3Com Router User Manual
CHAPTER 4: TERMINAL SERVICE

Rlogin Terminal Service

■ Only supports IP address configuration. DNS is not supported.
■ The supported terminal type is VT100.
■ The supported baud rate is 9600 bps.
■ Supports remote access of user terminals connected to the asynchronous serial port in flow mode over an asynchronous private line or modem dial-up, and supports maintenance of terminals connected to the Console port. Remote access of terminals connected to routers by other means (such as through telnet) is not supported.
■ Activating multiple Rlogin sessions from the same user terminal is not supported.

Configure Rlogin

Perform the following configuration in system view.

Table 50 Establish a Rlogin connection

Operation                        Command
Establish a Rlogin connection    rlogin ip-address [ username ]
Shut down a Rlogin connection    exit

Typical Rlogin Configuration Examples

Use local user name abc to log on:

[Router]rlogin 10.110.96.53 root
Trying 10.110.96.53 ...
Password:
Last successful login for root: Thu Jan 30 20:29:45 2003 on ttyp2
Last unsuccessful login for root: Sun Jan 26 11:21:53 2003
SCO OpenServer(TM) Release 5
(C) 1976-1998 The Santa Cruz Operation, Inc.
(C) 1980-1994 Microsoft Corporation
All rights reserved.
For complete copyright credits, enter copyrights at the command prompt.
you have mail
TERM = (vt100)
Terminal type is vt100
# exit
rlogin: connection closed.

Use local user name abc and enter the wrong password the first time:

[Router] rlogin 1.1.254.78
Trying 1.1.254.78 ...
Password: (enter wrong password)
Login incorrect
Wait for login retry:
login: abc
Password: (enter correct password)
Last successful login for root: Thu Sep 06 15:14:15 2001 on ttyp0
Last unsuccessful login for root: Thu Sep 06 14:22:35 2001 on ttyp0
SCO OpenServer(TM) Release 5
(C) 1976-1998 The Santa Cruz Operation, Inc.
(C) 1980-1994 Microsoft Corporation. All rights reserved.
For complete copyright credits, enter copyrights at the command prompt.
you have mail
Terminal type is vt100
#

X.25 PAD Remote Access Service

PAD (Packet Assembly/Disassembly facility) is a definition specific to the X.25 protocol. The traditional X.25 network requires all of its terminals to be of X.25 type, with the hardware and software needed to support the X.25 protocol; these are the so-called packet terminals. Packet terminals must be intelligent, but many terminals in use are either non-X.25 and not intelligent (such as a keyboard, monitor or printer) or intelligent but without support for X.25 procedures. Such non-X.25 terminals cannot interconnect with each other through the X.25 network, or even access the X.25 network at all. X.25 PAD technology was developed to let these devices communicate via the X.25 network. The X.25 PAD bridges the X.25 network and non-X.25 terminals: it provides a mechanism through which non-X.25 terminals can access the X.25 network. As shown in the figure below, a PAD is positioned between the X.25 network and terminals that do not support X.25 procedures, enabling the latter to communicate with other terminals through the X.25 network.

Figure 32 Access function of PAD (figure: a PAD placed between the X.25 network, which uses X.25 procedures, and a non-X.25 terminal, which uses non-X.25 procedures)

The main functions of the X.25 PAD are to:
■ Support X.25 procedures and thereby connect to and communicate with the X.25 network.
■ Support non-X.25 procedures and thereby connect non-X.25 terminals.
■ Provide non-X.25 terminals with call establishment, data transmission and call clearing through the X.25 network.
■ Provide non-X.25 terminals with the ability to observe and change interface parameters so as to adjust to the requirements of different terminals.
X.25 PAD devices therefore act as procedure translators or network servers, serving different kinds of terminals and helping them access the X.25 network. The 3Com Router implements the X.29 and X.3 protocols in its X.25 PAD and in the X.29-based Telnet application, so users can configure routers without geographical limitation, as shown in the figure below. When security policy prevents the use of IP-based Telnet to configure routers, the user can access a remote router through the X.25 PAD instead.

Figure 33 Access remote router through an X.25 PAD (figure: Router A and Router B, each on interface Serial 0, connected through the X.25 network)

Configure X.25 PAD

The X.25 PAD configuration includes:
■ Configure X.25 PAD remote users
■ Enable AAA authentication of X.25 PAD remote users
■ Place the X.25 PAD call and access the remote terminal
■ Set the response time for the Invite Clear message

Configure X.25 PAD remote user

Since remote PAD users can place an X.25 PAD call through the X.25 network, access the local router, and configure it, it may be necessary to verify that remote users are valid. You can configure X.25 remote users with access permission on the router so that they are authenticated when a remote PAD request is received. This command is not mandatory, but if used, it must be used together with the login pad command. The called end (also called the configured end) is defined as the Server side, and the calling end (also called the configuration end) is defined as the Client side. Perform the following configuration in system view at the Server side.

Table 51 Configure X.25 PAD remote user

Operation                                                     Command
Configure X.25 PAD remote user                                local-user user-name service-type type [ password { simple | cipher } password ]
Cancel the completed configuration of X.25 PAD remote user    undo local-user user-name
By default, no X.25 PAD remote user is configured at the Server side. For details of the command, refer to the relevant sections on Security Configuration Commands in Command Reference (V1.6).

Start AAA authentication of X.25 remote users

After X.25 PAD remote users have been configured, AAA authentication is enabled at the Server side so that the identity of a remote PAD user is checked on receipt of a remote PAD request. This command is not mandatory, but if used, it must be used together with the user command. Perform the following configuration in system view at the Server side.

Table 52 Enable AAA authentication for X.25 remote PAD users

Operation                                         Command
Enable AAA authentication of X.25 remote user     login pad
Disable AAA authentication of X.25 remote user    undo login pad
Enable AAA authentication                         aaa-enable
Configure user name and password                  local-user username password password

By default, there is no AAA authentication for X.25 remote PAD users.

Establish an X.25 PAD call

On routers interconnected through an X.25 network, the following commands place a PAD call to a remote terminal. If both ends support X.25 PAD, the call is authenticated at the Server side (if user authentication is not configured, this step is skipped). If authentication succeeds, the Client side can access and configure the Server side. After successfully accessing the remote terminal, the user can log out and disconnect the X.25 PAD connection. Perform the following configuration in system view at the Client side.

Table 53 Establish a X.25 PAD call

Operation                     Command
Establish a X.25 PAD call     pad x.121-address
Exit X.25 PAD login           exit

Once the call logs on successfully, the user at the Client side can access the Server. The pad command can be nested with itself or with the telnet command: the user can place an X.25 PAD call on a router and access another router, from which they do the same and access a third router; or the user first Telnets to a router, from which they place an X.25 call and access a third router; or the user places an X.25 call, accesses a router and then telnets to another router, and so on. It is recommended to limit the nesting to three levels to ensure normal transmission.
The exit command can likewise be nested with the pad command. That is, after reaching a third or further router by repeatedly using the telnet/pad commands, the user can repeatedly use the exit command to leave the accessed routers in turn until returning to the router from which the first call was placed.

Set the Response Time to the Invite Clear Message

If, for some reason (for example, the Client side issues an exit request or needs to release link resources), the Server side of the X.25 PAD sends the link-clearing message Invite Clear to the Client side, the Server side then waits for a response from the Client side. If the Client side fails to respond within the specified time, the Server side clears the link on its own. Perform the following configuration in system view at the Server side.

Table 54 Set the response time to the Invite Clear message

Operation                                             Command
Set the response time to the Invite Clear message     x29 inviteclear-time time seconds

Display and Debug X.25 PAD

Perform the following configuration in all views.

Table 55 Display and debug X.25 PAD

Operation                                            Command
Display the relevant information of X.25 PAD         display x25 pad [ pad-number ] [ tty ]
Enable the debugging of X.25 PAD on varied levels    debugging pad { packet | error | all }

Typical X.25 PAD Configuration Example

I. Networking Requirement

As shown in the figure below, with Serial 0 as the interface to the X.25 network, router A is connected with router B through the X.25 network. It is required that router B can access and configure router A after calling router A.

II. Networking Diagram

As shown in Figure 33 "Access remote router through an X.25 PAD".

III. Configuration Procedure

1 Configure Router A:

a Configure X.25 PAD remote users.
[RouterA]local-user paduser service-type exec-guest password simple pad

b Enable AAA authentication of X.25 PAD remote users.
[RouterA] login pad

c Enter the view of interface Serial 0 and set its link layer protocol as X.25 DTE IETF.
[RouterA]interface serial 0
[RouterA-serial0]link-protocol x25 dte ietf

d Set its X.121 address as 123456.
[RouterA-serial0]x25 x121-address 123456

2 Configure Router B:

a Enter the view of interface Serial 0 and set its link layer protocol as X.25 DTE IETF.
[RouterB]interface serial 0
[RouterB-serial0]link-protocol x25 dte ietf

b Set its X.121 address as 5678.
[RouterB-serial0]x25 x121-address 5678

c Return to the system view and place the X.25 PAD call to router A.
[RouterB] pad 123456
Trying 123456...Open
Username:paduser
Password:
User paduser logged in.
[RouterA]

Fault Diagnosis and Troubleshooting of X.25 PAD

Fault one: After an X.25 call to a remote terminal, logon fails. The screen displays Trying xxxxxxxxxx...Destination unreachable.

Troubleshooting: Follow the steps below.
■ Confirm that X.25 is encapsulated on the serial port used for the connection and that both ends support the X.25 PAD protocol.
■ Once that is confirmed, make sure that the serial interface at the Server side that accepts X.25 PAD calls has an X.121 address configured and that the Client side calls that address correctly.
■ If that is also satisfied, check whether the Client side has switching attributes configured (that is, the x25 switching command is used in system view) but no route to the Server side. If so, data cannot be transmitted from the Client side to the Server side in packet mode. The Client side is not required to configure a route to reach the Server: if the Client side does not configure switching attributes, X.25 uses the default route for the call.

Therefore, confirm that the Client side either has no switching attributes configured, or has both the switching attributes and the route to the Server side configured.
5 CONFIGURING NETWORK MANAGEMENT

This chapter includes information on the following topics:
■ SNMP Overview
■ RMON Overview

SNMP Overview

Simple Network Management Protocol (SNMP), a widely accepted industry standard, is by far the most dominant network management protocol in computer networks. It was developed to ensure the transmission of management information between any two nodes, so that network administrators can retrieve information from any node on the network for the purposes of modifying settings, locating faults, troubleshooting, planning capacity and generating reports. Using a polling mechanism, SNMP provides essential functionality and suits networking environments that require small size, high speed and low cost. Since it uses the transport layer protocol UDP (User Datagram Protocol), which requires no acknowledgement, it is widely supported in many products.

An SNMP system comprises an NMS (Network Management Station) and an agent. The NMS is the workstation running the client application. It sends request packets to the managed network devices, receives response and trap packets from them, and displays their status information. The agent is a process running on the managed equipment. It receives and processes request packets from the NMS and responds by returning the corresponding management variables obtained from the protocol modules of the managed equipment. Whenever the agent detects an emergency event on the managed device, such as a change in interface status or a failed call, it sends a trap to notify the NMS. The relationship between NMS and agent is shown in the following figure:

Figure 34 Relationship between NMS and agent (figure: the NMS and the router agent, connected over Ethernet, exchanging Request, Response and Trap messages)

SNMP is the most widely applied communication protocol between NMS and agent in computer networks.

Development of SNMP

There are three versions of SNMP: SNMPv1, SNMPv2c and SNMPv3. SNMPv3 defines a series of access control and management functions for network security in addition to the functions defined in SNMPv2c and SNMPv1. In other words, SNMPv3 extends SNMPv2c by adding security and management functions.

SNMPv1 and SNMPv2c lack security functions, especially authentication and privacy. SNMPv1 defines only a community, representing a group of managed devices. Each NMS controls access to the devices via the community name list. However, agents do not verify whether the community names used by senders are authorized, and they do not even check the identity of the administrators. Additionally, SNMP messages are transmitted without encryption, which exposes the community name and creates a potential security threat. Even though some security mechanisms, such as digest authentication, timestamp authentication, encryption and authorization, were considered at the early stage of proposing SNMPv2c, only a "community name" similar to that of SNMPv1 is used in the final standard, RFC 1901 through 1908. SNMPv2c is only a transitional version between SNMPv1 and SNMPv3.

To remedy the lack of security in SNMPv1 and SNMPv2c, the IETF developed the SNMPv3 protocol, which is described in detail in RFC2271 through 2275 and RFC2570 through RFC2575. RFC2570 through RFC2575 supplement and subdivide SNMPv3 on the basis of RFC2271 through RFC2275, giving a complete and exact description of abnormal error handling and of the message processing procedure. The SNMPv3 framework thus defined has become a feasible standard. The security of SNMPv3 consists mainly of data security and access control.

■ Data security features provided in SNMPv3
Message-level data security provided in SNMPv3 includes the following three aspects:
  ■ Data integrity. It ensures that data cannot be tampered with by unauthorized means and that the data sequence is changed only within the permitted range.
  ■ Data origin authentication. It confirms which user the received data is from. Security defined in SNMPv3 is user-based; hence, it authenticates the users that generate messages rather than the particular applications used to generate them.
  ■ Data confidentiality. Whenever an NMS or agent receives a message, it verifies when the message was generated. If the difference between the message's generation time and the current system time exceeds the specified time range, the message is rejected. This ensures that the message has not been tampered with in transit on the network and prevents the processing of received malicious messages.

■ Access control in SNMPv3
As a security measure, the access control defined in SNMPv3 implements a security check on the basis of protocol operations, thereby controlling access to the managed objects. The MIB accessible to an SNMP entity is defined by its particular context. For security reasons, different groups with corresponding authorities may need to be defined on one entity. The authorities are specified by the MIB view. A MIB view specifies a collection of managed object types in the context. Because the MIB adopts a tree structure, the MIB view takes the form of a "view sub-tree" to define objects. If the identifier of the object to be accessed belongs to the MIB sub-tree, the network administrator can access the device with read or write authority. Otherwise, the operation is rejected.

SNMP architecture

An SNMP entity comprises one SNMP engine and multiple SNMP applications. The SNMP engine is the core of the SNMP entity. It sends, receives and authenticates SNMP messages, extracts PDUs (Protocol Data Units), reassembles messages, and communicates with the SNMP applications. SNMP applications process PDUs, implement protocol operations, and store and retrieve MIB data. The SNMP engine comprises the scheduler, message processing sub-system, security sub-system, and access control sub-system. SNMP applications include the command generator, command responder, indication generator, indication receiver, and proxy transponder. The SNMP entity that owns the command generator or indication receiver is called the SNMP manager, and the SNMP entity that owns the command responder, indication generator or proxy transponder is called the SNMP agent. Nevertheless, an SNMP entity can have the functions of both manager and agent.

SNMP-supported MIB

To uniquely identify the equipment management variables in SNMP packets, SNMP names managed objects using a hierarchical structure. The hierarchical structure is like a tree, in which the nodes represent the managed objects. As shown in the following figure, a path starting from the root identifies an object unambiguously.

Figure 35 MIB tree structure

As shown in the above figure, the managed object B can be uniquely specified by the digit string {1.2.1.1}, which is the object identifier of the managed object. Consisting of collections of standard variable definitions for monitored network equipment, the MIB describes the hierarchical structure of the tree. SNMP agents in the 3Com Router series support the standard network management versions SNMPv1, SNMPv2c, and SNMPv3. The MIBs compatible with the agents are shown in the following table.
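The user-based message security and view-based access control described above, modelled as an added Python example (written for this page, not 3Com's code, and not the real SNMPv3 wire format): each request carries the originating user name, its generation time and an HMAC, and the receiving agent authenticates the user, verifies integrity, enforces the time window, and only then checks the requested object identifier against that user's MIB view. The user name, key, view subtrees and the 150-second window are assumed values.

```python
"""Model of the SNMPv3 receive-side checks: origin authentication, integrity,
timeliness and MIB-view access control. Constructed example; the users, keys,
subtrees and window below are assumptions, not values from any real device."""
import hashlib
import hmac

TIME_WINDOW = 150   # seconds; assumed to match the USM timeliness window
MAC_LEN = 12        # truncated HMAC, as in HMAC-SHA-96

# Constructed user table: user name -> authentication key (hypothetical values).
USERS = {"netops": b"constructed-netops-auth-key"}

# Constructed MIB views: (user, operation) -> [(included, subtree), ...].
# An OID is accessible when its longest matching subtree is an included one;
# an OID that matches no subtree is outside the view and is rejected.
VIEWS = {
    ("netops", "get"): [(True, (1, 3, 6, 1, 2, 1)),          # all of MIB-II ...
                        (False, (1, 3, 6, 1, 2, 1, 4))],     # ... except the ip group
    ("netops", "set"): [(True, (1, 3, 6, 1, 2, 1, 1))],      # system group only
}

def _mac(key, user, msg_time, op, oid):
    """HMAC over every field the receiver relies on, so none can be altered."""
    data = "|".join([user, str(msg_time), op, ".".join(map(str, oid))]).encode()
    return hmac.new(key, data, hashlib.sha1).digest()[:MAC_LEN]

def build_message(user, msg_time, op, oid):
    """NMS side: a request for `oid` authenticated with the user's key."""
    oid = tuple(oid)
    return {"user": user, "time": msg_time, "op": op, "oid": oid,
            "mac": _mac(USERS[user], user, msg_time, op, oid)}

def oid_in_view(oid, view):
    """Longest-prefix match over the view's subtrees decides access."""
    best = None
    for included, subtree in view:
        if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[1])):
            best = (included, subtree)
    return best is not None and best[0]

def check_message(msg, now):
    """Agent side: returns (accepted, reason), in the order the checks run."""
    key = USERS.get(msg["user"])
    if key is None:
        return False, "unknown user"                   # data origin authentication
    expected = _mac(key, msg["user"], msg["time"], msg["op"], msg["oid"])
    if not hmac.compare_digest(expected, msg["mac"]):
        return False, "integrity check failed"          # data integrity
    if abs(now - msg["time"]) > TIME_WINDOW:
        return False, "outside time window"             # timeliness check
    if not oid_in_view(msg["oid"], VIEWS.get((msg["user"], msg["op"]), [])):
        return False, "object not in MIB view"          # access control
    return True, "accepted"

if __name__ == "__main__":
    sys_name = (1, 3, 6, 1, 2, 1, 1, 5, 0)
    print(check_message(build_message("netops", 1000, "get", sys_name), 1010))
    tampered = build_message("netops", 1000, "get", sys_name)
    tampered["oid"] = (1, 3, 6, 1, 2, 1, 4, 1, 0)   # altered in transit
    print(check_message(tampered, 1010))
    print(check_message(build_message("netops", 1000, "get", sys_name), 1300))
```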
Table 56 3Com Router-supported MIB

MIB attribute    MIB description                              Reference
Public MIB       MIB II based on TCP/IP network equipment     RFC1213
                 RMON MIB                                     RFC1757
                 RIP-2 MIB                                    RFC1389
                 OSPF MIB                                     RFC1253
                 BGP MIB                                      RFC1657
                 PPP MIB                                      RFC1471
                 X.25 MIB                                     RFC1382
                 LAPB MIB                                     RFC1381
                 PPP                                          RFC1471, RFC1472, RFC1473, RFC1661, RFC1332, and RFC1334
                 FrameRelay MIB                               RFC1315 and RFC2115
                 SNMP                                         RFC1907, RFC2271, RFC2272, RFC2273, RFC2274 and RFC2275
Private MIB      IP MIB, ICMP MIB, QoS MIB, NDEC MIB, DLSw MIB, MIB of terminal access servers, MIB of RMON extension alarms, 3Com Router MIB, 3Com Module MIB

Configure SNMP

SNMP configuration includes:
■ Configure the network management agent on a router
■ Configure the router administrator information
■ Configure the SNMP version
■ Configure the trap
■ Adjust the maximum size of SNMP packets

1 Configure network management agent on a router

Perform the following configurations in system view.

Table 57 Configure network management agent on a router

Operation                                              Command
Enable SNMP service                                    snmp-agent
Disable SNMP service                                   undo snmp-agent
Set an engine ID for the equipment                     snmp-agent local-engineid engineid
Set the engine ID of equipment to the default value    undo snmp-agent local-engineid

By default, the system disables SNMP service. The engine ID is the unique ID of an individual router on the overall network. It is a string of 5 to 32 bytes in hexadecimal format. By default, the SNMP engine ID is