <Section ID> ]

This section sets parameters that control how IP packets are handled on each interface of the device. Compatible Systems devices support IP Version 4 routing. All references to IP on this manual page refer to this set of protocols. The keywords of the IP section are described below.

Mode = [ Routed | Bridged | Brouted | Off ]

The Mode keyword describes the method the device is to use to handle IP packets when received by the device.

Routed enables the port of the device. It specifies that the device is attached to a routed network and the device will forward packets to its other ports if it is a router or to the virtual private networks if it is a VPN access server.

Bridged enables the port of a router and specifies that it is attached to a bridged network and will forward packets based on the physical address using the router’s bridge cache, which is maintained through the IEEE Spanning Tree Protocol or through active listening. If Bridged is specified, bridging must be enabled globally in the router in the [ Bridging Global ] section and on the interface in the [ Bridging <Section ID> ] section. It is possible to assign an IP address to the router using the [ IP Bridge ] section if it is to be managed by either CompatiView, telnet or SNMP using the IP protocol while bridging.

Brouted is only available on WAN interfaces and allows the device to accept both bridged and routed IP packets over the interface. This is particularly useful for Frame Relay networks with multiple PVCs attached to the same physical WAN interface. The Brouted mode allows the device to demultiplex the packet stream for processing by the bridge or router modules as appropriate.

Off disables the port of the device. If Off is specified, then IP packets received on the interface will be silently discarded.

IPAddress = IP Address

The IPAddress keyword specifies the IP address for this interface. Every network interface on an IP internetwork must have a unique IP address that identifies that interface to other devices on the internetwork. Part of this address identifies the network segment the interface is connected to, and the remainder uniquely identifies the interface itself. Most IP networks use subnetting in order to subdivide a large network into smaller logical subnetworks. The subnet mask address is used to tell the device what part of the IP address identifies the network segment (the "network" portion), and what part identifies individual interfaces (the "host" portion). Additionally, an IP subinterface may be assigned to a port. IP subinterfaces allow the device to service more than one IP address range on a single physical network segment. A subinterface may be specified by adding a decimal point to the primary interface (e.g., WAN 1.1, Ethernet 2.1, etc.) A port’s primary interface is always assumed to be .0, although it will not appear as such in the configuration editor (i.e., it will appear as WAN 1 or Ethernet 2, etc.). Because a routed IP packet does not contain any information regarding which networks it has passed across, the router must associate all IP packets received from a physical segment with the primary interface connected to the segment. As a result of this, the only IP parameters which may be set for subinterfaces greater than .0 are IPAddress, SubnetMask, and IPBroadcast.

Note: Subinterfaces are only allowed on WAN ports configured for Frame Relay operation. They are not allowed on WAN ports configured for PPP. Frame Relay DLCIs (Data Link Connection Identifiers) must be statically mapped when subinterfaces are in use because IARP (Inverse ARP) can only resolve a physical port, not a logical subinterface on that port. See the [ Frame Relay <Section ID> ] section for more information.

SubnetMask = IP Address
The SubnetMask keyword specifies the IP subnet mask for this interface. There are three "classes" of subnetted IP networks: A, B and C. Each class uses a different amount of the 32-bit IP address for the network and host portions. These classes may also be further divided (subnetted) by increasing the number of bits used for the network portion and reducing the number of bits used for the host portion. Class A addresses use 8 bits for the network portion and 24 for the host portion, Class B addresses use 16 bits for the network portion and 16 for the host portion, and Class C addresses use 24 bits for the network portion and 8 bits for the host portion.

Example: Assuming that you want a single network for all of the available host addresses, the corresponding subnet masks would be as follows: 255.0.0.0 for Class A, 255.255.0.0 for Class B, and 255.255.255.0 for Class C.

IPBroadcast = IP Address
The IPBroadcast keyword specifies the IP broadcast address of this interface. The IPBroadcast keyword is used to tell the device what address to use to send any IP broadcast messages. The standard broadcast address has all 1 bits set in the host portion of the address. A few networks use all zeroes for the broadcast address. If you are unsure which type your network uses, check with your network administrator. If you do not set a broadcast address, the device will derive one from the IP address you entered and the subnet mask.

RIPVersion = [ V1 | V2 | None ]
The RIPVersion keyword specifies which version of the Routing Information Protocol (RIP) is used by the router. RIP is used by routers to exchange information between themselves about the most effective path for forwarding packets between various end points. RIP is the most widely used routing protocol on IP networks. All gateways and routers that support RIP periodically broadcast routing information packets. These RIP packets contain information concerning the networks that the routers and gateways can reach, as well as the number of routers/gateways that a packet must travel through to reach the destination address.

RIP version 1 (V1) will send and accept RIP packets and will then periodically update its routing table with the information provided from these packets. On a large network, an up-to-date routing table will enhance network performance, since the router will always be aware of the optimal path to use when sending packets.

RIP version 2 (V2) is an enhancement of RIP version 1 which allows IP subnet information to be shared among routers, and provides for authentication of routing updates. When RIP V2 is chosen, the router will use the multicast address 224.0.0.9 to send and/or receive RIP V2 packets for this network interface. As with RIP V1, the routing table will be periodically updated with information provided in these packets. It is recommended that on any segment where all routers can use the same IP routing protocol, RIP V2 be used. If one or more routers on a segment must use RIP V1, then all other routers on that segment should also be set to use RIP V1.

If None is specified for this keyword, the router will not update its routing table and should always direct traffic to addresses for which it does not have a route (addresses not on one of the networks connected to its interfaces) to the "gateway/port" defined in the [ IP Static ] section. It will then be the responsibility of that router to direct the packets to the correct address.

Note: Some routers, in particular those designed to create very large corporate backbones, may use other routing protocols such as OSPF (Open Shortest Path First). These routers can simultaneously use RIP to communicate with smaller routers, or each of the smaller routers can be set to use one of these backbone routers as their default gateway/port.

NatMap = [ On | Off ]
The NatMap keyword, when set to On, enables this interface to perform Network Address Translation. NAT should only be enabled for this interface if it is to serve as the external NAT port.

RIPOut = [ On | Off ]
The RIPOut keyword, when set to On, allows the interface to send RIP.

RIPIn = [ On | Off ]
The RIPIn keyword, when set to On, allows the interface to receive RIP.

SplitHorizon = [ SplitHorizon | PoisonReverse | None ]
The SplitHorizon keyword specifies the technique used by RIP to avoid routing loops and allow smaller update packets. SplitHorizon specifies that when sending a RIP update out a particular network interface, it never includes routing information acquired from that interface. PoisonReverse is a variation of the Split Horizon technique that specifies that all routes should be included in an update out a particular interface. It also sets the metric to infinity for those routes acquired over that interface. One drawback is that routing update packet sizes will be increased when using Poison Reverse. If None is selected, all routes are included in an output packet regardless of where they originated and will use a normal metric value.

ProxyARP = [ On | Off ]
The ProxyARP keyword is used to allow the network portion of a group of IP addresses to be shared between several physical network segments. An example would be sharing one Class C address range between two physical Ethernets. The ARP protocol itself provides a way for devices on an IP network to create a mapping between physical (i.e., Ethernet) addresses and logical IP addresses. Proxy ARP makes use of this mapping feature by instructing a device to answer ARP requests as a "proxy" for the IP addresses behind one of its interfaces. The device which sent the ARP request will then correctly assume that it can reach the requested IP address by sending packets to the physical address that was returned to it. This technique effectively hides the fact that a network has been (further) subnetted.

If ProxyARP is On, then when an ARP request is received on this interface, the address is looked up in the IP routing table (applying the normal rules of IP routing). If the forwarding interface for the route isn't the one the ARP request was received on and doesn't resolve to the IP default route, the device will answer (i.e., become a proxy for) the ARP request. If ProxyARP is Off, then the device will only respond to ARP requests received for its own IP interface address.

Note: Using Proxy ARP requires an in-depth understanding of the workings of the IP protocol, along with careful manipulation of the IP subnet masks for the interfaces on a router. A more straightforward method of achieving similar results is to use bridging when using a multiprotocol router.

Relay = String
The Relay keyword is used to add a relay agent for User Datagram Protocol (UDP) broadcast packets. Normally, the router will not forward UDP broadcast packets. However, many network applications use UDP broadcasts to configure addresses, hostnames, and other information. If hosts using these protocols are not on the same network segment as the servers providing the information, the hosts will not receive a response without enabling a relay agent on the interface. By enabling an IP relay on an interface, the router is instructed to forward UDP broadcast packets to the relay server specified by an IP address in the string. It is common for BOOTP and DHCP clients to broadcast on their local segments looking for a server to assign them an IP address. This feature of the router allows the BOOTP and DHCP server to reside on segments which are non-local to the client.

The syntax of the string is as follows:

<relay-address> [ <ports/protocols> ]

relay-address
A relay-address is the IP address of the server that will receive the relayed packet. The address is entered in the standard dotted decimal notation for IP addresses. However, values can be entered in hexadecimal as well. Hexadecimal numbers should be preceded by a "0x".

ports/protocols
The ports/protocols parameter specifies the service which will be relayed. Multiple services may be entered. Services may be entered as a number from 1 to 65535 to specify the UDP port being relayed. They may also be entered as one of the following keywords: DHCP, TFTP, DNS, NTP (Network Time Protocol, port 123), NB_NS (NetBIOS Name Server, port 137), NB_DG (NetBIOS Datagram, port 138), and BOOTP. Multiple port names and numbers must be separated by white space.

By default, if no ports/protocols are specified then the following protocols are forwarded:

• Domain Name Service (UNIX named), UDP port 53.
• BOOTP Server, UDP port 67.
• Dynamic Host Configuration (DHCP), UDP port 67.
• Trivial File Transfer (TFTP), UDP port 69.

Up to four IP relays may be installed per interface using separate keywords. Distinct ports/protocols may be specified for each relay-address. The UDP broadcast packet will be forwarded to each relay-address which exists for the service specified in the packet. To see a sample IP relay, see the Examples at the end of this section.
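The Relay string syntax above, worked through in code. This is an added example and not code from the manual or the device firmware; how the "0x" hexadecimal form is read (a whole 32-bit value or per-octet values) is an assumption, since the manual does not spell out which it means.

```python
"""Parse the Relay keyword of an [ IP <Section ID> ] section.

Added example (not the manual's or the device's code).  It parses
    <relay-address> [ <ports/protocols> ]
applies the documented defaults when no ports are given, enforces the
four-relays-per-interface limit, and answers which relay servers receive
a UDP broadcast for a given port.
"""
import re
from typing import Dict, List

# Service keywords accepted in the ports/protocols field and the UDP port each names.
SERVICE_PORTS: Dict[str, int] = {
    "DNS": 53, "BOOTP": 67, "DHCP": 67, "TFTP": 69,
    "NTP": 123, "NB_NS": 137, "NB_DG": 138,
}
DEFAULT_PORTS = (53, 67, 69)        # forwarded when no ports/protocols are listed
MAX_RELAYS_PER_INTERFACE = 4


def parse_relay_address(token: str) -> str:
    """Return the relay-address in dotted-decimal form.

    Assumption: a "0x" value is either one 32-bit number (0xC00F0302) or a
    per-octet form (0xC0.0xF.0x3.0x2); plain dotted decimal is the usual form.
    """
    if re.fullmatch(r"0[xX][0-9a-fA-F]{1,8}", token):
        value = int(token, 16)
        return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    parts = token.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad relay-address: {token!r}")
    octets = []
    for part in parts:
        octet = int(part, 16) if part.lower().startswith("0x") else int(part, 10)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {token!r}")
        octets.append(octet)
    return ".".join(str(o) for o in octets)


def parse_relay(value: str) -> Dict[str, object]:
    """Parse one Relay value into {'address': str, 'ports': [int, ...]}."""
    tokens = value.split()            # fields are separated by white space
    if not tokens:
        raise ValueError("Relay string is empty")
    address = parse_relay_address(tokens[0])
    ports: List[int] = []
    for tok in tokens[1:]:
        if tok.upper() in SERVICE_PORTS:
            ports.append(SERVICE_PORTS[tok.upper()])
        elif tok.isdigit() and 1 <= int(tok) <= 65535:
            ports.append(int(tok))
        else:
            raise ValueError(f"unknown service or port: {tok!r}")
    if not ports:
        ports = list(DEFAULT_PORTS)
    # BOOTP and DHCP both name port 67; keep first-seen order without duplicates.
    return {"address": address, "ports": list(dict.fromkeys(ports))}


def relay_table(relay_values: List[str]) -> List[Dict[str, object]]:
    """Parse every Relay keyword of one interface, enforcing the four-relay limit."""
    if len(relay_values) > MAX_RELAYS_PER_INTERFACE:
        raise ValueError("at most four IP relays may be installed per interface")
    return [parse_relay(v) for v in relay_values]


def relay_targets(table: List[Dict[str, object]], udp_port: int) -> List[str]:
    """Relay addresses a UDP broadcast to udp_port is forwarded to (may be empty)."""
    return [str(r["address"]) for r in table if udp_port in r["ports"]]


if __name__ == "__main__":
    # Constructed sample: the manual's own Relay example plus a hex-form NTP relay.
    table = relay_table([
        "192.15.2.1 DNS BOOTP DHCP TFTP",
        "0xC00F0302 NTP 1812",
    ])
    for port in (67, 123, 1812, 161):
        print(port, "->", relay_targets(table, port) or "not relayed")
```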

OutFilters = String
The OutFilters keyword allows a named set of IP packet filtering rules to be associated with the output side of the interface. OutFilters allows the device to accomplish packet filtering on packets that will be forwarded out this interface. Any packet not explicitly allowed by the rule set is dropped silently. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then no filtering takes place. This feature can be used to turn off a filter set (or sets) without deleting the keyword.

See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

InFilters = String
The InFilters keyword allows a named set of IP packet filtering rules to be associated with the input side of the interface. InFilters allows the device to accomplish packet filtering on packets that are received on this interface. Any packet not explicitly allowed by the rule set is dropped silently. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then no filtering takes place. This feature can be used to turn off a filter set (or sets) without deleting the keyword.

See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

Numbered = [ On | Off ]
The Numbered keyword specifies whether the wide area network connected to this interface will have an IP address associated with it. On indicates that the WAN interface will have a numbered interface. Off indicates that the WAN interface will be unnumbered.

Many wide area network connections are simple point-to-point (PPP) links. These links do not generally require numbered WAN interfaces because there are only two devices on the link. All traffic sent from one end is, by definition, destined for the other end. In contrast, Frame Relay networks may have a number of participating devices connected through a single physical interface. Because of this, a WAN interface set for Frame Relay must be set up in one of two ways. It can be set as a numbered interface, which requires that an IP address, subnet mask, and IP broadcast address also be set; or, it can be set as an unnumbered interface, which requires that you set the PointToPointFrame keyword to On and set the local DLCI (Data Link Connection Identifier) using the InterfaceDLCI keyword.

Note: If you are connecting the device to an Internet Service Provider using PPP, you may be required to use a numbered interface for compatibility reasons. Check with their technical support staff.

PointToPointFrame = [ On | Off ]
The PointToPointFrame keyword specifies whether a WAN interface is part of a point-to-point Frame Relay link. If setting up an unnumbered Frame Relay connection, this must be set to On. This is in contrast with numbered Frame Relay links, which may have a number of participating devices connected through a single physical interface.

When set to On, the device will recognize that the link is not multipoint and that a static Frame Relay DLCI will be specified for the PVC. The device will not perform any dynamic Inverse ARP for the PVC (Permanent Virtual Circuit), as it would for a numbered Frame Relay link. A static DLCI must also be set for the interface using the InterfaceDLCI keyword.

InterfaceDLCI = number
The InterfaceDLCI keyword specifies the DLCI that is the local endpoint for an unnumbered Frame Relay link. This provides a mapping between the protocol address and the physical (hardware) address on the link. This keyword must be set when a Frame Relay link is being set as an unnumbered interface. The number can be between 16 and 991, and will be provided to you by your Frame Relay carrier.

Updates = [ Periodic | Triggered ]
The Updates keyword specifies the way in which the device sends RIP information over its link. When updates are designated as Periodic, the device will use the standard RIP protocol, which sends RIP packets over the link every 30 seconds. If periodic update packets are sent across a dial-on-demand link, this will cause a WAN interface to stay up indefinitely. When updates are designated as Triggered, the device will modify the standard RIP behavior for this interface to send RIP packets only when there has been an update to its routing table information, or when it has detected a change in the accessibility of the next hop router.

VJHeaderComp = [ On | Off ]
The VJHeaderComp keyword specifies whether to use Van Jacobson Header Compression (VJHC) on the WAN link. VJHC is a standard method of reducing the amount of redundant IP header information which is transferred over a wide area connection. VJHC reduces the size of the IP header to as few as three bytes. There is a trade-off between the amount of time it takes to compress the header information, and the amount of time it would take to simply send it in native form across the WAN link.

Note: A general rule of thumb for Compatible Systems devices would be to use VJHC on uncompressed links at up to 56K rates, but to turn it off at higher speeds or if other means of compression (such as the V.42 compression built into modems) are in use. A few simple FTP transfer tests over your particular WAN setup will yield a more exact answer.

IPCPAddr = [ On | Off ]
The IPCPAddr keyword specifies whether the device's configured IP address is to be sent to the remote PPP client on initial IPCP (IP Control Protocol)/PPP negotiations. On causes the device to send its address to the remote PPP client. Some vendors (e.g., Xyplex) require this in order to establish proper IP routing across the PPP link. If the WAN interface is configured as numbered, the WAN IP address is sent. If the interface is configured as unnumbered, Ethernet 0's IP address is sent.

RemoteAddress = IP Address
The RemoteAddress keyword specifies the IP address that will be served to a client PPP machine when dialing into the device. Besides defining a method for router-to-router communication, PPP defines a method for individual client machines to dial in to an interface. Once a client machine has connected to an interface in this fashion, the device provides proxy services which allow the client machine to participate as a node on one of the device's local networks. If remote node operation is desired, the WAN interface would usually be set up as an Unnumbered interface, and the RemoteAddress would then be set to an unused IP address from the device's Ethernet network(s). Alternatively, if the interface is set to Numbered, an unused address from the interface's host range may be used.

GatewayAddress = IP Address
The GatewayAddress keyword specifies the IP address that will be used as the default router for IP traffic leaving the device. The gateway address will be used to route packets when the destination network is not known by the device. This keyword may only be used for the single Ethernet interface on the IntraPort VPN Access Server, and is required for proper operation. There is no default value.

DirectedBroadcast = [ On | Off ]
The DirectedBroadcast keyword sets whether the interface will forward network-prefix-directed broadcasts. This is a security feature which can help prevent your network from being used as an intermediary in certain kinds of attacks which use ICMP echo traffic (pings) or UDP echo packets with fake (i.e., "spoofed") source addresses to inundate a victim with erroneous traffic. The default is Off.
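An added example, not code from the manual or the device, covering two keywords described above: how IPBroadcast can be derived from IPAddress and SubnetMask when it is not set, and the decision DirectedBroadcast controls (whether a packet addressed to another connected subnet's broadcast address is forwarded or dropped). The interface names and addresses are constructed sample data taken from the example configurations later in this section.

```python
"""Broadcast address derivation and directed-broadcast classification.

Added example for the IPBroadcast and DirectedBroadcast keywords; it is not
the manual's or the device's code.  Interface data below is constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


def derive_broadcast(ip: str, mask: str, all_zeros: bool = False) -> IPv4Address:
    """Broadcast address derived from IPAddress and SubnetMask.

    The standard form sets every host bit to 1; all_zeros=True gives the
    older all-zeros form that a few networks use instead.
    """
    net = IPv4Network(f"{ip}/{mask}", strict=False)
    return net.network_address if all_zeros else net.broadcast_address


@dataclass
class IPInterface:
    name: str                         # section id, e.g. "Ethernet 0"
    ip: str                           # IPAddress keyword
    mask: str                         # SubnetMask keyword
    broadcast: Optional[str] = None   # IPBroadcast keyword; None = not set
    directed_broadcast: bool = False  # DirectedBroadcast keyword, default Off

    def effective_broadcast(self) -> IPv4Address:
        """IPBroadcast if configured, otherwise derived as the device would."""
        if self.broadcast:
            return IPv4Address(self.broadcast)
        return derive_broadcast(self.ip, self.mask)

    def broadcast_is_consistent(self) -> bool:
        """True if a configured IPBroadcast matches either derived form."""
        if not self.broadcast:
            return True
        return IPv4Address(self.broadcast) in (
            derive_broadcast(self.ip, self.mask),
            derive_broadcast(self.ip, self.mask, all_zeros=True),
        )


def classify_destination(dst: str, ingress: str, interfaces: List[IPInterface]) -> str:
    """How a device with these interfaces treats a packet to dst received on ingress.

    'local-broadcast'    : broadcast of the subnet the packet arrived on
    'directed-broadcast' : broadcast of another connected subnet, forwarded
                           because that interface has DirectedBroadcast On
    'dropped-directed'   : the same, but DirectedBroadcast is Off (the default)
    'unicast'            : anything else, handled by ordinary routing
    """
    target = IPv4Address(dst)
    by_name = {iface.name: iface for iface in interfaces}
    if target in (by_name[ingress].effective_broadcast(), IPv4Address("255.255.255.255")):
        return "local-broadcast"
    for iface in interfaces:
        if iface.name == ingress:
            continue
        if target == iface.effective_broadcast():
            return "directed-broadcast" if iface.directed_broadcast else "dropped-directed"
    return "unicast"


def sample_interfaces(eth0_directed: bool = False) -> List[IPInterface]:
    """Constructed sample using the addresses from this section's examples."""
    return [
        IPInterface("Ethernet 0", "192.168.9.1", "255.255.255.224",
                    broadcast="192.168.9.31", directed_broadcast=eth0_directed),
        IPInterface("Ethernet 3", "192.15.1.1", "255.255.255.0"),  # IPBroadcast not set
    ]


if __name__ == "__main__":
    for iface in sample_interfaces():
        print(iface.name, "broadcast", iface.effective_broadcast(),
              "consistent" if iface.broadcast_is_consistent() else "MISMATCH")
    for dst in ("192.15.1.255", "192.168.9.31", "192.168.9.5"):
        print(dst, "from Ethernet 3 ->",
              classify_destination(dst, "Ethernet 3", sample_interfaces()))
```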

OSPFenabled = [ On | Passive | Off ]
The OSPFenabled keyword sets how the interface will function on a network utilizing OSPF (Open Shortest Path First). OSPF uses a link-state algorithm in order to build and calculate the shortest path to all known destinations. Each router in an OSPF area contains an identical link-state database, which is a list of each router's usable interfaces and reachable neighbors.

Unlike RIP updates, OSPF link-state database updates are only sent when routing changes occur, instead of periodically, and the link-state database is updated instantly rather than gradually as stale information is timed out. Also, routing decisions are based on "cost" which is an indication of the overhead required to send packets across a certain interface. The cost of an interface is calculated based on link bandwidth rather than the number of hops to the destination. The cost can also be configured to specify preferred paths.

If On is specified, the interface will serve as an active interface on an OSPF network. This router will establish adjacencies with other routers. Adjacent routers exchange database information with the Designated Router, which then floods the information to all other routers in their area.

If Passive is specified, the interface will not send out Hello packets and thus will not establish any adjacencies with other routers on that network, even if they are running OSPF. A Passive interface will, however, have its network advertised to other OSPF networks. This can be used to have a non-OSPF interface's network advertised into OSPF. A Passive interface must also be associated with an OSPF Area.

If Off is specified, the interface's network is not advertised to the router's other interfaces.

OSPFareaID = [ <Number> | <IP address> ]
The OSPFareaID keyword sets the area to which this interface belongs. An area is a generalization of an IP subnetted network. It can be specified as a number between 0 and 0xFFFFFFFF or as an IP address in dotted-decimal notation. Area 0 is the backbone area and is the default setting. All routers within an area have the same link-state database. An interface can only belong to one area, although different interfaces on a router can belong to different areas, making the router an Area Border Router. Area Border Routers disseminate routing information or routing changes between areas. The other routers which are connected to this router on this interface must also be configured with the same OSPFareaID in order for the routers to communicate.

OSPFcost = Number
The OSPFcost keyword specifies the priority of one particular path over another path. An OSPF router will choose the gateway with the lowest cost to enter into its routing table. To give preference to a path, set a lower cost on that interface. The value can be a number between 1 and 65,535. The default is 10.

OSPFRtrPri = Number
The OSPFRtrPri keyword sets the router priority and is only used on multi-access networks such as LANs. This establishes whether the router is eligible to become the Designated Router for the LAN. The Designated Router is the single router within an area which broadcasts the Link State Advertisement for the area. A priority of 0 means that the router is not eligible. The router with the highest priority becomes the Designated Router; however, if a router with a lower priority is already the Designated Router and a new router with a higher priority comes on-line, the Designated Router will not change. The value can be a number between 0 and 255. The default priority is 1; if all routers have the same priority, they will negotiate with each other for the Designated Router election. At least one router on a LAN must have a priority greater than 0 in order for OSPF to work, since there must be a Designated Router.

AuthKey = String
The AuthKey keyword sets the OSPF packet authentication key. In order to use authentication, the OSPFAuthType for this interface's area should be set to Simple in the [ OSPF Area <Name> ] section. The authentication key must match for each router connected to the interface and belonging to the area. The string may be between 1 and 8 alphanumeric characters. If the string contains spaces or other special characters, it must be enclosed in quotes.

HelloInterval = Number
The HelloInterval keyword sets the interval, in seconds, at which the router sends out OSPF keepalive packets which let other routers know the router is up. The value must be greater than one. The default settings of 10 seconds for a LAN and 30 seconds for a point-to-point connection are recommended for most applications.

RtrDeadInterval = Number
The RtrDeadInterval keyword sets the length of time, in seconds, that OSPF neighbors will wait without receiving an OSPF keepalive packet from a neighbor before assuming the router is down. The value must be at least twice the HelloInterval. The default is 40 seconds on a LAN and 120 seconds for a point-to-point connection.

Note: The HelloInterval and RtrDeadInterval for each connected router must match or the routers will not be able to communicate. If you change the defaults on one router, you must change them on all attached routers within an area.

Transdelay = Number
The Transdelay keyword sets the amount of time added to the age of OSPF Link State Update packets before transmission. It is the estimated number of seconds to transmit a packet over the interface. The value can be between 1 and 65,535 seconds. The default is 1.

RetransInterval = Number
The RetransInterval keyword sets the interval, in seconds, between retransmission of Link State Update packets. The value can be between 2 and 65,535 seconds. The default is 5.

Examples
This example shows an IP configuration for Ethernet interface 0 on a 4000S.

[ IP Ethernet 0 ]
Mode = Routed
IPAddress = 192.168.9.1
SubnetMask = 255.255.255.224
IPBroadcast = 192.168.9.31
RIPVersion = V1

This example shows an IP configuration for Ethernet interface 3 on a 4000S. The configuration specifies an input filter set, RIP to output only, and an IP relay to 192.15.2.1 for DNS, BOOTP, DHCP and TFTP requests.

[ IP Ethernet 3 ]
Mode = Routed
IPAddress = 192.15.1.1
SubnetMask = 255.255.255.0
RIPVersion = V1
RIPOut = ON
RIPIn = OFF
InFilters = "no-ftp" "permit-all"
Relay = 192.15.2.1 DNS BOOTP DHCP TFTP

This example shows an IP configuration for an Ethernet interface running OSPF.

[ IP Ethernet 0 ]
Mode = Routed
IPAddress = 198.41.9.1
SubnetMask = 255.255.255.224
IPBroadcast = 198.41.9.31
OSPFenabled = On
OSPFAreaID = 0
OSPFcost = 10
OSPFRtrPri = 1
AuthKey = "Franny"
HelloInterval = 10
RtrDeadInterval = 40

This example shows a WAN interface set as an unnumbered Frame Relay interface. The link configuration is included.

[ IP Wan 0 ]
Mode = Routed
Numbered = Off
PointToPointFrame = On
InterfaceDLCI = 500

[ Link Config Wan 0 ]
ConnectMode = Dedicated
Mode = FrameRelay
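A checker for the range and dependency rules stated for the keywords in this section, run against the example configurations above. It is an added example, not part of the manual or the device software; the reading of the text form (one keyword per line, keywords and On/Off values case-insensitive, as the examples themselves mix OSPFareaID/OSPFAreaID and On/ON) and the detection of WAN interfaces from a section ID beginning with "Wan" are assumptions.

```python
"""Parse and sanity-check one [ IP <Section ID> ] section (added example)."""
import re
from typing import Dict, List, Tuple

SectionDict = Dict[str, str]
_HEADER = re.compile(r"^\[\s*IP\s+(?P<id>.+?)\s*\]$")


def parse_ip_section(text: str) -> Tuple[str, SectionDict]:
    """Return (section id, {lowercased keyword: value}); values kept verbatim."""
    section_id = None
    values: SectionDict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            section_id = m.group("id")
            continue
        if "=" not in line:
            raise ValueError(f"not a keyword line: {line!r}")
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    if section_id is None:
        raise ValueError("missing [ IP <Section ID> ] header")
    return section_id, values


def _on(values: SectionDict, key: str, default: str) -> bool:
    return values.get(key, default).lower() == "on"


def _num(values: SectionDict, key: str, default: int) -> int:
    return int(values.get(key, str(default)), 0)   # base 0 also accepts 0x... values


def validate_ip_section(section_id: str, v: SectionDict) -> List[str]:
    """Return the rules this section breaks; an empty list means it passes."""
    problems: List[str] = []
    is_wan = section_id.lower().startswith("wan")    # assumption: WAN ids start with "Wan"
    numbered = _on(v, "numbered", "on")

    # A numbered interface needs an address and mask; an unnumbered Frame Relay
    # WAN interface instead needs PointToPointFrame = On and a static DLCI.
    if is_wan and not numbered:
        if not _on(v, "pointtopointframe", "off"):
            problems.append("unnumbered WAN needs PointToPointFrame = On")
        if "interfacedlci" not in v:
            problems.append("unnumbered WAN needs InterfaceDLCI")
    else:
        for key in ("ipaddress", "subnetmask"):
            if key not in v:
                problems.append(f"{key} is required on a numbered interface")
    if "interfacedlci" in v and not 16 <= _num(v, "interfacedlci", 0) <= 991:
        problems.append("InterfaceDLCI must be between 16 and 991")

    # OSPF rules apply only when the interface is On or Passive for OSPF.
    if v.get("ospfenabled", "off").lower() in ("on", "passive"):
        hello = _num(v, "hellointerval", 30 if is_wan else 10)
        dead = _num(v, "rtrdeadinterval", 120 if is_wan else 40)
        if hello <= 1:
            problems.append("HelloInterval must be greater than one")
        if dead < 2 * hello:
            problems.append("RtrDeadInterval must be at least twice HelloInterval")
        if not 1 <= _num(v, "ospfcost", 10) <= 65535:
            problems.append("OSPFcost must be between 1 and 65535")
        if not 0 <= _num(v, "ospfrtrpri", 1) <= 255:
            problems.append("OSPFRtrPri must be between 0 and 255")
        area = v.get("ospfareaid", "0")
        if "." not in area and not 0 <= int(area, 0) <= 0xFFFFFFFF:
            problems.append("OSPFareaID must be 0..0xFFFFFFFF or a dotted address")
        if "authkey" in v and not 1 <= len(v["authkey"].strip('"')) <= 8:
            problems.append("AuthKey must be 1 to 8 characters")
    return problems


def check(text: str) -> List[str]:
    return validate_ip_section(*parse_ip_section(text))


# The OSPF and unnumbered Frame Relay examples from this section, as text.
OSPF_EXAMPLE = """\
[ IP Ethernet 0 ]
Mode = Routed
IPAddress = 198.41.9.1
SubnetMask = 255.255.255.224
IPBroadcast = 198.41.9.31
OSPFenabled = On
OSPFAreaID = 0
OSPFcost = 10
OSPFRtrPri = 1
AuthKey = "Franny"
HelloInterval = 10
RtrDeadInterval = 40
"""
UNNUMBERED_WAN_EXAMPLE = """\
[ IP Wan 0 ]
Mode = Routed
Numbered = Off
PointToPointFrame = On
InterfaceDLCI = 500
"""

if __name__ == "__main__":
    for sample in (OSPF_EXAMPLE, UNNUMBERED_WAN_EXAMPLE):
        print(parse_ip_section(sample)[0], "->", check(sample) or "ok")
```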

See Also
[ IP Static ], [ IP Filter <Name> ], [ IP Route Filter <Name> ], [ General ], [ Frame Relay <Section ID> ], ip(show), [ Bridging Global ], [ Bridging <Section ID> ], [ NAT Mapping ], [ NAT Global ], [ OSPF Area <Name> ]

[ IPX <Section ID> ]
This section sets parameters that control how IPX packets are handled on each interface of the device. The keywords in this section are described below.

Mode = [ Routed | Bridged | Off ]
The Mode keyword describes the method the interface is to use to forward IPX packets through the device.

Routed enables the port of the device. It specifies that the device is attached to a routed network and the device will forward packets to its other ports if it is a router, or to the virtual private networks if it is a VPN access server. If the device is a router, packets are forwarded by looking up the network address in the device's routing table maintained by IPX RIP (Routing Information Protocol). If the device is a VPN access server (IntraPort class), packets are forwarded to the virtual private network depending on the users that are attached to the server. It will use the routing table maintained by RIP to forward packets from the virtual private network to the local area network.

Bridged enables the port of a router to be attached to a bridged network and forward packets based on the physical address using the router's bridge cache maintained through the IEEE Spanning Tree Protocol or through active listening. The VPN access servers do not support this mode. If Bridged is specified, bridging must be enabled globally in the router in the [ Bridging Global ] section and on the interface in the [ Bridging <Section ID> ] section. It is possible to assign an IPX address to the router using the [IPX Bridge] section if it is to be managed by CompatiView using the IPX protocol while bridging.

Off disables the port of the device. If Off is specified, then IPX packets received on the interface will be silently discarded.

RipTimer = Number
The RipTimer keyword allows the IPX RIP (Routing Information Protocol) timer to be set on the interface. This value specifies the interval, in seconds, at which the device sends out IPX RIP packets on the network segment attached to this interface. The RIP packets sent out on this interface contain routing information about networks for which this interface is responsible. The number can be between 1 and 180 seconds. The default is 60.

SapTimer = Number
The SapTimer keyword allows the IPX SAP (Service Advertising Protocol) timer to be set on the interface. This value specifies the interval, in seconds, at which the device sends out IPX SAP packets on the network segment attached to this interface. The SAP packets sent out on this interface contain information about services (such as servers, printers, etc.) for which this interface is responsible. The number can be between 1 and 180 seconds. The default is 60.


BlockType20 = [ On | Off ]
The BlockType20 keyword specifies how IPX Packet Type 20 is handled on the interface. In order for certain protocol implementations, like NetBIOS, to function in the NetWare environment, routers must allow a broadcast packet to be propagated throughout an internet. The IPX Packet Type 20 is designated to perform broadcast propagation for these protocols.

When a device receives this packet, it rebroadcasts it across all interfaces, except the one it received it on, and includes the network number of that interface in the data portion of the packet. The IPX Router Specification from Novell notes that Type 20 packets should not be propagated across slower links (like X.25 and asynchronous links) with bandwidths of less than 1 Mbps.

On prevents these packets from being rebroadcast out an interface. This is useful for on-demand WAN links where the link may be brought up as a result of this packet. Off allows these propagated packets to be rebroadcast out the interface.

OutFilters = String
The OutFilters keyword allows a named set of IPX packet filtering rules to be associated with the output side of the interface. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword.

Packets being transmitted on the interface will be compared against the filter list(s) specified. Any packet not explicitly allowed by the rule set is dropped silently. When more than one set is defined, the filter interpreter will process the sets in the order specified.

See the [ IPX Filter <Name> ] section for a definition of the rules that may be included in an IPX packet filter.

InFilters = String
The InFilters keyword allows a named set of IPX packet filtering rules to be associated with the input side of the interface. Up to four filter sets may be specified, each enclosed in double quotes and separated by white space. If no string is specified, then the keyword is ignored by the parser. This feature can be used to turn off a filter set (or sets) without deleting the keyword.

Packets being received on the interface will be compared against the filter list(s) specified. Any packet not explicitly allowed by the rule set is dropped silently. When more than one set is defined, the filter interpreter will process the sets in the order specified.

See the [ IPX Filter <Name> ] section for a definition of the rules that may be included in an IPX packet filter.


FrameTypeII = [ Seed | Auto | NoSeed | Off ]FrameRaw = [ Seed | Auto | NoSeed | Off ]Frame8022 = [ Seed | Auto | NoSeed | Off ]FrameSNAP = [ Seed | Auto | NoSeed | Off ]

Compatible Systems routers support four IPX frame types, and will perform routing between frame types. The four frame types supported are Frame Type II, Frame Raw, Frame 8022, and Frame SNAP. Each Ethernet interface may be configured to simultaneously handle any or all of the frame types. The seed parameter defines what the device is to do with the network information (with respect to the frame type) when starting up.Seed tells the device to listen for an IPX network number being set by another router (including Novell software routers residing on servers) on the segment connected to this interface and use this number if it exists. If it does not discover a number in use, the device will use the configured IPX network number to set the network number for the segment.Auto tells the device to listen for an IPX network number being set by another router (including Novell software routers residing on servers) on the segment connected to this interface and use this number if it exists. If it doesn't discover a number in use, the device will automati-cally generate a valid number using its routing tables. NoSeed tells the device to listen for an IPX network number being set by another router (including Novell software routers residing on servers) on the segment connected to this interface and use this number if it exists. If it doesn't discover a number in use, the device will wait indefinitely until a number is set by another router on the segment.Off means that the device will neither listen for, nor send, packets with the specified frame type on this interface.

Numbered = [ On | Off ]

The Numbered keyword specifies whether the wide area network connected to this interface will have an IPX network number associated with it. If Numbered is On then you must set an IPX network number for this WAN interface. On WAN interfaces it is only necessary to specify the network number and not the frame and seed parameters as you do with Ethernet interfaces.

Many wide area network connections are simple point-to-point links. These links do not generally require a network number because there are only two devices on the link. All traffic sent from one end is, by definition, destined for the other end. You generally do not need a numbered WAN interface if you are using the PPP transport protocol.

In contrast, Frame Relay networks may have a number of participating routers connected through a single physical interface. Because of this, use of the Frame Relay transport protocol requires a numbered WAN interface.

Updates = [ Periodic | Triggered ]

The Updates keyword specifies the way in which the device sends RIP information over the link. When updates are designated as Periodic, the device will send RIP packets over the link at the time interval defined by the RIPTimer keyword. These periodic update packets will cause a WAN interface set for dial-on-demand operation to either stay up indefinitely or to continuously dial, connect, and then drop the connection. When updates are designated as Triggered, the device will send RIP packets only when there has been an update to its routing table information, or when it has detected a change in the accessibility of the next hop router.

NodeProxy = [ On | Off ]

Besides defining a method for router-to-router communication, PPP defines a method for individual client machines to dial in to an interface. Once a client machine has connected to an interface in this fashion, the device provides proxy services which allow the client machine to participate as a node on one of the device's local networks. The NodeProxy keyword allows the device to dynamically reserve an IPX address on the Ethernet for the WAN interface. This proxy address will be used if the remote PPP IPX implementation requires address negotiation (which is typical of end nodes).

RemoteNet = Hex number

The RemoteNet keyword specifies an IPX address that is set aside for remote nodes (such as dial-in users accessing the LAN remotely). This net number is set to an IPX network number from the device's Ethernet interface(s). Values for this number may range from 1 to FFFFFFFE.

Net = Hex number

The Net keyword is a number that must be assigned if the interface is being configured for Frame Relay. This number is assigned to the device's WAN interface, and must be an unused IPX network number. Values for this number may range from 1 to FFFFFFFE.

FrameTypeIINet = Hex number
FrameRawNet = Hex number
Frame8022Net = Hex number
FrameSNAPNet = Hex number

Ethernet interfaces that have frame types set to Seed must be assigned a net number. These numbers are eight-digit hexadecimal numbers that uniquely identify the network segment connected to this interface. Values range from 1 to FFFFFFFE.

Accidental selection of an IPX network number which is already in use on another network segment may cause hard-to-diagnose problems. You should carefully track which IPX network numbers are in use, and where they are located in your configuration.

Examples

The following shows an Ethernet interface with the 802.2 frame type set for seed.

[ IPX Ethernet 1 ]
Mode = Routed
FrameTypeIINet = 0
FrameRawNet = 0
Frame8022Net = CAFEF00D
FrameSNAPNet = 0
FrameTypeII = Off
FrameRaw = Off
Frame8022 = Seed
FrameSNAP = Off
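The rules stated above for this section (net numbers are hex values in 1 to FFFFFFFE, a frame type set to Seed needs a net number, and a number must not be reused on another segment) can be checked mechanically before a configuration is loaded. The script below is an added example, not code from the guide or from Compatible Systems; it parses the "[ Section ]" / "Key = Value" layout, treats "##" as a comment marker (an assumption taken from the guide's own examples), and lints a constructed sample in which one interface seeds without a number and a WAN link reuses the Ethernet 1 number.

```python
from collections import defaultdict

FRAME_TYPES = ("FrameTypeII", "FrameRaw", "Frame8022", "FrameSNAP")
MAX_NET = 0xFFFFFFFE          # valid IPX network numbers are 1..FFFFFFFE


def parse_config(text):
    """Return [(section_name, [(key, value), ...]), ...] in file order.

    Assumed here (as in the guide's examples): "[ Name ]" opens a section,
    "Key = Value" sets a keyword, and "##" starts a comment.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip(), [])
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[1].append((key, value))
    return sections


def parse_net(value):
    """Hex IPX network number as an int, or None if the text is not hex."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def lint_ipx(text):
    """Return a list of problems found in the [ IPX ... ] sections; [] is clean."""
    problems = []
    owners = defaultdict(list)           # net number -> "section/frame" claiming it
    for name, keywords in parse_config(text):
        if not name.startswith("IPX ") or name == "IPX Tunnels":
            continue
        kv = dict(keywords)
        for frame in FRAME_TYPES:        # Ethernet-style frame type / net number pairs
            mode = kv.get(frame, "Off")
            net = parse_net(kv.get(frame + "Net", "0"))
            if net is None or not 0 <= net <= MAX_NET:
                problems.append(f"[ {name} ] {frame}Net is not a hex number in 1..FFFFFFFE")
                continue
            if mode == "Seed" and net == 0:
                problems.append(f"[ {name} ] {frame} is Seed but {frame}Net is 0")
            if net:
                owners[net].append(f"{name}/{frame}")
        if "Net" in kv:                  # numbered WAN interface (Frame Relay)
            net = parse_net(kv["Net"])
            if net is None or not 1 <= net <= MAX_NET:
                problems.append(f"[ {name} ] Net is not a hex number in 1..FFFFFFFE")
            else:
                owners[net].append(f"{name}/Net")
    for net, where in sorted(owners.items()):
        if len(where) > 1:
            problems.append(f"IPX network {net:X} is used on more than one segment: "
                            + ", ".join(where))
    return problems


# Constructed sample: Ethernet 1 matches the guide's example; the other two are wrong on purpose
SAMPLE = """\
[ IPX Ethernet 1 ]
Mode = Routed
FrameTypeIINet = 0
FrameRawNet = 0
Frame8022Net = CAFEF00D
FrameSNAPNet = 0
FrameTypeII = Off
FrameRaw = Off
Frame8022 = Seed
FrameSNAP = Off

[ IPX Ethernet 0 ]
FrameTypeII = Seed      ## seeds without a net number: flagged
FrameTypeIINet = 0

[ IPX WAN 0 ]
Numbered = On
Net = CAFEF00D          ## same number as Ethernet 1: flagged
"""

if __name__ == "__main__":
    for problem in lint_ipx(SAMPLE):
        print(problem)
```

Running the script prints one line for the Ethernet 0 seed problem and one for the duplicated CAFEF00D number; a clean configuration prints nothing.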

See Also

[ IPX Filter <Name> ], [ IPX Route Filter <Name> ], [ IPX SAP Filter <Name> ], [ IPX Tunnels ], ipx(show), [ Bridging <Section ID> ], [ Bridging Global ]

[ IPX Tunnels ]

This section is used to modify IPX tunneling parameters. An IPX tunnel is a "virtual" IPX network running between tunnel peers. Tunnel peers are defined by their IP addresses. IPX over IP/UDP tunneling is defined and specified by RFC 1234 "Tunneling IPX traffic through IP networks."

Note: Newer VPN tunneling is available for IPX-in-IP tunneling. This includes authentication and encryption features not available in regular IPX tunnels. See the [ Tunnel Partner <Section ID> ] section for more information.

IPX over IP tunneling is sometimes needed when a network is limited to IP traffic only, either because there are routers elsewhere on the network which do not route IPX protocols, or for administrative reasons. IPX-in-IP tunneling provides a solution for this problem by sending IPX information across an IP Internet by encapsulating IPX information in IP packets. IPX networks that are connected via a tunnel will communicate as if they are on the same network even though they are separated by an IP-only Ethernet backbone or internet.

Note: You must set up both ends of every tunnel. Therefore, you must repeat this setup with the other router(s) you want as participants in the tunnel.

Keywords recognized in this section are described below.

Tunnel = IP Address

The Tunnel keyword specifies the IP addresses of the tunnel peers with which this router will communicate using IPX-in-IP tunneling. There must be one entry for each tunnel peer and you may enter up to 32 different tunnel peers.

TunnelNet = Number

The TunnelNet keyword is used to specify the unique IPX network number for the virtual IPX network created by the tunnels. Each member of the tunnel peer group to which this router belongs must use the same IPX network number. The number must be specified as a hex value in the range of 1 to FFFFFFFE.

BindTo = Port identifier string

The BindTo keyword is used to specify which Ethernet or bridge interface is attached to the local side of the tunnel. Use the associated IP address of this interface when configuring a remote device participating in an IPX-in-IP tunnel with this router.

Filter = Number

For administrative reasons, there may be a need to limit the IPX networks that will pass through the tunnel. Compatible Systems routers (except 1000Rs) support applying filters to the tunnels you have defined. These filters control which IPX networks are accessible through the tunnel.

The filter list specified by the Filter keyword is applied to the IPX RIP packets which are received through the tunnel from other tunnel peers. Without any tunnel filters, all of the IPX networks will be advertised. There must be one entry for each IPX network filter and you can enter up to 96 different filters. Numbers must be specified as a hex value in the range of 1 to FFFFFFFE.

FilterType = [ Recognize | Ignore ]

The FilterType keyword specifies how the router should treat the list of IPX network numbers you have configured with the Filter keyword. If the type specified is Recognize, only the configured IPX network numbers will be allowed through the tunnel and installed in this router's routing table. If it is Ignore, all IPX network numbers except the configured values will be allowed through the tunnel and installed in this router's routing table.

Examples

The example below shows the configuration of both ends of an IPX tunnel. This first example is the local configuration. It restricts the tunneled IPX traffic to the 747 and 777 IPX networks.

## Local Router IPX Tunnel Configuration
[ IPX Tunnels ]
FilterType = Recognize
TunnelNet = 707
BindTo = Ethernet 0
Tunnel = 10.0.0.1
Filter = 777
Filter = 747

## IP Ethernet 0 Configuration
[ IP Ethernet 0 ]
Mode = Routed
IPAddress = 10.0.1.1
SubnetMask = 255.255.255.0

The remote configuration is included for comparison.

## Remote Router IPX Tunnel Configuration
[ IPX Tunnels ]
TunnelNet = 707
BindTo = Bridge
Tunnel = 10.0.1.1

## IP Bridge Configuration
[ IP Bridge ]
Mode = Routed
IPAddress = 10.0.0.1
SubnetMask = 255.255.255.0
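Two things in this section are easy to get wrong and easy to check: the Recognize/Ignore semantics of FilterType, and the requirement that every tunnel is configured on both ends with the same TunnelNet and with each side's Tunnel entry pointing at the address of the other side's BindTo interface. The Python below is an added example, not the guide's or the router's code. The router descriptions are constructed from the local/remote example above; the dict layout ("tunnels" holding the [ IPX Tunnels ] keywords, "ip" mapping interface names to addresses) is this example's own convention.

```python
MAX_NET = 0xFFFFFFFE


def accept_network(net_hex, filters, filter_type="Recognize"):
    """Is an IPX network advertised through the tunnel installed in the routing table?

    filters: the Filter entries (hex strings); filter_type: Recognize or Ignore.
    """
    net = int(net_hex, 16)
    if not 1 <= net <= MAX_NET:
        raise ValueError(f"IPX network {net_hex} is outside 1..FFFFFFFE")
    listed = {int(f, 16) for f in filters}
    if not listed:                         # no tunnel filters: everything is advertised
        return True
    if filter_type == "Recognize":         # only the listed networks pass
        return net in listed
    if filter_type == "Ignore":            # everything except the listed networks passes
        return net not in listed
    raise ValueError(f"unknown FilterType {filter_type!r}")


def check_peers(routers):
    """Cross-check the [ IPX Tunnels ] sections of a group of routers.

    routers: {name: {"tunnels": {keyword: value or [values]}, "ip": {interface: address}}}
    Returns a list of mismatches; [] means every tunnel is set up on both ends.
    """
    local_ip = {}                          # router -> address of its BindTo interface
    for name, router in routers.items():
        local_ip[name] = router["ip"].get(router["tunnels"]["BindTo"])
    by_ip = {ip: name for name, ip in local_ip.items() if ip}
    problems = []
    for name, router in routers.items():
        tunnels = router["tunnels"]
        if local_ip[name] is None:
            problems.append(f"{name}: BindTo interface {tunnels['BindTo']} has no IP address")
            continue
        peers = tunnels.get("Tunnel", [])
        if len(peers) > 32:                # the guide allows at most 32 tunnel peers
            problems.append(f"{name}: more than 32 Tunnel entries")
        for peer_ip in peers:
            peer = by_ip.get(peer_ip)
            if peer is None:
                problems.append(f"{name}: Tunnel peer {peer_ip} is not any router's BindTo address")
                continue
            if local_ip[name] not in routers[peer]["tunnels"].get("Tunnel", []):
                problems.append(f"{name} -> {peer}: {peer} has no Tunnel entry for {local_ip[name]}")
            if routers[peer]["tunnels"]["TunnelNet"] != tunnels["TunnelNet"]:
                problems.append(f"{name} -> {peer}: TunnelNet differs")
    return problems


# Constructed from the guide's local/remote example above
ROUTERS = {
    "local": {
        "tunnels": {"TunnelNet": "707", "BindTo": "Ethernet 0",
                    "Tunnel": ["10.0.0.1"], "Filter": ["777", "747"],
                    "FilterType": "Recognize"},
        "ip": {"Ethernet 0": "10.0.1.1"},
    },
    "remote": {
        "tunnels": {"TunnelNet": "707", "BindTo": "Bridge",
                    "Tunnel": ["10.0.1.1"]},
        "ip": {"Bridge": "10.0.0.1"},
    },
}

if __name__ == "__main__":
    print(check_peers(ROUTERS))                                   # []
    local = ROUTERS["local"]["tunnels"]
    print(accept_network("747", local["Filter"], local["FilterType"]))   # True
    print(accept_network("ABC", local["Filter"], local["FilterType"]))   # False
```

Note that the remote router in the guide's example has no Filter entries, so with the filters as written every network the local side advertises is accepted there, while the local side only installs 747 and 777.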

See Also

[ IPX <Section ID> ], [ IPX Filter <Name> ], [ IPX Route Filter <Name> ], [ IPX SAP Filter <Name> ], [ Tunnel Partner <Section ID> ], ipx(show)

[ L2TP General ]

This section is used to set how L2TP will operate. L2TP is a VPN protocol which creates "virtual" PPP sessions between remote Windows computers and a corporate network. L2TP is only available in the IntraPort 2/2+, IntraPort Enterprise and IntraPort Carrier VPN Access Servers.

In general, a remote user connects to an ISP which acts as an LAC (L2TP Access Concentrator) and encapsulates the packets in IP before sending them over the Internet to the IntraPort. The IntraPort acts as an LNS (L2TP Network Server) and strips off the encapsulation before sending the packets on to the network. Certain software packages can also be used to allow a remote user’s PC to act as its own LAC, opening an individual tunnel between the PC itself and the LNS. An example of this is the RouterWare VPN Client.

In order for a remote user to connect to an IntraPort using L2TP, the user’s VPN Group Configuration must have the AllowL2TP keyword set to On (see the [ VPN Group <Name> ] section). There also must be an entry for that user in the [ VPN Users ] section, unless a RADIUS server is being used for authentication. If a RADIUS server is being used, then the user must be entered in the RADIUS server’s user database.

These parameters are global to the device and are not associated with a particular interface. Keywords recognized in this section are described below.

ReceiveWindowSize = Number

The ReceiveWindowSize keyword sets the number of control messages the peer can send before waiting for an acknowledgment. This number will only be sent to the remote peer (i.e., the LAC) if this number has been set to something other than the default of 0. Otherwise, the remote peer will assume a window size of 4 messages.

TunnelAuth = [ On | Off ]

The TunnelAuth keyword sets whether the IntraPort server will accept L2TP connection requests from anonymous peers. If this is set to Off, then no authentication of remote peers will be done. This is an insecure option since the device will accept any connection request. If this is set to On, then the L2TP negotiation between the LAC and the IntraPort will use a CHAP-like tunnel authentication mechanism, so there must be an LACPeer keyword configured for any remote peer who is to have access using L2TP. The default is On.

HiddenAVPs = [ On | Off ]

The HiddenAVPs keyword sets whether certain types of L2TP control message data, known as AVPs, will be hidden, via encryption, during tunnel setup. This includes passwords and user IDs. This can only be set to On when the TunnelAuth keyword is set to On because the LACPeer secret is used to encrypt the data.

LACPeer = String

The LACPeer keyword sets the name and secret for an LAC peer. If the TunnelAuth keyword has been set to On, then there must be an entry for an LACPeer in order for a remote peer (and, secondarily, an L2TP user) to connect to the IntraPort. The string has the following syntax:

<Peer Name> <Secret>

Peer Name

This parameter specifies the remote LAC peer’s name which will be used to authenticate the peer to the IntraPort.

Secret

This specifies the secret which will be used to authenticate the peer and the IntraPort to each other. This secret must also be configured in the remote peer in order for the authentication to work.

Examples

[ L2TP General ]
ReceiveWindowSize = 0
TunnelAuth = On
HiddenAVPs = Off
LACPeer = bungie jump
LACPeer = l2tpmax letmein
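The dependencies this section states between its keywords (TunnelAuth = Off accepts any peer, HiddenAVPs needs TunnelAuth, TunnelAuth = On needs at least one well-formed LACPeer, and a ReceiveWindowSize of 0 means the LAC falls back to 4) are the kind of thing worth checking in a review of a saved configuration. The Python below is an added example, not code from the guide or the IntraPort; it takes the section's keyword/value pairs as a list of tuples, constructed here from the example above, and the "bungie jump" / "l2tpmax letmein" values are the guide's sample strings, not credentials to reuse.

```python
def parse_lac_peer(value):
    """Split an LACPeer string "<Peer Name> <Secret>" into (name, secret)."""
    parts = value.split(None, 1)
    if len(parts) != 2 or not parts[1].strip():
        raise ValueError(f"LACPeer needs '<Peer Name> <Secret>', got {value!r}")
    return parts[0], parts[1].strip()


def effective_window(value):
    """Window the LAC will use: 0 is never sent, so the LAC assumes 4 messages."""
    size = int(value)
    if size < 0:
        raise ValueError("ReceiveWindowSize cannot be negative")
    return 4 if size == 0 else size


def lint_l2tp(pairs):
    """pairs: [(keyword, value), ...] from one [ L2TP General ] section.

    Returns a list of findings; [] means the section is consistent.
    """
    settings = {k: v for k, v in pairs if k != "LACPeer"}
    peers = [v for k, v in pairs if k == "LACPeer"]      # LACPeer may repeat
    findings = []
    tunnel_auth = settings.get("TunnelAuth", "On")        # default is On
    if tunnel_auth == "Off":
        findings.append("TunnelAuth = Off: the device accepts any anonymous peer's connection request")
    if settings.get("HiddenAVPs", "Off") == "On" and tunnel_auth != "On":
        findings.append("HiddenAVPs = On requires TunnelAuth = On (the LACPeer secret encrypts the AVPs)")
    if tunnel_auth == "On" and not peers:
        findings.append("TunnelAuth = On but no LACPeer is configured, so no LAC can connect")
    seen = set()
    for value in peers:
        try:
            name, _secret = parse_lac_peer(value)
        except ValueError as err:
            findings.append(str(err))
            continue
        if name in seen:
            findings.append(f"LACPeer {name} is defined more than once")
        seen.add(name)
    return findings


# Constructed from the guide's example; "jump" and "letmein" are its sample secrets
SAMPLE = [
    ("ReceiveWindowSize", "0"),
    ("TunnelAuth", "On"),
    ("HiddenAVPs", "Off"),
    ("LACPeer", "bungie jump"),
    ("LACPeer", "l2tpmax letmein"),
]

if __name__ == "__main__":
    print(lint_l2tp(SAMPLE))                                    # []
    print(effective_window(dict(SAMPLE)["ReceiveWindowSize"]))  # 4
```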

See Also

[ VPN Group <Name> ], [ VPN Users ], l2tp(show)

[ LDAP Auth Server ]

This section configures LDAP (Lightweight Directory Access Protocol) parameters into a device. LDAP can be used for VPN user authentication. It can also be used to serve configurations to a Compatible Systems device using the [ LDAP Config <Name> ] section.

LDAP authentication is done only if the user cannot be found in the authentication database first (see the [ VPN Users ] section) or in a RADIUS server if one has been configured (see the [ Radius ] section). The device acts as a client and exchanges packets with an LDAP server. Each section specifies an LDAP server and some information about the VPN attributes to be served. The Name portion of the section name uniquely identifies this section. Keywords recognized in this section are described below.

LDAPAuthEnabled = [ On | Off ]

The LDAPAuthEnabled keyword enables or disables this section. If this is set to On, then the settings from this section will be used to get VPN user authentication information from an LDAP server. If this is set to Off, then no settings from this section will be used. The default is Off.

PrimaryServer = String

The PrimaryServer keyword sets the IP address (e.g., 192.168.9.99), or fully qualified domain name (e.g., monkey.wrench.com) of the primary LDAP server which contains the authentication information.

PrimaryPasswd = String

The PrimaryPassword keyword is used to authenticate the device to the primary LDAP server. If this is not set, then the device will attempt an anonymous bind to the server. The value may be up to 32 characters long.

base = String

The base keyword specifies the portion of the LDAP tree where the authentication information is located. The value may be up to 32 characters long.

VPNGroupAttr = String

The VPNGroupAttr keyword specifies the attribute name given to the VPN group attribute which has been defined in the LDAP server. There are no standard attributes defined by LDAP for this attribute, so you must specify one. If no value is given for the VPNGroupAttr the device will assume the attribute name is "vpngroupattr". The value may be up to 32 characters long.

VPNSecretAttr = String

The VPNSecretAttr keyword specifies the attribute name given to the VPN shared secret attribute which has been defined in the LDAP server. There are no standard attributes defined by LDAP for this attribute, so you must specify one. If no value is given for the VPNSecretAttr the device will assume the attribute name is "shared-secret". The value may be up to 32 characters long.

timeout = Number

The timeout keyword is the number of seconds the device will wait for a response from the LDAP server. The value must be between 0 and 255 seconds. A value of 0 will disable the timeout. The default is 10.

Examples

[ LDAP Auth Server ]
LDAPauthenabled = On
PrimaryServer = compatisecure.compatible.com
PrimaryPasswd = letmein
base = "ou=people, o=compatible.com"
VPNgroupattr = vpngroup
VPNsecretattr = sharedsecret
timeout = 10
Priority = 3

See Also

[ LDAP Config <Name> ], [ VPN Users ], [ Radius ]

[ LDAP Config <Name> ]

This section configures LDAP (Lightweight Directory Access Protocol) parameters into a device. LDAP can be used to serve configurations to a Compatible Systems device. It can also be used for VPN user authentication using the [ LDAP Auth Server ] section.

Each [ LDAP Config <Name> ] section specifies an LDAP server and some information about the configuration to be served. The configuration can be a full IntraPort configuration, or just a portion of one. When new configurations are added to the Intraport, the device’s configuration is rebuilt to include the one that was just added. The Name portion of the section name uniquely identifies this section. Keywords recognized in this section are described below.

LDAPEnabled = [ On | Off ]

The LDAPEnabled keyword enables or disables this section. If this is set to On, then the settings from this section will be used to get a configuration from an LDAP server. If this is set to Off, then no settings from this section will be used. The default is Off.

PrimaryServer = String

The PrimaryServer keyword sets the IP address (e.g., 192.168.9.99), or fully qualified domain name (e.g., monkey.wrench.com) of the primary LDAP server which contains the configuration.

PrimaryPassword = String

The PrimaryPassword keyword is used to authenticate the device to the primary LDAP server. If this is not set, then the device will attempt an anonymous bind to the server. The value may be up to 32 characters long.

SecondaryServer = String

The SecondaryServer keyword sets the IP address (e.g., 192.168.9.99), or fully qualified domain name (e.g., monkey.wrench.com) of the secondary LDAP server. If no response is received from the primary LDAP server, then this secondary server is used.

SecondaryPassword = String

The SecondaryPassword keyword is used to authenticate the device to the secondary LDAP server. If this is not set, then the device will attempt an anonymous bind to the server. The value may be up to 32 characters long.

base = String

The base keyword specifies the portion of the LDAP tree where the configuration is located. The value may be up to 32 characters long.

rdn = String

The rdn keyword specifies the relative distinguished name used in the LDAP server to identify the entry which contains the configuration. The value may be up to 32 characters long.

timeout = Number

The timeout keyword is the number of seconds the device will wait for a response from the LDAP server. The value must be between 0 and 255 seconds. A value of 0 will disable the timeout. The default is 10.

Priority = Number

The Priority keyword specifies which configurations take precedence. When new configurations are added to the Intraport, the device’s configuration is rebuilt to include the one that was just added. If a new configuration contains a section which has a higher priority than one already in place, the new keywords are added above the keywords already there. That way, higher priority sections will take precedence. The config stored in flash has the lowest possible priority (65536). The value may range from 0 to 65536. The highest priority is 0. The default is 10.

Examples

[LDAP Config IP WAN ]
LDAPEnabled = TRUE
PrimaryServer = compatisecure.compatible.com
PrimaryPasswd = letmein
SecondaryServer = 198.41.11.139
SecondaryPasswd = ldapisfun
base = "o=compatible.com"
rdn = "cn=netlist config"
timeout = 10
Priority = 3
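The Priority rule above (sections from a higher-priority source are placed above those already in place, with flash fixed at 65536) decides which value a device ends up running when several LDAP-served pieces touch the same section. The Python below is an added example that models that rebuild; it is not the IntraPort's own code. It assumes, as the guide's wording implies, that for a single-valued keyword the topmost occurrence is the one that takes effect. The three configuration pieces and their values are constructed for this example.

```python
FLASH_PRIORITY = 65536       # the flash configuration always has the lowest priority


def rebuild(sources):
    """Merge [(priority, {section: [(key, value), ...]}), ...] into one config.

    Sources are applied from priority 0 (highest) to 65536 (lowest), so each
    section ends up with its higher-priority keywords above the lower ones.
    """
    merged = {}
    for priority, sections in sorted(sources, key=lambda src: src[0]):
        if not 0 <= priority <= FLASH_PRIORITY:
            raise ValueError(f"Priority {priority} is outside 0..{FLASH_PRIORITY}")
        for name, pairs in sections.items():
            merged.setdefault(name, []).extend(pairs)
    return merged


def effective(merged, section, key):
    """Value of a single-valued keyword; assumed: the topmost occurrence wins."""
    for k, v in merged.get(section, []):
        if k == key:
            return v
    return None


def render(merged):
    """Text form in the guide's "[ Section ]" / "Key = Value" layout."""
    lines = []
    for name, pairs in merged.items():
        lines.append(f"[ {name} ]")
        lines.extend(f"{k} = {v}" for k, v in pairs)
        lines.append("")
    return "\n".join(lines)


# Constructed inputs: what flash holds, plus two LDAP-served pieces
FLASH = (FLASH_PRIORITY, {
    "IP WAN 0": [("Mode", "Routed"), ("IPAddress", "10.0.0.2"), ("SubnetMask", "255.255.255.0")],
    "Logging": [("Level", "Debug"), ("LogToAuxPort", "On")],
})
SITE_PIECE = (10, {"Logging": [("Level", "Notice")]})       # Priority = 10 (the default)
ORG_PIECE = (3, {"IP WAN 0": [("IPAddress", "10.0.0.9")]})  # Priority = 3, above both

if __name__ == "__main__":
    config = rebuild([FLASH, SITE_PIECE, ORG_PIECE])
    print(render(config))
    print(effective(config, "IP WAN 0", "IPAddress"))   # 10.0.0.9
    print(effective(config, "Logging", "Level"))        # Notice
```

Keywords the served pieces do not mention (SubnetMask and LogToAuxPort here) keep their flash values, which is why a reviewer should read a served piece together with what flash already holds rather than on its own.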

See Also

[ LDAP Auth Server ]

[ Link Config <Section ID> ]

This section is used to configure the WAN protocol and connection parameters for a given interface. The keywords for this section are described below.

Note: If multiple WAN interfaces are being configured for a multilink, each interface to be included in the bundle must have the same connection parameters. (See the [ Multilink PPP <Name> ] section for more information on multilinks.)

Mode = [ FrameRelay | PPP | SMDS | Off ]

The Mode keyword enables this interface for either FrameRelay, PPP or SMDS as a low-level communications protocol. To disable all activity on this interface, set to Off.

ConnectMode = [ Dedicated | DialUp ]

The ConnectMode keyword determines how the router will maintain the WAN link. Dedicated is used for links that are available regardless of traffic activity. DialUp is used for links that are brought up and down based upon the activity on the link. Since DialUp links require dialing commands to be issued, your communications device (modem, CSU/DSU, TA, etc.) must be set to raise the DCD (Data Carrier Detect) and/or DSR (Data Set Ready) lines when a connection is established, and drop it when the connection is terminated. Whether a connection can be initiated by this router, another router (or remote node client), or both, is set using the DialIn and DialOut keywords.

For interfaces set to DialUp, there are certain maintenance packets for each protocol (IP, IPX, etc.) which will not cause an inactive connection to be dialed. This is a security measure that keeps intruders out and allows on-demand links to be useful.

DialIn = [ On | Off ]

The DialIn keyword allows the router to accept incoming on-demand PPP connections from other routers or end node clients. If DialIn is set to On, then the ConnectMode must be set to DialUp.

DialOut = [ On | Off ]

The DialOut keyword tells the router whether traffic forwarded from other interfaces on the router will cause an on-demand connection to be established on this interface. If DialOut is On, incoming packets from another interface on this router will initiate a dialing sequence if the link is not already connected. If the link is already connected, then the packets will simply be forwarded. If DialOut is Off, then incoming packets from another interface on this router will be dropped if the link is not already connected. If DialOut is set to On, then the ConnectMode must be set to DialUp.


AlwaysUp = [ On | Off ]

The AlwaysUp keyword should be used for links which require dialing commands to be issued. When AlwaysUp is On, the link will stay up regardless of the activity on the link. If the link drops for any reason, it will be brought back up immediately. DialOut must also be enabled for AlwaysUp links.

AlwaysUp requires that your communications device (modem, CSU/DSU, TA, etc.) be set to raise the DCD (data carrier detect) line when a connection is established, and drop it when the connection is terminated.

DropInact = Number

The DropInact keyword sets the amount of time, in minutes, that an idle DialUp connection will stay up. Only outgoing WAN traffic resets the inactivity timer. PPP control packets and network "keepalive" packets do not reset the inactivity timer. If DropInact is set to 0, the link will not be brought down due to inactivity. This is useful for the incoming side of an AlwaysUp link.

Dialing = [ AT | V.25bis ]

The Dialing keyword sets the dialing method which will be used for a DialUp connection on this interface. The type of communications equipment determines the dialing method. In general, asynchronous modems use AT dialing, while dialed synchronous CSU/DSU's and ISDN TA's generally use V.25bis dialing. The commands used in your chat scripts should match the dialing method selected.

DialOutScript = Chat script name

The DialOutScript keyword specifies the name of the chat script used for outgoing connections. If ConnectMode is DialUp, then a chat script must be selected. DialOutScript will be executed whenever dialing is initiated. If ConnectMode is Dedicated, then a chat script may be selected for WAN devices which require one. This script will be run when the router starts up and again whenever communications are lost for some reason. The script can also be used to provide a set of required connect responses to a device (such as a terminal server) at the other end of the dedicated line. The name may be enclosed in double quotes ("") in order to preserve spaces or embedded line breaks. See [ Chat <Name> ] for more information about chat scripts.

DialBackScript = Chat script name

The DialBackScript keyword is the name of the chat script used if dial-back security is required. If DialBackScript is enabled, any incoming calls to this interface will be dropped and the DialBackScript will be used to initiate an outgoing connection. DialOut does not need to be on to use DialBackScript. The name may be enclosed in double quotes ("") in order to preserve spaces or embedded line breaks. See [ Chat <Name> ] for more information about chat scripts.

You may also enforce dial-back security on selected connections by using the PPP authentication dial-back mechanism. See the [ Auth ] section for more information.

DialTries = Number

The DialTries keyword determines the number of connection attempts the router will make after an unsuccessful connection effort. If DialTries attempts fail, DialUp links will stop trying to connect until new network activity is routed to the WAN interface. AlwaysUp and Dedicated connections will immediately start a new connection cycle if DialTries attempts fail. Values range from 1 to 255.

RetryDelay = Number

The RetryDelay keyword sets the time to wait between dialing attempts. Values range from 1 to 255 seconds.

ScriptTimeout = Number

The ScriptTimeout keyword sets the length of time, in seconds, that the chat script will wait for an expected string.

DCDCheck = [ On | Off ]

The DCDCheck keyword is used to disable/enable the DCD (Data Carrier Detect) signal check. AT dialing uses the "at&c" Hayes command to verify that the WAN serial cable shipped with the router is being used. If your modem doesn't support the "at&c" command, set DCDCheck to Off.

BackupInterface = [ <WAN port> | None ]

The BackupInterface keyword is the name of the WAN port to use as the backup interface for failover. This allows the router to divert traffic to a secondary interface (known as failing over) if a line problem is detected. The designated interface must be a PPP connection and can be specified as the backup for only one interface. The backup interface may be a DialUp or Dedicated connection. When the router has determined that the primary link is down, it will redirect the primary interface's traffic to the backup link.

For PPP connections, the link is determined to be down when the echo protocol has failed. This means that echo protocol must be enabled on the PPP link(s). PPP failure determination can be controlled by the EchoDrop and EchoThreshold keywords. See the [ PPP <Section ID> ] section for more information about the keywords. For Frame Relay connections, the link is considered down when the maintenance DLCI is not functioning, when all user DLCI’s become inactive, or when no user DLCI’s appear.

The backup interface must be configured to support whichever protocols the user wants to be redirected while in failover mode. In addition, the backup interface must be set as an unnumbered interface for each of the selected protocols. The router will only send and receive redirected routing packets over this interface; all others will be suppressed.


BackupInitDelay = Number

The BackupInitDelay keyword is the time, in seconds, to wait before checking the link state of the primary interface after the router has been powered on. This will prevent the router from triggering failover mode while the primary interface is attempting to establish an initial link.

BackupEnableDelay = Number

The BackupEnableDelay keyword is the time, in seconds, to wait before attempting to bring up the backup interface once the router has determined that the primary link is down. This is used to keep the router from bringing up the backup link too soon if the primary link has an intermittent connection.

BackupDisableDelay = Number

The BackupDisableDelay keyword is the time, in seconds, to wait before attempting to switch packets back to the primary link and bring down the backup link once the router has determined that the primary link is operational. This is used to keep the router from switching out of failover mode too soon if the primary link has an intermittent connection.

Examples

This router's ports 0, 1, and 2 have been set up for three different configurations.

WAN 0 is set to PPP Dedicated.

[ Link Config WAN 0 ]
ConnectMode = Dedicated
Mode = PPP

WAN 1 is set to Frame Relay Dedicated.

[ Link Config WAN 1 ]
ConnectMode = Dedicated
Mode = FrameRelay

WAN 2 is set to DialOut. The chat script is included.

[ Link Config WAN 2 ]
DropInact = 10
DialOutScript = OutChat
DialIn = OFF
DialOut = ON

[ Chat "OutChat" ]
send atdt 9,555-1212
expect CONNECT
expect login:
send MyLogin
expect sword:
send MyPassword
expect beginning

To designate WAN 2 as the backup interface when WAN 0 fails, wait 2 minutes after power up before checking for link failure, and wait 10 seconds after link failure before redirecting traffic to WAN 2:

[ Link Config WAN 0 ]
BackupInterface = WAN 2
BackupInitDelay = 120
BackupEnableDelay = 10
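The Link Config keywords carry several cross-keyword rules that the device documents but a text editor will not enforce: DialIn or DialOut = On needs ConnectMode = DialUp, AlwaysUp needs DialOut, a DialUp link needs a DialOutScript, DialTries and RetryDelay are 1 to 255, and a BackupInterface must be a PPP port that backs up no more than one interface. The Python below is an added example of such a check, not code from the guide or the router. Its input is a dict of WAN ports to keywords, constructed from the three examples above; the Mode and ConnectMode values for WAN 2 are filled in here so the sample is complete, since the guide's WAN 2 example omits them.

```python
def _flag(kv, key):
    """True when a [ On | Off ] keyword is On (the guide's examples also use ON/OFF)."""
    return kv.get(key, "Off").upper() == "ON"


def _in_range(value, lo=1, hi=255):
    try:
        return lo <= int(value) <= hi
    except ValueError:
        return False


def lint_link_config(ports):
    """ports: {"WAN 0": {keyword: value, ...}, ...}. Returns a list of findings."""
    findings = []
    backup_users = {}                      # backup port -> interfaces that rely on it
    for port, kv in ports.items():
        mode = kv.get("ConnectMode", "Dedicated")
        dial_in, dial_out, always_up = (_flag(kv, k) for k in ("DialIn", "DialOut", "AlwaysUp"))
        if (dial_in or dial_out) and mode != "DialUp":
            findings.append(f"{port}: DialIn/DialOut = On needs ConnectMode = DialUp")
        if always_up and not dial_out:
            findings.append(f"{port}: AlwaysUp = On needs DialOut = On")
        if mode == "DialUp" and not kv.get("DialOutScript"):
            findings.append(f"{port}: ConnectMode = DialUp needs a DialOutScript")
        for key in ("DialTries", "RetryDelay"):
            if key in kv and not _in_range(kv[key]):
                findings.append(f"{port}: {key} must be 1..255")
        backup = kv.get("BackupInterface", "None")
        if backup != "None":
            if backup == port:
                findings.append(f"{port}: cannot be its own BackupInterface")
            elif ports.get(backup, {}).get("Mode") != "PPP":
                findings.append(f"{port}: BackupInterface {backup} is not a PPP link")
            backup_users.setdefault(backup, []).append(port)
    for backup, users in backup_users.items():
        if len(users) > 1:
            findings.append(f"{backup} is the backup for more than one interface: " + ", ".join(users))
    return findings


# Constructed from the guide's WAN 0 / WAN 1 / WAN 2 examples
PORTS = {
    "WAN 0": {"ConnectMode": "Dedicated", "Mode": "PPP",
              "BackupInterface": "WAN 2", "BackupInitDelay": "120",
              "BackupEnableDelay": "10"},
    "WAN 1": {"ConnectMode": "Dedicated", "Mode": "FrameRelay"},
    "WAN 2": {"ConnectMode": "DialUp", "Mode": "PPP",      # added so the sample is complete
              "DropInact": "10", "DialOutScript": "OutChat",
              "DialIn": "OFF", "DialOut": "ON"},
}

if __name__ == "__main__":
    for finding in lint_link_config(PORTS) or ["no findings"]:
        print(finding)
```

The check stops at what this section states; whether the PPP echo protocol is enabled on the primary link, which failover also depends on, lives in the [ PPP <Section ID> ] section and is not inspected here.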

See Also

[ Multilink PPP <Name> ], [ Chat <Name> ], [ Frame Relay <Section ID> ], [ PPP <Section ID> ], [ SMDS <Section ID> ], [ DS3 Interface <Section ID> ], [ RS232 Interface <Section ID> ], [ V.35 Interface <Section ID> ], [ Auth ], wan(show)

[ Logging ]

This section is used to pass configuration, error and debug information to the device administrator. Log messages are cached in an internal buffer, sent to the AUX serial port, or sent to a UNIX-style syslog facility. Messages stored in the buffer can be viewed later by the show system log command (see system(show)) or from the Windows or Macintosh CompatiView managers. If the device is restarted, the log messages stored in the buffer are lost. Keywords recognized in this section are described below.

Enabled = [ On | Off ]

The Enabled keyword enables or disables all logging in the device. If enabled, log messages are stored in an internal buffer. Other output options are described below.

Level = [ 0 - 7 | Emergency | Alert | Critical | Error | Warning | Notice | Info | Debug ]

The Level keyword determines the detail of messages logged.

0/Emergency means that you will receive logging information only when the system is unusable. These log messages will help indicate the source of the problem.
1/Alert reports only alert and emergency messages. An alert message requires immediate attention.
2/Critical reports critical, alert and emergency messages. A critical condition requires immediate attention.
3/Error reports exception cases pertaining to violations of protocols or other operational rules. Such violations may include illegal packets and improper command syntax.
4/Warning reports problems which may need a response. Examples include network number conflicts and resource allocation problems. If Warning messages are repeated, they require a response.
5/Notice reports information that may be useful on a day-to-day basis by an administrator but generally does not require any response. Examples include login/logout, serial line resets, and LAN-to-LAN connections. This setting is suitable for most conditions.
6/Info reports routine information, such as WAN network connect and disconnect messages.
7/Debug reports every action of the device and should not be used on a day-to-day basis since it generates a large number of log messages.

The value applies to all log messages generated by the device, regardless of where the message is output or from which interface it was generated.

LogToAuxPort = [ On | Off ]

The LogToAuxPort keyword enables logging to the AUX serial port. A <Ctrl-Z> entered at the console will toggle this setting in the runtime device parameters.


LogToSysLog = [ On | Off ]

The LogToSysLog keyword enables logging to a remote UNIX-style syslog daemon. See syslog.conf(5) or syslogd(8) on the remote host for details on configuring syslog.

SyslogFacility = [ Local0 | Local1 | Local2 | Local3 | Local4 | Local5 | Local6 | Local7 ]

The SyslogFacility keyword sets the syslog facility to which remote log messages are sent.

SyslogIPAddress = IP Address

The SyslogIPAddress keyword specifies the IP address of the remote syslog daemon.

DisabledPorts = [ <port string> | None ]

The keyword DisabledPorts is used to specify ports for which no log messages will be generated. This keyword is used to limit the number of messages generated. If None is specified, log messages will be generated for all ports.

Examples

This sets the logging to Info level, sends the log to the auxiliary port, and suppresses log messages for the WAN 1 and Ethernet 2 ports.

[ Logging ]
Enabled = On
Level = Info
LogToAuxPort = On
DisabledPorts = WAN 1 Ethernet 2

See Also
system(show)


[ Multilink PPP <Name> ]

This section is used to configure Multilink PPP (MPPP) parameters for multiple WAN interfaces. MPPP allows multiple physical links to be combined into a "bundle" which provides a virtual link with greater bandwidth than a single link.

Note: Each interface included in the bundle must be of the same type (i.e., V.35, synchronous, etc.). The interfaces do not need to be set at the same speed; however, the speed of the multilink will only be twice as fast as the slowest interface (or three times as fast if three interfaces are included, etc.).

Keywords recognized in this section are described below.

MPEnabled = [On | Off]

The MPEnabled keyword is used to specify whether multilink bundling will function on the router.

Bundle = WAN ports

The Bundle keyword is used to list each of the physical WAN interfaces included in the bundle (e.g., WAN 0, WAN 1, WAN 2, etc.).

Primary = WAN port

The Primary keyword is used to specify which interface in the bundle should be used by the router to configure the network protocol for the multilink.

ShortSeq = [On | Off]

The ShortSeq keyword allows the router to use an abbreviated sequence number in its multilink headers.

Note: While the shorter header can enhance performance slightly, routers from other vendors may not be compatible with this feature. The default is Off.

MPQual = [On | Off]

The MPQual keyword allows the router to use echo packets on each of the physical ports in the bundle to determine whether individual links are up. If one link in a bundle goes down, the router can divert data away from that port; however, if the primary port goes down, the entire link will go down even if MPQual is enabled. If MPQual is Off, any individual link in the bundle can bring down the entire multilink. The default is On. Parameters for echo packets are defined in the [ PPP <Section ID> ] section.


Examples

In the following example, WAN 0 and WAN 1 are part of the "home office" multilink bundle. WAN 0 provides the configuration parameters for the upper layer protocol.

[ Multilink PPP "home office" ]
MPEnabled = on
Bundle = wan 0 wan 1
Primary = wan 0
ShortSeq = off
MPQual = on

See Also
[ Link Config <Section ID> ], [ PPP <Section ID> ]


[ NAT Global ]

This section is used to modify parameters that affect the way NAT (Network Address Translation) operates. NAT allows internal networks which use private IP addresses to be translated into a valid external global IP address (or addresses). (See RFC 1918 "Address Allocation for Private Internets" for more information about private IP addresses.) This can allow a private network to provide Internet access through a single "official" IP address. It can also function as a minimal firewall by limiting access to the internal network from external networks while allowing the internal network easy access to the Internet.

These parameters are global to the device and are not associated with a particular interface. Keywords recognized in this section are described below.

Note: For WAN interfaces, the "official" IP address must be assigned statically from the router's configuration. The WAN interface performing NAT cannot have its IP address dynamically assigned by a dialup-PPP negotiation.

Enabled = [ On | Off ]

The Enabled keyword, when set to On, allows the router to perform NAT translations between the internal and external networks. The default is Off.

Note: NAT must also be enabled for the external NAT port in the [ IP <Section ID> ] section for NAT to function on the router.

InternalRange = IP address range

The InternalRange keyword defines the address range of the internal NAT network. This range will be translated into the range of IP addresses defined by the ExternalRange keyword. It can be a single IP address or a range of addresses. The InternalRange must be part of the same IP network as the internal NAT port. The address range may be specified in several different ways:

a) IP address(es) can be specified in normal dotted-decimal notation. If the rightmost components are 0, they are treated as wild cards (for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet).

b) An inclusive range of addresses can be specified using a "dash notation" in the form of #.#.#.{#-#}. For example, 10.5.3.{1-30} would be parsed as the IP addresses 10.5.3.1, 10.5.3.2, ... 10.5.3.29, and 10.5.3.30 (and every IP address in between). Each of these parsed addresses would have a mask of /32 or 255.255.255.255.

c) IP addresses may also be specified as a hexadecimal number (for example, 0x82cc0801 matches the host address 130.204.8.1).

d) A bit field can also be used to indicate a range of addresses by denoting the top or most significant bits which define the range. For example, an address specified as 192.15.32.0/19 would indicate a range from 192.15.32.1 to 192.15.63.255.

This keyword may appear multiple times within this section in order to specify several different ranges.

ExternalRange = IP address range

The ExternalRange keyword defines the address range of the external NAT network. This range will be translated into the range of IP addresses defined by the InternalRange keyword. It can be a single IP address or a range of addresses, but they must be valid global Internet addresses and the value(s) must be routable on the network.

If only a single Internet IP address is available, then the ExternalRange must be the same as the IP address on the IP port communicating with the Internet. In this case, care must be taken not to create a one-to-one translation pair using this IP address in the [ NAT Mapping ] section. If a range of addresses is specified, the NAT software makes the decision about which Internet address is assigned to outgoing packets.

The ExternalRange IP address has the same format as that for the InternalRange. This keyword may appear multiple times within this section in order to specify several different ranges.

PassThruRange = IP address range

The PassThruRange keyword defines an address range which may pass through the external NAT port without being translated. This is used when the NAT router has an IP interface (or interfaces), in addition to the NAT internal port and NAT external port, which is connected to part of the local network which is configured with global IP addresses.

Note: If an IP address or range of addresses is included in both the ExternalRange and PassThruRange, NAT will treat the IP address(es) as being members of the ExternalRange only.

The PassThruRange IP address has the same format as that for the InternalRange. This keyword may appear multiple times within this section in order to specify several different ranges.
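An added example, not the router's own code: a parser for the four address-range syntaxes listed under InternalRange, plus a classifier that applies the note under PassThruRange (an address in both ExternalRange and PassThruRange counts as external only). The bit-field form is returned as the whole block; the guide quotes 192.15.32.1, the first host, as the start of 192.15.32.0/19.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Illustration of the range syntaxes the reference guide describes for the
# InternalRange / ExternalRange / PassThruRange keywords. Not the device's parser.
_DOTTED = r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})"


def parse_nat_range(spec):
    """Return the (first, last) IPv4Address pair covered by one range value."""
    spec = spec.strip()

    # c) hexadecimal host address, e.g. 0x82cc0801 -> 130.204.8.1
    if re.fullmatch(r"0[xX][0-9a-fA-F]{1,8}", spec):
        host = IPv4Address(int(spec, 16))
        return host, host

    # d) bit-field notation, e.g. 192.15.32.0/19 -> 192.15.32.0 .. 192.15.63.255
    if re.fullmatch(_DOTTED + r"/(\d{1,2})", spec):
        net = IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address

    # b) dash notation on the last octet, e.g. 10.5.3.{1-30}
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\{\s*(\d{1,3})\s*-\s*(\d{1,3})\s*\}", spec)
    if m:
        a, b, c, lo, hi = map(int, m.groups())
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"bad dash range: {spec}")
        base = (a << 24) | (b << 16) | (c << 8)
        return IPv4Address(base | lo), IPv4Address(base | hi)

    # a) dotted decimal; trailing zero octets are wild cards (128.138.12.0 -> /24)
    m = re.fullmatch(_DOTTED, spec)
    if m:
        octets = [int(o) for o in m.groups()]
        wild = 0
        for o in reversed(octets):
            if o != 0:
                break
            wild += 1
        net = IPv4Network((spec, 32 - 8 * wild), strict=False)
        return net.network_address, net.broadcast_address

    raise ValueError(f"unrecognised range syntax: {spec!r}")


def classify(address, internal=(), external=(), passthru=()):
    """Which NAT role an address falls under. ExternalRange is tested before
    PassThruRange because the guide says an overlap is treated as external only."""
    ip = IPv4Address(address)

    def hit(specs):
        return any(lo <= ip <= hi for lo, hi in map(parse_nat_range, specs))

    if hit(external):
        return "external"
    if hit(passthru):
        return "passthru"
    if hit(internal):
        return "internal"
    return None


if __name__ == "__main__":
    for spec in ("128.138.12.0", "10.5.3.{1-30}", "0x82cc0801", "192.15.32.0/19"):
        lo, hi = parse_nat_range(spec)
        print(f"{spec:16} -> {lo} .. {hi}")
    # Constructed overlap: the single "official" address also sits inside a pass-through block.
    print(classify("198.41.9.219", external=["198.41.9.219"], passthru=["198.41.9.0/24"]))
```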

UDPTimeout = Number

The UDPTimeout keyword specifies the amount of time to lapse without any IP Network Address Translations using this NAT session before the router removes an active non-TCP NAT session. Values may range from 0 to 3600 seconds (1 hour). A value of zero will cause non-TCP NAT sessions to never be removed due to inactivity. Extending the amount of time will cause more router memory to be used by the NAT translation session database. The default is 300 seconds (5 minutes).


TCPTimeout = Number

The TCPTimeout keyword specifies the amount of time to lapse without any IP Network Address Translations using this NAT session before the router removes an active NAT session for TCP. The value may range from 0 to 172,800 seconds (48 hours). A value of zero will cause TCP NAT sessions to never be removed due to inactivity. Extending the amount of time will cause more router memory to be used by the NAT translation session database. The default is 86,400 seconds (24 hours).

TCPSynTimeout = Number

The TCPSynTimeout keyword specifies the amount of time to lapse without a response to a SYN TCP packet before the router removes an active NAT session for TCP. The value may range from 20 to 300 seconds. The default is 180 seconds (3 minutes).

TCPFinTimeout = Number

The TCPFinTimeout keyword specifies the amount of time to lapse without a response to a FIN TCP packet before the router removes an active NAT session for TCP. The value may range from 20 to 300 seconds. The default is 180 seconds (3 minutes).

RouterAddr = [On | Off]

The RouterAddr keyword, when set to On, allows communication with the router through the IP addresses of the router's ports. This allows the user to communicate with the router (e.g., establish a telnet session with the router). The default is On.

RespondICMP = [ On | Off ]

The RespondICMP keyword, when set to On, allows external workstations/routers to ping workstations/routers in the internal NAT network if a one-to-one translation pair in the [ NAT Mapping ] section will allow such a translation. The default is On. The workstation/router on the internal NAT network will not be allowed to respond to a ping if RespondICMP is Off.

Examples

The following example shows an internal subnetted network which has Internet access through 198.41.9.219. The internal network will also be able to respond to pings from external devices if a one-to-one translation pair has been configured in the [ NAT Mapping ] section.

[ NAT Global ]
Enabled = On
InternalRange = 10.5.3.0/27
ExternalRange = 198.41.9.219
RespondICMP = On


The following example shows another internal subnetted network which has Internet access through a range of Internet addresses. The internal network will not be able to respond to pings from external devices.

[ NAT Global ]
Enabled = On
InternalRange = 10.5.3.0/29
ExternalRange = 198.41.9.200/29
RespondICMP = Off

See Also
[ IP <Section ID> ], ip(show), [ NAT Mapping ], nat(show)


[ OSPF Area <Name> ]

This section defines configuration parameters for an OSPF area. An area is a generalization of an IP subnetted network within an Autonomous System (AS). An AS is a collection of networks under a common administration sharing a common routing strategy. All routers within an area have the same link-state database. An interface can only belong to one area, although different interfaces on a router can belong to different areas, making the router an Area Border Router. Area Border Routers disseminate routing information or routing changes between areas.

The Name portion of the section name is an integer or IP address. If more than one area is configured within an AS, then one of these areas has to be area 0, which is the backbone. The backbone has to be physically connected to all other areas. The only exception is for virtual links, which are explained in the [ OSPF Virtual Link <Name> ] section. When designing networks it is good practice to start with area 0 and then expand into other areas later on.

The keywords recognized in this section are described below.

OSPFAuthtype = [ None | Simple ]

The OSPFAuthtype keyword specifies whether the router will perform authentication of Link State Advertisements received from other routers. If Simple is specified, then you need to specify an authentication password using the Authkey keyword in the [ IP <Section ID> ] section for any interface which is associated with this area. If None is specified, no authentication will be done on Link State Advertisements. None is the default.

StubArea = [ On | Off ]

The StubArea keyword sets whether this area will function as a stub area. A stub area is an area which cannot receive external advertisements, which means RIP or static routes will not be redistributed into this area. If routing from a stub area to external routes (i.e., non-OSPF routes) is needed, a default route must be set. A stub area may not be a transit area for a virtual link.

Note: The backbone area (area 0) cannot be designated as a stub area.

StubDefaultCost = Number

The StubDefaultCost keyword sets the cost of the default route which will be used by routers within the stub area to route to external destinations. The value can be a number between 0 and 65,535.

NetRange = String

The NetRange keyword can be used to consolidate routing information at area boundaries, or to hide routing information from routers outside the area. Net ranges only apply to inter-area networks; if all the routers are in one area, any defined net ranges will not be used by the router. This keyword may appear multiple times within the configuration in order to specify several different ranges.


The string has the following syntax:

{ On | Off <IPAddress> <IP Subnet Mask> } [ Advertise | DoNotAdvertise ]

On | Off
On specifies that a Net Range is being used. Off indicates that a Net Range is not being used.

IPAddress
This is the IP address of the Net Range.

IP Subnet Mask
This is the subnet mask of the Net Range.

Advertise | DoNotAdvertise
This is an optional parameter. If Advertise is specified, the net range will be advertised to other areas. If DoNotAdvertise is specified, the network in the net range will not be advertised to other areas.

Note: DoNotAdvertise only applies to OSPF routes and not to routes learned from external protocols using IP route redistribution. External routes must be excluded by using route filtering. (See the [ IP Route Redistribution ] section.)

Examples

This example shows a Net Range being used to consolidate information for subnets 198.41.9.32, 198.41.9.64, 198.41.9.96 and 198.41.9.128, all of which have a subnet mask of 255.255.255.224.

OSPFAuthtype = "None"
StubArea = Off
NetRange = On 198.41.9.0 255.255.255.0 Advertise
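An added example, not the router's code, of the consolidation the NetRange example above does by hand: given the area's subnets, it computes the smallest single address/mask that covers them, emits the matching NetRange line, and reports how many addresses the summary advertises beyond the subnets actually listed (a summary that is too wide announces space the area does not hold).

```python
from ipaddress import IPv4Network, collapse_addresses


def summarize_net_range(subnets, advertise=True):
    """subnets: iterable of (address, dotted mask) pairs, as written in [ IP <Section ID> ].
    Returns the covering range in the form the NetRange keyword expects, plus the
    number of addresses the summary covers that none of the given subnets contain."""
    nets = [IPv4Network(f"{addr}/{mask}", strict=False) for addr, mask in subnets]
    if not nets:
        raise ValueError("at least one subnet is required")
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)

    # Widen the prefix from /32 until one block starting at lo reaches hi.
    prefix = 32
    while True:
        candidate = IPv4Network((lo, prefix), strict=False)
        if candidate.broadcast_address >= hi:
            break
        prefix -= 1

    # collapse_addresses() merges overlapping subnets so they are not counted twice.
    listed = sum(n.num_addresses for n in collapse_addresses(nets))
    address, mask = str(candidate.network_address), str(candidate.netmask)
    return {
        "address": address,
        "mask": mask,
        "prefix": prefix,
        "extra_addresses": candidate.num_addresses - listed,
        "netrange_line": f"NetRange = On {address} {mask} "
                         + ("Advertise" if advertise else "DoNotAdvertise"),
    }


if __name__ == "__main__":
    # The four subnets from the guide's example.
    area_subnets = [(f"198.41.9.{o}", "255.255.255.224") for o in (32, 64, 96, 128)]
    summary = summarize_net_range(area_subnets)
    print(summary["netrange_line"])
    print(f"summary covers {summary['extra_addresses']} addresses not in any listed subnet")
```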

See Also
[ IP <Section ID> ], [ OSPF Virtual Link <Name> ], [ IP Route Redistribution ], [ IP Route Filter <Name> ], ospf(show)


[ OSPF Virtual Link <Name> ]

This section defines configuration parameters for an OSPF Virtual Link. Configuring a virtual link is the only way to allow an area which is not contiguous to the backbone area (area 0) to operate. The virtual link must be configured in both routers which are providing the tunnel to the backbone. These two routers do not need to be physically connected, but they must share a common area called the "transit area."

The Name portion of the section name is the Router ID of the virtual neighbor and is entered as an IP address. The Router ID of the virtual neighbor is the largest IP interface address associated with that router. You can request the Router ID of the virtual neighbor by issuing the show ospf rtrid command (see ospf(show)).

The keywords recognized in this section are described below.

LinkActive = [ On | Off ]

The LinkActive keyword specifies whether an OSPF virtual link will operate. On activates the virtual link. Off deactivates the virtual link.

TransitArea = Area ID

The TransitArea keyword designates the area that is to function as the transit area. The transit area is the area number assigned to the tunnel "between" the two routers of the virtual link. Each router must have at least one interface attached to the transit area. The Area ID can be specified as a number between 0 and 0xFFFFFFFF or as an IP address in dotted-decimal notation.

VirtTransDelay = Number

The VirtTransDelay keyword sets the amount of time added to the age of Link State Update packets before transmission. It is the estimated number of seconds to transmit a packet over the virtual link. The value can be between 1 and 65,535 seconds. The default is 4.

VirtRetrans = Number

The VirtRetrans keyword sets the interval, in seconds, between retransmission of Link State Update packets across the virtual link. The value can be between 2 and 65,535 seconds. The default is 30.

VirtHelloInt = Number

The VirtHelloInt keyword sets the interval, in seconds, at which the router sends out "keepalive" packets across the virtual link to let the other end of the link know the router is up. The value must be greater than 10 seconds. The default is 30.

VirtRtrDeadInt = Number

The VirtRtrDeadInt keyword sets the length of time, in seconds, that this router will wait without receiving a "keepalive" packet from the other end of the virtual link before assuming it's down. The value must be at least twice the VirtHelloInterval. The default is 4 times the VirtHelloInterval.

Note: The VirtHelloInterval and VirtRtrDeadInterval for each end of the virtual link must match or the virtual link will not function. If you change the settings on one router, you must change them on the other.

VirtAuthKey = String

The VirtAuthKey keyword sets the OSPF packet authentication key for the virtual link. The authentication key must be the same for both ends of the virtual link. The string may be between one and 8 alphanumeric characters. If the string contains spaces or other special characters, it must be enclosed in quotes.

Examples

This example shows a virtual link which uses the default settings.

LinkActive = On
TransitArea = 2
VirtRetrans = 30
VirtTransDelay = 4
VirtHelloInt = 30
VirtRtrDeadInt = 120
VirtAuthKey = "Zooey"

See Also
[ IP <Section ID> ], [ OSPF Area <Name> ], [ IP Route Redistribution ], ospf(show)


[ PPP <Section ID> ]

This section is used to set Compression, Link Quality, LCP and Authentication parameters. The keywords in this section are described below.

COMPRESSION

The Compression Control Protocol (CCP) is used to negotiate the method for compressing data before it is passed across a PPP link. Sequenced Predictor is proprietary to Compatible Systems devices. It requires a Compatible Systems device at the remote end.

Compress = [ SeqPred | Stac | Off ]

The Compress keyword specifies whether compression will be used. The remote device must also be enabled to use the same compression algorithm to successfully negotiate compression over the PPP link. SeqPred specifies that the Sequenced Predictor Compression Control Protocol (CCP) algorithm will be used for outgoing data. Stac specifies that Stac LZS compression will be used. LZS compression uses an algorithm to build a history of frequently repeated groups of 8-bit characters and creates shorter bit patterns to represent them. Compatible Systems' current implementation of LZS does not support more than one history. It uses only a sequence value check byte for error detection.

By choosing the Off option, compression is disabled. The default is Off.

LINK QUALITY

To monitor the quality of a WAN link, echo packets are sent out at a specified interval and the responses are counted. The link will be dropped if the number of missed packets out of the total number of echo packets exceeds the specified parameters. The link can then be re-established with a (hopefully) better quality line, or, if a multilink is being used, data can be diverted away from the downed link. (See the [ Multilink PPP <Name> ] section for more information on multilinks.) Echo packets will not affect the inactivity timer of a dialup connection.

EchoPackets = [ On | Off ]

The EchoPackets keyword sets the device to perform link quality testing for the current interface. When EchoPackets is On, echo packets will be regularly sent and the line quality will be monitored.

EchoInterval = Number

The EchoInterval keyword sets the time, in seconds, between echo packets. EchoInterval also sets the amount of time in which an echo response must be received in order not to be counted as missed. The value must be in the range of 1 to 255 seconds.

EchoDrop = Number

The EchoDrop keyword sets the number of echo reply packets that must be missed out of the last EchoThreshold echo packets sent for the link to be dropped. The value must be in the range of 1 to 32.


EchoThreshold = Number

The EchoThreshold keyword defines the sample size of echo reply packets that the device examines for missed packets. The value must be in the range of 2-32.

LINK CONTROL PROTOCOL

The Link Control Protocol (LCP) parameters are used to determine the options to be negotiated by PPP LCP. The default settings will work with the vast majority of PPP implementations.

ACCM = [ On | Off ]

The ACCM keyword is used to configure the Asynchronous Character Control Map (ACCM). Communications devices on WAN links sometimes (but not normally) use ASCII characters in the range 0x0-0x1F hex as control characters. Without an ACCM mechanism, data in the range 0x0-0x1F could be erroneously interpreted as control characters. If devices on the WAN link are known to use control characters, the bit corresponding to each used control character should be set in ACCMVal. ACCM is only used for asynchronous links.

Note: If you set Flow Control to XOn_XOff in the [ RS232 Interface <Section ID> ] section for this WAN interface, the characters for XOn and XOff will automatically be escaped by the device.

ACCMVal = Number

The ACCMVal keyword specifies a 32-bit hexadecimal number containing bits set for the ACCM corresponding to the control characters used. The least significant bit of the ACCM mask corresponds to ASCII character NULL (0).

AddrCompress = [ On | Off ]

The AddrCompress keyword enables the compression of the 2-byte address and control field of the PPP packet header.

ProtoCompress = [ On | Off ]

The ProtoCompress keyword enables the compression of the upper byte of the protocol field of the PPP packet header.

Magic = [ On | Off ]

The Magic keyword causes PPP to detect a loopback connection by checking a magic value in the PPP header.

AUTHENTICATION

The following keywords are used to configure the type of authentication to be used during the establishment of a PPP connection. CHAP (Challenge-Handshake Authentication Protocol) and PAP (Password Authentication Protocol) are supported. Both CHAP and PAP require the exchange of packets between the PPP peers. A device can request authentication and/or respond to authentication requests. If both CHAP and PAP are configured as "request," the LCP negotiation will attempt to negotiate CHAP first. If CHAP is not accepted, the negotiation will then attempt PAP. If the device requests authentication and the remote peer doesn't accept, the LCP negotiation phase will not complete and the link will not come up. Devices that request PAP or CHAP must have an authentication database entry (see the [ Auth ] section) or RADIUS authentication enabled (see the [ Radius ] section) for the remote peer.

PAP uses a 2-way handshake for authentication. For example, assume Router1 requests PAP and Router2 will respond to PAP. After PPP LCP negotiation, Router2 will send an authentication request to Router1 containing its PAPName and PAPPassword (see below). Router1 uses either its internal database or RADIUS to validate the request and returns an authentication "success" or "failure" packet. The link will be dropped if the validation fails.

CHAP uses a 3-way handshake for authentication. A shared secret combined with the message-digest hash algorithm (MD5) is used for message passing. For example, assume Router1 requests CHAP and Router2 will respond to CHAP. After PPP LCP negotiation, Router1 will send a challenge containing a random number to Router2. Router2 feeds the random number and the shared secret to MD5 and sends the MD5 output, along with Router2's CHAPName, to Router1 as its response. When Router1 receives a response, the response is validated by first checking for Router2's CHAPName in the authentication database. If the name is found, the validation is done by checking the MD5 output from Router2. If it's not found, and RADIUS is enabled, the RADIUS server is used to validate the response. If the validation is good, Router1 sends a "success" packet to Router2. Otherwise, a "failure" packet is returned, and the link is dropped. Router1 will use the same method to re-authenticate Router2 every minute for as long as the link is up. These packets do not affect the inactivity timeout of an on-demand (dialup) link.

Whereas PAP sends both the name and password across the link, CHAP only sends the name and the MD5 output computed from the challenge and the secret. Because the secret is never passed across the link, CHAP is considered a more secure method of authentication than PAP.

CHAPRequest = [ On | Off ]

The CHAPRequest keyword sets the device to request CHAP authentication from the remote peer. If CHAPRequest is On, the CHAPName for this device must be configured. In addition, there must be an entry in the internal authentication database for the remote peer, or RADIUS authentication must be configured.

CHAPRespond = [ On | Off ]

The CHAPRespond keyword sets the device to accept CHAP authentication requests from the remote peer. If CHAPRespond is On, the CHAPName and CHAPSecret for this device must be configured, and the remote peer must have an entry for this device in its internal authentication database, or RADIUS authentication must be configured.


CHAPName = StringThe CHAPName keyword is used to identify the requesting or responding device. It can be up to 255 characters long. The remote peer typically uses this name to search a database of authentication entries to determine the required secret.

CHAPSecret = StringThe CHAPSecret keyword is used by CHAP for creating the encrypted authentication response. It is only required for devices which need to respond to CHAP challenges. The challenging peer must have an authentication database entry or RADIUS entry with the responding device’s CHAPName and this secret value. It can be up to 255 characters long.

PAPRequest = [ On | Off ]The PAPRequest keyword is used to request PAP authentication from the remote peer. The requesting device must be configured with an entry in its internal authentication database for the remote peer, or it must be configured to use RADIUS authentication.

PAPRespond = [ On | Off ]The PAPRespond keyword sets the device to accept PAP authentica-tion requests from the remote peer. The name and password expected by the remote peer must be specified.

PAPName = String

The PAPName keyword is used to identify the sender of PAP authentication packets. It can be up to 255 characters long. The remote peer typically uses this name to search a database of authentication entries to determine the required password.

PAPPassword = String

The PAPPassword keyword is used by PAP in conjunction with the name to uniquely identify the remote peer. The value may be up to 255 characters long.

Examples

[ PPP WAN A ]
Compress = Off
CHAPRequest = TRUE
CHAPName = "This is my name."
AddrCompress = OFF
EchoDrop = 8
EchoThreshold = 32

See Also

[ Auth ], [ Radius ], [ RS232 Interface <Section ID> ], [ Multilink PPP <Name> ]


[ Radius ]

This section is used to configure RADIUS parameters into a device. RADIUS can be used for remote access authentication using PAP or CHAP and for remote access accounting. RADIUS authentication is done only if the peer or remote user cannot be found in the authentication database first (see the [ Auth ] and/or [ VPN Users ] sections for more information). The device acts as a client and exchanges packets with a RADIUS server running on an external host. An optional secondary server can be configured. The secondary server will be used if the retries limit is reached when sending packets to the primary server. Compatible Systems devices conform to the following IETF RADIUS RFC drafts: draft-ietf-radius-radius-02.txt and draft-ietf-radius-accounting-02.txt. Any server used with Compatible Systems devices must also conform to these RFC drafts. Possible sources for a RADIUS server are Livingston, Ascend or Merit. Keywords recognized in this section are described below.

PrimAddress = String

The PrimAddress keyword sets the IP address (e.g., 192.168.9.99), or fully qualified domain name (e.g., monkey.wrench.com) of the primary RADIUS server.

PrimRetries = Number

The PrimRetries keyword sets the number of times the device will attempt to contact the primary RADIUS server. Values may range from 1 to 10 with a default value of 5. The device uses a back-off algorithm while retrying. The time period between packets 1 through 10 is (in seconds): 1, 1, 2, 2, 3, 3, 4, 4, 5, 5.

Secret = String

The Secret keyword is set to a shared secret used by the device and RADIUS server to validate packets exchanged between them. This secret must match the client secret configured in the RADIUS server. The string can be from 1 to 31 ASCII characters in length. Note: When the UseChap16 keyword is set to On, the Secret may not be more than 16 ASCII characters.

BindTo = Port String

The BindTo keyword specifies which interface on this device will have its IP address used as a source address for all packets sent to the RADIUS server. The IP address for the specified interface must be configured in the RADIUS server as the client address.

Challengetype = [ CHAP | PAP | Challenge ]

The Challengetype keyword allows you to specify which type of RADIUS challenge is used to validate the VPN Client to the RADIUS server. CHAP specifies that the user is sent a CHAP challenge. PAP specifies that the user is sent a PAP challenge. If PAP is selected, a PAPAuthSecret must be specified. The default is CHAP.


PAPAuthSecret = String

The PAPAuthSecret keyword is set to a secret used by an IntraPort VPN Access Server and VPN Client to authenticate and encrypt packets exchanged between them before they are passed on to the RADIUS server. This is used only when PAP is specified in the Challengetype keyword. IntraPort Client software users will be prompted for both this secret and their regular RADIUS password. The string can be from 1 to 255 ASCII characters in length.

UseChap16 = [ On | Off ]

When the UseChap16 keyword is On, CHAP challenges to the RADIUS servers are limited to 16 bytes. Older RADIUS servers cannot handle longer challenges.

PrimUseSecret = [ On | Off ]

When the PrimUseSecret keyword is On, the device includes the secret in the hash it uses to encrypt packets sent to the primary RADIUS server. Since older RADIUS servers did not include the secret in their hash, it's been made a configurable option in Compatible Systems’ devices.

SecAddress = String

The SecAddress keyword sets the IP address (e.g., 192.168.9.99), or fully qualified domain name (e.g., monkey.wrench.com), of the secondary RADIUS server. If no response is received from the primary RADIUS server after PrimRetries, then this secondary server is used. If no response is received from the secondary server after SecRetries, the device will return a "failure" packet to the peer and the link will be dropped.

SecRetries = Number

The SecRetries keyword sets the number of times the device will attempt to contact the secondary RADIUS server. Values may range from 1 to 10 with a default value of 5. The device uses a back-off algorithm while retrying. The time period between packets 1 through 10 is (in seconds): 1, 1, 2, 2, 3, 3, 4, 4, 5, 5.

SecUseSecret = [ On | Off ]

When the SecUseSecret keyword is On, the device includes the secret in the hash it uses to encrypt packets sent to the secondary RADIUS server. Since older RADIUS servers did not include the secret in their hash, it's been made a configurable option in Compatible Systems’ devices.

Accounting = [ On | Off ]

If the Accounting keyword is On, each time a user logs into the device, a record of their login is sent to the RADIUS server where it is catalogued.


Authentication = [ On | Off ]

The Authentication keyword specifies whether the device will exchange user authentication information with a RADIUS server. If On is specified, the RADIUS server will be used for authentication.

AcctPort = Number

The AcctPort keyword defines which UDP port the device will use to send RADIUS accounting information to the RADIUS server. The default is 1646. The port number may be changed in certain situations for security reasons.

AuthPort = Number

The AuthPort keyword defines which UDP port the device will use to exchange RADIUS authentication information with the RADIUS server. The default is 1645. The port number may be changed in certain situations for security reasons.

VPNPassword = Number

The VPNPassword keyword sets the attribute number for the VPN tunnel secret. The tunnel secret is a shared secret between the IntraPort Client and the RADIUS server which is used for authentication of tunnel connections. This attribute number must also be set up in the RADIUS server’s dictionary file. The value may range between 64 and 191. The default is 69.

VPNGroupInfo = Number

The VPNGroupInfo keyword sets the attribute number for the VPN group configuration. The group configuration defines tunneling profiles for a group of one or more IntraPort Client users. This attribute number must also be set up in the RADIUS server’s dictionary file. The value may range between 64 and 191. The default is 77.

VPNRealIP = Number

The VPNRealIP keyword sets the attribute number for the reporting of the actual IP address of an IntraPort user. If this number has been set both here and in the RADIUS server’s dictionary file, then the actual IP address of a user will be reported by the IntraPort Client software and will be recorded by the RADIUS server. The value may range between 64 and 191. The default is 66.

VPNAssignedIP = Number

The VPNAssignedIP keyword sets the attribute number for the reporting of the IP address which the IntraPort server assigns to an IntraPort user. If this number has been set both here and in the RADIUS server’s dictionary file, then the assigned IP address will be reported by the IntraPort Client software and will be recorded by the RADIUS server. The value may range between 64 and 191. The default is 67.


Examples

Enable RADIUS accounting and authentication using both a primary and secondary server. The shared secret is "Homer Simpson."

[ Radius ]
PrimAddress = 192.168.12.9
SecAddress = 192.168.12.8
Secret = "Homer Simpson"
Authentication = On
Accounting = On

See Also

[ Auth ], [ VPN Users ], [ PPP <Section ID> ]
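A parser for the guide's section/keyword format, followed by a lint pass over the rules stated above for [ PPP <Section ID> ] and [ Radius ] (CHAP/PAP prerequisites, Secret length under UseChap16, retry and attribute-number ranges) and the worst-case wait implied by the retry back-off. This is an added example, not code from Compatible Systems: the sample configuration is constructed, and treating a section named "Auth..." as the internal authentication database and each back-off value as the wait after that attempt are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the guide's text-based format; it deliberately breaks
# several rules stated in the [ PPP <Section ID> ] and [ Radius ] sections.
SAMPLE_CONFIG = """[ PPP WAN 0 ]
CHAPRequest = On
CHAPRespond = On
CHAPName = "router-a"
CHAPSecret = ""

[ Radius ]
PrimAddress = 192.168.12.9
SecAddress = 192.168.12.8
Secret = "a shared secret longer than sixteen"
UseChap16 = On
PrimRetries = 12
Challengetype = PAP
VPNPassword = 200
Authentication = On
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
KEYVAL_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")
Config = Dict[str, Dict[str, str]]

def parse_config(text: str) -> Config:
    """Parse '[ Section ]' headers and 'Keyword = Value' lines; quotes around values are stripped."""
    config: Config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            config.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            config[current][m.group(1)] = value
    return config

def is_on(section: Dict[str, str], key: str) -> bool:
    # The guide's own PPP example writes "CHAPRequest = TRUE", so accept On or TRUE.
    return section.get(key, "Off").lower() in ("on", "true")

def in_range(value: str, lo: int, hi: int) -> bool:
    return value.isdigit() and lo <= int(value) <= hi

# Back-off (seconds) between retry packets 1 through 10, as given in the guide.
BACKOFF = [1, 1, 2, 2, 3, 3, 4, 4, 5, 5]

def worst_case_radius_wait(prim_retries: int, sec_retries: int) -> int:
    """Seconds a peer may wait before both servers are given up on and the link is
    dropped. Assumption: each interval is the wait after the corresponding attempt."""
    return sum(BACKOFF[:prim_retries]) + sum(BACKOFF[:sec_retries])

def lint_config(config: Config) -> List[Tuple[str, str]]:
    """Return (section, problem) pairs for settings that break the documented rules."""
    findings: List[Tuple[str, str]] = []
    radius = config.get("Radius", {})
    radius_auth = is_on(radius, "Authentication")
    # Assumption: a section whose name starts with "Auth" is the internal authentication database.
    has_auth_db = any(name.startswith("Auth") for name in config)
    for name, sec in config.items():
        if not name.startswith("PPP "):
            continue
        if is_on(sec, "CHAPRequest"):
            if not sec.get("CHAPName"):
                findings.append((name, "CHAPRequest is On but CHAPName is not set"))
            if not (has_auth_db or radius_auth):
                findings.append((name, "CHAPRequest is On but neither [ Auth ] nor RADIUS authentication is configured"))
        if is_on(sec, "CHAPRespond"):
            for key in ("CHAPName", "CHAPSecret"):
                if not sec.get(key):
                    findings.append((name, f"CHAPRespond is On but {key} is not set"))
        if is_on(sec, "PAPRespond"):
            for key in ("PAPName", "PAPPassword"):
                if not sec.get(key):
                    findings.append((name, f"PAPRespond is On but {key} is not set"))
    if radius:
        limit = 16 if is_on(radius, "UseChap16") else 31   # UseChap16 caps the shared secret
        if not 1 <= len(radius.get("Secret", "")) <= limit:
            findings.append(("Radius", f"Secret must be 1 to {limit} characters"))
        for key in ("PrimRetries", "SecRetries"):
            if key in radius and not in_range(radius[key], 1, 10):
                findings.append(("Radius", f"{key} must be 1 to 10, got {radius[key]}"))
        if radius.get("Challengetype", "CHAP").upper() == "PAP" and not 1 <= len(radius.get("PAPAuthSecret", "")) <= 255:
            findings.append(("Radius", "Challengetype = PAP requires a PAPAuthSecret of 1 to 255 characters"))
        for key in ("VPNPassword", "VPNGroupInfo", "VPNRealIP", "VPNAssignedIP"):
            if key in radius and not in_range(radius[key], 64, 191):
                findings.append(("Radius", f"{key} attribute number must be 64 to 191, got {radius[key]}"))
        if (radius_auth or is_on(radius, "Accounting")) and not radius.get("PrimAddress"):
            findings.append(("Radius", "RADIUS is enabled but PrimAddress is not set"))
    return findings
```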


[ RS232 Interface <Section ID> ]

This section is used to configure characteristics of the router's RS-232 interfaces. Keywords recognized in this section are described below.

LinkType = [ Async | Sync ]

The LinkType keyword is used to set the type of serial connection for the current interface. RS-232 interfaces can be configured for asynchronous or synchronous operation.

FlowCntl = [ None | Hardware | Xon_Xoff ]

The FlowCntl keyword is used to set the serial flow control method for the current interface. Flow control is used to prevent either the router or the devices it is connected to from sending data faster than the other device can process. Hardware flow control uses signal wires built into the RS-232 interface to throttle the connection. Hardware flow control is generally more reliable and should be used whenever possible. Select Hardware to enable hardware flow control. Not all devices support hardware flow control; those that don't use software flow control, which can be selected with the Xon_Xoff option. Software flow control uses special characters in the data stream to throttle the connection. Select None to disable flow control.

TxInternal = [ On | Off ]

The TxInternal keyword is used to tell the router to source a synchronous clock. The vast majority of configurations will have this set to Off. Normally, the circuit provider, the DSU, or the ISDN TA will be configured to supply the transmit data clock. The On value is normally used when creating a NULL connection between two routers. RS-232 interfaces on some routers must also have a hardware jumper changed to supply the transmit data clock (check the Installation Guide for the specific device). The receive data clock is always an input to the router.

Baud = [ 2400 | 9600 | 14400 | 19200 | 38400 | 56000 | 57600 | 64000 | 115200 | 128000 | 230400 | 256000 ]

The Baud keyword specifies the asynchronous data rate or the transmit clock baud rate used when internal clocking is enabled. Not all values are available on all devices. Check the Installation Guide for the specific device for the appropriate setting.

Examples

WAN 0 is set to synchronous operation, sourcing the transmit clock internally at 128000 baud.

[ RS232 Interface WAN 0 ]
Baud = 128000
LinkType = Sync
TxInternal = On


WAN 1 is set to asynchronous operation at 115200 baud with hardware flow control.

[ RS232 Interface WAN 1 ]
Baud = 115200
LinkType = Async
FlowCntl = Hardware

See Also

wan(show), statistics(show), [ Link Config <Section ID> ]


[ SecurID ]


This section is used to configure SecurID parameters into an IntraPort VPN Access Server. All IntraPort servers and the IntraPort Client software are SecurID-ready. SecurID is Security Dynamics' proprietary system which requires ACE/Server software and SecurID tokens to perform dynamic two-factor authentication. Keywords recognized in this section are described below.

Enabled = [ On | Off ]

If the Enabled keyword is On, SecurID authentication of users will be enabled on the server.

EncryptionType = [ DES | SDI ]

The EncryptionType keyword selects the encryption algorithm for data exchanged between the IntraPort and the ACE/Server. DES specifies that the DES algorithm will be used to scramble the data in both directions. SDI specifies that Security Dynamics' proprietary algorithm will be used. The default is DES.

Port = number

The Port keyword defines which UDP port on the ACE/Server will be used to exchange information. The default is 5500. The value may range between 1 and 65,535.

PrimaryServer = IP Address

The PrimaryServer keyword sets the IP address of the primary ACE/Server.

BackupServer = IP Address

The BackupServer keyword sets the IP address of the secondary ACE/Server. If no response is received from the primary ACE/Server after the Timeout period, then this secondary server is used.

Timeout = number

The Timeout keyword sets the number of seconds the device will wait before trying the backup ACE/Server. The default is 5. The value may range between 1 and 75.

BindTo = Port String

The BindTo keyword specifies which interface on this device will have its IP address used as a source address for all packets sent to the SecurID server. The IP address for the specified interface must be configured in the RADIUS server as the client address.

Examples

[ SecurID ]
Enabled = On
EncryptionType = DES
PrimaryServer = 192.168.12.8
BackupServer = 192.168.41.2
Timeout = 5
BindTo = Ethernet 0:0

See Also

[ VPN Group <Name> ], securid(show), securid secret(reset)


[ SMDS <Section ID> ]


This section is used to configure SMDS (Switched Multi-megabit Data Service) parameters for either the interface specified or for multiple interfaces using the default sections as explained in Appendix A. SMDS is a connectionless, packet-switched service that offers LAN-to-LAN connectivity across a wide area at up to 1.544 Mbps. SMDS is enabled in the [ Link Config <Section ID> ] section. Keywords recognized in this section are described below.

StationAddress = String

The StationAddress keyword is used to configure the SMDS physical station address. The address is assigned by the service provider and follows the E.164 format (i.e., 64-bit/15-digit addressing). The station address must start with the letter C and be followed by at least 10 digits. The missing digits will be filled in with F. The address should be entered exactly as it is assigned by the service provider.

IPMulticast = String

The IPMulticast keyword is used to configure the IP multicast address. This address is the SMDS group address assigned by the service provider and follows the E.164 format. The multicast address must start with the letter E and be followed by at least 10 digits. The missing digits will be filled in with F. The address should be entered exactly as it is assigned by the service provider.

PollingFrequency = Number

The PollingFrequency keyword specifies the interval that the router uses to poll the SMDS switch. The interval is specified in seconds and must be between 0 and 30. If the switch does not respond to the polling, the router will eventually declare the SMDS link down and start dropping packets designated for that interface. A value of 0 will disable the polling mechanism. Disabling the polling mechanism will automatically declare the SMDS link up. Note: The keepalive mechanism is also referred to as "heartbeat exchange" in the SMDS literature.

Examples

The following is an example of a valid StationAddress setting:

StationAddress = C130.3302.1310

The following is an example of a valid IPMulticast setting:

IPMulticast = E130.3302.4139

See Also

Appendix A, [ Link Config <Section ID> ]
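A validator and normalizer for the StationAddress and IPMulticast formats described above (leading C or E, at least 10 digits, dots as separators, missing digits filled with F), as an added example that is not part of the guide. That the F fill extends the address to 15 digits is an assumption drawn from the E.164 15-digit addressing the text mentions.

```python
import re

E164_DIGITS = 15   # the guide describes SMDS addresses as E.164, 15-digit addressing

def normalize_smds_address(address: str, kind: str) -> str:
    """Validate and expand a StationAddress ('station', letter C) or IPMulticast
    ('multicast', letter E) value as the guide describes: the type letter, then at
    least 10 digits, dots being separators only, missing digits filled in with F.
    Assumption: the fill is on the right, out to the 15-digit E.164 length."""
    letter = {"station": "C", "multicast": "E"}[kind]
    compact = address.replace(".", "").upper()
    if not compact.startswith(letter):
        raise ValueError(f"{kind} address must start with {letter}: {address!r}")
    body = compact[1:]
    # 10 to 15 digits, optionally already followed by F fill, never longer than 15 in all
    if not re.fullmatch(r"\d{10,15}F*", body) or len(body) > E164_DIGITS:
        raise ValueError(f"expected 10 to {E164_DIGITS} digits after {letter}: {address!r}")
    digits = body.rstrip("F")
    return letter + digits + "F" * (E164_DIGITS - len(digits))

def smds_addresses_valid(station: str, multicast: str) -> bool:
    """True when both addresses of an [ SMDS <Section ID> ] section are well formed."""
    try:
        normalize_smds_address(station, "station")
        normalize_smds_address(multicast, "multicast")
    except ValueError:
        return False
    return True
```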


[ SNMP ]

This section permits parameters to be defined for SNMP (Simple Network Management Protocol) management of the device. The keywords for this section are described below.

Enabled = [ On | Off ]

The keyword Enabled allows SNMP management of the device to be completely enabled or disabled. When set to Off, no SNMP management will be allowed by the device.

SetsEnabled = [ On | Off ]

The SetsEnabled keyword controls whether SNMP sets can be applied to a device.

TrapsEnabled = [ On | Off ]

The TrapsEnabled keyword controls whether SNMP traps will be reported by the device when trap conditions are encountered. Compatible Systems devices support the following SNMP Traps (as outlined in RFC 1157):

coldStart - this will be generated when a restart to save a configuration or software download is accomplished.
warmStart - this will be generated when a restart event is received.
linkDown - this will be generated from a WAN interface when a link is dropped due to abnormal conditions, such as lost carrier, lost PVC, etc.
linkUp - this will be generated from a WAN interface when a link which was lost due to abnormal conditions comes back up.
authenticationFailure - this will be generated when a protocol message is not properly authenticated.

AdminName = String

The keyword AdminName allows the administrator name of the device to be specified. This information is returned when queried for SNMP System Information by an SNMP console. The string can be up to 255 characters in length and contain special characters as outlined in Appendix B. The administrator name usually specifies who is responsible for the equipment. Items that can be included might be the administrator's name, phone number, office number, etc.

Domain = String

The keyword Domain allows the domain name of the device to be specified. This information is returned when queried for SNMP System Information by an SNMP console. The string can be up to 255 characters in length and contain special characters as outlined in Appendix B.


The domain name usually has network-specific information about the device. Items that can be specified include the device's DNS name, its TCP/IP domain, or the cable segment or subnet that it is connected to. This variable is independent from the actual DNS record for the device and is used to provide information to external managers.

Location = String

The Location keyword allows the location of the device to be specified. This information is returned when queried for SNMP System Information by an SNMP console. The string can be up to 255 characters in length and contain special characters as outlined in Appendix B. The location usually has information about where the equipment is physically located. The building, room and rack are examples of information that could be specified for this parameter.

Examples

[ SNMP ]
Enabled = On
SetsEnabled = On
TrapsEnabled = On
AdminName = "Velma Dinkley"
Domain = "velma’s 2270"
Location = "Upstairs"

See Also

[ SNMP CommunityString <Name> ], [ SNMP Trap <Name> ]


[ SNMP CommunityString <Name> ]


This section permits parameters to be defined for SNMP (Simple Network Management Protocol) Community Strings. SNMP Community Strings are groups of administrators who have access to the device via an SNMP console. The Name portion of the section name should be a string associated with an administrator (or administrators). This string is included in every message and is used, along with the IP address(es) configured below, for access authentication. The default name is "Public," which allows any Community String to have access to this device. Once you have set an SNMP CommunityString Name section, access will be limited to the named Community String. The keywords for this section are described below.

Access = [ Read | ReadWrite | None ]

The Access keyword specifies the type of access the administrator(s) within the Community String will have to this device. If None is chosen, the Community String will have no access. If Read is specified, the Community String will receive information such as Traps, but can not do Sets. If ReadWrite is specified, the Community String can both perform Sets to, and receive Traps from, this device.

IPAddress = IP Address

The IPAddress keyword sets the IP address, or addresses, of the SNMP console(s) which will have access to this device. The address is used, along with the Community String, for access authentication. Up to four IP addresses may be entered. They should be entered in standard IP dotted-decimal notation (e.g., 198.41.9.1). An address with all zeros (0.0.0.0) can be used as a wild-card to allow the specified Community String access from any console.

Examples

In the following examples, the Community String "Info Services" is allowed full access to the device, while the Community String "Tech Support" is allowed read-only access from any console.

[ SNMP CommunityString "Info Services" ]
Access = ReadWrite
IPAddress = 192.168.41.95
IPAddress = 192.168.41.3
IPAddress = 192.168.41.2
IPAddress = 192.168.5.5

[ SNMP CommunityString "Tech Support" ]
Access = Read
IPAddress = 0.0.0.0

See Also

[ SNMP ], [ SNMP Trap <Name> ]
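The access decision the [ SNMP ] and [ SNMP CommunityString <Name> ] sections describe (community string match, console address or the 0.0.0.0 wild-card, Access level, SetsEnabled), together with an audit for the exposures the text points out, as an added example that is not part of the guide. The community data is the guide's own example already parsed into Python; mapping a failed community/console check to the authenticationFailure trap is an assumption.

```python
from ipaddress import ip_address
from typing import Any, Dict, List, Optional, Tuple

# Constructed: the guide's two [ SNMP CommunityString <Name> ] examples, already parsed.
# Each entry holds the Access keyword and the list of IPAddress values (up to four).
COMMUNITY_STRINGS: Dict[str, Dict[str, Any]] = {
    "Info Services": {"Access": "ReadWrite",
                      "IPAddress": ["192.168.41.95", "192.168.41.3", "192.168.41.2", "192.168.5.5"]},
    "Tech Support": {"Access": "Read", "IPAddress": ["0.0.0.0"]},
}

def console_allowed(addresses: List[str], source_ip: str) -> bool:
    """True if the console address is listed, or if 0.0.0.0 (the wild-card) is listed."""
    src = ip_address(source_ip)
    return any(a == "0.0.0.0" or ip_address(a) == src for a in addresses)

def authorize(community: str, source_ip: str, operation: str,
              community_strings: Dict[str, Dict[str, Any]] = COMMUNITY_STRINGS,
              snmp_enabled: bool = True, sets_enabled: bool = True) -> Tuple[str, Optional[str]]:
    """Decide whether an SNMP 'get' or 'set' is permitted.
    Returns (decision, trap): decision is "allow" or "denied: <reason>"; trap is
    "authenticationFailure" when the community/console check fails (assumed to be
    the condition the guide describes for that trap), otherwise None."""
    if not snmp_enabled:
        return "denied: SNMP Enabled = Off", None
    entry = community_strings.get(community)          # exact, case-sensitive match
    if entry is None:
        return "denied: unknown Community String", "authenticationFailure"
    if not console_allowed(entry["IPAddress"], source_ip):
        return "denied: console address not authorized for this Community String", "authenticationFailure"
    access = entry["Access"]
    if access == "None":
        return "denied: Access = None", None
    if operation == "set":
        if access != "ReadWrite":
            return "denied: Access = Read does not permit Sets", None
        if not sets_enabled:
            return "denied: [ SNMP ] SetsEnabled = Off", None
    return "allow", None

def audit_community_strings(community_strings: Dict[str, Dict[str, Any]]) -> List[str]:
    """Flag the exposures the guide describes: no named Community String (the default
    "Public" lets any community in) and write access reachable from any console."""
    warnings = []
    if not community_strings:
        warnings.append('no [ SNMP CommunityString ] section: default "Public" accepts any Community String')
    for name, entry in community_strings.items():
        if entry["Access"] == "ReadWrite" and "0.0.0.0" in entry["IPAddress"]:
            warnings.append(f'"{name}": ReadWrite with the 0.0.0.0 wild-card allows Sets from any console')
        if len(entry["IPAddress"]) > 4:
            warnings.append(f'"{name}": more than four IPAddress entries')
    return warnings
```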


[ SNMP Trap <Name> ]


This section permits parameters to be defined for SNMP (Simple Network Management Protocol) Traps. SNMP Traps are messages sent by the device to an SNMP console. The Name portion of the section name should be the IP address of the SNMP console to which the device will transmit a Trap message whenever one is generated. It should be entered in standard IP dotted-decimal notation (e.g., 198.41.9.1). The keywords for this section are described below.

Name = String

The Name keyword is the name of the Community String on the SNMP console to which the Trap message will be sent. This Community String is a string associated with an administrator (or administrators) who have access to the SNMP console.

Examples

In the following examples, the Community String "Info Services" will receive SNMP Traps at 192.168.41.2, while "Tech Support" can receive Traps at any console.

[ SNMP Trap "0.0.0.0" ]
Name = "Tech Support"

[ SNMP Trap "192.168.41.2" ]
Name = "Info Services"

See Also

[ SNMP ], [ SNMP CommunityString <Name> ]


[ T1 Interface <Section ID> ]

This section sets configuration parameters for an internal CSU on the specified WAN interface. T1 digital transmission has a data capacity of 1.544 Mbps (referred to as Data Speed 1 or DS1). Fractional T1 refers to a standard T1 line that has been divided into 24 channels of 64Kbps (referred to as DS0) each, with only one or more channels enabled for a particular user. The channels are sold individually or in groups, up to a desired bandwidth (e.g., four channels would provide a data capacity of 256Kbps), at a lower cost than a full T1 line.

Note: T1 lines are available from local telcos with two options that can generally be specified by a user: framing format and line encoding. Since tariffs and procedures vary across the country, users may pay a premium for ESF framing and B8ZS line encoding (see below). While cost and availability are always determining factors, users should opt for ESF line framing and B8ZS line encoding whenever possible, because they offer greater bandwidth and additional features.

Since many of the parameters for this section are dependent upon the service provided by the telco or ISP, users may need to contact them to find out the appropriate specifications. Keywords recognized in this section are described below.

DS0Start = Number

The DS0Start keyword selects which channel the T1 stream will start on when using Fractional T1 transmission. Valid values range from 1 to 24. When using the entire T1 line, this value should be 1. Both ends of a WAN connection must be configured with the same DS0Start number.

DS0Count = Number

The DS0Count keyword defines the number of DS0s that will be used with Fractional T1 transmission. Values range from 1 to 24. When using the entire T1 line, this value should be 24. Both ends of a WAN connection must be configured with the same DS0Count number.

ContiguousChannels = [ On | Off ]

The ContiguousChannels keyword specifies whether the CSU will use contiguous or alternating channels. If more than 12 channels are defined by the DS0Count variable or when using the entire T1 line, then ContiguousChannels must be configured On. Alternating channels can be used to meet pulse density requirements when using a 64Kbps channel rate with AMI line coding (see below). Both ends of a WAN connection must be configured with the same value for ContiguousChannels.

LineBuildOut = [ 0db | -7.5db | -15db | -22.5db ]

The LineBuildOut keyword should be set based on the length of your T1 line. Setting this value to 0db specifies that you want to transmit at the maximum level. Users who don't know the length of their line and haven't been told to use a specific value by their service provider should set LineBuildOut to 0db. Other settings may be necessary if so instructed by the telco or T1 line supplier. If setting this value based on the receive signal level, use the following rules:

If receive level is:        Set transmit level to:
0 to -7.5 dB                -15 dB
-7.5 to -15 dB              -7.5 dB
-15 to -22 dB or < -22 dB   0 dB

LineFraming = [ ESF | D4 ]

The LineFraming keyword may be set to ESF for Extended Super Frame, or D4 for Super Frame. D4 is an older framing format and may be the only one available in some areas. ESF is the preferred format because it offers a Facility Data Link which can provide performance monitoring, error checking and other features. Both ends of a WAN connection must be configured with the same LineFraming format.

LineEncoding = [ B8ZS | AMI ]

The LineEncoding keyword may be set to either B8ZS or AMI to define the line code for the network. In AMI (Alternate Mark Inversion), "1s" are transmitted as alternating positive or negative pulses, while a "0" is an absence of a pulse. If too many consecutive "0s" are sent, the line appears dead and synchronization could be lost. Pulse density requirements on a T1 line dictate that no more than 15 "0" bits in a row be sent on the line. On an AMI encoded line, to ensure that this requirement is met, the user must select either 56Kbps as the channel rate (which allows the CSU to invisibly insert "1s" such that there can never be more than 7 "0s" in a row), or select 64Kbps and use alternating channels. In the latter case, the CSU fills the unused alternating channels with "1s" to provide the required pulse density. B8ZS is a variation of AMI in that data is still transmitted using alternating positive and negative pulses. However, B8ZS addresses the problem of too many "0s" by encoding any string of eight "0s" into a bit pattern that uses either two consecutive negative or positive pulses, which is a violation of the AMI line encoding format. Because of the unique pattern of "double negative" or "double positive" pulses, the string is easily recognized and decoded back into "0s," and the "1" pulses can be used for clock synchronization. B8ZS provides clear channel transmission (i.e., using the full 64Kbps). Both ends of a WAN connection must be configured with the same LineEncoding format.


InvertData = [ On | Off ]

When set to On, the InvertData keyword allows the user to invert data. Data inversion can be used to meet pulse density requirements. Always set to Off unless otherwise instructed by your ISP. If a CSU at one end of a T1 line inverts its data, then the CSU at the other end must do the same.

ChannelDataRate = [ 64K | 56K ]

The ChannelDataRate keyword defines the base rate of each T1 channel. With B8ZS line encoding, the data rate is 64K. With AMI line encoding, the base rate can be either 56K (using contiguous channels) or 64K (using alternating channels and Fractional T1). The T1 stream's actual data rate depends on the base rate and the number of DS0s defined. Both ends of a WAN connection must be configured with the same ChannelDataRate.

ClockSource = [ Slave | Master ]

The ClockSource keyword configures whether the CSU will use its own internal clock or obtain the clock from the network. In Master mode, an internal clock is used. In Slave mode, the network clock is used. Most network applications will use Slave mode. Verify this setting with your ISP.

TransmitPRM = [ On | Off ]

The TransmitPRM keyword determines whether the CSU transmits Performance Report Messages (PRM) data on the Facility Data Link. PRM messages can only be sent if the CSU is configured for Extended Super Frame (ESF). Set to On to transmit PRM data.

ReceiveATTLoopUps = [ On | Off ]

When set to On, the ReceiveATTLoopUps keyword enables the CSU to recognize ATT64211 line loopup patterns from a remote CSU. When the pattern is received, the CSU will be put into network loopback.

ReceiveV54LoopUps = [ On | Off ]

When set to On, the ReceiveV54LoopUps keyword enables the CSU to recognize the V.54 line loopup pattern from a remote CSU. When the pattern is received, the CSU will be put into network loopback.


Examples

The following example shows ESF line framing and B8ZS line encoding, using the network clock.

[ T1 Interface Wan 0 ]
DS0Start = 1
DS0Count = 24
ContiguousChannels = On
LineBuildOut = 0db
LineFraming = ESF
LineEncoding = B8ZS
ChannelDataRate = 64K
ClockSource = Slave
ReceiveATTLoopUps = On
ReceiveV54LoopUps = On

In the following example, the telco has indicated that only D4 framing and AMI line encoding are available and that the line buildout should be 0db. The desired bandwidth is 256Kbps. The ISP provides the network clock.

[ T1 Interface Wan 0 ]
DS0Start = 1
DS0Count = 4
ContiguousChannels = Off
LineBuildOut = 0db
LineFraming = D4
LineEncoding = AMI
ChannelDataRate = 64K
ClockSource = Slave
ReceiveATTLoopUps = On
ReceiveV54LoopUps = On

See Also

[ Link Config <Section ID> ], wan(show), wan csu(set)


[ Time Server ]

This section is used to enable the setting of the device's internal clock from a network time server. The device will obtain the time from most UNIX systems running "inetd" using either the Time protocol port (UDP 37) or the NTP port (UDP 123). The time is used when logging is enabled and to time stamp configurations when they are saved. If the time server function is off, the log time stamp reports how long the device has been up and the saved configuration time stamp will be zero. Automatic daylight savings adjustment is not supported by the device. Neither protocol authenticates the server's reply, so anyone who can spoof or intercept the time server can shift the device's clock and with it the log and configuration time stamps; use a server on your own network (see ServerAddress below). Keywords recognized in this section are described below.

Enabled = [ On | Off ]
The Enabled keyword turns time server access On and Off, respectively.

TimeProtocol = [ Timed | SNTP ]
The TimeProtocol keyword identifies the type of time server protocol to use. The time server being used will dictate the protocol type. UNIX servers generally use Timed. Windows servers generally use SNTP (Simple Network Time Protocol). The default is Timed.

ServerAddress = IP Address
The ServerAddress keyword is used to tell the device the IP address of the primary time server. All time requests go to this server first. It is recommended that you use a time server which is local to your network. A ServerAddress must be specified if Enabled is set to On.

BackupAddress = IP Address
The BackupAddress keyword is used to tell the device the IP address of the backup time server. All time requests go to the primary server first. If there is no response, the backup will be used. This address is optional.

Adjust = Number
The Adjust keyword allows you to offset the device time from the time returned by the time server. The adjustment is in whole minutes and can be positive or negative. Most servers return GMT. Unless you know what your server returns, set the offset relative to GMT. The following table shows the values for standard U.S. time zones.

Time Zone    Offset
PST          -480
MST          -420
CST          -360
EST          -300


Examples

Set the time server to 198.41.9.30 with an offset of -420 minutes (MST).

[ Time Server ]
Enabled = On
TimeProtocol = Timed
ServerAddress = 198.41.9.30
Adjust = -420

See Also

system(show)


[ Tunnel Partner <Section ID> ]

The Tunnel Partner section configures VPN tunnel parameters and defines a virtual port for LAN-to-LAN tunnel traffic. Tunneling of IP, IPX, AppleTalk or bridging protocols can then be configured using the appropriate protocol-specific section for the configured VPN port (e.g., [ IP VPN 0 ]). Tunnel Partner sections do not have to be numbered consecutively (e.g., Tunnel Partner VPN 0, Tunnel Partner VPN 2, Tunnel Partner VPN 5, etc.). All tunnel traffic sent between Tunnel Partners is processed according to the rules specified in this section. These parameters must be set for both ends of the tunnel.

Note: Products shipped to certain nations or organizations which are subject to restrictions by U.S. encryption export laws may not support the 3DES encryption algorithm. You may contact your Compatible Systems retailer for more information if your product does not support 3DES.

Keywords recognized in this section are described below.

Partner = IP Address
The Partner keyword specifies the IP address of the interface at the remote end of the tunnel. All tunnel traffic is sent to the Partner address for processing.

BindTo = Port String
The BindTo keyword specifies which interface on this device will act as the end point for the tunnels defined by this configuration. Packets sent from this device to the partner will use the selected interface's IP address as their source address.

Note: When configuring the remote end of the tunnel, its Partner keyword will be this interface's IP address, and its BindTo keyword will be the remote device's tunneling interface (the one used as the Partner for this end of the tunnel).

Note: If both Ethernet ports are being used on an IntraPort 2/2+, then the BindTo port must be set to Ethernet 1.

Note: All packets sent through the VPN tunnel are IP-encapsulated packets. If IP packet filtering is enabled for the configured VPN interface, then GRE (Generic Routing Encapsulation, IP protocol 47) and AH (Authentication Header, IP protocol 51) packets must specifically be permitted through the filter, and ESP (IP protocol 50) as well when a Transform option that uses ESP is selected. IKE negotiation itself uses UDP port 500, so any filter on the BindTo interface must permit it. See the [ IP Filter <Name> ] section for more information.

KeyManage = [ Auto | Manual | Initiate | Respond ]
The KeyManage keyword specifies how the tunnel will be set up. Auto specifies that IKE (Internet Key Exchange) will be used and that this device can both initiate tunnels and respond to tunnel establishment requests from other devices. Auto is the default setting and requires that the SharedKey keyword be set to the same value for both Tunnel Partners. This allows the two devices to negotiate between themselves what type of encryption and authentication to use for the tunnel, based on the options specified by the Transform keyword. The Auto setting should only be used when the Tunnel Partner is another Compatible Systems VPN device.

Initiate specifies that this Tunnel Partner will use IKE, but will only initiate tunnel establishment. It will not respond to tunnel establishment attempts from other devices.

Respond specifies that this Tunnel Partner will use IKE, but will only respond to tunnel establishment attempts which have been initiated by other devices. It will not initiate tunnel establishment.

Manual specifies that this Tunnel Partner will not use IKE, so the tunnel's encryption and authentication parameters must be set by hand. You must therefore set the Authentication, Encryption, EncryptMethod, AuthSecret, and EncryptSecret keywords for both Tunnel Partners, and the values selected for them must match. A manually keyed tunnel uses the same session keys for as long as the secrets stay configured, with no rekeying and no forward secrecy, so prefer one of the IKE settings wherever the peer supports it.

Transform = [ ESP (SHA,DES) | ESP (SHA,3DES) | ESP (MD5,DES) | ESP (MD5,3DES) | ESP (MD5) | ESP (SHA) | AH (MD5) | AH (SHA) | AH (MD5) + ESP (DES) | AH (MD5) + ESP (3DES) | AH (SHA) + ESP (DES) | AH (SHA) + ESP (3DES) ]

The Transform keyword specifies the protection types and algorithms which will be used for tunnel sessions. Each option is a "protection piece" which specifies authentication and/or encryption parameters. This keyword controls IKE Phase 2 negotiation. Security settings for the IKE Phase 1 negotiation are set in the [ IKE Policy ] section. The mode setting for the Phase 1 negotiation is automatic unless the remote tunnel partner is another vendor's device, in which case the Mode keyword should be set (see Interoperability Settings later in this section for more information). This keyword may appear multiple times within this section, in which case the device will propose all of the specified protection pieces. The remote Tunnel Partner must have at least one matching Transform keyword. The two devices will then agree to use one of the options during the session.

ESP (SHA,DES), ESP (SHA,3DES), ESP (MD5,DES) and ESP (MD5,3DES) denote using the Encapsulating Security Payload (ESP) header to encrypt and authenticate packets. DES (Data Encryption Standard) uses a 56-bit key to scramble the data. 3DES uses three different keys and three applications of the DES algorithm to scramble the data. MD5 is the message-digest 5 hash algorithm. SHA is the Secure Hash Algorithm, which is considered to be somewhat more secure than MD5. ESP (MD5,DES) is the default setting. Note that a 56-bit DES key is within reach of exhaustive search, so where both partners support 3DES an ESP (SHA,3DES) or ESP (MD5,3DES) transform is the better choice.

ESP (MD5) and ESP (SHA) denote using the ESP header to authenticate packets (with no encryption).

AH (MD5) and AH (SHA) denote using the Authentication Header (AH) to authenticate packets. AH (MD5) + ESP (DES), AH (MD5) + ESP (3DES), AH (SHA) + ESP (DES) and AH (SHA) + ESP (3DES) use the Authentication Header to authenticate packets and the ESP header to encrypt packets.

SharedKey = <Pass Phrase>
The SharedKey keyword is used to generate session keys which are then used to authenticate and/or encrypt each packet received or sent through the tunnel. The same key must be entered into the remote Tunnel Partner for the tunnel session to be successfully established. The Pass Phrase may be between 1 and 255 characters long.

PFS = [ G1 | G2 | On | Off ]
The PFS keyword specifies whether "perfect forward secrecy" will be used during tunnel sessions. PFS means that every time encryption and/or authentication keys are computed, a new Diffie-Hellman key exchange is included. This greatly increases the difficulty of finding the session keys used to encrypt a VPN session. It also means that even if one set of keys is somehow recovered, only the traffic protected by that set is recoverable. G1 specifies that Diffie-Hellman Group 1 (768-bit MODP) will be used. G2 specifies that Group 2 (1024-bit MODP) will be used. Because larger numbers are used by Group 2, it is more secure than Group 1.

On specifies that the group used in Phase 1 of the IKE negotiation will be used as the group for the PFS Diffie-Hellman key exchange. This Phase 1 group setting is configured in the [ IKE Policy ] section. The default is Off.

Authentication = [ On | Off ]
The Authentication keyword enables authentication of all tunnel traffic. This keyword is used when the KeyManage keyword is set to Manual. Each packet carries an authenticator (a keyed hash computed with the session key derived from AuthSecret) before it is sent. The receiving end of the tunnel checks the authenticator before allowing the traffic onto its local network.

Encryption = [ On | Off ]
The Encryption keyword specifies whether encryption of all tunnel traffic will be enabled. This keyword is used when the KeyManage keyword is set to Manual.

EncryptMethod = [ Fixed | None | PLE | DES | 3DES ]
The EncryptMethod keyword selects the encryption algorithm for this tunnel. This keyword is used when the KeyManage keyword is set to Manual. If None is entered, then the tunnel session will be sent in the clear in both directions. If Fixed is entered, then Personal Level Encryption will be used to scramble the data in both directions using a fixed key. If PLE is entered, then Personal Level Encryption will be used to scramble the data in both directions using a key generated from the encryption secret. If DES is entered, then the DES algorithm will be used. DES provides better security than PLE, but also requires more time to operate. If 3DES is entered, then triple DES encryption will be used. The default value is either Fixed (for export releases) or PLE (for North American releases). A fixed key is built into the product rather than derived from your secret, so Fixed should not be relied on for confidentiality; set DES or, where supported, 3DES explicitly rather than relying on the default.

AuthSecret = <Authentication Secret>
The AuthSecret keyword is used to generate session keys which are used to authenticate each packet received from or sent through the tunnel. This keyword is used when the KeyManage keyword is set to Manual. If AuthSecret is omitted, then packets sent through this tunnel are not authenticated. The authentication secret may be between 1 and 255 characters long.

EncryptSecret = <Encryption Secret>
The EncryptSecret keyword is used to generate session keys which are used to encrypt each packet received from or sent through the tunnel. This keyword is used when the KeyManage keyword is set to Manual. If EncryptSecret is omitted, then packets sent through this tunnel are not encrypted. The encryption secret may be between 1 and 255 characters long.

SLAEnablePartner = [ On | Off ]
The SLAEnablePartner keyword specifies that Service Level Agreement (SLA) information will be gathered for tunnel sessions. SLA measures the speed of traffic across the tunnel and can be used to ensure that service guarantees are met. SNMP is used to display the gathered information. This requires that SNMP be enabled using the [ SNMP ] section and that Compatible's private Enterprise MIB be used. The default is Off.
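As an added example (editor's code, not part of the reference guide or the product software), the following Python script parses the text-based configuration format used throughout this guide and audits each [ Tunnel Partner ] section against the rules above: Manual keying must carry all five manual keywords, the IKE settings need a SharedKey, and the weak choices discussed above are flagged (DES-only or authentication-only transforms, PFS left Off, a short pass phrase, a PLE or Fixed EncryptMethod). The sample configuration, the 16-character pass-phrase threshold and the parser itself are the editor's assumptions.

```python
"""Audit [ Tunnel Partner <Section ID> ] sections in a text-based configuration.

Added example; not code from the reference guide. The weak-setting thresholds
(DES-only transforms, PFS Off, short SharedKey) are the editor's choices.
"""
import re
from collections import defaultdict

# Constructed sample configuration; addresses and secrets are made up.
SAMPLE_CONFIG = """\
[ Tunnel Partner VPN 0 ]
Partner = 192.168.169.170
BindTo = Ethernet0
KeyManage = Manual
Authentication = On
Encryption = On
EncryptMethod = PLE
AuthSecret = "No Fakes"

[ Tunnel Partner VPN 1 ]
Partner = 192.168.117.18
BindTo = Ethernet1
KeyManage = Auto
Transform = ESP(MD5,DES)
SharedKey = Pebbles02

[ Tunnel Partner VPN 2 ]
Partner = 192.168.117.19
BindTo = Ethernet1
KeyManage = Auto
Transform = ESP(SHA,3DES)
Transform = AH(SHA)+ESP(3DES)
PFS = G2
SharedKey = a-much-longer-pass-phrase-than-a-pet-name
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
MANUAL_REQUIRED = ("Authentication", "Encryption", "EncryptMethod",
                   "AuthSecret", "EncryptSecret")
MIN_SHARED_KEY = 16  # editor's threshold; the guide only bounds it to 1-255 chars


def parse_config(text):
    """Return {section name: {keyword: [value, ...]}}.

    Keywords that may repeat (e.g. Transform) keep every value in order.
    Surrounding double quotes on values are dropped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), defaultdict(list))
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()].append(value.strip().strip('"'))
    return sections


def transform_strength(transform):
    """Classify a Transform option by its cipher: '3des', 'des' or 'none'."""
    norm = transform.replace(" ", "").upper()
    if "3DES" in norm:
        return "3des"
    if "DES" in norm:
        return "des"
    return "none"  # ESP(MD5), ESP(SHA), AH(MD5), AH(SHA): authentication only


def audit_tunnel_partner(kw):
    """Return a list of findings for one Tunnel Partner section."""
    findings = []
    mode = kw.get("KeyManage", ["Auto"])[0]  # Auto is the guide's default
    if mode == "Manual":
        missing = [k for k in MANUAL_REQUIRED if k not in kw]
        if missing:
            findings.append("Manual keying requires: " + ", ".join(missing))
        method = kw.get("EncryptMethod", [""])[0]
        if method and method not in ("DES", "3DES"):
            findings.append(f"EncryptMethod {method} is not DES or 3DES")
    else:  # Auto, Initiate and Respond all use IKE with a shared key
        if "SharedKey" not in kw:
            findings.append(f"KeyManage {mode} requires SharedKey")
        elif len(kw["SharedKey"][0]) < MIN_SHARED_KEY:
            findings.append(f"SharedKey shorter than {MIN_SHARED_KEY} characters")
        for t in kw.get("Transform", ["ESP(MD5,DES)"]):  # guide's default
            strength = transform_strength(t)
            if strength == "des":
                findings.append(f"Transform {t} uses 56-bit DES")
            elif strength == "none":
                findings.append(f"Transform {t} authenticates only, no encryption")
        if kw.get("PFS", ["Off"])[0] == "Off":  # Off is the guide's default
            findings.append("PFS Off: Phase 2 keys are not protected by a fresh DH exchange")
    return findings


def audit_config(text):
    """Audit every Tunnel Partner section in a configuration text."""
    return {name: audit_tunnel_partner(kw)
            for name, kw in parse_config(text).items()
            if name.startswith("Tunnel Partner")}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"[ {name} ]")
        for f in findings or ["ok"]:
            print("   ", f)
```

Run against the constructed configuration, VPN 2 passes, VPN 1 is flagged for DES, PFS Off and a short pass phrase, and VPN 0 is flagged for the missing EncryptSecret and the PLE method.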

INTEROPERABILITY SETTINGS

The following keywords allow the IntraPort to interoperate with other vendors' devices. If the remote Tunnel Partner is a Compatible Systems device, it is not necessary to configure these keywords.

Mode = [ Main | Aggressive ]
The Mode keyword sets the IKE Phase 1 negotiation mode between the devices. Phase 1 controls how the two devices identify and authenticate each other so that tunnel sessions can be established. Security settings for the IKE Phase 1 negotiation are set in the [ IKE Policy ] section. Main and Aggressive are the two standard IKE Phase 1 exchange modes. This setting must match the Phase 1 negotiation mode of the remote peer. Other vendors may support only Main mode. Main mode also protects the peers' identities, whereas Aggressive mode sends the identity and the pre-shared-key authentication hash in the clear, where a passive observer can attack the pass phrase offline; prefer Main mode unless the peer requires Aggressive. It is only necessary to set this keyword if the KeyManage keyword is set to Auto or Initiate.

As part of their interoperability function, the following keywords specify access from one area behind a VPN device to another area behind a VPN device. The local settings specify what local subnets, hosts, ports and/or protocols will be reachable via the tunnel. The peer settings specify what remote subnets, hosts, ports and/or protocols will be reachable via the tunnel. The remote tunnel partner (i.e., peer) must have a matching policy in order for traffic to be successfully tunneled.

LocalAccess = IP Address/bits
The LocalAccess keyword is used to specify a local host or subnet which will be reachable via the tunnel. The LocalAccess keyword is entered as an IP address followed by a slash followed by the number of significant bits in the entered IP address. The bits can be between 8 and 32. To allow access to only a single host, specify 32 in the bits portion.

Note: In order to specify more than one reachable host or subnet for a LAN-to-LAN tunnel, multiple Tunnel Partner sections must be configured.

LocalProto = protocol number
The LocalProto keyword is used to specify an IP protocol which will be accepted by this end of the tunnel. The default of 0 allows all protocols. A list of the IP protocols and their protocol numbers follows.

Protocol    Number
ICMP        1
TCP         6
UDP         17
GRE         47
ESP         50
AH          51
OSPF        89

Note: In order to specify more than one protocol type for a LAN-to-LAN tunnel, multiple Tunnel Partner sections would have to be configured.

LocalPort = port number
The LocalPort keyword is used to specify a local port number which will be reachable via the tunnel. The default of 0 allows all ports. A list of some of the more commonly used ports and their numbers can be found in the [ IP Filter <Name> ] section.

Note: In order to specify more than one reachable port for a LAN-to-LAN tunnel, multiple Tunnel Partner sections must be configured.

Peer = IP Address/bits
The Peer keyword is used to specify a host or subnet behind the remote tunnel partner which will be reachable via the tunnel. The Peer keyword is entered as an IP address followed by a slash followed by the number of significant bits in the entered IP address. The bits can be between 8 and 32. To tunnel to only a single host, specify 32 in the bits portion. Any communications with an address which is part of one of the networks defined by a Peer keyword will be tunneled.


Note: In order to specify more than one reachable host or subnet for a LAN-to-LAN tunnel, multiple Tunnel Partner sections would have to be configured.

PeerProto = protocol number
The PeerProto keyword is used to specify an IP protocol which will be tunneled. If a PeerProto keyword is specified, then only traffic of that protocol type will be tunneled. The default of 0 allows all protocols. A list of the IP protocols and their protocol numbers follows.

Protocol    Number
ICMP        1
TCP         6
UDP         17
GRE         47
ESP         50
AH          51
OSPF        89

Note: In order to specify more than one protocol type for a LAN-to-LAN tunnel, multiple Tunnel Partner sections would have to be configured.

PeerPort = port number
The PeerPort keyword is used to specify a port number. If a PeerPort keyword is specified, then only traffic destined for that particular port will be tunneled. The default of 0 allows all ports. A list of some of the more commonly used ports and their numbers can be found in the [ IP Filter <Name> ] section.

Note: In order to specify more than one reachable port for a LAN-to-LAN tunnel, multiple Tunnel Partner sections must be configured.
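The Peer, PeerProto and PeerPort selectors above decide which traffic enters a tunnel. The following Python example (added by the editor; not the product's code) models that decision for a set of Tunnel Partner sections: a packet is tunneled by a section only if its destination lies within the Peer prefix and, where PeerProto or PeerPort is non-zero, matches them as well, and a Peer with fewer than 8 or more than 32 bits is rejected as the guide requires. The sample sections are constructed, and the tie-break among overlapping sections (most specific wins) is the editor's assumption, since the guide does not state how the device orders overlapping sections.

```python
"""Decide which [ Tunnel Partner ] section, if any, tunnels a packet, using
the Peer / PeerProto / PeerPort selectors. Added example, not product code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerSelector:
    """Peer-side selectors of one Tunnel Partner section.

    peer  is the Peer keyword (IP Address/bits, 8..32 bits);
    proto is PeerProto (0 = any IP protocol);
    port  is PeerPort  (0 = any port).
    """
    section: str
    peer: str
    proto: int = 0
    port: int = 0

    def __post_init__(self):
        bits = self.network.prefixlen
        if not 8 <= bits <= 32:  # the guide bounds bits to 8..32
            raise ValueError(f"{self.section}: Peer bits must be 8-32, got {bits}")

    @property
    def network(self):
        return ipaddress.ip_network(self.peer, strict=False)

    def matches(self, dst_ip, proto, dst_port):
        """True if a packet to dst_ip/proto/dst_port falls inside this selector."""
        if ipaddress.ip_address(dst_ip) not in self.network:
            return False
        if self.proto and self.proto != proto:
            return False
        if self.port and self.port != dst_port:
            return False
        return True


# Constructed example: three sections, because the guide requires one section
# per reachable subnet / host / protocol / port combination.
SELECTORS = [
    PeerSelector("Tunnel Partner VPN 0", "10.1.0.0/16"),                     # whole remote subnet
    PeerSelector("Tunnel Partner VPN 1", "10.1.5.0/24", proto=6, port=80),   # HTTP to one subnet
    PeerSelector("Tunnel Partner VPN 2", "192.168.50.7/32"),                 # single host
]


def select_tunnel(selectors, dst_ip, proto, dst_port):
    """Return the matching section name, or None (the packet is not tunneled).

    When several sections match, the most specific one wins: longest Peer
    prefix, then a fixed protocol over any, then a fixed port over any.
    That tie-break is this example's assumption, so avoid overlaps in practice.
    """
    best = None
    for s in selectors:
        if not s.matches(dst_ip, proto, dst_port):
            continue
        rank = (s.network.prefixlen, s.proto != 0, s.port != 0)
        if best is None or rank > best[0]:
            best = (rank, s.section)
    return best[1] if best else None


if __name__ == "__main__":
    for pkt in [("10.1.5.9", 6, 80), ("10.1.5.9", 17, 53),
                ("192.168.50.7", 1, 0), ("172.16.1.1", 6, 443)]:
        print(pkt, "->", select_tunnel(SELECTORS, *pkt))
```

HTTP to 10.1.5.9 lands in VPN 1, any other traffic to 10.1.x.x in VPN 0, traffic to the single host in VPN 2, and anything outside the Peer prefixes leaves the device untunneled.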

Examples

This example shows a VPN tunnel configuration which uses Manual key management. The VPN Tunnel Server at 192.168.169.170 would also need a Tunnel Partner section where the Partner keyword has the IP address of this device's Ethernet 0. Because it uses manual key management, all of the authentication and encryption parameters have to be entered. The KeyManage, Authentication, Encryption, EncryptMethod, AuthSecret, and EncryptSecret keywords for the remote Tunnel Partner would have to match the ones listed below. EncryptMethod is not set in this example, so the platform default (PLE or Fixed) applies; set it explicitly to DES or 3DES on both partners for stronger encryption. There would also have to be [ IP VPN 0 ], [ IPX VPN 0 ], [ AppleTalk VPN 0 ], and/or [ Bridging VPN 0 ] sections for those protocols to be tunneled.

[ Tunnel Partner VPN 0 ]
Partner = 192.168.169.170
BindTo = Ethernet0
KeyManage = Manual
Authentication = On
Encryption = On
AuthSecret = "No Fakes"
EncryptSecret = "No Peeking"

This example shows a VPN Tunnel configuration which uses IKE. The VPN Tunnel Server at 192.168.117.18 would also need a Tunnel Partner section where the Partner keyword has the IP address of this device's Ethernet 1. The Transform and SharedKey keywords would have to match the ones listed below. There would also have to be [ IP VPN 1 ], [ IPX VPN 1 ], [ AppleTalk VPN 1 ], and/or [ Bridging VPN 1 ] sections for those protocols to be tunneled.

[ Tunnel Partner VPN 1 ]
Partner = 192.168.117.18
BindTo = Ethernet1
KeyManage = Auto
Transform = ESP(SHA,DES)
SharedKey = Pebbles02

See Also

[ IP <Section ID> ], [ IP Filter <Name> ], [ IPX <Section ID> ], [ AppleTalk <Section ID> ], [ Bridging <Section ID> ], [ SNMP ], vpn(show)


[ V.35 Interface <Section ID> ]

This section configures the serial characteristics of the router's V.35 interfaces. Keywords recognized in this section are described below.

TxInternal = [ On | Off ]
The TxInternal keyword is used to tell the router to source a synchronous clock. The vast majority of configurations will have this set to Off. Normally, the circuit provider, the DSU, or the ISDN TA will be configured to supply the transmit data clock. The On value is normally used when creating a back-to-back (null) connection between two routers. The receive data clock is always an input to the router.

TxClkinvert = [ On | Off ]
The TxClkinvert keyword is used to configure the polarity of the transmit clock. Some DSUs have this option as well. This option can be set in lieu of configuring the DSU. Set this parameter to On if instructed to do so by the circuit provider, or if there is reason to believe that the router is not syncing the data with the clock.

Baud = [ 56000 | 64000 | 128000 | 256000 | 512000 | T1 | 1544000 | E1 | 2048000 ]
The Baud keyword specifies the transmit clock rate used when internal clocking is enabled. This keyword is ignored if external clocking is used.

Examples

[ V.35 Interface Default ]
TxInternal = On
Baud = 1544000

See Also

wan(show), statistics(show), [ Link Config <Section ID> ]


[ VPN Group <Name> ]

This section defines tunneling profiles for a group of one or more IntraPort users. There may therefore be several VPN Group sections, each with a unique name of 16 characters or less. IntraPort users are assigned to one of these VPN Group configurations in the [ VPN Users ] section, unless a RADIUS server is being used for authentication. If a RADIUS server is being used, then the RADIUS server's user database must be set up to assign users to a VPN Group configuration. See the installation guide for your IntraPort for more information on setting up a RADIUS server to perform this function. The following table lists the maximum number of VPN Group configurations allowed per device type.

Device Type                                    Maximum Number of VPN Groups
IntraPort 2                                    16
IntraPort 2+                                   100
IntraPort Enterprise-2 / IntraPort Carrier-2   1,000
IntraPort Enterprise-8 / IntraPort Carrier-8   1,000

The keywords recognized in the VPN Group sections are described below.

Note: This section of the configuration was previously called [ STEP Client <Name> ]. STEP is Compatible Systems' older, proprietary tunnel establishment protocol. STEP parameters are not recommended for new configurations, but if they have already been set in the device, they are supported as aliases to VPN Group sections.

Note: Products shipped to certain nations or organizations subject to restrictions by U.S. encryption export laws may not support the 3DES encryption algorithm. You may contact your Compatible Systems retailer for more information if your product does not support 3DES.

BindTo = <port string>
The BindTo keyword specifies which interface on the device will act as the local end point for the tunnels defined by this configuration.

MaxConnections = Number
The MaxConnections keyword may be used to limit the number of client connections which use this VPN Group configuration. This is useful to reserve tunnel connections for users using other VPN Group configurations. MaxConnections may not exceed the maximum number of tunnel connections supported by the device. If the sum of the MaxConnections entries of all VPN Group sections exceeds the maximum number of tunnel connections supported by the device, tunnel connections will be served on a first-come, first-served basis.

KeepaliveInterval = Number
The KeepaliveInterval keyword specifies the number of seconds between keepalive packets sent to each connected client by the device. The range is 1 to 65535 seconds. The default is 60 seconds. Clients which do not answer these packets and/or generate other traffic within several keepalive intervals will have their connections shut down. Keepalive packets are only sent when no other traffic has been received from the client in the specified number of seconds.

InactivityTimeout = Number
The InactivityTimeout keyword specifies the number of seconds the device will wait without receiving any traffic from a client belonging to this VPN Group configuration before ending the tunnel session. Keepalive packets and ICMP (ping) traffic do not affect this timeout. This prevents users from using ping to keep their tunnels up. The range is 0 to 65535 seconds. The default of 0 seconds means there is no timeout.

MinimumVersion = String
The MinimumVersion keyword places a limit on the VPN Client software version number which will be allowed. A value of 0 or 1 allows any software version number. A value of 2 prevents Compatible's older STAMP Clients from having access. A value of 3 prevents both older STAMP Clients and any other Clients with version numbers less than 3.0. A value greater than three prevents all clients from having access.

Transform = [ ESP(SHA,DES) | ESP(SHA,3DES) | ESP(MD5,DES) | ESP(MD5,3DES) | ESP(MD5) | ESP(SHA) | AH(MD5) | AH(SHA) | AH(MD5)+ESP(DES) | AH(MD5)+ESP(3DES) | AH(SHA)+ESP(DES) | AH(SHA)+ESP(3DES) ]

The Transform keyword specifies the protection types and algorithms which will be used for IKE (Internet Key Exchange) client sessions. Each option is a "protection piece" which specifies authentication and/or encryption parameters. This keyword controls IKE Phase 2 negotiation. IKE Phase 1 negotiation security settings are set in the [ IKE Policy ] section. This keyword may appear multiple times within this section, in which case the IntraPort will propose the specified protection pieces in the order they are parsed, until one is accepted by the IntraPort client for use during the session. In most cases, only one Transform keyword is needed. Because proposals are made in order, list the strongest option first.

ESP(SHA,DES), ESP(SHA,3DES), ESP(MD5,DES) and ESP(MD5,3DES) denote using the Encapsulating Security Payload (ESP) header to encrypt and authenticate packets. DES (Data Encryption Standard) uses a 56-bit key to scramble the data. 3DES uses three different keys and three applications of the DES algorithm to scramble the data. MD5 is the message-digest 5 hash algorithm. SHA is the Secure Hash Algorithm, which is considered to be somewhat more secure than MD5. ESP(MD5,DES) is the default setting; where the product and clients support it, a 3DES option is the stronger choice, since a 56-bit DES key is within reach of exhaustive search.

ESP(MD5) and ESP(SHA) denote using the ESP header to authenticate packets (with no encryption).

AH(MD5) and AH(SHA) denote using the Authentication Header (AH) to authenticate packets. AH(MD5)+ESP(DES), AH(MD5)+ESP(3DES), AH(SHA)+ESP(DES) and AH(SHA)+ESP(3DES) use the Authentication Header to authenticate packets and the ESP header to encrypt packets.

Note: The Mac OS IntraPort Client software does not support the AH options. At least one ESP option should be specified if using the Mac OS client.

PFS = [ G1 | G2 | G5 | On | Off ]
The PFS keyword specifies whether "perfect forward secrecy," an additional security parameter, will be used during client sessions. PFS means that every time encryption and/or authentication keys are computed, a new Diffie-Hellman key exchange is included. This greatly increases the difficulty of finding the session keys used to encrypt a VPN session. It also means that even if one set of keys is somehow recovered, only the traffic protected by that set is recoverable. G1 specifies that Diffie-Hellman Group 1 (768-bit MODP) will be used. G2 specifies that Group 2 (1024-bit MODP) will be used. Because larger numbers are used by Group 2, it is more secure than Group 1. G5 specifies that Group 5 will be used; G5 uses a 1536-bit MODP group. On specifies that the group used in Phase 1 of the IKE negotiation will be used as the group for the PFS Diffie-Hellman key exchange. This Phase 1 group setting is configured in the [ IKE Policy ] section. The default is Off.

ExcludeLocalLAN = [ On | Off ]
The ExcludeLocalLAN keyword specifies that remote client LAN traffic will not be tunneled. When set to On, this can be used to exclude LAN traffic from tunneling when a wildcard of 0.0.0.0/0 has been used as the IPNet. In order for this to work, the user login in the VPN Client software must also have the Exclude Local LAN from Tunnel checkbox checked. The default is Off.


EncryptMethod = [ Fixed | None | PLE | DES | 3DES ]
The EncryptMethod keyword selects the encryption algorithm which will be used for non-IKE client sessions. If None is entered, then the tunnel session will be sent in the clear in both directions. If Fixed is entered, then Personal Level Encryption will be used to scramble the data in both directions using a fixed key. If PLE is entered, then Personal Level Encryption will be used to scramble the data in both directions using a key generated from the encryption secret. If DES is entered, then the DES algorithm will be used. DES provides better security than PLE, but also requires more time to operate. If 3DES is selected, then the "Triple DES" algorithm will be used. In 3DES, the data is processed three times, each time with a different 56-bit key. The default value is None, so a non-IKE client session whose VPN Group does not set this keyword is not encrypted at all.

Note: PLE, DES and 3DES require the specification of an encryption secret for each user in the [ VPN Users ] section. Some VPN devices may not allow 3DES as an option.

PPTPAllowed = [ On | Off ]
This keyword enables PPTP connections for clients in this VPN Group. The default is Off.

Note: Currently, PPTP is only available in Compatible Systems' Carrier products.

PPTPEncryptmethod = [ None | MPPE40 | MPPE128 ]
This keyword specifies the method of encryption that will be performed on the data traffic between the PPTP client and the IntraPort. If None is selected, no encryption is performed. If MPPE40 is selected, the IntraPort negotiates CCP (the PPP Compression Control Protocol) with the client, and will only agree to do MPPE40 (Microsoft Point-to-Point Encryption with a 40-bit key). If MPPE128 is selected, MPPE with a 128-bit key is used for encryption. The default is None.

Note: PAP authentication (PPTPAuth in [ IKE Policy ]) cannot be used with MPPE.

Note: MPPE128 is only included with products that support 3DES encryption.

AllowL2TP = [ On | Off ]
The AllowL2TP keyword enables L2TP connections for client sessions using this configuration. L2TP is a VPN protocol which creates "virtual" PPP sessions between remote Windows computers and a corporate network. L2TP parameters can be set in the [ L2TP General ] section.

StartIPAddress = IP Address
The StartIPAddress keyword specifies the first IP address to be assigned to client sessions under this VPN Group. This start address will be incremented by one for each new client session, until the MaxConnections limit is reached. The IP address is freed when the client session is finished. Each of the addresses thus generated must be a valid, unique, and unused IP address. Also, these addresses must not conflict with addresses specified in other VPN Group configurations or with any other IP address within the server. These addresses must be on the internal TCP/IP network and would typically be on the same network as the BindTo interface (e.g., for an IntraPort 2/2+, on the same network as Ethernet 0 or a subinterface thereof). There is no default value for the StartIPAddress keyword. In order for IP-in-IP tunneling to operate with this VPN Group configuration, a group of local IP addresses must be set using either the LocalIPNet or the StartIPAddress keywords, or a RADIUS server must be configured to serve the addresses and the AssignIPRADIUS keyword must be enabled.

StartSubnetMask = IP Address

The StartSubnetMask keyword specifies the subnet mask for the IP subnet used by the addresses specified by the StartIPAddress keyword. This keyword is only used on single-Ethernet IntraPorts if the subnet on which the StartIPAddress addresses reside is different from the subnet on which the device’s BindTo Ethernet IP address resides.

LocalIPNet = IP Address/bits

The LocalIPNet keyword specifies the local network or subnet to be assigned to client sessions under this VPN Group. For each new client session, an available IP address from this network or subnet is assigned to that session, until the MaxConnections limit is reached. The IP address is freed when the client session is finished. This network or subnet must be unused and completely unique in the IP network to which the IntraPort is connected (i.e., not part of any Class C network in use) and may not conflict with address ranges specified in other group configurations. The mask may be between 8 and 30 bits. There is no default value for the LocalIPNet keyword. In order for IP-in-IP tunneling to operate with this VPN Group configuration, a group of local IP addresses must be set using either the LocalIPNet or the StartIPAddress keywords, or a RADIUS server must be configured to serve the addresses and the AssignIPRADIUS keyword must be enabled. If a LocalIPNet is used, then either a dynamic routing protocol or static routes must be configured into the controlling router (e.g., the firewall) in order for traffic to find the LocalIPNet network.

AssignIPRADIUS = [ On | Off ]

The AssignIPRADIUS keyword specifies whether a RADIUS server can be used to assign IP addresses to VPN users. If set to Off, then IP addresses will be assigned using the address pool specified by the LocalIPNet or StartIPAddress keywords. If set to On, then communication with a RADIUS server must be configured using the RADIUS section and the RADIUS server must be set up to serve the IP addresses. This can be done using either the built-in RADIUS authentication attribute number 8 or the vendor-specific attribute number 2. If the vendor-specific attribute has been defined, it will take precedence over the built-in RADIUS attribute. This allows a RADIUS server to be used for IP address assignment by both a remote access server and VPN server. If neither type of attribute has been defined, then the IP address will be assigned using the address pool specified by the LocalIPNet or StartIPAddress keywords.

IPNet = IP Address/bits

The IPNet keyword specifies a range of IP addresses which will be reachable by clients using this configuration. The IPNet keyword is entered as an IP address followed by a slash followed by the number of significant bits in the entered IP address. For example, an IPNet keyword entered as 192.168.32.0/19 would specify that traffic with all IP addresses from 192.168.32.1 through 192.168.63.255 will be tunneled. As a special case, the entry 0.0.0.0/0 specifies that all IP traffic should be tunneled. To tunnel to only a single host, specify 32 in the bits portion. This keyword may occur multiple times in a section. All of the indicated address ranges will be tunneled. Any communications with an address which is part of one of the networks defined by an IPNet keyword will be tunneled. Communications with any other addresses will occur normally, without tunneling.

LocalIPXNet = Number

The LocalIPXNet keyword specifies the first local IPX network to be assigned to client sessions under this configuration. This address will be incremented by one for each new client session, until the MaxConnections limit is reached. When a client is connected to the device, the first available IPX address from this range is assigned to that session. The IPX address is freed when the client session is finished. There is no default value for the LocalIPXNet keyword. Each of the addresses thus generated must be a valid, unique, and unused IPX address. Also, these addresses must not conflict with networks specified in other VPN Group configurations or with any other IPX address within the server. In order for IPX-in-IP tunneling to operate with this VPN Group configuration, a group of local IPX addresses must be set using the LocalIPXNet keyword, or a RADIUS server must be configured to serve the addresses and the AssignIPXRADIUS keyword must be enabled. This keyword replaces the StartIPXAddress keyword.

AssignIPXRADIUS = [ On | Off ]

The AssignIPXRADIUS keyword specifies whether a RADIUS server can be used to assign IPX addresses to VPN users. If set to Off, then IPX addresses will be assigned using the address pool specified by the LocalIPXNet keyword. If set to On, then communication with a RADIUS server must be configured using the RADIUS section and the RADIUS server must be set up to serve the IPX addresses. This can be done using either the built-in RADIUS authentication attribute number 23 or the vendor-specific attribute number 7. If the vendor-specific attribute has been defined, it will take precedence over the built-in RADIUS attribute. This allows a RADIUS server to be used for IPX address assignment by both a remote access server and VPN server. If neither type of attribute has been defined, then the IPX address will be assigned using the address pool specified by the LocalIPXNet keyword.

BlockType20 = [ On | Off ]

The BlockType20 keyword specifies how IPX Packet Type 20 is handled for tunnel sessions connected using this VPN Group configuration. In order for certain protocol implementations, like NetBIOS, to function in the NetWare environment, routers must allow a broadcast packet to be propagated throughout an internet. The IPX Packet Type 20 is designated to perform broadcast propagation for these protocols. On prevents these packets from being rebroadcast. This is useful for reducing the bandwidth load on the tunnel. Off allows these propagated packets to be rebroadcast through the tunnel.

SaveSecrets = [ On | Off ]

The SaveSecrets keyword specifies that all users assigned to this VPN Group configuration will be able to save their shared secret to disk, once it has been entered. This means these users will not be prompted for their secret after their first session. The default is Off.

SLAEnableClient = [ On | Off ]

The SLAEnableClient keyword specifies that Service Level Agreement (SLA) information will be gathered for tunnel sessions using this VPN Group configuration. SLA measures the speed of traffic across the tunnel and can be used to ensure that service guarantees are met. SNMP is used to display the gathered information. This requires that SNMP be enabled using the [ SNMP ] section and that Compatible’s private Enterprise MIB be used. The default is Off.

VPNGroupDLCI = Number

The VPNGroupDLCI keyword maps all tunnel traffic using this VPN Group configuration to a Frame Relay PVC. This can be used as an alternative to using routing to get packets to their destination once they have been received from the tunnel. This keyword is only valid for IntraPort Carrier devices. The number must be between 16 and 991.

SecurIDRequired = [ On | Off ]

The SecurIDRequired keyword specifies that all users assigned to this VPN Group configuration will undergo SecurID authentication. SecurID is Security Dynamics’ proprietary system which requires ACE/Server software and SecurID tokens to perform dynamic two-factor authentication. See the [ SecurID ] section for more information.

SecurIDUserName = [ On | Off ]

The SecurIDUserName keyword specifies whether the users assigned to this VPN Group configuration will have SecurID user names which are different from their VPN User names. If set to On, then all users assigned to this VPN Group configuration will be prompted for their SecurID user name by the IntraPort Client in order for SecurID authentication to take place. If set to Off, then for each user assigned to this VPN Group configuration, the user name entered into the [ VPN Users ] section will also be sent to the ACE/Server for authentication. This means that the names for each user entered in the IntraPort and the ACE/Server must be the same.

BackupServer = String

The BackupServer keyword specifies the IP address or domain name of an alternate IntraPort. This allows the device, if full, to roll a client over to the specified alternate device. The string must be either an IP address or domain name. If a domain name is used, the IntraPort will resolve the domain name to the appropriate IP address.

DNSPrimaryServer = IP Address

The DNSPrimaryServer keyword specifies the IP address of a DNS server. If this keyword has been set, then the VPN Group will tunnel all DNS queries to the IntraPort. The IntraPort will take all DNS queries bound for the client’s primary DNS server and send them to the specified address. The IP address should be in standard dotted-decimal notation.

DNSSecondaryServer = IP Address

The DNSSecondaryServer keyword specifies the IP address of a backup DNS server. A DNSPrimaryServer must also be set in order for this keyword to work. If this keyword has been set, then the VPN Group will tunnel all DNS queries to the IntraPort. The IntraPort will then send all DNS queries destined for the client’s backup DNS server (i.e., one that has a different IP address than the DNSPrimaryServer) to the specified server address. The IP address should be in standard dotted-decimal notation.

DNSSplitServer = IP Address

The DNSSplitServer keyword specifies the IP address of a "split" DNS server. This is useful for setups where queries for internal names are handled by one server (the primary server) while queries for external names are handled by another server (the "split" server). In order for the IntraPort to know which server to send the query to, at least one LocalDomainName keyword must be set. A DNSPrimaryServer must also be set in order for this keyword to work. Queries for a secondary server will be handled as usual. The IP address should be in standard dotted-decimal notation.

LocalDomainName = String

The LocalDomainName keyword specifies a domain name that will be compared to the name in DNS queries to the DNSPrimaryServer in order to determine whether the query is for an internal or external domain. This keyword may appear multiple times within a section in order to specify multiple domains. The string can be between 1 and 255 characters in length.

WINSPrimaryServer = IP Address

The WINSPrimaryServer keyword specifies the IP address of a WINS server. If this keyword has been set, then the VPN Group will tunnel all WINS queries to the IntraPort. The IntraPort will take all WINS queries bound for the client’s primary WINS server and send them to the specified address. The IP address should be in standard dotted-decimal notation.

Note: For proper operation of WINS redirection, Windows client PCs must have a configured WINS server address in their control panel. In cases where non-tunneled access to a WINS server is not required, a dummy address can be used.

WINSSecondaryServer = IP Address

The WINSSecondaryServer keyword specifies the IP address of a backup WINS server. A WINSPrimaryServer must also be set in order for this keyword to work. If this keyword has been set, then the VPN Group will tunnel all WINS queries to the IntraPort. The IntraPort will then send all WINS queries destined for the client’s backup WINS server (i.e., one that has a different IP address than the WINSPrimaryServer) to the specified server address. If queries are received for a third server address, they will be discarded. The IP address should be in standard dotted-decimal notation.

Note: For proper operation of WINS redirection, Windows client PCs must have a configured WINS server address in their control panel. In cases where non-tunneled access to a WINS server is not required, a dummy address can be used.

TunnelNetBT = [ On | Off ]

The TunnelNetBT keyword specifies whether Windows NetBT traffic will be tunneled. NetBT is Microsoft’s networking protocol. The default is Off.

IPOutFilters = String

The IPOutFilters keyword allows a named set of IP packet filtering rules to be applied to packets to be sent to a client connected using this configuration. Any packet not explicitly allowed by the rule set is dropped. Up to four separate filters may be selected. If a filter name contains spaces or other special characters, it must be enclosed in quotes. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

IPInFilters = String

The IPInFilters keyword allows a named set of IP packet filtering rules to be applied to packets received from a client connected using this configuration. Any packet not explicitly allowed by the rule set is dropped. Up to four separate filters may be selected. If a filter name contains spaces or other special characters, it must be enclosed in quotes. See the [ IP Filter <Name> ] section for a definition of the rules that may be included in an IP packet filter.

IPXOutFilters = String

The IPXOutFilters keyword allows a named set of IPX packet filtering rules to be applied to packets to be sent to a client connected using this configuration. Any packet not explicitly allowed by the rule set is dropped. Up to four separate filters may be selected. If a filter name contains spaces or other special characters, it must be enclosed in quotes. See the [ IPX Filter <Name> ] section for a definition of the rules that may be included in an IPX packet filter.

IPXInFilters = String

The IPXInFilters keyword allows a named set of IPX packet filtering rules to be applied to packets received from a client connected using this configuration. Any packet not explicitly allowed by the rule set is dropped. Up to four separate filters may be selected. If a filter name contains spaces or other special characters, it must be enclosed in quotes. See the [ IPX Filter <Name> ] section for a definition of the rules that may be included in an IPX packet filter.

Examples

This example shows a VPN Group configuration for an IntraPort. The [ IP Ethernet 0 ] section for this device would have an IPAddress keyword and the [ General ] section would have a GatewayAddress keyword which specify addresses on the 192.168.13.0 IP network.

[ VPN Group "Bedrock" ]
BindTo = Ether0
MaxConnections = 8
LocalIPNet = 192.168.12.0/24
LocalIPXNet = F00D0
IPNet = 192.168.13.0/24
IPNet = 192.168.14.0/24
Transform = ESP(DES,SHA)
Transform = AH(MD5)
Transform = AH(SHA)+ESP(3DES)
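The following is an added example, not code from the manual or from Compatible Systems: it parses a text-based VPN Group section such as the one above, expands IPNet entries the way the IPNet keyword describes, and checks the client address pool rules stated earlier (LocalIPNet mask of 8 to 30 bits, a StartIPAddress pool spanning MaxConnections addresses, no pool shared between groups). The parser, the check functions and the treatment of a missing MaxConnections as 1 are this example's own assumptions.

```python
"""Parse a [ VPN Group <Name> ] section and audit its client address pool.
Added example, not vendor code; parsing rules and checks are assumptions
drawn from the manual's text."""
import ipaddress
import re

# Constructed copy of the manual's "Bedrock" example, with a comment line added.
BEDROCK = """\
# Sample VPN Group section
[ VPN Group "Bedrock" ]
BindTo = Ether0
MaxConnections = 8
LocalIPNet = 192.168.12.0/24
LocalIPXNet = F00D0
IPNet = 192.168.13.0/24
IPNet = 192.168.14.0/24
Transform = ESP(DES,SHA)
Transform = AH(MD5)
Transform = AH(SHA)+ESP(3DES)
"""

_SECTION = re.compile(r'^\[\s*VPN Group\s+"?(.+?)"?\s*\]$')


def parse_vpn_group(text):
    """Return (name, keywords); each keyword maps to a list of values,
    because IPNet, Transform and LocalDomainName may legitimately repeat."""
    name, keywords = None, {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # '#' begins a comment
        if not line:
            continue
        match = _SECTION.match(line)
        if match:
            name = match.group(1)
            continue
        key, _, value = line.partition('=')
        keywords.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return name, keywords


def ipnet_range(spec):
    """First and last address an IPNet entry tunnels: 192.168.32.0/19 gives
    192.168.32.1 through 192.168.63.255, 0.0.0.0/0 means all IP traffic,
    and a /32 entry names a single host."""
    net = ipaddress.ip_network(spec, strict=False)
    if net.prefixlen == 0:
        return '0.0.0.0', '255.255.255.255'
    if net.prefixlen == 32:
        return str(net.network_address), str(net.network_address)
    return str(net.network_address + 1), str(net.broadcast_address)


def check_pools(groups):
    """groups: list of (name, keywords) pairs from parse_vpn_group.
    Returns a list of human-readable problems (empty when all is well)."""
    problems, pools = [], []
    for name, kw in groups:
        if kw.get('AssignIPRADIUS', ['Off'])[0].lower() == 'on':
            continue                      # RADIUS serves the addresses instead
        if 'LocalIPNet' in kw:
            net = ipaddress.ip_network(kw['LocalIPNet'][0], strict=False)
            if not 8 <= net.prefixlen <= 30:
                problems.append(f'{name}: LocalIPNet mask must be 8-30 bits')
            pools.append((name, int(net.network_address), int(net.broadcast_address)))
        elif 'StartIPAddress' in kw:
            # Assumption: MaxConnections defaults to 1 when absent.
            start = int(ipaddress.ip_address(kw['StartIPAddress'][0]))
            count = int(kw.get('MaxConnections', ['1'])[0])
            pools.append((name, start, start + count - 1))
        else:
            problems.append(f'{name}: IP-in-IP tunneling needs LocalIPNet, '
                            'StartIPAddress or AssignIPRADIUS = On')
    # Address pools must not overlap between VPN Group sections.
    for i, (a, lo_a, hi_a) in enumerate(pools):
        for b, lo_b, hi_b in pools[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                problems.append(f'{a} and {b}: client address pools overlap')
    return problems
```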


This example shows a VPN Group configuration with DNS servers configured. In this case, DNS queries bound for the primary server, 192.168.9.30, will be examined to see which domain name is contained in the query. If the name is faceplant.compatible.com or foo.bar.tape.stortek.com, the query will be forwarded to the primary DNS server as originally intended. But queries for disk.stortek.com or monkey.wrench.com will be redirected to the split server, 192.168.9.60. Queries bound for the secondary DNS server, 192.168.11.50, will be forwarded to that server unconditionally.

[ VPN Group "Cobblestone County" ]
BindTo = Ether0
MaxConnections = 4
LocalIPNet = 192.168.16.0/24
IPNet = 192.168.13.0/24
IPNet = 192.168.14.0/24
Transform = ESP(DES,SHA)
DNSPrimaryServer = 192.168.9.30
DNSSecondaryServer = 192.168.11.50
DNSSplitServer = 192.168.9.60
LocalDomainName = "compatible.com"
LocalDomainName = "tape.stortek.com"
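The redirection decision described for this example, written out as an added illustration that is not part of the manual or the IntraPort software: queries bound for the client's primary DNS server go to the DNSPrimaryServer when the queried name falls under a LocalDomainName and to the DNSSplitServer otherwise, while queries for the secondary server are forwarded unconditionally. The whole-label suffix match and the handling of a query when no server is configured for the client's slot are this example's assumptions.

```python
"""Where the IntraPort forwards a tunnelled DNS query under a VPN Group with
DNSPrimaryServer, DNSSecondaryServer, DNSSplitServer and LocalDomainName set.
Added example, not vendor code."""

# Constructed from the manual's "Cobblestone County" example.
COBBLESTONE = {
    'DNSPrimaryServer': '192.168.9.30',
    'DNSSecondaryServer': '192.168.11.50',
    'DNSSplitServer': '192.168.9.60',
    'LocalDomainName': ['compatible.com', 'tape.stortek.com'],
}


def is_local_name(qname, local_domains):
    """True when qname equals, or is a subdomain of, a LocalDomainName.
    Matching is on whole labels (assumption): 'disk.stortek.com' is not
    under 'tape.stortek.com', and 'notcompatible.com' is not under
    'compatible.com'."""
    q = qname.lower().rstrip('.')
    for dom in local_domains:
        d = dom.lower().rstrip('.')
        if q == d or q.endswith('.' + d):
            return True
    return False


def route_dns_query(client_slot, qname, group):
    """client_slot is 'primary' or 'secondary': which of the client's own
    configured DNS servers the query was addressed to. Returns the address
    the IntraPort sends the query to, or None when nothing is configured
    for that slot (assumption: such a query is left untouched)."""
    primary = group.get('DNSPrimaryServer')
    if primary is None:
        return None                  # no redirection without a primary server
    if client_slot == 'secondary':
        return group.get('DNSSecondaryServer')   # forwarded unconditionally
    split = group.get('DNSSplitServer')
    local = group.get('LocalDomainName', [])
    # The split server is used only when it and at least one LocalDomainName
    # are set, and only for names outside every local domain.
    if split and local and not is_local_name(qname, local):
        return split
    return primary
```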

See Also

[ VPN Users ], [ IP Filter <Name> ], [ IPX Filter <Name> ], [ IKE Policy ], [ SecurID ], [ SNMP ], [ L2TP General ]


edit config

COMMAND NAME

edit config - Line editor for configuration.

SYNOPSIS

edit config

SYNOPSIS OF LINE EDITOR SUBCOMMANDS

append [ <line number> ]
delete [ <range> ]
print [ <range> ]
list [ <range> ]
help
quit
exit

range := <line number> | <beginning line number> <ending line number>

DESCRIPTION

This manual page describes the commands of the complex list editor built into the command line interface. This line editor allows you to manage (create, modify, delete, and view) these lists from the command line interface. Each of these lists, which are special sections of the configuration, has its own unique syntax that is described in its specific man page. The edit config command can also be used as a line editor for the entire configuration.

The editor modifies a local buffer of the list which is separate from the configuration buffer that the rest of the command line interface uses. Changes made in the editor are not committed to the command line configuration buffer until they are saved using the exit editor command. It is also possible to end an editing session without saving changes by using the quit editor command.

The normal prompt within the editor is:

edit config>

The editor will delete the list being edited, if it is saved with no lines in the buffer.

Comments and blank lines may occur anywhere in a configuration. Comments begin with a pound sign (#) and continue until the end of the line.

# This is a comment
[ New Section ] # So is this

LINE EDITOR SUBCOMMANDS

append [ <line number> ]

The append subcommand is used to append lines into the buffer. Lines are appended after the specified line number or the current line if none is specified. When editing a section, line 1 contains the section name, so specify line 1 in the append statement to add lines after the section name. After entering the append subcommand, a brief help message will be displayed and the prompt will change to "Append>". Any lines entered at this prompt will be placed in the editor buffer after the specified line number. To stop adding lines, enter a "." on a line all by itself.

Edit config> append 0
Enter lines at the prompt. To terminate input, enter
a . on a line all by itself.

Append> These lines will be appended
Append> at the beginning of the buffer.
Append> .
Edit config>

If an error occurs while appending lines, a diagnostic note will be printed out and the message "Append failed." will be displayed.

delete [ <range> ]

The delete subcommand is used to delete the specified range of lines in the editor buffer. If only one line number is entered as part of the range, only that line will be deleted. If no range is specified, then the current line is deleted. There is no "undo" command; lines deleted will be lost forever.

print [ <range> ]

The print subcommand is used to display a range of lines from the editor buffer. If only one line number is entered as part of the range, a full screen will be displayed beginning with the specified line number. If no range is specified, a full screen of lines beginning with the current print line will be displayed. The current print line is the current line for the first print or list subcommand. Subsequent print or list subcommands with no range will display a screenful beginning with the last line from the previous display.

list [ <range> ]

The list subcommand has the same behavior as the print subcommand, except that non-printing characters are printed unambiguously. Control characters are printed out as <C-X> (where X is the control character; a tab would be <C-I>, a backspace would be <C-H>, and a line feed would be <C-J>). The delete character is printed out as <DEL>. All other non-printing characters are displayed as <\#> (where # is the character displayed as an octal number). The end of the line is marked with a "$".

Edit config> list 1 2
1: These lines will be appended$
2: at the beginning of the buffer.$

Edit config>

help

The help subcommand displays a short description of valid editor commands.

quit

The quit subcommand is used to leave the editor and ignore the changes that were made during the current editor session. The editor buffer is discarded and the list in the command line configuration buffer will remain the way it was prior to invoking the editor. If the editor buffer has been modified when issuing the quit subcommand, the editor will ask if it should abandon the changes.

exit

The exit subcommand will save the editor buffer and leave the editor. When editing some list types, a syntax checker will be run on the list when the editor exits. If errors are reported, the editor will offer a chance to re-edit the list, allowing the reported errors to be corrected.

Note: Editor buffers saved using the exit subcommand are only saved into the command line configuration buffer, and are not available for the system to use until after a save command has been issued and the system has been restarted (see save(mgmt)).

OPTIONS

line number

A line number refers to a valid line within the editor buffer ranging from 1 to the last line in the buffer. The append command also accepts 0 as a valid line number. The character "$" is accepted as shorthand for the last line in the editor buffer. The character "." is accepted as shorthand for the current line.

range

The range option is either one or two line numbers that specify the range of lines that will be acted upon by the command. See the individual command descriptions for details about how the command will use the range if only one line number is specified.

SEE ALSO

save(mgmt)

[ AppleTalk Filter <Name> ]

This section allows you to define, edit and name a set of AppleTalk filtering rules. Once a set of rules is defined and named, those rules may be applied to a variety of AppleTalk interpreters to accomplish different types of AppleTalk filtering. Each interpreter looks at a subset of the rules that are suitable for that interpreter. The interpreters available are: general packet filtering, get zone list filtering, zip reply filtering and route (RTMP) filtering. See the [ AppleTalk <Section ID> ] section for information about how to apply these named filters to the different interpreters. This method allows the greatest flexibility since common rules may be established and applied independently to the various types of AppleTalk interpreters. Each of the interpreters is described below.

Packet Filtering

The Packet Filtering interpreter allows packets being forwarded by the device to be filtered on the input and output side of an interface. The only rules used in this interpreter are the type, srcnet, dstnet, srcnode, dstnode, srcskt and dstskt for all packets. For Name Binding Protocol (NBP) request and reply packets, the NBPName, NBPType and NBPZone rules are also used. All other rules are ignored. The keywords InFilters and OutFilters in the [ AppleTalk <Section ID> ] section are used to specify the named set of rules for this interpreter.

Get Zone List (GZL)

The Get Zone List (GZL) interpreter allows the filtering of outgoing GZL replies on an interface. These replies contain the zone list displayed by the Chooser on a Macintosh when it is opened. This interpreter will allow control of the zones that are seen on a Macintosh behind a device. The only rules used in this interpreter are the network, net-range and zone rules. All other rules are ignored. The keyword GetZoneFilters in the [ AppleTalk <Section ID> ] section is used to specify the named set of rules for this interpreter.

ZIP Reply Filters

The ZIP Reply interpreter allows incoming zone names in ZIP reply packets to be filtered. ZIP reply packets are used between routers and access servers to exchange the zone names for the networks kept in their routing tables. These devices are required to maintain a zone list for each of the networks maintained in the AppleTalk routing table and receive the zone name from an upstream router advertising the network. Extended networks allow more than one zone name to be associated with the range, even if it is a single range.

Note: If zone filtering for Macintosh end workstations is required, use a Get Zone List filter. If a zone list is restricted in an upstream router with a ZIP reply filter, then the downstream routers will receive the filtered zone list for the network and subsequent downstream routers will also receive the filtered zone list.


The only rules used in this interpreter are the zone and network rules. The zone rule must be present in the rule for it to be used and the network rule may be used to further qualify the zone name being filtered. The network rule allows a zone name that is duplicated across an AppleTalk network to be filtered for that specific network. All other rules are ignored. The keyword ZIPReplyFilters in the [ AppleTalk <Section ID> ] section is used to specify the named set of rules for this parameter.

Routing Filters (RTMP)

The Routing Table Maintenance Protocol (RTMP) interpreter allows network numbers in input and output AppleTalk RTMP routing packets to be filtered on an interface. The only rules used in this interpreter are the network and net-range rules. All other rules are ignored. The keywords InRTMPFilters and OutRTMPFilters in the [ AppleTalk <Section ID> ] section are used to specify the named set of rules for this interpreter.

The interpreters will not reorder the rules as they are specified before using them. They will be applied sequentially from the first rule to the last. Any filtered information that isn't allowed by the set of rules will be dropped silently. If that information is to be allowed, a final permit rule must be specified:

permit

There is an interaction between the packet filtering interpreter and the other interpreters which should be considered when defining filter sets. The packet filter interpreter applies its filters to packets as they are received by the device. If not filtered, the packets will then be passed on to the other interpreters. The reverse is true for packets going out. First the ZipReply, GetZoneList filter and RTMP filters are applied, and if the packet is not filtered, it is passed on to the packet filter interpreter before being transmitted.

Rules which have been specified using Compatible's CompatiView Manager may be edited or examined through the command line interface. Likewise, rules defined through the command line interface may be edited through CompatiView. When the rules are downloaded into the device from CompatiView, they will be encrypted.

This is a special section of the configuration, meaning that there are no keywords to document. The elements enclosed in square brackets ([ ]) are optional. Each section contains a complete filter set uniquely identified by the Name portion of the section name. Multiple sections may exist, each with a unique name.


Synopsis of AppleTalk Filtering Rules

<action> [type exp] [srcnet exp] [dstnet exp] [srcnode exp] [dstnode exp] [srcskt exp] [dstskt exp] [network exp] [net-range exp] [zone exp] [NBPName exp] [NBPType exp] [NBPZone exp] [notify]

action ::= permit | deny
type exp ::= type <operator> <ATalk packet type number>
srcnet exp ::= srcnet <operator> <network number>
dstnet exp ::= dstnet <operator> <network number>
srcnode exp ::= srcnode <operator> <node address>
dstnode exp ::= dstnode <operator> <node address>
srcskt exp ::= srcskt <operator> <socket number>
dstskt exp ::= dstskt <operator> <socket number>
network exp ::= network <operator> <network number>
net-range exp ::= net-range <operator> <network range>
zone exp ::= zone <operator> <zone name>
NBPName exp ::= NBPName <operator> <NBP entity name>
NBPType exp ::= NBPType <operator> <NBP entity name>
NBPZone exp ::= NBPZone <operator> <zone name>
notify ::= log

At a minimum, every non-comment line in a filter set must include an action.

permit or deny

The action permit specifies that packets meeting the conditions should be passed through the filter. The action deny specifies that packets meeting the conditions should be dropped by the filter.

Options

operator

The operator parameter is a logical operator used to compare a port number against a filtering rule. The basic action specified in the rule will almost always be accompanied with an option. AppleTalk filter options use some or all of a set of operators to determine whether the filter rule matches the information being examined or not. The following logical operators are supported:

eq, ==, and =

These are acceptable ways of writing an "equality" operator which will match if the value in the packet/information is equal to the value specified in the option expression.

lt and <

These are acceptable ways of writing a "less than" operator which will match if the value in the packet/information is less than the value specified in the option expression.


lteq, le, <=, and =<

These are acceptable ways of writing a "less than or equal to" operator which will match if the value in the packet/information is less than or equal to the value specified in the option expression.

gt and >

These are acceptable ways of writing a "greater than" operator which will match if the value in the packet/information is greater than the value specified in the option expression.

gteq, ge, >=, and =>

These are acceptable ways of writing a "greater than or equal to" operator which will match if the value in the packet/information is greater than or equal to the value specified in the option expression.

ne, <>, and !=

These are acceptable ways of writing an "inequality" operator which will match if the value in the packet/information is not equal to the value specified in the option expression.

The options available for AppleTalk filter rules allow rules to be more narrowly specified to exclude packets or other information based on a number of additional factors.

type <operator> <ATalk packet type number>

This option allows filtering of the packet type from the AppleTalk DDP header. The packet type value must be between 1 and 255. The numbers of some well-known packet types are listed below.

RTMP (1); NBP (2); ATP (3); ECHO (4); RTMP Request (5); ZIP (6); ADSP (7); SNMP (8); IP-in-AppleTalk (22); DECnet-in-AppleTalk (68)

srcnet <operator> <network number>

This option allows filtering of the source network from the AppleTalk DDP header. The network value must be between 1 and 65279. The keyword all may be used to specify all network values.

dstnet <operator> <network number>

This option allows filtering of the destination network from the AppleTalk DDP header. The network value must be between 1 and 65279. The keyword all may be used to specify all network values.

srcnode <operator> <node address>

This option allows filtering of the source node from the AppleTalk DDP header. The node value must be between 1 and 253.

dstnode <operator> <node address>

This option allows filtering of the destination node from the AppleTalk DDP header. The node value must be between 1 and 253.

srcskt <operator> <socket number>


This option allows filtering of the source socket from the AppleTalk DDP header. The socket value must be between 1 and 255.

dstskt <operator> <socket number>

This option allows filtering of the destination socket from the AppleTalk DDP header. The socket value must be between 1 and 255.

network <operator> <network number>

This option allows filtering of the network number in Get Zone List, Zip Reply and RTMP packets. The network value must be between 1 and 65279. The keyword all may be used to specify all network values.

net-range <operator> <network range>

This option allows filtering of GetZoneList and RTMP packets using a network range. Two AppleTalk network numbers separated by a space make up the network range. Each number must be between 1 and 65279. The first number must be less than or equal to the second number. The operator in this option can only be "equality" or "inequality."

zone <operator> <zone name>

This option allows filtering of the zone name in Get Zone List, Zip Reply and RTMP packets. The zone name must be enclosed in quotes ("") and cannot be more than 32 characters long. It must not contain the approximately equal sign wildcard (≈) character or a "*". The operator in this option can only be "equality" or "inequality."

NBPName <operator> <NBP entity name>

This option allows filtering of the NBP name in an NBP request or reply packet. The NBP entity name must be between 1 and 32 characters and enclosed in quotation marks (""). It may contain the approximately equal sign wildcard (≈) character. All characters will be mapped to upper case before any comparisons are done. The operator in this option can only be "equality" or "inequality."

NBPType <operator> <NBP entity name>

This option allows filtering of the NBP type in an NBP request or reply packet. The NBP entity name must be between 1 and 32 characters and enclosed in quotation marks (""). It may contain the approximately equal sign wildcard (≈) character. All characters will be mapped to upper case before any comparisons are done. The operator in this option can only be "equality" or "inequality."

NBPZone <operator> <zone name>

This option allows filtering of the NBP zone name in an NBP request or reply packet. The zone name must be enclosed in quotes ("") and cannot be more than 32 characters long. It must not contain the approximately equal sign wildcard (≈) character or a "*". The operator in this option can only be "equality" or "inequality."


log

The log option causes the device to log data about the packet to syslog when the condition of the rule is met. See the [ Logging ] section for more information about logging.

Examples

The following is an AppleTalk packet filter which denies echo packets (type 4) from network 55, and permits everything else.

deny srcnet = 55 type = 4
permit

The following is an AppleTalk packet filter which denies NBP lookups for the printer named "Engineering Printer," permits NBP lookups for the printer named "HP Printer" by the NBP zone "Sales," and permits everything else.

deny NBPName = "Engineering Printer"
permit NBPName = "HP Printer" NBPZone = "Sales"
permit

The following is an AppleTalk Get Zone List filter. These rules filter what is seen in the Chooser of Macintoshes attached to the network to which the rules are assigned. The example would: deny all zone names from networks 1-10; permit the zone name "Engineering;" deny the zone name "Sales;" permit all networks not equal to 100; and permit everything else.

deny net-range = 1 10
permit zone = "Engineering"
deny zone = "Sales"
permit network != 100
permit

The following is an AppleTalk RTMP filter. These rules can be used for either input or output RTMP filters to limit the network numbers that are allowed into the routing table or to be advertised from the device, respectively. The example performs the following actions: deny networks with a number of 100; permit networks between 200 and 300; deny networks numbered greater than 301; and permit everything else.

deny network = 100
permit net-range = 200 300
deny network > 301
permit


The following is an AppleTalk ZIP Reply filter. These rules can be used to restrict the zone names that are returned in ZIP Reply requests from other routers. This limits the zone list in routers behind the interfaces to which these rules are applied. The following example would: deny the zone name "Engineering;" deny the zone name of "Twilight" where the network number is 301 (if there is a zone name of "Twilight" associated with another network number, that would be permitted); and permit everything else.

deny zone = "Engineering"
deny zone = "Twilight" network = 301
permit
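The following is an added worked example, not code from the manual or the device, showing how a rule set written in the syntax above is parsed and applied in order: a parser for the rule grammar and operator spellings, and a first-match evaluator run over the example filter sets. Packets are modelled as plain dicts keyed by option name. Two readings are assumptions made here rather than statements of the manual: a packet that no rule matches is dropped (by analogy with the [ IP Filter <Name> ] section), and net-range = lo hi matches a packet whose network number lies within lo..hi.

```python
import operator
import re

# Added example, not the router's own code: a parser and first-match evaluator
# for [ AppleTalk Filter <Name> ] rules as described above.  Packets are plain
# dicts keyed by option name.  Assumed readings: a packet no rule matches is
# dropped, and "net-range = lo hi" matches a network number within lo..hi.

OPERATORS = {
    'eq': operator.eq, '==': operator.eq, '=': operator.eq,
    'lt': operator.lt, '<': operator.lt,
    'lteq': operator.le, 'le': operator.le, '<=': operator.le, '=<': operator.le,
    'gt': operator.gt, '>': operator.gt,
    'gteq': operator.ge, 'ge': operator.ge, '>=': operator.ge, '=>': operator.ge,
    'ne': operator.ne, '<>': operator.ne, '!=': operator.ne,
}
# Integer options with the value ranges the manual gives for them.
INT_RANGES = {'type': (1, 255), 'srcnet': (1, 65279), 'dstnet': (1, 65279),
              'srcnode': (1, 253), 'dstnode': (1, 253), 'srcskt': (1, 255),
              'dstskt': (1, 255), 'network': (1, 65279), 'net-range': (1, 65279)}
ALL_OK = ('srcnet', 'dstnet', 'network')          # may take the keyword all
STRING_OPTS = ('zone', 'NBPName', 'NBPType', 'NBPZone')
EQ_ONLY = ('net-range',) + STRING_OPTS              # equality/inequality only
WILDCARD = '\u2248'                                 # the NBP wildcard character

def _int_value(field, text):
    value, (lo, hi) = int(text), INT_RANGES[field]
    if not lo <= value <= hi:
        raise ValueError('%s value %d outside %d..%d' % (field, value, lo, hi))
    return value

def parse_rule(line):
    """Parse one rule into {'action', 'log', 'conds'}; conds holds (option, compare function, value)."""
    toks = re.findall(r'"[^"]*"|\S+', line)
    if not toks or toks[0] not in ('permit', 'deny'):
        raise ValueError('rule must start with permit or deny: %r' % line)
    rule, i = {'action': toks[0], 'log': False, 'conds': []}, 1
    while i < len(toks):
        field = toks[i]
        if field == 'log':
            rule['log'], i = True, i + 1
            continue
        if field not in INT_RANGES and field not in STRING_OPTS:
            raise ValueError('unknown option %r' % field)
        if i + 2 >= len(toks) or toks[i + 1] not in OPERATORS:
            raise ValueError('%s needs <operator> <value>' % field)
        op = OPERATORS[toks[i + 1]]
        if field in EQ_ONLY and op not in (operator.eq, operator.ne):
            raise ValueError('%s allows only equality or inequality' % field)
        text = toks[i + 2]
        if field == 'net-range':
            if i + 3 >= len(toks):
                raise ValueError('net-range needs two network numbers')
            value = (_int_value(field, text), _int_value(field, toks[i + 3]))
            i += 1                                   # consumed an extra token
        elif field in INT_RANGES:
            value = None if text == 'all' and field in ALL_OK else _int_value(field, text)
        else:
            if len(text) < 2 or text[0] != '"' or text[-1] != '"':
                raise ValueError('%s value must be quoted' % field)
            value = text[1:-1]
            if not 1 <= len(value) <= 32:
                raise ValueError('%s value must be 1-32 characters' % field)
            if field in ('NBPName', 'NBPType'):
                value = value.upper()                # device compares in upper case
        rule['conds'].append((field, op, value))
        i += 3
    return rule

def _matches(packet, field, op, value):
    if field == 'net-range':
        network = packet.get('network')
        if network is None:
            return False
        inside = value[0] <= network <= value[1]
        return inside if op is operator.eq else not inside
    actual = packet.get(field)
    if actual is None:                   # option absent from this packet type
        return False
    if value is None:                    # keyword all
        return op is operator.eq
    if field in ('NBPName', 'NBPType'):  # wildcard stands for any characters
        regex = '.*'.join(re.escape(p) for p in value.split(WILDCARD))
        hit = re.fullmatch(regex, actual.upper()) is not None
        return hit if op is operator.eq else not hit
    return op(actual, value)

def parse_filter_set(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def evaluate(rules, packet):
    """Rules apply in written order; first match decides. Returns (action, log_flag)."""
    for rule in rules:
        if all(_matches(packet, *cond) for cond in rule['conds']):
            return rule['action'], rule['log']
    return 'deny', False                 # assumed default: no rule permitted it
```

Because the device applies rules in the order written, the trailing bare permit in every example above is what turns the set from a whitelist into a blacklist; removing it leaves only explicitly permitted traffic flowing under the assumed default.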

See Also

[ AppleTalk <Section ID> ], [ Logging ], appletalk(show)

[ Auth ]

This section of the configuration defines the PPP remote authentication database. This is a special section of the configuration, meaning that there are no keywords to document. Each line is one entry defining a remote authentication entry. Multi-line entries must have line breaks escaped with a backslash. However, line breaks encapsulated in a double-quoted string are preserved.

If the router has been configured to request PAP or CHAP, using the keywords PAPRequest or CHAPRequest in the [ PPP <Section ID> ] section, the database is used to validate authentication responses from the remote peer or user.

The database is global to the router. When the router makes an authentication request and receives a response, the router searches this database for a matching name. If the name is found, the password/secret is validated and the success or failure is sent back to the peer. If the name is not found, the router will try to authenticate the name using RADIUS if RADIUS has been enabled (see the [ Radius ] section). If RADIUS is not enabled, the router returns a failure to the peer (or remote user). The authentication database will always supersede the RADIUS database.

An optional WAN interface can be specified to define the WAN interfaces on which a database entry is valid. Each authentication entry has the following syntax:

<Incoming Name> <Secret/Password> [Dialback=<Callback Script>] [<WAN ports>]

Incoming Name

The Incoming Name is the remote peer or user's CHAP or PAP name. It can be 1-255 bytes long and may be a quoted string in order to preserve spaces or embedded line breaks.

Secret/Password

The Secret/Password is the remote peer or user's CHAP secret or PAP password. It can be 1-255 bytes long and may be a quoted string in order to preserve spaces or embedded line breaks.

Dialback=Callback Script

The Callback Script is the optional chat script to be used if callback is desired. A callback mechanism is supported for both CHAP and PAP when a WAN connection is initiated by the remote peer. Dialout does not need to be enabled to use this feature (see the [ Link Config <Section ID> ] section). The script is defined through the [ Chat <Name> ] section. The name may be enclosed in double quotes ("") in order to preserve spaces or embedded line breaks.


WAN Ports

WAN Ports are used to define the WAN interfaces on which a database entry is considered valid. It may be all, none or a list of port names (e.g., WAN 0 WAN 2 WAN 10). If all or none appear in a list of port names, the first one encountered supersedes all other entries.

Examples

To specify a database entry for remote peer "Barney" with secret/password "Rubble":

[ Auth ]
Barney Rubble

To add a database entry for remote peer "Barney" with secret/password "Rubble" and optional callback script "dial Fred" (this entry will be valid for connections on port WAN0 only):

[ Auth ]
Barney Rubble Dialback = "dial Fred" WAN 0
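As an added example (not the router's code), the following Python parses [ Auth ] entries using the quoting and line-continuation rules given above, applies the WAN Ports rule (the first all or none in the list decides), and performs the lookup in the order the section describes: the local database first, then RADIUS only when the name is not found locally, otherwise failure. The sample entries are constructed; RADIUS is represented by an optional callable so the precedence can be exercised without a server. One reading is assumed: an entry with no port list is valid on every port, and an entry whose name matches but which is not valid on the port in use counts as "not found."

```python
import hmac

# Added example, not the router's own code: parse [ Auth ] entries, apply the
# WAN Ports validity rule and look a peer up in the order the section gives.

def _logical_lines(text):
    """One entry per line; a backslash before a newline joins lines, and a
    newline inside a double-quoted string is kept as part of the field."""
    entries, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and not quoted and text[i + 1:i + 2] == '\n':
            i += 2                                # escaped line break: join
            continue
        if ch == '\n' and not quoted:
            entries.append(''.join(cur))
            cur = []
        else:
            quoted ^= ch == '"'
            cur.append(ch)
        i += 1
    entries.append(''.join(cur))
    return [e for e in entries if e.strip()]

def _tokens(line):
    """Split on unquoted whitespace; quotes are removed, their content kept."""
    toks, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                toks.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        toks.append(''.join(cur))
    return toks

def parse_auth(text):
    """Return entries as dicts: name, secret, dialback (or None), ports."""
    entries = []
    for line in _logical_lines(text):
        toks = _tokens(line)
        if len(toks) < 2 or not all(1 <= len(t) <= 255 for t in toks[:2]):
            raise ValueError('need <Incoming Name> <Secret/Password>: %r' % line)
        entry = {'name': toks[0], 'secret': toks[1], 'dialback': None, 'ports': []}
        rest = toks[2:]
        while rest:
            tok = rest.pop(0)
            if tok.lower().startswith('dialback'):  # Dialback=x, Dialback= x, Dialback = x
                value = tok[8:].lstrip('=')
                if not value and rest and rest[0] == '=':
                    rest.pop(0)
                value = value or (rest.pop(0) if rest else '')
                if not value:
                    raise ValueError('Dialback= needs a script name')
                entry['dialback'] = value
            elif tok.upper() == 'WAN' and rest:
                entry['ports'].append('WAN' + rest.pop(0))   # "WAN 0" -> WAN0
            elif tok.lower() in ('all', 'none'):
                entry['ports'].append(tok.lower())
            else:
                raise ValueError('unexpected field %r in %r' % (tok, line))
        entries.append(entry)
    return entries

def valid_on(entry, port):
    """WAN Ports rule: no list means any port (assumption); the first all or
    none in the list supersedes every other port name in it."""
    if not entry['ports']:
        return True
    for p in entry['ports']:
        if p in ('all', 'none'):
            return p == 'all'
    return port.replace(' ', '').upper() in entry['ports']

def authenticate(entries, name, secret, port, radius=None):
    """Local database first (it always supersedes RADIUS); RADIUS, given here
    as a callable, only when the name is not found; otherwise a failure.
    Returns (source, success)."""
    for e in entries:
        if e['name'] == name and valid_on(e, port):
            ok = hmac.compare_digest(e['secret'].encode(), secret.encode())
            return 'local', ok
    if radius is not None:
        return 'radius', bool(radius(name, secret))
    return 'none', False

# Constructed sample section body (not from the manual).
AUTH_TEXT = ('Barney Rubble\n'
             'Fred Flintstone Dialback = "dial Fred" WAN 0\n'
             'Wilma "pebbles rock" \\\n'
             '    WAN 0 WAN 2 WAN 10\n'
             'Dino Bone none\n')
```

The secret comparison uses hmac.compare_digest rather than ==, so the time taken does not depend on how many leading bytes of the offered password are correct.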

See Also

[ PPP <Section ID> ], [ Link Config <Section ID> ], [ Chat <Name> ], [ Radius ], ppp(show)

[ BGP Route Map <Name> ]

This section allows you to define, edit and name a BGP route map. BGP route maps are used only by the BGP protocol to filter routes and set certain attributes. Route maps help the administrator influence the route selection process, since BGP uses weight, preference and multi-exit discriminator (MED), among other things, to determine the optimal route. BGP uses the following criteria, in the order presented, to select its best route for a destination:

• The most preferred path is the path with the largest weight.

• If the weights are the same, the protocol selects the path with the largest local preference.

• If the preferences are the same, the protocol selects the path that has the shortest AS path length.

• If all paths have the same AS path length, the protocol selects the path with the lowest MED.

• If the paths have the same MED, the protocol selects the path from the BGP peer with the lowest Router ID.
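The five criteria above form a strict tie-break chain, which the following added example (this editor's illustration, not the router's code) makes explicit: each candidate path carries the attributes a route map can influence, and decide() reports which criterion settled a comparison. The BgpPath fields and all sample values are constructed for the example.

```python
from dataclasses import dataclass
from functools import cmp_to_key

# Added example, not the router's own code: BGP best-path selection applying
# the five criteria in the order the section lists them.

@dataclass
class BgpPath:
    """One candidate path to a destination as learned from a peer.
    Field names are this example's, not the device's."""
    peer_router_id: str
    as_path: tuple
    weight: int = 0
    local_pref: int = 100
    med: int = 0

def _router_id_key(router_id):
    """Compare Router IDs octet by octet as numbers, not as strings."""
    return tuple(int(octet) for octet in router_id.split('.'))

# (criterion name, key function, whether the larger key wins), in order.
CRITERIA = (
    ('weight', lambda p: p.weight, True),
    ('local preference', lambda p: p.local_pref, True),
    ('AS path length', lambda p: len(p.as_path), False),
    ('MED', lambda p: p.med, False),
    ('router ID', lambda p: _router_id_key(p.peer_router_id), False),
)

def decide(a, b):
    """Return (preferred path, criterion that decided).  Criteria are tried
    in order and the first one on which the two paths differ wins."""
    for name, key, larger_wins in CRITERIA:
        ka, kb = key(a), key(b)
        if ka == kb:
            continue
        a_wins = ka > kb if larger_wins else ka < kb
        return (a if a_wins else b), name
    return a, 'tie'

def best_path(paths):
    """Best of several candidates by repeated pairwise decisions."""
    if not paths:
        raise ValueError('no candidate paths')
    best = paths[0]
    for candidate in paths[1:]:
        best, _ = decide(best, candidate)
    return best

def rank_paths(paths):
    """All candidates, best first, under the same ordering."""
    def cmp(a, b):
        winner, name = decide(a, b)
        return 0 if name == 'tie' else (-1 if winner is a else 1)
    return sorted(paths, key=cmp_to_key(cmp))
```

An input route map's setpref and setwt modifiers act on the local_pref and weight fields here, which is why a route map can make a longer AS path win: both criteria are consulted before AS path length.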

Route maps are not associated with a particular interface. They are applied in the [ BGP Peer Config <Name> ] section.

Note: IP route filters may be used with BGP instead of BGP route maps; however, the matching conditions are more limited, and various parameters such as community, local preference, and weight cannot be set with IP route filters.

No input routes will be accepted by the router unless a BGP route map or IP route filter has been defined. To allow all other network numbers not filtered, include the following rule:

permit 0.0.0.0

The router checks BGP route maps first, and if the route is denied, the IP route filters will not be checked even if BGPUseIPRFltrs has been enabled in the [ BGP General ] section. BGP routes known to the router will be advertised unless denied by a route map or a route filter. Static, OSPF, RIP and directly connected routes will not be advertised unless specified in the [ BGP Networks ] section or the [ IP Route Redistribution ] section.

This is a special section of the configuration, meaning that there are no keywords to document. The elements enclosed in square brackets ([ ]) are optional. Each section contains a complete route map uniquely identified by the Name portion of the section name. Multiple sections may exist, each with a unique name.


Synopsis of IP Routing Mapping Rules

<action> <route> direction [ output modifiers | input modifiers ]

action ::= permit | deny
route ::= <IP address>[/<bits>]
direction ::= in | out
[output modifiers] ::= { ipaddr <IP address>[/<bits>] | toas <AS number> } |
                       origin <protocol> | setnhop <IP address> | setmed <MED number> |
                       setasp <AS number> | setcomm <community number> | addcomm <community number>
[input modifiers] ::= { ipaddr <IP address>[/<bits>] | hasas <AS number> | srcas <AS number> |
                      nhop <IP address> | comm <community number> } |
                      setpref <preference> | setwt <weight>

At a minimum, every non-comment line in a route map must include an action, a route and a direction. Together these components specify a rule that the router will follow when a route meets the condition of the rule.

permit | deny

These parameters specify the action to be taken when a route meets the condition of the rule.

<IP address>[/<bits>]

IP addresses can be specified in a variety of ways:

a) IP addresses can be specified in normal dotted decimal notation. If the rightmost components are 0, they are treated as wild cards (for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet). An address with all zeros matches anything and can be used as a wild card in the case where one of the addresses doesn't matter.

b) IP addresses can be specified as a factorized address in the form of #.#.#.{#,#,...}. For example, 192.12.9.{1, 2, 3, 15} matches the hosts 192.12.9.1, 192.12.9.2, 192.12.9.3, and 192.12.9.15. There is no need for all 4 components. For example, 198.41.{8,9,10,11,12,13} would match all host addresses from 198.41.8.1 to 198.41.13.255. However, the factorized part must be at the end of the address.

c) IP addresses may also be specified as a hexadecimal number (for example, 0x82cc0801 matches the host address 130.204.8.1).

The optional /bits at the end of an IP address is a bit field denoting the number of bits that are significant when doing the comparison against the addresses from the IP packet. It denotes the top or most significant bits to use. For example, an address specified in the rules as 192.15.32.0/19 would match all host addresses from 192.15.32.1 to 192.15.63.255.

A specified bit field will override the default class-based mask generated by the address specification rules listed above. For example, the address 198.15.9.0 would have a mask of 255.255.255.0, as if a /24 had been appended to the address. However, if 198.15.9.0/8 had actually been entered, the /8 would override the default mask and all addresses from 198.0.0.1 to 198.255.255.255 would match.

in | out

These parameters allow users to specify the direction for which the rule is applied.

Options

Output modifiers

{ ipaddr <IP address>[/<bits>] | toas <AS number> }

This modifier limits output rules to routes going to the designated IP address or Autonomous System (AS) number. Only one argument is expected here. If the router only has one peer in a given AS, then ipaddr or toas will accomplish the same result. If the router has multiple peers within a neighboring AS, the IP address of the peer can be used to limit the rule to just that peer, or the AS number can be used to apply the rule to every peer in the AS. The IP address may be specified in any of the ways described above. The AS number is specified as an integer.

origin <protocol>

This modifier limits output rules to routes originating from the designated protocol. BGP can advertise direct, static, RIP, OSPF, or other BGP routes from its own IP routing table to peers. The possible values are icmp, rip, ripv2, static, OSPF, BGP and direct. Multiple protocols may be listed.

setnhop <IP address>

This modifier allows the next hop to be set on the outgoing route. The hop is specified as an IP address in the standard dotted-decimal notation.

setmed <MED number>

This modifier allows the multi-exit discriminator (MED) to be set on the outgoing route. This is a metric which is used only when there are multiple paths to an AS. The MED is used to set a preference for a particular path to the AS. The MED is specified as an integer.

setasp <AS number>

This modifier allows the specified AS list to be prepended to the outgoing AS path attribute. Up to 6 AS numbers may be entered. The AS number is specified as an integer.


setcomm <community number>

This modifier allows a community list to be set on the outgoing route. A community is a group of destinations to which routing decisions can be applied. The community number can be specified with up to 6 community numbers, specified as integers, or can be listed as one of the special communities.

The special community noexport (NO_EXPORT) specifies that this route will not be advertised outside a BGP confederation boundary. A BGP confederation is a collection of several AS's that are advertised as a single AS to all BGP peers which are not members of the confederation.

The special community noadv (NO_ADVERTISE) specifies that this route will not be advertised to any BGP peers (including internal peers).

The special community noexpsub (NO_EXPORT_SUBCONFED) specifies that this route will not be advertised to external peers. This means that this route can be advertised to internal peers only and will not be advertised outside its AS.

addcomm <community number>

This modifier allows a community list to be prepended on the outgoing route. The parameter can be up to 6 community numbers, specified as integers.

Input modifiers

ipaddr <IP address>[/<bits>] | hasas <AS number> | srcas <AS number> | nhop <IP address> | comm <community number>

This modifier, with the exception of hasas, limits input rules to routes originating from the designated IP address, AS number, next hop or community. A BGP route contains information concerning each AS that it has traversed. The hasas parameter specifies that the rule will be applied if the AS path contains the specified AS number anywhere in the AS path. Only one argument is expected here. The IP address may be specified in any of the ways described above. The AS number is specified as an integer. The community number may be specified as an integer.

setpref <preference>

This allows the preference to be set on incoming routes from the given IP address, AS number, community, or next hop. The preference is specified as an integer.


setwt <weight>

This allows the weight to be set on incoming routes from the given IP address, AS number, community, or next hop. The weight is specified as an integer.

Examples

In the following example, route 192.61.5.0 will be permitted in if the community attribute contains the community 200, and the preference will be set to 100. In line two, all other routes from Community 200 will also be accepted, but the preference will be set to 300. Routes that do not contain Community 200 will be denied.

[ BGP Route Map "mymapin" ]
permit 192.61.5.0 in comm 200 setpref 100
permit 0.0.0.0 in comm 200 setpref 300

In the following example, all direct routes specified in the [ BGP Networks ] section will be allowed out to AS number 200, and the MED will be set to 10. In the second line, all routes will be allowed out to AS number 300, but the community value will be set to noadv (NO_ADVERTISE).

[ BGP Route Map "mymapout" ]
permit 0.0.0.0 out toas 200 origin direct setmed 10
permit 0.0.0.0 out toas 300 setcomm noadv

See Also

[ IP Route Filter <Name> ], [ BGP Peer Config <Name> ], [ BGP General ], [ BGP Networks ], [ IP Route Redistribution ]

[ Chat <Name> ]

Compatible Systems routers support standard communications chat scripts that let you specify dialing and/or connect sequences between this router and remote routers or terminal servers. All of the chat scripts stored in a router are available for use on any of the router's WAN interfaces. To select the scripts which will be used on a specific interface, use the DialOutScript and DialBackScript keywords in the [ Link Config <Section ID> ] section. These scripts may also be used for user-specific dial-back scripts in the [ Auth ] section.

This is a special section of the configuration, meaning that there are no keywords to document. Each section contains a complete chat script uniquely identified by the "Name" portion of the section name. Multiple [ Chat <Name> ] sections may exist, each with a unique name. The rules and syntax of chat scripts follow.

send and expect

There are as many variations of chat scripts as there are specific installation requirements. However, all chat scripts generally follow the same format, which is a series of send and expect statements. Every line in a chat script must start with either send or expect in order to be a valid chat script line.

Lines which begin with send will cause all other characters on the line to be output through the WAN interface which is running the script (except escaped control characters, as described below).

Lines which begin with expect will cause the router to wait for matching input characters from the WAN interface which is running the script. The router is case-sensitive when examining returned data. When the expected string is long (i.e., Please login:, Please enter your password:, etc.), it may be easier to get an exact match if only part of the expected response is included in an expect statement. (See the ISP example at the end of this section.)

Note: The amount of time the router will wait for an expected response is determined by the ScriptTimeout parameter specified in the [ Link Config <Section ID> ] section.

Control Characters

All control characters are preceded by a backslash character (\). This tells the router that what follows is an escaped character and should not be literally sent on the WAN interface.

\r Insert a carriage return.
\c Don't add a carriage return to end of line; valid at end of line only.
\x Insert a hex digit (range 0x0 to 0xFF).
\p Pause for 0.3 seconds.
\b Send a break character.
\<space> Follow the backslash with a space to insert a space; space characters between send or expect commands and the first character of a line are normally stripped.
\t Insert a tab.
\n Insert a new line.
\q Set "quiet mode" - do not log output until another \q is encountered.
\\ Insert a backslash.

Typically, send lines are used to send instructions to the communications device (e.g., modem, CSU/DSU or TA) and/or send information to the remote router or terminal server. If the WAN interface is configured for asynchronous operation, the instructions must be AT commands. If the WAN interface is configured for synchronous operation, the instructions must be V.25bis commands. The following sections give examples of common script instructions.

The AT Command Set

Most asynchronous devices (e.g., modems and some terminal adapters) expect AT commands from the router in order to dial or perform other functions. Different devices support different subsets of AT commands. To be certain that the AT commands you are using are correct for your device, you must refer to the manual that came with your device.

Every AT command is preceded by an "AT" which tells the device that the string is destined for it. Listed below are the most common (and commonly supported) AT commands:

ATDT

Originate a call by dialing the number sequence which follows this command using tones (note: use a comma in the sequence for a delay).

Note: An asynchronous terminal adapter does not use tones to dial ISDN phone numbers. Use ATD to dial ISDN phone numbers.

Note: To include a pound sign (#) as part of the number sequence, the sequence must be enclosed in double quotes ("").

ATH0

Hang up (note: the final character is a zero).

ATM0

Set speaker off (note: the final character is a zero).

ATM1

Set speaker on until connect.


Modems typically provide a response message depending on the success of an attempted call:

CONNECT

The other end has successfully answered. Note that some modems require a switch to be set correctly to receive text responses (as opposed to result codes).

Note: Compatible Systems routers automatically send standard modem setup parameters when an interface's dialing method is set for AT dialing. To set the dialing method, see the Dialing keyword in the [ Link Config <Section ID> ] section. These setup parameters are adequate for virtually all dial-up applications. In most cases, your modem should work right out of the box.

The V.25bis Command Set

Different CSU/DSUs and Terminal Adapters support different subsets of the V.25bis commands. To be certain that the V.25bis commands you are using are correct for your communications device, you should refer to the manual that came with the device.

The V.25bis commands use hardware signaling to denote whether the information they are sending is destined for the communications device or the data link itself. Listed below are the most common (and commonly supported) V.25bis commands:

CRN

Originate a call by dialing the number sequence which follows this command.

Note: To include a pound sign (#) as part of the number sequence, the sequence must be enclosed in double quotes ("").

CIC

Connect an incoming call.

Communications devices provide several responses depending on the outcome of an attempted call:

CNX

The other end has successfully answered.

INC

An incoming call has been detected.

VAL

The command received is valid.


INV

The command received is invalid or is not supported (may be followed by an error code).

CFI

Call Failure Indicator. The call could not be completed.

Note: If your router is connected to a device synchronously, make sure to configure the line device to accept V.25bis commands in bit-synchronous format (i.e., within HDLC packets). This is the format Compatible Systems routers use to send V.25bis commands.

Examples

This script dials through a PBX which requires a 9 to be dialed, followed by a delay in order to access an outside line:

[ Chat "PBX Out" ]
send atdt 9,13035559000
expect CONNECT

To connect to another router via an ISDN line using V.25bis dialing:

[ Chat "ISDN V.25" ]
send CRN 5554000
expect CNX

To connect to an Internet Service Provider using a modem:

[ Chat "ISP" ]
send atdt 5551000
expect CONNECT
expect login:
send myname
expect ssword:
send im4skiingru2
expect connecting

Note: As demonstrated in this script, only part of the expected response is included in the expect statement when the expected string is long. This can make it easier to get an exact match.

See Also

[ Link Config <Section ID> ], [ Auth ], wan(show)

[ IP Filter <Name> ]

This section permits sets of IP filtering rules to be defined, edited and identified with specific names. The named set of filtering rules may then be associated with either the IP input or output filtering attributes of an interface (see the [ IP <Section ID> ] section). This allows the router to accomplish IP packet filtering on packets inbound to and outbound from a router. This method allows the greatest flexibility since common rules may be established and applied independently to the inbound and outbound interfaces.

The router does not reorder the rules as they are specified before they are applied against a packet. They are applied in the order they were written. When multiple filter sets are selected, they are concatenated in the device from first to last. Any IP packet not explicitly allowed by the rule set is dropped silently. To allow all other packets not filtered, the last rule must be:

permit 0.0.0.0 0.0.0.0 ip

Due to the nature of the IP protocol, IP packet filtering can be quite complicated. If you are attempting to design and implement a comprehensive set of filters, or an Internet firewall, there are a number of references you should consult. Please see the references cited at the end of this section.

This is a special section of the configuration, meaning that there are no keywords to document. Each section contains a complete filter set uniquely identified by the Name portion of the section name. Multiple sections may exist, each with a unique name.

Synopsis of IP Filtering Rules

<action> <src IP address> <dst IP address> [ proto ] [ notify ]

action ::= permit | deny
IP address ::= <IP address>[/<bits>]
[proto] ::= IP |
            TCP [ src <operator> <port> ] [ dst <operator> <port> ] [ <tcp-flags> ] |
            UDP [ src <operator> <port> ] [ dst <operator> <port> ] |
            ICMP [ type <operator> <port> ] |
            GRE | AH | ESP | OSPF |
            proto <operator> <protocol number>
[notify] ::= log | icmp

At a minimum, every non-comment line in a filter set must include an action, a source IP address and a destination IP address. Together these components specify the action to be taken when a packet meets the condition of the rule.

permit or deny

The action permit specifies that packets meeting the conditions should be passed through the filter. The action deny specifies that packets meeting the conditions should be dropped by the filter.

<src IP address>[/<bits>] and <dst IP address>[/<bits>]

These are the source and destination IP addresses and masks used to filter an IP packet. The router extracts the source and destination address from the IP packet under scrutiny, masks them, and then compares them against the respective address in the filter rule. IP addresses can be specified in many ways:

a) IP addresses can be specified in normal dotted-decimal notation. If the rightmost components are 0, they are treated as wild cards (for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet). An address with all zeros (0.0.0.0) matches anything and can be used as a wild card in the case where one of the addresses doesn't matter.

b) IP addresses can be specified as a factorized address in the form of #.#.#.{#,#,...}. For example, 192.12.9.{1,2,3,15} matches the hosts 192.12.9.1, 192.12.9.2, 192.12.9.3, and 192.12.9.15. There is no need for all 4 components. For example, 198.41.{8,9,10,11,12,13} would match all host addresses from 198.41.8.1 to 198.41.13.255. However, the factorized part must be at the end of the address.

c) IP addresses may also be specified as a hexadecimal number (for example, 0x82cc0801 matches the host address 130.204.8.1).

The optional /bits at the end of an IP address is a bit field denoting the number of bits that are significant when doing the comparison against the addresses from the IP packet. It denotes the top or most significant bits to use. For example, an address specified in the rules as 192.15.32.0/19 would match all host addresses from 192.15.32.1 to 192.15.63.255.

A specified bit field will override the default class mask generated by the address specification rules listed above. For example, the address 198.15.9.0 would have a mask of 255.255.255.0, as if a /24 had been appended to the address. However, if 198.15.9.0/8 had actually been entered, the /8 would override the default mask and all addresses from 198.0.0.1 to 198.255.255.255 would match.

Options

Filter rules can accept certain modifiers (proto and notify, as shown in the synopsis at the beginning of this section) which use a set of expression operators to allow information in a packet to be compared to the modifier's parameters.

operator

The operator parameter is a logical operator used to compare a port number against a filtering rule. The following logical operators are supported:

eq, ==, and =
These are allowable ways of writing an "equality" operator which will match a packet if its port number is equal to the port specified in the modifier.

lt and <
These are allowable ways of writing a "less than" operator which will match a packet if its port number is less than the port specified in the modifier.

lteq, le, <=, and =<
These are allowable ways of writing a "less than or equal to" operator which will match a packet if its port number is less than or equal to the port specified in the modifier.

gt and >
These are allowable ways of writing a "greater than" operator which will match a packet if its port number is greater than the port specified in the modifier.

gteq, ge, >=, and =>
These are allowable ways of writing a "greater than or equal to" operator which will match a packet if its port number is greater than or equal to the port specified in the modifier.

ne, <>, and !=
These are allowable ways of writing an "inequality" operator which will match a packet if its port number is not equal to the port specified in the modifier.

port

The port parameter may be specified as a decimal number between 0 and 65,535. It may also be entered as one of the keywords in the following table. The keywords are followed by their port numbers for your reference.

Note: RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol keywords and numbers.

TCP PORTS:

systat (11) netstat (13) ftp-data (20)

ftp (21) telnet (23) smtp, mail (25)

whois (43) gopher (70) rje (77)

pop-2 (109) pop-3 (110) auth (113)

nntp, usenet (119) netbios-ssn (139) news (144)

rexec (512) rlogin (513) rshell (514)

printer, lpd (515) uucp (540) listen, rfs (1025)

x, xwin (6000) irc (6667) www,http (80)

UDP PORTS:

name (42) bootps (67) bootpc (68)

tftp (69) snmp (161) snmp-trap (162)

biff, comsat (512) rwho (513) syslog (514)

talk (517) ntalk (518) route, rip (520)

timed (525) mount (635) pcnfs (640)

nfs (2049)

COMMON UDP AND TCP PORTS:

echo (7) discard (9) daytime (13)

chargen (19) time (37) dns, domain (53)

sunrpc, rpc, portmapper (111)

ntp (123) netbios-ns (137)

netbios-dgm (138)

ICMP TYPES:

echo-reply (0) dest-unrch (3) src-quench (4)

redirect (5) echo, ping (8) time-exceed (11)

param-prob (12) time (13) time-reply (14)

info (15) info-reply (16) mask (17)

mask-reply (18)


IP

This option specifies that all packets from the source and destination IP address and mask will match this rule. If no particular IP protocol packet type (TCP, UDP, ICMP, GRE, AH, ESP or OSPF) is specified, IP is assumed. The IP protocols, other than IP itself, may be specified as a decimal number or as a keyword. The supported keywords are followed by their protocol numbers for your reference.

ICMP (1)
TCP (6)
UDP (17)
GRE (47)
ESP (50)
AH (51)
OSPF (89)

TCP [ src <operator> <port> ] [ dst <operator> <port> ] [ <tcp-flags> ]

This option allows filtering on TCP (Transmission Control Protocol) packets. A source or destination port may be filtered by using the src and dst specifiers, a logical expression operator and a port. A rule to allow TCP packets with a source port greater than or equal to 1024 and a destination port of 25 (SMTP mail) would look like:

permit 0.0.0.0 0.0.0.0 TCP src >= 1024 dst = 25

To allow certain sessions out but not in, use the specifier tcp-flags. The only value recognized as tcp-flags is est, which specifies that an external connection to a particular port is not allowed, but two-way traffic established by an internal machine will pass through the device. The device performs this operation by examining the flags in the TCP header. When a session is being established, the first packet only contains the "SYN" flag, while subsequent packets contain the "ACK" flag. A permit packet filter rule using the est keyword will not match a packet with only the "SYN" flag, so that packet will be dropped. Unless another rule allows it through, the "SYN" packet doesn't reach its destination, no reply is returned to the sender, and a connection is never established. See [Chapman 1995] pgs. 8-9 and the examples found later in this section.

UDP [ src <operator> <port> ] [ dst <operator> <port> ]

This option allows filtering on UDP (User Datagram Protocol) packets. A source or destination port may be filtered by using the optional src and dst specifiers. A rule to allow UDP packets with a source port greater than 910 and a destination port of 53 (Domain Name System) would look like:

permit 0.0.0.0 0.0.0.0 UDP src > 910 dst = 53

Note: CompatiView uses UDP port 33020. Care should be taken not to deny this port if CompatiView configuration is desired.


ICMP [ type <operator> <port> ]

This option allows filtering on ICMP (Internet Control Message Protocol) packets. The ICMP type may be filtered by using the type specifier. A rule to deny ICMP echo requests (pings) would look like:

deny 0.0.0.0 0.0.0.0 ICMP type = 8

GRE

This option allows filtering on GRE (Generic Routing Encapsulation) packets. GRE provides a simple, general purpose mechanism to encapsulate network protocols into IP for the purpose of tunneling across the Internet.

Note: If VPN tunneling without authentication is enabled on an interface to which an IP filter is applied, then the filter must specifically permit GRE packets.

AH

This option allows filtering on AH (Authentication Header) packets. AH is used for authentication of tunneled packets across the Internet.

Note: If VPN tunneling with authentication is enabled on an interface to which an IP filter is applied, then the filter must specifically permit AH packets.

ESP

This option allows filtering on ESP (Encapsulating Security Payload) packets. ESP is used for encryption of tunneled packets across the Internet.

Note: If VPN tunneling with encryption only (i.e., no authentication) is enabled on an interface to which an IP filter is applied, then the filter must specifically permit ESP packets.

OSPF

This option allows filtering on OSPF (Open Shortest Path First) packets. OSPF IP packets carry OSPF routing data.

proto <operator> <protocol number>

This option allows general filtering of IP protocol numbers that don't have established keywords as specified above. The rule also allows an expression to be specified which allows filtering on ranges of protocol numbers (i.e., proto > 51).

notify

This option tells the router what to do when a packet matches a particular rule. There is a counter associated with every rule that is incremented whenever a packet matches a rule. Normally, unless a notification option is specified, the matching packet will be silently dropped. The individual notification options are:

log

The log keyword causes the router to log data about the packet to syslog when the condition of the rule is met. See the [ Logging ] section for more information.

icmp

The icmp keyword is only valid on a deny rule and directs the router to return an ICMP notification to the source of the matching packet.

Examples

Drop all packets with the source host address 192.15.1.10.

deny 192.15.1.10 0.0.0.0

Drop all packets with a source network address of 192.15.1.0. All packets from hosts on that network would be denied.

deny 192.15.1.0/24 0.0.0.0

Allow only inbound and outbound mail from 192.15.14.1. The input filter:

permit 0.0.0.0 192.15.14.1 TCP src >= 1024 dst = 25
permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024

The output filter:

permit 192.15.14.1 0.0.0.0 TCP src = 25 dst >= 1024
permit 192.15.14.1 0.0.0.0 TCP src >= 1024 dst = 25

These sets of rules are intended to filter out all traffic and only allow incoming and outgoing mail to a server inside a net with an IP address of 192.15.14.1. However, these rules aren't enough to prevent an attack from someone with access to port 25: they can initiate a connection to ports greater than 1024 according to the second rule in the input filter. To prevent this from happening, add the est flag to the second rule, so that it looks like:

permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024 est

This rule now tells the router to match only TCP packets where the connection is already established. This can be done because TCP packets only have the "SYN" flag set (without "ACK") when a session is being established; after the session is established, this flag isn't set. In other words, if a connection is being established from the outside at port 25, the rule won't apply and the connection can't be established, since the packet will be dropped by the default rule.

Application

To augment the descriptions and examples above, the following application of IP filtering is provided. This application assumes that the example organization has several Class C IP networks including 192.15.9.0, 192.15.10.0 and 192.15.11.0. The organization also has an Internet connection through a separate router on the 192.15.9.0 network. That network and the rest of the Internet are considered insecure.

First, a set of input filter rules to be applied on all packets from the insecure network is defined and shown below as ip-in. The only TCP services this rule set permits access to are SMTP (mail) and NNTP (Usenet news). All break-in attempts (denies) and permitted news requests are logged. On the UDP side, everything except DNS, NFS, RPC (portmapper) and mount requests is allowed. All other IP traffic is let through.

[ IP Filter "ip-in" ]
# Explicitly permit these services
permit 0.0.0.0 0.0.0.0 tcp dst = smtp
permit 0.0.0.0 0.0.0.0 tcp dst = nntp log

# Deny access to all other services at or below port 1024
deny 0.0.0.0 0.0.0.0 tcp dst <= 1024 log

# Lock out access to our X Servers
permit 0.0.0.0 0.0.0.0 tcp dst < 6000
permit 0.0.0.0 0.0.0.0 tcp dst > 6100
deny 0.0.0.0 0.0.0.0 tcp log

# Deny access to specific UDP services
deny 0.0.0.0 0.0.0.0 udp dst = dns log
deny 0.0.0.0 0.0.0.0 udp dst = nfs log
deny 0.0.0.0 0.0.0.0 udp dst = rpc log
deny 0.0.0.0 0.0.0.0 udp dst = mount log

# Let everything else through
permit 0.0.0.0 0.0.0.0 ip

In the real world, there are some hosts which are trusted (at least a little) that are on the insecure side of the router. The following rule set permits specific access from that host to the network. In this case, the host, 192.15.9.99, needs access to the secured DNS, telnet and mail services. Telnet is further restricted to only a few hosts on the secure side. This is the gw-host rule set.

[ IP Filter "gw-host" ]
permit 192.15.9.99 0.0.0.0 udp dst = dns
permit 192.15.9.99 192.15.10.{5,15,16} tcp dst = telnet
permit 192.15.9.99 0.0.0.0 tcp dst = mail

Often there are some hosts from which all packets going through the interface should be filtered. These hosts might be local hosts containing sensitive data that should be considered invisible to the insecure network. Or they might be hosts from the insecure side that have been known to cause trouble in the past. This is the servers rule set.

[ IP Filter "servers" ]
deny 192.15.11.{100,101} 0.0.0.0 log
deny 0.0.0.0 192.15.11.{100,101} log

After the first command is entered, whether it is permit or deny, the default rule says that everything else will be denied. Therefore, a rule permitting everything is required. This is the permit all else rule set.

# The router filters everything by default, sometimes
# this isn't what we want...
[ IP Filter "permit all else" ]
permit 0.0.0.0 0.0.0.0 ip

Each IP interface in the router may have up to 4 input and output filtering rule sets. Filter sets are associated with an interface in the [ IP <Section ID> ] section. Here is how the rules described above would be applied to the interface of the insecure net.

[ IP Ethernet 3 ]
Mode = Routed
IPAddress = 192.15.9.1
InFilters = servers gw-host ip-in
OutFilters = servers "permit all else"

In this case, the interface "Ethernet 3" is attached to a small net with a gateway router and a few server hosts that run FTP, mail, DNS, and web servers. The rest of the interfaces are attached to secure internal networks. All traffic to or from the secure hosts 192.15.11.100 and 192.15.11.101 is totally blocked through this interface. All other hosts on the secure side may connect to any service on any insecure host, but the only insecure connections they will receive will be mail and netnews.
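The matching rules described in this section (the three address forms and the /bits override, the comparison operators, first-match evaluation of the concatenated sets with a silent default deny, and the est flag) can be checked offline before a filter set is applied to an interface. The following Python model is an added example, not Compatible Systems code or the device's own matching logic. It abbreviates the port and protocol keyword tables to the names used on this page, takes the "default class mask" to be the mask covering the leading non-zero address components (an assumption that reproduces every example in the text), and uses a constructed Packet record in place of real traffic; the ip-in rule set from the Application above is embedded as sample input.

```python
# Added example, not Compatible Systems code: a Python model of the matching rules above.
import operator
from dataclasses import dataclass

PORT_NAMES = {"smtp": 25, "mail": 25, "nntp": 119, "telnet": 23, "dns": 53, "domain": 53,
              "rpc": 111, "mount": 635, "nfs": 2049, "www": 80}   # subset of the table above
PROTO_NUMS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51, "ospf": 89}
OPERATORS = {"eq": operator.eq, "==": operator.eq, "=": operator.eq, "lt": operator.lt,
             "<": operator.lt, "lteq": operator.le, "le": operator.le, "<=": operator.le,
             "=<": operator.le, "gt": operator.gt, ">": operator.gt, "gteq": operator.ge,
             "ge": operator.ge, ">=": operator.ge, "=>": operator.ge, "ne": operator.ne,
             "<>": operator.ne, "!=": operator.ne}
TEST_ATTR = {"src": "sport", "dst": "dport", "type": "icmp_type", "proto": "proto"}

def ip_int(dotted: str) -> int:
    return sum(int(c) << (24 - 8 * i) for i, c in enumerate(dotted.split(".")))

def parse_address(spec: str) -> list:
    """Expand dotted-decimal (rightmost zeros are wild cards), factorized a.b.{x,y}, hex
    0x... and /bits forms into (network, mask) pairs of 32-bit ints.  Assumption: the
    default mask covers the leading non-zero components (128.138.12.0 -> /24, as above)."""
    spec, _, b = spec.partition("/")
    bits = int(b) if b else None
    if spec.lower().startswith("0x"):
        variants = [list(int(spec, 16).to_bytes(4, "big"))]
    elif "{" in spec:
        head, tail = spec.split("{", 1)
        lead = [int(c) for c in head.strip(".").split(".")] if head.strip(".") else []
        variants = [lead + [int(x)] for x in tail.rstrip("}").split(",")]
    else:
        variants = [[int(c) for c in spec.split(".")]]
    pairs = []
    for comps in variants:
        comps = (comps + [0, 0, 0, 0])[:4]                   # short forms pad with wild-card zeros
        sig = 4
        while sig and comps[sig - 1] == 0:
            sig -= 1
        mask = (0xFFFFFFFF << (32 - (sig * 8 if bits is None else bits))) & 0xFFFFFFFF
        pairs.append((ip_int(".".join(map(str, comps))) & mask, mask))
    return pairs

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    syn_only: bool = False      # first packet of a TCP handshake: SYN set, ACK clear

def parse_rule(line: str) -> dict:
    toks = line.split()
    rule = {"action": toks[0].lower(), "src": parse_address(toks[1]), "dst": parse_address(toks[2]),
            "proto": None, "tests": [], "flags": set(), "text": line}
    i = 3
    if len(toks) > 3 and toks[3].lower() in PROTO_NUMS:
        rule["proto"], i = PROTO_NUMS[toks[3].lower()], 4    # None for plain IP: any protocol
    while i < len(toks):
        t = toks[i].lower()
        if t in TEST_ATTR:                                    # src/dst port, ICMP type, proto number
            val = toks[i + 2].lower()
            rule["tests"].append((TEST_ATTR[t], OPERATORS[toks[i + 1].lower()],
                                  PORT_NAMES[val] if val in PORT_NAMES else int(val)))
            i += 3
        elif t in ("est", "log", "icmp"):
            rule["flags"].add(t)
            i += 1
        else:
            raise ValueError(f"unknown token {toks[i]!r} in rule: {line}")
    return rule

def matches(rule: dict, pkt: Packet) -> bool:
    src_ok = any(ip_int(pkt.src) & m == n for n, m in rule["src"])
    dst_ok = any(ip_int(pkt.dst) & m == n for n, m in rule["dst"])
    proto_ok = rule["proto"] is None or pkt.proto == rule["proto"]
    est_ok = not ("est" in rule["flags"] and pkt.syn_only)    # est never matches a bare SYN
    tests_ok = all(op(getattr(pkt, attr), val) for attr, op, val in rule["tests"])
    return src_ok and dst_ok and proto_ok and est_ok and tests_ok

def evaluate(filter_sets: list, pkt: Packet) -> tuple:
    """First matching rule of the concatenated sets decides; returns (action, rule, notify)."""
    for line in (l.strip() for fs in filter_sets for l in fs):
        if line and not line.startswith("#"):
            rule = parse_rule(line)
            if matches(rule, pkt):
                notify = next((f for f in rule["flags"] if f != "est"), None)
                return rule["action"], rule["text"], notify
    return "deny", None, None                                 # silent default deny

IP_IN = """
permit 0.0.0.0 0.0.0.0 tcp dst = smtp
deny 0.0.0.0 0.0.0.0 tcp dst <= 1024 log
permit 0.0.0.0 0.0.0.0 tcp dst < 6000
permit 0.0.0.0 0.0.0.0 tcp dst > 6100
deny 0.0.0.0 0.0.0.0 tcp log
deny 0.0.0.0 0.0.0.0 udp dst = dns log
permit 0.0.0.0 0.0.0.0 ip
""".splitlines()        # the "ip-in" set from the Application above, without its comments
```

evaluate() returns the action, the rule line that decided it and that rule's notify keyword, so a packet such as Packet("10.1.1.1", "192.15.10.5", 6, 40000, 23) can be traced to the "deny ... tcp dst <= 1024 log" line, and the est example above can be confirmed: a bare SYN arriving from port 25 falls through every rule to the default deny, while the same packet with ACK set is permitted. A token such as icmp directly after the destination address is read as the protocol keyword, as the synopsis orders [ proto ] before [ notify ]; to request an ICMP notification on a rule that should match every protocol, write the protocol explicitly (deny <src> <dst> ip icmp).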

References

[Chapman, 1995] Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky. O'Reilly & Associates, 1995.

[Cheswick, 1994] Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick and Steven M. Bellovin. Addison-Wesley Publishing Company, Reading, Massachusetts, 1994.

See Also

[ IP <Section ID> ], [ Logging ]


[ IP Route Filter <Name> ]

This section allows you to define, edit and name a set of IP route filtering rules. This allows the device to filter inbound IP network numbers received in routing advertisements and outbound routes advertised by the device. These filter rules are global to the device and are not associated with a particular interface. However, they can be restricted to an interface using the from or to modifiers as explained later in this section.

The device does not reorder the rules before applying them against a network number; they are applied in the order they were written. When multiple filter sets are selected, they are concatenated in the device from first to last. Any IP network not explicitly allowed by the rules will not be included in the routing table on input or in the routing update on output. To allow all other network numbers not filtered, the last rule must be:

permit 0.0.0.0

The exception to this rule is that direct and static routes are always installed and cannot be removed from the routing table using IP route filtering. This is a special section of the configuration, meaning that there are no keywords to document. The elements enclosed in square brackets ([ ]) are optional. Each section contains a complete filter set uniquely identified by the Name portion of the section name. Multiple sections may exist, each with a unique name.

Synopsis of IP Route Filtering Rules

<action> <IP address> [direction] [modifiers] [notify]

action ::= permit | deny
IP address ::= <IP address>[/<bits>]
[direction] ::= in | out | both
[modifiers] ::= via <protocol> |
    origin <protocol> |
    contains <AS number> |
    metricin | metricout <metric> |
    from | to <IP address>[/<bits>] | <port identifier string> | <AS number>
[notify] ::= log

At a minimum, every non-comment line in a filter set must include an action and an IP address. Together these components specify a filter rule that the device will follow when sending and/or receiving IP routing packets.


permit or deny

The permit action specifies that information from routing packets meeting the conditions should be included in the IP routing table. The deny action specifies that information from routing packets meeting the conditions should not be included in the IP routing table.

<IP address>[/<bits>]

IP addresses can be specified in a variety of ways:

a) IP addresses can be specified in normal dotted decimal notation. If the rightmost components are 0, they are treated as wild cards (for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet). An address with all zeros matches anything and can be used as a wild card in the case where one of the addresses doesn't matter.

b) IP addresses can be specified as a factorized address in the form of #.#.#.{#,#,...}. For example, 192.12.9.{1, 2, 3, 15} matches the hosts 192.12.9.1, 192.12.9.2, 192.12.9.3, and 192.12.9.15. There is no need for all 4 components. For example, 198.41.{8,9,10,11,12,13} would match all host addresses from 198.41.8.1 to 198.41.13.255. However, the factorized part must be at the end of the address.

c) IP addresses may also be specified as a hexadecimal number (for example, 0x82cc0801 matches the host address 130.204.8.1).

The optional /bits at the end of an IP address is a bit field denoting the number of bits that are significant when doing the comparison against the addresses from the IP packet. It denotes the top or most significant bits to use. For example, an address specified in the rules as 192.15.32.0/19 would match all host addresses from 192.15.32.1 to 192.15.63.255.

A specified bit field will override the default class-based mask generated by the address specification rules listed above. For example, the address 198.15.9.0 would have a mask of 255.255.255.0, as if a /24 had been appended to the address. However, if 198.15.9.0/8 had actually been entered, the /8 would override the default mask and all addresses from 198.0.0.1 to 198.255.255.255 would match.

Options

in | out | both

These parameters specify the packet direction for which the rule is applied. Filter rules specifying in are applied only to incoming routing packets. Filter rules specifying out are applied only to outgoing routing packets. If no direction is specified, both is assumed.

via <protocol>

This modifier specifies that the rule be applied to routing data being received or transmitted by the routing protocol designated. The possible values are icmp, rip, ripv2, ospf, and bgp. By default, the rule is applied to all routing data. Multiple protocols may be listed, each separated by white space.


contains <AS number>

This modifier specifies that the rule be applied if the BGP Autonomous System (AS) path contains the specified AS number anywhere in the AS path, which is a record of each AS that a BGP route has traversed. The AS number is specified as an integer.

origin <protocol>

This modifier limits output rules to routes originating from the designated protocol. The possible values are icmp, rip, ripv2, static, direct, ospf and bgp. By default, the rule applies to all routes regardless of origin. Multiple protocols may be listed, each separated by white space.

metricin | metricout <metric>

These modifiers allow the metric on incoming and outgoing routes to be incremented or decremented. The metric is the number of routers on a route. By increasing or decreasing the metric, a particular route can be made more or less attractive. The value must be a decimal number between 1 and 15.

from | to <IP address>[/<bits>] | <port identifier string> | <AS number>

This modifier narrows the rule to apply only to routes from or to a specific IP address, IP interface, or, if BGP is in use, an AS. If an IP address is specified, it must be in one of the formats discussed above. If a port identifier string is specified, it must be a recognized interface (e.g., Ethernet 0, WAN 0, etc.). If an AS number is specified, it must be an integer.

log

The log option causes the device to log data about the packet to syslog when the condition of the rule is met. See the [ Logging ] section.

Examples

The following example specifies to permit input only from RIP and only from 198.41.11.1, and output of routing information that originates from RIP, directly connected routes and static routes.

[ IP Route Filter "rip-in" ]
permit 0.0.0.0 in via rip from 198.41.11.1
permit 0.0.0.0 out origin rip direct static

The following example illustrates a BGP route filter. This filter would deny any incoming routes that contained AS 600 anywhere in their AS path. Note the final line in the route filter to prevent unintended filtering of RIP and OSPF routes.

[ IP Route Filter "bgp600" ]
deny 0.0.0.0 in via bgp contains 600
permit 0.0.0.0 in via rip ospf


The route filter is applied in the [ General ] section.

[ General ]
IPRouteFilters = rip-in bgp600
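The direction, via, origin, contains and from/to modifiers above, together with first-match evaluation and the default deny, can be modelled in a few lines so that a route filter can be checked against sample routes before it is placed in [ General ]. The following Python model is an added example, not Compatible Systems code. It assumes a simplified address match (0.0.0.0 is the wild card and any other address is read as an explicit prefix; the rightmost-zero default mask described above is not modelled), assumes the value after from or to is a single token (an IP address or AS number, not a two-word interface name), parses metricin and metricout without applying them, and does not model the rule that direct and static routes are always installed. The Route record and the two rule sets from the Examples above are the constructed sample input.

```python
# Added example, not Compatible Systems code: a Python model of the route filter rules above.
import ipaddress
from dataclasses import dataclass, field

KEYWORDS = {"in", "out", "both", "via", "origin", "contains", "metricin", "metricout", "from", "to", "log"}


@dataclass
class Route:
    network: str                  # prefix in CIDR form, e.g. "10.5.0.0/16"
    protocol: str                 # routing protocol carrying the update: rip, ripv2, ospf, bgp, icmp
    origin: str = ""              # for outbound routes, how the device learned it (rip, static, direct, ...)
    peer: str = ""                # neighbour the update came from / goes to, checked by from and to
    as_path: tuple = ()           # BGP AS path; empty for non-BGP routes


@dataclass
class RouteRule:
    action: str
    address: str
    text: str
    direction: str = "both"
    via: list = field(default_factory=list)
    origin: list = field(default_factory=list)
    contains: int = None
    metricin: int = None          # parsed but not applied in this model
    metricout: int = None
    peer: str = None
    log: bool = False


def parse_route_rule(line: str) -> RouteRule:
    toks = line.split()
    rule = RouteRule(toks[0].lower(), toks[1], line)
    i = 2
    while i < len(toks):
        t = toks[i].lower()
        if t in ("in", "out", "both"):
            rule.direction, i = t, i + 1
        elif t in ("via", "origin"):                     # protocol list runs until the next keyword
            j = i + 1
            while j < len(toks) and toks[j].lower() not in KEYWORDS:
                j += 1
            setattr(rule, t, [p.lower() for p in toks[i + 1:j]])
            i = j
        elif t in ("contains", "metricin", "metricout"):
            setattr(rule, t, int(toks[i + 1]))
            i += 2
        elif t in ("from", "to"):                        # assumption: single-token peer (IP or AS number)
            rule.peer, i = toks[i + 1], i + 2
        elif t == "log":
            rule.log, i = True, i + 1
        else:
            raise ValueError(f"unknown token {toks[i]!r} in rule: {line}")
    return rule


def prefix_matches(spec: str, network: str) -> bool:
    """0.0.0.0 is the wild card; any other spec is read as an explicit prefix (simplification:
    the rightmost-zero default mask described above is not modelled here)."""
    if spec == "0.0.0.0":
        return True
    return ipaddress.ip_network(network).subnet_of(ipaddress.ip_network(spec, strict=False))


def route_matches(rule: RouteRule, route: Route, direction: str) -> bool:
    return (rule.direction in ("both", direction)
            and prefix_matches(rule.address, route.network)
            and (not rule.via or route.protocol in rule.via)
            and (not rule.origin or route.origin in rule.origin)
            and (rule.contains is None or rule.contains in route.as_path)
            and (rule.peer is None or rule.peer == route.peer))


def evaluate_route(filter_sets: list, route: Route, direction: str) -> tuple:
    """First matching rule of the concatenated sets decides: (action, rule text, log).
    No match means the network is not installed / not advertised (default deny)."""
    for line in (l.strip() for fs in filter_sets for l in fs):
        if line and not line.startswith("#"):
            rule = parse_route_rule(line)
            if route_matches(rule, route, direction):
                return rule.action, rule.text, rule.log
    return "deny", None, False


# The two rule sets from the Examples above, as sample input.
RIP_IN = ["permit 0.0.0.0 in via rip from 198.41.11.1",
          "permit 0.0.0.0 out origin rip direct static"]
BGP600 = ["deny 0.0.0.0 in via bgp contains 600",
          "permit 0.0.0.0 in via rip ospf"]
```

Running the bgp600 set without its final line shows why that line is there: an incoming OSPF route matches nothing and is dropped by the default deny. The same default applies to a BGP route whose AS path does not contain 600; as written, bgp600 has no permit line for BGP, so such a route is also left out of the routing table unless a further permit ... via bgp rule is added.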

See Also

[ IP <Section ID> ], [ IP Static ], [ IP Filter <Name> ], [ IP Route Redistribution ], [ BGP Route Map <Name> ], [ Logging ], [ General ], ip(show)


[ IP Static ]

This section sets a default IP router and permits the definition of multiple static routes. Static routes provide IP routing information to the device when the device has not been able to determine the correct route for an IP packet using dynamic routing information. The device may also be configured to redistribute a static route via RIP. In cases where the routing metrics (the number of routing hops to a destination) are equal between a static route and a dynamic route, Compatible Systems devices will use the dynamic route.

Note: Static routes are more difficult to maintain and are generally not as reliable as dynamically determined routes. We recommend that you use static routing only when the network does not provide adequate routing information through RIP.

This is a special section of the configuration, meaning that there are no keywords to document. Each line contains a complete IP static route entry. Each static route consists of a line with the following syntax:

<Destination> <Mask> <Gateway/Port> <Metric> [Redist= RIP | OSPF1 | OSPF2 | BGP | none ]

Destination

A Destination is an IP address for which you wish to provide static routing information. It is usually entered in the standard dotted-decimal notation for IP addresses. However, values can be entered in hexadecimal as well. Hexadecimal numbers must either be preceded by a "0x" or they must be complete (8 hexadecimal digits, e.g., C6290C00 for 198.41.12.0).

If 0.0.0.0 is specified as the Destination, then the route being added is to a default router. The Mask must also be 0.0.0.0. The default router will be used to route packets when the destination network is not known by the device.

Note: The "default router" is used as a "route of last resort" when your device cannot determine where an IP packet should be sent. In very simple routing setups, including connecting small networks to the Internet through an Internet Service Provider, a default router entry may be the only routing information required.

Mask

The Mask field tells the device how much of the destination address entry should be considered when determining the route for a packet. This field has the same format as the Destination field but typically has 255's for the network portion of the address and 0 for the host portion when adding a network route, and all 255's when adding a host route. See the subnet mask description in the [ IP <Section ID> ] section for more information.


Gateway/Port

The Gateway field also has the same format as the Destination option and usually is the address of another router (gateway) which is responsible for packets being sent to the destination address.

This field can also be specified as a physical interface of the device you are configuring (e.g., WAN 1). However, the name of a physical interface cannot be used when that interface is configured for Frame Relay operation. This is because the Frame Relay protocol allows multiple IP addresses to be reached over a single physical interface via different PVCs (permanent virtual circuits). See the [ Frame Relay <Section ID> ] section for more information.

Metric

The Metric field specifies the distance or cost to the destination address. The metric is used by the routing process to determine where packets should be sent. It usually corresponds loosely with the number of hops to the destination. A lower value makes this a "better" route. The value entered here must be between 1 and 15 and may correspond to the actual number of hops to the gateway or may be larger to artificially inflate the cost.

Note: There are several reasons why you might enter a static route with an inflated metric. If there is more than one route to a destination but the route with the shortest number of hops is over a slow WAN link, you might add a route with an inflated metric to cause the IP traffic to take the "quicker" route.

Redist=RIP | OSPF1 | OSPF2 | BGP | none

The optional Redist field indicates whether a static route should be redistributed. If you leave this field off or if none is specified, the static route will not be redistributed. Only one routing protocol can be selected for redistributing each static route.

If RIP is specified, the static route entry will be redistributed into the RIP routing protocol, which means that other routers will be able to choose this device as a way to forward packets to the destination address, depending on the metric and what other routes are available. Routing information received via RIP from other routers will be redistributed out other interfaces where RIP processing is enabled. When routes are rebroadcast in this fashion, the metric for this route is increased by 1, which increases the cost of the route.

If OSPF1 or OSPF2 is specified, the static route entry will be redistributed into the OSPF routing protocol. The 1 or 2 refer to the two types of external metrics which may be used in OSPF. The cost of a type 2 route is simply the external cost, regardless of the interior (i.e., within OSPF) cost to reach that router. A type 1 cost is the sum of both the external cost and the internal cost used to reach that router.


If BGP is specified, the static route entry will be redistributed into the BGP routing protocol.

Examples

The first example adds a default route which passes all packets with unknown destinations to WAN 0. This route might be used on a device which has a connection to an Internet Service Provider via PPP through serial interface WAN 0.

[ IP Static ]
0.0.0.0 0.0.0.0 Wan 0 1

The next example adds a route to network 198.41.13.0 through the gateway 198.41.9.65. Notice that the metric is 4. That means that if a better dynamic route is found (the metric is less than or equal to 4), this route will not be used. The command also tells the device to include this route in its RIP broadcast.

[ IP Static ]
198.41.13.0 255.255.255.0 198.41.9.65 4 Redist=RIP

See Also

[ IP <Section ID> ], [ IP Route Filter <Name> ], ip(show), [ Frame Relay <Section ID> ]


[ IPX Filter <Name> ]

This section allows you to define, edit and name a set of IPX filtering rules. The named set of filtering rules may then be associated with either the IPX input or output filtering attributes of an interface. This method allows the greatest flexibility since common rules may be established and applied independently to the inbound and outbound interfaces.

The device does not reorder the rules as they are specified before using them. They are applied in the order they were written. When multiple filter sets are selected, they are concatenated in the device from first to last. Any IPX packet not explicitly allowed by the rule set is dropped silently. To allow all other packets not filtered, the last rule must be:

permit

This is a special section of the configuration, meaning that there are no keywords to document. The elements enclosed in square brackets ([ ]) are optional. Each section contains a complete filter set uniquely identified by the Name portion of the section name. Multiple sections may exist, each with a unique name.

Synopsis of IPX Filtering Rules

<action> [type exp] [srcnet exp] [dstnet exp] [srcnode exp] [dstnode exp] [srcskt exp] [dstskt exp] [notify]

action ::= permit | deny
[type exp] ::= type <operator> <IPX packet type>
[srcnet exp] ::= srcnet <operator> <network number>
[dstnet exp] ::= dstnet <operator> <network number>
[srcnode exp] ::= srcnode <operator> <node address>
[dstnode exp] ::= dstnode <operator> <node address>
[srcskt exp] ::= srcskt <operator> <socket number>
[dstskt exp] ::= dstskt <operator> <socket number>
[notify] ::= log

At a minimum, every non-comment line in a filter set must include an action.

permit or deny

The action permit specifies that packets meeting the conditions should be passed through the filter. The action deny specifies that packets meeting the conditions should be dropped by the filter.

Options

The basic action specified in the rule will almost always be accompanied by an option. IPX packet filter options use some or all of a set of operators to determine whether the filter rule matches information in a packet or not.

operator

The operator parameter is a logical operator used to compare a field in the packet against the value given in a filtering rule. The following logical operators are supported:


eq, ==, and =

These are acceptable ways of writing an "equality" operator which will match if the value in the packet is equal to the value specified in the option expression.

lt and <

These are acceptable ways of writing a "less than" operator which will match if the value in the packet is less than the value specified in the option expression.

lteq, le, <=, and =<

These are acceptable ways of writing a "less than or equal to" operator which will match if the value in the packet is less than or equal to the value specified in the option expression.

gt and >

These are acceptable ways of writing a "greater than" operator which will match if the value in the packet is greater than the value specified in the option expression.

gteq, ge, >=, and =>

These are acceptable ways of writing a "greater than or equal to" operator which will match if the value in the packet is greater than or equal to the value specified in the option expression.

ne, <>, and !=

These are acceptable ways of writing an "inequality" operator which will match if the value in the packet is not equal to the value specified in the option expression.

The options available for IPX packet filter rules allow rules to be more narrowly specified to exclude all but certain types of packets, packets with a given source network number (srcnet), packets with a specified destination network number (dstnet), packets with a selected source socket number (srcskt), packets with a selected destination socket number (dstskt), packets with a chosen source node address (srcnode), and/or packets with a stated destination node address (dstnode).

type <operator> <IPX packet type>

This rule allows filtering on the IPX packet type. The IPX packet type is specified as a hex number. The keyword all may be used to specify all packet types. For some versions of NetWare, the packet type field is not a reliable indicator of the type of packet encapsulated by the IPX header. Generally, the source and destination socket fields should be used to implicitly filter the packet type. NetBIOS propagate packets (type 14h) are an exception to this rule.


srcnet <operator> <network number>

This rule allows filtering on the source network number in the IPX header. The network number is specified as a hex value in the range of 1 to FFFFFFFE. The keyword all may be used to specify all network number values.

dstnet <operator> <network number>

This rule allows filtering on the destination network number in the IPX header. The network number is specified as a hex value in the range of 1 to FFFFFFFE. The keyword all may be used to specify all network number values.

srcskt <operator> <socket number>

This rule allows filtering on the source socket number in the IPX header. The IPX socket number is specified as a hex value. The keyword all may be used to specify all socket values. Also, the following keywords may be used for well-known socket numbers:

NCP (0451h); SAP (0452h); RIP (0453h); DIAG (0456h)

dstskt <operator> <socket number>

This rule allows filtering on the destination socket number in the IPX header. The IPX socket number is specified as a hex value. The keyword all may be used to specify all socket values. The keywords listed above for srcskt may also be used.

srcnode <operator> <node address>

This rule allows filtering on the source node address in the IPX header. The only operators allowed on node addresses are equality and inequality. The node address is specified as an Ethernet address, which is six hexadecimal octets separated by dots (.) or colons (:) (e.g., 0.0.A5.0.0.1 or 0:0:A5:0:0:1). The keyword all may be used to specify all node values.

dstnode <operator> <node address>

This rule allows filtering on the destination node address in the IPX header. The only operators allowed on node addresses are equality and inequality. The node address is specified as shown above for srcnode. The keyword all may be used to specify all node values.

log

The log option causes the device to log data about the packet to syslog when the condition of the rule is met.

Examples

Drop all packets where the source network number is greater than or equal to 1000 and permit all other packets.

[ IPX Filter "deny-1000" ]
deny srcnet >= 1000
permit


Drop all packets from a specific IPX node and network and permit all other packets.

[ IPX Filter "beatles" ]
deny srcnet = FAB4 srcnode = 0.0.A5.0.0.1
permit

Drop all packets where the source socket is a diagnostic packet, log the denial and permit all other packets through.

[ IPX Filter "diagnostic" ]
deny srcskt = DIAG log
permit

See Also

[ IPX <Section ID> ], [ IPX Route Filter <Name> ], [ IPX SAP Filter <Name> ], [ IPX Tunnels ], [ Logging ], ipx(show)


[ IPX Route Filter <Name> ]

This section allows you to define, edit and name a set of IPX route filtering rules. This allows the device to filter inbound IPX network numbers received via broadcast advertisements and outbound routes advertised from the device. These filter rules are global to the device and are not associated with a particular interface. However, they can be restricted to an interface using the from or to modifiers as explained later in this section.

The device does not reorder the rules as they are specified before applying them against a network number. They are applied in the order they were written. When multiple filter sets are selected, they are concatenated in the device from first to last.

Any network numbers not explicitly allowed by the rules will not be included in the routing table on input or in the routing update on output. To allow all other network numbers not filtered, the last rule must be:

permit network = all

This is a special section of the configuration, meaning that there are no keywords to document. The elements enclosed in square brackets ([ ]) are optional. Each section contains a complete filter set uniquely identified by the Name portion of the section name. Multiple IPX route filter sections may exist, each with a unique name.

Synopsis of IPX Route Filtering Rules

<action> <network exp> [direction] [modifiers] [notify]

action ::= permit | deny
network exp ::= network <operator> <network number>
[direction] ::= in | out | both
[modifiers] ::= from | to {<ipx internet address> | <port identifier string>} | metricin | metricout <metric>
[notify] ::= log

At a minimum, every non-comment line in a filter set must include an action and a network expression. Together these components specify a filter rule that the device will follow when sending and/or receiving IPX RIP packets.

permit or deny

The permit action specifies that information from routing packets meeting the conditions should be included in the IPX routing table. The deny action specifies that information from routing packets meeting the conditions should not be included in the IPX routing table.

network <operator> <network number>

This rule allows filtering of the network number from either the inbound or outbound IPX route advertisement. The network exp uses a set of operators to specify the conditions under which the rule will be satisfied.


operator

These operators are used to determine whether the filter rule matches information in a RIP packet or not. The following logical operators are supported:

eq, ==, and =

These are acceptable ways of writing an "equality" operator which will match if the value in the routing information is equal to the value specified in the network expression.

lt and <

These are acceptable ways of writing a "less than" operator which will match if the value in the routing information is less than the value specified in the network expression.

lteq, le, <=, and =<

These are acceptable ways of writing a "less than or equal to" operator which will match if the value in the routing information is less than or equal to the value specified in the network expression.

gt and >

These are acceptable ways of writing a "greater than" operator which will match if the value in the routing information is greater than the value specified in the network expression.

gteq, ge, >=, and =>

These are acceptable ways of writing a "greater than or equal to" operator which will match if the value in the routing information is greater than or equal to the value specified in the network expression.

ne, <>, and !=

These are acceptable ways of writing an "inequality" operator which will match if the value in the routing information is not equal to the value specified in the network expression.

network number

This parameter is the IPX network number specified as a hex value in the range of 1 to FFFFFFFE. The keyword all may be used to specify all network values.

Options

in | out | both

These parameters specify the direction for which the rule is applied. Filter rules specifying in are applied only to incoming routing packets. Filter rules specifying out are applied only to outgoing routing packets. If no direction is specified, both is assumed.


from | to <ipx internet address> | <port identifier string>

This modifier narrows the rule to apply only to routes from or to a specific IPX internet address or IPX interface. The ipx internet address is specified as a hexadecimal network number and node number separated by a dash (e.g., A011-0:0:A5:0:0:1 indicates a node with the hexadecimal network number of A011 and a node address of 0:0:A5:0:0:1). The port identifier string must be a recognized interface (e.g., Ethernet 0, WAN 0, etc.).

metricin | metricout <metric>

These modifiers allow the metric on incoming and outgoing routes to be incremented or decremented. The metric is the number of routers on a route. By increasing or decreasing the metric, a particular route can be made more or less attractive. The value must be a decimal number between 0 and 15.

log

The log option causes the device to log data about the packet to syslog when the condition of the rule is met.

Examples

The following example specifies a rule to allow routes to be input from any IPX network except network number 7.

[ IPX Route Filter "net-7" ]
permit network != 7

The following example specifies that routing information should only be accepted from the Ethernet 0 interface.

[ IPX Route Filter "ether0-only" ]
permit network = ALL from ethernet 0

The "ether0-only" filter would be applied in the [ General ] section.

[ General ]
IPXRouteFilters = ether0-only

See Also

[ IPX <Section ID> ], [ IPX Filter <Name> ], [ IPX SAP Filter <Name> ], [ IPX Tunnels ], [ Logging ], [ General ], ipx(show)


[ IPX SAP Filter <Name> ]

This section allows you to define, edit and name a set of IPX SAP filtering rules. This allows the device to filter inbound IPX servers received via broadcast advertisements and output servers advertised from the device. These filter rules are global to the device and are not associated with a particular interface. However, they can be restricted to an interface using the from or to modifiers in the rule.

The device does not reorder the rules as they are specified before using them. They are applied in the order they were written. When multiple filter sets are selected, they are concatenated in the device from first to last.

Any server not explicitly allowed by the rules will not be included in the SAP table or in the SAP update. To allow all other servers not filtered, the last rule must be:

permit

This is a special section of the configuration, meaning that there are no keywords to document. The elements enclosed in square brackets ([ ]) are optional. Each section contains a complete filter set uniquely identified by the Name portion of the section name. Multiple sections may exist, each with a unique name.

Synopsis of IPX SAP Filtering Rules

<action> [type exp] [server exp] [network exp] [node exp] [socket exp] [direction] [modifiers] [notify]

action ::= permit | deny
[type exp] ::= type <operator> <server type>
[service exp] ::= server <operator> <server name>
[network exp] ::= network <operator> <network number>
[node exp] ::= node <operator> <node address>
[socket exp] ::= socket <operator> <socket number>
[direction] ::= in | out | both
[modifiers] ::= from | to {<ipx internet address> | <port identifier string>} | metricin | metricout <metric>
[notify] ::= log

At a minimum, every non-comment line in a filter set must include an action.

permit or deny

The permit action specifies that server information meeting the conditions should be inserted into the device's SAP table. The deny action specifies that server information meeting the conditions should not be included in the device's SAP table.

Options

An action alone will not create a useful filter rule (except for setting a default route as noted above). The basic action specified in the rule will almost always be accompanied with an option. IPX SAP filter options use some or all of a set of operators to determine whether the filter rule matches information in a packet or not.

operator

These operators are used to determine whether the filter rule matches information in a SAP packet or not. The following logical operators are supported:

eq, ==, and =

These are allowable ways of writing an "equality" operator which will match if the value in the server information is equal to the value specified in the option expression.

lt and <

These are allowable ways of writing a "less than" operator which will match if the value in the server information is less than the value specified in the option expression.

lteq, le, <=, and =<

These are allowable ways of writing a "less than or equal to" operator which will match if the value in the server information is less than or equal to the value specified in the option expression.

gt and >

These are allowable ways of writing a "greater than" operator which will match if the value in the server information is greater than the value specified in the option expression.

gteq, ge, >=, and =>

These are allowable ways of writing a "greater than or equal to" operator which will match if the value in the server information is greater than or equal to the value specified in the option expression.

ne, <>, and !=

These are allowable ways of writing an "inequality" operator which will match if the value in the server information is not equal to the value specified in the option expression.

type <operator> <IPX server type>

This option allows filtering of the server type contained in the SAP update tuple. The IPX server type is specified as a hex value. The keyword all may be used to specify all server types.

server <operator> <server name>

This option allows filtering of the server name contained in the SAP update tuple. The operator in this rule can only be "equality" or "inequality." The server name must be enclosed in quotation marks ("") and be 48 characters or less.


network <operator> <network number>

This option allows filtering of the server network number contained in the SAP table. The network number is specified as a hex value in the range of 1 to FFFFFFFE. The keyword all may be used to specify all network numbers.

node <operator> <node address>

This option allows filtering of the server node address contained in the SAP table. The operator in this rule can only be "equality" or "inequality." The node address is specified as an Ethernet address. An Ethernet address is specified as six hexadecimal octets separated by colons (:) or dots (.). An example would be 0:0:A5:0:0:1 or 0.0.A5.0.0.1. The keyword all may be used to specify all node addresses.

socket <operator> <socket number>

This rule allows filtering of the server socket contained in the SAP table. The server socket number is specified as a hex value. The keyword all may be used to specify all socket numbers.

in | out | both

These parameters specify the packet direction for which the rule is applied. Filter rules specifying in are applied only to incoming server information. Filter rules specifying out are applied only to outgoing server information. This modifier is required since the IPX SAP filtering rules are global to the device. If no direction is specified, both is assumed.

from | to <IPX internet address> | <port identifier string>

This modifier narrows the rule to apply only to server information from or to a specific IPX internet address or IPX port. The IPX internet address is specified as a hexadecimal network number and node number separated by a dash (e.g., A011-0:0:A5:0:0:1 indicates a node with the hexadecimal network number of A011 and a node address of 0:0:A5:0:0:1). The port identifier string must be a recognized interface (e.g., Ethernet 0, WAN 0, etc.).

metricin | metricout <metric>

These modifiers allow the metric on incoming and outgoing routes to be incremented or decremented. The metric is the number of routers on a route. By increasing or decreasing the metric, the servers on a particular route can be made more or less attractive. The value must be a decimal number between 0 and 15.

log

The log option causes the device to log data about the packet to syslog when the condition of the rule is met. See the [ Logging ] section.


Examples

In the following example, the "servers" rule set denies server advertisements from network 1ABC0 and servers with the name "Printer" which come into the device on Ethernet 0. It also denies server advertisements from network FAB4 out on Ethernet 1. The final rule is to permit everything else.

[ IPX SAP Filter "servers" ]
deny network = 1ABC0 in from ethernet 0
deny service = "Printer" in from ethernet 0
deny network = FAB4 out to ethernet 1
permit

The SAP filter is applied in the [ General ] section.

[ General ]
IPXSAPFilters = servers

See Also

[ IPX <Section ID> ], [ IPX Filter <Name> ], [ IP Route Filter <Name> ], [ IPX Tunnels ], [ Logging ], [ General ], ipx(show)
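The rule grammar shared by the [ IPX Filter <Name> ], [ IPX Route Filter <Name> ] and [ IPX SAP Filter <Name> ] sections, worked through as an added Python example that is not part of this guide or of the device firmware: it parses rule lines using the operator spellings listed above, applies concatenated filter sets first to last with a silent drop when nothing matches, and carries the filter sets from the examples. The field names, the reading of from/to as narrowing inbound and outbound rules respectively, and the sample packet and SAP tuple records are my assumptions.

```python
import operator as op
import shlex

# Operator spellings listed in the guide, each mapped to a Python comparison.
OPERATORS = {alias: fn for fn, aliases in {
    op.eq: ("eq", "==", "="), op.ne: ("ne", "<>", "!="),
    op.lt: ("lt", "<"), op.le: ("lteq", "le", "<=", "=<"),
    op.gt: ("gt", ">"), op.ge: ("gteq", "ge", ">=", "=>")}.items() for alias in aliases}
SOCKET_KEYWORDS = {"ncp": 0x451, "sap": 0x452, "rip": 0x453, "diag": 0x456}
HEX_FIELDS = {"type", "srcnet", "dstnet", "srcskt", "dstskt", "network", "socket"}
NODE_FIELDS = {"srcnode", "dstnode", "node"}   # equality/inequality only
NAME_FIELDS = {"server", "service"}            # synopsis says server, example says service
FIELDS = HEX_FIELDS | NODE_FIELDS | NAME_FIELDS

def parse_node(text):
    """Normalise 0.0.A5.0.0.1 or 0:0:A5:0:0:1 to a tuple of six ints."""
    octets = text.replace(":", ".").split(".")
    if len(octets) != 6:
        raise ValueError(f"bad node address {text!r}")
    return tuple(int(o, 16) for o in octets)

def parse_value(field, text):
    """Operands are 'all', a node address, a quoted name, or a hex number/socket keyword."""
    if text.lower() == "all":
        return "all"
    if field in NODE_FIELDS:
        return parse_node(text)
    if field in NAME_FIELDS:
        return text
    return SOCKET_KEYWORDS.get(text.lower()) or int(text, 16)

def parse_rule(line):
    """Parse one rule line of the synopsis grammar into a dict."""
    tokens = shlex.split(line)          # also strips the quotes around server names
    if not tokens or tokens[0].lower() not in ("permit", "deny"):
        raise ValueError(f"rule must start with permit or deny: {line!r}")
    rule = {"action": tokens[0].lower(), "tests": [], "direction": "both",
            "scope": None, "metric": None, "log": False}
    i = 1
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok == "log":
            rule["log"], i = True, i + 1
        elif tok in ("in", "out", "both"):
            rule["direction"], i = tok, i + 1
        elif tok in ("from", "to"):
            # "Ethernet 0" is two tokens; an IPX address such as A011-0:0:A5:0:0:1 is one.
            target, i = tokens[i + 1].lower(), i + 2
            if "-" not in target and i < len(tokens) and tokens[i].isdigit():
                target, i = f"{target} {tokens[i]}", i + 1
            rule["scope"] = (tok, target)
        elif tok in ("metricin", "metricout"):
            rule["metric"], i = (tok, int(tokens[i + 1])), i + 2
            if not 0 <= rule["metric"][1] <= 15:
                raise ValueError("metric must be a decimal number between 0 and 15")
        elif tok in FIELDS:
            fn = OPERATORS[tokens[i + 1].lower()]      # KeyError on an unknown operator
            if tok not in HEX_FIELDS and fn not in (op.eq, op.ne):
                raise ValueError(f"{tok} allows only equality or inequality")
            field = "server" if tok == "service" else tok
            rule["tests"].append((field, fn, parse_value(tok, tokens[i + 2])))
            i += 3
        else:
            raise ValueError(f"unknown keyword {tokens[i]!r}")
    return rule

def rule_matches(rule, record, direction):
    """record holds the packet or SAP/RIP tuple fields plus 'port', the interface
    name. Assumed reading: 'from' narrows inbound rules and 'to' outbound ones."""
    if rule["direction"] not in ("both", direction):
        return False
    if rule["scope"]:
        kind, target = rule["scope"]
        if kind != {"in": "from", "out": "to"}[direction] or target != record.get("port"):
            return False
    return all(value == "all" or (field in record and fn(record[field], value))
               for field, fn, value in rule["tests"])

def evaluate(filter_sets, record, direction="in"):
    """Selected sets are concatenated first to last and the first matching rule
    decides, so a trailing permit in an earlier set shadows every later set.
    Anything no rule permits is dropped silently. Returns (action, log)."""
    for lines in filter_sets:
        for rule in map(parse_rule, lines):
            if rule_matches(rule, record, direction):
                return rule["action"], rule["log"]
    return "deny", False

# Filter sets copied from the examples in the text; the sample records are constructed.
PACKET_SETS = {
    "deny-1000": ["deny srcnet >= 1000", "permit"],
    "beatles": ["deny srcnet = FAB4 srcnode = 0.0.A5.0.0.1", "permit"],
    "diagnostic": ["deny srcskt = DIAG log", "permit"],
}
SAP_SERVERS = ['deny network = 1ABC0 in from ethernet 0',
               'deny service = "Printer" in from ethernet 0',
               'deny network = FAB4 out to ethernet 1', 'permit']
DIAG_PACKET = {"srcnet": 0xFAB4, "srcnode": parse_node("0:0:A5:0:0:1"), "srcskt": 0x456}
PRINTER_ON_E0 = {"network": 0x1ABC0, "server": "Printer", "port": "ethernet 0"}
```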


[ NAT Mapping ]

This section of the configuration defines the one-to-one translation pairs of the NAT (Network Address Translation) mapping database. These pairs allow the user to provide access from the internal or external network to selected parts of the NAT internal network, such as a web server. This is a special section of the configuration, meaning that there are no keywords to document.

Each translation pair has the following syntax:

<internal IP address> [ /<bits> | :<port> ] [ -> | = ] <external IP address> [ /<bits> | :<port> ]

<internal IP address>

This is the IP address on the internal network to be mapped to the external IP address. It must be entered first, followed by " -> " or " = " and the external IP address. The internal IP address must be within the range (or ranges) of IP addresses defined by the InternalRange keyword(s) in the [ NAT Global ] section. IP addresses must be specified in normal dotted-decimal notation. If the rightmost components are 0, they are treated as wild cards (e.g., 128.138.12.0 includes all devices on the 128.138.12 subnet).

<external IP address>

This is the IP address on the external network to be mapped to the internal IP address. The external IP address must be within the range of IP addresses defined by the ExternalRange keyword in the [ NAT Global ] section.

Note: If only a single external IP address is available for the NAT router, do not map that IP address to an internal IP address because you will no longer be able to communicate with the router. Mapping single ports of the single external IP address to internal IP address:port combinations (e.g., creating access to a web server in the internal NAT network) is acceptable, however.

:<port>

The :port option allows an individual socket (IP address and port combination) to be mapped as part of a translation pair.

Note: An IP address:port combination cannot be paired with an IP address range (even if that range is a single IP address). It can only be paired with another IP address:port combination.

/<bits>

The /bits option allows a range of IP addresses to be mapped as part of a translation pair. The bits field denotes the top or most significant bits which define the range. For example, an address specified as 192.15.32.0/19 would indicate a range from 192.15.32.1 to 192.15.63.255.


Examples

The following example shows one IP address being translated into another.

[ NAT Mapping ]
10.5.3.20 -> 198.41.9.194

The following example shows individual sockets (IP address and port combination) being mapped as a translation pair.

[ NAT Mapping ]
10.5.3.10:80 -> 198.41.9.195:80

The following example shows a range of IP addresses being mapped as a translation pair.

[ NAT Mapping ]
10.5.3.0/29 -> 198.41.9.200/29

See Also

[ IP <Section ID> ], ip(show), [ NAT Global ], nat(show)
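An added Python example, not from this guide, that parses translation pairs of the syntax above, applies the pairing rules this section states (address:port only with address:port, the /bits range convention, the caveat about a single external address) and looks up the external address for an internal host. The InternalRange and ExternalRange values, the single external address, and the requirement that both sides of a range mapping carry the same /bits are constructed assumptions.

```python
import ipaddress
import re

# <internal IP address> [/bits | :port] (-> | =) <external IP address> [/bits | :port]
PAIR_RE = re.compile(r"^\s*(?P<internal>[\d.]+)(?P<isuffix>/\d+|:\d+)?\s*(?:->|=)\s*"
                     r"(?P<external>[\d.]+)(?P<esuffix>/\d+|:\d+)?\s*$")

def _side(addr, suffix):
    """Classify one side as ('host', ip), ('socket', (ip, port)) or ('range', network)."""
    ip = ipaddress.IPv4Address(addr)
    if suffix is None:
        return "host", ip
    if suffix.startswith(":"):
        port = int(suffix[1:])
        if not 0 < port < 65536:
            raise ValueError(f"bad port {port}")
        return "socket", (ip, port)
    # The bits field gives the most significant bits; host bits are masked off (assumption).
    return "range", ipaddress.IPv4Network(f"{ip}/{suffix[1:]}", strict=False)

def parse_pair(line):
    """Parse one translation pair and enforce the pairing rules from the text."""
    m = PAIR_RE.match(line)
    if not m:
        raise ValueError(f"not a translation pair: {line!r}")
    ikind, internal = _side(m["internal"], m["isuffix"])
    ekind, external = _side(m["external"], m["esuffix"])
    if ikind != ekind:   # an address:port may only be paired with another address:port
        raise ValueError(f"cannot pair {ikind} with {ekind}: {line!r}")
    if ikind == "range" and internal.prefixlen != external.prefixlen:
        raise ValueError(f"one-to-one range mapping needs equal /bits on both sides: {line!r}")
    return ikind, internal, external

def range_bounds(network):
    """Hosts covered by a /bits range as the guide reads it (192.15.32.0/19 -> .32.1 to .63.255)."""
    network = ipaddress.IPv4Network(network, strict=False)
    return str(network.network_address + 1), str(network.broadcast_address)

def _within(item, network):
    return item.subnet_of(network) if isinstance(item, ipaddress.IPv4Network) else item in network

def check_pairs(lines, internal_ranges, external_range, single_external=None):
    """Return a list of problems. internal_ranges and external_range stand in for the
    InternalRange/ExternalRange keywords of [ NAT Global ]; single_external is the router's
    only external address when it has just one. All three are constructed inputs."""
    internal_nets = [ipaddress.IPv4Network(r) for r in internal_ranges]
    external_net = ipaddress.IPv4Network(external_range)
    problems = []
    for line in lines:
        try:
            kind, internal, external = parse_pair(line)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        iaddr = internal[0] if kind == "socket" else internal
        eaddr = external[0] if kind == "socket" else external
        if not any(_within(iaddr, n) for n in internal_nets):
            problems.append(f"internal side outside InternalRange: {line!r}")
        if not _within(eaddr, external_net):
            problems.append(f"external side outside ExternalRange: {line!r}")
        # Mapping the only external address whole cuts off access to the router itself;
        # mapping single ports of it is fine.
        if single_external and kind != "socket":
            single = ipaddress.IPv4Address(single_external)
            if single == eaddr or (kind == "range" and single in eaddr):
                problems.append(f"maps the router's only external address: {line!r}")
    return problems

def translate(pairs, internal_host, port=None):
    """External address (or address:port) for an internal host under the given pairs."""
    host = ipaddress.IPv4Address(internal_host)
    for kind, internal, external in pairs:
        if kind == "socket":
            if port is not None and internal == (host, port):
                return f"{external[0]}:{external[1]}"
        elif kind == "host" and internal == host:
            return f"{external}:{port}" if port is not None else str(external)
        elif kind == "range" and host in internal and host != internal.network_address:
            ext = external.network_address + (int(host) - int(internal.network_address))
            return f"{ext}:{port}" if port is not None else str(ext)
    return None

# The three example pairs from the text above.
EXAMPLE_PAIRS = ["10.5.3.20 -> 198.41.9.194",
                 "10.5.3.10:80 -> 198.41.9.195:80",
                 "10.5.3.0/29 -> 198.41.9.200/29"]
```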


[ VPN Users ]

This section of the configuration defines the IntraPort users database. Each line defines an IntraPort user along with that user's VPN Group configuration and password. Multi-line entries must have line breaks escaped with a backslash. However, line breaks encapsulated in a double quoted string are preserved. When an IntraPort client begins a tunnel session, it transmits the username to the device. If the user is found in this section, the information found in the entry is used to set up the tunnel. RADIUS and LDAP servers can also be used for authentication of VPN users (see the [ Radius ] or [ LDAP Auth Server ] sections). If the username is not found, and a RADIUS or LDAP server has not been configured to perform the authentication, then the tunnel session will not be opened and an error is returned to the client.

Each user entry has the following syntax:

username Config=<config name> [SharedKey=<Pass Phrase>] [Auth=<Authentication Pass Phrase>] [Encrypt=<Encryption Pass Phrase>]

username

The username is a string which identifies a unique user. It must be the same as the string entered into that user's client. The name may be between one and 60 alphanumeric characters. If the string contains spaces or other special characters, it must be enclosed in quotes. This entry must always be the first on the line.

Config=<config name>

The Config keyword is required for all users and specifies which [ VPN Group <Name> ] section is used to define the tunneling parameters used by the client. Therefore, the config name must be the same as the Name portion of a [ VPN Group <Name> ] section. Information from that section is sent to the client when the tunnel is opened.

SharedKey=<Pass Phrase>

The SharedKey keyword is used to generate session keys which are then used to authenticate and/or encrypt each packet received from or sent to the client. This keyword is only valid for VPN groups using IKE. The same key must be entered into the IntraPort Client for the tunnel session to be successfully established. The Pass Phrase may be between 1-255 characters long.

Auth=<Authentication Pass Phrase>

The Auth keyword is used to generate session keys which are used to authenticate each packet received from or sent to the client. This keyword is only valid for VPN groups using manual key management. The same key must be entered into the IntraPort client in order for authentication to succeed. If the Auth keyword is omitted, then packets are not authenticated for this connection. The Authentication Pass Phrase may be between 1-255 characters long.

Encrypt=<Encryption Pass Phrase>


The Encrypt keyword is used to generate session keys which are used to encrypt each packet received from or sent to the client. This keyword is only valid for VPN groups using manual key management and either 3DES, DES or PLE encryption. The same key must be entered into the IntraPort client in order for encryption to succeed. The Encryption Pass Phrase may be between 1-255 characters long.

Example

[ VPN Users ]
Fred Config="Bedrock" SharedKey="Wilma"
Barney Config="Cobblestone County" SharedKey="Betty"

See Also

[ Radius ], [ LDAP Auth Server ], [ VPN Group <Name> ], vpn(show)
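An added Python example, not from this guide, that splits a [ VPN Users ] body into entries using the backslash and double-quote line break rules described above and checks each entry against the keyword constraints of this section. The table mapping each [ VPN Group <Name> ] to IKE or manual key management, and the sample users beyond Fred and Barney, are constructed.

```python
import shlex

KEYWORDS = ("Config", "SharedKey", "Auth", "Encrypt")

def split_entries(section_text):
    """Split a [ VPN Users ] body into logical entries: a backslash before a line
    break continues the entry, and line breaks inside double quotes are kept."""
    entries, buf, in_quote = [], [], False
    for ch in section_text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "\n" and not in_quote:
            if buf and buf[-1] == "\\":
                buf[-1] = " "            # escaped break: the entry continues
                continue
            if "".join(buf).strip():
                entries.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        entries.append("".join(buf).strip())
    return entries

def parse_users(section_text, groups):
    """Return ({username: fields}, [problems]). groups maps each [ VPN Group <Name> ]
    section name to its key management mode, 'IKE' or 'Manual' (a constructed table)."""
    users, problems = {}, []
    for entry in split_entries(section_text):
        tokens = shlex.split(entry)        # honours the quoting rules of the text
        name, fields = tokens[0], {}
        if not 1 <= len(name) <= 60:
            problems.append(f"{name!r}: username must be 1 to 60 characters")
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep and key in KEYWORDS:
                fields[key] = value
            else:
                problems.append(f"{name}: unknown keyword {tok!r}")
        mode = groups.get(fields.get("Config"))
        if mode is None:
            problems.append(f"{name}: Config must name an existing [ VPN Group <Name> ] section")
        for key in KEYWORDS[1:]:
            if key not in fields:
                continue
            if not 1 <= len(fields[key]) <= 255:
                problems.append(f"{name}: {key} pass phrase must be 1 to 255 characters")
            wanted = "IKE" if key == "SharedKey" else "Manual"
            if mode not in (None, wanted):
                problems.append(f"{name}: {key} is only valid for groups using "
                                f"{'IKE' if wanted == 'IKE' else 'manual key management'}")
        if mode == "Manual" and "Auth" not in fields:
            problems.append(f"{name}: no Auth keyword, so packets are not authenticated")
        users[name] = fields
    return users, problems

# Constructed sample: the two users from the example plus a manual-key user whose
# entry spans lines (one escaped break, one break inside quotes) and a wrong-mode user.
SAMPLE_USERS = '''Fred Config="Bedrock" SharedKey="Wilma"
Barney Config="Cobblestone County" SharedKey="Betty"
"Pebbles Flintstone" Config="Quarry" \\
    Auth="rock solid" Encrypt="two line
secret"
Dino Config="Bedrock" Auth="wrong-mode"
'''
SAMPLE_GROUPS = {"Bedrock": "IKE", "Cobblestone County": "IKE", "Quarry": "Manual"}
```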


Management Section


apply(mgmt)


COMMAND NAME

apply - Apply a configuration without restarting the device.

SYNOPSIS

apply [ edited | flash ]

DESCRIPTION

The apply command is a privileged command that requires supervisor mode to operate. This command allows you to apply a configuration to the device immediately, without restarting the device. Either flash or edited must be specified. This command is only available on the IntraPort 2/2+, IntraPort Enterprise, and IntraPort Carrier VPN Access Servers and on the IntraGuard Firewall.

OPTIONS

edited

This keyword specifies that an edited (but not saved) configuration will be applied to the device's current operations. If the edited configuration hasn't been saved and a restart occurs, the changes will be lost and the device will revert to the configuration in the Flash ROM.

flash

This keyword specifies that the configuration which is currently in the device's Flash ROM will be applied to the device's current operations and will overwrite any runtime changes which have been made. Configurations are saved (or written) to a device's Flash ROM using either the save or write commands.

SEE ALSO

save(mgmt), write(mgmt)


bgpenable(mgmt)


COMMAND NAME

bgpenable, bgpdisable - Disable or enable BGP.

SYNOPSIS

bgpenable [ all | <IP address> ]
bgpdisable [ all | <IP address> ]

DESCRIPTION

The bgpenable command enables BGP with all peers, if all is specified, or with a specific peer if an IP address is specified. The bgpenable all command can only be used if BGP was previously disabled during this router session. Individual peers can be enabled at any time. The bgpdisable command discontinues a BGP session with a selected peer, or with all peers, without restarting the router. The IP address is specified in the standard dotted-decimal notation for IP addresses.

SEE ALSO

[ BGP General ], bgp(show)

boot(mgmt)

COMMAND NAME
boot - Restart the router immediately.

SYNOPSIS
boot

DESCRIPTION
The boot command is a privileged command that requires supervisor mode to operate. After this command is issued the router restarts. It takes 10 to 15 seconds before the router forwards packets again, and up to a minute before all the routing tables have stabilized. A modified configuration buffer that has not been saved does not survive the restart (see enable(mgmt)).

SEE ALSO
enable(mgmt), save(mgmt)

enable(mgmt)

COMMAND NAME
enable, disable - Enter and leave supervisor mode.

SYNOPSIS
enable
disable

DESCRIPTION
The enable command is used to enter the system's supervisor mode. There are two modes of operation in the command interface, supervisor mode and normal mode. All operations that do not modify the system configuration or display critical (security related) information are permitted in normal mode. In normal mode, the command prompt ends in a ">".

The enable command prompts for the password and, if it is accepted, the user enters supervisor mode. The command prompt for supervisor mode ends with a "#" to indicate that the configuration can be modified. Modified configurations are kept in an edit buffer and do not affect the runtime operation of the router. A supervisor session may be terminated or timed out by the system if no user input occurs within 5 minutes. In this case, if a modified configuration buffer exists, it remains in the system's memory until the system is restarted (see sys attach under sys(mgmt)).

Show commands that display configuration information display the edited copy while in supervisor mode. The currently configured values (stored in non-volatile Flash ROM) can be displayed by leaving supervisor mode and reentering the show command.

If the configuration in the edit buffer has been modified, the command prompt is preceded by a "*". This occurs whether or not the session is in supervisor mode.

To exit supervisor mode, use the disable command.

EXAMPLES
The following example shows supervisor mode being enabled. Notice the prompt change after enabling.

Main RISC Router> enable
Enter Password: password entered here
Main RISC Router#

The following example shows a configuration session in which the system information is displayed, the domain is changed, and then both the edited copy and the Flash version are displayed.

Main RISC Router# show sys info
Administrator: Dave Ballowe
Domain Name: Main network RISC Router
Router Location: Front office telephone closet
Main RISC Router# set sys domain Routers from the planet mars
*Main RISC Router# show sys info
Administrator: Dave Ballowe
Domain Name: Routers from the planet mars
Router Location: Front office telephone closet
*Main RISC Router# disable
*Main RISC Router> show sys info
Administrator: Dave Ballowe
Domain Name: Main network RISC Router
Router Location: Front office telephone closet
*Main RISC Router>

SEE ALSO
exit(mgmt)

exit(mgmt)

COMMAND NAME
exit, quit - Exit supervisor mode or the command parser.

SYNOPSIS
exit
quit

DESCRIPTION
The exit and quit commands both exit supervisor mode. If the session is not in supervisor mode, the command parser is exited instead: the telnet or console command line session is terminated and you are returned to the password prompt. Exiting also detaches the session from any modified configuration buffer (see sys detach under sys(mgmt)). These commands are different from the exit and quit commands of the line editor (see the edit config section for more information).

SEE ALSO
enable(mgmt), boot(mgmt), save(mgmt), edit config

help(mgmt)

COMMAND NAME
help - Display context-sensitive online help information.

SYNOPSIS
help [ <command string> ]

DESCRIPTION
A limited amount of online help is available to command line users via the help command. Help information is accessed by typing the help command, by entering incorrect input during normal command entry, or by entering a "?" (question mark) anywhere during command entry.

To display help information using the help command, enter help followed by a partial command string. The parser displays context-sensitive help for the portion of the command string that was parsed. If help is entered with no arguments, general help information is displayed along with all top level commands.

The help information displayed consists of the valid subcommands of the entered command string. If the command string is a complete command, a usage line with the command arguments and a brief command description is displayed instead.

Command help is also displayed when the parser detects an error in the user's command input. In this case, an error message followed by help information as described above is displayed.

If enhanced terminal processing mode is enabled (see terminal(set)), the portion of the command line that was successfully parsed is redisplayed on the next command prompt and does not need to be re-entered.

EXAMPLES
The following two commands are identical:

help show
show ?

Use the help command to get information about management commands:

*[ Time Server ]# help ping
Ping     Ping a remote machine

Usage: ping <destination address> | <host name> [ count <count> ] [ timeout <timeout> ] [ datalength <data length> ] [ spray ] [ sourceaddress <source address> | <interface> ]

SEE ALSO
terminal(set)

interface(mgmt)

COMMAND NAME
interface - Specify the interface for set commands.

SYNOPSIS
interface <media> [ <interface number/name> ]

DESCRIPTION
The interface command is used to select an interface to configure. Most set commands require an interface to be selected before the configuration can be modified. If you have entered supervisor mode using the enable command (see enable(mgmt)), the command prompt shows which interface you are configuring.

OPTIONS
media
This parameter specifies the media type that you want to configure. Valid media types vary depending on the device hardware and software configuration. Recognized types include: Ethernet, LocalTalk, WAN, VPN, AUX, and Bridge. If an invalid type is selected, the command prints an error message indicating that there are 0 interfaces of the selected type.

interface number/name
This optional parameter selects the specific interface and defaults to the first interface of the selected type. The argument is an integer or a letter; the first interface is number 0 or letter A.

EXAMPLES
To select the first Ethernet interface, the following three commands are equivalent:

interface ethernet
interface ethernet a
interface ethernet 0

To select the Bridge protocol port:

interface bridge

SEE ALSO
enable(mgmt)

ipxping(mgmt)

COMMAND NAME
ipxping - Send a Ping request over IPX.

SYNOPSIS
ipxping <destination address> [ count <count> ] [ timeout <timeout> ] [ datalength <data length> ] [ spray ]

DESCRIPTION
The ipxping command directs the device to send a ping request over IPX to an IPX address. This command is compatible with the Cisco IPX ping and is often used to determine whether a remote device is reachable.

When using the ipxping command to isolate network faults, devices that are nearer should be pinged first. Then, nodes successively further away should be probed. Round-trip times and packet loss statistics are computed. Duplicate and corrupted packets received from the remote node are flagged. Lost packets are flagged as timed out. When the specified number of packets have been sent (and received), a brief summary is displayed. The command can also be terminated with a <CTRL-C>.

This command is intended to be used for network testing. Because of the network load imposed by the spray option, it is unwise to use ipxping during normal operation.

OPTIONS
destination address
This required parameter indicates the remote device being pinged. The address is specified as a hexadecimal network number and node number separated by dots (e.g., A011.0.0.A5.0.0.1 indicates a node with the hexadecimal network number A011 and the node address 0.0.A5.0.0.1).

count
This optional keyword specifies the number of ipxping requests to be sent. The default is 1.

timeout
This optional keyword specifies how long to wait, in seconds, for a reply from the remote device before timing out the request. The default is 2 seconds.

datalength
This optional keyword specifies the data length of a packet. The default is 64 bytes.

spray
This optional keyword directs the ipxping command to send packets as fast as they come back, or one every timeout period, whichever comes first. For every ipxping request sent a "." is printed, and for every ipxping reply received it is erased.

EXAMPLES
To send 10 ping packets to node 38000.00.00.0c.09.7c.34 with a 1 second timeout:

Swizzle Router> ipxping 38000.00.00.0c.09.7c.34 count 10 timeout 1
Packet len 64, seqnum 1 to [38000-00:00:00:0c:09:7c:34] 16 ms.
Packet len 64, seqnum 2 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 3 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 4 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 5 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 6 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 7 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 8 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 9 to [38000-00:00:00:0c:09:7c:34] 0 ms.
Packet len 64, seqnum 10 to [38000-00:00:00:0c:09:7c:34] 0 ms.
10 pings sent, 10 received (100%)
min/max/avg time in milliseconds = 0/16/1
Swizzle Router>

Note: If more processing is enabled, output stops when a screenful of data has been output. If a lot of output is expected, more processing can be disabled using the set terminal nomore command (see terminal(set)).

SEE ALSO
terminal(set)

ospfenable(mgmt)

COMMAND NAME
ospfdisable, ospfenable - Disable or enable OSPF.

SYNOPSIS
ospfenable
ospfdisable

DESCRIPTION
The ospfenable and ospfdisable commands allow the user to temporarily disable or enable the OSPF protocol without restarting the router. The ospfdisable command causes the router to notify its neighbors that it is "going down." The ospfenable command allows the router to re-establish its adjacencies with each neighbor from scratch, just as if the router were first coming up. The ospfenable command should be used only after ospfdisable has been used.

SEE ALSO
[ IP <Section ID> ], [ OSPF Area <Name> ], [ OSPF Virtual Link <Name> ], [ IP Route Redistribution ], [ IP Route Filter <Name> ], ospf(show)

ping(mgmt)

COMMAND NAME
ping - Send ICMP Echo Requests to an IP address.

SYNOPSIS
ping <destination address> | <host name> [ count <count> ] [ timeout <timeout> ] [ datalength <data length> ] [ spray ] [ sourceaddress <source address> | <interface> ]

DESCRIPTION
The ping command directs the device to send ICMP (Internet Control Message Protocol) Echo Request messages to an IP address. This command is often used to determine whether a remote router or host is reachable.

When using the ping command to isolate network faults, hosts that are nearer to the device should be pinged first. Then, nodes successively further away should be probed. Round-trip times and packet loss statistics are computed. Duplicate and corrupted packets received from the remote node are flagged. Lost packets are flagged as timed out. When the specified number of packets have been sent (and received), a brief summary is displayed. The command can also be terminated with a <CTRL-C>.

This command is intended to be used for network testing. Because of the network load imposed by the spray option, it is unwise to use ping during normal operation.

OPTIONS
destination address or host name
This required parameter indicates the host name or IP address of the ultimate destination. It can be entered either as a numerical IP address (e.g., 10.1.2.3) or as a host name (e.g., hal.acme.com) if a Domain Name Server has been configured (see the [ Domain Name Server ] section).

count
This optional keyword specifies the number of ICMP Echo Requests to be sent. The default is 1.

timeout
This optional keyword specifies how long to wait, in seconds, for a reply from the remote host before timing out the request. The default is 2 seconds.

datalength
This optional keyword specifies the data length of a packet. The default is 64 bytes.

spray
This optional keyword directs the ping command to send packets as fast as they come back, or one every timeout period, whichever comes first. For every Echo Request sent a "." is printed, and for every Echo Reply received it is erased.

sourceaddress
This keyword specifies which port or address is to be used as the origin of the outbound packet. The value must be the IP address of an interface on the device or a port name (e.g., Ethernet 0, WAN 0). If no sourceaddress is specified, the device uses the address of the outbound interface as its source by default. This option allows packets sent out via ping to be answered correctly; in particular, it allows the ping command to function over the Internet from a device whose WAN interface uses a private, unroutable address. An example is a Frame Relay link that uses a private IP address on the WAN, where the user wants to ping across that interface to test connectivity out to the Internet.

EXAMPLES
To send 10 echo packets to node 10.0.0.1 with a 1 second timeout:

Swizzle Router> ping 10.0.0.1 10 1
Packet len 64, seqnum 1 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 2 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 3 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 4 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 5 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 6 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 7 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 8 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 9 to [10.0.0.1] 0 ms.
Packet len 64, seqnum 10 to [10.0.0.1] 0 ms.
10 pings sent, 10 received (100%)
min/max/avg time in milliseconds = 0/0/0
Swizzle Router>

Note: If more processing is enabled, output stops when a screenful of data has been output. If a lot of output is expected, more processing can be disabled using the set terminal nomore command (see terminal(set)).

SEE ALSO
[ Domain Name Server ], terminal(set)

save(mgmt)

COMMAND NAME
save - Save a new configuration and restart immediately.

SYNOPSIS
save

DESCRIPTION
The save command is a privileged command that requires supervisor mode to operate. If the save command is issued and the configuration buffer has not been modified, it returns without doing anything.

After the save command is issued, the user is given a "Y/N" prompt. If "Y" is entered, the edited configuration is saved to the device's Flash ROM and the device restarts. During the process, the current contents of the ROM are copied to RAM, the ROM is erased, and the contents are programmed back into the ROM from RAM. This can take from 30 to 105 seconds, depending on the device type. If power is turned off during this time, the contents of RAM are lost and the process is aborted; the device then restarts from its boot loader ROM. If this happens, you must reload the operating software using tftp (see tftp(mgmt)) or CompatiView. Please wait at least five minutes for the device to complete this process.

Note: The IntraPort 2/2+, IntraPort Enterprise, and IntraPort Carrier VPN Access Servers and the IntraGuard Firewall have additional commands which allow you to save and/or apply a new configuration without restarting the device. See write(mgmt) and apply(mgmt).

SEE ALSO
enable(mgmt), write(mgmt), apply(mgmt), tftp(mgmt)

sys(mgmt)

COMMAND NAME
sys - Miscellaneous system operations.

SYNOPSIS
sys attach
sys detach
sys connect <WAN Port Number> [ force ]
sys dropline <WAN Port Number> [ <tries> ]
sys upline <WAN Port Number>
sys write <port name> [ <message to be sent>... ]
sys echo
sys date
sys debug

DESCRIPTION
This is a collection of commands that perform miscellaneous system related functions.

sys attach
This command re-attaches the user to a modified configuration buffer. Although multiple command line sessions may be active at once on a system, there may be only one supervisor session active on the system, and only one command line configuration buffer is allocated in the system. This buffer contains the modified configuration before it is saved using the save command (see save(mgmt)). A supervisor session may be terminated or timed out by the system if no user input occurs within 5 minutes. In this case, if a modified configuration buffer exists, it remains in the system's memory until the system is restarted.

By using the sys attach command, all of the previous configuration buffer's information is remembered as if it had been entered in the current session.

In addition, the command parser notifies a supervisor that a modified buffer exists on the first command that would change the configuration. At this point the user has the opportunity to overwrite the previous configuration buffer and discard all previous changes; to attach to the previous configuration buffer and add the new change to it; or to cancel the new change and leave the previous configuration buffer as it was.

sys detach
A modified buffer that is not associated with any terminal session is considered detached. It is possible to detach from a modified configuration buffer by issuing the sys detach command. It is also possible to detach from a modified configuration buffer by issuing the exit command (see exit(mgmt)).

sys connect
This command is used on a WAN interface to connect to a modem and verify the system connection to the modem by issuing modem commands directly from the telnet or terminal session.

sys dropline
This command instructs the device to abruptly terminate an existing connection on a WAN interface which has an on-demand connection configured.

sys upline
This command instructs the device to initiate a connection on a WAN interface which has an on-demand connection configured.

sys write
This command sends a message to another telnet or terminal session. The show os processes command can be used to display the names of other terminal sessions. In this display, sessions are listed as "CLI @XXX", where XXX is the name of the terminal associated with the session. Use that name as the port name to write to.

sys echo
This command simply repeats the arguments passed to it. It can be used to determine how escape characters and various command arguments will be interpreted.

sys date
This command displays the date and time if the time server has been enabled (see the [ Time Server ] section).

sys debug
This command is used to turn on system debugging. Note: This command is not enabled in production releases and should only be used when instructed to do so by a Compatible Systems Technical Support Engineer.

OPTIONS
WAN Port Number
This parameter must be entered as a number corresponding to the WAN interface, starting with 0 (WAN A is 0, and WAN B is 1).

force
The keyword force is used to force an attempt to connect with a modem on a WAN interface even if another connection is already in progress or the WAN link is up.

port name
This parameter specifies the name of the terminal (e.g., CON, PTY1, ...) that a brief message should be sent to.

message to be sent
This parameter can be any string that should be sent to another terminal session.

SEE ALSO
save(mgmt), exit(mgmt), os(show), [ Time Server ]

tftp(mgmt)

COMMAND NAME
tftp - Enable/disable system software downloading using TFTP.

SYNOPSIS
tftp enable [ <timeout> ] [ <TFTP client IP address> ]
tftp disable

DESCRIPTION
The tftp enable command permits downloading of system software to a device using the Trivial File Transfer Protocol (TFTP) from a remote IP host. Downloading through TFTP is not permitted unless this command is executed, either from the console or from a remote host that is telnetted into the device. The command asks for the device's password and then opens a window of opportunity during which TFTP downloads to the device are accepted only from the remote IP host specified. The default window is 60 seconds. If the command is entered from the console, or from a host other than the one from which the TFTP transfer will originate, the TFTP client IP address must be specified.

Transfer configuration files to and from the device using an ASCII mode transfer. The remote file name must be the device type followed by ".cfg". The following chart shows the different device types and sample configuration file names.

DEVICE TYPE                          SAMPLE FILE NAME
Risc Router                          rr4000s.cfg, rr3500r.cfg, etc.
MicroRouter                          mr1200i.cfg, mr2200r.cfg, etc.
IntraPort VPN Access Server          IntraPort2+.cfg, IntraPortEnterprise.cfg, IntraPortCarrier.cfg, etc.
IntraGuard Firewall                  IntraGuard.cfg
VSR Multigigabit Switching Router    VSR.cfg

It is also possible to create a text-based configuration file and use CompatiView to transfer the file to and from the device. This method uses a secure transfer mechanism, preventing the configuration from being observed while it is in transit to the device. See the CompatiView Reference Guide for more information.

The tftp disable command cancels a previous enable command.

OPTIONS
timeout
This is the amount of time, in seconds, that TFTP downloading to the device is permitted from the established IP host. The default is 60 seconds.

TFTP client IP address
This is the remote IP address from which a TFTP download can be established. This option is required if the tftp enable command is issued from the console or from a host other than the one from which the TFTP transfer will originate. The default is the IP address of the telnet host.

EXAMPLES
The following is an example of a tftp enable command issued from a remote host via telnet:

tftp enable

The following is an example of a tftp enable command issued from the console:

tftp enable 60 192.15.0.1
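The tftp enable rules above amount to a small access-control gate: one authorised source address, one time window, nothing else. TFTP itself (RFC 1350) carries no credentials and sends its payload in the clear, which is why the manual contrasts it with CompatiView's secure transfer; the window is therefore worth opening only from a trusted management network and only for as long as the transfer needs. The model below is an added example written for this page, not the device's firmware. It assumes integer-second timestamps, represents a console session as session_ip=None, and, since the manual does not say whether the device closes the window at expiry or merely rejects late requests, simply rejects them.

```python
"""Model of the tftp enable download window (illustrative, not firmware code)."""

DEFAULT_WINDOW = 60   # seconds, the manual's default timeout


class TftpWindow:
    """Gate that decides whether a TFTP download request may be served."""

    def __init__(self):
        self.client_ip = None
        self.expires_at = None

    def enable(self, now, session_ip=None, timeout=None, client_ip=None):
        """tftp enable [timeout] [client]: open a window for exactly one source host.

        session_ip is the address of the telnet session issuing the command, or
        None on the console (assumed representation).  Manual's rule: from the
        console, or when the download will come from a host other than the
        telnet host, the client IP must be given; otherwise it defaults to the
        telnet host.  Returns the absolute expiry time.
        """
        if client_ip is None:
            if session_ip is None:
                raise ValueError("TFTP client IP address is required from the console")
            client_ip = session_ip
        window = DEFAULT_WINDOW if timeout is None else int(timeout)
        if window <= 0:
            raise ValueError("timeout must be a positive number of seconds")
        self.client_ip = client_ip
        self.expires_at = now + window
        return self.expires_at

    def disable(self):
        """tftp disable: cancel a previous enable."""
        self.client_ip = None
        self.expires_at = None

    def permits(self, src_ip, now):
        """True only for the authorised source while the window is still open.

        Note what is NOT checked: TFTP has no authentication, so the source
        address and the clock are the entire decision.
        """
        if self.client_ip is None or self.expires_at is None:
            return False
        return now < self.expires_at and src_ip == self.client_ip


def evaluate_attempts(window, attempts):
    """Run a sequence of (src_ip, time) download attempts through the gate.
    Returns the list of accept/reject decisions in order."""
    return [window.permits(ip, t) for ip, t in attempts]


if __name__ == "__main__":
    gate = TftpWindow()
    gate.enable(now=0, session_ip="192.15.0.7")   # 'tftp enable' typed over telnet
    # Constructed attempts: right host in time, wrong host, right host after expiry.
    print(evaluate_attempts(gate, [("192.15.0.7", 5), ("192.15.0.9", 5), ("192.15.0.7", 61)]))
```

The console case in the manual's second example (tftp enable 60 192.15.0.1) corresponds to calling enable with session_ip=None and an explicit client_ip; leaving client_ip out on the console is rejected, matching the manual's requirement.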

traceroute(mgmt)

COMMAND NAME
traceroute - Print the route that packets take to a network host.

SYNOPSIS
traceroute <destination address> | <host name> [ nonames ] [ probes <#probes> ] [ timeout <timeout> ] [ hops <#hops> ] [ sourceaddress <source address> | <interface> ]

DESCRIPTION
The traceroute command directs the device to send UDP test packets to each intermediate hop along the route to the requested IP address or host name. This command is used for network testing when there are difficulties in reaching a selected host. Each node along the route to the host is probed with a test UDP packet and should return an ICMP packet to the device. The device displays round-trip times and IP addresses/host names for each node. If a node does not respond within the timeout period, a timeout is indicated in the display by an asterisk.

OPTIONS
destination address or host name
This required parameter indicates the host name or IP address of the ultimate destination. It can be entered either as a numerical IP address (e.g., 10.1.2.3) or as a host name (e.g., hal.acme.com) if a Domain Name Server has been configured (see the [ Domain Name Server ] section).

nonames
This optional keyword directs the command to print only numerical IP addresses for each node along the route. If this keyword is not present, both the IP address and the host name of each intermediate hop are displayed.

probes
This optional keyword specifies the number of probes to be sent to each intermediate machine. Valid probe counts are 1, 2, or 3. The default is 3 probes.

timeout
This optional keyword specifies the amount of time the device waits before declaring that a response has timed out. The default timeout is 1 second. If excessive timeouts are occurring during the traceroute, the process can be terminated by entering a <CTRL-C> at the keyboard.

hops
This optional keyword specifies the maximum number of hops the traceroute command will use in an attempt to reach the end destination. The default is 40 hops, which should be sufficient for most applications.

sourceaddress
This keyword specifies which port or address is to be used as the origin of the outbound packet. The value must be the IP address of an interface on the device or a port name (e.g., Ethernet 0, WAN 0). If no sourceaddress is specified, the device uses the address of the outbound interface as its source by default. This option allows packets sent out via traceroute to be answered correctly; in particular, it allows the traceroute command to function over the Internet from a device whose WAN interface uses a private, unroutable address. An example is a Frame Relay link that uses a private IP address on the WAN, where the user wants to traceroute across that interface to test connectivity out to the Internet.

EXAMPLES
The following illustrates a traceroute to the host "hal.acme.com" using the default parameters. The round-trip time is reported in increments of 16 ms; anything less is reported as 0 ms. Note that node 4 did not respond to any of the UDP packets in the allotted time. This could indicate excessive congestion on that node at the time of the probes.

MyRouter> tr hal.acme.com
Traceroute to hal.acme.com
IP Address = 10.1.2.3
3 probes per hop, 1 sec timeout, 40 hops max
1 12.5.6.8 (saturn.abc.com) 16ms 16ms 0ms
2 13.80.3.18 (neptune.def.com) 128ms * 64ms
3 4.100.6.30 (mercury.ghi.com) 160ms 340ms 176ms
4 * * *
5 138.42.2.1 (pluto.jkl.com) 48ms 192ms 208ms
6 10.1.2.3 (hal.acme.com) 48ms 64ms 48ms
Destination reached in 6 hops

If there is no Domain Name Server, the name lookup can be disabled with the nonames option. The timeout can be increased in an attempt to get a response from node 4:

MyRouter> tr hal.acme.com nonames 2 3 10
Traceroute to hal.acme.com
IP Address = 10.1.2.3
2 probes per hop, 3 sec timeout, 10 hops max
1 12.5.6.8 16ms 16ms
2 13.80.3.18 128ms 64ms
3 4.100.6.30 160ms 176ms
4 15.3.80.4 1600ms 1760ms
5 138.42.2.1 192ms 208ms
6 10.1.2.3 48ms 64ms
Destination reached in 6 hops

Note: If more processing is enabled, output stops when a screenful of data has been output. If a lot of output is expected, more processing can be disabled using the set terminal nomore command (see terminal(set)).

SEE ALSO
[ Domain Name Server ], terminal(set)

vpn tunnel(mgmt)

COMMAND NAME
vpn tunnel up, vpn tunnel down - Establish or tear down a LAN-to-LAN tunnel.

SYNOPSIS
vpn tunnel up <vpn port>
vpn tunnel down <vpn port>

DESCRIPTION
The vpn tunnel up command directs the device to establish a VPN LAN-to-LAN tunnel for the specified VPN port without restarting the device. For this command to work, the KeyManage keyword must be set to Initiate in the [ Tunnel Partner <Section ID> ] section for the VPN port. The vpn tunnel down command directs the device to shut down the VPN LAN-to-LAN tunnel for the specified VPN port. The show vpn runtime command displays a list of all currently active VPN tunnels (see vpn(show)).

SEE ALSO
[ Tunnel Partner <Section ID> ], vpn(show)

Page 255: Text-Based Configuration and Command Line Management ... · PDF fileText-Based Configuration and Command Line Management Reference Guide ... Text-Based Configuration and Command Line

write(mgmt)

Management Section 249

COMMAND NAMEwrite - Write an edited configuration to Flash ROM without restarting the device.

SYNOPSISwrite

DESCRIPTIONThe write command is a privileged command that requires supervisor mode to operate. This command allows you to write a configuration to the device’s Flash ROM without restarting the device. The changes which were made to the configuration will not be applied until the device is restarted.

If the write command is issued and a configuration buffer has not been modified, it will return an error message indicating that no configuration changes have been made.

This command is only available on the IntraPort 2/2+, IntraPort Enterprise, and IntraPort Carrier VPN Access Servers and on the IntraGuard Firewall.

SEE ALSO
save(mgmt), apply(mgmt)


ip arp(add)


COMMAND NAME
add ip arp - Add a static IP ARP cache entry.

SYNOPSIS
add ip arp <IP address> <Ethernet address | DLCI>

DESCRIPTION
This command adds a static Address Resolution Protocol (ARP) entry to the device's ARP cache. The entry will not be timed out of the cache as is done with dynamic ARP entries. The entry will reside in the ARP cache until the device is rebooted; it cannot be saved in Flash ROM for subsequent installation.

ARP is used to map high-level IP addresses to physical addresses. The physical address may be either an IEEE Ethernet address or a Frame Relay DLCI which can be converted into a Frame Relay Q.922 hardware address. IP ARP is described in RFC 826.

OPTIONS

IP address
This option specifies an IP address to be associated with the hardware address in the ARP cache. It should be a legal IP address specified in dotted decimal format.

Ethernet address
This option specifies an IEEE Ethernet address to be associated with the IP address in the ARP cache. It should be six hexadecimal octets separated by colons (:) or dots (.) (i.e., 0:0:A5:0:0:1 or 0.0.A5.0.0.1).

DLCI
This option specifies a DLCI address to be associated with the IP address in the ARP cache. The device will translate the DLCI into a Frame Relay Q.922 hardware address. The DLCI number must be between 16 and 1007.

EXAMPLES
add ip arp 192.15.8.100 0.0.A5.0.0.1
add ip arp 192.15.8.100 0:0:A5:0:0:1
add ip arp 192.15.1.100 16

SEE ALSO
arp(show), arp(reset), [ Frame Relay <Section ID> ]


ip route(add)

COMMAND NAME
add ip route - Add a static IP route.

SYNOPSIS
add ip route <destination> <mask> <gateway/wan port> <metric> [ Redist= RIP | OSPF1 | OSPF2 | BGP | none ]

DESCRIPTION
The add ip route command is used to add runtime static entries to the IP routing table. When the system is rebooted, the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ IP Static ] section. The route(s) must be saved with the save command (see save(mgmt)).

Static routes are used to provide information to the device about where IP packets should be sent when the device itself has not been able to determine a correct route for them using dynamic routing information.

In cases where the routing metrics (i.e., the number of routing hops to a destination) are equal between a static route and a dynamic route, Compatible Systems devices will use the dynamic route.

Note: Static routes are more difficult to maintain and are generally not as reliable as dynamically-determined routes. We recommend that you use static routing only when the network does not provide adequate routing information through RIP.

OPTIONS

destination
A destination option is usually entered in the standard dotted decimal notation for IP addresses. However, values can be entered in hexadecimal as well. Hexadecimal numbers must either be preceded by a "0x" or they must be complete (8 hexadecimal digits, e.g., C6290C00 for 198.41.12.0).

If 0.0.0.0 is specified as the destination, then the route being added is to a default router. The mask must also be 0.0.0.0. The default router will be used to route packets when the destination network is not known by the device.

mask
The mask option tells the device how much of the destination address entry should be considered when determining the route for a packet. This field has the same format as the destination field but typically has 255's for the network portion of the address and 0 for the host portion when adding a network route, and all 255's when adding a host route.

gateway/wan port
The gateway/wan port option also has the same format as the destination option and usually is the address of another router (gateway) which is responsible for packets being sent to the destination address or network.


This field can also be specified as a physical interface of the device you are configuring (e.g., WAN A or just "0") when the interface is unnumbered. However, the name of a physical interface cannot be used when that interface is configured for Frame Relay operation. This is because the Frame Relay protocol allows multiple IP addresses to be reached over a single physical interface via different PVCs (permanent virtual circuits). See the [ Frame Relay <Section ID> ] section for more information.

metric
The metric option specifies the distance or cost to the destination. The metric is used by the routing process to determine where packets should be sent. It usually corresponds loosely with the number of hops to the destination. A lower value makes this a "better route." The value entered here must be between 1 and 15 and may correspond to the actual number of hops to the gateway or may be larger to artificially inflate the cost.

There are several reasons why you might enter a route with an inflated metric. If there is more than one route to another destination but the route with the shortest number of hops is over a slow WAN link, you might add a route to cause the IP traffic to take the "quicker" route.

Redist=RIP | OSPF1 | OSPF2 | BGP | none
If the optional Redist parameter is specified, this route will be redistributed into the specified routing protocol. If you leave this field off or if none is specified, the static route will not be redistributed. Only one routing protocol can be selected for redistributing each static route.

If RIP is specified, the static route entry will be redistributed into the RIP routing protocol, which means that other routers will be able to choose this device as a way to forward packets to the destination address, depending on the metric and what other routes are available. Routing information received via RIP from other routers will be redistributed out other interfaces where RIP processing is enabled. When routes are rebroadcast in this fashion, the metric for this route is increased by 1, which increases the cost of the route.

If OSPF1 or OSPF2 is specified, the static route entry will be redistributed into the OSPF routing protocol. The 1 or 2 refer to the two types of external metrics which may be used in OSPF. The cost of a type 2 route is simply the external cost, regardless of the interior (i.e., within OSPF) cost to reach that router. A type 1 cost is the sum of both the external cost and the internal cost used to reach that router.

If BGP is specified, the static route entry will be redistributed into the BGP routing protocol.


EXAMPLES
The first example adds a default route which passes all packets with unknown destinations to WAN 0. This route might be used on a device which has a connection to an Internet Service Provider through WAN 0.

add ip route 0.0.0.0 0.0.0.0 0 1

The next example adds a route to network 198.41.13.0 through the gateway 198.41.9.65. Notice that the metric is 4. That means that if a better dynamic route is found (the metric is less than or equal to 4), this route will not be used. The command also tells the device to include this route in its RIP broadcast. If the device is restarted or the configuration is saved, this route will not be retained.

add ip route 198.41.13.0 255.255.255.0 198.41.9.65 4 redist=RIP

SEE ALSO
[ IP Static ], [ IP <Section ID> ], ip(show), save(mgmt), [ Frame Relay <Section ID> ]
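The argument rules above (dotted decimal or hex destinations, the 0.0.0.0/0.0.0.0 default-route pairing, a metric of 1 to 15, a single optional Redist value) and the selection rule that a dynamic route wins a metric tie are easy to get wrong when generating router configuration from scripts. The following Python is an added example written for this guide, not code from Compatible Systems: it validates add ip route lines and models a small routing table. Longest-prefix matching before metric comparison is an assumption of the model (the manual only states the static/dynamic tie-break); the RoutingTable, Route and parse_add_ip_route names are the example's own.

```python
import ipaddress
import re
from dataclasses import dataclass

REDIST_CHOICES = ("RIP", "OSPF1", "OSPF2", "BGP", "none")


def parse_address(text):
    """Accept the three spellings the manual allows for destination/mask values:
    dotted decimal, '0x'-prefixed hex, or exactly 8 hex digits (C6290C00 = 198.41.12.0)."""
    if "." in text:
        return ipaddress.IPv4Address(text)  # raises AddressValueError (a ValueError) on garbage
    if re.fullmatch(r"0[xX][0-9A-Fa-f]{1,8}", text) or re.fullmatch(r"[0-9A-Fa-f]{8}", text):
        return ipaddress.IPv4Address(int(text, 16))
    raise ValueError(f"address must be dotted decimal, 0x-prefixed hex or 8 hex digits: {text}")


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str        # next-hop address, or an interface label such as "0" (unnumbered WAN port)
    metric: int
    static: bool
    redist: str = "none"


def parse_add_ip_route(line):
    """Validate one 'add ip route <dest> <mask> <gateway/wan port> <metric> [Redist=...]'
    line and return the static Route it describes; ValueError on any rule violation."""
    parts = line.split()
    if not 7 <= len(parts) <= 8 or parts[:3] != ["add", "ip", "route"]:
        raise ValueError("usage: add ip route <destination> <mask> <gateway/wan port> <metric> [Redist=...]")
    dest, mask = parse_address(parts[3]), parse_address(parts[4])
    if int(dest) == 0 and int(mask) != 0:
        raise ValueError("a default route (destination 0.0.0.0) requires mask 0.0.0.0")
    # IPv4Network rejects non-contiguous masks; strict=False tolerates host bits in dest.
    network = ipaddress.IPv4Network((str(dest), str(mask)), strict=False)
    gateway = parts[5]
    try:
        gateway = str(parse_address(gateway))  # address form; otherwise keep the interface label
    except ValueError:
        pass
    metric = int(parts[6])
    if not 1 <= metric <= 15:
        raise ValueError(f"metric must be between 1 and 15, got {metric}")
    redist = "none"
    if len(parts) == 8:
        key, _, value = parts[7].partition("=")
        match = [c for c in REDIST_CHOICES if c.lower() == value.lower()]
        if key.lower() != "redist" or not match:
            raise ValueError(f"Redist must be one of {REDIST_CHOICES}, got {parts[7]}")
        redist = match[0]
    return Route(network, gateway, metric, True, redist)


class RoutingTable:
    """Toy model: longest prefix first, then lowest metric; on a metric tie the
    dynamic route is preferred, which is the rule the manual states."""

    def __init__(self):
        self.routes = []

    def add_static(self, line):
        route = parse_add_ip_route(line)
        self.routes.append(route)
        return route

    def learn_dynamic(self, cidr, gateway, metric):
        """Constructed stand-in for a route learned from RIP, OSPF or BGP."""
        self.routes.append(Route(ipaddress.IPv4Network(cidr), gateway, metric, False))

    def lookup(self, dest_ip):
        dest = ipaddress.IPv4Address(dest_ip)
        candidates = [r for r in self.routes if dest in r.network]
        if not candidates:
            return None
        # static=True sorts after static=False, so a dynamic route wins a tie
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric, r.static))


if __name__ == "__main__":
    table = RoutingTable()
    table.add_static("add ip route 0.0.0.0 0.0.0.0 0 1")
    table.add_static("add ip route 198.41.13.0 255.255.255.0 198.41.9.65 4 redist=RIP")
    print(table.lookup("198.41.13.7"))   # the static route via 198.41.9.65
    table.learn_dynamic("198.41.13.0/24", "198.41.9.66", 4)  # constructed RIP route
    print(table.lookup("198.41.13.7"))   # now the dynamic route, metric tie
```

The two add_static lines in the usage block are the manual's own examples; the learn_dynamic call reproduces the situation described for the second example, where a dynamic route with a metric of 4 or less displaces the static route.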


chat(edit)


COMMAND NAME
edit chat - Create and edit chat scripts.

SYNOPSIS
edit chat [ <chat script name> ]

DESCRIPTION
Compatible Systems devices support standard communications chat scripts that let you specify dialing and/or connect sequences between this device and remote routers or terminal servers. The rules and syntax of chat scripts are documented in the [ Chat <Name> ] section. New or existing chat scripts can be entered or viewed using the device's built-in line editor. See edit config for a description of this line editor.

SEE ALSO
[ Chat <Name> ], edit config


filter(edit)


COMMAND NAME
edit filter - Create and edit protocol filtering rules.

SYNOPSIS
edit filter appletalk <name>
edit filter ip <name>
edit filter iprouting <name>
edit filter ipx <name>
edit filter ipxrouting <name>
edit filter ipxsap <name>

DESCRIPTION
The edit filter commands allow you to create or edit new or existing protocol-specific filters using the device's built-in line editor. See edit config for a description of this line editor.

Note: Rules that have been specified using Compatible's CompatiView Manager may be edited or examined through the command line interface. Likewise, rules defined through the command line interface may be edited through CompatiView. When the rules are downloaded into the router from CompatiView, they will be encrypted.

The edit filter appletalk command allows you to define, edit and name sets of AppleTalk filtering rules. The rules and syntax of AppleTalk filters are documented in the [ AppleTalk Filter <Name> ] section.

The edit filter ip command allows you to define, edit and name sets of IP packet filtering rules. The rules and syntax of IP packet filters are documented in the [ IP Filter <Name> ] section.

The edit filter iprouting command allows you to define, edit and name a set of IP route filtering rules. The rules and syntax of IP route filters are documented in the [ IP Route Filter <Name> ] section.

The edit filter ipx command allows you to define, edit and name a set of IPX packet filtering rules. The rules and syntax of IPX packet filters are documented in the [ IPX Filter <Name> ] section.

The edit filter ipxrouting command allows you to define, edit and name a set of IPX route filtering rules. The rules and syntax of IPX route filters are documented in the [ IPX Route Filter <Name> ] section.

The edit filter ipxsap command allows you to define, edit and name a set of IPX SAP filtering rules. The rules and syntax of IPX SAP filters are documented in the [ IPX SAP Filter <Name> ] section.

SEE ALSO
edit config, [ AppleTalk Filter <Name> ], [ IP Filter <Name> ], [ IP Route Filter <Name> ], [ IPX Filter <Name> ], [ IPX Route Filter <Name> ], [ IPX SAP Filter <Name> ]


appletalk(reset)


COMMAND NAME
reset appletalk - Delete AppleTalk routing parameters.

SYNOPSIS
reset appletalk statistics
reset appletalk routing { <network number> | all }
reset appletalk cache { <network number> | all }

DESCRIPTION
The reset appletalk commands delete runtime AppleTalk parameters.

reset appletalk statistics
This command resets the DDP (Datagram Delivery Protocol) tallies kept for AppleTalk.

reset appletalk routing
This command deletes AppleTalk dynamic routing table entries. Direct connect entries cannot be deleted. To delete an entry, the network number of the route must be specified, or all will delete all dynamic entries. The show appletalk routing command will display the routing table.

reset appletalk cache
This command deletes entries from the AppleTalk fast-routing cache. Use the show appletalk cache command to display the cache (see appletalk(show)).

OPTIONS

network number
This is the AppleTalk network number of the entry to delete. It must be between 1 and 65279. In the case of networks specified by a range, use the beginning number of the range.

all
This option specifies that all the tables the command pertains to should be deleted.

SEE ALSO
[ AppleTalk <Section ID> ], [ AppleTalk Tunnels ], appletalk(show), interface(mgmt)


arp(reset)


COMMAND NAME
reset arp - Delete ARP table entries.

SYNOPSIS
reset arp [ <address> | all ]

DESCRIPTION
This command removes entries from the Address Resolution Protocol (ARP) cache. Normally, dynamic entries are timed out after 20 minutes and static entries remain in the cache until the device is restarted. This command is useful when new hardware using the same higher-level protocol address is replaced on a network. It is necessary since the previous hardware address is retained in the ARP mapping cache.

OPTIONS

address
This is the high-level address associated with the hardware address in the ARP cache to be deleted. It must be either a legal IP address specified in dotted-decimal format or an AppleTalk address specified as net:node.

all
This option specifies that all entries, dynamic and static, be deleted from the ARP cache.

EXAMPLES
reset arp 192.15.100.1
reset arp 35000:1
reset arp all

SEE ALSO
arp(show), ip arp(add)
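The ip arp(add) and arp(reset) pages together describe a small state machine: static entries that never age out, dynamic entries that expire after 20 minutes, and a reset that clears one address or everything, static entries included. The Python below is an added example written for this guide, not code from Compatible Systems; it checks add ip arp arguments against the rules stated above (six hex octets with colons or dots, or a DLCI between 16 and 1007) and models the cache. It handles IP addresses only; the AppleTalk net:node form accepted by reset arp is not modelled, and the ArpCache, learn and expire names are the example's own.

```python
import ipaddress
import re

# Six hex octets separated entirely by colons or entirely by dots, as the manual
# describes (0:0:A5:0:0:1 or 0.0.A5.0.0.1); one- or two-digit octets are accepted.
_ETHER_RE = re.compile(r"^[0-9A-Fa-f]{1,2}([:.])(?:[0-9A-Fa-f]{1,2}\1){4}[0-9A-Fa-f]{1,2}$")


def parse_ethernet_address(text):
    """Return the address in canonical colon form, or None if it is not an Ethernet address."""
    if not _ETHER_RE.match(text):
        return None
    return ":".join(f"{int(o, 16):02x}" for o in re.split(r"[:.]", text))


def parse_dlci(text):
    """Return the DLCI as an int if it is decimal and within 16..1007, else None."""
    if not text.isdigit():
        return None
    n = int(text)
    return n if 16 <= n <= 1007 else None


def parse_add_ip_arp(line):
    """Parse 'add ip arp <IP address> <Ethernet address | DLCI>' into (ip, kind, hw)."""
    parts = line.split()
    if len(parts) != 5 or parts[:3] != ["add", "ip", "arp"]:
        raise ValueError("usage: add ip arp <IP address> <Ethernet address | DLCI>")
    try:
        ip = str(ipaddress.IPv4Address(parts[3]))
    except ipaddress.AddressValueError:
        raise ValueError(f"not a dotted-decimal IP address: {parts[3]}")
    hw = parse_ethernet_address(parts[4])
    if hw is not None:
        return ip, "ethernet", hw
    dlci = parse_dlci(parts[4])
    if dlci is not None:
        return ip, "dlci", dlci
    raise ValueError(f"neither an Ethernet address nor a DLCI in 16..1007: {parts[4]}")


class ArpCache:
    """Toy model of the cache behaviour the manual states: static entries never
    age out, dynamic ones time out after 20 minutes, and 'reset arp' removes
    either one address or everything (static entries included)."""

    DYNAMIC_TIMEOUT = 20 * 60  # seconds

    def __init__(self):
        self._entries = {}  # ip -> dict(kind, hw, static, learned_at)

    def add_static(self, line):
        ip, kind, hw = parse_add_ip_arp(line)
        self._entries[ip] = {"kind": kind, "hw": hw, "static": True, "learned_at": None}

    def learn(self, ip, hw, now):
        """Record a dynamically learned Ethernet mapping at time 'now' (seconds)."""
        ip = str(ipaddress.IPv4Address(ip))
        self._entries[ip] = {"kind": "ethernet", "hw": parse_ethernet_address(hw),
                             "static": False, "learned_at": now}

    def expire(self, now):
        """Drop dynamic entries older than the timeout; static entries are kept."""
        stale = [ip for ip, e in self._entries.items()
                 if not e["static"] and now - e["learned_at"] >= self.DYNAMIC_TIMEOUT]
        for ip in stale:
            del self._entries[ip]

    def reset(self, target):
        """'reset arp all' clears everything; 'reset arp <IP>' removes one entry."""
        if target == "all":
            self._entries.clear()
        else:
            self._entries.pop(str(ipaddress.IPv4Address(target)), None)

    def lookup(self, ip):
        e = self._entries.get(ip)
        return None if e is None else (e["kind"], e["hw"], e["static"])


if __name__ == "__main__":
    cache = ArpCache()
    cache.add_static("add ip arp 192.15.8.100 0.0.A5.0.0.1")   # manual's example
    cache.add_static("add ip arp 192.15.1.100 16")             # manual's DLCI example
    cache.learn("192.15.8.7", "0:0:A5:0:0:2", now=0)           # constructed dynamic entry
    cache.expire(now=20 * 60)
    print(cache.lookup("192.15.8.100"), cache.lookup("192.15.8.7"))
```

The replacement scenario in the description (new hardware reusing an IP address) is why the static flag matters: learn() overwrites a dynamic entry, but a stale static mapping survives until reset() is called for that address or for all.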


bgp(reset)


COMMAND NAME
reset bgp peer - Reset BGP session.

SYNOPSIS
reset bgp peer [ all | <IP address> ]

DESCRIPTION
The reset bgp peer command is used to reset a BGP session with a specific peer or, if all is specified, with all peers. The IP address specifies a particular peer. Its value should be entered in dotted-decimal format.

EXAMPLES
This example resets the BGP session with a single peer.

reset bgp peer 205.14.128.1

SEE ALSO
[ BGP General ], bgp(show)


config(reset)


COMMAND NAME
reset config - Reset configuration with current or factory settings.

SYNOPSIS
reset config [ default ]

DESCRIPTION
The reset config command is used to reset the current configuration information in the router. This command should be used during editing if you wish to erase all of your changes and return to the configuration information stored in the Flash ROM. If used with the optional default parameter (and this must be spelled out completely), the configuration information will be set to factory defaults.

This command takes effect immediately. However, most changes will not take effect within the device until you issue the save command (see save(mgmt)).

EXAMPLES
To clear all changes in the presently edited configuration, type:

reset config

To set the editing configuration to factory defaults, type:

reset config default

SEE ALSO
save(mgmt)


decnet(reset)


COMMAND NAME
reset decnet - Delete DECnet parameters.

SYNOPSIS
reset decnet routing { <DECnet node> | all }

DESCRIPTION
The reset decnet routing command removes one or all entries from a router's DECnet routing table. The DECnet routing table is updated by DECnet routing messages. If you delete a valid route, it will appear again in the table when the next routing message is received.

OPTIONS

DECnet node
This is the DECnet area and DECnet node address in dotted decimal notation.

all
Using all for this option will reset the entire DECnet routing table for the router.

EXAMPLES
The following example removes a single DECnet node from the routing table.

reset decnet routing 1.10

SEE ALSO
[ DECnet <Section ID> ], [ DECnet Global ], decnet(show)


ip(reset)


COMMAND NAME
reset ip - Reset/Delete IP routing table entries, statistics, and UDP broadcast relays.

SYNOPSIS
reset ip routing { all | <IP address> [ <mask> ] }
reset ip statistics
reset ip cache [ all | <IP address> ]

DESCRIPTION
The reset ip commands are used to reset or clear IP routing parameters, relays and statistics.

The reset ip routing command is used to remove entries from the routing table. These can be static routes configured previously or dynamic routes picked up via RIP. If the optional all parameter is specified, all dynamic routes are purged from memory and the router "relearns" them. Use of the command with the other options removes specific entries.

The reset ip statistics command resets all of the IP statistic tallies to zero. This is helpful if you are debugging an IP problem and want to watch IP statistics accrue from the current time.

The reset ip cache command clears entries from the IP portion of the fast-routing cache. If the optional all parameter is specified, all entries are purged from memory and the router will "relearn" them.

OPTIONS

all
This option specifies that all the tables the command pertains to should be deleted.

IP address
The IP address is the destination host IP address or network address for the entry to be deleted. Its value should be entered in dotted-decimal format.

mask
The mask is the subnet mask for this entry.

EXAMPLES
This example removes a routing table entry for a host route from both the runtime and configuration.

reset ip routing 198.41.12.2 255.255.255.255

SEE ALSO
ip(show), ip route(add)


ipx(reset)


COMMAND NAME
reset ipx - Delete IPX parameters.

SYNOPSIS
reset ipx routing { <network number> | all }
reset ipx cache { <network number> | all }
reset ipx sap { <network number:node> | all }

DESCRIPTION
The reset ipx commands delete permanent and runtime IPX parameters.

reset ipx routing
This command deletes IPX dynamic routing table entries. Direct connect entries cannot be deleted. To delete a specific entry, the network number of the route must be specified, or all will delete all dynamic entries.

reset ipx cache
This command deletes entries from the IPX fast-routing cache.

reset ipx sap
This command deletes an IPX SAP (Service Advertising Protocol) server entry from the dynamic table kept by the router. The router's own SAP entry cannot be deleted because this entry is needed to manage the router using IPX as a transport.

OPTIONS

network number
This option specifies the hexadecimal IPX network number of the entry to delete. It must be between 1 and FFFFFFFE.

node
This option specifies the server node address of the entry to delete. This number is specified as an Ethernet address. An Ethernet address is specified as six hexadecimal octets separated by dots (.) or colons (:). An example would be 0.0.A5.0.0.1 or 0:0:A5:0:0:1.

all
This option specifies that all the parameters the command pertains to should be deleted.

SEE ALSO
[ IPX <Section ID> ], ipx(show)


ospf nbr(reset)


COMMAND NAME
reset ospf nbr - Reset OSPF adjacency with a neighbor.

SYNOPSIS
reset ospf nbr [ all | <IP address> ]

DESCRIPTION
The reset ospf nbr command resets the adjacency with just one OSPF neighbor or, if all is specified, with all neighbors. This command allows the OSPF protocol to continue running while ending an adjacency with the specified neighbor(s). This router will immediately set up new adjacencies with the specified neighbor(s). This command can be particularly useful if two neighbors are hung up during the adjacency establishment process. The address provided can be either the IP address the neighbor has on its interface with this router, or the neighbor's Router ID (which is the largest IP interface address associated with that router).

EXAMPLES
This example removes the adjacency with a single neighbor.

reset ospf nbr 192.41.10.1

SEE ALSO
[ IP <Section ID> ], ospf(show)


resevent(reset)


COMMAND NAME
reset resevent - Clear restart event information.

SYNOPSIS
reset resevent

DESCRIPTION
The reset resevent command clears restart event information from the router's memory. A restart condition occurs when the router detects an error condition from which it cannot gracefully recover. The router stores the error and other memory registers in a "safe" place in memory and then automatically restarts. After restart, information relevant to the restart condition can be accessed by the show os resevent command (see os(show)).

You may also clear the restart information by powering the router off and back on again.

SEE ALSO
os(show)


securid secret(reset)


COMMAND NAME
reset securid secret - Delete the shared SecurID secret.

SYNOPSIS
reset securid secret { <IP address> | all }

DESCRIPTION
The reset securid secret command deletes the SecurID secrets stored in memory on an IntraPort VPN Access Server. The first time an IntraPort contacts an ACE/Server, they exchange a secret based in part on the IntraPort's IP address. Any major changes to the IntraPort's configuration (such as changing its IP address) will mean that the IntraPort and the ACE/Server will no longer be able to communicate. To get around this, you must use the reset securid secret command on the IntraPort and also uncheck the Sent Node Secret checkbox in the ACE/Server's Add Client Dialog Box (which can be accessed using the Add Client option under the Client menu).

After both of these steps have been completed, the two devices will do a new secret exchange and will be able to communicate again.

OPTIONS

IP address
This option limits the command to apply only to the secret for a specific ACE/Server using its IP address. It must be a legal IP address specified in dotted-decimal format.

all
This option specifies that the secrets for all ACE/Servers should be deleted.

SEE ALSO
[ SecurID ], securid(show)


statistics(reset)

COMMAND NAME
reset statistics - Clear router statistics.

SYNOPSIS
reset statistics ethernet
reset statistics memory
reset statistics appletalk
reset statistics ip
reset statistics serial [ <WAN port> ]
reset statistics csu [ <WAN port> ]
reset statistics connect [ <WAN port> ]
reset statistics ds3 [ <WAN port> ]
reset statistics hssi [ <WAN port> ]
reset statistics ppp [ <WAN port> ]
reset statistics frelay [ <WAN port> ] [ <DLCI> ]
reset statistics radius

DESCRIPTION
These commands clear statistics kept by the device. The statistics cleared by each of the commands are described below.

reset statistics ethernet
This command clears Ethernet statistics which are displayed by the show ethernet statistics command.

reset statistics memory
This command clears buffer usage statistics which are displayed by the show os memory command.

reset statistics appletalk
This command clears AppleTalk statistics which are displayed by the show appletalk statistics command.

reset statistics ip
This command clears IP, UDP, and ICMP statistics which are displayed by the show ip statistics command.

reset statistics serial
This command clears WAN serial statistics which are displayed by the show wan serial statistics command. By specifying the optional WAN port parameter, only the statistics for that port will be cleared.

reset statistics csu
This command clears WAN CSU statistics which are displayed by the show wan csu statistics command. By specifying the optional WAN port parameter, only the statistics for that port will be cleared.

reset statistics connect
This command clears WAN connection statistics which are displayed by the show wan connect statistics command. By specifying the optional WAN port parameter, only the statistics for that port will be cleared.

reset statistics ds3
This command clears WAN DS3 statistics which are displayed by the show wan ds3 statistics command. By specifying the optional WAN port parameter, only the statistics for that port will be cleared.

reset statistics hssi
This command clears WAN HSSI statistics which are displayed by the show wan hssi statistics command. By specifying the optional WAN port parameter, only the statistics for that port will be cleared.

reset statistics ppp
This command clears WAN PPP statistics which are displayed by the show ppp statistics command. By specifying the optional WAN port parameter, only the statistics for that port will be cleared.

reset statistics frelay
This command clears Frame Relay statistics which are displayed by the show frelay statistics command. By specifying the optional WAN port and DLCI parameters, only the statistics for that port and/or DLCI will be cleared.

reset statistics radius
This command clears the RADIUS authentication and accounting statistics displayed by the show radius statistics command.

SEE ALSO
statistics(show), ethernet(show), system(show), os(show), appletalk(show), ip(show), wan(show), ppp(show), frelay(show), radius(show), save(mgmt)


bridge(set)

COMMAND NAME
set bridge - Modify bridge parameters.

SYNOPSIS
set bridge on [ <spigot priority> [ <path cost> ] ]
set bridge off
set bridge mode [ Ieee | Learning ] [ <table size> [ <aging time> ] ]
set bridge spanning priority <bridge priority>
set bridge spanning maxage <time>
set bridge spanning hello <time>
set bridge spanning fdelay <time>
set bridge filter permit
set bridge filter deny
set bridge filter add <protocols>
set bridge filter remove <protocols>

DESCRIPTION
These commands are used to configure runtime bridging information within the router. When the system is rebooted the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ Bridging <Section ID> ] and [ Bridging Global ] sections.

The set bridge on, set bridge off, and set bridge filter commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)). The other commands set global bridging parameters.

The bridging code in the router is enabled by two switches. Each interface has an individual switch to enable bridging for that interface explicitly, and there is a global switch telling the low-level forwarding code to enter the bridging routines.

Two commands set the global bridging switch on: set bridge mode and set bridge on. If global bridging was previously disabled, you must save the configuration and reboot the router to turn bridging on.

The only way to disable global bridging is to turn off all of the bridge interfaces, using the set bridge off command. When the last interface is disabled, the global bridging switch will be turned off. Individual interfaces may be enabled or disabled without affecting the status of other interfaces with respect to bridging.

The set bridge mode command selects the global operating mode for the bridge.

Ieee | Learning
The Ieee mode configures the bridge to support the IEEE 802.1D Spanning Tree algorithm. The Spanning Tree algorithm is used by bridges to detect loops (i.e., two or more pathways to the same destination) and "prune" them into a tree-like, loop-free topology by establishing a root bridge and then calculating the best path from each bridge to the root bridge. Traffic is then forwarded only along this path. If the network to which the bridge is attaching contains loops, Spanning Tree must be enabled to prevent packet duplication.

The Learning mode configures the bridge for operation with the Spanning Tree algorithm disabled. Learning mode should only be used on networks without active loops.

Note: Because the set bridge mode command sets global parameters, it isn't possible to turn on Ieee (Spanning Tree) or Learning for individual interfaces. When the mode is Ieee, the root bridge dictates the parameters for the whole network.

BRIDGE SPANNING
These commands are used to configure the IEEE 802.1D Spanning Tree Algorithm parameters within the bridge. The set bridge spanning commands are used to set global Spanning Tree parameters. The commands are described below.

set bridge spanning priority

This command sets the bridge priority. The bridge priority is combined with the bridge's Ethernet address to create an 8-byte Bridge ID. The Spanning Tree algorithm uses the Bridge ID to determine the root bridge for a network. The numerically lowest Bridge ID on a network will be the root bridge for that network. There will only be one root bridge on a network.

set bridge spanning maxage
This command sets the maximum age, which is used to determine when a Spanning Tree configuration packet is considered stale and its information is discarded. The default value is 20 seconds; values may range from 6 to 40.

set bridge spanning hello
This command sets the hello time, which is the interval between Spanning Tree configuration packets sent by the bridge. The default value is 2 seconds; values range from 1 to 10.

set bridge spanning fdelay
This command sets the forward delay. The forward delay is the time between state transitions on the spigot (bridge interface). It will also be used as the aging time during periods of topology change on the network. The default value is 15 seconds; values may range from 4 to 30.

Because all bridges on a Spanning Tree network will use the same values for all timer parameters, all bridges use timer values set by the root bridge. To change the values of the timer parameters for the network, set the values on the root bridge, or make the current bridge the root bridge by lowering the value of the bridge priority. The bridge enforces the following relationships between the timer values mentioned above:

2 x (fdelay - 1 second) >= maxage
maxage >= 2 x (hello + 1 second)
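The following Python program is an added example and is not code from the Compatible Systems guide or its products. It models the Bridge ID described under set bridge spanning priority (priority in the high-order two bytes, Ethernet address in the low six, lowest value becomes root) and checks a set of spanning timers against the ranges and the two relationships stated above. The function names and the sample addresses are assumptions of the example; the ranges, defaults and relationships are the guide's.

```python
# Added example, not code from the Compatible Systems guide: a model of the
# 802.1D Bridge ID described under set bridge spanning priority and of the
# timer relationships the bridge enforces. Function names and the sample
# addresses are my own; the ranges and defaults are the guide's.

# Allowed ranges and defaults for the spanning timers, in seconds.
RANGES = {"maxage": (6, 40), "hello": (1, 10), "fdelay": (4, 30)}
DEFAULTS = {"maxage": 20, "hello": 2, "fdelay": 15}


def bridge_id(priority, mac):
    """Combine the 2-byte bridge priority with the 6-byte Ethernet address
    into an 8-byte Bridge ID, priority in the high-order bytes so that it
    is compared first and the address only breaks ties."""
    if not 0 <= priority <= 65535:
        raise ValueError("bridge priority must be 0..65535")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int >= 1 << 48:
        raise ValueError("Ethernet address must be 48 bits")
    return (priority << 48) | mac_int


def elect_root(bridges):
    """bridges maps name -> (priority, mac). The numerically lowest Bridge
    ID wins, so there is exactly one root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def check_timers(maxage=DEFAULTS["maxage"], hello=DEFAULTS["hello"],
                 fdelay=DEFAULTS["fdelay"]):
    """Check the per-value ranges and the two relationships:
         2 x (fdelay - 1) >= maxage   and   maxage >= 2 x (hello + 1)
    Returns a list of violations; an empty list means the set is valid."""
    problems = []
    for name, value in (("maxage", maxage), ("hello", hello), ("fdelay", fdelay)):
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside {lo}..{hi}")
    if 2 * (fdelay - 1) < maxage:
        problems.append(f"2 x (fdelay - 1) = {2 * (fdelay - 1)} is less than maxage = {maxage}")
    if maxage < 2 * (hello + 1):
        problems.append(f"maxage = {maxage} is less than 2 x (hello + 1) = {2 * (hello + 1)}")
    return problems


if __name__ == "__main__":
    # Constructed sample LAN; "core" uses priority 0 as in the guide's example.
    lan = {"core": (0, "00:00:c0:00:00:01"),
           "edge-a": (32768, "00:00:c0:00:00:02"),
           "edge-b": (32768, "00:00:c0:00:00:03")}
    print("root bridge:", elect_root(lan))
    print("defaults:", check_timers() or "ok")
    print("hello 10 with default maxage:", check_timers(hello=10))
```

Running check_timers before issuing set bridge spanning commands on the root bridge shows why a hello of 10 with the default maxage of 20 is rejected, while the guide's own example (priority 0, hello 4) passes.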

BRIDGE FILTERING

The current implementation of bridging will by default bridge any protocol not being routed, and it has a limited capability to filter or restrict the traffic to and/or from a port based on the packet's protocol. There are two levels of protocol filtering that occur within the bridging code: filtering based on routed protocols, and explicit bridge protocol filtering. In this filtering scheme, the decision to route or filter a packet based on routing takes precedence over explicit bridge filtering.

If a port is configured to route a packet for a protocol, all of that protocol's packets received on the port which are not routed will be discarded by the bridge. In order to bridge a particular protocol, routing for that protocol must be turned off for both the receiving and transmitting interfaces.

The set bridge filter commands configure the bridge protocol filtering. Each interface has a filtering list to which protocols may be added or removed using the set bridge filter add or set bridge filter remove commands. The set bridge filter permit and set bridge filter deny commands tell the bridge whether to permit or restrict (deny) packets in the interface's protocol filter list.

OPTIONS

spigot priority

The spigot priority parameter sets the IEEE 802.1D Spanning Tree protocol port priority parameter. This parameter is used to give precedence to an interface within the bridge. The port priority is combined with the interface number to create a Bridge ID. The interface with the lowest Bridge ID (numerically) will have precedence over interfaces with higher Bridge IDs. The default is 128; valid values range from 0 to 255.

path cost

The path cost parameter sets the IEEE 802.1D Spanning Tree protocol path cost, which is the cost of using an interface and is used by the bridge to compute the distance from the root bridge. It may be used to artificially change the topology of a Spanning Tree network. The default value of 100 is recommended by the IEEE specification for 10 Mbit Ethernet interfaces; valid values range from 1 to 65535.


table size

The table size parameter sets the maximum number of address entries in the bridge's Ethernet address cache. The bridge will only allocate as many entries as it needs, allocating more as the table becomes full, up to the table size number of entries. The default value is 1200 entries; valid values range from 256 to 16,384.

aging time

The aging time parameter sets the time in seconds that address cache entries can remain in the address cache without receiving a packet before the entry will be removed from the bridge. The default value is 300 seconds; valid values range from 10 to 100,000.

bridge priority

The bridge priority parameter is a numerical value that is used to select the root bridge on a network. Setting the bridge priority to 0 should make the local bridge the root bridge. The default value is 32,768; valid values range from 0 to 65,535.

time

The time parameter is a value in seconds. Defaults and ranges are described above in the description of the individual commands.

protocols

The protocols parameter is used by the set bridge filter add and set bridge filter remove commands to modify the bridge protocol filtering database. Enter any number of protocols to be added or removed. The interface currently recognizes the IP, IPX, ATP1 (AppleTalk Phase 1), ATP2 (AppleTalk Phase 2), and Decnet keywords.
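The following Python program is an added example, not code from the guide or from the bridge firmware. It models the two-level filtering decision described under BRIDGE FILTERING, using the protocol keywords listed above: the routing decision is applied first on both the receiving and the transmitting port, then each port's explicit filter list under its permit or deny setting. The class, the function names and the two-port scenario are assumptions of the example, as is the treatment of an empty filter list as "no explicit filtering", which follows from the stated default of bridging any protocol not being routed.

```python
# Added example, not code from the Compatible Systems guide: a model of the
# two-level bridge filtering decision described under BRIDGE FILTERING.
# Class and function names are my own. The precedence rule (routing first,
# then the explicit per-interface list under permit/deny) and the protocol
# keywords are the guide's. Assumption: a port whose filter list is empty
# applies no explicit filtering, matching the default of bridging any
# protocol that is not routed.

PROTOCOLS = {"IP", "IPX", "ATP1", "ATP2", "DECNET"}


class BridgePort:
    """Bridging state of one interface, as the set bridge commands shape it."""

    def __init__(self, name, bridging=True, routed=(), mode="permit"):
        if mode not in ("permit", "deny"):
            raise ValueError("mode must be 'permit' or 'deny'")
        self.name = name
        self.bridging = bridging                    # set bridge on / off
        self.routed = {p.upper() for p in routed}   # protocols this port routes
        self.mode = mode                            # set bridge filter permit / deny
        self.filter_list = set()                    # set bridge filter add / remove

    def filter_add(self, *protos):
        for p in protos:
            p = p.upper()
            if p not in PROTOCOLS:
                raise ValueError(f"unknown protocol keyword {p}")
            self.filter_list.add(p)

    def filter_remove(self, *protos):
        for p in protos:
            self.filter_list.discard(p.upper())

    def explicit_filter(self, proto):
        """Return a discard reason from this port's explicit list, or None."""
        if not self.filter_list:
            return None                    # assumption: empty list = no filtering
        listed = proto in self.filter_list
        if self.mode == "permit" and not listed:
            return f"{proto} is not in the permit list of {self.name}"
        if self.mode == "deny" and listed:
            return f"{proto} is in the deny list of {self.name}"
        return None


def bridge_decision(rx, tx, proto):
    """Decide the fate of a frame of protocol `proto` received on `rx` and
    destined out `tx`. Returns 'forward' or 'discard: <reason>'."""
    proto = proto.upper()
    for port in (rx, tx):
        if not port.bridging:
            return f"discard: bridging is off on {port.name}"
    # Level 1: the routing decision wins. Routing must be off for the
    # protocol on both the receiving and the transmitting interface.
    for port in (rx, tx):
        if proto in port.routed:
            return f"discard: {proto} is routed on {port.name}"
    # Level 2: explicit bridge protocol filtering on either port.
    for port in (rx, tx):
        reason = port.explicit_filter(proto)
        if reason:
            return "discard: " + reason
    return "forward"


def sample_decisions():
    """Constructed two-port scenario mirroring the guide's EXAMPLES section:
    both ports route IP, and port B denies AppleTalk Phase 1."""
    a = BridgePort("ethernet a", routed=("IP",))
    b = BridgePort("ethernet b", routed=("IP",), mode="deny")
    b.filter_add("ATP1")
    return {p: bridge_decision(a, b, p) for p in ("IP", "IPX", "ATP1", "ATP2")}
```

The returned reasons make the precedence visible: IP is discarded because it is routed, regardless of what the filter lists say, while ATP1 only reaches the explicit deny list because no port routes it.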

EXAMPLES

The following example will turn bridging on between Ethernet ports A and B for protocols other than currently routed protocols.

interface ethernet a
set bridge on
interface ethernet b
set bridge on

To turn bridging off, for each interface on which bridging is enabled:

interface ethernet a
set bridge off
interface ethernet b
set bridge off

To turn Spanning Tree on:

set bridge mode ieee

To set the root bridge and change the hello time for the network:

set bridge spanning priority 0
set bridge spanning hello 4


NOTES

It is possible to receive an error message indicating that an invalid priority or path cost has been entered when enabling an interface for the first time using the set bridge on command. Re-enable the interface using the following parameters:

set bridge on 128 100

This will set appropriate default parameters for the interface priority and path cost.

SEE ALSO

[ Bridging <Section ID> ], [ Bridging Global ], bridge(show), save(mgmt), interface(mgmt), enable(mgmt)


ppp quality(set)

COMMAND NAME

set ppp quality - Set Point-to-Point Protocol (PPP) link quality parameters.

SYNOPSIS

set ppp quality echo on
set ppp quality echo off
set ppp quality echo interval <seconds>
set ppp quality echo threshold <misses> <total>

DESCRIPTION

These commands are used to configure runtime link quality parameters within the device. When the system is rebooted the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ PPP <Section ID> ] section. All of these commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)).

To monitor the quality of a WAN link, echo packets are sent out at a specified interval and the responses are counted. The link will be dropped if the number of missed packets out of the total echo packets sent exceeds the specified parameters. The link can then be re-established with a (hopefully) better quality line, or, if a multilink is being used, data can be diverted away from the downed link. (See the [ Multilink PPP <Name> ] section for more information on multilinks.) Echo packets will not affect the inactivity timer of a dialup connection.

The set ppp quality echo commands are described below:

set ppp quality echo on

This command enables link quality testing for the current interface.

set ppp quality echo off

This command disables link quality testing for the current interface.

set ppp quality echo interval

This command is used to set the frequency in seconds at which echo packets will be sent. This command also sets the amount of time in which an echo response must be received in order not to be counted as missed. The seconds value must be in the range of 1 to 255 seconds. The default is 1 second.

set ppp quality echo threshold

This command is used to set the desired quality of the WAN link. The misses option sets the number of echo reply packets that must be missed out of the last total echo packets sent for the link to be dropped. The misses parameter can have a value of 1-32 and must be less than or equal to total. The default is 8. The total parameter can have a value of 1-32 and must be greater than or equal to misses. The default is 32.


EXAMPLES

The following commands will turn on runtime echo link quality testing for port WAN 0. Echo packets will be sent every 5 seconds. If 3 out of the last 30 echo packets are missed, the link will be dropped:

interface wan 0
set ppp quality echo interval 5
set ppp quality echo threshold 3 30
set ppp quality echo on
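The following Python program is an added example, not code from the guide or the router firmware. It models the echo link quality test with the defaults, ranges and drop rule given above (misses out of the last total echo packets; a reply arriving later than the interval counts as missed), driven by a constructed pattern of echo replies that reproduces the 3-of-30 example. The class and function names and the reply pattern are assumptions of the example.

```python
# Added example, not code from the Compatible Systems guide: a model of the
# set ppp quality echo link test. Names are my own; the rule applied is the
# guide's: drop the link when `misses` of the last `total` echo packets went
# unanswered, with 1 <= misses <= total <= 32 and interval in 1..255 s.

from collections import deque


class EchoQualityMonitor:
    def __init__(self, interval=1, misses=8, total=32):
        if not 1 <= interval <= 255:
            raise ValueError("interval must be 1..255 seconds")
        if not (1 <= misses <= total <= 32):
            raise ValueError("need 1 <= misses <= total <= 32")
        self.interval = interval            # seconds between echoes; also the reply deadline
        self.misses = misses
        self.total = total
        self.window = deque(maxlen=total)   # True = reply missed, for the last `total` echoes
        self.link_up = True

    def record_echo(self, reply_delay):
        """Account for one echo packet. reply_delay is the seconds until its
        reply arrived, or None if no reply came. A reply later than the
        interval counts as missed. Returns the link state afterwards."""
        missed = reply_delay is None or reply_delay > self.interval
        self.window.append(missed)
        if self.link_up and sum(self.window) >= self.misses:
            self.link_up = False            # link dropped; re-dial happens elsewhere
        return self.link_up

    def missed_in_window(self):
        return sum(self.window)


def run_sample(misses=3, total=30, interval=5, pattern=None):
    """Feed a constructed reply pattern through the monitor and return
    (link_up, missed_count). Pattern values: seconds to reply, or None."""
    mon = EchoQualityMonitor(interval=interval, misses=misses, total=total)
    if pattern is None:
        # Constructed sample: 27 prompt replies, one slow reply, two lost replies.
        pattern = [0.2] * 27 + [7.0, None, None]
    for delay in pattern:
        mon.record_echo(delay)
    return mon.link_up, mon.missed_in_window()
```

Because the window only holds the last total echoes, an old miss slides out as good replies arrive; a pattern of one miss, thirty good replies and then two misses leaves the link up at two misses, which is the behaviour to expect on a line with isolated glitches.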

SEE ALSO

[ PPP <Section ID> ], [ Multilink PPP <Name> ], interface(mgmt), ppp(show)


smds(set)


COMMAND NAME

set smds keepalive - Enable or disable SMDS keepalive.

SYNOPSIS

set smds keepalive off
set smds keepalive on [ <polling frequency> ]

DESCRIPTION

These runtime commands are used to enable or disable keepalive for SMDS. When the system is rebooted the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ SMDS <Section ID> ] section. These commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)).

When keepalive is enabled, the router periodically polls the SMDS switch. If the switch does not respond within 60 seconds the router will declare the SMDS link down and stop sending packets over it. Use set smds keepalive on to enable keepalive on the interface where SMDS is activated. Use set smds keepalive off to shut keepalive off on the interface where SMDS is activated. Turning keepalive off will automatically declare the SMDS link up.

OPTIONS

polling frequency

This option sets the interval to be used to poll the SMDS switch. The default value is 5 seconds. The allowed range is 0 to 30 seconds. Choosing a value of 0 seconds is equivalent to shutting keepalive off.

EXAMPLES

The following example will activate keepalive on interface WAN 0 and set the polling frequency to 10 seconds.

interface wan 0
set smds keepalive on 10

To turn keepalive off:

interface wan 0
set smds keepalive off

SEE ALSO

interface(mgmt), enable(mgmt), [ SMDS <Section ID> ], smds(show), save(mgmt)


system log(set)

COMMAND NAME

set system log - Set global system logging parameters.

SYNOPSIS

set system log off
set system log on
set system log level <log level>
set system log aux
set system log noaux
set system log remote <syslog IP addr> <local facility>
set system log noremote
set system log clear
set system log port [ enable | disable ] <port>

DESCRIPTION

The set system log commands set runtime logging parameters. When the system is rebooted the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ Logging ] section. The system log facility is used to pass configuration, error, and debug information to the device administrator. Log messages can be saved in an internal buffer, sent to the AUX port, or sent to a UNIX-style syslog facility. Messages stored in the internal buffer can be viewed later by the show system log command (see system(show)) or from the Windows or Macintosh CompatiView managers. Logging can be configured to use one or more of the logging facilities.

The set system log commands are described below:

set system log off

This command disables all logging in the device.

set system log on

This command enables logging to the internal buffer. It also enables AUX port logging and syslog logging if they are configured on using the set system log aux and set system log remote commands, respectively.

set system log level

This command determines the detail of messages logged. The level applies to all types of logging.

set system log aux

This command enables logging to the AUX serial port. The default serial rate for the AUX port is 9600 baud. The global logging on/off setting takes precedence over this setting. <CTRL-Z> at the console will toggle this setting.

set system log noaux

This command disables logging to the AUX serial port. This is the default. <CTRL-Z> at the console will toggle this setting.


set system log remote

This command enables logging to a remote UNIX-style syslog daemon. See syslog(sys) on the remote host for details on configuring syslog. The global logging on/off setting takes precedence over this setting.

set system log noremote

This command disables logging to a remote syslog daemon. This is the default.

set system log clear

This command clears the internal log buffer.

set system log port

This command specifies the ports for which log messages will be generated. This is used to limit the number of messages generated.

OPTIONS

log level

The log facility has 7 levels of log detail:

0/Emergency means that you will receive logging information only when the system is unusable. These log messages will help indicate the source of the problem.
1/Alert reports only alert and emergency messages. An alert message requires immediate attention.
2/Critical reports critical, alert and emergency messages. A critical condition requires immediate attention.
3/Error reports exception cases pertaining to violations of protocols or other operational rules. Such violations may include illegal packets and improper command syntax.
4/Warning reports problems which may need a response. Examples include network number conflicts and resource allocation problems. If Warning messages are repeated, they require a response.
5/Notice reports information that may be useful on a day-to-day basis by an administrator but generally does not require any response. Examples include login/logout, serial line resets, and LAN-to-LAN connections. This setting is suitable for most conditions.
6/Info reports routine information, such as WAN network connect and disconnect messages.
7/Debug reports every action of the device and should not be used on a day-to-day basis since it generates a large number of log messages.


Emergency is the least verbose level but contains the most important messages. Debug is the most verbose level. Debug level is useful for getting detailed information on dialing chat scripts and link activity. The default level is Notice.

syslog IP addr

The IP address of the host running syslog. Enter it in the standard dotted decimal notation.

local facility

A value between 0-7 which determines the syslog facility to which log messages are sent. The remote syslog daemon should be configured to accept messages sent to LOCALx, where x is equal to the value configured here.

[ enable | disable ]

enable specifies that log messages will be generated for the port. disable stops the generation of log messages for the specified port.

port

The port number.

EXAMPLES

The following commands will turn on runtime logging at level DEBUG (7). Log messages will go to the internal buffer and to the AUX port.

set system log level debug
set system log aux
set system log on

To turn off logging in the saved config:

set system log off
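The following Python program is an added example, not code from the guide or from any syslog implementation. It shows the receiving side of set system log remote: the device sends to facility LOCALx for the configured local facility x, and only messages at or below the configured level are logged. The level numbers and names are the guide's; the PRI arithmetic (PRI = facility x 8 + severity, with LOCAL0 = 16) is the standard BSD syslog encoding and is not stated by the guide. The sample lines and the function names are constructed for the example.

```python
# Added example, not code from the Compatible Systems guide: a receiver-side
# check for the remote logging described under set system log remote. The
# level table is the guide's; the PRI encoding (PRI = facility * 8 +
# severity, LOCAL0 = 16) is the standard BSD syslog convention, not
# something the guide states. Sample lines are constructed, not captured.

import re

LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}
NAMES = {v: k for k, v in LEVELS.items()}
LOCAL0 = 16   # facility code of LOCAL0; LOCALx = 16 + x


def expected_pri(local_facility, level):
    """PRI value a message at `level` carries when the device was configured
    with 'set system log remote <addr> <local_facility>'."""
    if not 0 <= local_facility <= 7:
        raise ValueError("local facility must be 0..7")
    if level not in NAMES:
        raise ValueError("level must be 0..7")
    return (LOCAL0 + local_facility) * 8 + level


PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Split a raw syslog line into (facility_name, level_name, text)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI field")
    facility, severity = divmod(int(m.group(1)), 8)
    if LOCAL0 <= facility <= LOCAL0 + 7:
        fac_name = f"LOCAL{facility - LOCAL0}"
    else:
        fac_name = f"facility{facility}"
    return fac_name, NAMES[severity], m.group(2)


def accepted(line, local_facility, max_level):
    """Keep only lines from the configured LOCALx facility at or below the
    configured level (lower number = more important)."""
    fac, lvl, _ = parse_pri(line)
    return fac == f"LOCAL{local_facility}" and LEVELS[lvl] <= LEVELS[max_level]


def filter_lines(lines, local_facility=0, max_level="notice"):
    return [parse_pri(l) for l in lines if accepted(l, local_facility, max_level)]


SAMPLE = [   # constructed lines, not output of a real device
    "<133>router1 login from console",              # LOCAL0 (16*8 = 128) + notice (5)
    "<135>router1 ppp: LCP echo sent on wan 0",     # LOCAL0 + debug (7)
    "<129>router1 WAN 0 carrier lost",              # LOCAL0 + alert (1)
    "<141>router2 LOCAL1 notice from another host", # LOCAL1 (17*8 = 136) + notice (5)
]
```

With the defaults (local facility 0, level Notice) the filter keeps the login and carrier-loss lines and drops the debug echo line and the LOCAL1 line from the other host; raising the level to Debug admits the echo line as well, which is the flood the guide warns about.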

SEE ALSO

system(show), [ Logging ]


terminal(set)

COMMAND NAME

set terminal - Set command line terminal settings.

SYNOPSIS

set terminal width <columns>
set terminal height <rows>
set terminal more
set terminal nomore
set terminal enhanced
set terminal noenhanced
set terminal erase [ bs | del ]
set terminal print [ numbers | letters ]

DESCRIPTION

These commands are used to configure runtime terminal settings that define the way that the command parser interacts with the user. If more than one session is active at a given time, they can have different terminal settings. Typically, these commands only affect the current parser session. However, the default settings of the erase character, more processing, and enhanced mode can be configured and permanently remembered between sessions by being in supervisor mode when the command is issued (see enable(mgmt)). The status of the current terminal configuration can be displayed with the show version command (see version(show)).

The set terminal commands are described below.

set terminal width

This command is used to set the terminal width. This variable is only used for informational purposes in this release of the command parser. The default is 80 columns, but it may also be set by the telnet client, if the client supports it.

set terminal height

This command is used to set the terminal height. The command parser uses the height variable to determine screen sizes, especially in conjunction with the set terminal more option described below. The default is 24 rows, but it may also be set by the telnet client, if the client supports it.

set terminal more and set terminal nomore

The command parser supports "more" processing of all displayed output. With set terminal more enabled, displayed output longer than the configured terminal height will be paused and a "--more--" prompt will be displayed. To display the next screen of data, enter a <SPACE>. To display only the next line of data, enter a <RETURN>. Any other input terminates the output and the next command prompt will be displayed. The set terminal nomore command disables this feature. The default is set terminal more.


set terminal enhanced and set terminal noenhanced

The command parser supports an "enhanced" mode. With set terminal enhanced enabled, if the parser cannot decipher the input entered or an invalid option was entered for a command, the parser will redisplay the portion that was successfully parsed. The set terminal noenhanced command disables this feature. The default is set terminal enhanced.

set terminal erase

This command sets the parser's erase character. Only <BACKSPACE> and <DELETE> are supported as erase characters. The default is <BACKSPACE>.

set terminal print

This command tells the parser whether interfaces should be displayed with numbers or letters. The default is numbers.

OPTIONS

columns

This option is used by the set terminal width command to enter the width of the screen in characters.

rows

This option is used by the set terminal height command to enter the height of the screen in lines.

bs

This option sets the erase character to <BACKSPACE>.

del

This option sets the erase character to the <DELETE> key.

numbers

This option sets the parser to display interfaces as numbers.

letters

This option sets the parser to display interfaces as letters.

SEE ALSO

version(show), save(mgmt), enable(mgmt), [ Command Line ]


wan connect(set)

COMMAND NAME

set wan connect - Set runtime Wide Area Network (WAN) connection parameters.

SYNOPSIS

set wan connect mode dedicated [ <connect script> ]
set wan connect mode alwaysup <connect script> [ Incoming_allowed ]
set wan connect mode dialup [ in | out | both ] <connect script>

DESCRIPTION

The set wan connect mode commands are used to configure runtime connection characteristics for the current WAN interface. When the system is rebooted, the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ Link Config <Section ID> ] section. These commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)).

Note: The default for RS-232 interfaces is dialup. The default for V.35 interfaces is dedicated.

set wan connect mode dedicated

This command is used for links that are available regardless of traffic activity and do not need dialing commands.

set wan connect mode alwaysup

This command should be used for links which require dialing commands to be issued. An alwaysup link will stay up regardless of the activity on the link. If the link drops for any reason, it will be brought back up immediately. An alwaysup link requires that your communications device (modem, CSU/DSU, TA, etc.) be set to raise the DCD (Data Carrier Detect) line when a connection is established, and drop it when the connection is terminated.

set wan connect mode dialup

This command should be used for links which require dialing commands to be issued. A dialup link will be brought up and down based upon the activity on the link. A dialup link requires that your communications device (modem, CSU/DSU, TA, etc.) be set to raise the DCD (Data Carrier Detect) line when a connection is established, and drop it when the connection is terminated. For interfaces set to dialup, there are certain maintenance packets for each protocol (IP, IPX, etc.) which will not cause an inactive link to be dialed. This is a security measure that keeps intruders out and allows on-demand links to be useful.

OPTIONS

connect script

This is the name of the chat script used for outgoing connections.


Incoming_allowed

This option enables answering of incoming calls.

in | out | both

These options set how the device will handle an on-demand link. The in option allows the device to accept incoming on-demand PPP connections from other routers or end-node clients. The out option specifies that incoming packets from another interface on this device will initiate a dialing sequence if the link is not already connected. If the link is already connected, then the packets will simply be forwarded. The both option allows the device to perform both functions.

EXAMPLES

Set WAN 0's runtime configuration to a dialup in/out connection using connect script "dial out":

interface wan 0
set wan connect mode dialup both "dial out"

SEE ALSO

wan(show), interface(mgmt), [ Link Config <Section ID> ], [ Chat <Name> ]


wan csu(set)

COMMAND NAME

set wan csu - Set internal CSU parameters.

SYNOPSIS

set wan csu loopback dte [ local | framer | off ]
set wan csu loopback local [ line | payload | off ]
set wan csu loopback remote [ line | v54 | off ]
set wan csu loopback accept [ line | v54 | all | none ]

DESCRIPTION

The set wan csu loopback commands are used to configure runtime parameters for the CSU on the current WAN interface. When the system is rebooted, the parameters will revert to the last saved values. To make permanent changes to the configuration, use the [ T1 Interface <Section ID> ] section. These commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)).

set wan csu loopback dte

This command configures the device to perform DTE (Data Terminal Equipment) loopback, which is a diagnostic test of the internal CSU/DSU and the local DTE. DTE loopback will loop data between the device's serial driver and its internal CSU/DSU.

local | framer | off

The framer option tests the device's DTE by looping data out the device's serial driver back into the serial receiver at the input to the internal DSU. The local option tests the entire CSU/DSU by looping data out the device's serial driver back into the serial receiver through the internal CSU/DSU. The off option disables DTE loopback. The default value is off.

set wan csu loopback local

This command configures the device to perform local loopback, which is a diagnostic line test which forces the device's CSU to loop data received from the network back out to the network.

line | payload | off

During line loopback, all data, including framing and overhead bits, is immediately looped once it is received off the T1 line. During payload loopback, data is stripped of framing and overhead bits before being passed through all the CSU's circuitry before it is looped back. The off option disables local loopback. The default value is off.

set wan csu loopback remote

This command enables you to put the far end T1 terminal into loopup. It manipulates the CSU on the remote end of your connection by sending out a specific bit pattern which is recognized by the remote CSU. Compatible Systems devices support two different loopup sequences. You may need to check the far end unit to see which sequences are supported and enabled.

line | v54 | off

The line option initiates the transmission of the inband loopup code specified by AT&T 64211. (This is only done in conjunction with the phone company.) The v54 option activates the transmission of a V.54 loopup pattern. The off option disables remote loopback. The default value is off.

set wan csu loopback accept

This command directs your local device to recognize a loopup code sent by a remote device.

line | v54 | all | none

The line option directs the device to recognize the inband loopup code specified by AT&T 64211. (This is only done in conjunction with the phone company.) The v54 option directs the device to recognize the V.54 loopup pattern. The all option directs the device to recognize both loopup patterns. If the none option is selected, the device will not recognize any loopback code sent by a remote device. The default is all.

SEE ALSO

wan(show), interface(mgmt), [ T1 Interface <Section ID> ]


wan ds3(set)


COMMAND NAME

set wan ds3 - Set internal CSU parameters.

SYNOPSIS

set wan ds3 loopback dte on
set wan ds3 loopback dte off
set wan ds3 loopback local on
set wan ds3 loopback local off
set wan ds3 loopback remote on
set wan ds3 loopback remote off

DESCRIPTION

The set wan ds3 loopback commands are used to configure runtime parameters for the CSU on the current DS3 WAN interface. When the system is rebooted, the parameters will revert to the last saved values. These commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)).

set wan ds3 loopback dte on

This command configures the device to perform DTE (Data Terminal Equipment) loopback, which is a diagnostic test of the internal CSU/DSU and the local DTE. A more thorough test can be performed by connecting the transmit and receive connectors with a single DS3 cable.

set wan ds3 loopback dte off

This command disables DTE loopback.

set wan ds3 loopback local on

This command configures the device to perform local loopback, which is a diagnostic line test which forces the device's CSU to loop data received from the network back out to the network.

set wan ds3 loopback local off

This command disables local loopback.

set wan ds3 loopback remote on

This command enables you to put the far end DS3 terminal into loopup. It manipulates the CSU on the remote end of your connection by sending out a specific bit pattern which is recognized by the remote CSU.

set wan ds3 loopback remote off

This command disables remote loopback. The default value is off.

SEE ALSO

wan(show), interface(mgmt), [ DS3 Interface <Section ID> ]


wan hssi(set)

COMMAND NAME

set wan hssi - Set HSSI interface parameters.

SYNOPSIS

set wan hssi loopback localdte
set wan hssi loopback localline
set wan hssi loopback remote
set wan hssi loopback off
set wan hssi clock [ external | internal ]

DESCRIPTION

The set wan hssi loopback commands are used to send commands to the DCE (usually a CSU/DSU) on the current HSSI interface. These commands set interface-specific parameters and require the use of the interface command to determine which interface to configure (see interface(mgmt)).

set wan hssi loopback localdte

This command issues a command over the HSSI interface instructing the DCE to loop back data from the DTE back to the DTE. This command is useful for testing the integrity of the HSSI line. Many CSU/DSU manufacturers will also refer to this as a Channel-side loopback. While the CSU/DSU is in this mode, a network administrator can verify that the connection between the local interface and the CSU/DSU is working properly by configuring the connection for PPP (see the [ PPP <Section ID> ] section) and seeing if the wan port goes into "magic loopback." In most cases, magic loopback can be verified by performing a show statistics hssi command and then checking if the counters for input and output packets rise without any errors accumulating.

set wan hssi loopback locallineThis command issues a command over the HSSI interface instructing the DCE to loop back data from the network port (usually a DS3 interface) back out the network port. This command is useful for testing the line from the local CSU/DSU to the remote device. Many CSU/DSU manufacturers will also refer to this as a Line-side loopback. While the CSU/DSU is in this mode, a network administrator can verify that the connection between the local CSU/DSU and the remote device is working properly by configuring the connection for PPP (see the [ PPP <Section ID> ] section) and seeing if the WAN port on the remote device goes into "magic loopback." Magic loopback can be verified using the instructions in the set wan hssi loopback localdte command.


set wan hssi loopback remote This command is very similar to the set wan hssi loopback localline command except that it's the remote CSU/DSU which will be put into a line-side loopback. Also, the result of the command will be that the local interface that you performed this function on will go into "magic loopback" if the network port is configured for PPP (see the [ PPP <Section ID> ] section). This command is useful for testing the line from the local device through to the remote CSU/DSU.Magic loopback can be verified using the instructions in the set wan hssi loopback localdte command.

set wan csu loopback remote off
This command disables all loopback commands.

The set wan hssi clock command sets whether the interface will use its own internal clock or obtain the clock from the DCE. This is a runtime parameter which means when the system is rebooted, the configuration will revert to the last saved values. The internal option specifies that an internal 33 Mb clock is used. Internal clocking should only be used when testing between two back-to-back HSSI ports connected via a NULL-modem cable. The external option specifies that the clock provided by the DCE is used. Always use external clocking when attached to a CSU/DSU. The default is external.

SEE ALSO
wan(show), interface(mgmt), [ PPP <Section ID> ], [ HSSI Interface <Section ID> ]

all(show)

COMMAND NAME
show all - Show summary of router parameters, variables and statistics.

SYNOPSIS
show all [ Verbose ]

DESCRIPTION
The show all command displays most of the system configuration and status. The information displayed by this command is also displayed by other show commands; refer to the referenced commands for details on each item. The information displayed varies with the hardware platform and the software configuration. The following is a list of the information displayed:

General Information
This section displays general system configuration information. The same information is displayed with the show version verbose command.

IP Configuration
This section displays the IP routing configuration. The same information is displayed with the show ip config command.

IPX Configuration
This section displays the IPX routing configuration. The same information is displayed with the show ipx config command.

AppleTalk Configuration
This section displays the AppleTalk routing and tunnel configurations. The same information is displayed with the show appletalk config and show appletalk tunnels commands.

DECnet Configuration
This section displays the DECnet routing configuration. The same information is displayed with the show decnet config command.

WAN/PPP Configuration
This section displays the WAN port and PPP protocol configuration. The same information is displayed with the show wan serial config, show wan connect config, and show ppp lcp commands.

STEP Configuration
This section displays the STEP configuration. The same information is displayed with the show step config command.

Bridge/Spanning Tree Configuration
This section displays the bridge and Spanning Tree protocol configuration. The same information is displayed with the show bridge config and show bridge spigots commands.

Runtime Status
This section displays the runtime status of the various system interfaces. The same information is displayed with the show os netif command.

OPTIONS
Verbose

This option causes the command to display even more information.

SEE ALSO
version(show), ip(show), ipx(show), appletalk(show), decnet(show), wan(show), ppp(show), vpn(show), bridge(show), os(show)

appletalk(show)

COMMAND NAME
show appletalk - Show AppleTalk configuration parameters.

SYNOPSIS
show appletalk config [ Ethernet | Localtalk | WAN | VPN ] [ <port> ] [ Status ]
show appletalk runtime [ Ethernet | Localtalk | WAN | VPN ] [ <port> ]
show appletalk zones
show appletalk filters [ Ethernet | Localtalk | VPN ] [ <port> ]
show appletalk tunnels [ Ip | Filters ]
show appletalk routing [ Verbose ]
show appletalk nbp
show appletalk cache
show appletalk statistics

DESCRIPTION
The show appletalk commands display configured and runtime AppleTalk parameters.

show appletalk config
The show appletalk config command will display the AppleTalk configuration parameters for all of the interfaces. For more information about how to set the parameters see the [ AppleTalk <Section ID> ] section.

Port    Phase  Seed  Netnum         Node  Zone Name
Ether0  1      ** Disabled **
Ether0  2      On    35000 - 35030  n/a   Hardware
Ether1  1      ** Disabled **
Ether1  2      On    2300 - 2400    186   Swizzle Net
Ether2  1      ** Disabled **
Ether2  2      On    45000 - 45030  n/a   Printer-Engineering
Ether3  1      ** Disabled **
Ether3  2      ** Disabled **
Bridge  1      ** Disabled **
Bridge  2      ** Disabled **
Wan     0      Unnumbered

Remote Address: 0:0 <Trigger>

NBP Filters:
                Stay in  Lookups      Tilde    Laser-
Port    Phase   zone?    In    Out    Devices  Writers
Ether0  1       ** Disabled **
Ether0  2       Off      Off   Off    Off      Off
Ether1  1       ** Disabled **
Ether1  2       Off      Off   Off    Off      Off
Ether2  1       ** Disabled **
Ether2  2       Off      Off   Off    Off      Off
Ether3  1       ** Disabled **
Ether3  2       ** Disabled **
Bridge  1       ** Disabled **
Bridge  2       ** Disabled **
Wan     0       Off      Off   Off    Off      Off

Appletalk Zone List:
Software
Hardware
Engineering
Swizzle Net
Red-Net
Printer-Engineering

The information shown is:

Port
This identifies the AppleTalk interface. Ethernet interfaces can have three virtual AppleTalk networks associated with them.

Phase
This identifies the type of AppleTalk network. On Ethernet, this identifies the virtual AppleTalk networks on the physical wire.

Seed
This displays the seed status of the AppleTalk interface. Possible seed identifiers are Seed, Auto or Non [seed]. If the interface is off, ** Disabled ** is displayed. On a WAN interface, the possible seed identifier can be Unnumbered.

Netnum
This is the network number configured when the interface is configured as a seed port.

Node
This is the AppleTalk node number configured as the initial guess for the router when doing the AppleTalk address probing at startup. This value isn't necessarily the same as the value being used by the router after doing the address probing at startup.

Zone Name
This is the zone name configured when the interface is configured as a seed port.

WAN Ports
On WAN interfaces, additional information shows the Remote Node Address as (net:node) and the RTMP update method, (Trigger or Periodic).

Filters
The filter configuration shows all NBP filters that have been configured into the router.

Appletalk Zone List
This shows the AppleTalk zone list configured for any seeded Ethernet Phase 2 interfaces on the router. The default zone is shown in the main section of the display. This shows only extra zones entered with the Zone keyword in the [ AppleTalk <Section ID> ] section.

ANSP Backward compatibility:
This shows whether ANSP compatibility mode is enabled or disabled.

show appletalk runtime
This command shows the AppleTalk parameters that are currently running in the router. The format of this information is the same as that shown above for the show appletalk config command except this information may be different than the configured information due to the dynamic nature of AppleTalk routing. The information will reflect the runtime status of the AppleTalk networks that are connected to the router.

show appletalk zones
This shows the AppleTalk zone list configured for any seeded Ethernet Phase 2 interfaces on the router. See the [ AppleTalk <Section ID> ] section for an explanation of adding zone names to a zone list.

show appletalk filters
For all AppleTalk interfaces, this shows the NBP filters that are configured in the router. See the [ AppleTalk <Section ID> ] section for an explanation of adding NBP filters to an AppleTalk interface of the router.

NBP Filters:
                Stay in  Lookups      Tilde    Laser-
Port    Phase   zone?    In    Out    Devices  Writers
Ether0  1       ** Disabled **
Ether0  2       Off      On    Off    Off      Off
Ether1  1       Off      Off   Off    Off      Off
Ether1  2       Off      Off   Off    Off      Off
Ether2  1       ** Disabled **
Ether2  2       ** Disabled **
Ether3  1       ** Disabled **
Ether3  2       ** Disabled **
Bridge  1       ** Disabled **
Bridge  2       ** Disabled **

AppleTalk Packet Filters:
Apple VPN0 (1)
1: permit network = 200
   Matches: 122015
2: permit network = 210
   Matches: 121954
3: permit network = 220
   Matches: 121954
4: permit network = 230
   Matches: 0
5: permit network = 666
   Matches: 122013

show appletalk tunnels
This command shows the AppleTalk-in-IP tunneling parameters. See the [ AppleTalk Tunnels ] section for an explanation of configuring AppleTalk tunnels. The following is output from the show appletalk tunnels command.

Tunnel Partners:
198.41.11.106
No filtered nets entered, all nets are recognized

show appletalk routing
This command shows the current AppleTalk routing table. The directly connected AppleTalk networks are shown first, followed by the dynamic routes discovered via the RTMP protocol. An AppleTalk routing table is shown below.

Directly connected routes:
Network        Gateway   Port      Hop  Age  Flgs  Zone Name
3456           3456:34   Wan 0     0    0    0d00  Invisible Zone
55400 - 55400  55400:63  Eth 0 P2  0    0    0f00  Eng.Lab Phase 2

Dynamic routes discovered via RTMP:
Network        Gateway   Port      Hop  Age  Flgs  Zone Name
1 - 1          55400:21  Eth 0 P2  3    0    0f00  P2Ether1 A5BEEF55
2 - 2          55400:21  Eth 0 P2  3    0    0f00  P2Ether2 A5BEEF56
3 - 3          55400:21  Eth 0 P2  3    0    0f00  P2Ether3 A5BEEF57
5              55400:21  Eth 0 P2  3    0    0d00  Main Ethernet
6              55400:21  Eth 0 P2  3    0    0d00  Backbone Phase1
8 - 8          55400:21  Eth 0 P2  4    0    0f00  Kahunet
                                                   Zones: Kahunet-too
10 - 30        55400:21  Eth 0 P2  3    0    0f00  Main Phase2-1
                                                   Zones: Main Phase2-2 Server Zone
50             55400:21  Eth 0 P2  3    0    0d00  Net Modem
100            55400:21  Eth 0 P2  3    0    0d00  Main LocalTalk
200 - 200      55400:21  Eth 0 P2  4    0    0f00  DemoNet Zone
210            55400:21  Eth 0 P2  5    0    0d00  DemoNet Zone
220            55400:21  Eth 0 P2  5    0    0d00  DemoNet Zone
275            55400:21  Eth 0 P2  4    0    0d00  demo-dialin-remote-zone

The routing table is shown in two sections. The first is the network information for the directly connected networks. The second section shows the dynamic routes obtained through RTMP packets on the directly connected networks. The information shown in the routing table is explained below.

Network
This is the network number of the AppleTalk route. For extended networks, the lower and upper numbers of the range are shown.

Gateway
This is the AppleTalk address (net:node) of the router responsible for the network. Packets bound to that network are sent to the router at that address to be forwarded. For the entries shown in the direct-connect section, this is the AppleTalk address of the router.

Port
This is the interface through which the route was received and identifies the interface where the gateway is located.

Hop
This is the number of hops to the network. It represents the number of routers that a packet will traverse until it reaches the network. The hop count cannot be greater than 16 on an AppleTalk internet.

Age
This is the age of the route in terms of AppleTalk aging parameters. A value of 1 represents a "suspect" state, meaning that the gateway router hasn't broadcasted information about the route within the last 10 seconds. Since this router's aging timer and the peer router's RTMP timers (every 10 seconds) are not in sync, it is common to see the age of a route set to 1. A value of 2 or 3 represents 20 and 40 seconds after the route has become "suspect." When the age becomes 3, the route is deleted.

Flgs
These are internal flags used by the router to maintain the routing tuple.

Zone Name
These are the zone names associated with the route. If the route is non-extended, this is the only zone name shown. If the route is extended, this is the default zone name, and if there are more zones, they are shown in groups of three on subsequent lines below the tuple.

show appletalk nbp
This command shows the NBP registration table currently running in the router. The information includes the name, type, zone and socket number the service is registered on.

show appletalk cache
This command shows the AppleTalk fast-routing cache available in Compatible's Ethernet-to-Ethernet routers. This fast-routing cache enables this class of router to route at full Ethernet wire speed.

show appletalk statistics
This command shows AppleTalk DDP statistics for packets destined for the router or forwarded by the router. Currently, this command is disabled for the MicroRouter 1000R.

OPTIONS
Ethernet | Localtalk | WAN | VPN

This option allows selective display of information about a specific type of interface. When a type is specified, all the interfaces of that type are shown in the command's output.

port
This option allows selective display of information about a specific interface (i.e., Ethernet 0, WAN 0, etc.).

Status
This option specifies that the AppleTalk runtime information be shown. It is the same output as that shown for the show appletalk runtime command.

IP | Filters
These options allow selective display of AppleTalk-in-IP tunneling parameters. IP specifies that the IP numbers of the tunneling partners be shown. Filters specifies that the filtered AppleTalk network numbers be shown.

Verbose
This shows detailed information about the AppleTalk routing table. This includes more information about the status of the zones, interpretation of the routing flags and internal routing table information.

SEE ALSO
appletalk(reset), [ AppleTalk <Section ID> ], [ AppleTalk Tunnels ]

arp(show)

COMMAND NAME
show arp - Show Address Resolution Protocol (ARP) cache.

SYNOPSIS
show arp

DESCRIPTION
This command shows the contents of a router's Address Resolution Protocol cache. This cache holds the mapping between a high-level protocol address and the physical address. The physical address may be either an IEEE Ethernet address, SMDS station address or a Frame Relay DLCI which can be converted into a Frame Relay Q.922 hardware address. ARP entries are added to the cache either dynamically through the use of ARP on an Ethernet LAN, SMDS WAN or IARP (Inverse ARP) on Frame Relay. They also may be added statically with the add arp command. The following is output from the show arp command:

B#  Protocol  Address      Age  Hardware Addr      Type   Interface
0   IP        198.41.9.1   0    aa:00:04:00:0d:04  Dynam  Ethernet A
13  IP        198.41.8.1   0    c303.444.9531      Dynam  Wan0
14  IP        198.41.9.12  0    00:00:a5:2f:20:00  Dynam  Ethernet A
15  IP        198.41.9.30  0    08:00:20:08:cc:0d  Dynam  Ethernet A

The information shown is:

B#
This is the hash bucket number of the cache entry. Hashing is used to index the cache to allow fast searching for an entry.

Protocol
This identifies the high-level protocol address in the entry. The possible protocols represented in the cache are IP, AppleTalk and IPX (only on Frame Relay).

Address
This is the high-level protocol address. IP addresses are shown in dotted-decimal notation. AppleTalk addresses are shown as net:node. IPX addresses, only on Frame Relay interfaces, are also shown as net:node.

Age
This is the age of the ARP entry in minutes. After 20 minutes the entry is timed out and deleted. Entries added statically or through IARP on Frame Relay aren't aged and will always have an age of zero.

Hardware Addr
This is the physical address that the high-level address resolves to. If the entry is an IEEE Ethernet hardware address, it is shown with six octets separated by colons. If the entry is an SMDS station address, it is shown with 8 octets separated by dots. If the physical address is from a Frame Relay interface, it will be displayed as a DLCI address. The hardware address will sometimes report "incomplete" if there is a misconfiguration of the physical address or of the hardware itself. These age out after two minutes.

Interface
This is the router's interface through which the hardware address can be reached.

SEE ALSO
ip arp(add), arp(reset)
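The show arp fields described above are enough to watch the cache for the conditions the manual names ("incomplete" entries, the 20-minute timeout) and for a hardware address that changes or is claimed by several IP addresses. The following is an added example, not code from the manual; the two snapshots are constructed in the documented column layout.

```python
"""Audit `show arp` output for ARP-cache anomalies.

Added example, not code from the Compatible Systems manual. The two snapshots
below are constructed in the column layout the manual documents for show arp
(B#, Protocol, Address, Age, Hardware Addr, Type, Interface).
"""
import re
from collections import defaultdict

# Constructed sample: the cache at two points in time on the same router.
SNAPSHOT_1 = """\
B# Protocol Address Age Hardware Addr Type Interface
0 IP 198.41.9.1 0 aa:00:04:00:0d:04 Dynam Ethernet A
13 IP 198.41.8.1 0 c303.444.9531 Dynam Wan0
14 IP 198.41.9.12 0 00:00:a5:2f:20:00 Dynam Ethernet A
15 IP 198.41.9.30 0 08:00:20:08:cc:0d Dynam Ethernet A
"""

SNAPSHOT_2 = """\
B# Protocol Address Age Hardware Addr Type Interface
0 IP 198.41.9.1 3 00:00:a5:2f:20:00 Dynam Ethernet A
13 IP 198.41.8.1 0 c303.444.9531 Dynam Wan0
14 IP 198.41.9.12 3 00:00:a5:2f:20:00 Dynam Ethernet A
15 IP 198.41.9.30 1 incomplete Dynam Ethernet A
"""

# bucket, protocol, address, age, hardware addr, type, interface (may contain a space)
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_show_arp(text):
    """Return one dict per cache entry; the header line does not match ROW and is skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        bucket, proto, addr, age, hw, typ, iface = m.groups()
        entries.append({
            "bucket": int(bucket), "protocol": proto, "address": addr,
            "age": int(age), "hw": hw, "type": typ, "interface": iface,
        })
    return entries


def audit_snapshot(entries, max_age=20):
    """Flag entries the manual calls out as abnormal: 'incomplete' hardware
    addresses, one hardware address answering for several addresses on the same
    interface (misconfiguration or a spoofed reply), and dynamic entries close to
    the 20-minute timeout."""
    findings = []
    by_hw = defaultdict(list)
    for e in entries:
        if e["hw"].lower() == "incomplete":
            findings.append(("incomplete", e["address"], e["interface"]))
            continue
        by_hw[(e["interface"], e["hw"])].append(e["address"])
        if e["type"] == "Dynam" and e["age"] >= max_age - 2:
            findings.append(("expiring", e["address"], e["age"]))
    for (iface, hw), addrs in by_hw.items():
        if len(addrs) > 1:
            findings.append(("shared_hw", hw, iface, tuple(sorted(addrs))))
    return findings


def diff_snapshots(old, new):
    """Addresses whose resolved hardware address changed between two snapshots."""
    before = {(e["protocol"], e["address"]): e["hw"] for e in old}
    changes = []
    for e in new:
        key = (e["protocol"], e["address"])
        if key in before and before[key] != e["hw"]:
            changes.append((e["address"], before[key], e["hw"]))
    return changes


if __name__ == "__main__":
    for f in audit_snapshot(parse_show_arp(SNAPSHOT_2)):
        print("finding:", f)
    for c in diff_snapshots(parse_show_arp(SNAPSHOT_1), parse_show_arp(SNAPSHOT_2)):
        print("changed:", c)
```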

bgp(show)

COMMAND NAME
show bgp - Show BGP (Border Gateway Protocol) configuration, statistics and databases.

SYNOPSIS
show bgp rtcount
show bgp routes [ IP address ]
show bgp peers
show bgp timers
show bgp mem
show bgp config
show bgp stats
show bgp networks
show bgp aggregates

DESCRIPTION
The show bgp commands display extensive information about the BGP database, configuration, and dynamic memory usage.

show bgp rtcount
The show bgp rtcount command displays a summary of the number of routes in the BGP Routing database. This command can be useful if there is a very large number of routes and you want to know how many without printing them all out.

BGP Routing Database Entries  In Use  Added  Removed
In IP routing table:          51548   78694  27146
BGP route heads:              51548   78702  27154

IP Routing Table Entries: 51561

show bgp routes
The show bgp routes command displays the best route in the BGP routing database for each destination. The BGP routing database may contain routes that are not in the router's IP routing table; a BGP route will not be present in the IP routing table if the router did not have an entry for the next hop on that route. The IP address option can be used to limit the output to a single route.

BGP Best Routes List

    Network/Mask Bits  Pref  Weight  Next Hop        AS Path
1   128.128.0.0 /16    100   100     199.45.133.101  3404 1 1
2   129.129.0.0 /16    100   100     199.45.133.101  3404 1 1239 1673 1133 559
3   130.130.0.0 /16    100   100     199.45.133.101  3404 1 1 5727 7474 7570
4   131.131.0.0 /16    100   100     199.45.133.101  3404 1 1 1236
5   134.134.0.0 /16    100   100     199.45.133.101  3404 1 1239 1760 4983
6   135.135.0.0 /16    100   100     199.45.133.101  3404 3561 3561 4293
7   139.139.0.0 /16    100   100     199.45.133.101  3404 1 1239 568 1913 1569
8   140.140.0.0 /16    100   100     199.45.133.101  3404 1 1239 7170 374
9   141.141.0.0 /16    100   100     199.45.133.101  3404 1 1239 3739 3739 3739
10  142.142.0.0 /16    100   100     199.45.133.101  3404 3561 3561 577 549 808
11  147.147.0.0 /16    100   100     199.45.133.101  3404 3561 3561 5400 2856
12  149.149.0.0 /16    100   100     199.45.133.101  3404 1 1 3749
13  150.150.0.0 /16    100   100     199.45.133.101  3404 3561 3561 3786 6068
14  151.151.0.0 /16    100   100     199.45.133.101  3404 1 1239 174
15  152.152.0.0 /16    100   100     199.45.133.101  3404 1 1 286 1891
16  155.155.0.0 /16    100   100     199.45.133.101  3404 1 701 702 8413 1913 1564
17  158.158.0.0 /16    100   100     199.45.133.101  3404 3561 3561
18  161.161.0.0 /16    100   100     199.45.133.101  3404 1 1239 174
19  164.164.0.0 /16    100   100     199.45.133.101  3404 1 701 7633
20  165.165.0.0 /16    100   100     199.45.133.101  3404 1 701 5713

Network/Mask Bits
This is the Classless Interdomain Routing (CIDR) notation of the BGP routes.

Pref
This is the local preference of the route. The higher the local preference, the more preferred the route.

Weight
This is the weight of the route. The higher the weight, the more preferred the route.

Next Hop
This is the next hop on the route.

AS Path
The complete AS path is shown, with the source AS being the one farthest to the right. Each AS which passes the route on will prepend its own AS to the AS path attribute.
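Because each AS prepends itself, the rightmost AS in a show bgp routes line is the origin and the leftmost is the peer that handed the route over; consecutive copies of one AS are that AS prepending itself. The following is an added example, not code from the manual, that parses rows in the documented layout and checks the origin of selected prefixes against an assumed local table (EXPECTED_ORIGIN).

```python
"""Derive AS-path facts from `show bgp routes` output.

Added example, not code from the manual. The rows below are constructed in the
documented layout (index, Network, /Mask Bits, Pref, Weight, Next Hop, AS Path);
EXPECTED_ORIGIN is an assumed local table of which AS should originate each prefix.
"""
import re

SAMPLE_ROUTES = """\
BGP Best Routes List

Network/Mask Bits Pref Weight Next Hop AS Path
1 128.128.0.0 /16 100 100 199.45.133.101 3404 1 1
2 129.129.0.0 /16 100 100 199.45.133.101 3404 1 1239 1673 1133 559
9 141.141.0.0 /16 100 100 199.45.133.101 3404 1 1239 3739 3739 3739
17 158.158.0.0 /16 100 100 199.45.133.101 3404 3561 3561
"""

# Assumed: prefixes we care about and the AS that is supposed to originate them.
EXPECTED_ORIGIN = {"128.128.0.0/16": 1, "129.129.0.0/16": 64512}

# index, network, /mask bits, pref, weight, next hop, AS path (rest of line)
ROW = re.compile(r"^\d+\s+(\S+)\s+/(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


def parse_show_bgp_routes(text):
    """One dict per route line; titles and the header line do not match ROW."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        net, bits, pref, weight, next_hop, path = m.groups()
        routes.append({
            "prefix": f"{net}/{bits}", "pref": int(pref), "weight": int(weight),
            "next_hop": next_hop, "as_path": [int(a) for a in path.split()],
        })
    return routes


def origin_as(as_path):
    """The source AS is the one farthest to the right."""
    return as_path[-1]


def neighbor_as(as_path):
    """Each AS prepends itself, so the leftmost AS is the peer that sent us the route."""
    return as_path[0]


def prepend_runs(as_path):
    """(asn, count) for every AS that appears in consecutive copies, i.e. an AS
    that prepended itself to lengthen the path."""
    runs, i = [], 0
    while i < len(as_path):
        j = i
        while j < len(as_path) and as_path[j] == as_path[i]:
            j += 1
        if j - i > 1:
            runs.append((as_path[i], j - i))
        i = j
    return runs


def unexpected_origins(routes, expected):
    """Prefixes whose origin AS differs from the one recorded for them."""
    out = []
    for r in routes:
        want = expected.get(r["prefix"])
        got = origin_as(r["as_path"])
        if want is not None and want != got:
            out.append((r["prefix"], want, got))
    return out


if __name__ == "__main__":
    routes = parse_show_bgp_routes(SAMPLE_ROUTES)
    for r in routes:
        print(r["prefix"], "origin", origin_as(r["as_path"]), "via", neighbor_as(r["as_path"]),
              "prepends", prepend_runs(r["as_path"]))
    print("unexpected origins:", unexpected_origins(routes, EXPECTED_ORIGIN))
```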

show bgp peers
The show bgp peers command displays information about the configured BGP peers of this router.

==========================================================================
BGP PEER STATUS
--------------------------------------------------------------------------
Int   AS      Router       IP            TCP     Enable  BGP
Ext   Number  ID           Address       Socket  Status  State
--------------------------------------------------------------------------
Ext   23456   0.0.0.0      198.14.13.18  0       Off     IDLE
Ext   34567   198.41.11.6  198.14.12.6   82      On      ESTABL.
Int   11129   0.0.0.0      198.41.11.17  0       Off     IDLE
Int   11129   0.0.0.0      198.41.11.2   0       On      ACTIVE
==========================================================================

Int/Ext
This indicates whether this is an internal or external peer. An internal peer has the same AS number as the router itself.

AS Number
This is the number of the AS to which the peer belongs.

Router ID
This is the router ID, which is the largest IP interface address associated with the peer router. The router ID is not known until the peer contacts the router, so if the BGP State is IDLE, ACTIVE, or CONNECT, this parameter might be 0.

IP Address
This is the IP address of the peer.

TCP Socket
This is the socket number the router has internally assigned to the connection.

Enable Status
This indicates whether the router will currently accept a connection request from this peer. The peer can be brought up as enabled by setting the peer to On in the BGP Peer List section. Also, the peer can be dynamically enabled or disabled using the bgpenable or bgpdisable commands (see bgpenable(mgmt)). When the Enable Status is Off, the BGP State is always IDLE.

BGP State
This is the connect state of the peer. ESTABLISHED indicates that a BGP session is currently active with this peer. In the IDLE state, the router will not accept connections from the peer. This state is entered briefly after a connection has timed out, to prevent too-rapid up-and-down transitions of peers. In the ACTIVE state, the router is listening on its server port for connection requests from the peer. In the CONNECT state, the router has sent out an active TCP connection request to the peer. In the OPENSENT and OPENCONFIRM states, the two peers are exchanging preliminary packets in order to establish their BGP session. If the exchanges are successful, the peers will enter the ESTABLISHED state. The peers must continue to exchange periodic keepalive packets to remain in the established state, unless the negotiated hold time is 0.
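The rules stated for this table (an internal peer shares the router's AS, Enable Status Off always means IDLE, the router ID is unknown until the peer connects, and what each BGP State means) can be checked mechanically against a captured show bgp peers table. The following is an added example, not code from the manual; the table is constructed in the documented layout and the local AS number is assumed to be 11129, as the Int rows suggest.

```python
"""Parse the `show bgp peers` table and check each row against the rules the
manual states for Int/Ext, Enable Status and BGP State.

Added example, not code from the manual. The table below is constructed in the
documented layout; the local AS number (11129) is an assumption taken from the
Int rows.
"""
import re

SAMPLE_PEERS = """\
==========================================================================
BGP PEER STATUS
--------------------------------------------------------------------------
Int    AS       Router       IP            TCP     Enable   BGP
Ext    Number   ID           Address       Socket  Status   State
--------------------------------------------------------------------------
Ext    23456    0.0.0.0      198.14.13.18  0       Off      IDLE
Ext    34567    198.41.11.6  198.14.12.6   82      On       ESTABL.
Int    11129    0.0.0.0      198.41.11.17  0       Off      IDLE
Int    11129    0.0.0.0      198.41.11.2   0       On       ACTIVE
==========================================================================
"""

# kind, AS number, router ID, IP address, TCP socket, enable status, BGP state
ROW = re.compile(r"^(Int|Ext)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(On|Off)\s+(\S+)$")

# What each state means for the session, as the manual describes it.
STATE_MEANING = {
    "IDLE": "router will not accept connections from the peer (hold-down after a timeout, or peer disabled)",
    "ACTIVE": "router is listening on its server port for a connection request from the peer",
    "CONNECT": "router has sent an active TCP connection request to the peer",
    "OPENSENT": "peers are exchanging preliminary packets to establish the session",
    "OPENCONFIRM": "peers are exchanging preliminary packets to establish the session",
    "ESTABLISHED": "BGP session is active; keepalives must continue unless the negotiated hold time is 0",
}


def normalize_state(raw):
    """The table abbreviates ESTABLISHED as 'ESTABL.'; expand it."""
    s = raw.rstrip(".").upper()
    return "ESTABLISHED" if s.startswith("ESTAB") else s


def parse_show_bgp_peers(text):
    """One dict per peer row; rulers and the two header lines do not match ROW."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        kind, asn, rid, ip, sock, enable, state = m.groups()
        peers.append({
            "kind": kind, "asn": int(asn), "router_id": rid, "ip": ip,
            "socket": int(sock), "enabled": enable == "On",
            "state": normalize_state(state),
        })
    return peers


def audit_peers(peers, local_as):
    """Return (code, peer_ip, ...) tuples for rows that break the documented rules
    and for enabled peers whose session is not up."""
    findings = []
    for p in peers:
        # An internal peer has the same AS number as the router itself.
        expected = "Int" if p["asn"] == local_as else "Ext"
        if p["kind"] != expected:
            findings.append(("kind_mismatch", p["ip"], p["kind"], expected))
        # When Enable Status is Off, the BGP State is always IDLE.
        if not p["enabled"] and p["state"] != "IDLE":
            findings.append(("disabled_not_idle", p["ip"], p["state"]))
        # The router ID is learned from the peer, so it must be known once ESTABLISHED.
        if p["state"] == "ESTABLISHED" and p["router_id"] == "0.0.0.0":
            findings.append(("no_router_id", p["ip"]))
        if p["enabled"] and p["state"] != "ESTABLISHED":
            findings.append(("session_down", p["ip"], p["state"],
                             STATE_MEANING.get(p["state"], "unknown state")))
    return findings


if __name__ == "__main__":
    for f in audit_peers(parse_show_bgp_peers(SAMPLE_PEERS), local_as=11129):
        print(f)
```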

show bgp networks
The show bgp networks command displays the list of internal networks to be advertised to external BGP peers.

BGP NETWORKS: 2
Address       Mask
198.41.11.0   255.255.255.0
209.14.128.0  255.255.255.0

show bgp stats
The show bgp stats command displays statistics about packet types received from and sent to BGP peers, and the current uptime of the peer.

                     Received  Sent
Open messages:       8         58
Keepalive messages:  4069      4124
Notify messages:     0         0

BGP External Peer 198.41.11.6 state ESTABLISHED
6 peer sessions, current uptime 2 days 16 hrs 40 mins 19 secs
0 updates received
78791 updates sent, last at 6 secs

BGP Internal Peer 198.41.9.2 state ESTABLISHED
1 peer sessions, current uptime 2 days 20 hrs 42 mins 28 secs
88791 updates received, last at 7 secs
0 updates sent

show bgp timers
The show bgp timers command displays the current time in seconds left on each timer associated with each peer.

====================================================================
BGP TIMERS
--------------------------------------------------------------------
Peer Address  Status    State        Timers
--------------------------------------------------------------------
198.41.9.2    Enabled   ESTABLISHED  Send KEEPALIVE pkt: 2 secs
                                     HOLD timer expires: 121 secs
198.14.13.2   Enabled   ACTIVE       Next CONNECT attempt: 16 secs
199.13.12.3   Enabled   IDLE         AUTO ENABLE: 112 secs
198.41.9.3    Disabled  IDLE         No timers active
====================================================================

Peer Address
This is the IP address of the peer.

Status
This indicates whether the router will currently accept a connection request from this peer. When the Status is Disabled, the State is always IDLE.

State
This is the connect state of the peer. If the peer is in ESTABLISHED state, the KEEPALIVE timer and the HOLD timer are displayed. If the peer is in ACTIVE state, the CONNECT timer is displayed. If the peer is in IDLE state but enabled, the AUTO ENABLE timer will be displayed. If the peer is IDLE and disabled, no timers are active until the bgpenable command is issued (see bgpenable(mgmt)).

Timers
The KEEPALIVE timer indicates how many seconds until the router will send another keepalive packet to the peer.

The HOLD timer indicates how many seconds until the HOLD timer for the peer will expire. The HOLD timer is set every time the router receives either an update or a keepalive packet from the peer. If the HOLD timer expires, the router will declare the peer down, transition the peer to IDLE state, and set the AUTO ENABLE timer. The CONNECT and AUTO ENABLE timers both indicate how many seconds remain until the router will once again try to contact the peer. The CONNECT timer is used when the peer is in ACTIVE state; in this state, the router will accept an incoming connection request from the peer before the CONNECT time expires. The AUTO ENABLE timer is used when the peer is in IDLE state; in this state, the router will not accept a connection request from the peer until the AUTO ENABLE time has expired. When the AUTO ENABLE time expires, the peer will transition back into the ACTIVE state. The purpose of the AUTO ENABLE timer is to prevent peer sessions from going up and down at too fast a rate. Once a peer session has been interrupted for some reason, the peer is held down for a short period before a new session will be allowed.

show bgp mem
The show bgp mem command displays detailed dynamic memory usage information for BGP.

ROUTING DATABASE DYNAMIC MEMORY USAGE
------------------------------------------------------------
Memory Block         Allocs  Deallocs  Size (bytes)
------------------------------------------------------------
ip radix nodes                         1976180
ip routing entries                     4332132
bgp ip routes        78709   27149
bgp routes           78717   27157     2062400
bgp int change       0       0         0
bgp aggregates       0       0         0
bgp agg paths        0       0         0
bgp timers           12      0         384
-------------------------------------------------------
Peer 198.41.9.2
bgp path entries     78728   27168     1443680
bgp transmit queues  0       0         0
bgp PA strings       28151   21181     1784320
bgp PA hdr entries   28151   21181     529720
bgp rejected routes  0       0         0
bgp rej entries      0       0         0
bgp history entries  0       0         0
------------------------------------------------------------
Total Size                             12128816
------------------------------------------------------------

show bgp config
The show bgp config command displays user-configured values that are currently being used by the protocol.

BGP
Enabled                 Yes
Router ID               205.14.128.2
BGP AS Number           100
BGP Local Preference    100
Use IP Route Filters    Yes
Route Reflector Server  No

Redistribute RIP routes into BGP is disabled
Redistribute OSPF routes into BGP is disabled
Redistribute Static routes into BGP is disabled
Redistribute BGP routes into OSPF is disabled
Redistribute BGP routes into RIP is disabled

BGP Peer 205.14.128.1
Startup State      Inactive
AS Number          110
Peer Weight        2000
Cfg Hold Time      180
Retry Time         45
Advertise Default  Yes
Reflector Client   No
Input Route Map    rmapin
Output Route Map   rmapout

BGP Peer 198.41.11.213
Startup State      Active
AS Number          100
Peer Weight        1000
Cfg Hold Time      180
Retry Time         65
Advertise Default  No
Reflector Client   No
Input Route Map    None
Output Route Map   None

show bgp aggregates
The show bgp aggregates command displays the routes which have been configured to be aggregated to external peers. Aggregation will only occur when an instance of the route appears in the IP routing table.

BGP AGGREGATES:
195.41.0.0/16

SEE ALSO
[ IP <Section ID> ], [ IP Route Redistribution ], bgpenable(mgmt), [ BGP Peer Config <Name> ], [ BGP Peer List ], [ BGP Aggregates ], [ BGP Networks ], bgp(show), bgp(reset)

bridge(show)

COMMAND NAME
show bridge - Display bridging configuration and status.

SYNOPSIS
show bridge cache
show bridge statistics
show bridge spigots
show bridge config [ Status ]
show bridge spanning

DESCRIPTION
This manual page describes the show commands that are used to display bridging information within the router.

show bridge cache
This command will display the bridge's Ethernet address cache. The cache table contains hashed Ethernet addresses that are looked up to determine where to forward a particular packet. The first line of the display contains statistics about the hashing performance of the bridge. The rest of the display is the contents of the cache. Sample output from this command is shown below.

Station Addr       Spigot     Pkt Cnt  Bucket  Flags
01:80:c2:00:00:00  Span Tree  1        0       <Perm>
00:05:02:a0:ab:0c  Eth 0      65       7       <Current>
00:05:02:20:73:58  Eth 0      2387     11      <Current>
00:00:a5:72:7e:01  Eth 0      144      13      <Current>
00:05:9a:20:a5:96  Eth 0      84       19      <Current>
00:00:a5:00:19:00  Eth 0      481      25      <Current>
00:00:a5:86:a2:00  Router     2        36      <Perm>
00:60:97:cc:3a:d2  Eth 0      826      36      <Current>
00:00:a5:86:a2:01  Router     1        37      <Perm>
00:00:a5:5d:6e:00  Eth 0      562      51      <Current>
08:00:07:b4:88:7d  Eth 0      3823     65      <Current>
00:00:a5:c7:82:00  Eth 0      5929     69      <Current>
00:05:a8:00:48:1d  Eth 0      145      85      <Current>
00:05:a8:00:44:1f  Eth 0      14710    91      <Current>
00:05:9a:20:59:18  Eth 0      4138     97      <Current>
00:00:a5:c0:a3:00  Eth 0      577      99      <Current>
aa:00:04:00:62:06  Eth 0      78895    100     <Current>
00:05:02:80:a7:56  Eth 0      60       113     <Current>
00:05:02:00:f5:77  Eth 0      79       130     <Current>
00:05:02:60:45:a8  Eth 0      32698    141     <Current>
08:00:07:d7:56:12  Eth 0      3598     147     <Current>
00:00:c0:e2:9f:e8  Eth 0      2        149     <>
00:60:08:11:99:38  Eth 0      3        176     <Current>
00:00:c0:90:d6:f3  Eth 0      399      181     <Current>
00:00:a5:f2:45:00  Eth 0      6907     183     <Current>
09:00:07:00:00:b7  Rtr Mcast  1        183     <Perm>
aa:00:04:00:bc:06  Eth 0      2207     186     <Current>
00:05:02:60:79:a6  Eth 0      7064     191     <Current>
00:05:a8:00:04:c5  Eth 0      2891     193     <Current>
00:05:a8:00:88:67  Eth 0      10644    239     <Current>
ff:ff:ff:ff:ff:ff  Brdcast    1        255     <Perm>
09:00:07:ff:ff:ff  Rtr Mcast  1        255     <Perm>
00:e0:29:0e:05:f4  Eth 0      413      255     <Current>

Station Addr
The Ethernet address that has been detected on the network.

Spigot
The bridge spigot that was most recently associated with the Ethernet address. The router's addresses are listed as Router or Rtr Mcast.

Pkt Cnt
The number of packets received from the station while the entry has been in the cache. If a station has timed out, the packet count from that station is cleared.

Bucket
The hash bucket in which the Ethernet address has been placed. Hash buckets range from 0 to 255.

Flags
Currently there are two caching flags displayed: Current and Perm. Current indicates that the most recent packet has been received from the station in less than half of the aging interval. Perm indicates that the entry is considered permanent and will never be timed out.
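The cache fields described above are easy to turn into a routine health check. The Python below is an added example, not code from this manual or from Compatible Systems: it parses a constructed subset of the show bridge cache rows shown above (it assumes the column layout exactly as printed, with the spigot name possibly containing a space), counts learned stations per spigot, lists entries that carry neither Current nor Perm (which the Flags description says are more than half an aging interval old and will be timed out), and reports buckets that hold more than one address.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "show bridge cache" rows on this manual page.
SAMPLE_CACHE = """\
Station Addr       Spigot     Pkt Cnt  Bucket  Flags
01:80:c2:00:00:00  Span Tree        1       0  <Perm>
00:05:02:a0:ab:0c  Eth 0           65       7  <Current>
00:00:a5:86:a2:00  Router           2      36  <Perm>
00:00:c0:e2:9f:e8  Eth 0            2     149  <>
09:00:07:00:00:b7  Rtr Mcast        1     183  <Perm>
ff:ff:ff:ff:ff:ff  Brdcast          1     255  <Perm>
00:e0:29:0e:05:f4  Eth 0          413     255  <Current>
"""

# One cache row: MAC, spigot name (may contain a space, e.g. "Span Tree"),
# packet count, hash bucket, and the flag list inside angle brackets.
ROW_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<spigot>\S.*?)\s+(?P<pkts>\d+)\s+(?P<bucket>\d+)\s+<(?P<flags>[^>]*)>$"
)


def parse_bridge_cache(text):
    """Return one dict per cache row; the header and hashing-statistics lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        bucket = int(m["bucket"])
        if not 0 <= bucket <= 255:          # the manual states buckets range from 0 to 255
            raise ValueError(f"bucket out of range: {line!r}")
        entries.append({
            "mac": m["mac"],
            "spigot": m["spigot"],
            "pkts": int(m["pkts"]),
            "bucket": bucket,
            "flags": set(m["flags"].split()),   # {"Current"}, {"Perm"} or empty for "<>"
        })
    return entries


def stations_per_spigot(entries):
    """Learned (non-permanent) station count per spigot. The cache fills from whatever
    is heard on the wire, so a sudden jump on one spigot deserves a look."""
    return Counter(e["spigot"] for e in entries if "Perm" not in e["flags"])


def aging_candidates(entries):
    """Entries that are neither Current nor Perm: their last packet arrived more than
    half an aging interval ago, so they will be timed out unless the station speaks again."""
    return [e["mac"] for e in entries if not e["flags"] & {"Current", "Perm"}]


def bucket_collisions(entries):
    """Buckets that hold more than one address in this output."""
    counts = Counter(e["bucket"] for e in entries)
    return {b: n for b, n in counts.items() if n > 1}
```

Run it on the full cache listing by pasting the output into SAMPLE_CACHE; a non-empty aging_candidates list is normal, but a station count on a spigot that keeps climbing between runs is worth correlating with what is physically attached there.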

show bridge statistics
This command displays bridge statistics on a per spigot basis. Sample output from this command is shown below.

Statistic Type       Discard    Eth 0   Eth 1   Wan 0
Packets In                 0   181903       0       0
  Filtered                 0   161618       0       0
    Bridge                 0     9652       0       0
    Blocked                0       66       0       0
    Protocol               0        0       0       0
    Routed Protocol        0   151899       0       0
    No Hash Entry          0        0       0       0
  Routed                   0    16991       0       0
  Forwarded                0     3294       0       0
Packets Out           161618        1       0       0
  Broadcast                0        0       0       0
  Flooded                  0        0       0       0

Statistic Type
There are two main statistic types for the show bridge statistics command, Packets In and Packets Out. These two types tally the number of packets received and transmitted per bridge spigot. The statistic types are described below:

Packets In
The total number of packets received by the bridge spigot. Received packets are broken down into the Filtered, Routed and Forwarded subtypes.


Filtered
The total number of packets which the bridge received and discarded. The subtypes of this type are Bridge, Blocked, Protocol, Routed Protocol and No Hash Entry.

Bridge
The number of packets discarded because the transmitting and receiving stations are on the same bridge spigot.

Blocked
The number of packets discarded as a result of the Spanning Tree algorithm. Packets will be blocked if the spigot state is blocked, listening, or learning.

Protocol
The number of packets discarded because of protocol filtering.

Routed Protocol
The number of packets discarded because the protocol is currently being routed on this port, and the packet was not addressed to the station address of the router.

No Hash Entry
The number of packets discarded because the bridge was out of hash table entries. This tally should be 0; if it isn't, increase the allocation of hash table entries using the [ Bridging Global ] section.

Routed
Packets listed as routed were handed to the router input routines and were dispatched by the router switching routines.

Forwarded
The number of packets that have been forwarded by the bridge.

Packets Out
The total number of packets transmitted by the bridge spigot. Transmitted packets are broken down into the Broadcast and Flooded subtypes. These two subtypes will not add up to the total number of transmitted packets on this spigot.

Broadcast
This tally is the number of broadcast packets that were transmitted by this bridge spigot.

Flooded
This tally is the number of flooded packets that were transmitted by this bridge spigot. Flooded packets are transmitted out all spigots by the bridge, like broadcast packets. They include multicast packets, and those packets with unknown or new destination Ethernet addresses.

show bridge spigots
This command displays the status of the bridge spigots, including current filtering masks. A bridge spigot is a physical or a virtual interface on the bridge. This command is mostly used to debug bridging problems and displays raw information of several important internal bridging parameters. Sample output from this command is shown below.

Spigot     Port ID  Pmask     Rpmask    State       Flags
Discard    ff00     0         0         -           60
Eth 0      8001     7ffffffe  a         Forwarding  72
Eth 1      2        0         0         Disabled    10
Wan 0      3        0         0         Disabled    0
Wan 1      4        3         3         Disabled    0
Router     4d       ffffffff  ffffffff  -           62
Rtr Mcast  4e       0         0         -           60
Brdcast    4f       0         0         -           60
Flood      50       0         0         -           60
Span Tree  51       0         0         -           60

Spigot
This is the bridge spigot name; all spigots configured will be listed by this display.

Port ID
The Port ID is a Spanning Tree parameter. The Port ID is the spigot number combined with its priority.

Pmask
The hexadecimal value of the protocol mask in effect for the spigot.

Rpmask
The hexadecimal value of the router protocol mask which indicates the protocols that are being routed for a spigot.

State
The Spanning Tree state for the spigot.

Flags
The hexadecimal value of the spigot flags.

show bridge config
This command displays the current bridge configuration as stored in Flash ROM, or, if a modified configuration exists in the command loop edit buffer, its information is displayed. The show bridge config command with the optional Status parameter displays the runtime parameters used by the system at the time the command is issued. The same parameters (with potentially different values) are displayed by all variations of these show bridge commands. Sample output from the show bridge config command is shown below.

Global Bridge Parameters:
Hash Table Size:  1024
Table Aging Time: 300 seconds

Spanning tree parameters:
Bridge        Bridge ID               Priority  Max Age  Hello  Fwd Dly
Flash values  8000-00:00:a5:86:a2:00  32768     0        2      15

Port    Priority  Path Cost  Flags
Ether0  128       100        <On>
Ether1  disabled
Wan0    disabled
Wan1    disabled

Port    Filters
Ether0  IPX, Atalk P1, Atalk P2, DECnet
Ether1  disabled
Wan0    disabled
Wan1    disabled

The first part of the display contains the Global Bridge Parameters. The Hash Table Size and Table Aging Time values are displayed. If no bridging is enabled, this is all that will be displayed.

The next section displays the global Spanning Tree Parameters. Many of these values are only valid if the bridge is the root bridge. All bridges on a Spanning Tree bridged network use the values set by the root bridge. If Spanning Tree is not enabled, no parameters will be displayed.

Parameters for the physical ports on the router are displayed last. These parameters include filter settings, priorities, and path costs.

show bridge spanning
This command displays the IEEE Spanning Tree configuration of the bridge. If Spanning Tree is disabled, no information will be displayed by this command. Sample output from this command is shown below.

Spanning tree parameters:
Bridge       Bridge ID               Priority  Max Age  Hello  Fwd Dly
Configured   8000-00:00:a5:86:a2:00  32768     20       2      15
Root Bridge  8000-00:00:a5:5d:6e:00  32768     20       2      15

Root Bridge?:   No
Root Path Cost: 200
Root Port:      Eth 0 (1)

Spanning tree port parameters:
Spigot  Port ID  State       Priority  Path Cost
Eth 0   8001     Forwarding  128       100
Eth 1   2        Disabled    0         0
Wan 0   3        Disabled    0         0
Wan 1   4        Disabled    0         0

Spigot  Designated Root         Cost  Designated Bridge       Port ID
Eth 0   8000-00:00:a5:5d:6e:00  100   8000-00:00:a5:f2:45:00  8001
Eth 1   8000-00:00:a5:5d:6e:00  200   8000-00:00:a5:86:a2:00  2
Wan 0   8000-00:00:a5:5d:6e:00  200   8000-00:00:a5:86:a2:00  3
Wan 1   8000-00:00:a5:5d:6e:00  200   8000-00:00:a5:86:a2:00  4


The first section displays global Spanning Tree parameters for the bridge and the root bridge on the network. The values used by the bridge are those of the root bridge. Also displayed are a flag indicating if the bridge is the root bridge; the root path cost; and the root port on the bridge. See the [ Bridging Global ] section for descriptions of what the parameter values are and how to become the root bridge on the network.

The next section displays the port parameters for spigots that are part of the Spanning Tree algorithm. The values displayed are the runtime values. The fields are described below:

Spigot
The bridge spigot name.

Port ID
The hexadecimal value of the Spanning Tree port ID for a spigot. The port ID is a combination of the spigot number and its priority. Lower numbers have higher priority.

State
The Spanning Tree state for the port. Possible states include: Listening, Learning, Forwarding, Blocked, and Disabled. Other states are possible, but have the same meaning as Disabled. The states have the following definitions:

Listening
In this state, a bridge spigot has just been enabled, and is preparing to participate in the Spanning Tree network. The bridge only learns of neighboring bridges and will not forward any packets or learn any addresses.

Learning
In this state, the bridge spigot has just left the Listening state, but it still isn't forwarding packets. Station addresses are learned and added to the address cache.

Forwarding
This state is the normal operating mode. Station addresses are learned and packets are forwarded.

Blocked
In this state, the spigot doesn't participate in the bridged network except to listen to Spanning Tree packets. This state is entered anytime that a loop is detected by the Spanning Tree algorithm.

Disabled
In this state, the spigot has been disabled by the administrator, and it is not included in the Spanning Tree computation in any way.

Priority
The priority of the spigot.

Path Cost
The path cost of a spigot, used to compute the cost/distance from the root bridge.

Designated Root
The root bridge as reported by the configuration packets received by the spigot.

Cost
The cost reported is the distance to the root bridge on the network attached to the spigot.

Designated Bridge and Port ID
These two parameters indicate the bridge with the highest priority on a network segment and the ID of the port with which it is attached.
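The Port ID, Bridge ID and path cost fields above can be cross-checked against each other, which is a useful sanity test when a bridged segment starts behaving as if a second root had appeared. The following Python is an added example, not code from this manual or from Compatible Systems: it parses the show bridge spanning output reproduced above, decodes the 16-bit Port ID as high-byte priority and low-byte port number (the IEEE 802.1D layout, consistent with 8001 showing priority 128 on port 1 in the sample), decodes the Bridge ID as priority plus MAC, and verifies that the reported root is the lowest ID seen and that Root Path Cost equals the cost heard on the root port plus that port's own Path Cost. The layout of the "Root Port: Eth 0 (1)" line is assumed from the sample.

```python
import re

# Constructed sample: the "show bridge spanning" output reproduced from this manual page.
SAMPLE_SPANNING = """\
Spanning tree parameters:
Bridge       Bridge ID               Priority  Max Age  Hello  Fwd Dly
Configured   8000-00:00:a5:86:a2:00  32768     20       2      15
Root Bridge  8000-00:00:a5:5d:6e:00  32768     20       2      15

Root Bridge?:   No
Root Path Cost: 200
Root Port:      Eth 0 (1)

Spanning tree port parameters:
Spigot  Port ID  State       Priority  Path Cost
Eth 0   8001     Forwarding  128       100
Eth 1   2        Disabled    0         0
Wan 0   3        Disabled    0         0
Wan 1   4        Disabled    0         0

Spigot  Designated Root         Cost  Designated Bridge       Port ID
Eth 0   8000-00:00:a5:5d:6e:00  100   8000-00:00:a5:f2:45:00  8001
Eth 1   8000-00:00:a5:5d:6e:00  200   8000-00:00:a5:86:a2:00  2
Wan 0   8000-00:00:a5:5d:6e:00  200   8000-00:00:a5:86:a2:00  3
Wan 1   8000-00:00:a5:5d:6e:00  200   8000-00:00:a5:86:a2:00  4
"""

BRIDGE_ID_RE = re.compile(r"^([0-9a-f]{4})-((?:[0-9a-f]{2}:){5}[0-9a-f]{2})$")


def decode_bridge_id(text):
    """'8000-00:00:a5:86:a2:00' -> (32768, '00:00:a5:86:a2:00'): 16-bit priority, then MAC."""
    m = BRIDGE_ID_RE.match(text)
    if not m:
        raise ValueError(f"not a bridge ID: {text!r}")
    return int(m.group(1), 16), m.group(2)


def bridge_id_key(bridge_id):
    """802.1D election order: lowest priority wins, ties broken by the lowest MAC."""
    priority, mac = bridge_id
    return priority, int(mac.replace(":", ""), 16)


def decode_port_id(text):
    """Port ID is 16 bits: high byte priority, low byte port number. '8001' -> (128, 1)."""
    value = int(text, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"port ID out of range: {text!r}")
    return value >> 8, value & 0xFF


def parse_spanning(text):
    """Pull bridge/root IDs, root port and cost, and the per-spigot tables out of the display."""
    info = {"ports": {}}
    section = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "Configured":
            info["bridge_id"] = decode_bridge_id(parts[1])
        elif parts[:2] == ["Root", "Bridge"]:
            info["root_id"] = decode_bridge_id(parts[2])
        elif parts[:3] == ["Root", "Path", "Cost:"]:
            info["root_path_cost"] = int(parts[3])
        elif parts[:2] == ["Root", "Port:"]:
            info["root_port"] = " ".join(parts[2:-1])   # "Eth 0 (1)" -> "Eth 0" (assumed layout)
        elif parts[0] == "Spigot":                      # column header tells us which table follows
            section = "designated" if "Designated" in parts else "ports"
        elif section == "ports" and len(parts) >= 5:
            port_id, state, prio, cost = parts[-4:]
            info["ports"][" ".join(parts[:-4])] = {
                "port_id": decode_port_id(port_id), "state": state,
                "priority": int(prio), "path_cost": int(cost)}
        elif section == "designated" and len(parts) >= 5:
            root, cost, bridge, port_id = parts[-4:]
            info["ports"][" ".join(parts[:-4])].update({
                "designated_root": decode_bridge_id(root), "designated_cost": int(cost),
                "designated_bridge": decode_bridge_id(bridge),
                "designated_port": decode_port_id(port_id)})
    return info


def is_root_bridge(info):
    return info["bridge_id"] == info["root_id"]


def elected_root(info):
    """The lowest bridge ID seen (our own included) should be the root every port reports."""
    candidates = [info["bridge_id"]] + [p["designated_root"] for p in info["ports"].values()]
    return min(candidates, key=bridge_id_key)


def root_path_cost_consistent(info):
    """Root path cost must equal the cost heard on the root port plus that port's own path
    cost, and no other enabled port may offer a cheaper route to the root."""
    offers = {name: p["designated_cost"] + p["path_cost"]
              for name, p in info["ports"].items() if p["state"] != "Disabled"}
    expected = offers[info["root_port"]]
    return expected == info["root_path_cost"] and expected == min(offers.values())
```

If elected_root disagrees with the Root Bridge line, or root_path_cost_consistent returns False, some port is hearing configuration packets that do not match the rest of the topology; the [ Bridging Global ] priority settings are where to look next.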

SEE ALSO
[ Bridging Global ], [ Bridging <Section ID> ], os(show), enable(mgmt)


config(show)

COMMAND NAME
show config - Display device's text-based configuration and default parameters.

SYNOPSIS
show config [ <options>... ] [ <section name> ]
list [ <options>... ]

DESCRIPTION
The show config command is used to display various aspects of a text-based configuration that is stored in the device or being modified. For information about the format and syntax of the configuration, please refer to the manual page for each section of the configuration. The list command is valid only when in the configuration editor, and is used to display the section being edited. It accepts the same options as the show config command. For more information about the configuration editor, see the configure section.

In addition to simply displaying a configuration, these commands can be used to: check configurations for errors; display the device's default configuration or differences between the current configuration and the default configuration; flatten port hierarchies; display the line and section where a value was found; and for several other miscellaneous functions.

A configuration can be displayed using one of the two basic modes, raw and cooked.

Raw Mode

Raw mode is the default way a configuration or section of a configuration will be displayed. In this mode, the configuration will be displayed exactly as it is stored in the device's permanent configuration memory, or, in the case of an edited configuration, as it exists in the edit buffer.

Cooked Mode
When a configuration is displayed using cooked mode, the device will run the raw configuration through a parser to check the values in the configuration. This mode is called "cooked" because the data being displayed has been prepared for display.

When editing a configuration, it is possible to run the configuration through the same parsers that the device uses to initialize itself. Use the existing show * config commands (e.g., show ip config) to run these parsers.

OPTIONS

section name

The section name must be a valid configuration section and must be fully spelled out in order to be found. If no section name is specified, the entire device configuration will be displayed.


Options (General)
All options must be specified with their full option name. Abbreviated options will be interpreted as a part of the section name, resulting in a syntax error.

help

The help option is used to generate a message showing all of the options available and a short description of how the option is used. This is entered as show config help.

list
The list option will generate a list of section names known to the device. Not all devices understand all sections listed in this manual, because configuration information is dependent on which features a device has. This is entered as show config list.

Options (Raw Mode)
Raw mode is the default mode for displaying a configuration or a section of the configuration. No special option exists to enable this display mode.

number

The number option will cause line numbers to be printed as the configuration is displayed. This is entered as show config number [<section name> ].

Options (Cooked Mode)
Cooked mode is used to display different aspects of the configuration. In cooked mode, the configuration will be reformatted and reordered, and comments will be stripped out of port-specific and general configuration sections. Cooked mode must be enabled using the cook option.

cook

The cook option tells the command to display the configuration in "cooked" mode. Once the cook option has been specified, the configuration parser will be run, causing the configuration to be checked for errors as it is being displayed. The following options may be used with the cook option to tailor the display or find out different information.

all
The all option tells the command to display all possible variables in each section, whether they exist in your configuration or not. Normally the cooked mode display command will display configured values and important default keywords and values.

defaults
The defaults option causes only default values built into the device to be displayed. Use this option to display the factory default configuration. This option may be used with the all option to display all keywords and values built into the device.

mark
The mark option is useful to highlight the differences between the current configuration and the device's defaults. If a keyword's value differs from the default, the default value will be printed out as a comment on the line. This option may not be used with the defaults option.

origin
If default sections are used in a hierarchical configuration, the origin option is useful to determine from which line and section a value was found.

verbose[#]
The verbose option is used to generate verbose parser output. This is useful only when trying to determine why a configuration parameter is being set to a mysterious value. You may optionally specify different levels of information ranging from level 1 to 7. Level 7 is the most verbose.

EXAMPLES
The following example displays a raw version of a configuration section.

*[ IP Wan 0 ]# list
[ IP Wan 0 ]
RIPVersion    = V1        # Turnn RIP on
Numbered      = TRUE
IPAddress     = 31.0.0.5
SubnetMask    = 255.0.0.0
IPBroadcast   = 31.255.255.255
RemoteAddress = 0.0.0.0
Updates       = periodic

The next example shows the same section cooked.

*[ IP Wan 0 ]# list cook
[ IP Wan 0 ]
Mode          = Routed
IPAddress     = 31.0.0.5
SubnetMask    = 255.0.0.0
IPBroadcast   = 31.255.255.255
RIPVersion    = V1
OutFilters    =
InFilters     =
Numbered      = On
Updates       = Periodic
RemoteAddress = 0.0.0.0

Notice that the comments have been removed and the configuration has been reformatted. Also notice that several additional keywords have been added to the display. The additional keywords are considered important variables and as such they are displayed in cooked configurations.


The following example shows the same configuration displayed using the mark option.

*[ IP Wan 0 ]# list cook mark
[ IP Wan 0 ]
Mode          = Routed
IPAddress     = 31.0.0.5          # Default => 0.0.0.0
SubnetMask    = 255.0.0.0         # Default => 0.0.0.0
IPBroadcast   = 31.255.255.255    # Default => 0.0.0.0
RIPVersion    = V1                # Default => None
OutFilters    =
InFilters     =
Numbered      = On                # Default => Off
Updates       = Periodic          # Default => Triggered
RemoteAddress = 0.0.0.0
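Because the mark option annotates every non-default keyword with a "# Default => ..." comment, its output is a ready-made input for a configuration drift audit: capture it per device, parse it, and diff the result against an approved baseline. The Python below is an added example, not code from this manual or from Compatible Systems; it assumes the "Keyword = Value   # Default => X" line shape shown above (tolerating the missing space in "=>Triggered"), treats any other "#" comment as plain text, and skips the "# TBM Parser" lines that the origin option emits.

```python
import re

# Constructed sample: the "list cook mark" output on this manual page, prompt line dropped.
SAMPLE_MARKED = """\
[ IP Wan 0 ]
Mode          = Routed
IPAddress     = 31.0.0.5          # Default => 0.0.0.0
SubnetMask    = 255.0.0.0         # Default => 0.0.0.0
IPBroadcast   = 31.255.255.255    # Default => 0.0.0.0
RIPVersion    = V1                # Default => None
OutFilters    =
InFilters     =
Numbered      = On                # Default => Off
Updates       = Periodic          # Default =>Triggered
RemoteAddress = 0.0.0.0
"""

SECTION_RE = re.compile(r"^\[\s*(?P<name>.+?)\s*\]$")
# Keyword, optional value, optional trailing "# comment" (the value never contains '#').
KEYVAL_RE = re.compile(r"^(?P<key>\w+)\s*=\s*(?P<value>[^#]*?)\s*(?:#\s*(?P<comment>.*?))?\s*$")
DEFAULT_RE = re.compile(r"^Default\s*=>\s*(?P<default>.*?)\s*$")


def parse_marked(text):
    """Return one dict per keyword line: section, key, value, and the default the device printed
    as a comment (None when the line carried no 'Default =>' annotation)."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank, or a parser trace line from 'origin'
            continue
        s = SECTION_RE.match(line)
        if s:
            section = s["name"]
            continue
        kv = KEYVAL_RE.match(line)
        if not kv:
            raise ValueError(f"unrecognised line: {line!r}")
        default = None
        if kv["comment"]:
            d = DEFAULT_RE.match(kv["comment"])
            if d:
                default = d["default"]
        entries.append({"section": section, "key": kv["key"],
                        "value": kv["value"], "default": default})
    return entries


def drift_from_defaults(entries):
    """Keywords whose configured value differs from the device default, grouped by section.
    'mark' only annotates lines that differ, but the comparison is kept so the function also
    works on output where every line carries a default."""
    drift = {}
    for e in entries:
        if e["default"] is not None and e["value"] != e["default"]:
            drift.setdefault(e["section"], []).append((e["key"], e["value"], e["default"]))
    return drift


def drift_report(entries):
    """One line per deviation, suitable for a change-review ticket or an audit log."""
    return [f"{section}: {key} = {value} (default {default})"
            for section, items in drift_from_defaults(entries).items()
            for key, value, default in items]
```

Running drift_report over a full "show config cook mark" capture gives the complete list of settings an operator has changed from factory values, which is the list a reviewer actually needs to read; everything else is known to be the default.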

The next sequence of commands illustrates the use of hierarchies and the origin option.

*[ IP Wan 0 ]# configure ip wan default
Section 'ip wan default' not found in the config.
Do you want to add it to the config? y

Configure parameters in this section by entering:

<Keyword> = <Value>

To find a list of valid keywords and additional help enter "?"

*[ IP Wan Default ]# mode = bridged
*[ IP Wan Default ]# list
[ IP Wan Default ]
Mode = Bridged

*[ IP Wan Default ]# show config cook origin ip wan 0
# TBM Parser: Looking for: IP Wan 0: Mode
# Found in Cfg Buffer, line 231, section 'IP Wan Default'
[ IP Wan 0 ]
# TBM Parser: Looking for: IP Wan 0: Mode
# Found in Cfg Buffer, line 231, section 'IP Wan Default'
Mode = Bridged
# TBM Parser: Looking for: IP Wan 0: IPAddress
# Found in Cfg Buffer, line 26, section 'IP Wan 0'
IPAddress = 31.0.0.5
# TBM Parser: Looking for: IP Wan 0: SubnetMask
# Found in Cfg Buffer, line 27, section 'IP Wan 0'
SubnetMask = 255.0.0.0
# TBM Parser: Looking for: IP Wan 0: IPBroadcast
# Found in Cfg Buffer, line 28, section 'IP Wan 0'
IPBroadcast = 31.255.255.255

Display continues for a while...
*[ IP Wan Default ]#

Notice in the preceding display, the value of the Mode keyword is set to Bridged even though it is not set in the [ IP Wan 0 ] section. The display shows which line and in which section all of the keywords were found.

SEE ALSO
configure


decnet(show)

COMMAND NAME
show decnet - Show DECnet configuration parameters.

SYNOPSIS
show decnet config
show decnet routing

DESCRIPTION
The show decnet commands provide information on the configured and operating state of a router for DECnet operation.

show decnet config

This command provides information on the configured values for DECnet operation of a router. The following is the output from the show decnet config command:

Global Decnet Parameters:
Area: 1    Node: 1000    Max Address: 1023
Hello Tmr: 30    Routing Tmr: 120

Port        State  Hello Tmr  Routing Tmr
Ethernet A  On
WAN A       On     30         120
Bridge      Off

The information shown from the show decnet config command is:

Area

A DECnet area is a logical grouping of DECnet nodes. It may include one or more physical network segments. The area information, along with the node number, uniquely identifies the router on the network.

Node
A DECnet node number uniquely identifies the router in the DECnet area.

Max Address
This is the maximum number of addresses allowed in the DECnet area. This value is configured into the router and should be consistent between routers in the same DECnet area.

Hello Tmr
DECnet hello messages tell end nodes which routers are available to route packets. The global value (shown at the top of the output) defines how often (in seconds) the router will send these messages on its LAN ports. Specific values for WAN ports are shown in the port-by-port listing.

Routing Tmr
DECnet routing messages are exchanged between routers and contain routing table information including node numbers, hello timer values, hop counts and costs. The global value (shown at the top of the output) defines how often (in seconds) the router will send these messages on its LAN ports. Specific values for WAN ports are shown in the port-by-port listing.

Port
This item identifies the interface on the router to which the rest of the line's information pertains.

State
The DECnet state on an interface can either be On or Off. If it is On, the interface will participate in DECnet routing. If it is Off, the interface will not route DECnet information.

show decnet routing
This command shows the runtime status of the DECnet routing table in a router. The following is the output from the show decnet routing command:

Dest    Cost  Hops  TTL  Prio  Interface   Gateway or end node Address
1.1     4     1     52         Ethernet B  aa:00:04:00:01:04 (enode 1.1)
1.10    4     1     33   1     Ethernet A  aa:00:04:00:0a:04 (lvl1r 1.10)
1.13    8     2                Ethernet A  aa:00:04:00:0a:04 (gtway 1.10)
1.321   4     1     82   1     Ethernet A  aa:00:04:00:41:05 (lvl1r 1.321)
1.666   4     1     83   1     Ethernet A  aa:00:04:00:9a:06 (lvl1r 1.666)
1.801   4     1     69   1     Ethernet B  aa:00:04:00:21:07 (lvl1r 1.801)
1.1000  0     0          1     Local       aa:00:04:00:e8:07 (lvl1r 1.1000)

The information shown from the show decnet routing command is:

Dest

This is the address of a DECnet end node, router or gateway. The format is area.node.

Cost
This is the cost metric for the route. DEC defines an Ethernet as having a cost of 4. Compatible Systems routers also set the cost of all WAN interfaces to 4.

Hops
This is the number of routers between this router and the destination.

TTL
This is the time to live value in seconds for the route. This value is counted down from the arrival of a routing message from the next hop router.

Prio
This is the priority value for the next hop router on the route. This value is used to decide which router is the "designated router" on a segment. Compatible Systems routers default to a priority of 1, which is the lowest priority.

Interface
This is the interface on the router through which this route will be found.


Gateway or End Node Address
The address for all ports of the router is shown first. DECnet modifies a device's assigned Ethernet address and assigns the same address to all ports. The type of node is then shown in parentheses, along with its gateway's DECnet address (or its own DECnet address if it is directly connected). Descriptions of the node types follow.

enode
This is an end node.

lvl1r
This is a level-one router. A level-one router routes DECnet within the local area.

gtway
This is an address behind a gateway.

SEE ALSO
[ DECnet Global ], [ DECnet <Section ID> ]


ethernet(show)

COMMAND NAME
show ethernet - Show Ethernet statistics and related parameters.

SYNOPSIS
show ethernet addresses
show ethernet statistics

DESCRIPTION
The show ethernet commands display information specifically about the Ethernet ports in the device.

show ethernet addresses
This command displays the hardware address of the Ethernet chip for each interface. This can be helpful in debugging network problems. The following is output from the show ethernet addresses command for a two-port router:

Ethernet Address: 00:00:a5:77:2c:00
Ethernet Address: 00:00:a5:77:2c:01

show ethernet statistics
This command displays tallies for all ports returned from the Ethernet chip(s) for various types of conditions and exceptions. The following is output from the show ethernet statistics command. The number of columns will vary depending on the number of Ethernet interfaces.

Statistic Type     Ether0  Ether1
Packets In         390095  337345
Packets Out        334093  291833
CRC Errors              0       0
Frame Errors            0       0
Overruns                0       0
Underruns               0       0
Loopback Pkts           0       0
Missed Pkts             0       0
Receive Error           0       0
Transmit Error          2       0
Post Send          334095  291833
Bad Length              0       0
Receive Int        389222  337182
Transmit Err Int        0       0
Collisions              0       0
Rcv Desc Exhaust        0       0
Rcv Buf Exhaust         0       0
RBA Exceeded            0       0
Bad RDA                 0       0
Hung Transmit           0       0
Iface discard           0       0

As this display suggests, many of the statistics should be zero. The Statistic Types and what they mean are described below:


Packets In
This is the total number of packets taken in on this interface.

Packets Out
This is the total number of packets sent out this interface.

CRC Errors
This is the number of packets that contained CRC (Cyclical Redundancy Check) errors on packets received.

Frame Errors
This is the number of packets that had frame alignment errors on packets received.

Overruns
This is the number of receive FIFO (First In First Out) overruns detected. FIFO is a method of queuing packets.

Underruns
This is the number of transmit FIFO underruns detected.

Loopback Pkts
This is the number of loopback packets received.

Missed Pkts
This is the number of packets missed due to buffer overflow.

Receive Error
This is the number of packets where an error was detected in the packet header.

Transmit Error
This is the number of packets that were not sent due to a transmit error.

Post Send
This is the number of packets queued to be sent. It should be n
early the same as, if not identical to, Packets Out.

Bad Length
This is the number of packets received that had an invalid length.

Receive Int
This is the number of times that the processor was interrupted to receive a packet. It should be nearly the same as, if not identical to, Packets In.

Transmit Err Int
This is the number of processor interrupts for transmit errors.

Collisions
This is the number of packet collisions detected during packet transmission.


Rcv Desc Exhaust
This is the number of times that the received descriptors were exhausted.

Rcv Buf Exhaust
This is the number of times that the receive buffer area was exceeded.

RBA Exceeded
This is the number of packets received that were oversized (greater than 1514 bytes).

Bad RDA
This is the number of times a bad receive descriptor array was detected.

Hung Transmit
This is the number of times a transmitter hang was detected and reset.

Iface discard
This is the number of packets discarded when the router transmit resources were exhausted.

Cntr Oflow
This is the number of times the Ethernet chip counters were exceeded.
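Both show bridge statistics (earlier in this chapter) and show ethernet statistics print the same kind of table: a "Statistic Type" column followed by one numeric column per interface. The Python below is an added example, not code from this manual or from Compatible Systems, that parses that table shape once and then applies the checks the two command descriptions state: for the bridge, No Hash Entry must be 0 and Packets In should equal its Filtered, Routed and Forwarded subtypes; for Ethernet, error counters should be zero and Post Send / Receive Int should be "nearly the same" as Packets Out / Packets In. Which Ethernet counters count as errors, and the 1% tolerance for "nearly the same", are assumptions of this example, not statements from the manual.

```python
import re

# Constructed samples, copied from the "show bridge statistics" and "show ethernet statistics"
# outputs on this page (the Ethernet table is trimmed to the rows the checks below use).
BRIDGE_STATS = """\
Statistic Type     Discard   Eth 0   Eth 1   Wan 0
Packets In               0  181903       0       0
  Filtered               0  161618       0       0
    Bridge               0    9652       0       0
    Blocked              0      66       0       0
    Protocol             0       0       0       0
    Routed Protocol      0  151899       0       0
    No Hash Entry        0       0       0       0
  Routed                 0   16991       0       0
  Forwarded              0    3294       0       0
Packets Out         161618       1       0       0
  Broadcast              0       0       0       0
  Flooded                0       0       0       0
"""

ETHERNET_STATS = """\
Statistic Type     Ether0  Ether1
Packets In         390095  337345
Packets Out        334093  291833
CRC Errors              0       0
Overruns                0       0
Missed Pkts             0       0
Receive Error           0       0
Transmit Error          2       0
Post Send          334095  291833
Bad Length              0       0
Receive Int        389222  337182
Iface discard           0       0
"""

HEADER_PREFIX = "Statistic Type"
COLUMN_RE = re.compile(r"[A-Za-z]+\d*(?: \d+)?")      # "Discard", "Eth 0", "Ether1"
ROW_RE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z ]*?)\s+(?P<values>\d+(?:\s+\d+)*)\s*$")


def parse_counter_table(text):
    """Parse a 'Statistic Type <iface>...' table into (columns, {counter: [ints per column]})."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip()
    if not header.startswith(HEADER_PREFIX):
        raise ValueError("expected a header starting with 'Statistic Type'")
    columns = COLUMN_RE.findall(header[len(HEADER_PREFIX):])
    rows = {}
    for line in lines[1:]:
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        values = [int(v) for v in m["values"].split()]
        if len(values) != len(columns):
            raise ValueError(f"{m['name']!r}: {len(values)} values for {len(columns)} columns")
        rows[m["name"]] = values
    return columns, rows


def bridge_counter_checks(text):
    """Manual-stated checks: No Hash Entry must be 0 (else enlarge the hash table in
    [ Bridging Global ]) and Packets In should equal Filtered + Routed + Forwarded."""
    columns, rows = parse_counter_table(text)
    findings = []
    for i, iface in enumerate(columns):
        if rows["No Hash Entry"][i] != 0:
            findings.append((iface, "No Hash Entry", rows["No Hash Entry"][i]))
        subtypes = rows["Filtered"][i] + rows["Routed"][i] + rows["Forwarded"][i]
        if subtypes != rows["Packets In"][i]:
            findings.append((iface, "Packets In minus subtypes", rows["Packets In"][i] - subtypes))
    return findings


# Assumption, not from the manual (which only says "many of the statistics should be zero"):
# the counters treated as errors. Collisions and Loopback Pkts are deliberately left out.
ETHERNET_ERROR_COUNTERS = (
    "CRC Errors", "Frame Errors", "Overruns", "Underruns", "Missed Pkts", "Receive Error",
    "Transmit Error", "Bad Length", "Transmit Err Int", "Rcv Desc Exhaust", "Rcv Buf Exhaust",
    "RBA Exceeded", "Bad RDA", "Hung Transmit", "Iface discard", "Cntr Oflow",
)


def ethernet_counter_checks(text, tolerance=0.01):
    """Non-zero error counters, plus the two pairs the manual says should be 'nearly the same':
    Post Send vs Packets Out and Receive Int vs Packets In (the 1% tolerance is an assumption)."""
    columns, rows = parse_counter_table(text)
    findings = []
    for i, iface in enumerate(columns):
        for counter in ETHERNET_ERROR_COUNTERS:
            if counter in rows and rows[counter][i] != 0:
                findings.append((iface, counter, rows[counter][i]))
        for queued, wire in (("Post Send", "Packets Out"), ("Receive Int", "Packets In")):
            if abs(rows[queued][i] - rows[wire][i]) > tolerance * max(rows[wire][i], 1):
                findings.append((iface, f"{queued} vs {wire}", rows[queued][i] - rows[wire][i]))
    return findings
```

Counters are cumulative, so the useful signal is the delta between two captures taken a known interval apart; a finding that grows between runs (a climbing CRC Errors count, or Iface discard rising under load) is what to investigate, not a small historical residue.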

SEE ALSO
[ Ethernet Interface <Section ID> ]


firewall(show)

COMMAND NAME
show firewall - Display firewall configuration and status.

SYNOPSIS
show firewall ports
show firewall paths
show firewall rejects [ Verbose ]
show firewall proto
show firewall sessions [ Verbose ]
show firewall statistics

DESCRIPTION
This manual page describes the show commands that are used to display information about the IntraGuard Firewall.

show firewall ports
This command will display the firewall’s ports. Sample output from this command is shown below.

Port      Flags
Eth 0     00000000
Eth 1     00000000
Eth 2     00000000
Firewall  00000000

Port
This is a list of the firewall’s interfaces. The Firewall interface is the bridge interface.

Flags
This shows special flags which apply to the interface. A flag of 00000001 indicates that packets coming from that port will not be checked by the device. This flag should only appear on the Firewall (bridge) interface. A flag of 00000002 indicates that no packets from that port will be permitted in or out. This flag will only appear if the interface has not been assigned to a path.


show firewall paths
This command displays the status of the firewall paths. Paths define a route for packets through the firewall. Each path has two endpoints, which are inside interfaces ("Input") and outside interfaces ("Output"). Sample output from this command is shown below.

Path          FPlcy  Flags     Path Number
Green-Red     3      00023110  1
Yellow-Red    4      00023100  2
Green-Yellow  3      00023110  3

Input        Output    Bckt  Path
Eth 0     -> Eth 2     18    Green-Red
Eth 0     -> Eth 1     19    Green-Yellow
Eth 0     -> Firewall  20    < MultiplexedOpen >
Eth 1     -> Eth 2     50    Yellow-Red
Firewall  -> Eth 2     66    Green-Red
Firewall  -> Eth 1     67    Green-Yellow

Path
This is the path name; all paths configured will be listed by this display.

FPlcy
This is the security policy assigned to the path. Possible policies include: 1/Blocked, 2/Strict, 3/Standard, 4/Lenient, and 5/Open. The policies have the following definitions:

1/Blocked
This is the most secure policy, which does not allow packets in or out along the path. It is the equivalent of physically separating the internal and external networks. The Blocked policy can be used to create a very restrictive policy set using the additional configuration options.

2/Strict
This is a restrictive policy set. A small set of outgoing client sessions are permitted through the firewall and all incoming server sessions are excluded.

3/Standard
This is the default policy set. Almost all outgoing client sessions are permitted, and almost all incoming server sessions are excluded. The only exceptions to those rules are that the BGP and X Windows protocols are excluded from going in or out of the firewall and the IPSec protocol is permitted in.

4/Lenient
This is a less secure policy. All outgoing client sessions are permitted and some incoming server sessions are permitted.


5/Open
This is an insecure policy set. Everything is permitted through the firewall, thereby turning the firewall into a transparent bridge.

Flags
These indicate the protocols permitted in or out along the path, that is, the path’s security configuration.

Path Number
This is the number assigned to the path by the firewall.

Input
This is the interface which is serving as the inside interface on the path. Typically, the inside interface is the secure side of the path.

Output
This is the interface which is serving as the outside interface on the path. Typically, the outside interface is the less secure side of the path.

Bckt
This is the hash index used for looking up paths in the firewall’s internal databases.

show firewall sessions
This command displays the current sessions on each path in the firewall. Sample output from the show firewall sessions command is shown below.

'Green-Red' Session Table:
Session                                Bckt  IP Proto  Flags     Usage Cnt
192.168.4.51:1187 -> 192.168.4.60:23   303   TCP       00010002  181
192.168.4.33:520 -> 224.0.0.9:520      331   UDP       00020000  81
192.168.4.61:520 -> 224.0.0.9:520      359   UDP       00020000  9

'Yellow-Red' Session Table:
Session                                Bckt  IP Proto  Flags     Usage Cnt

'Green-Yellow' Session Table:
Session                                Bckt  IP Proto  Flags     Usage Cnt
192.168.4.33:520 -> 224.0.0.9:520      331   UDP       00020000  81
192.168.4.61:520 -> 224.0.0.9:520      359   UDP       00020000  9

Session
This shows the IP addresses for each session and indicates whether it is an outgoing client session (->) or an incoming server session (<-).

Bckt
This is the hash index used for looking up the session in the firewall’s internal databases.

IP Proto
This indicates the IP protocol of the session. Values may be TCP, UDP, ICMP, GRE, OSPF, or IPSec. It may also be IP followed by a space and the assigned protocol number.

Flags
This shows the flags which currently apply to the session and indicate such things as whether the session is active, whether it is a permanent session, whether either side has shut down, and whether it has received input packets or output packets.

Usage Cnt
This is a counter for how many times packets have gone through for the session.

show firewall rejects
This command displays a summary of information about rejected sessions. Sample output from the show firewall rejects command is shown below.

'Green-Red' Reject Table:
Session                                    Bckt  IP Proto  Flags     Usage Cnt
192.168.5.12:* <- 192.168.5.2:*            15    ICMP      0008000a  15
192.168.5.227:113 <- 195.241.48.131:51566  75    TCP       00080008  1
192.168.5.227:23369 <- 193.207.1.1:25      76    TCP       00080008  2
192.168.5.227:23716 <- 209.27.23.188:25    98    TCP       0008000a  2
208.251.158.137:3783 <- 192.168.5.30:4606  114   TCP       00080008  1
208.251.158.137:3782 <- 192.168.5.30:21    136   TCP       00080008  1
192.168.5.52:32768 <- 192.168.5.30:53      152   UDP       00080008  4
192.168.5.227:113 <- 194.183.166.3:4672    157   TCP       00080008  2
192.168.5.103:6101 <- 192.168.5.12:43601   159   TCP       00080008  1
192.168.171.14:137 <- 205.199.222.115:137  164   UDP       00080008  3
192.168.5.103:6101 <- 192.168.5.12:43608   166   TCP       00080008  1
192.168.5.103:6101 <- 192.168.5.12:43609   167   TCP       00080008  1
192.168.5.103:6101 <- 192.168.5.12:43610   168   TCP       00080008  1
192.168.5.103:6101 <- 192.168.5.12:43611   169   TCP       00080008  1
192.168.5.103:6101 <- 192.168.5.12:43612   170   TCP       0008000a  1

'Yellow-Red' Reject Table:
Session                                    Bckt  IP Proto  Flags     Usage Cnt
192.168.5.31:520 <- 192.168.5.8:520        72    UDP       0008000a  10
192.168.5.31:138 <- 192.168.5.24:138       348   UDP       0008000a  2

'Green-Yellow' Reject Table:
Session                                    Bckt  IP Proto  Flags     Usage Cnt

Session
This shows the IP addresses for the rejected session and indicates whether it is an outgoing client session (->) or an incoming server session (<-).

Bckt
This is the hash index used for looking up the session in the firewall’s internal databases.

IP Proto
This indicates the IP protocol of the rejected session. Values may be TCP, UDP, ICMP, GRE, OSPF, or IPSec. It may also be IP followed by a space and the assigned protocol number.

Flags
This shows the flags which currently apply to the session and indicate such things as whether it has received input packets or output packets.

Usage Cnt
This is a counter for how many times packets have been discarded for the rejected session. The timer for the counter is set in the [ Firewall Globals ] section. The counter will be cleared when the timer expires.
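The session and reject tables of show firewall sessions and show firewall rejects share one row format, so a single parser serves both. The following is an added example, not code from the manual or from Compatible Systems: it parses the page's own Green-Red and Yellow-Red reject tables and produces three triage views a firewall administrator would want (discards per path, which server ports the rejected incoming sessions were aimed at, and which rejected flows keep recurring). The client/server split follows the arrow convention the Session field describes; the function and field names are this example's own.

```python
"""Parse 'show firewall sessions' and 'show firewall rejects' tables and
summarise the rejects for triage."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the Green-Red and Yellow-Red reject tables and
# the empty Green-Yellow table, as printed on this page of the manual.
SAMPLE_REJECTS = """\
'Green-Red' Reject Table:
Session                                    Bckt  IP Proto  Flags     Usage Cnt
192.168.5.12:* <- 192.168.5.2:*            15    ICMP      0008000a  15
192.168.5.227:113 <- 195.241.48.131:51566  75    TCP       00080008  1
192.168.5.227:23369 <- 193.207.1.1:25      76    TCP       00080008  2
192.168.5.227:23716 <- 209.27.23.188:25    98    TCP       0008000a  2
208.251.158.137:3783 <- 192.168.5.30:4606  114   TCP       00080008  1
208.251.158.137:3782 <- 192.168.5.30:21    136   TCP       00080008  1
192.168.5.52:32768 <- 192.168.5.30:53      152   UDP       00080008  4
192.168.5.227:113 <- 194.183.166.3:4672    157   TCP       00080008  2
192.168.5.103:6101 <- 192.168.5.12:43601   159   TCP       00080008  1
192.168.171.14:137 <- 205.199.222.115:137  164   UDP       00080008  3
192.168.5.103:6101 <- 192.168.5.12:43608   166   TCP       00080008  1
192.168.5.103:6101 <- 192.168.5.12:43609   167   TCP       00080008  1
192.168.5.103:6101 <- 192.168.5.12:43610   168   TCP       00080008  1
192.168.5.103:6101 <- 192.168.5.12:43611   169   TCP       00080008  1
192.168.5.103:6101 <- 192.168.5.12:43612   170   TCP       0008000a  1

'Yellow-Red' Reject Table:
Session                                    Bckt  IP Proto  Flags     Usage Cnt
192.168.5.31:520 <- 192.168.5.8:520        72    UDP       0008000a  10
192.168.5.31:138 <- 192.168.5.24:138       348   UDP       0008000a  2

'Green-Yellow' Reject Table:
Session                                    Bckt  IP Proto  Flags     Usage Cnt
"""

TABLE_RE = re.compile(r"^'(?P<path>[^']+)' (?P<kind>Session|Reject) Table:")
# One data row: "a.b.c.d:port <- w.x.y.z:port  bckt  proto  flags  count".
# The port is '*' for ICMP; the protocol may also be "IP <number>".
ROW_RE = re.compile(
    r"^(?P<l_ip>\d+(?:\.\d+){3}):(?P<l_port>\d+|\*)\s+(?P<arrow><-|->)\s+"
    r"(?P<r_ip>\d+(?:\.\d+){3}):(?P<r_port>\d+|\*)\s+(?P<bckt>\d+)\s+"
    r"(?P<proto>TCP|UDP|ICMP|GRE|OSPF|IPSec|IP \d+)\s+"
    r"(?P<flags>[0-9a-fA-F]{8})\s+(?P<cnt>\d+)\s*$"
)


@dataclass(frozen=True)
class FwRow:
    path: str
    table: str       # "Session" or "Reject"
    client: str      # initiating endpoint "ip:port" (tail of the arrow)
    server: str      # responding endpoint "ip:port" (head of the arrow)
    incoming: bool   # True for '<-', an incoming server session
    proto: str
    flags: int
    usage_cnt: int


def parse_fw_tables(text: str) -> list[FwRow]:
    """Walk the multi-table output and return one FwRow per data row."""
    rows: list[FwRow] = []
    path = table = None
    for line in text.splitlines():
        hdr = TABLE_RE.match(line)
        if hdr:
            path, table = hdr.group("path"), hdr.group("kind")
            continue
        m = ROW_RE.match(line)
        if not m or path is None:
            continue  # column header, blank line or unrecognised text
        left = f"{m['l_ip']}:{m['l_port']}"
        right = f"{m['r_ip']}:{m['r_port']}"
        incoming = m["arrow"] == "<-"
        # '->' is an outgoing client session (client on the left);
        # '<-' is an incoming server session (client on the right).
        client, server = (right, left) if incoming else (left, right)
        rows.append(FwRow(path, table, client, server, incoming, m["proto"],
                          int(m["flags"], 16), int(m["cnt"])))
    return rows


def discards_per_path(rows: list[FwRow]) -> dict[str, int]:
    """Usage Cnt summed per path: which path is discarding the most."""
    totals: Counter = Counter()
    for r in rows:
        totals[r.path] += r.usage_cnt
    return dict(totals)


def rejected_server_ports(rows: list[FwRow]) -> Counter:
    """Rows per (proto, server port) among rejected incoming server sessions."""
    return Counter((r.proto, r.server.rsplit(":", 1)[1])
                   for r in rows if r.table == "Reject" and r.incoming)


def recurring_rejects(rows: list[FwRow], min_rows: int = 3) -> dict:
    """Rejected flows that recur: same client host, same server endpoint."""
    seen = Counter((r.client.rsplit(":", 1)[0], r.server, r.proto)
                   for r in rows if r.table == "Reject")
    return {key: n for key, n in seen.items() if n >= min_rows}
```

On the page's data, recurring_rejects singles out 192.168.5.12 reaching 192.168.5.103:6101 six times with a fresh source port each time, which is exactly the kind of repeated, rejected flow worth a look in the Dynamic Firewall Logging output.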

show firewall proto
This command displays the protocols which are allowed in and out along each path. The display includes both the pushbutton configuration and the Allow Ports/Protocols configuration. Sample output from the show firewall proto command is shown below.

'Green-Red' Pushbutton Configuration:
Protocols/Services permitted in: (Masks -> 06080e0a 00000004)
HTTP, SMTP, DNS, CSC Management, NTP (NetTime), ARP, IP Security, RIP, BGP

Protocols/Services permitted out: (Masks -> 0ffdffff 00000007)
FTP, Telnet, HTTP, LPR, SMTP, POP, NNTP (news), Gopher, BSD R-Utils, DNS, CSC Management, TFTP, NTP (NetTime), SUN RPC, NFS, IRC, Real Audio, H.323, ARP, ICMP, GRE Tunnels, IP Security, ISAKMP, NetBIOS, RIP, OSPF, BGP, Other UDP, Other TCP, Non IP

'Yellow-Red' Pushbutton Configuration:
Protocols/Services permitted in: (Masks -> 062a060b 00000006)
FTP, HTTP, SMTP, DNS, CSC Management, NTP (NetTime), X Windows, ARP, IP Security, ISAKMP, BGP, Other UDP

Protocols/Services permitted out: (Masks -> 0ffdffff 00000007)
FTP, Telnet, HTTP, LPR, SMTP, POP, NNTP (news), Gopher, BSD R-Utils, DNS, CSC Management, TFTP, NTP (NetTime), SUN RPC, NFS, IRC, Real Audio, H.323, ARP, ICMP, GRE Tunnels, IP Security, ISAKMP, NetBIOS, RIP, OSPF, BGP, Other UDP, Other TCP, Non IP

'Green-Yellow' Pushbutton Configuration:
Protocols/Services permitted in: (Masks -> 04000000 00000000)
ARP

Protocols/Services permitted out: (Masks -> 0dfdffff 00000007)
FTP, Telnet, HTTP, LPR, SMTP, POP, NNTP (news), Gopher, BSD R-Utils, DNS, CSC Management, TFTP, NTP (NetTime), SUN RPC, NFS, IRC, Real Audio, H.323, ARP, ICMP, GRE Tunnels, IP Security, ISAKMP, NetBIOS, RIP, OSPF, Other UDP, Other TCP, Non IP

'Green-Red' Non Pushbutton Protocol/Service Configuration:
Session                  Bckt  IP Proto  Flags     Usage Cnt
TCP port 548 <IN, OUT>   132   TCP       00000076  2

'Yellow-Red' Non Pushbutton Protocol/Service Configuration:
Session                  Bckt  IP Proto  Flags     Usage Cnt

'Green-Yellow' Non Pushbutton Protocol/Service Configuration:
Session                  Bckt  IP Proto  Flags     Usage Cnt

show firewall statistics
This command displays global firewall and path-specific statistics since the device was last booted. Sample output from this command is shown below.

Global Statistics:
Invalid Port        0   Bad Path          1
Open MUX       103277   Mcast/Bcast  828637
Active Ses        408   Max Ses         701

Dynamic Memory Usage:
Ses in use        408   Ses free        328
Ses allocated     736   Total Ses    296391

                Green-Red  Yellow-Red  Green-Yellow
Pkts Thru         6123770        1683         19116
Frag ok               261           0             0
ARP                  5383        1656          1065
Non IP                  0           0             0

Pkts Dropped      1250745      433351        105329
Bad IP hdr              0           0             0
Src Route               0           0             0
Bad Frag                0           0             0
Min Frag                0           0             0
Non IP             904367      399503        105329

Timeouts           176027          27           556
Inactivity         128789          16           556
TCP SYN             44833          11             0
TCP FIN              2401           0             0
TCP Resets          35685           0             0

Active Ses            407           0             1
Max Ses               700           1             1
Ses Err                 0           0             0
Ses Missing             0           0             0

Global Statistics
This section displays global firewall statistics. The statistic types are described below:

Invalid Port
The number of sessions which attempted a connection with an interface which wasn’t included in any path. The value should usually be 0.

Open MUX
The number of sessions between open multiplexed (Open MUX) interfaces. These are any interfaces which have the same setting on a path (i.e., any interfaces which are designated as inside interfaces on the same path are Open MUX; similarly, interfaces which are designated as outside interfaces on the same path are also Open MUX).

Active Ses
The total number of active sessions on the firewall.

Bad Path
The number of sessions which attempted a connection to a bad path. This may occasionally happen at startup.

Mcast/Bcast
The number of multicast and broadcast packets received since boot.

Max Ses
The maximum number of simultaneous active sessions which have occurred on the firewall.

Dynamic Memory Usage
This section displays the dynamic memory usage. The statistic types are described below.

Ses in use
A tally of the active sessions on the firewall. This should be very close, if not identical, to Active Ses.

Ses allocated
The number of available sessions on the firewall, based on memory allocation. This number should always be slightly above Max Ses.

Ses free
The number of allocated sessions which are not in use. As sessions are timed out, the Ses free will increase; as new sessions are established, the Ses free will decrease. If there appear to be too many or too few sessions available, the session timers may need to be adjusted. Session timers are set using the [ Dynamic Firewall Globals ] section.

Total Ses
The total number of sessions since boot.

The next section of statistics displays path-specific information.

Pkts Thru
The total number of packets transmitted along the path.

Frag Ok
The number of fragmented packets which were allowed through.

ARP
The number of ARP packets which were allowed through.

Non IP
The number of non-IP packets which were allowed through.

Pkts Dropped
The total number of packets which were discarded.

Bad IP hdr
The number of packets discarded due to errors in the IP header.

Src Route
The number of source routed packets which were discarded.

Bad Frag
The number of overlapping fragmented packets which were discarded.

Min Frag
The number of fragmented packets which were discarded because they were smaller than the minimum size allowed in the configuration.

Non IP
The number of non-IP packets (e.g., IPX and AppleTalk) which were discarded based on the security policy.

Timeouts
The total number of sessions timed out.

Inactivity
The number of sessions timed out due to inactivity.

TCP SYN
The number of sessions timed out due to incomplete TCP session establishment negotiation.

TCP FIN
The number of sessions timed out due to incomplete TCP session teardown negotiation.

TCP Resets
The number of sessions timed out due to a TCP reset. A TCP reset is an abnormal session termination causing an instantaneous abort.

Active Ses
The total number of active sessions on the path.

Max Ses
The maximum number of simultaneous active sessions which have occurred on the path.

Ses Err
The number of times the firewall encountered an error when trying to free a session.

Ses Missing
The number of times the firewall couldn’t find a session when trying to free it.

OPTIONS
Verbose
This option causes the command to display even more information.

SEE ALSO
[ Dynamic Firewall Globals ], [ Dynamic Firewall Logging ], [ Dynamic Firewall Path <Name> ]

frelay(show)

COMMAND NAME
show frelay - display Frame Relay configuration and status.

SYNOPSIS
show frelay config
show frelay dlci
show frelay pvc [ port ] [ dlci ]
show frelay stats [ port ] [ dlci ]

DESCRIPTION
The show frelay commands are used to display Frame Relay configuration and statistics within the router.

show frelay config shows the status of the Frame Relay configuration for each physical port of the router. This includes whether it is on or off, which local maintenance protocol is configured, and the interval for exchanging the local maintenance packets. The following is the output from a show frelay config command.

Port  Maint   Poll  MTU   DLCI
Wan0  annexD  10    1500  n/a
Wan1  Off

show frelay dlci shows the configured DLCI (Data Link Connection Identifier) mappings. These are DLCIs that have been configured with their specific protocol address mappings. The following is the output from a show frelay dlci command.

Wan0 DLCI Configuration
DLCI  IP        AppleTalk  IPX   DECnet
101   10.1.2.2  Off        IARP  Off
103   10.1.2.3  Off        IARP  Off
102   10.1.2.4  Off        IARP  Off
100   10.1.2.5  Off        IARP  Off

show frelay pvc shows the status of the PVCs (Permanent Virtual Circuits) that have been picked up from the Frame Relay switch through local maintenance packets. It shows the status of the PVC, the Q.922 physical address and DLCI value for the PVC, the total number of input and output packets, a reference and use count, and the up time of the PVC. If no port number is specified, then the known PVCs for all ports will be shown. If a port is specified, then the PVCs for that specific port are shown. If a dlci is specified in conjunction with a port, the status shown for that PVC includes the above data along with an expanded list of packet statistics. This expanded list includes tallies for input and output fragmented packets, FECN and BECN packets and packets that have been discarded. Certain dlci numbers are used for maintenance protocols (i.e., 0 is used for ANSI Annex-D, and 1023 is used for LMI). The following is the output from a show frelay pvc command.

Wan0 Frame Relay PVC
DLCI  State     Type   Interface  Flags  Q.922  RefUse    Active (D:H:M:S)
102   Inactive  User   ni_wan0    21     1861   13018     0:00:00:00
101   Active    User   ni_wan0    21     1851   3112944   10:03:49:38
16    Active    User   ni_wan0    21     0401   66759709  2:08:22:58
0     Active    Maint  ni_wan0    41     0001   1175562   10:03:50:02

show frelay stats shows an expanded list of Frame Relay packet tallies, described above, for each port of the router. If a port is specified, then only the extended Frame Relay packet tallies for that port are shown. If a dlci is specified in conjunction with a port, then the extended Frame Relay packet tallies for that PVC or DLCI are shown.

SEE ALSO
[ Frame Relay <Section ID> ]

history(show)

COMMAND NAME
show history - Show Command history.

SYNOPSIS
show history

DESCRIPTION
The show history command is used to display the last commands entered in the current command loop session. The command history is displayed from the oldest command to the newest command.

The command history has room for 650 bytes of command history, or about 40 commands. When the buffer fills up, older commands are removed to make room for more recent ones. All commands stored in the buffer are displayed by the show history command.

COMMAND LINE EDITING
The command loop parser supports command line editing. By using this mechanism, whole commands from the history buffer can be retrieved, or a complex set of commands can be retrieved and modified to eliminate most retyping.

The edit config command has two separate history buffers: one for editor commands and another for text input using the append command. There is no way to display the history in these buffers, but the complete editing functionality described below is supported.

On a VT100 or ANSI terminal, the up and down keyboard arrow keys may be used to scroll through the history buffer. The left and right arrow keys may be used to move the cursor position on the current command. Keyboard input will be inserted at the position of the cursor, pushing the rest of the command to the right. There is no overstrike mode. Characters to the left of the cursor may be deleted by pressing either the delete or backspace key. An entire line may be deleted by entering a <CTRL-U> or <CTRL-C>.

A more powerful "emacs" style of editing is also available for users without access to compatible arrow keys or users who are familiar with emacs or other emacs-style command line implementations. The command search functions <CTRL-S> and <CTRL-R> are not implemented.

A complete summary of valid commands for both styles is listed below. Both editing styles are active and recognized at the command prompt.

VT100/ANSI KEYPAD EDITING
Key Sequence  Command action
Left Arrow    Cursor back one character
Right Arrow   Cursor forward one character
Down Arrow    Go forward in history
Up Arrow      Go backward in history to previous command
Backspace     Delete previous character
Delete        Delete previous character
Ctrl U        Erase line and start over
Ctrl C        Interrupt input

EMACS-STYLE EDITING
Key Sequence  Command action
Ctrl A        Beginning of line
Ctrl B        Cursor back one character
Ctrl C        Interrupt input
Ctrl D        Delete forward character
Ctrl E        End of line
Ctrl F        Cursor forward one character
Ctrl H        Delete previous character
Ctrl K        Kill (delete) rest of line
Ctrl L        Redraw line
Ctrl N        Go forward to the next line
Ctrl P        Go backward to the previous line
Ctrl Q        Enter next character literally
Ctrl U        Erase line and start over
DEL           Same as Ctrl H

Note: Entering passwords, input to other command prompts, and input to subcommands will not show up in the command history. Incorrect and partial input will show up.

SEE ALSO
help(mgmt), edit config

ip(show)

COMMAND NAME
show ip - Show IP configuration and related data.

SYNOPSIS
show ip config [ Ethernet | Localtalk | VPN | WAN ] [ <port> ] [ Status ]
show ip filter
show ip routing [ Direct | Dynamic <protocol> | Static | Default | Configured ] [ <IP address> <subnet mask> ]
show ip protocol
show ip cache
show ip statistics
show ip rtcount

DESCRIPTION
The show ip commands display information about the configured and runtime IP parameters and IP routes. They can also show information about the status of the IP ARP cache and IP statistics.

show ip config
The show ip config command will display the IP configuration parameters for all of the interfaces. For more information about how to set the parameters see the [ IP <Section ID> ] section. The following is the output from a show ip config command for a RISC Router 3400R.

Addresses
Port        IP Addr               Subnet           Broadcast        Flags
Ethernet 0  192.168.11.6          255.255.255.224  192.168.11.31    <OSPF:Active>
                                                                    <RIP:in,V2>
Ethernet 1  ** Disabled **
Bridge      ** Disabled **
Wan0        Unnumbered interface                                    <Rip_out,Rip_in>
            Remote Address:                        0.0.0.0          <>
Wan1        disabled
Wan2        Unnumbered interface                                    <Rip_out,Rip_in>
            Remote Address:                        192.168.9.18     <>
Wan3        163.179.16.33         255.255.255.0    163.179.16.255   <Rip_out,Rip_in>
            Remote Address:                        163.179.16.2     <>

Ethernet parameters are displayed with one line, while WAN and LocalTalk interfaces are displayed with two, unless disabled. The column headings are described below.

Port
This column usually displays all of the physical interfaces. The exception is for devices that also do bridging. In that case, the bridge "port" is also listed. While bridging is usually associated with Ethernet interfaces, it is logically different to the device. Unnumbered WAN interfaces are noted as such.

IP Addr
This is the IP address assigned to this interface. If there is no IP address assigned, it is designated as an unnumbered interface.

Subnet
This is the subnet mask that is being used by this interface.

Broadcast
This is the broadcast address which this interface will use.

Options
These are the IP options set for this interface. These include information on the status of routing protocols, Proxy ARP, etc.

Remote Address
This is the remote address, if configured, for this interface. The address itself is actually displayed in the second line of the WAN output under the Broadcast column.

If the optional parameters Ethernet, LocalTalk, VPN or WAN are used, only interfaces of that type will be shown. The display can be further restricted with the use of the port option.

The optional Status parameter shows the present runtime information. If the configuration has been changed, the values displayed when this parameter is used will be different from those displayed without it.

show ip filter
The show ip filter command will display the runtime IP protocol filters for all of the interfaces. The following is the output from a show ip filter command.

Filter Spec: test (1)
1: permit 0.0.0.0/00000000 -> 0.0.0.0/00000000
   Protocol: ==45
   Matches: 0:

show ip routing
The show ip routing command will display the IP routing table presently being used by the device. This information is useful for determining if the device is connected to the networks desired and to find out if there are routes to networks directly attached.

The output is displayed in four main sections. The first is the Directly Connected Routes. These are the routes installed based upon the configuration information as well as internal routes that the device uses for routing packets sent directly to it. The second section lists runtime Static Routes. These are routes defined by the user. The third section, Dynamic Routes, lists routes picked up from other devices on the network. The last section, Configured IP Routes, shows permanently configured static routes. Output from the show ip routing command follows.

Directly Connected Routes:
Destination      Mask       Refs  Uses   Type   Interface
127.0.0.1        FFFFFFFF   1     0      STIF   Local
192.168.9.31     FFFFFFFF   1     4812   STIF   Local
192.168.9.0      FFFFFFFF   1     0      STIF   Local
192.168.9.8      @FFFFFFFF  1     2820   Local  Local
192.168.9.18     @FFFFFFFF  1     27     Stat   Wan2
192.168.9.0      FFFFFFE0   1     45253  STIF   Ethernet0
163.179.16.255   FFFFFFFF   1     0      STIF   Local
163.179.16.0     FFFFFFFF   1     0      STIF   Local
163.179.16.33    @FFFFFFFF  1     0      Local  Local
163.179.16.0     FFFFFF00   1     2036   STIF   Wan3
255.255.255.255  @FFFFFFFF  1     1737   Local  Local

Static Routes:
Destination  Mask  Gateway  Metric  Refs  Uses  Type  Interface

Dynamic Routes:
Destination    Mask      Gateway        Metric  Refs  Uses   Type  TTL  Interface
DEFAULT                  199.45.130.49  1       1     52724  RIP   176  Wan0
192.168.8.0    FFFFFF00  192.168.9.1    3       1     2682   RIP   171  Ethernet0
192.168.9.128  FFFFFFE0  192.168.9.1    1       1     0      RIP   171  Ethernet0
192.168.9.224  FFFFFFE0  192.168.9.1    5       1     1603   RIP   171  Ethernet0
192.168.9.64   FFFFFFE0  192.168.9.1    3       1     0      RIP   171  Ethernet0
192.168.9.32   FFFFFFE0  192.168.9.1    3       1     1502   RIP   171  Ethernet0
192.168.10.0   FFFFFF00  192.168.9.1    5       1     8756   RIP   171  Ethernet0
199.45.130.24  FFFFFFE0  199.45.130.49  1       1     0      RIP   175  Wan0
163.179.0.0    FFFFFF00  192.168.9.6    1       1     0      RIP   154  Ethernet0

Total Routes in use: 24    Default Router = <not set>
@Mask -> Host route    *Type -> Redistribute

Configured IP Routes:
Destination  Mask  Gateway        Metric  IFnum
DEFAULT            192.168.200.1  1       0      Wan0

The column headings are described below.

Destination
This is the network or host which a route has been defined for.

Mask
This is the subnet mask associated with the destination.

Gateway
This is the gateway (or router) where packets for the destination are to be sent.

Metric
This is the number of routers between this device and the destination. Values will be between 1 and 16. If a metric count is 16, the route is timed out and will be purged from the table.

Refs
This is the internal count of references to the route displayed.

Uses
This is the number of IP packets routed to the destination by this device.

Type
This is the method by which the route was "discovered." Possible types include RIP, RIP V2, OSPF and BGP.

Src/TTL
This is the Time To Live for the route in seconds, or, if the router is a BGP router, this shows the source of the packet. A TTL value of 999 means that the timeout is infinite and will never be timed out.

Most BGP routes are IGP, which means they originated in an interior gateway protocol. The other possibilities are EGP (exterior gateway protocol) or Incomplete, which usually indicates a static route.

Interface
This is the interface that packets for this destination will be forwarded on.

If the optional parameters Direct, Dynamic, Static, Default, or Configured are used, the display will be abbreviated. If the Dynamic option is used, the display may be further restricted by using the protocol modifier. The protocol options are RIP, OSPF, BGP or ICMP. This is of greatest use on routers which are running BGP, since it enables you to display just OSPF, RIP, or ICMP routes without getting a full BGP routing table display. (A router running full BGP can have over 50,000 BGP routes.) An IP address and subnet mask can be used to show a single IP route.

show ip protocol
The show ip protocol command can be used to display a summary of the configuration of each IP routing protocol, as shown in the following example. Note that BGP is enabled globally, not per interface like OSPF and RIP.

IP PROTOCOL CONFIGURATION

Wan0  : OSPF:passive   RIP:disabled,V2
Wan1  : OSPF:passive   RIP:disabled,V2
Ether0: OSPF:disabled  RIP:in,out,V2
Ether1: OSPF:active    RIP:disabled,V2

BGP: 2 configured peers: 1 external, 1 internal

IP PROTOCOL PRECEDENCE: (1) ospf (2) rip (3) static

ROUTING PROTOCOL REDISTRIBUTION
RIP to OSPF:     disabled
Default to OSPF: disabled
OSPF to RIP:     disabled
BGP to OSPF:     disabled
BGP to RIP:      disabled
RIP to BGP:      enabled
OSPF to BGP:     enabled

show ip cache
The show ip cache command displays information about IP addresses presently in the fast-routing cache. An example of the show ip cache command is given below.

Destination    Ethernet Address   Iface  Use cnt  Last Used
192.168.11.50  00:00:a5:71:2c:00  Eth3   1381589  361247
192.168.9.226  00:00:a5:f1:54:00  Eth2   195745   360677
192.168.11.10  02:60:8c:dd:af:58  Eth1   106912   360909
192.168.9.30   aa:00:04:00:0a:04  Eth0   18048    360677

Destination
This is the IP address of the destination.

Ethernet Address
This is the MAC-level Ethernet address.

Iface
This is the interface through which the device communicated with this destination.

Use cnt
This is the number of packets sent to this destination.

Last Used
This is the time (relative to the start of the device and measured in clock ticks) of the last use of this entry.

show ip statistics
The show ip statistics command displays information about various IP tallies. The display is split up into sections based on whether the statistic is IP, ICMP, or UDP. The values are all defined as MIB variables and can also be obtained by using an SNMP Management station. For more information, see RFC 1213 "Management Information Base for Network Management of TCP/IP-based internets: MIB-II." Unless otherwise indicated, these tallies are only for packets directed to the device.

        Received                 Transmitted                Other
------------------------ ------------------------ -----------------------
IP:
Packets          111638   Packets             2218   Fragmentation
Delivered          5999   Forwarded              1     Success             0
                          (datagrams)       102700     Creates             0
Errors                    Errors                       Failures            0
  Bad Header         30     No route             0   Reassembly
  Proto Unkn        721                                Success             0
  Bad Address         0                                Requests            0
                                                       Timeouts           30
  Discards            0     Discards             0     Failures            0

ICMP:
Packets               0   Packets             1769
Errors                0   Errors                 0
Dest Unreach          0   Dest Unreach        1738
Time Exceeded         0   Time Exceeded         30
Parameter Err         0   Parameter Err          0
Source Quench         0   Source Quench          0
Redirect              0   Redirect               1
Echo                  0   Echo                   0
Echo Reply            0   Echo Reply             0
Timestamp             0   Timestamp              0
Tstamp Reply          0   Tstamp Reply           0
Addr Mask             0   Addr Mask              0
Amask Reply           0   Amask Reply            0

UDP:
Packets            5856   Packets             4088   No Ports              1
Errors                0

IP:
Packets
The total number of datagrams received, including errors, or number of datagrams received from the IP stack to be transmitted. The Received packets tally is for all packets which have passed through the device.

Delivered
The number of datagrams delivered to the IP stack.

Forwarded (datagrams)
This is the number of packets forwarded by this device. The datagrams tally is for all packets which have passed through the device.

Errors
These tallies are for all packets passing through the device.

Bad Header
The number of datagrams discarded due to errors in the header.

Proto Unkn
The number of datagrams discarded because they contained an unknown protocol.

Bad Address
The number of datagrams discarded due to an invalid IP address.

Discards
The number of datagrams discarded for other reasons.

Fragmentation
The number of datagrams sent that had to be fragmented.

Success
The number of datagrams fragmented successfully.

Creates
The number of fragmented datagrams created.

Failures
The number of datagrams that could not be fragmented and were discarded.

Reassembly
The number of IP fragments received that needed to be reassembled.

Success
The number of IP fragments successfully reassembled.

Requests
The number of reassembly requests.

Timeouts
The maximum number of seconds which received fragments are held while they are awaiting reassembly by the device.

Failures
The number of IP fragments not successfully reassembled.

ICMP:
Packets
The number of ICMP packets sent or received.

Errors
The number of ICMP packets not sent because of errors or received with errors.

Dest Unreach
The number of ICMP destination unreachable messages sent or received.

Time Exceeded
The number of ICMP packets sent or received that timed out.

Parameter Err
The number of ICMP parameter problem packets sent or received.

Source Quench
The number of ICMP source quench packets sent or received.

Redirect
The number of ICMP redirects sent or received.

Echo
The number of echo requests sent or received.

Echo Reply
The number of echo replies sent or received.

Timestamp
The number of ICMP timestamp request packets sent or received.

Tstamp Reply
The number of ICMP timestamp replies sent or received.

Addr Mask
The number of ICMP address mask requests received.

Amask Reply
The number of ICMP address mask replies sent.

UDP:

Packets
Total number of datagrams delivered to UDP users.

Errors
Number of UDP datagrams not delivered because of an error.

No Ports
The number of UDP datagrams received for which there was no application at the destination port.

show ip rtcount
The show ip rtcount command displays the total number of routes currently in the IP routing table, including both BGP and non-BGP routes. This command is particularly useful when there are a very large number of routes. An example of the show ip rtcount command is given below.

Number of routes in IP Routing Table: 1008
Number of routes in BGP Routing Database: 980

OPTIONS

port
The port option restricts the command to displaying information only about the interface specified. The port can be specified either as the letter or number of the interface.

SEE ALSO
[ IP <Section ID> ], [ IP Filter <Name> ], [ IP Route Filter <Name> ], [ IP Static ], ip route(add), ip arp(add)


ipx(show)

COMMAND NAME
show ipx - Show IPX configuration parameters.

SYNOPSIS
show ipx config [ Ethernet | Wan ] [ <port> ] [ Status ]
show ipx runtime [ Ethernet | Wan ] [ <port> ]
show ipx routing [ Verbose ]
show ipx servers [ Verbose ]
show ipx tunnels [ IP | Filters ]
show ipx cache
show ipx filter

DESCRIPTION
The show ipx commands display configured and runtime IPX parameters.

show ipx config

This command shows the IPX parameters that are configured into the Flash ROM of a device. The output from the command looks like:

                 Timers
Port          RIP   SAP   Frame                 Seed       Net    Flags
Ethernet 0    60    60    Ether TypeII          Seed       2001   <>
                          802.3 (RAW)           Auto       2002
                          802.2 (LLC) NonSNAP   Off
Wan 0         60    60    Unnumbered net                          <>
                          Remote Net: 0                           <RTR>
Wan 1         60    60    Unnumbered net                          <>
                          Remote Net: 0                           <RTR,Trigger>
Wan 2         60    60    Unnumbered net                          <>
                          Remote Net: 0                           <RTR,Trigger>
Wan 3         60    60    Unnumbered net                          <>
                          Remote Net: 0                           <RTR,Trigger>

The information shown is:

Port
This identifies the physical IPX interface.

Timers (RIP and SAP)
These values show how often the router sends out IPX RIP (Routing Information Protocol) and IPX SAP (Service Advertising Protocol) packets on the network segment attached to this interface. The RIP packets sent out on this interface contain routing information about networks for which this device is responsible. The SAP packets sent out on this interface contain information about services (such as servers, printers, etc.) for which this device is responsible. The default timer is 60 seconds for both.


Frame
For Ethernet interfaces, this shows the IPX frame type. On WAN interfaces, this shows whether the interface is numbered or unnumbered. A numbered interface means that there is a non-zero network number configured on the interface. An unnumbered interface means that the network doesn't have a number associated with it and is considered half-routed.

Seed
This displays the seed status of the IPX interface and frame type. Possible seed identifiers are Seed, Auto or Non [seed]. If the interface is off, Off is displayed. On a WAN interface the possible seed identifier can be Unnumbered.

Net
This is the network number configured when the interface is a seed port. It is shown as a hexadecimal value.

Flags
On WAN interfaces, the RIP update method is shown as either Triggered or Periodic. RTR indicates that PPP should negotiate the router name option.

Remote Net
On WAN interfaces, additional information is shown about the remote net address.

show ipx runtime
This command shows the IPX parameters that are currently running in the device. The format of this information is the same as that shown above for the show ipx config command. The information reflects the runtime status of the IPX networks that are connected to the device and may differ from the configured information.

show ipx routing
This command shows the current IPX routing table. An IPX routing table is shown below:

Directly Connected Routes:
Net Nmbr   Refs   Uses   Flags   Iface
1          1      2147   0       Eth 1
2          1      3423   0       Eth 1
3          1      1884   0       Eth 1
dade0      1      2397   0       Eth 1
deaf       1      4705   0       Eth 0


Dynamic Routes:
Net Nmbr   Gateway                     Ref   Uses   Metric   TTL   Flgs   Iface
10001      deaf - aa:00:04:00:32:04    1     1431   1        158   0      Eth 0
2001       deaf - aa:00:04:00:32:04    1     511    1        158   0      Eth 0
6000       deaf - aa:00:04:00:32:04    1     0      2        158   0      Eth 0
6001       deaf - aa:00:04:00:32:04    1     1533   2        158   0      Eth 0
500        deaf - aa:00:04:00:32:04    1     511    3        158   0      Eth 0
d00d1e     deaf - 00:00:a5:cc:5e:00    1     0      1        144   0      Eth 0
33210      deaf - aa:00:04:00:32:04    1     0      2        158   0      Eth 0
deadf00d   deaf - 00:00:a5:71:2c:00    1     2052   1        162   0      Eth 0
cafe6000   deaf - aa:00:04:00:32:04    1     0      2        158   0      Eth 0
cafe       deaf - aa:00:04:00:32:04    1     1533   3        158   0      Eth 0
face0ff    deaf - aa:00:04:00:32:04    1     917    2        158   0      Eth 0

The routing table is shown in two sections. The first is the network information for the Directly Connected Routes. The second section shows the Dynamic Routes obtained through IPX RIP packets on the directly connected networks. The information shown in the routing table is explained below.

Net Nmbr
This is the network number of the IPX route shown as a hexadecimal value.

Gateway
This is the IPX address (net - node) of the device responsible for the network. Packets bound for the network are sent to the device at that address to be forwarded.

Refs
This is the internal count of references to the route displayed.

Uses
This is the number of IPX packets routed to the destination by this device.

Metric
The metric is the number of routers between this device and the destination. Values will be between 1 and 16. If a metric count is 16, the route is timed out and will be purged from the table.

TTL
This is the Time To Live for the route in seconds.

Flags
These are internal flags used by the router to maintain the routing table.

Iface
This is the interface through which the route was received and also identifies the interface where the gateway is located.


show ipx servers
This command shows the current IPX SAP (Service Advertising Protocol) table. An IPX SAP table is shown below:

Type   Name                      Net Address                 Port   Hops   TTL   Iface
1466   RR3400R_A5BAAB95(EN...    face0ff-00:00:a5:ba:ab:95::33017   2      35    Eth 0
1466   Crossroads                10001-aa:00:04:00:32:04::33016     2      135   Eth 0
1466   goldy's Local Micro...    2-00:00:a5:63:54:00::33019         3      135   Eth 0
1466   goldy's nugget            2-00:00:a5:52:98:01::33020         3      135   Eth 0
1466   Red Bridge                10001-00:00:a5:c7:3b:00::33020     3      135   Eth 0
1466   Jericho                   cafe-00:00:a5:52:35:00::33020      4      135   Eth 0
1466   frame relay guy           1-00:00:a5:a7:3c:00::33019         2      170   Eth 1
1466   Span Bridge               deadf00d-00:00:a5:f8:3b:00::33020  3      166   Eth 0
1466   Dieter's bridge           deadf00d-00:00:a5:51:b6:00::33020  3      166   Eth 0
1466   Bob's Router              1-00:00:a5:1c:5c:00::33019         5      135   Eth 0
1466   Grunion                   6001-00:00:a5:56:5b:00::33019      4      135   Eth 0
1466   Bagwanh                   6001-00:00:a5:95:5f:00::33018      2      135   Eth 0
1466   Lanfear                   6001-00:00:a5:be:ef:a0::33017      4      135   Eth 0
1466   TGINAMR                   deaf-00:00:a5:be:ef:22::33017      2      165   Eth 0
1466   Yet Another RISC Ro...    deaf-aa:00:04:00:b7:07::33020      1      999   Eth 0
4      COMPATISAURUS             500-00:00:00:00:00:01::1105        3      135   Eth 0

The information shown in the SAP table is explained below.

Type
This is the server type.

Name
This is the server name.

Net Address
This is the IPX address (net - node) of the server.

Port
This is the port or socket number where the server is listening.

Hops
This is the number of hops away that the server is from this device. Values will be between 1 and 16. If a hop count is 16, the server is timed out and will be purged from the table.

TTL
This is the Time To Live for the service in seconds. A value of 999 means that the timeout is infinite and will never be timed out.

Iface
This is the interface through which information about the service was received and also identifies the interface where the service is located.

show ipx tunnels
This command shows the IPX-in-IP tunneling parameters.

show ipx cache
This command shows the IPX fast-routing cache available in Compatible's Ethernet-to-Ethernet routers. This fast-routing cache enables this class of router to route at full Ethernet wire speed.


show ipx filter
This command shows the runtime IPX protocol filters for all of the interfaces.

OPTIONS

Ethernet | Wan
This option allows selective display of information about a specific type of interface. When a type is specified, all the interfaces of that type are shown in the command's output.

port
This option allows selective display of information about a specific interface.

Status
This option specifies that the IPX runtime information be shown. It is the same output as that shown for the show ipx runtime command.

Verbose
This shows additional detailed information about the IPX routing and SAP tables.

IP | Filters
These options allow selective display of IPX-in-IP tunneling parameters. IP specifies that the IP numbers of the tunneling partners be shown. Filters specifies that the filtered IPX network numbers be shown.

SEE ALSO
[ IPX <Section ID> ], [ IP Filter <Name> ], [ IPX Route Filter <Name> ], [ IPX SAP Filter <Name> ], [ IPX Tunnels ]


l2tp(show)

COMMAND NAME
show l2tp - Show L2TP configuration and users.

SYNOPSIS
show l2tp config
show l2tp users

DESCRIPTION
The show l2tp commands display information about the L2TP configuration and users.

show l2tp config
The show l2tp config command displays the configured L2TP parameters and the fixed L2TP system parameters, and provides a list of LAC peers. Following is sample output from a show l2tp config command.

L2TP Configured Parameters:
Authenticate Tunnels: TRUE
Do Hidden AVP's: FALSE
Receive Window Size: 0

L2TP System Parameters:
Hello Interval: 60 seconds
Retransmission Interval: 10 seconds
Maximum Retransmission Count: 5
System Acknowledgement Timeout: 10 seconds

Configured L2TP LAC Peers
bungie: jump
l2tpmax: letmein

L2TP Configured Parameters
This displays current L2TP configuration parameters.

Authenticate Tunnels
This indicates whether the IntraPort server has been configured to authenticate tunnels. If this is True, then the L2TP negotiation between the LAC peer and the IntraPort will use a CHAP-like tunnel authentication mechanism. If this is False, then no authentication of remote peers will be done.

Do Hidden AVP’s
This indicates whether the IntraPort server has been configured to hide certain types of L2TP control message data, known as AVPs. If this is True, then the LACPeer secret will be used to encrypt the data.

Receive Window Size
This indicates the number of control messages the peer can send before waiting for an acknowledgment. This number will only be sent to the remote peer (i.e., the LAC) if it has been set to something other than the default of 0. Otherwise, the remote peer will assume a window size of 4 messages.

L2TP System Parameters
This displays L2TP fixed system parameters. These settings are not configurable. They help control how L2TP tunnels will be set up.

Configured L2TP LAC Peers
This displays a list of the configured LAC peers. The peer name is listed first, followed by the secret.

show l2tp users
The show l2tp users command displays active L2TP client sessions. Following is sample output from a show l2tp users command.

===============================================
ACTIVE L2TP CALL SESSIONS
===============================================

LAC peer name skytrail, LAC IP address 198.41.11.199
Local tunnel id 1, Remote tunnel id 17

Call sessions in this tunnel:
Username l2tpuser: port VPN1, assigned IP address 192.168.190.1
local call id 32, remote call id 1

SEE ALSO
[ L2TP General ]


mppp(show)

COMMAND NAME
show mppp statistics - Show Multilink PPP (MPPP) configuration parameters and statistics.

SYNOPSIS
show mppp statistics

DESCRIPTION
The show mppp statistics command displays MPPP-specific information about the state of your multilink ports. Parameters are set in the [ Multilink PPP <Name> ] section of the router configuration file. show mppp statistics produces the following output:

Mlink Section       Home-Office
Primary WAN         0
Ports Configured    2
Ports Up            2
Packets In          361
Packets In - FS     355
Packets Out         3225
Fragments In        0
Fragments Drop      0
Dup Fragments       0
Lost Fragments      2
Sequence Reset      0
Min Sequence        440
Next Rx Seq         442
Next Tx Seq         3225

Each of the statistics is described below.

Mlink Section
This is the name used to describe the multilink section of the configuration.

Primary WAN
This is the WAN port number that the router uses to get higher-level configuration parameters. In the above example, the primary WAN is WAN 0. All higher-level protocol information will be taken from WAN 0 in this router's configuration. Therefore, section [ IP WAN 0 ] defines IP parameters for the entire bundle.

Ports Configured
This is the total number of ports configured in this multilink bundle.

Ports Up
This is the total number of ports that have successfully negotiated Multilink PPP.

Packets In
This is the number of packets received on this multilink bundle.


Packets In - FS
This is the number of packets received whole and in order. No re-sequencing was necessary.

Packets Out
This is the number of packets sent onto the multilink bundle.

Fragments In
This is the number of partial packets received on the multilink bundle.

Fragments Drop
This is the number of fragments dropped due to corruption of some kind.

Dup Fragments
This is the number of duplicate sequence numbers on the multilink bundle.

Lost Fragments
This is the number of fragments assumed lost because of improper sequence order.

Sequence Reset
This is the number of times the router needed to reset its sequence number space.

Min Sequence
This is the smallest last sequence number seen over all ports in the multilink bundle.

Next Rx Seq
This is the next sequence number expected on the multilink.

Next Tx Seq
This is the next sequence number to be used on the multilink.

Note: If show mppp statistics produces no output, then Multilink PPP is probably misconfigured. Check to see that the name given for the [ Multilink PPP <Name> ] section is less than 16 characters. Also check that MPEnabled is set to TRUE and that the Bundle parameter is set. Finally, make sure that the Mode parameter in the [ Link Config <Section ID> ] section is set to PPP for each of the WAN ports included in the multilink bundle.

SEE ALSO
[ Multilink PPP <Name> ], [ Link Config <Section ID> ], wan(show)


nat(show)

COMMAND NAME
show nat - Show NAT configuration parameters and related data.

SYNOPSIS
show nat config
show nat map
show nat sessions
show nat statistics
show nat address_db

DESCRIPTION
The show nat commands provide information on the configured and operating state of a router’s NAT (Network Address Translation) variables.

show nat config
This command shows the current configuration of the NAT variables, including the NAT mapping translation pairs and the NAT map database, which are explained in more detail below. The following is the output from the show nat config command:

NAT functionality enabled (On/Off): On
NAT Response to external ICMPs (On/Off): On
Communicate w/ Router through IP Ports (On/Off): On
Configured Ports: Ether0
UDP timeout period (sec.): 300
TCP timeout period (sec.): 86400
TCP SYN timeout period (sec.): 180
TCP FIN timeout period (sec.): 180
Entered Internal range(s):
10.5.3.0/27
Entered External range(s):
198.41.9.219
198.41.9.195
198.41.9.194
Entered Pass Thru range(s):
198.41.9.{205-210}

[ NAT Map Database ]
Total Number of Entries in NAT Map Database: 2
--------------------------------------------------
         Internal                         External
LineNo.  <IPaddress[/Mask or :Port]>  ->  <IPaddress[/Mask or :Port]>
1        <10.5.3.11:80>               ->  <198.41.9.195:80>
2        <10.5.3.20/32>               ->  <198.41.9.194/32>

show nat map
This command shows the one-to-one address translation pairs currently entered in the router, or displays a message that no one-to-one address pairs are presently entered in the NAT map database.


The following is the output from the show nat map command:

Nat_2220> show nat map
[ NAT Map Database ]
Total Number of Entries in NAT Map Database: 1
--------------------------------------------------
         Internal                        External
LineNo.  <IPaddress[/Mask or:Port]>  ->  <IPaddress[/Mask or:Port]>
1        <10.5.3.20/32>              ->  <198.41.9.194/32>

This display is read as the internal address (10.5.3.20) which is translated to/from the external address (198.41.9.194). Packets addressed to 198.41.9.194 from the Internet will be accepted by the router, translated to the destination address 10.5.3.20 and sent to the internal NAT network by the router.

show nat sessions
This command displays the translation sessions currently active in the router’s NAT software. The following is the output from the show nat sessions command:

Active Map                             Remote               Proto   Hashes    Time Since:
                                                                              Created   Last Activity
------------------------------------   -------------------  ------  --------  --------  -------------
10.5.3.20:0 ->198.41.9.194:0           198.41.9.200:0       ICMP    221/907   124.33    114.33
10.5.3.20:0 ->198.41.9.194:0           198.41.9.215:0       ICMP    236/922   105.00    104.00
10.5.3.10:29841 ->198.41.9.219:29841   198.41.9.30:53       UDP     255/976   33.93     33.50
10.5.3.10:1899 ->198.41.9.219:1899     198.41.9.12:80       TCP     983/680   25.67     0.16
10.5.3.10:1900 ->198.41.9.219:1900     198.41.9.12:80       TCP     984/681   30.24     15.83

Active Map
This is the IP address:port internal-to-external address translation. If the translation is not to or from a specific port, then the port value will be 0.

Remote
This is the location on the external Internet communicating with the workstation or router in the internal NAT network.

Proto
This is the protocol the session is translating. Current values for this column are ICMP, UDP, and TCP, or the actual number of the other IP protocols.

Hashes
This is the information used by the software to store and locate the translation sessions in the NAT internal database.

Time Since: Created
This is the time, in seconds, since the session was created.


Time Since: Last Activity
This is the time, in seconds, since the session was last used to translate an IP packet.

show nat statistics
This command displays the total number of sessions the router has created since it was last booted, how many are currently active, and the status of those sessions which are no longer active. The following is the output from the show nat statistics command:

Total Sessions: 38
  Filtered: 0
  Currently Active: 0
  Properly Removed: 33
  Sessions Timed Out: 5
    SYN Timeouts: 0
    FIN Timeouts: 0
    Inactivity: 5
  Sessions Reset: 2
    Invalid Cache: 0
    No Resources: 0
    Stale ACK: 0

Total Sessions
This is the total number of NAT sessions created to translate IP packets since the router was last booted.

Filtered
Filtered currently has no values defined.

Currently Active
This is the number of sessions presently being used by the router to translate packets.

Properly Removed
This is the number of sessions removed from the NAT session database as a result of FIN and ACK packets being exchanged between the workstation/router on the NAT network and the workstation/router on the Internet. The IP session is terminated and the NAT session doing the address translation is likewise removed from the NAT hash database.

Note: The sum of the values for Currently Active, Properly Removed, and Sessions Timed Out should be equal to the value for Total Sessions.


Sessions Timed Out
This is the number of NAT sessions removed from the NAT hash database as a result of a time limit being exceeded. There are three types of timeouts:

SYN Timeouts
This occurs when a SYN packet in a session does not receive a response within the time limit defined by the TCP SYN timeout period.

FIN Timeouts
This occurs when a FIN packet in a session does not receive a response within the time limit defined by the variable TCP FIN timeout period.

Inactivity
This occurs when a session has not been used for any IP address translations in the time limit defined by either the UDP timeout period or the TCP timeout period.

Note: Currently, all non-TCP NAT sessions use the UDP timeout period for their inactivity timeout limits.

Sessions Reset
This is the tally of the NAT sessions for which an RST packet was sent. Invalid Cache, No Resources, and Stale ACK currently have no values defined.
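As an added example (not part of this manual or of the router software), the following Python applies the inactivity rule above to the show nat sessions rows and checks the session accounting described under show nat statistics. The sample rows and counters are the ones shown in this section, laid out one field per column; the 300-second UDP and 86400-second TCP limits are those from the show nat config sample.

```python
"""Reap-time and counter checks for 'show nat sessions' / 'show nat statistics'.

Example code added for this reference page; not part of the router software.
The two samples are the page's own outputs, one field per column; the timeout
values are those in the page's 'show nat config' sample.
"""
import re
from typing import Dict, List, NamedTuple

# Inactivity limits (seconds) from the sample 'show nat config' output.
INACTIVITY_TIMEOUT = {"UDP": 300, "TCP": 86400}


class Session(NamedTuple):
    internal: str         # internal address:port
    external: str         # translated external address:port
    remote: str           # remote address:port on the Internet side
    proto: str            # ICMP, UDP, TCP or a raw protocol number
    created: float        # seconds since the session was created
    last_activity: float  # seconds since it last translated a packet


# One data row: "<int> -><ext> <remote> <proto> <hash/hash> <created> <last>"
_ROW = re.compile(
    r"^(\S+)\s+->(\S+)\s+(\S+)\s+(\S+)\s+\S+/\S+\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_sessions(text: str) -> List[Session]:
    """Return the data rows of 'show nat sessions'; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(Session(m.group(1), m.group(2), m.group(3), m.group(4).upper(),
                                float(m.group(5)), float(m.group(6))))
    return rows


def inactivity_limit(proto: str) -> int:
    """TCP sessions use the TCP timeout; every non-TCP session uses the UDP timeout."""
    return INACTIVITY_TIMEOUT["TCP"] if proto == "TCP" else INACTIVITY_TIMEOUT["UDP"]


def seconds_until_inactivity_timeout(s: Session) -> float:
    """Idle time the session has left before the Inactivity timeout removes it."""
    return inactivity_limit(s.proto) - s.last_activity


def expiring_within(sessions: List[Session], horizon: float) -> List[Session]:
    """Sessions that will be reaped for inactivity within 'horizon' seconds if they stay idle."""
    return [s for s in sessions if seconds_until_inactivity_timeout(s) <= horizon]


_COUNTER = re.compile(r"^\s*([A-Za-z ]+?):\s*(\d+)\s*$")


def parse_statistics(text: str) -> Dict[str, int]:
    """Map each 'Name: value' line of 'show nat statistics' to its integer value."""
    stats = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            stats[m.group(1).strip()] = int(m.group(2))
    return stats


def statistics_consistent(stats: Dict[str, int]) -> bool:
    """Page's rule: Currently Active + Properly Removed + Sessions Timed Out == Total
    Sessions; and, since exactly three timeout kinds are listed, their sum must
    equal Sessions Timed Out."""
    lifecycle_ok = (stats["Currently Active"] + stats["Properly Removed"]
                    + stats["Sessions Timed Out"]) == stats["Total Sessions"]
    timeouts_ok = (stats["SYN Timeouts"] + stats["FIN Timeouts"]
                   + stats["Inactivity"]) == stats["Sessions Timed Out"]
    return lifecycle_ok and timeouts_ok


# Rows copied from this page's 'show nat sessions' example output.
SAMPLE_SESSIONS = """\
Active Map                             Remote             Proto  Hashes   Created  Last Activity
------------------------------------   -----------------  -----  -------  -------  -------------
10.5.3.20:0 ->198.41.9.194:0           198.41.9.200:0     ICMP   221/907  124.33   114.33
10.5.3.20:0 ->198.41.9.194:0           198.41.9.215:0     ICMP   236/922  105.00   104.00
10.5.3.10:29841 ->198.41.9.219:29841   198.41.9.30:53     UDP    255/976  33.93    33.50
10.5.3.10:1899 ->198.41.9.219:1899     198.41.9.12:80     TCP    983/680  25.67    0.16
10.5.3.10:1900 ->198.41.9.219:1900     198.41.9.12:80     TCP    984/681  30.24    15.83
"""

# Counters copied from this page's 'show nat statistics' example output.
SAMPLE_STATISTICS = """\
Total Sessions: 38
  Filtered: 0
  Currently Active: 0
  Properly Removed: 33
  Sessions Timed Out: 5
    SYN Timeouts: 0
    FIN Timeouts: 0
    Inactivity: 5
  Sessions Reset: 2
    Invalid Cache: 0
    No Resources: 0
    Stale ACK: 0
"""

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_SESSIONS):
        print(f"{s.internal:>22} {s.proto:<4} idle {s.last_activity:8.2f}s, "
              f"{seconds_until_inactivity_timeout(s):9.2f}s left")
    print("statistics consistent:", statistics_consistent(parse_statistics(SAMPLE_STATISTICS)))
```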

show nat address_db
This command displays all of the IP addresses being used by the router for Network Address Translation. The following is the output from the show nat address_db command:

Network Address Translation Address Database
Address Tree Level   IP Address      IP Mask      Flags
-------------------  --------------  ----------   ----------
+                    10.5.3.0        0xffffffe0   0x00000001
++                   10.5.3.11       0xffffffff   0x00000019
++                   10.5.3.20       0xffffffff   0x00000009
+                    198.41.9.192    0xffffffe0   0x00001000
++                   198.41.9.194    0xffffffff   0x0000000a
++                   198.41.9.195    0xffffffff   0x0000001a
++                   198.41.9.205    0xffffffff   0x00000004
++                   198.41.9.206    0xffffffff   0x00000004
++                   198.41.9.207    0xffffffff   0x00000004
++                   198.41.9.208    0xffffffff   0x00000004
++                   198.41.9.209    0xffffffff   0x00000004
++                   198.41.9.210    0xffffffff   0x00000004
++                   198.41.9.219    0xffffffff   0x00000002

Flag Legend: INTERNAL: 0x0001, MAPPED: 0x0002, PassThru: 0x0004
             1 to 1: 0x0008, PORT in MAP_DB: 0x0010, PLACEHOLDER: 0x1000


Address Tree Level
This is the search depth of the IP addresses in the database. Each plus sign (+) indicates a deeper level within the address tree.

IP Address
This is either an internal or external IP address which is being used by the router for NAT. The Flags indicate which type of address it is.

IP Mask
This is the hexadecimal representation of the mask associated with each address.

Flags
This shows all flags which apply to each IP address in the NAT Address Database. The flags are defined briefly in the "Flag Legend" at the end of the display.
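As an added example (not part of this manual or of the router software), the following Python parses the show nat address_db table and expands each Flags value into the legend names, which makes the role of every address in the database readable at a glance. The sample table and the bit values are the ones printed in the output above.

```python
"""Decode the Flags column of 'show nat address_db' output.

Example code added for this reference page; not part of the router software.
The sample table is the page's own 'show nat address_db' output and the bit
values are those of the page's Flag Legend.
"""
import re
from typing import Dict, List, NamedTuple

# Bit values from the Flag Legend printed below the address database.
FLAG_LEGEND: Dict[int, str] = {
    0x0001: "INTERNAL",
    0x0002: "MAPPED",
    0x0004: "PassThru",
    0x0008: "1 to 1",
    0x0010: "PORT in MAP_DB",
    0x1000: "PLACEHOLDER",
}
_KNOWN_BITS = sum(FLAG_LEGEND)


class AddrEntry(NamedTuple):
    depth: int      # address tree level: number of leading '+' signs
    address: str
    mask: int
    flags: int


# Data row: plus signs, dotted-quad address, hex mask, hex flags.
_ROW = re.compile(
    r"^(\++)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s*$", re.I)


def parse_address_db(text: str) -> List[AddrEntry]:
    """Return the data rows of the address database; header, rule and legend lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            entries.append(AddrEntry(len(m.group(1)), m.group(2),
                                     int(m.group(3), 16), int(m.group(4), 16)))
    return entries


def decode_flags(flags: int) -> List[str]:
    """Legend names for every bit set in flags, lowest bit first; bits the
    legend does not define are reported as 'unknown:0x....'."""
    names = [name for bit, name in sorted(FLAG_LEGEND.items()) if flags & bit]
    unknown = flags & ~_KNOWN_BITS
    if unknown:
        names.append(f"unknown:0x{unknown:04x}")
    return names


def prefix_length(mask: int) -> int:
    """Convert the hexadecimal IP Mask column to a CIDR prefix length."""
    return bin(mask & 0xFFFFFFFF).count("1")


def addresses_by_role(entries: List[AddrEntry]) -> Dict[str, List[str]]:
    """Group addresses under each legend name whose bit they carry; range rows
    (mask shorter than /32) are shown in CIDR form."""
    roles: Dict[str, List[str]] = {name: [] for name in FLAG_LEGEND.values()}
    for e in entries:
        shown = e.address if e.mask == 0xFFFFFFFF else f"{e.address}/{prefix_length(e.mask)}"
        for name in decode_flags(e.flags):
            roles.setdefault(name, []).append(shown)
    return roles


# Sample output copied from this page's 'show nat address_db' example.
SAMPLE_ADDRESS_DB = """\
Network Address Translation Address Database
Address Tree Level   IP Address      IP Mask      Flags
-------------------  --------------  ----------   ----------
+                    10.5.3.0        0xffffffe0   0x00000001
++                   10.5.3.11       0xffffffff   0x00000019
++                   10.5.3.20       0xffffffff   0x00000009
+                    198.41.9.192    0xffffffe0   0x00001000
++                   198.41.9.194    0xffffffff   0x0000000a
++                   198.41.9.195    0xffffffff   0x0000001a
++                   198.41.9.205    0xffffffff   0x00000004
++                   198.41.9.206    0xffffffff   0x00000004
++                   198.41.9.207    0xffffffff   0x00000004
++                   198.41.9.208    0xffffffff   0x00000004
++                   198.41.9.209    0xffffffff   0x00000004
++                   198.41.9.210    0xffffffff   0x00000004
++                   198.41.9.219    0xffffffff   0x00000002

Flag Legend: INTERNAL: 0x0001, MAPPED: 0x0002, PassThru: 0x0004
             1 to 1: 0x0008, PORT in MAP_DB: 0x0010, PLACEHOLDER: 0x1000
"""

if __name__ == "__main__":
    for e in parse_address_db(SAMPLE_ADDRESS_DB):
        print(f"{'+' * e.depth:<3} {e.address:<14}/{prefix_length(e.mask):<3} "
              f"0x{e.flags:04x} {', '.join(decode_flags(e.flags))}")
```

Read against the show nat config sample, the 0x19 on 10.5.3.11 and the 0x1a on 198.41.9.195 are the two ends of the port mapping <10.5.3.11:80> -> <198.41.9.195:80>, while 0x09 and 0x0a are the /32 pair.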

SEE ALSO
[ NAT Global ], [ NAT Mapping ]


os(show)

COMMAND NAME
show os - Show the device's Operating System parameters.

SYNOPSIS
show os processes
show os memory [Verbose]
show os dump <address> [ <nbytes> ]
show os netif [ <if number> ] [Verbose]
show os resevent
show os timeq
show os tcp

DESCRIPTION
These commands show the device's Operating System parameters.

show os processes
This command shows the process table for the device.

show os memory
This command shows the current status of the memory allocation in the device. Free memory as well as the allocation of packet buffers is shown.

show os dump
This command allows arbitrary memory of the device to be dumped in hexadecimal format to the terminal.

show os netif
This command shows the current status of the internal network interface structures. There is one network interface structure for every type of network encapsulation done by the device (i.e., Ethernet SNAP, Ethernet Type II, PPP, Frame Relay, etc.)

show os resevent
This command shows detailed information about the status of the device when the last restart event occurred. A "restart event" will occur when the device reaches a condition where it can't proceed. The restart event information can be cleared using the reset resevent command.

show os timeq
This command shows the time queue required to implement IEEE Spanning Tree bridging. See the bridge(show) section and the [ Bridging Global ] section.

show os tcp
This command shows TCP connection state information.

OPTIONS

address
This is the memory location to be dumped, specified as a hexadecimal address. Addresses of invalid memory locations may cause a bus error which will cause a restart event and restart the device.

nbytes
This is the number of bytes of memory to dump. The default is 320 bytes.

if number
This is the internal network interface number.

Verbose
This keyword shows more detail about the memory allocation or the internal network interface structures.

SEE ALSO
resevent(reset), bridge(show), [ Bridging Global ]


ospf(show)

COMMAND NAME
show ospf - Show OSPF configuration, statistics and databases.

SYNOPSIS
show ospf rtrid
show ospf config
show ospf stats
show ospf mem
show ospf if [ verbose ]
show ospf nbr
show ospf rt
show ospf all
show ospf db [ all | rtr | net | sum | ext ]

DESCRIPTION
The show ospf commands display extensive information about the OSPF database, configuration, and dynamic memory usage.

show ospf rtrid
The show ospf rtrid command displays the router ID, which is the largest IP interface address associated with the router. The router ID is calculated only at boot time, or when OSPF has been re-enabled using the ospfenable command (see ospfenable(mgmt)). Following is sample output from a show ospf rtrid command.

OSPF Router ID for this router is 198.41.11.202

show ospf config
The show ospf config command displays user-configured values that are currently being used by the protocol. Following is sample output from a show ospf config command.

OSPF PER-INTERFACE CONFIGURATION
IP Ethernet Intface 198.41.11.201 assign to area 0.0.0.0
Interface is Active
Interface Cost = 10, Router Priority = 1
Hello Interval = 10, Router Dead Interval = 40
Transit Delay = 1, Retransmit Interval = 5

IP Ethernet Interface 74.0.0.1 assigned to area 0.0.0.0
Interface is Active
Interface Cost = 10, Router Priority = 1
Hello Interval = 10, Router Dead Interval = 40
Transit Delay = 1, Retransmit Interval = 5

IP Ethernet Interface 73.0.0.1 assigned to area 0.0.0.0
Interface is Active
Interface Cost = 10, Router Priority = 1
Hello Interval = 10, Router Dead Interval = 40
Transit Delay = 1, Retransmit Interval = 5

IP Ethernet Interface 77.0.0.1 assigned to area 0.0.0.0
Interface is Active
Interface Cost = 10, Router Priority = 1
Hello Interval = 10, Router Dead Interval = 40
Transit Delay = 1, Retransmit Interval = 5


OSPF VIRTUAL LINK CONFIGURATION
None

OSPF AREA CONFIGURATION
Area ID: 0.0.0.0
Net Ranges defined for this area:
None

ROUTING PROTOCOL REDISTRIBUTION
Redistribute RIP routes into OSPF is disabled
Redistribute BGP routes into OSPF is disabled
Redistribute OSPF routes into RIP is disabled

This displays configured settings for each interface, including the IP address of the interface, the area the interface is assigned to, and whether the interface is an active or passive OSPF interface.

Interface Cost
This is the configured cost assigned to this interface.

Router Priority
This is the configured priority assigned to this interface.

Hello Interval
This is the interval, in seconds, at which the interface sends out "keepalive" packets to let other routers know this interface is up.

Router Dead Interval
This is the interval, in seconds, that the router’s neighbors will wait without receiving a "keepalive" packet from this router before they assume this router is down.

Transit Delay
This is the amount of time added to the age of Link State Update packets before transmission.

Retransmit Interval
This is the interval, in seconds, that the interface will wait before retransmitting Link State Update packets.

The display also includes any configured settings for OSPF virtual links, the Area ID and any net ranges set for the area, and the routing protocol redistribution settings.

show ospf mem
The show ospf mem command displays OSPF dynamic memory usage.


Following is sample output from a show ospf mem command.------------------------------------------------------------OSPF DATABASE STATIC MEMORY USAGE: 36882 bytes

OSPF DATABASE DYNAMIC MEMORY USAGEMemory Block Allocs Deallocs In Use Size Total------------------------------------------------------------ospf_intf 2 0 2 874 1748ospf_nbr 4 0 4 118 472ospf_nbr_node 4 0 4 20 80ospf_nh_block 4 0 4 20 80ospf_lsdb 419 323 96 74 7104ospf_rtr_lsa 178 173 5 var 216ospf_stub_lsa 2 0 2 24 48ospf_net_lsa 36 35 1 var 44ospf_sum_lsa 350 340 10 28 280ospf_ase_lsa 3027 2949 78 36 2808ospf_route 6 4 2 46 92ospf_netrange 0 0 0 28 0ospf_rtinfo 82 2 30 80 2400ospf_dbsum 6 6 0 12 0ospf_hdr 6 6 0 1422 0ospf_ack_hdrq 156 156 0 28 0ospf_ack_intf 3503 3503 0 28 0ospf_nbrlist 70 70 0 12 0ospf_lsreq 94 94 0 24 0ospf_lsdblist 3660 3660 0 16 0------------------------------------------------------------Total In Use 15130------------------------------------------------------------

show ospf stats
The show ospf stats command shows OSPF packet statistics. This shows how many of each of the five types of OSPF packets have been received and sent: Hello, Database Description, Link State Request, Link State Update, and Link State Acknowledgment. Discarded packets are not errors; an example of a discarded packet would be a multicast for Designated Routers when this router is not the Designated Router or Backup Designated Router. Following is sample output from a show ospf stats command.

OSPF Packet Statistics

                                 Received      Sent
Hello Packets:                      29371      5880
Database Description Packets:          13        16
Link State Request Packets:             0         9
Link State Update Packets:            327        34
LS Acknowledgment Packets:            275       279
Total Packets:                      30811      6218

Packets discarded:      825
Packet errors:            0

If "Packet errors" is nonzero, a detailed breakdown of each type of packet error will be displayed. In the example below, the router is reporting a Hello timer interval mismatch with one of the routers on the network, which will cause the two routers to be unable to establish an adjacency.

OSPF Packet Statistics

                                 Received      Sent
Hello Packets:                         26        19
Database Description Packets:          11        11
Link State Request Packets:             1         4
Link State Update Packets:             17         4
LS Acknowledgment Packets:              6        10
Total Packets:                         63        48

Packets discarded:        0
Packet errors:            2
Hello timer mismatch:     2

show ospf if
The show ospf if command displays the OSPF interface database. The verbose option can be used to display more information. Following is sample output from a show ospf if command.

OSPF IP Interfaces

Interface Ether0 is Active
    Cost: 5   State: NOT DR OR BDR   Type: BROADCAST
    Priority: 1
    Designated Router: 198.41.11.205
    Backup Designated Router: 198.41.11.204
    Timers: Hello: 10  Dead: 40  Retrans: 5
    Neighbors:
        Down 0  Att 0  Init 0  2Way 3  ExStart 0  Exch 0  Loading 0  Full 2

Interface Ether1 is Active
    Cost: 5   State: NOT DR OR BDR   Type: BROADCAST
    Priority: 1
    Designated Router: 198.41.11.17
    Backup Designated Router: 198.41.11.6
    Timers: Hello: 10  Dead: 40  Retrans: 5
    Neighbors:
        Down 0  Att 0  Init 0  2Way 0  ExStart 0  Exch 0  Loading 0  Full 2

Cost
This is the cost of using this interface. An OSPF router will choose the path with the lowest cost to enter into its routing table.

State
This indicates whether this router is the Designated Router or the Backup Designated Router.

Type
This indicates the interface's type. Broadcast interfaces are LAN/Ethernet interfaces. Point-to-Point interfaces are WAN interfaces running PPP. Point-to-Multipoint interfaces are WAN interfaces running Frame Relay.

Priority
This indicates the router's priority. The priority is used to determine whether the router is eligible to become the Designated Router or the Backup Designated Router for the LAN. A priority of 0 means that the router is not eligible. The router with the highest priority becomes the Designated Router.

Designated Router
This is the IP address of the Designated Router.

Backup Designated Router
This is the IP address of the Backup Designated Router.

Timers
This displays the timer settings for this interface. The Hello and Dead timers for each connected router must match or the routers will not be able to communicate.

Neighbors
This shows the number of current neighbors in each state of the neighbor negotiation process. Down, Att (attempting connection), Init (initializing connection), ExStart (starting to exchange database information), Exch (in the process of exchanging database information), and Loading (requesting Link State Advertisements from each other) are transient states and should only appear at startup. 2WAY indicates that this router and the neighbor have completed their neighbor negotiation. FULL indicates that the neighbor is the Designated Router or the Backup Designated Router.

show ospf nbr
The show ospf nbr command displays an abbreviated list of current neighbors and their state. Following is sample output from a show ospf nbr command.

-----------------------------------------------------------------
OSPF Neighbors
=================================================================
Ether0  RtrID: 198.41.11.200  Addr: 198.41.11.200  State: 2WAY
Ether0  RtrID: 198.41.11.202  Addr: 198.41.11.202  State: 2WAY
Ether0  RtrID: 198.41.11.203  Addr: 198.41.11.203  State: 2WAY
Ether0  RtrID: 198.41.11.204  Addr: 198.41.11.204  State: FULL
Ether0  RtrID: 198.41.11.205  Addr: 198.41.11.205  State: FULL
Ether1  RtrID: 198.41.11.6    Addr: 198.41.11.6    State: FULL
Ether1  RtrID: 198.41.11.17   Addr: 198.41.11.17   State: FULL
-----------------------------------------------------------------

Rtr ID
This is the neighbor's router ID, which is the largest IP interface address associated with the router.

Addr
This is the IP address of the neighbor.

State
This is the current state of the neighbor negotiation process between this router and the neighbor. Unless the router is just starting up, the state should be either 2WAY or FULL. FULL indicates that the neighbor is the Designated Router or the Backup Designated Router. 2WAY indicates that this router and the neighbor have completed their neighbor negotiation.
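The two checks described above (a neighbor that stays in a transient state after startup, and a nonzero "Packet errors" count with its per-type breakdown such as the Hello timer mismatch) can be scripted against captured command output. The following Python is an added example, not part of the Compatible Systems guide; it assumes the output of show ospf nbr and show ospf stats has been captured as text, and the two samples are constructed in the layout shown above.

```python
"""Added example (not from the guide): check `show ospf nbr` and
`show ospf stats` output for the conditions described above."""
import re

# Constructed samples in the layout the guide shows; Ether1 has a neighbor
# left in ExStart and the stats block carries a Hello timer mismatch.
SHOW_OSPF_NBR = """\
-----------------------------------------------------------------
OSPF Neighbors
=================================================================
Ether0  RtrID: 198.41.11.200  Addr: 198.41.11.200  State: 2WAY
Ether0  RtrID: 198.41.11.204  Addr: 198.41.11.204  State: FULL
Ether1  RtrID: 198.41.11.6    Addr: 198.41.11.6    State: EXSTART
-----------------------------------------------------------------
"""

SHOW_OSPF_STATS = """\
OSPF Packet Statistics

                                 Received      Sent
Hello Packets:                         26        19
Database Description Packets:          11        11
Link State Request Packets:             1         4
Link State Update Packets:             17         4
LS Acknowledgment Packets:              6        10
Total Packets:                         63        48

Packets discarded:        0
Packet errors:            2
Hello timer mismatch:     2
"""

# States the guide calls transient (expected only at startup).
TRANSIENT_STATES = {"DOWN", "ATT", "INIT", "EXSTART", "EXCH", "LOADING"}
STEADY_STATES = {"2WAY", "FULL"}

NBR_RE = re.compile(
    r"^(?P<intf>\S+)\s+RtrID:\s*(?P<rtrid>\S+)\s+Addr:\s*(?P<addr>\S+)"
    r"\s+State:\s*(?P<state>\S+)$"
)


def parse_neighbors(text):
    """One dict per neighbor line; title and separator lines do not match."""
    nbrs = []
    for line in text.splitlines():
        m = NBR_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["state"] = d["state"].upper()
            nbrs.append(d)
    return nbrs


def parse_stats(text):
    """Split 'Label: n m' rows into {label: (received, sent)} and
    'Label: n' rows (discards, errors, per-error breakdown) into {label: n}."""
    two_col, one_col = {}, {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, rest = line.partition(":")
        nums = rest.split()
        if len(nums) == 2 and all(n.isdigit() for n in nums):
            two_col[label.strip()] = (int(nums[0]), int(nums[1]))
        elif len(nums) == 1 and nums[0].isdigit():
            one_col[label.strip()] = int(nums[0])
    return two_col, one_col


def ospf_findings(nbr_text, stats_text, just_booted=False):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for n in parse_neighbors(nbr_text):
        if n["state"] in STEADY_STATES:
            continue
        if n["state"] in TRANSIENT_STATES and just_booted:
            continue  # adjacencies are still forming; not a problem yet
        findings.append(
            "%s: neighbor %s stuck in %s" % (n["intf"], n["rtrid"], n["state"]))
    two_col, one_col = parse_stats(stats_text)
    errors = one_col.get("Packet errors", 0)
    if errors:
        # Any other nonzero single-value row is a per-type error counter,
        # e.g. the Hello timer mismatch the guide explains.
        detail = {k: v for k, v in one_col.items()
                  if k not in ("Packets discarded", "Packet errors") and v}
        findings.append("%d packet errors: %s" % (errors, detail))
    hello_rx, hello_tx = two_col.get("Hello Packets", (0, 0))
    if hello_tx and not hello_rx:
        findings.append("sending Hellos but receiving none")
    return findings


if __name__ == "__main__":
    for f in ospf_findings(SHOW_OSPF_NBR, SHOW_OSPF_STATS):
        print(f)
```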

show ospf rt
The show ospf rt command displays the ABR (Area Border Router) and ASBR (Autonomous System Border Router) routes. An Area Border Router is a router which has interfaces in more than one area. An Autonomous System Border Router is a router which acts as a gateway between OSPF and other routing protocols (e.g., RIP, BGP, etc.). Following is sample output from a show ospf rt command.

AREA 0:
AS Border Routes:
    None
Area Border Routes:
    78.0.0.1  Area 0  Cost 10  AdvRouter 78.0.0.1
        Nexthop: 75.0.0.5  Interface: 75.0.0.2
    76.0.0.2  Area 0  Cost 10  AdvRouter 76.0.0.2
        Nexthop: 75.0.0.3  Interface: 75.0.0.2
    75.0.0.2  Area 0  Cost 0   AdvRouter 75.0.0.2

AREA 2:
AS Border Routes:
    None
Area Border Routes:
    75.0.0.2  Area 2  Cost 0   AdvRouter 75.0.0.2

SUMMARY AS Border Routes:
    None

show ospf all
The show ospf all command displays the entire OSPF Link State Database.

show ospf db
The show ospf db commands display various portions of the OSPF Link State Database. If the all option is used, the router, net and summary databases will be displayed. If the rtr option is used, the router Link State Database will be displayed. If the net option is used, the network Link State Database will be displayed. If the sum option is used, the summary Link State Database will be displayed. If the ext option is used, the external Link State Database will be displayed. Following is sample output from a show ospf db command.

OSPF Router, Net and Summary Databases:

Area 10:
STUB     AdvRtr: 198.41.11.202  Len: 24  Age: 3600  Seq: 00000000
         Router: 198.41.11.192  Mask: 255.255.255.240  Network: 198.41.11.192

STUB     AdvRtr: 198.41.11.202  Len: 24  Age: 2084  Seq: 00000000
         Router: 79.0.0.0  Mask: 255.0.0.0  Network: 79.0.0.0

RTR      AdvRtr: 198.41.11.193  Len: 36  Age: 1199  Seq: 80000d6b
         RouterID: 198.41.11.193  Area Border: On  AS Border: Off
         Connect Type: TRANS NET  Cost: 10
         DR: 198.41.11.193  Address: 198.41.11.193
         Nexthops(1):
             198.41.11.193  Interface: 198.41.11.202

RTR      AdvRtr: 198.41.11.194  Len: 36  Age: 393  Seq: 8000063f
         RouterID: 198.41.11.194  Area Border: Off  AS Border: Off
         Connect Type: TRANS NET  Cost: 10
         DR: 198.41.11.193  Address: 198.41.11.194
         Nexthops(1):
             198.41.11.194  Interface: 198.41.11.202

NET      AdvRtr: 198.41.11.193  Len: 44  Age: 1200  Seq: 80000034
         Router: 198.41.11.193  Mask: 255.255.255.240  Network: 198.41.11.192
         Attached Router: 198.41.11.193
         Attached Router: 198.41.11.194
         Attached Router: 198.41.11.200
         Attached Router: 198.41.11.202
         Attached Router: 198.41.11.203
         Nexthops(1):
             198.41.11.193  Interface: 198.41.11.202

SUM NET  AdvRtr: 198.41.11.193  Len: 28  Age: 1486  Seq: 80000026
         Network: 192.168.40.0  Mask: 255.255.255.0  Cost: 20
         Nexthops(1):
             198.41.11.193  Interface: 198.41.11.202

SUM NET  AdvRtr: 198.41.11.193  Len: 28  Age: 1486  Seq: 80000026
         Network: 192.168.41.0  Mask: 255.255.255.0  Cost: 20
         Nexthops(1):
             198.41.11.193  Interface: 198.41.11.202

SUM NET  AdvRtr: 198.41.11.193  Len: 28  Age: 1486  Seq: 80000026
         Network: 192.168.42.0  Mask: 255.255.255.0  Cost: 20
         Nexthops(1):
             198.41.11.193  Interface: 198.41.11.202

SEE ALSO
[ IP <Section ID> ], [ OSPF Area <Name> ], [ OSPF Virtual Link <Name> ], [ IP Route Redistribution ], ospfenable(mgmt)


ppp(show)

COMMAND NAME
show ppp - Show Point-to-Point Protocol (PPP) configuration parameters.

SYNOPSIS
show ppp lcp [ Status ]
show ppp quality [ Status ]
show ppp auth
show ppp compression
show ppp statistics

DESCRIPTION
The show ppp commands display PPP-specific information about the WAN interfaces.

show ppp lcp
This command displays LCP (Link Control Protocol) parameters configured for the WAN interfaces. For each WAN interface, flags for Want and Allow are displayed along with the Async-Character-Control-Map (ACCM). The output is shown below.

Wan 0:
    Want=5ac<ACCM,AUTH,MAGIC,PFC,ACFC,PAP>
    Allow=1a4<ACCM,MAGIC,PFC,ACFC>
    ACCM Mask=0<>

Want
The Want flags are parameters that the device requests of the remote end.

Allow
The Allow flags are parameters that the device will agree to accept from the remote end if requested.

ACCM Mask
The ACCM Mask is a 32-bit hexadecimal value which has a bit set for each control character requested to be mapped by the remote end. The value can be decoded starting from the least significant bit. See the [ PPP <Section ID> ] section for more information about the ACCM mask.

If the optional Status parameter is used, the display will show the runtime settings for the interface(s).

show ppp quality
This command displays the settings for the sending of echo packets. The output follows.

Port   Proto  Interval  Threshold
Wan 0         Off
Wan 1         Off
Wan 2  ECHO   Off
Wan 3  ECHO   11        21/ 30

Port
The Port is the name of the WAN interface.

Proto
Presently, the Proto column will have one of two values. A value of Off indicates that this interface is set for Frame Relay and the parameter cannot be set. A value of ECHO indicates that the ECHO protocol is selected (which is used in PPP).

Interval
The Interval is the frequency, in seconds, at which each echo will be sent. It is also the amount of time in which an echo response must be received in order not to be counted as missed. A value of Off indicates that the ECHO protocol is disabled.

Threshold
The Threshold is a set of numbers indicating the number of echo packets that must be missed out of the last number received before an error is reported.

If the optional Status parameter is used, the display will show the runtime settings for the interface(s).

show ppp auth
This command displays the authentication database used by PAP and CHAP. Because password and security information is shown, you will be prompted for the password. The following is an example of the information displayed.

Enter Password:
Port   Proto  Status  Name      Password
Wan 0  PAP    Off
       CHAP   Off
Wan 1  PAP    Allow   Mickey    Mouse
       CHAP   Allow   Donald    Duck
Wan 2  PAP    Want
       CHAP   Want    Betty
Wan 3  PAP    Both    Howdy     Doody
       CHAP   Both    Graendal  Oneof the Foresaken

Authentication Database:
Name    Password  ChatScript  Mask
Barney  Rubble    dialFred    000f

The first portion of the output displays information specific to each of the WAN interfaces. For more information on how to set these parameters see the [ PPP <Section ID> ] and [ Auth ] sections. The column headings are described below.

Port
This is the name of the WAN interface.


Proto
The Proto column will always have PAP and CHAP for interfaces configured for PPP. If the interface is configured for Frame Relay or is turned off, it will say disabled.

Status
The Status values will be Want, Allow, Both or Off. Off means that PPP authentication has not been configured for this interface. Allow means that the device will allow the remote device to negotiate the protocol and will respond. Want means that the device will ask the other end to negotiate the protocol and require a response. Both means that the device will ask the other end to negotiate the protocol and respond if the other end sends a protocol request.

Name
For the PAP protocol, the Name column will only have a value if the Status is Allow or Both. For the CHAP protocol, a Status of Want, Allow or Both will have a Name entry.

Password
The Password is the PAP password or CHAP secret to be used during authentication. There will only be an entry here if PAP is set to Allow or Both, or if CHAP is set to Allow or Both.

The second part of the output displays Authentication Database entries. This table is consulted if PAP or CHAP is set to Want or Both. These entries can be used for any or all of the interfaces.

Name
The Name column will have an entry if PAP is set for Want or Both or if CHAP is set for Allow for the interface(s) designated by the Mask (see below).

Chat Script
The Chat Script specifies the name of the chat script to be used for dial-back.

Mask
The Mask is a hexadecimal value specifying the ports on which this entry should be used. Each bit in the 32-bit value corresponds to a WAN interface (the least significant bit corresponding to WAN 0). In the output above, the Mask of 000f tells the device to use this entry for WAN interfaces 0, 1, 2, and 3 (bits 0, 1, 2, 3).
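Both masks on this man page are bit-per-item 32-bit values: the ACCM Mask shown by show ppp lcp and the Mask column of the Authentication Database above. The following Python decoder is an added example, not part of the guide; the reading of ACCM bit n as "escape ASCII control character n" is the standard PPP meaning (RFC 1662) and is assumed here because the [ PPP <Section ID> ] section is not on this page, and the Wan 1 entry in the sample is constructed.

```python
"""Added example (not from the guide): decode the 32-bit ACCM Mask from
`show ppp lcp` and the per-interface Mask from the `show ppp auth`
Authentication Database, least significant bit first."""
import re

# ASCII control character names, index = character code 0x00..0x1F.
CONTROL_NAMES = [
    "NUL", "SOH", "STX", "ETX", "EOT", "ENQ", "ACK", "BEL",
    "BS", "HT", "LF", "VT", "FF", "CR", "SO", "SI",
    "DLE", "DC1/XON", "DC2", "DC3/XOFF", "DC4", "NAK", "SYN", "ETB",
    "CAN", "EM", "SUB", "ESC", "FS", "GS", "RS", "US",
]


def set_bits(mask):
    """Bit positions set in a 32-bit mask, least significant first."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("mask must fit in 32 bits")
    return [bit for bit in range(32) if mask >> bit & 1]


def decode_accm(mask):
    """Control characters the remote end asks this device to escape.
    Bit n -> character code n (standard PPP ACCM meaning, assumed here)."""
    return [(bit, CONTROL_NAMES[bit]) for bit in set_bits(mask)]


def decode_wan_mask(mask):
    """WAN interfaces an Authentication Database entry applies to
    (bit 0 = WAN 0, as the guide states)."""
    return ["WAN %d" % bit for bit in set_bits(mask)]


# 'Want=5ac<ACCM,AUTH,...>' style lines printed under each 'Wan N:' header.
LCP_LINE_RE = re.compile(r"^\s*(Want|Allow|ACCM Mask)=([0-9a-fA-F]+)<([^>]*)>")


def parse_lcp(text):
    """Parse `show ppp lcp` output into {port: {field: (value, names)}}.
    value is the hex field as an int; names are the flag names the device
    itself printed between the angle brackets."""
    result, port = {}, None
    for line in text.splitlines():
        if line.rstrip().endswith(":"):          # e.g. 'Wan 0:'
            port = line.strip()[:-1]
            result[port] = {}
            continue
        m = LCP_LINE_RE.match(line)
        if m and port is not None:
            field, hexval, names = m.groups()
            result[port][field] = (int(hexval, 16),
                                   [n for n in names.split(",") if n])
    return result


# Constructed sample: Wan 0 as printed in the guide; Wan 1 with an ACCM that
# maps XON and XOFF (bits 17 and 19 -> 0xa0000). What the device prints
# between the angle brackets for a nonzero ACCM is not shown in the guide.
SAMPLE_LCP = """\
Wan 0:
    Want=5ac<ACCM,AUTH,MAGIC,PFC,ACFC,PAP>
    Allow=1a4<ACCM,MAGIC,PFC,ACFC>
    ACCM Mask=0<>
Wan 1:
    Want=5ac<ACCM,AUTH,MAGIC,PFC,ACFC,PAP>
    Allow=1a4<ACCM,MAGIC,PFC,ACFC>
    ACCM Mask=a0000<>
"""


if __name__ == "__main__":
    for port, fields in parse_lcp(SAMPLE_LCP).items():
        accm, _ = fields["ACCM Mask"]
        print(port, "escapes:", decode_accm(accm) or "nothing")
    print("Mask 000f ->", decode_wan_mask(0x000F))
```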


show ppp compression
This command displays the settings for PPP data compression.

Port   Compression
Wan 0  Off
Wan 1  Off
Wan 2  Off
Wan 3  Compatible Systems Sequenced Predictor

Port
The Port is the name of the WAN interface.

Compression
The current PPP compression algorithm is shown. Possible values are Off and Compatible Systems Sequenced Predictor.

show ppp statistics
This command displays packet statistics for the WAN interface(s).

Stats        Wan0
in             25
out         12691
discard         0
compressI       0
compressO       0
compressID      0
compressOD      0

Each of the statistics is described below.

in
The number of packets received by this interface's PPP stack.

out
The number of packets sent by this interface's PPP stack.

discard
The total number of packets discarded due to an error by this interface's PPP stack.

compressI
The number of input packets to this interface's CCP decompressor. This value is zero if PPP data compression is not negotiated for this link.

compressO
The number of output packets from this interface's CCP compressor. This value is zero if PPP data compression is not negotiated for this link.

compressID
The number of packets discarded by this interface's CCP decompressor. This value is zero if PPP data compression is not negotiated for this link.


compressOD
The number of packets discarded by this interface's CCP compressor. This value is zero if PPP data compression is not negotiated for this link.

SEE ALSO
[ PPP <Section ID> ], [ Auth ], wan(show)


radius(show)

COMMAND NAME
show radius - Show RADIUS parameters.

SYNOPSIS
show radius config
show radius statistics

DESCRIPTION
show radius config
This command shows the current settings for RADIUS parameters.

RADIUS          State  UDP
Authentication  On     1645
Accounting      On     1646
Secret          'Homer Simpson'

Server     IP address  Attempts
Primary    1.2.3.4     5
Secondary  9.8.7.6     5

The first section shows general RADIUS parameters.

State
Valid states are On and Off.

UDP
This is the UDP port that will be used for authentication or accounting. Any valid UDP port value can be used. The defaults are 1645 for authentication and 1646 for accounting.

Secret
This shows the secret shared between the RADIUS client and server. It is a string of 1-31 bytes. The server must be configured with the same client secret.

The second section shows parameters related to the primary and secondary RADIUS servers.

IP address
This is the IP address of the RADIUS server. An address of 0.0.0.0 for the secondary server indicates that it has been disabled.

Attempts
This value shows the number of attempts to be made at transmitting a packet to the RADIUS server. If a response is not received from the primary server in the specified number of attempts, the secondary server (if enabled) will be used.


show radius statistics
The show radius statistics command displays packet statistics for the RADIUS client.

Authentication  xmit  retry  rcv
Primary            1      0    1
Secondary          0      0    0
Errors             0           0
No Match                       0
Timeouts           0
Holdq              0

Accounting      xmit  retry  rcv
Primary            3      0    3
Secondary          0      0    0
Errors             0           0
No Match                       0
Timeouts           0
Holdq              0

Users  Name      Session ID         Secs
Wan0   Inactive
Wan1   Inactive
Wan2   Wilber    01234567-00000001  138
Wan3   Inactive

Authentication and Accounting statistics are described below:

Primary
This is the number of packets transmitted to or received from the primary server.

Secondary
This is the number of packets transmitted to or received from the secondary server.

Errors
This is the number of packets that had errors while being transmitted or received.

No Match
This is the number of packets that were received but didn't have a matching packet on the transmit hold queue.

Timeouts
This is the number of packets that did not get a response from the primary or secondary servers.

Holdq
This is the number of packets that are being transmitted to a server but have not received a response.


xmit
This is the number of packets sent to a server. It does not include retries.

retry
This is the number of retry packets sent to a server.

rcv
This is the number of packets received from a server.

User statistics are described below:

Name
This is the name of the user currently using this port. Inactive means the port is not being used.

Session ID
This ID is unique per user session. It is recorded in the server detail file and is used for matching accounting start and stop records.

Secs
This is the number of seconds the current user has been connected.

SEE ALSO
[ Radius ]


routing(show)


COMMAND NAME
show routing - Show protocol routing tables.

SYNOPSIS
show routing appletalk [ Verbose ]
show routing ip [ Dynamic | Static | Default ]
show routing decnet
show routing ipx

DESCRIPTION
All of the show routing commands are alternative ways to get routing table information for each of the protocols.

show routing appletalk
See show appletalk routing in appletalk(show) for a detailed description.

show routing ip
See show ip routing in ip(show) for a detailed description.

show routing decnet
See show decnet routing in decnet(show) for a detailed description.

show routing ipx
See show ipx routing in ipx(show) for a detailed description.

SEE ALSO
appletalk(show), ip(show), decnet(show), ipx(show)


securid(show)

COMMAND NAME
show securid - Show SecurID statistics and server information.

SYNOPSIS
show securid secrets
show securid statistics

DESCRIPTION
show securid secrets
This command shows all the ACE/Servers with which an IntraPort VPN Access Server has exchanged secrets. The first time an IntraPort contacts an ACE/Server, they exchange a secret based in part on the IntraPort's IP address.

SecurID node secrets are stored for the following:
Server Address  Source Address
192.168.10.102  192.168.10.65

Server Address
This shows the server address for all the servers that the IntraPort has exchanged secrets with and has stored in memory.

Source Address
This is the IP address of the interface on the IntraPort that the packets destined for the ACE/Server are going out.

show securid statistics
The show securid statistics command displays basic statistics for messages received by an IntraPort which were sent by an ACE/Server. More detailed usage statistics are available through the ACE/Server.

SecurID Statistics
Total Packets In     0
Bad Packets In       0
Packets Out          0
Access Granted       0
Access Denied        0
Next Code Required   0
New PIN Required     0
Server Timeouts      0

Total Packets In
This is the total number of packets from the ACE/Server which were received by the IntraPort.

Bad Packets In
This is the number of error packets received from the ACE/Server by the IntraPort. If this is a large number, then it may indicate a security problem on the network (e.g., packet "spoofing").

Packets Out
This is the total number of packets sent from an IntraPort to the ACE/Server.


Access Granted
This is the number of user logins which were successfully completed.

Access Denied
This is the number of user logins which were denied.

Next Code Required
This is the number of times the ACE/Server asked a user for the next token code number.

New PIN Required
This is the number of times the ACE/Server asked a user for a new PIN.

Server Timeouts
This is the number of packets that did not get a response from the ACE/Server.
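The counters printed by show radius statistics (radius(show)) and show securid statistics can be checked automatically for the conditions these pages point out: a large share of bad packets from the ACE/Server, requests that got no response, and RADIUS traffic that has fallen over to the secondary server because the primary did not answer within its Attempts. The Python below is an added example, not the guide's code; the two sample blocks are constructed in the layout shown above with nonzero values, and the 10% bad-packet threshold is this example's assumption.

```python
"""Added example (not from the guide): flag the conditions the radius(show)
and securid(show) pages describe from the counter blocks those commands print."""
import re

# Constructed samples in the layout the guide shows (values chosen to trip
# each check; the guide's own samples are all zero).
SECURID_STATS = """\
SecurID Statistics
Total Packets In     120
Bad Packets In        30
Packets Out          125
Access Granted        80
Access Denied         10
Next Code Required     0
New PIN Required       0
Server Timeouts        5
"""

RADIUS_AUTH_STATS = """\
Authentication  xmit  retry  rcv
Primary           10      5    5
Secondary          4      0    4
Errors             0           0
No Match                       1
Timeouts           1
Holdq              0
"""

# 'Label  n [n ...]'; a header row with no trailing numbers does not match.
COUNTER_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z][A-Za-z /]*?)\s+(?P<nums>\d+(?:\s+\d+)*)\s*$")


def parse_counters(text):
    """Map each counter label to the list of ints on its row."""
    out = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            out[m.group("name").strip()] = [int(x) for x in m.group("nums").split()]
    return out


def securid_findings(stats, bad_ratio_limit=0.10):
    """The guide says a large Bad Packets In count may indicate spoofing;
    the 10% threshold is this example's assumption, not the guide's."""
    c = parse_counters(stats)
    findings = []
    total_in = c.get("Total Packets In", [0])[0]
    bad_in = c.get("Bad Packets In", [0])[0]
    if total_in and bad_in / total_in > bad_ratio_limit:
        findings.append("SecurID: %d/%d packets from ACE/Server were bad "
                        "(guide: possible spoofing on the network)" % (bad_in, total_in))
    timeouts = c.get("Server Timeouts", [0])[0]
    if timeouts:
        findings.append("SecurID: %d requests got no ACE/Server response" % timeouts)
    return findings


def radius_findings(stats):
    """Retries mean the primary did not answer first time; any traffic to the
    secondary means the primary's Attempts were exhausted at least once."""
    c = parse_counters(stats)
    findings = []
    xmit, retry = c.get("Primary", [0, 0, 0])[:2]
    if retry:
        findings.append("RADIUS: %d retries to primary (%d sent)" % (retry, xmit))
    sec_xmit = c.get("Secondary", [0, 0, 0])[0]
    if sec_xmit:
        findings.append("RADIUS: %d packets failed over to secondary" % sec_xmit)
    for label in ("Errors", "No Match", "Timeouts"):
        vals = c.get(label, [])
        if any(vals):
            findings.append("RADIUS: %s = %s" % (label, vals))
    return findings


if __name__ == "__main__":
    for f in securid_findings(SECURID_STATS) + radius_findings(RADIUS_AUTH_STATS):
        print(f)
```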

SEE ALSO
[ SecurID ], securid secret(reset)


smds(show)

COMMAND NAME
show smds - Show SMDS (Switched Multi-megabit Data Service) configuration and status.

SYNOPSIS
show smds config
show smds runtime
show smds state
show smds statistics

DESCRIPTION
The show smds commands display information about the configuration and the state of SMDS.

show smds config
The show smds config command will display the SMDS configuration parameters for all the ports where SMDS is activated. The following is the output from a show smds config command.

Port  Station Address      IPmulticast
Wan0  C111.1111.1111.FFFF  E303.4444.4444.FFFF
      KeepAlive 10
Wan1  C222.2222.2222.FFFF  E303.5555.5555.FFFF
      KeepAlive Off

Each of the parameters is described below.

Port
This column displays the physical interfaces where SMDS is activated.

Station Address
This is the SMDS station address assigned by the service provider to the SMDS link for this interface.

IPmulticast
This is the IP multicast address assigned to this interface. It is the same as the SMDS group address assigned by the SMDS provider to the link for this port.

KeepAlive
This shows whether keepalive is activated or not and what the polling frequency is.

show smds runtime
The show smds runtime command will display the current SMDS configuration parameters for the particular WAN ports. The runtime values should be the same as those shown by the show smds config command.

show smds state
The show smds state command will display the state of the SMDS link for every port. The state can be Up or Down. A dash (-) is used to indicate that SMDS is not configured for that port. Output from a show smds state command is given below.

       Wan0  Wan1
State  Up    -

show smds statistics
The show smds statistics command will display SMDS statistics. Output from a show smds statistics command is given below.

Stats          Wan0   Wan1
in             14831  0
out            27667  0
heartbeat in   0      0
heartbeat out  16     0
discard        20     0
BA err         0      0
HE err         0      0
tag err        0      0
IN addr err    0      0
Out Lngth err  0      0
Out Addr err   0      0
Out WAN err    0      0
Ctrl/Data err  0      0
RSRV err       0      0
Encap. err     0      0
Unkwn pkt err  0      0

Each of the statistics is described below.

in
The number of packets with SMDS encapsulation that have been received through that particular WAN port.

out
The number of packets with SMDS encapsulation that have been transmitted through that particular WAN port.

heartbeat in
The number of keepalive answer packets received from the SMDS switch.

heartbeat out
The number of keepalive poll packets sent by the router to the SMDS switch.

discard
The number of packets with SMDS encapsulation that have been discarded from that particular WAN port. The number of discarded packets should be equal to the total number of err packets.

The various err tallies signify encapsulation errors and may indicate an incorrect configuration or a problem with the SMDS switch.


For statistics about the physical port that is sending or receiving SMDS encapsulated packets, use the show statistics serial command.

SEE ALSO
statistics(show), [ SMDS <Section ID> ]


statistics(show)

COMMAND NAME
show statistics - Show device statistics.

SYNOPSIS
show statistics ethernet
show statistics memory
show statistics ip
show statistics bridge
show statistics tcp
show statistics appletalk
show statistics serial
show statistics connect
show statistics ppp
show statistics frelay [ <port> ] [ <DLCI> ]
show statistics smds
show statistics radius
show smds statistics
show statistics step
show statistics mppp

DESCRIPTION
These commands display statistics kept by the device. The statistics displayed are described on separate man pages. Below is a brief description of the statistics commands and a reference to the man pages with more complete descriptions.

show statistics ethernet
This command displays Ethernet statistics including packet counts and a tally of errors encountered. See ethernet(show) for a detailed description.

show statistics memory
This command displays unallocated system memory and packet buffer usage statistics. See os(show) for a detailed description.

show statistics ip
This command displays IP, UDP, and ICMP statistics. See ip(show) for a detailed description.

show statistics bridge
This command displays bridge forwarding and filtering statistics. See bridge(show) for a detailed description.

show statistics tcp
This command displays TCP statistics. These statistics are not shown by any other command.


show statistics appletalk
This command displays AppleTalk statistics. See appletalk(show) for a detailed description.

show statistics serial
This command displays WAN serial statistics. See wan(show) for a detailed description.

show statistics connect
This command displays WAN connection statistics. See wan(show) for a detailed description.

show statistics ppp
This command displays WAN PPP statistics. See ppp(show) for a detailed description.

show statistics frelay
This command displays Frame Relay statistics. See frelay(show) for a detailed description.

show statistics smds
This command displays SMDS (Switched Multi-megabit Data Service) statistics. See smds(show) for a detailed description.

show statistics radius
This command displays statistics for RADIUS authentication and accounting. See radius(show) for a detailed description.

show statistics step
This command displays information about active STEP tunnel connections. See vpn(show) for a detailed description.

show statistics mppp
This command displays MPPP-specific information about the state of the Multilink ports. See mppp(show) for a detailed description.

SEE ALSO
statistics(reset), bridge(show), ethernet(show), system(show), os(show), appletalk(show), ip(show), wan(show), ppp(show), frelay(show), smds(show), radius(show), vpn(show), mppp(show)


system(show)

COMMAND NAMEshow system - Show system parameters and statistics.

SYNOPSISshow system ethernet addresses show system ethernet statistics show system localtalk show system serial [ Status ] show system log config show system log buffer [ Delta ] [ <lines> ] show system hardware show system info show system uptime

DESCRIPTIONThe show system commands display system-related parameters, status and statistics. Much of the information displayed by these commands is also displayed by the show version command.Interface display information:

The show system ethernet, show system localtalk, and show system serial commands all display information about the physical interfaces of the system.show system ethernet addresses

This command displays the Ethernet (MAC) addresses of all Ethernet interfaces in the system. If DECnet is enabled, the MAC address will be the same DECnet-assigned address of each interface.

show system ethernet statisticsThis command displays current statistics for each Ethernet interface. The displayed counters include transmit and receive packets, receive interrupts and error conditions.

show system localtalkThis command displays LocalTalk statistics.

show system serialThis command displays the configuration of the serial ports. The Status option shows the runtime configuration of the serial ports.

System log information:
These commands display the configuration and contents of the system log.

show system log config
This command displays the runtime and edited log configuration. Configuration information includes the system-wide log level and output options for the log messages. Log messages can be sent to the AUX port (system console) or to a remote syslog daemon. All messages with a higher priority than the log level will be stored in an internal log buffer.

show system log buffer
This command displays the contents of the internal log buffer. The <lines> option limits the display to the most recent log messages, up to the specified number of lines.

The display will normally timestamp the messages with the time in seconds since boot, or with the actual time if the system time server has been set (see the [ Time Server ] section). With the optional keyword Delta, the messages will be displayed in a delta format where the interval between log messages is shown.

System administrative/contact information:
The show system info command displays administrative information about the system. This is informational data that will be returned to automated network queries from SNMP or certain AppleTalk echo requests (see the [ SNMP ] section for more information).

Miscellaneous system information:
The show system hardware command displays the hardware configuration of the system, and the show system uptime command displays the length of time the router has been running.

SEE ALSO
version(show), [ SNMP ], [ Time Server ]


version(show)


COMMAND NAME
show version - Show vital statistics of router.

SYNOPSIS
show version [ Verbose ]

DESCRIPTION
The show version command combines the output of many show system commands and displays it along with additional information. The following information is displayed:
•Static system configuration information, such as the hardware configuration, software version/build date and the system Ethernet addresses.
•Information indicating when and how the software configuration in flash was last modified.
•The system up time, time server configuration and, if the time server is configured, the current date and time.
•Per-session terminal configuration information, including the screen size, the erase character, parser setting, and the more processing status (see the [ Command Line ] section for more information).

Optionally displayed information includes:
•System administrative information (also displayed by show system info).
•System log configuration (also displayed by show system log config).

OPTIONS
Verbose

This option causes the command to display additional information about the router, including system administration information and log configuration information.

EXAMPLE
The typical output of the show version command:

Main RISC Router> show version
Main RISC Router - System Status

Software Version: RISC Router 3000E v2.1.0 b10
SW Build Date: 1/4/95 10:05
Hardware: 512K Flash ROM, 1024K RAM
Last Configuration Date: 1/30/95 8:38:51
Configuration File: Main RISC Router Config
Ethernet Address: 00:00:a5:77:2c:00
Ethernet Address: 00:00:a5:77:2c:01
Up Time: 45 days 23 hours 39 minutes 39 secs
Terminal settings: 80x24, Erase <BS>, Non-Enhanced Parser, More On
Time Server: disabled
Main RISC Router>

SEE ALSO
system(show), [ Command Line ]


vpn(show)

COMMAND NAME
show vpn - Show VPN configuration and user information.

SYNOPSIS
show vpn config [ VPN <port> ]
show vpn runtime [ VPN <port> ]
show vpn users [ all ] [ <name> ]
show vpn statistics

DESCRIPTION
The show vpn commands display information about the configured and runtime VPN parameters.

show vpn config

The show vpn config command will display the VPN configuration parameters for all of the interfaces.

Note: If STEP configuration parameters have been set in the device, then you may issue either the show step config or the show vpn config command in order to display the STEP configuration. STEP is Compatible Systems' older, proprietary tunnel establishment protocol. STEP parameters are not recommended for new configurations, but if they have already been set in the device, they are supported.

The following is the output from a show vpn config command for a LAN-to-LAN VPN router.

Iface  Tunnel Partner  BindTo Port  Auth  Encrypt
VPN0   ** Disabled **
VPN1   ** Disabled **
VPN2   ** Disabled **
VPN3   192.168.180.2   Ether0       On    Fixed

The following is the output from a show vpn config command for an IntraPort.

Iface  Client
VPN0   192.168.22.33
VPN1   10.123.234.98
VPN2   Waiting for Client Connection
VPN3   Waiting for Client Connection
VPN4   Waiting for Client Connection
VPN5   Waiting for Client Connection
VPN6   Waiting for Client Connection
VPN7   Waiting for Client Connection

The column headings are described below. Note that the columns other than Iface and Tunnel Partner are only used for interfaces which currently have an active connection.

Iface
For the IntraPort, this is the name of the interface described. While the device allows up to eight client connections, fewer may be configured and this will be reflected in the number of interfaces shown. For LAN-to-LAN VPN, this is the name of the VPN tunnel connection described.

Tunnel Partner or Client
For the IntraPort, this is the IP address of the client computer, which is typically an address assigned by an Internet Service Provider. For LAN-to-LAN VPN connections, this is the statically assigned IP address of the tunnel partner.

BindTo Port
For the IntraPort, this is the port to which the client has connected. For LAN-to-LAN VPN, this is the port to which the tunnel partner has connected. The BindTo Port determines the IP address to which the client or the tunnel partner connects.

Auth
On indicates that each packet carries a per-packet authentication check so that forged or modified packets are rejected by the devices at either end of the tunnel. As the show vpn users output makes explicit, this is a shared-secret, MD5-based check rather than a public-key digital signature; a mismatched secret on one end shows up as BadAuth in show vpn statistics.

Encrypt
This shows whether or not the tunnel session is encrypted. None indicates that the tunnel session will be sent in the clear in both directions. Fixed indicates that Personal Level Encryption will be used to scramble the data in both directions using a fixed key. PLE indicates that Personal Level Encryption will be used to scramble the data in both directions using a key generated from the encryption secret. DES indicates that the DES algorithm is being used.

Of these, only DES is a published algorithm, and its 56-bit key is no longer considered adequate; PLE is a proprietary scrambler, and Fixed does not even derive its key from the encryption secret. None of these options should be relied on for confidentiality by current standards, and None means anyone on the path can read the tunnel traffic.

Note: In compliance with U.S. encryption export laws, products shipped outside North America do not support the PLE or DES encryption options.

User
This column is only for the IntraPort and shows the name of the user connected to this tunnel.


show vpn runtime
The show vpn runtime command will display the VPN parameters that are currently running in the device. The following is the output from a show vpn runtime command for an IntraPort.

Iface  Tunnel Partner  BindTo Port  Auth  Encrypt  User
VPN0   192.168.22.33   Ether0       On    None     Harold
VPN1   10.123.234.98   Ether0       On    Fixed    Maude
VPN2   Waiting for Client Connection
VPN3   Waiting for Client Connection
VPN4   Waiting for Client Connection
VPN5   Waiting for Client Connection
VPN6   Waiting for Client Connection
VPN7   Waiting for Client Connection

show vpn users
The show vpn users command will display configured parameters for currently connected IntraPort users. Following is sample output from a show vpn users command.

User Name  Auth  Encrypt  IPX Network  Client Address  Local Address
Fred       MD5   None     B00B00       10.41.11.43     192.168.179.100
Betty      MD5   Fixed    B00B01       192.168.1.22    192.168.179.101

Descriptions of the column headings follow.

User Name
The name of the VPN user.

Auth
MD5 indicates that each packet is authenticated to prevent false or modified packets from entering the devices at either end of the tunnel. Compatible Systems devices use MD5-based authentication. None indicates that no packet-by-packet authentication is being performed.

Encrypt
This shows whether or not the tunnel session is encrypted. None indicates that the tunnel session will be sent in the clear in both directions. Fixed indicates that Personal Level Encryption will be used to scramble the data in both directions using a fixed key.

IPX Network
The IPX network number being used by this client during this session. This number is assigned by the IntraPort based on the StartIPXNet keyword in the [ VPN Group <Name> ] section.

Client Address
The IP address of the client computer, which is typically an address assigned by an Internet Service Provider.


Local Address
The IP address being used by this client on the local network during this session. This address is assigned by the IntraPort based on the StartIPAddress keyword in the [ VPN Group <Name> ] section.
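The Auth and Encrypt columns above are what an auditor actually cares about: a tunnel showing Encrypt None is carried in the clear, and one showing Auth None accepts forged packets. The following is an added example (not code from this manual or from Compatible Systems) that parses captured show vpn runtime and show vpn users output and lists the weak tunnels. The two sample outputs are constructed to follow the column layout documented above; the user "Wilma" and her addresses are an added row to exercise the Auth None case, and the severity wording is this example's own choice.

```python
"""Posture check over captured 'show vpn runtime' and 'show vpn users' output.
Added example, not code from the Compatible Systems manual. Samples are
constructed to match the documented column layout."""

# Constructed 'show vpn runtime' sample for an IntraPort. Idle slots only carry
# the 'Waiting for Client Connection' text; a LAN-to-LAN router prints
# '** Disabled **' for an unconfigured tunnel instead, and both are skipped.
SHOW_VPN_RUNTIME = """\
Iface  Tunnel Partner  BindTo Port  Auth  Encrypt  User
VPN0   192.168.22.33   Ether0       On    None     Harold
VPN1   10.123.234.98   Ether0       On    Fixed    Maude
VPN2   Waiting for Client Connection
VPN3   Waiting for Client Connection
"""

# Constructed 'show vpn users' sample. 'Wilma' (Auth None) is an added row.
SHOW_VPN_USERS = """\
User Name  Auth  Encrypt  IPX Network  Client Address  Local Address
Fred       MD5   None     B00B00       10.41.11.43     192.168.179.100
Betty      MD5   Fixed    B00B01       192.168.1.22    192.168.179.101
Wilma      None  DES      B00B02       192.168.5.9     192.168.179.102
"""


def parse_vpn_runtime(text):
    """Return one dict per interface that currently has an active connection."""
    active = []
    for line in text.splitlines()[1:]:            # first line is the header
        tok = line.split()
        if len(tok) < 5 or tok[1] in ("Waiting", "**"):
            continue                              # idle or disabled slot
        iface, partner, bindto, auth, encrypt = tok[:5]
        active.append({"iface": iface, "partner": partner, "bindto": bindto,
                       "auth": auth, "encrypt": encrypt,
                       "user": tok[5] if len(tok) > 5 else None})
    return active


def parse_vpn_users(text):
    """Return one dict per connected user (six fixed columns)."""
    users = []
    for line in text.splitlines()[1:]:
        tok = line.split()
        if len(tok) < 6:
            continue
        name, auth, encrypt, ipx, client, local = tok[:6]
        users.append({"user": name, "auth": auth, "encrypt": encrypt,
                      "ipx_net": ipx, "client": client, "local": local})
    return users


def audit(entries):
    """List (who, issue) for weak settings; the wording is this example's choice."""
    findings = []
    for e in entries:
        who = e.get("user") or e["iface"]
        if e["auth"] == "None":
            findings.append((who, "no per-packet authentication"))
        if e["encrypt"] == "None":
            findings.append((who, "tunnel carried in the clear"))
        elif e["encrypt"] in ("Fixed", "PLE"):
            findings.append((who, "proprietary/fixed-key cipher (%s)" % e["encrypt"]))
    return findings


if __name__ == "__main__":
    results = audit(parse_vpn_runtime(SHOW_VPN_RUNTIME))
    results += audit(parse_vpn_users(SHOW_VPN_USERS))
    for who, issue in results:
        print("%-8s %s" % (who, issue))
```

The parser keys on the second token of each row, so the idle and disabled placeholder rows never reach the audit; feed it the output of either command form and it reports only connected tunnels.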

show vpn statistics
This command shows information about active VPN tunnel connections.

Stats       VPN0   VPN1  VPN2  VPN3
Wrapped     16008  153   437   29
Unwrapped   89030  170   410   28
BadEncap    0      0     0     0
BadAuth     0      0     0     0
BadEncrypt  0      0     0     0
rx IP       87980  160   190   28
rx IPX      1050   10    220   0
rx Apple    0      0     0     0
rx Other    0      0     0     0
rx Err      0      0     0     0
tx IP       16008  141   206   29
tx IPX      0      12    231   0
tx Apple    0      0     0     0
tx Other    0      0     0     0
tx Err      0      0     0     0

Each of the statistics is described below.

Wrapped
The total number of packets encapsulated. For the IntraPort, this is the number of packets sent to the client computer. For LAN-to-LAN VPN, this is the number of packets sent to the tunnel partner.

Unwrapped
The total number of packets de-encapsulated. For the IntraPort, this is the number of packets received by the IntraPort from the client computer. For LAN-to-LAN VPN, this is the number of packets received by the local device from the tunnel partner.

BadEncap
The number of packets found with bad encapsulation. This error is very unusual and probably indicates a version mismatch or perhaps deliberate misuse.

BadAuth
The number of packets where authentication failed. This usually indicates that the shared authentication secret is incorrect on one end of the tunnel.

BadEncrypt
The number of packets where encryption failed. This usually indicates that the shared encryption secret is incorrect on one end of the tunnel.

rx IP
The number of IP packets received.

rx IPX
The number of IPX packets received.

rx Apple
The number of AppleTalk packets received.

rx Other
The number of other packets received.

rx Err
The number of packets with errors received. This error is very unusual and probably indicates a version mismatch or perhaps deliberate misuse.

tx IP
The number of IP packets transmitted.

tx IPX
The number of IPX packets transmitted.

tx Apple
The number of AppleTalk packets transmitted.

tx Other
The number of other packets transmitted.

tx Err
The number of packets which could not be transmitted as IPSec packets. This error is very unusual and probably indicates a bad VPN configuration or possibly a problem with the device software.
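BadEncap, BadAuth, BadEncrypt, rx Err and tx Err are the counters the descriptions above tie to a wrong shared secret or to deliberate misuse, but they are cumulative since the last reset statistics or reboot, so a single non-zero reading says little. The added example below (this is not code from the manual) takes two snapshots of show vpn statistics and reports only the per-port increase. SNAP_T0 is the sample output above; SNAP_T1 is a constructed later snapshot in which BadAuth on VPN1 and BadEncap on VPN3 have grown. The assumption that a counter lower than before means the statistics were reset is this example's own.

```python
"""Alert on growth of the 'show vpn statistics' error counters between two
polls. Added example, not code from the Compatible Systems manual."""

# Manual's sample output (first snapshot).
SNAP_T0 = """\
Stats       VPN0   VPN1  VPN2  VPN3
Wrapped     16008  153   437   29
Unwrapped   89030  170   410   28
BadEncap    0      0     0     0
BadAuth     0      0     0     0
BadEncrypt  0      0     0     0
rx IP       87980  160   190   28
rx IPX      1050   10    220   0
rx Apple    0      0     0     0
rx Other    0      0     0     0
rx Err      0      0     0     0
tx IP       16008  141   206   29
tx IPX      0      12    231   0
tx Apple    0      0     0     0
tx Other    0      0     0     0
tx Err      0      0     0     0
"""

# Constructed later snapshot: VPN1 has 37 authentication failures and
# VPN3 two bad encapsulations; everything else only carries normal traffic.
SNAP_T1 = """\
Stats       VPN0   VPN1  VPN2  VPN3
Wrapped     16410  160   437   31
Unwrapped   90115  212   410   30
BadEncap    0      0     0     2
BadAuth     0      37    0     0
BadEncrypt  0      0     0     0
rx IP       89065  160   190   30
rx IPX      1050   10    220   0
rx Apple    0      0     0     0
rx Other    0      0     0     0
rx Err      0      0     0     0
tx IP       16410  148   206   31
tx IPX      0      12    231   0
tx Apple    0      0     0     0
tx Other    0      0     0     0
tx Err      0      0     0     0
"""

# The likely cause the manual gives for each error counter.
HINTS = {
    "BadEncap": "version mismatch or deliberate misuse",
    "BadAuth": "shared authentication secret differs at one end",
    "BadEncrypt": "shared encryption secret differs at one end",
    "rx Err": "version mismatch or deliberate misuse",
    "tx Err": "bad VPN configuration or device software problem",
}


def parse_vpn_statistics(text):
    """Return {counter: {port: value}}. Counter names may contain a space
    ('rx IP'), so values are taken from the right, one per port column."""
    lines = [l for l in text.splitlines() if l.strip()]
    ports = lines[0].split()[1:]
    table = {}
    for line in lines[1:]:
        tok = line.split()
        name = " ".join(tok[:-len(ports)])
        table[name] = dict(zip(ports, (int(v) for v in tok[-len(ports):])))
    return table


def detect_error_growth(before, after):
    """List (port, counter, increase, hint) for each error counter that grew.
    A value lower than before is taken to mean the counters were reset
    (assumption), so the whole new value is reported as growth."""
    findings = []
    for counter in HINTS:
        for port, new in after.get(counter, {}).items():
            old = before.get(counter, {}).get(port, 0)
            if new < old:
                old = 0
            if new > old:
                findings.append((port, counter, new - old, HINTS[counter]))
    return findings


if __name__ == "__main__":
    t0, t1 = parse_vpn_statistics(SNAP_T0), parse_vpn_statistics(SNAP_T1)
    for port, counter, delta, hint in detect_error_growth(t0, t1):
        print("%s %-10s +%d  (%s)" % (port, counter, delta, hint))
```

Run it from a poller that collects show vpn statistics on a fixed interval and keeps the previous snapshot; a steady BadAuth increase on one port with Unwrapped barely moving is the signature of a peer with the wrong secret, while BadEncap or rx Err growth is what the manual calls deliberate misuse and deserves a look at the source address of that tunnel partner.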

OPTIONS
VPN <port>
This option restricts the command to only display information about the VPN port specified.

all
This option displays information on all users, whether or not they are currently connected.

<name>
This option shows information only for the specified user.

SEE ALSO
[ VPN Users ], [ VPN Group <Name> ]


wan(show)

COMMAND NAME
show wan - Show Wide Area Networking parameters.

SYNOPSIS
show wan config
show wan connect config [ Status ]
show wan connect statistics
show wan serial config [ Status ]
show wan serial statistics
show wan mode [ Status ]
show wan state
show wan csu config [ Status ]
show wan csu statistics
show wan ds3 config
show wan ds3 statistics
show wan hssi config
show wan hssi statistics

DESCRIPTION
show wan config
The show wan config command displays all of the relevant information about how the WAN interface(s) have been configured. The output is split into a number of sections, each of which can be displayed with other show wan commands.

WAN modes:
Port  Mode
WAN0  Frame Relay
WAN1  Frame Relay
WAN2  PPP
WAN3  PPP

Connect Info:
Port   Mode    Dial   ConnectOut  Callback  Flags
       Delay   Retry  Inactivity  Chat
WAN 0  Dedctd  -      -           -         rt=8000<Out>
       0       0      n/a         0
WAN 1  Dedctd  -      -           -         rt=8000<Out>
       0       0      n/a         0
WAN 2  Dedctd  -      -           -         rt=28000<Out,DIOK>
       0       0      n/a         0
WAN 3  Dedctd  -      -           -         rt=28000<Out,DIOK>
       0       0      n/a         0

Serial Info:
Port   Type   TX Clk  Baud Rate  Fcntl  Flags
WAN 0  Sync   Ext     n/a        n/a    =0<>
WAN 1  Sync   Ext     n/a        n/a    =0<>
WAN 2  Async  n/a     115200     HW     =1<DIOK>
WAN 3  Async  n/a     115200     HW     =1<DIOK>
AUX 0  Async  n/a     9600       None   =0<>


PPP Lcp Info:
WAN 0 Off
WAN 1 Off
WAN 2:
  Want=1a4<ACCM,MAGIC,PFC,ACFC>
  Allow=1a4<ACCM,MAGIC,PFC,ACFC>
  ACCM Mask=0<>
WAN 3:
  Want=1a4<ACCM,MAGIC,PFC,ACFC>
  Allow=1a4<ACCM,MAGIC,PFC,ACFC>
  ACCM Mask=0<>

PPP Data Compression:
Port   Compression
WAN 0  Off
WAN 1  Off
WAN 2  Off
WAN 3  Predictor1

Frame Relay Maintenance Info:
Port  Maint   Poll  MTU
WAN0  annexD  5     1500
WAN1  LMI     10    1500
WAN2  Off
WAN3  Off

Frame Relay DLCI Info:
Port WAN 0 DLCI Configuration
DLCI  IP          AppleTalk  IPX
20    IARP        IARP       IARP
Port WAN 1 DLCI Configuration
DLCI  IP          AppleTalk  IPX
16    200.30.9.1  IARP       IARP
Port WAN 2 DLCI Configuration
Off
Port WAN 3 DLCI Configuration
Off

show wan connect config
The show wan connect config command displays parameters used to make a connection for each of the WAN interfaces. The display shows two lines for each interface. If the optional Status parameter is used, the runtime status will be displayed.

Port   Mode    Dial   ConnectOut  Callback  Flags
       Delay   Retry  Inactivity  Chat
WAN 0  Always  V25bs  coop        -         rt=48002<DCD,Out,DOOK>
       2       5      n/a         30
WAN 1  Dedctd  -      -           -         rt=8000<Out>
       15      5      n/a         30
WAN 2  Dialup  AT     -           -         rt=20000<DIOK>
       15      5      10          30
WAN 3  Always  AT     netcom      -         rt=48002<DCD,Out,DOOK>
       15      5      n/a         60

Mode
Values will be Always for always up connections, Dedctd for dedicated connections, and Dialup for on-demand dialup.


Dial
This is the dialing method used. Values will be AT for Hayes AT Command Set dialing, V25bs for V.25bis synchronous dialing, or "-" for dedicated connections that do not need to dial.

ConnectOut
This is the name of the chat script to be used to originate a connection. See the [ Chat <Name> ] section for more information about chat scripts.

Callback
This is the name of the chat script to be used for a dial-back connection. See the [ Chat <Name> ] section for more information about chat scripts.

Flags
The Flags indicate runtime flags set for this interface. The Flags are indicated numerically and are decoded inside the "<" and ">" characters. Values for the Flags include DCD when the carrier has been detected, Dial when the device is dialing, In when the current connection was initiated by an incoming call, Out when the current connection was initiated by an outgoing call, DIOK when the interface is configured for dial-in, DOOK when the interface is configured for dial-out, and Ucnnt if the interface is presently in the user connect state.

Delay
This is the period of time that the device will wait between attempts to connect.

Retry
This is the number of times the device will try to establish a new connection or reconnect to one that has gone down. If the mode is "always up" the device will retry this many times and then re-initialize and begin the cycle again. "On demand" devices will try this many times and then wait for the next event to cause it to dial again.

Inactivity
This is the amount of time in minutes that the device will wait before closing the connection due to inactivity.

Chat
The Chat timeout value is the maximum amount of time in seconds for the chat script to complete. If it does not complete, the connection is dropped.


show wan connect statistics
The show wan connect statistics command displays timers and counters specific to the connections made by the WAN interface(s).

Stats     Wan0        Wan1        Wan2        Wan3
inact     0:00        0:00        0:00        0:00
cur cnnt  0:00:00:02  0:00:00:08  0:00:00:03  0:00:00:05
avg cnnt  0:00:00:17  0:00:00:32  0:00:00:39  0:00:00:39
tot cnnt  0:01:08:28  0:01:08:27  0:01:12:05  0:01:12:05
dial try  229         125         109         109
dial out  229         125         109         109
dial in   0           0           0           0

Below is a description of the different statistical categories.

inact
This is the present value of the inactivity disconnect timer. A value of 0:00 usually indicates a connection that is synchronous, always up, or dedicated.

cur cnnt
This is the amount of time that the current connection has been up.

avg cnnt
This is the average amount of time that the device has stayed connected for each connection made.

tot cnnt
This is the total amount of time that the device was in a connected state.

dial try
This is the total number of dial-out tries attempted.

dial out
This is the number of successful dial-out connections.

dial in
This is the number of successful dial-in connections.

show wan serial config
The show wan serial config command displays hardware-specific configuration information about the WAN interface(s). If the optional Status parameter is used, the runtime status will be displayed. The output of the command will look something like the following:

Port   Type   TX Clk  Baud Rate  Fcntl  Flags
WAN 0  Sync   Ext     n/a        n/a    =2<DOOK>
WAN 1  Sync   Int     1544000    n/a    =8<IntTxClk>
WAN 2  Async  n/a     115200     HW     =1<DIOK>
WAN 3  Async  n/a     57600      HW     =2<DOOK>
AUX 0  Async  n/a     9600       None   =0<>


A description of the column headings is given below:

Port
This is the name of the interface.

Type
The Type will be either Sync for synchronous operation, Async for asynchronous operation, or Off if the interface is not turned on.

TX Clk
The TX Clk column has values when the interface is set to synchronous mode only. It will have either Ext to indicate that the device receives the transmit clock signal externally or Int if the device is providing the transmit clock. The n/a value is displayed for asynchronous interfaces.

Baud Rate
The Baud Rate is the serial speed for asynchronous links and synchronous links where the transmit clock is internal. See the [ RS232 Interface <Section ID> ] and/or [ V.35 Interface <Section ID> ] sections for information about available rates.

Fcntl
The Fcntl is the flow control assigned to each interface. Values will be None if no flow control is configured, HW for hardware (RTS/CTS), XON/XOFF for software, and n/a when there is no need for any (as in a sync connection).

Flags
The Flags indicate special options configured for this interface. The Flags are indicated numerically and are decoded inside the "<" and ">" characters. The three flags that you can expect to see are IntTxClk when synchronous interfaces are set for internal transmit clock, DIOK when the interface is configured for dial-in, and DOOK when the interface is configured for dial-out.
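The Flags field is the one worth scripting against: DIOK marks a port that will answer an incoming call, which is a dial-in entry point into the network, and the numeric word next to the decoded names lets you notice a bit the firmware sets but this manual does not name. The added example below (not code from the manual) parses show wan serial config, lists the dial-in ports, learns the bit value of each named flag from rows that set exactly one bit, and reports rows whose numeric word does not match their decoded names. It goes a little beyond the page in that the bit masks are learned rather than looked up. Assumptions: the flag word is hexadecimal (consistent with the 1a4 value shown in the PPP Lcp Info display above, and immaterial for the single-digit values here), and the WAN 3 row in the sample is altered to =12<DOOK> to exercise the mismatch check; the other rows are the manual's own.

```python
"""Parse 'show wan serial config' and audit the Flags column.
Added example, not code from the Compatible Systems manual."""
import re

# Manual's sample output, except that WAN 3 is constructed as =12<DOOK>
# (hex 0x12 = DOOK plus an unnamed bit) to exercise the consistency check.
SHOW_WAN_SERIAL_CONFIG = """\
Port   Type   TX Clk  Baud Rate  Fcntl  Flags
WAN 0  Sync   Ext     n/a        n/a    =2<DOOK>
WAN 1  Sync   Int     1544000    n/a    =8<IntTxClk>
WAN 2  Async  n/a     115200     HW     =1<DIOK>
WAN 3  Async  n/a     57600      HW     =12<DOOK>
AUX 0  Async  n/a     9600       None   =0<>
"""

# One data row: 'WAN 0', Type, TX Clk, Baud Rate, Fcntl, then =<hex><names>.
ROW_RE = re.compile(
    r"^(?P<port>[A-Za-z]+ \d+)\s+(?P<type>\S+)\s+(?P<txclk>\S+)\s+(?P<baud>\S+)"
    r"\s+(?P<fcntl>\S+)\s+=(?P<word>[0-9A-Fa-f]+)<(?P<names>[^>]*)>")


def parse_wan_serial_config(text):
    """Return one dict per interface row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        names = [n for n in m["names"].split(",") if n]
        rows.append({"port": m["port"], "type": m["type"], "txclk": m["txclk"],
                     "baud": m["baud"], "fcntl": m["fcntl"],
                     "word": int(m["word"], 16),   # assumption: hex flag word
                     "names": names})
    return rows


def learn_flag_masks(rows):
    """Map flag name -> bit value, using rows that set exactly one bit and
    decode to exactly one name (the only unambiguous evidence available)."""
    masks = {}
    for r in rows:
        if len(r["names"]) == 1 and bin(r["word"]).count("1") == 1:
            masks[r["names"][0]] = r["word"]
    return masks


def check_flag_consistency(rows, masks):
    """Ports whose numeric word is not exactly the OR of their decoded names,
    i.e. rows carrying a bit this manual does not document."""
    bad = []
    for r in rows:
        known = all(n in masks for n in r["names"])
        expected = 0
        for n in r["names"]:
            expected |= masks.get(n, 0)
        if not known or expected != r["word"]:
            bad.append(r["port"])
    return bad


def dial_in_ports(rows):
    """Ports configured to accept incoming calls (DIOK)."""
    return [r["port"] for r in rows if "DIOK" in r["names"]]


if __name__ == "__main__":
    rows = parse_wan_serial_config(SHOW_WAN_SERIAL_CONFIG)
    masks = learn_flag_masks(rows)
    print("dial-in ports:", dial_in_ports(rows))
    print("flag masks:", masks)
    print("rows with undocumented bits:", check_flag_consistency(rows, masks))
```

The same regex works on the Serial Info block of show wan config, which shares the layout; the Connect Info Flags (rt=...) carry a larger word and more names, so they would need their own learned mask table rather than this one.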


show wan serial statistics
The show wan serial statistics command displays packet and physical layer statistics for the WAN interface(s). Most of these tallies are error conditions and should normally be 0. If they are not, check the descriptions below. If the tally is an error condition, the physical connections should be scrutinized for problems.

Stats     Wan0     Wan1   Wan2  Wan3
in pkts   3446870  0      2050  55920
out pkts  3849662  21701  2881  2910
tot disc  0        0      5095  0
crc       0        0      5095  0
overruns  0        0      0     0
framing   0        0      0     0
oversize  0        0      0     0
abort     0        0      9     0
break     0        0      0     0
PPP flag  0        0      9701  46306
sw fc in  0        0      0     0
unalign   0        0      0     0
fr2long   0        0      0     0
rx_busy   0        0      0     0
tx_gltch  0        0      0     0
rx_gltch  0        0      0     0
underrun  0        0      0     0
cts_lost  0        0      0     0
cd_lost   0        0      0     0
sp_int    0        0      0     0
nullptr   0        0      0     0
noIbuf    0        0      0     0
unknown   0        0      0     0

Each statistic is described below.

in pkts
The number of packets received by this interface.

out pkts
The number of packets sent by this interface.

tot disc
The total number of packets discarded due to an error.

crc
The number of packets received with CRC Frame Check Errors.

overruns
The number of overrun errors.

framing
The number of framing errors.

oversize
The number of oversized packets received.

abort
The number of abort events logged by the serial chip. An abort is defined as more than seven 1s in a row in the datastream. This is an error found on synchronous lines of an HDLC connection.

break
The number of break events logged by the serial chip.

PPP flag
The number of PPP flags received on PPP connections. There will usually be two flags per packet.

sw fc in
The number of software flow control (Xon/Xoff) bytes received.

unalign
The number of packets received with alignment errors while in HDLC mode. The packet size was not a multiple of 8 bits.

fr2long
The number of packets that exceed the maximum frame length.

rx_busy
The number of times the serial processor receives a packet and does not have a buffer to allocate to it. This statistic may be non-zero since it may get one occurrence during startup.

tx_gltch
The number of times the serial processor detects a glitch in the TX clock during HDLC mode.

rx_gltch
The number of times the serial processor detects a glitch in the RX clock during HDLC mode.

underrun
The number of times the serial processor detected a transmission underrun in HDLC mode.

cts_lost
The number of times the Clear-to-Send (CTS) signal was negated during transmission.

cd_lost
The number of times the Data Carrier Detect (DCD) signal was negated during reception.

sp_int
The number of times the serial processor detected a spurious interrupt. Nothing is in the interrupt register.

nullptr
The number of null pointers encountered in the interrupt routine.

noIbuf
The number of times the serial processor fails to get a Pbuf in asynchronous mode.

unknown
The number of errors with an unknown tally type.

asi rst
The number of times the async receive serial driver was reset due to overloading.

asi wrap
The number of times the async receive buffer wrapped. This is informational only and not an error.

asi waits
The number of async transmit packets which needed to wait for an async-HDLC conversion buffer. This is not an error but is an indication of heavy transmit traffic.

asi oflow
The number of times the async receive buffer overflowed. This is an indication of very heavy receive traffic.

show wan mode
The show wan mode command displays the present operating mode for each of the WAN interfaces. Presently, the modes supported are Frame Relay, PPP, SMDS and Off. If the optional Status parameter is used, then the runtime status of the interfaces will be displayed. Below is an example of the output of the command.

Port  Mode
WAN0  Frame Relay
WAN1  Frame Relay
WAN2  PPP
WAN3  PPP

show wan state
The show wan state command displays the status of each WAN interface and its connection statistics.

State    Wan0  Wan1  Wan2  Wan3
Connect  Cnnt  Cnnt  Cnnt  Cnnt
FRmaint  Up    Up    -     -
PPP      -     -     Nego  Up
IP       -     -     Down  Up
IPX      -     -     Down  Up
Atalk    -     -     Down  Up
DECnet   -     -     Down  Down

Stats     Wan0        Wan1        Wan2        Wan3
inact     0:11        0:11        0:11        0:11
cur cnnt  0:00:00:16  0:00:00:10  0:00:00:33  0:00:00:35
avg cnnt  0:00:00:18  0:00:00:32  0:00:00:39  0:00:00:39
tot cnnt  0:01:06:18  0:01:06:17  0:01:09:55  0:01:09:55
dial try  221         121         105         105
dial out  221         121         105         105
dial in   0           0           0           0

The first block of statistics displays the current state of each interface by protocol. Except for Connect, each protocol will have a value of Up, Down, Nego (for negotiating), or "-" for not applicable.

Connect
The Connect state is the status of the physical level connection. Values include: Cnnt indicating that the interface is connected and is able to communicate with the equipment attached to it, Check when the device is checking the interface to see if it can communicate with the attached device, UCnnt when the interface is in User Connect mode, Idle when the link is available but is not being used, CIn when there is an incoming connection in progress, COut when there is an outgoing connection in progress, Drop when the connection is in the process of being dropped, and Off if the interface is disabled.

FRmaint
This is the status of the Frame Relay maintenance protocol for each interface.

PPP
This is the status of PPP for each interface.

IP
This is the status of the IP protocol for each interface.

IPX
This is the status of the IPX protocol for each interface.

Atalk
This is the status of the AppleTalk protocol for each interface.

DECnet
This is the status of the DECnet protocol for each interface.

The second set of statistics displays the connection information about each interface. The values are explained under show wan connect statistics above.

show wan csu config
The show wan csu config command displays parameters used to configure WAN interfaces equipped with an internal T1 CSU. The display consists of one line for each interface. The values displayed correspond to the titles in the column headings. If the optional Status parameter is used, the runtime status will be displayed.

Port  Clock  Frame  Code  Start/#/Cont  Rate  DataInv  LBO  PRM_TX  LineLUP  V54LUP
Wan0  Slave  ESF    B8ZS  1/24/cont     64k   no       0dB  Yes     Yes      No
Wan1  n/a

Port
This is the name of the interface.

Clock
This is the transmit clock source. Values will be Slave for most applications where the unit is located on the customer premise and T1 service is provided by an ISP. In Slave mode, the CSU will receive its clock from the network. The only other option for Clock is Master, where the CSU uses an internal clock to transmit data. Master mode may be useful when a custom network is being constructed or when two Compatible Systems T1 routers are attached to each other back-to-back (one unit would be the master, the other the slave).

Frame
This is the T1 frame format. Values will be ESF for "Extended Super Frame" format or D4, which is commonly referred to as "Super Frame" format.

Code
This is the T1 line coding. Values will be B8ZS for "Bipolar Eight Zero Substitution" and AMI for "Alternate Mark Inversion."

Note: If the line coding is set to B8ZS (the preferred line code format), then the Start/#/Cont and Rate can be set to any value. If line coding is set to AMI, then either the Rate must be set to 56K or alternating channels must be selected for Start/#/Cont. See the [ T1 Interface <Section ID> ] section for more information.

Start/#/Cont
Values describe the range of DS0 channels used and whether they are contiguous (cont) or alternating (alt).

Rate
This is the data rate per DS0 channel. Values are either 64K or 56K.

DataInv
This tells whether data is being inverted.

LBO
Values for "Line Build Out" can be 0dB, -7.5dB, -15dB, or -22.5dB. See the [ T1 Interface <Section ID> ] section for more information.

PRM_TX
This tells whether Performance Report Messages are being transmitted.

LineLUP
This tells whether the CSU will turn on network loopback in response to an ATT Line Loopup pattern from the remote CSU.

V54LUP
This tells whether the CSU will turn on network loopback in response to a V.54 Loopup pattern from the remote CSU.

Note that while a loopup pattern is being honored the interface is out of service for user traffic, so LineLUP and V54LUP should be enabled only when the carrier needs them for testing.

show wan csu statistics
The show wan csu statistics command displays runtime statistics related to the device's internal CSU and the T1 line.

Wan0 CSU Stats:
T1 signal           : carrier=OK sync=OK rx level=+2db to -7.5db
Alarms sent         : yellow=FALSE/0 blue=FALSE/0
Alarms received     : yellow=FALSE/1 blue=FALSE/0
Loopback @ DTE      : framer=off local=off
Loopback @ Local T1 : LineLUP=en V54LUP=dis V.54=off line=off payload=off
Loopback @ Remote T1: V.54=off line=off
BERT                : pattern='no pat' sync=FALSE

Errors  1 sec  Total
LCV     0      44
PCV     0      37
OOF     0      8
ESF            45

FDL Stats  TX       RX
T1.403     1194023  0
TR54016    0        0
Errors     0        0

T1.403 PRM data for previous 1194024 seconds:
        G1  G2  G3  G4  G5  G6  SE  FE  LV  SL  LB
Curr    F   F   F   F   F   F   F   F   F   F   F
Curr-1  F   F   F   F   F   F   F   F   F   F   F
Curr-2  F   F   F   F   F   F   F   F   F   F   F
Curr-3  F   F   F   F   F   F   F   F   F   F   F
TX Tot  35  1   0   0   0   0   0   0   36  0   0
RX Tot  0   0   0   0   0   0   0   0   0   0   0

The statistics display several internal boolean variables including:

T1 signal: carrier - are we receiving a T1 bit stream? If this is not OK then the line is probably disconnected, the line is cut, or the upstream T1 source has stopped transmitting.
T1 signal: sync - are we receiving valid framing? If this is not OK and the carrier is OK, it usually means framing is set incorrectly.

Alarms sent or Alarms received:
yellow - A yellow alarm indicates that there is a remote loss of signal and informs the local user that the locally generated transmission is not being received at the destination.
blue - A blue alarm usually indicates that a loss of signal has been detected by a signal regenerator somewhere between the T1 terminal at the remote end and the local device. It is an all 1s signal in order to maintain clock recovery.

Loopback @ DTE: This is a diagnostic test of the internal CSU/DSU and the local Data Terminal Equipment (DTE) which will loop data between the router's serial driver and its internal CSU/DSU.

framer - tests the router's DTE by looping data out the router's serial driver back into the serial receiver at the input to the internal DSU.
local - tests the entire CSU/DSU by looping data out the router's serial driver back into the serial receiver through the internal CSU/DSU.

Loopback @ Local T1: This is a diagnostic line test which forces the router's CSU to loop data received from the network back out to the network.

LineLUP - will we accept an AT&T line loopup signal?

V54LUP - will we accept a V.54 loopup signal?

V.54 - are we receiving a V.54 loopup pattern?

line - During line loopback, all data, including framing and overhead bits, is immediately looped once it is received off the T1 line.

payload - During payload loopback, data is stripped of framing and overhead bits before being passed through all the CSU's circuitry before it is looped back.

Loopback @ Remote T1: This feature enables you to put the far end T1 terminal into loopup. It manipulates the CSU on the remote end of your connection by sending out a specific bit pattern which is recognized by the remote CSU. Compatible Systems devices support two different loopup sequences. You may need to check the far end unit to see which sequences are supported and enabled.

V.54 - are we transmitting a V.54 loopup pattern to the CSU on the remote end of the connection?

line - are we transmitting an AT&T line loopup pattern to the CSU on the remote end of the connection? (This is only done in conjunction with the phone company.)

BERT - The unit includes an internal Bit Error Rate Test (BERT) receiver.

pattern - this indicates the type of test pattern being received, if any.

sync - this indicates whether the BERT chip is in sync with the pattern. If one of the standard test patterns is received and the value for sync is true, the unit is out of service.

Errors
This displays a tally of the number of errors seen in the last second along with the total number.

LCV - These are Line Code Violations (historically known as Bipolar Violations).

PCV - These are Path Code Violations. In ESF mode, this is the number of CRC errors. In D4 mode, this is the number of signalling frame bit errors.

OOF - These are Out Of Frame errors. In ESF mode, this is the number of frame bit errors. In D4 mode, this is the number of terminal frame bit errors.

ESF - This tallies the total of PCV + OOF errors (in ESF mode only).

FDL Stats
FDL statistics include information about the number of Performance Report Messages sent and received since the device has been up. If the device was too busy to process a PRM or couldn't send one, an error is recorded. This is not a line error and does not indicate a problem. It indicates, however, that the PRM data displayed may be inaccurate.

T1.403 PRM
T1.403 PRM data displays information regarding Performance Report Messages sent and received over each of the last 4 seconds (Curr, Curr-1, etc.) and the totals transmitted and received since the device was last booted. If one of the following events occurred in one of the previous 4 seconds, a T (TRUE) would appear in the corresponding column:

G1 - 1 CRC error occurred.
G2 - 2 to 5 CRC errors occurred.
G3 - 6 to 10 CRC errors occurred.
G4 - 11 to 100 CRC errors occurred.
G5 - 101 to 319 CRC errors occurred.
G6 - more than 319 CRC errors occurred.
SE - Severely Errored frame event occurred.
FE - Frame Bit Error occurred.
LV - Line Code Violation occurred.
SL - Elastic store Slip occurrence.
LB - Chip entered Loopback mode.

Note: In ESF mode, the CSU performs T1 line CRC generation and checking. This is independent of and a completely different CRC calculation from that displayed in show wan serial statistics.


show wan ds3 config
The show wan ds3 config command displays all of the relevant information about how the WAN interface(s) have been configured.

DS3 0
Line State        Up
DATA Invert       Off
DS3 Subrate       44.210 Mbs
CRC Length        32 bit
Clocking          Internal
Line Build Out    Short

show wan ds3 statistics
The show wan ds3 statistics command displays runtime statistics related to the device's internal CSU and the DS3 line.

Statistic Type    DS3 0
Packets In        308315
Packets Out       309232
Tx discards       0
heldoff           0
Code Violations   0
Pulse Density Lo  0
CRC errors        0
RX Overflows      0
Frame len errors  0
RX Aborts         0
TX underflow      0
TX len errors     0
TX Aborts sent    0
RX Busy           0
RX FIFO full      0
TX FIFO full      0
DS3 EF SA         0
DS3 LOS           0
DS3 OOF           0
DS3 AIS Rcvd      0
DS3 IDLE Rcvd     0
DS3 EF NSA        0
DS3 CEF           0
DS3 LOOPA         0
DS3 LOOPD         0
DS3 Line Loop     0
DS3 Norm Op       0
Spurious Int      0

Statistic Type
The interface for which statistics are being displayed.

Packets In
The number of packets received by this interface since powerup or since the statistics were reset using the reset wan ds3 stats command (see statistics(reset)).

Packets Out
The number of packets sent by this interface since powerup or since the statistics were reset using the reset wan ds3 stats command (see statistics(reset)).

Tx discards
The number of outgoing packets discarded due to an error.

heldoff
The number of packets held off due to a busy interface.

Code Violations
The count of D3RC cycles for which CV is high.

Pulse Density Lo
The number of Loss of Signal interrupts received from the framer.

CRC errors
The number of packets received with CRC Frame Check Errors.

RX Overflows
The number of times the receive buffer overflowed. This is an indication of very heavy receive traffic.

Frame len errors
The number of times a frame over the maximum frame length was received.

RX Aborts
The number of abort events logged by the serial chip. An abort is defined as more than seven 1s in a row in the datastream.

TX underflow
The number of times the transmitter was in the middle of a transmission and the Tx FIFO did not have data to send out.

TX len errors
The number of times transmission of a packet greater than the maximum allowed size was attempted.

TX Aborts sent
The number of abort events sent by the interface. An abort is defined as more than seven 1s in a row in the datastream.

RX Busy
The number of times no Buf was available for a received packet.

RX FIFO full
The number of packets received which were bigger than the Framer's Rx FIFO.

TX FIFO full
The number of packets received which were bigger than the Framer's Tx FIFO.


DS3 EF SA
The number of Equipment Failure, Service Affecting messages received from the remote device.

DS3 LOS
The number of Loss of Signal messages received from the remote device.

DS3 OOF
The number of Out Of Frame Detected messages received from the remote device.

DS3 AIS Rcvd
The number of yellow alarm messages received from the remote device. A yellow alarm indicates that there is a remote loss of signal and informs the local user that the locally generated transmission is not being received at the destination.

DS3 EF NSA
The number of Equipment Failure, Non Service Affecting messages received from the remote device.

DS3 CEF
The number of Common Equipment Failure messages received from the remote device.

DS3 LOOPA
The number of times Loopback Activate requests have been received from the remote device.

DS3 LOOPD
The number of Loopback De-activate requests received from the remote device.

DS3 Line Loop
The number of times the remote end has gone into loopback.

DS3 Norm Op
The number of times the remote end has returned to normal operation after being in loopback.

Spurious Int
The number of times the serial processor detected a spurious interrupt. Nothing is in the interrupt register.


show wan hssi config
The show wan hssi config command displays all of the relevant information about how the WAN interface(s) have been configured.

HSSI 0
Local loop        Off
CSU/DSU loop      Off
CRC Length        32 bit
Clocking          External
CA (CSU ready)    On
Clock Present     Yes

show wan hssi statistics
The show wan hssi statistics command displays tallies from the HSSI interface for various types of conditions and exceptions.

Statistic Type    HSSI 0
Packets In        25622
Packets Out       21531
Tx discards       0
Tx Heldoff        0
Rx discards       0
PCI Bus Error     0
Transmit Error    0
Tx Too Long       0
Deferred          0
Receive Error     0
Rx Overflow       0
Length Error      0
Desc Len Err      0
Illegal Length    0
CRC Error         0

Statistic Type
The interface for which statistics are being displayed.

Packets In
The number of packets received by this interface since powerup or since the statistics were reset using the reset wan hssi stats command (see statistics(reset)).

Packets Out
The number of packets sent by this interface since powerup or since the statistics were reset using the reset wan hssi stats command (see statistics(reset)).

Tx discards
The number of outgoing packets discarded due to an error.

Tx Heldoff
The number of packets held off due to a busy interface.

Rx discards
The number of incoming packets discarded due to an error.

PCI Bus Error
The number of times a PCI Bus error has occurred on this interface.

Transmit Error
The number of packets that were not sent due to a transmit error.

Tx Too Long
The number of transmit packets discarded due to a length error.

Deferred
This indicates the number of times the 21140 processor had to defer a transmit because the carrier was asserted.

Receive Error
The number of packets where an error was detected in the packet header.

RX Overflow
The number of times the receive buffer overflowed. This is an indication of very heavy receive traffic.

Length Error
The number of packets received that had an invalid length.

Desc Len Error
The number of length errors detected in the 21140 processor's buffer descriptors.

Illegal Length
The number of packets received that had an invalid length (either too long or too short).

CRC Error
The number of packets that contained CRC (Cyclical Redundancy Check) errors on packets received.

SEE ALSO
ppp(show), statistics(reset), [ Chat <Name> ], [ Frame Relay <Section ID> ], [ DS3 Interface <Section ID> ], [ HSSI Interface <Section ID> ], [ RS232 Interface <Section ID> ], [ V.35 Interface <Section ID> ], [ T1 Interface <Section ID> ], [ Link Config <Section ID> ], [ PPP <Section ID> ]


Appendix A: Default Sections and Default Values

The device reads the configuration in a hierarchical manner. If a parameter value has been configured in a port-specific configuration section, that value is used. If the value is not found, a search is performed on the default section for that physical interface and specified protocol. If the parameter is still not found (or if the default section is absent), the search proceeds through the default section for that interface type and protocol. Finally, the default for the protocol is checked, followed by the device's default value for that parameter.

For instance, if the device or CompatiView is trying to determine the value for RipOut (outgoing RIP) for Ethernet interface 1, subinterface 2, it will first look for a RipOut parameter in the

[ IP Ethernet 1.2 ]

section. If not found, it will search the following sections

[ IP Ethernet 1 Default ]
[ IP Ethernet Default ]
[ IP Default ]

in that order. If any of these sections are not present, the next one in the list is used. If the RipOut parameter is not found in any of these sections, the device's default value will be used. The device's default value may be found in the Installation Guide that came with your device. It is also possible to use the configuration editor built into the device to find the default values. For more details, see the configure section.

One convenient method for finding out where a particular value was found is to use the show config cook origin command from the console or from a telnet session. See the configure section for further information. The configure section has many options that are useful for displaying the configuration and checking the syntax of a configuration.

In the rest of this Appendix are the keywords which may be used in default sections. For information on allowed values, see the section of the manual for that protocol. Some of these sections have an optional interface number in the section name. This interface number is represented below as [Inum].
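The lookup order just described, worked through in Python as an added example; this is not code from the manual or from Compatible Systems. The sample configuration text, the device-default table and case-insensitive matching of section and keyword names are assumptions made for the example.

```python
"""Appendix A's hierarchical default lookup, as an added example; this is
not Compatible Systems code. The configuration text, the device-default
table and the section spellings are constructed for the example, and
section and keyword matching is assumed to be case-insensitive."""
import re

# Constructed sample in the manual's "[ Section ]" / "Keyword=Value" form.
SAMPLE_CONFIG = """\
[ IP Default ]
# Parameters entered in this section serve as defaults for all interfaces.
Mode=Routed
RIPOut=On
RIPIn=On

[ IP Ethernet Default ]
RIPVersion=2

[ IP Ethernet 1 Default ]
RIPIn=Off

[ IP Ethernet 1.2 ]
Mode=Routed
"""

# Constructed stand-ins for the device defaults, which the manual says are
# documented in the Installation Guide; the real values are not on this page.
DEVICE_DEFAULTS = {"ip": {"mode": "Off", "ripversion": "1", "ripout": "Off",
                          "ripin": "On", "splithorizon": "On"}}

SECTION_RE = re.compile(r"^\[\s*(.*?)\s*\]$")


def parse_config(text):
    """Return {section name (lower-cased): {keyword (lower-cased): value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or full-line comment
            continue
        match = SECTION_RE.match(line)
        if match:
            current = " ".join(match.group(1).split()).lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"keyword outside any section: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"expected Keyword=Value, got {line!r}")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def search_order(protocol, iftype, inum, sub=None):
    """Sections consulted, most specific first, before the device default."""
    port = f"{protocol} {iftype} {inum}" + ("" if sub is None else f".{sub}")
    return [port,
            f"{protocol} {iftype} {inum} Default",
            f"{protocol} {iftype} Default",
            f"{protocol} Default"]


def resolve(sections, protocol, iftype, inum, sub, keyword):
    """Return (value, origin); origin names the section that supplied the
    value, which is what 'show config cook origin' reports on the device."""
    key = keyword.lower()
    for name in search_order(protocol, iftype, inum, sub):
        params = sections.get(name.lower(), {})
        if key in params:
            return params[key], f"[ {name} ]"
    value = DEVICE_DEFAULTS.get(protocol.lower(), {}).get(key)
    return value, "device default"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for kw in ("Mode", "RIPVersion", "RIPOut", "RIPIn", "SplitHorizon"):
        value, origin = resolve(cfg, "IP", "Ethernet", 1, 2, kw)
        print(f"{kw:<13} {value!s:<8} from {origin}")
```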

[ IP Default ]
# Parameters entered in this section serve as defaults
# for all interfaces.
Mode
RIPVersion
RIPOut
RIPIn
SplitHorizon
SubnetMask
OutFilters
InFilters

[ IP Ethernet [Inum] Default ]
# Parameters entered in this section serve as defaults
# for all Ethernet interfaces. Allowed parameters include
# all parameters in the [ IP Default ] section.
ProxyARP
UDPFloodRelay

[ IP WAN [Inum] Default ]
# Parameters entered in this section serve as defaults
# for all WAN interfaces. Allowed parameters include all
# parameters in the [ IP Default ] section.
Numbered
Updates
VJHeaderComp
IPCPAddr

[ IP LocalTalk [Inum] Default ]
# Parameters entered in this section serve as defaults
# for all LocalTalk interfaces. Allowed parameters include
# only the following parameters in the [ IP Default ]
# section: RIPOut, Relay, and SubnetMask.
Mode
ForwardingPort
FirstIPAddress
NumDynamic
NumStatic
Subnet
IPAddress

[ IPX Default ]
Mode
RIPTimer
SAPTimer
BlockType20
OutFilters
InFilters

[ IPX Ethernet Default ]
# Allowed parameters include all parameters in the
# [ IPX Default ] section.
FrameTypeII
FrameRaw
Frame8022
FrameSNAP

[ IPX WAN Default ]
# Allowed parameters include all parameters in the
# [ IPX Default ] section.
Numbered
Updates
NodeProxy

[ AppleTalk Default ]
Mode
Seed
OutFilters
InFilters
OutRTMPFilters
InRTMPFilters
GetZoneFilters
ANSP

[ AppleTalk Phase1 Ethernet Default ]
# Allowed parameters include all parameters in the
# [ AppleTalk Default ] section.
LockOut
LockIn
LWFilter
TildeFilter
StIZFilter

[ AppleTalk Phase2 Ethernet Default ]
# Allowed parameters include all parameters in the
# [ AppleTalk Default ] section.
LockOut
LockIn
LWFilter
TildeFilter
StIZFilter

[ AppleTalk WAN Default ]
# Allowed parameters include all parameters in the
# [ AppleTalk Default ] section.
Numbered
Updates
NodeProxy

[ AppleTalk LocalTalk Default ]
# Allowed parameters include all parameters in the
# [ AppleTalk Default ] section.
LockOut
LockIn
LWFilter
TildeFilter
StIZFilter
Phase1

[ DECnet Ethernet Default ]
Mode

[ DECnet WAN Default ]
Mode
HelloTimer
RoutingTimer

[ Bridging Ethernet Default ]
Mode
SpanningTreeBridged
UnknownProtocolsBridged
PortPriority
PathCost

[ Bridging WAN Default ]
Mode
SpanningTreeBridged
UnknownProtocolsBridged
PortPriority
PathCost

[ Link Config WAN Default ]
Mode
ConnectMode
DialOut
DialIn
AlwaysUp
DropInact
Dialing
DialOutScript
DialBackScript
DialTries
RetryDelay
ScriptTimeout
DCDCheck
BackupEnableDelay
BackupDisableDelay
BackupInitDelay

[ PPP WAN Default ]
Compress
EchoPackets
EchoInterval
EchoDrop
EchoThreshold
ACCM
ACCMVal
AddrCompress
ProtoCompress
Magic
CHAPRequest
CHAPRespond
CHAPName
CHAPSecret
CHAPReevalDelay
PAPRequest
PAPRespond
PAPName
PAPPassword

[ Frame Relay Default ]
MaintProtocol
MTU
PollingFreq
HomeDLCI

[ RS232 Interface Default ]
LinkType
FlowCntl
TxInternal
Baud

[ V.35 Interface WAN Default ]
TxInternal
Baud

[ T1 Interface WAN Default ]
DS0Start
DS0Count
ContiguousChannels
LineBuildOut
LineFraming
LineEncoding
InvertData
ChannelDataRate
ClockSource
TransmitPRM
ReceiveATTLoopUps
ReceiveV54LoopUps


Appendix B: Configuration Variable Types

There are four basic types of values used in keyword-value pairs in a router configuration. They are label, number, IP address, and string. Each type is described below.

Label
A label is a string of letters, underscores, dashes, and/or numbers with no spaces. Keywords which expect labels are documented with all allowed labels. For example, the Mode keyword for IP configurations can have a label value of Routed, Bridged, or Off.

Keywords with Boolean values will accept any version, such as On/Off, True/False, 1/0, or Yes/No.

Number
A number value may be entered as a decimal number or as a hexadecimal number preceded by 0x. Some numbers (e.g., IPX network numbers) must be hexadecimal and do not need a leading 0x.

IP Address
An IP address is entered in dotted-decimal notation (e.g., 192.116.12.1) where each 1- to 3-digit number is between 0 and 255.

String
A string consists of a sequence of allowed characters and recognized escape sequences enclosed in double quotes. The allowed characters are all printable ASCII characters except for the backslash (\) and double quote (") characters. In addition, the tab and new line characters are allowed inside the double quotes. The escape sequences which are recognized are:

\n               Insert a new line.
\t               Insert a tab.
\<space>         Follow the backslash with a space to insert a space.
\"               Insert a " (double quote).
\<octal digits>  Insert a single control character by entering its ASCII code as an octal number.
\<new line>      Continue a long line of input across multiple lines. The new line will be converted to a single space character.
\\               Insert a backslash.


If a string is continued onto a second or succeeding line, there must be whitespace at the beginning of the line. Thus,

AdminName="This text is on line 1
    This text is on line 2.\
    This text is also on line 2."

is allowed whereas,

AdminName="This text is on line 1
This text is on line 2.\
This text is also on line 2."

is an error.

Some keyword values may be a combination of more than one of the above types. In these cases, the different values are separated by whitespace. In order for a string to be differentiated in this case, the entire string should be enclosed in double quotes.
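A decoder for the string type and its escape sequences, added here in Python; it is not Compatible Systems code. Where the appendix is silent it assumes that an octal escape is at most three digits, that the whitespace required at the start of a continued line is consumed rather than kept, and that parsing stops at the closing quote; the two AdminName inputs are constructed to mirror the allowed and erroneous examples above.

```python
"""Decoder for the double-quoted string type of Appendix B, as an added
example; this is not Compatible Systems code. Assumed where the manual is
silent: an octal escape is at most three digits, the whitespace that must
begin a continued line is consumed, and parsing stops at the closing quote."""

# Printable ASCII except backslash and double quote, plus tab and newline.
ALLOWED_RAW = ({chr(c) for c in range(0x20, 0x7F)} - {"\\", '"'}) | {"\t", "\n"}
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", " ": " ", '"': '"', "\\": "\\"}


class StringSyntaxError(ValueError):
    """The input breaks one of Appendix B's rules."""


def _continuation(text, i):
    """A continued line must begin with whitespace; skip it (assumption)."""
    if i >= len(text) or text[i] not in " \t":
        raise StringSyntaxError("continued line must begin with whitespace")
    while i < len(text) and text[i] in " \t":
        i += 1
    return i


def parse_quoted_string(text, pos=0):
    """Decode the quoted string starting at text[pos]; return (value, end)."""
    if pos >= len(text) or text[pos] != '"':
        raise StringSyntaxError("string must begin with a double quote")
    out, i, n = [], pos + 1, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':                         # closing quote
            return "".join(out), i + 1
        if ch == "\\":
            if i + 1 >= n:
                raise StringSyntaxError("backslash at end of input")
            esc = text[i + 1]
            if esc in SIMPLE_ESCAPES:
                out.append(SIMPLE_ESCAPES[esc])
                i += 2
            elif esc in "01234567":           # \<octal digits>: one control char
                j = i + 1
                while j < n and j < i + 4 and text[j] in "01234567":
                    j += 1
                code = int(text[i + 1:j], 8)
                if code > 0x7F:
                    raise StringSyntaxError(f"octal escape {text[i:j]} exceeds ASCII")
                out.append(chr(code))
                i = j
            elif esc == "\n":                 # \<new line>: join lines with one space
                out.append(" ")
                i = _continuation(text, i + 2)
            else:
                raise StringSyntaxError(f"unknown escape \\{esc}")
        elif ch == "\n":                      # bare newline kept; next line indented
            out.append("\n")
            i = _continuation(text, i + 1)
        elif ch in ALLOWED_RAW:
            out.append(ch)
            i += 1
        else:
            raise StringSyntaxError(f"character {ch!r} must be escaped")
    raise StringSyntaxError("missing closing double quote")


def decode_assignment(line):
    """Split 'Keyword="..."' and decode the quoted value."""
    key, sep, rest = line.partition("=")
    if not sep:
        raise StringSyntaxError('expected Keyword="value"')
    rest = rest.strip()
    value, end = parse_quoted_string(rest, 0)
    if rest[end:].strip():
        raise StringSyntaxError("unexpected text after closing quote")
    return key.strip(), value


# Constructed inputs modelled on the appendix's AdminName examples.
GOOD = 'AdminName="This text is on line 1\n    This text is on line 2.\\\n    This text is also on line 2."'
BAD = 'AdminName="This text is on line 1\nThis text is on line 2.\\\nThis text is also on line 2."'
```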


INDEX

A
ANSP 76
Appendix A: Default Sections and Default Values 407
Appendix B: Configuration Variable Types 412
AppleTalk
    AppleTalk Filter Section 174
    AppleTalk Section 23
    AppleTalk Tunnels Section 32
Auth Section 181

B
BGP Peer Config Section 37
BGP Peer List Section 39
    Examples 40
Bridging Global Section 43
Bridging Section 41

C
Chat Scripts
    Chat Section 188
Clock
Command Line Section 46
Comments, in a configuration 9
CompatiView 1
Compression
    PPP Packet Header 130
Configuration Editor 15
configure Command 407
Control Characters
    in Chat Scripts 188

D
DECnet Global Section 48
DECnet Section 47
Default
    Sections 407
    Values 407
DLCI 71
DNS 50
Domain Name Server Section 50
DS3 Interface Section 51

E
Ethernet Interface Section 70

F
Frame Relay Section 71

G
General Section 75
General Sections 8

H
Hierarchical Parsing of Sections 407

I
IKE Policy Section 80
IKE Settings
    for LAN-to-LAN tunnels 151–??
    for the IntraPort (Phase 1) 80
    for VPN Groups 160
    for VPN Users 221
Introduction 1
IP Addresses 412
IP Filter Section 192
IP Loopback Section 82
    Examples 82
IP Protocol Precedence Section 84
    Examples 84
IP Route Filter Section 201
IP Section 88
IPSec Gateway, configuring 77
IPX Filter Section 208
IPX Route Filter Section 212
IPX SAP Filter Section 215
IPX Section 99
IPX Tunnels Section 104

K
Keywords
    Multi-line Values 413

L
L2TP
    Configuring 106
    Displaying information 347
LDAP Auth Server Section 108
    Examples 109
LDAP Config Section 110
Line Editor commands 171
Link Config Section 112
Link Control Protocol 130
Link Quality 129
Logging Section 117

M
Multilink PPP Section 119

N
Name of device, Setting 75
NAT Global Section 121
NAT Mapping Section 219
Numbers 412

O
OSPF Area Section 125

P
Password, Setting 75
Port-Specific Sections 7
PPP Section 129

Q
quit command
    in Configuration Editor 232

R
Radius Section 133
Radius Settings
    configuration section 133
    for an IntraPort 164
RS232 Interface Section 137

S
Saving Configurations 10
Section Titles 9
SecurID Section 139
Sequenced Predictor Compression 129
show bgp commands 298
show wan commands 389
SMDS Section 140
SNMP Community String Section 143
SNMP Section 141
SNMPTrap Section 144
Static Entries
    IP Routes, configuring 205
Strings 412
System Clock, Setting 149
System Password, Setting 75

T
T1 Interface Section 145
Time Server Section 149
Transferring Configurations to the Router 10
Tunnel Partner Section 151
Tunnels
    VPN Users
        Configuring 221

V
V.35 Interface Section 158
Van Jacobson Header Compression 94
Variable Types 412
    Multi-line Values 413
    String 412
VPN
    Client tunnels, configuring 159
    Users, configuring 221
VPN Users Section 221

W
WAN
    Examples
        Dial Out Connection 115
        Frame Relay Dedicated 115
        PPP Dedicated 115

Z
Zone Names
    Setting 25