The Address Resolution Protocol (ARP) provides a way to find a node's MAC address when only the IP address is known. The way ARP works is simple. A sending node will send a broadcast through the network with the IP address of the node that it is trying to locate. Once a node recognizes an IP address in an ARP broadcast, it will respond to the originating node with the MAC address that matches the IP address. ARP entries are stored in a cache, known as the ARP table.
ARP is limited to the nodes within the network that support broadcasting and will accept a broadcast packet. Other nodes will ignore the broadcasts.
Sometimes a node may be moved or, for some other reason, a node may no longer be able to locate another node within the network. When this occurs, you might want to try to force the node to relearn where the destination node may reside.
The Arp section of the Tools screen provides access to the ARP table and some options that can be used to assist in troubleshooting. This section is located at the bottom of the Tools screen (see Figure 12-38). Within the Arp section is one field that allows you to specify the IP address of a node that you would like to have removed from the ARP cache so the device will resend the ARP broadcast packets. You can enter the IP address and then press the Arp delete button that is in this section.
Two other buttons can be chosen within the Arp section. The first button is the Show Arp Table button. By clicking this button, you will receive an output of the ARP table, which lists the entries contained in the VPN Router's ARP cache. Figure 12-39 shows an example of an ARP table. The other button provides an option to clear the entire ARP table.
Figure 12-38: The Arp section of the System Tools screen
Figure 12-39: The ARP table
Packet Capture
Previously in this chapter, we discussed the use of sniffers as a helpful tool in troubleshooting data connection issues within a network. Often, however, a link must be broken to put a sniffer "in line" before it can be used. Also, some nodes (such as the Nortel VPN Router) use an encryption technology that a sniffer may not understand when capturing packets.
Many data nodes (such as VPN Routers) support what is known as Packet Capture (PCAP) built into the software. This allows the capture of packets that are passing through the node without requiring an external sniffer to be placed in the network segment. PCAP is an application program interface (API) that supports the capture of packets within a network. The captured packets are then stored in a trace (often referred to as a capture), which can then be analyzed by a packet sniffer application, such as Ethereal. Figure 12-40 shows an example of a PCAP capture of a client tunnel session that is being viewed in Ethereal.
Beginning with VPN Router code version v04_85, the Nortel VPN Router supports packet capturing by including PCAP support within the software. The Nortel VPN Router PCAP utility allows for the capturing of packets that are passing through all interfaces, tunnels, and even Ethernet segments that are not related to the VPN Router.
Several security measures are in place when performing a PCAP on the Nortel VPN Router. Performing a PCAP must be done from the console interface. The administration password must be other than the default password, and a password is assigned to the capture, so that password must be known before the capture can be read.
Performing the PCAP operation on the VPN Router is memory-intensive, so it should be performed only when required for troubleshooting purposes. There are filters that can be implemented to reduce the amount of data captured and free up some resources, but the process still requires the use of VPN Router resources.
Most sniffer applications provide a few features that allow you to view different aspects of the PCAP file. This is helpful when you are trying to gather statistics or narrow down the information that you are viewing. These features include the ability to sort by protocol hierarchy (see Figure 12-41) and graph statistics (see Figure 12-42).
Figure 12-40: Viewing the PCAP capture
Figure 12-41: Viewing the protocol hierarchy statistics in a client tunnel session PCAP capture
Figure 12-42: Viewing a statistical graph of a client tunnel session PCAP capture
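The protocol hierarchy view that Figures 12-40 and 12-41 show is easy to reproduce outside a sniffer. The following Python is an added example, not code from this book or from Nortel: it reads a classic pcap trace and counts frames at every decoded layer (Ethernet, IP, ESP/UDP/ARP), which is what Ethereal's protocol hierarchy statistics report. It assumes the capture is already available as an ordinary unencrypted pcap file with an Ethernet link type; the sample trace, MAC and IP addresses and frame builders are constructed here for the demonstration.

```python
import struct
from collections import Counter

# Classic pcap (libpcap) file constants; Ethernet frames are linktype 1.
PCAP_MAGIC = 0xA1B2C3D4
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # file written in the other byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp", 51: "ah"}


def ethernet_frame(ethertype, payload):
    """Build an Ethernet II frame with constructed (fake) MAC addresses."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4_packet(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Build a minimal IPv4 header (no options, checksum left zero) plus payload."""
    def addr(a):
        return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, addr(src), addr(dst))
    return hdr + payload


# Constructed sample capture: two ESP packets standing in for tunnel
# traffic, one UDP datagram, and one ARP frame (ARP body is dummy bytes).
SAMPLE_FRAMES = [
    ethernet_frame(ETHERTYPE_IPV4, ipv4_packet(50, bytes.fromhex("0000123400000001") + b"\xaa" * 32)),
    ethernet_frame(ETHERTYPE_IPV4, ipv4_packet(17, bytes.fromhex("01f401f400100000") + b"\xbb" * 8)),
    ethernet_frame(ETHERTYPE_IPV4, ipv4_packet(50, bytes.fromhex("0000123400000002") + b"\xcc" * 32)),
    ethernet_frame(ETHERTYPE_ARP, bytes.fromhex("0001080006040001") + b"\x00" * 20),
]


def build_pcap(frames, ts_start=1_000_000, endian="<"):
    """Serialize frames into a classic pcap file (used only to make the demo trace)."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack(endian + "IIII", ts_start + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield each captured frame from a classic pcap byte string, honouring byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported linktype {linktype}; only Ethernet is decoded")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record at end of capture")
        yield data[off:off + incl_len]
        off += incl_len


def classify(frame):
    """Return the decoded layer path for one frame, e.g. ('eth', 'ip', 'esp')."""
    if len(frame) < 14:
        return ("eth", "runt")
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_ARP:
        return ("eth", "arp")
    if ethertype != ETHERTYPE_IPV4:
        return ("eth", f"ethertype_0x{ethertype:04x}")
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return ("eth", "ip", "malformed")
    proto = ip[9]  # IPv4 protocol field; 50 = ESP, the tunnel payload
    return ("eth", "ip", IP_PROTO_NAMES.get(proto, f"proto_{proto}"))


def protocol_hierarchy(data):
    """Count frames at every layer prefix, as a protocol hierarchy view does."""
    counts = Counter()
    for frame in iter_frames(data):
        path = classify(frame)
        for depth in range(1, len(path) + 1):
            counts[path[:depth]] += 1
    return counts


def format_hierarchy(counts):
    """Render the counts as an indented tree with percentages of all frames."""
    total = counts[("eth",)]
    lines = []
    for path in sorted(counts):
        pct = 100.0 * counts[path] / total if total else 0.0
        lines.append(f"{'  ' * (len(path) - 1)}{path[-1]}: {counts[path]} frames ({pct:.1f}%)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_hierarchy(protocol_hierarchy(build_pcap(SAMPLE_FRAMES))))
```

Pointing `iter_frames` at the bytes of a real capture file gives the same per-layer breakdown; a capture from a client tunnel session should show most frames under the ESP branch.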
General Network Proactive Measures
As mentioned previously, problems with communication in a data network are going to happen. Hardware failures, compatibility issues, data traffic flow issues, and many other things can contribute to a break in communication. Sometimes these issues are simple to diagnose, and sometimes they can take hours and even days to resolve.
Proactive measures can be taken in anticipation of potential failures. Viewing outages in a proactive manner can truly help the resolution time when a problem arises. Unfortunately, a proactive approach is not always practiced in many LANs.
This section discusses some recommended proactive measures to assist you in considering and in taking a proactive stance toward the maintenance of the VPN Router, as well as other network nodes.
Perform Regular Backups
One of the easiest things that can be done to the VPN Router (as well as other nodes within the network) is to perform system backups regularly. If possible, it is also a good practice to make duplicate backups in case of a backup storage device failure. Anticipate the possible and try to accommodate it.
System configurations, databases, images, and other system files do get corrupted and sometimes may even get lost. Having a recent backup for any required file can save you a lot of work in the long run. Many network managers perform daily backups of critical files. This may or may not be a practice that needs to be adhered to in every network, but a regular backup is highly recommended.
Consider what problems may arise if a core network node experiences configuration corruption and the network administrator does not practice regular system backups. That core device's configuration will have to be rebuilt, which will probably contribute to extended downtime for the device. In turn, user productivity will drop because of the lack of network resources. The lack of a recent backup may cost your employer hundreds to thousands of dollars.
Backups are also a necessity when performing system maintenance. Whether it is a hardware replacement or a configuration change, always back up the system-critical files before you begin the scheduled maintenance for the device.
A little time spent up front in backing up these files can save you a lot of time in the long run.
Effective planning is paramount in data networks. In addition to planning how the change may affect the current network, it is also prudent to anticipate future growth. What might occur if you need to purchase a VPN Router and you don't consider the number of active tunnels that you may need in your decision? What problems might occur if you purchase a NIC upgrade for a server only to later discover that there are compatibility issues with the brand of NIC and some of the nodes within your network?
Effective planning is always a very important proactive step to take. It's always possible that not all contingencies can be considered up front, but planning for as many as you can think of will help alleviate potential problems in the future.
Always Have a System Recovery Disk Available
Making a system recovery disk and having it available to you are very important, but often ignored. The process of making the recovery disk is very quick and easy and can save you a lot of problems in the future.
If you are running multiple versions of code on the VPN Routers in your network (which, by the way, is not recommended), then ensure that you have a recovery disk to match each of those versions of code.
When making a recovery disk, also ensure that you make the recovery disk available. It will not serve any purpose if you are onsite working on a VPN Router issue and need your recovery disk, which happens to be in another state.
We recommend that you keep the recovery disk available in an area that is local to the VPN Router. In addition to making one local to the router, ensure that it is accessible to anyone who may be performing troubleshooting and/or maintenance on the VPN Router.
Another practice that is followed by some VPN administrators is to provide a copy of the recovery disk to all personnel who may need to have it. The problem with this practice is that a procedure would need to be set up to allow for recovery disk upgrades.
Consider the impact that the users would feel if you had a catastrophic failure on the VPN Router and you did not have a recovery disk available. The system downtime would then be increased until a recovery disk was obtained, or a VPN Router replacement would have to be ordered.
Whatever policy you choose to implement, the main thing is to ensure that the recovery disk is made and is made available to anyone who may be working on the VPN Router.
Dial Access for Support Personnel
Providing access to the network for the support personnel within the network is a very important proactive step to take. If the network provides for an on-call person for potential outages, then it is very important that that person be able to access the network from a remote area.
Ensuring that all support personnel have remote access can assist in clearing up outages in a timely manner. Of course, remote access is not always going to be the resolution to a problem, and personnel will have to go to the site where the equipment resides, but it may help in certain instances.
Knowledge Sharing
Because of security concerns and some other factors, some networks provide critical information about the network and the nodes within the network to only a few personnel. Far too often, this information resides with only one person.
Knowledge management is a very important factor when running a network. The sharing of knowledge can also make the resolution to network problems much easier to contend with. Ensure not only that as many people as possible are involved in the administration of basic network duties, but also that at least two or three trusted individuals have access to all of the documentation pertaining to the network.
Consider what problems may arise if you entrust only one person to retain the management login information for all of the VPN Routers in the network. What may occur if that person is on vacation or has left the company and you need to access the VPN Router for troubleshooting purposes? Because of the security considerations for the VPN Router, there is no default or back-door password. In the event of system failure when login access is denied, the unit will have to be replaced.
Also consider the extended time it may take to troubleshoot a problem within a subnet when the only person who is aware of the nodes within the subnet is not available. Tracing down problem areas can be very time consuming (if not impossible) at times.
Knowledge sharing is very important and it can make a tremendous difference in resolving issues that occur in the network. Follow this very important proactive step to help ensure that network connectivity timelines stay up and to reduce recovery time when network troubleshooting is required.
Documentation
Using a system of developing and retaining effective documentation that relates to your network can be very rewarding in not only troubleshooting the network, but also in future growth and development. Effective documentation can also provide a wealth of information for training and reference.
Among the most important documents that should be developed are network topology diagrams. These diagrams can provide a lot of help when you are troubleshooting a network. They also make great reference documents when you are training new personnel, or planning for network changes and/or growth. Following are some examples of other helpful documentation to have available:
■■ Network change control documents
■■ Contractual support documents
as the network itself, is very effective for the overall support of the network.There is really no such thing as too much documentation
Upgrades and Configuration Changes
Data communications are always changing. New products are always being introduced to the marketplace. New technologies and protocols are developed on a fairly constant basis. Keeping up with these changes is a time-consuming process, but one that is required to meet the demands of customers and employees within the corporate LAN.
Technology that was cutting-edge just 5 to 10 years ago is being replaced with the technology of today. Data equipment upgrades and replacements are fairly common with most large corporations and, with that, the need to analyze and plan for that growth is a requirement and not a luxury.
In addition to keeping up with the ever-expanding data communications market, there are times when an upgrade or a change is required to resolve an issue, or simply to meet internal growth.
You have already learned that planning to meet the current needs of the network is important. When cost is a factor, planning for the future is also important. So, now that the planning is complete and the hardware and software that are needed to implement the change are available, it's time to take the plan and put it into action.
Because most planned events on the network do require some network downtime, it makes sense to reduce the downtime as much as possible and to make the transition run as simply as possible. This section contains a few proactive steps that can be taken to help ensure that the implementation of the plan runs more smoothly than it would if the changes were put into place "on the fly."
Research
When planning for a network change event, it is important to ensure that you research what you are trying to accomplish. If you are introducing new hardware or support of a new protocol or technology, research to ensure that the existing infrastructure can support what you want to introduce. Following are some questions to consider when introducing a technology change or hardware change:
■■ Will the new hardware or change accomplish what you need?
■■ Are there any interoperability issues with the new change and the existing equipment within the network?
■■ Are any code upgrades required to support the new hardware/change?
■■ Are any other changes or hardware upgrades required to support thenew change?
If you are performing a software upgrade, then research the release notes for the software to ensure that you are aware of new changes and implementations within the new code version, as well as any known issues. When upgrading your VPN Router, ensure that you read the code version release notes. Following are examples of things to check and verify:
■■ Will the new code accomplish what you need?
■■ Are there any known issues in the new code that may affect the network?
■■ Are any hardware upgrades required to support the new code?
■■ Are there any higher versions of code that may need to be considered?
■■ Are there any interim upgrades required to upgrade to the version thatyou need?
■■ If upgrading VPN Router code, will a Client upgrade be required aswell?
Knowing the answers to these questions is important. Consider what problems may occur if you upgrade to a version that is not compatible with technologies that are supported within your network. What is the impact of the upgrade to the end user? Knowing what to expect and planning for it will help the transition run smoothly.
Pre-Testing
Whenever practical, it is always a good practice to pre-test the change that you will be making in a lab environment. Not only will this give you an opportunity to document the steps required to complete the change, but it will also give you practice in doing the change.
Pre-testing should be accomplished as far in advance as possible. This will give you ample time to walk through and document the process, and will also provide time to let the setup run in the lab for a while. If the setup runs smoothly in the lab, chances are it will run fine when implemented in your production network.
As with upgrades and changes to existing equipment, pre-staging new equipment can be a tremendous help in implementing a change in the network. Pre-staging new equipment gives you an opportunity to "burn in" the equipment and also to test to ensure that the equipment is functional. If pre-staged correctly, you can also simply move the new equipment into place with very little configuration required. This process greatly reduces network downtime during the change.
Action Plan
A detailed action plan is a tremendous help when implementing a network change. Not only does the action plan outline all steps to be taken during the duration of the change, but it can provide a lot of insight if technical support is required at some point during the change.
A network change action plan should be as detailed as possible. Following are some of the things that should be included within the action plan:
■■ Exact time and date of the change
■■ Equipment that will be affected
■■ What the purpose of the change is
■■ Individuals to be involved
■■ Anticipated duration
■■ List of required tools (software, configurations, hardware, and so on)
■■ Login information
■■ Topology diagram(s)
■■ Pre-change testing information
■■ Post-change testing information
■■ White space for notes
Once you have developed an action plan, ensure that all individuals who will be involved in the change receive a copy of the action plan and review it. Whenever possible, have a "dry run" for the action plan to ensure that no details have been left out. If you have pre-tested or pre-staged the equipment that will be involved in the change, get someone to test the action plan in the lab. Finally, save a copy of the action plan and have it available in case you need to involve a support person from one of your vendors at some point during the change.
Nortel Support
Nortel provides technical support 24/7 for most of its products. The Nortel VPN Router is included in this support. To access Nortel technical support, you will need to have a valid support contract or provide a valid credit card number. Nortel telephone support can be reached at 1-800-4NORTEL.
The Nortel Web site also contains a lot of support information that can assist the users of Nortel equipment in troubleshooting and/or configuring the equipment. The Nortel Web site is located at: www.Nortel.com
If you must call the Nortel support center for help with a problem with your Nortel VPN Router, there is some basic information that you should have available to provide to the support engineer. Although not required, this basic information will help the support engineer understand your network and the problem that you are calling for assistance on. This information is as follows:
■■ An exact description of the problem
■■ Code version of the VPN Router
■■ Code version of the VPN Client
■■ Personnel affected
■■ List of recent changes
■■ Baseline the criticality of your issue
■■ Configuration, logs, dumps, and any other supporting system files(when applicable)
■■ IP address of the public interface
■■ IP address for the management interface
■■ An admin user account to be used by the Nortel support engineer
■■ Topology diagrams
■■ Unit serial number and model number
■■ Remote access for support personnel
■■ Action plan (if applicable)
■■ Outline of troubleshooting performed
Because all networks are different, this information can assist in a speedy recovery. Even if you cannot get all of the information on this list, the more you can get, the more helpful it is to the support engineer.
Summary
This chapter provided an overview on network troubleshooting, as well as an overview of troubleshooting the Nortel VPN Router. Many of the utilities that are available were introduced. Also, third-party tools were discussed and examples were provided of each of these.
This chapter completes the introduction to the Nortel VPN Router. Using and understanding the information in this book will greatly improve your understanding and effectiveness when working with your Nortel VPN Router.
Appendix A
Abbreviation and Acronym Reference Listing
This appendix contains abbreviations and acronyms for VPN terminology, as well as other abbreviations and acronyms that you will come across occasionally as the VPN router administrator.
A
AAA Authentication, Authorization, and Accounting
AAL ATM Adaptation Layer
AAL1 ATM Adaptation Layer 1
AAL2 ATM Adaptation Layer 2
AAL3/4 ATM Adaptation Layer 3/4
AAL5 ATM Adaptation Layer 5
AARP AppleTalk Address Resolution Protocol
ABM Asynchronous Balanced Mode
ABR Available Bit Rate
ABR Area Border Router
ABRD Automatic Baud Rate Detection
AC Alternating Current
ACK Acknowledgment
ADSL Asymmetric Digital Subscriber Line
AH Authentication Header
AIM Asynchronous Interface Module
ANSI American National Standards Institute
APPN Advanced Peer-to-Peer Networking
ARIN American Registry for Internet Numbers
ARM Asynchronous Response Mode
ARP Address Resolution Protocol
ARPA Advanced Research Projects Agency
ARPANET Advanced Research Projects Agency Network
ARQ Automatic Repeat Request
ARU Alarm Relay Unit
AS Autonomous System
ASAM ATM Subscriber Access Multiplexer
ASBR Autonomous System Boundary Router
ASCII American Standard Code for Information Interchange
ASIC Application-Specific Integrated Circuit
ASN Auxiliary Signal Network
ATM Asynchronous Transfer Mode
ATM NIC ATM Network Interface Card
AU Access Unit
AUI Attachment Unit Interface
B
BACP Bandwidth Allocation Control Protocol
BAMM Bidirectional Asymmetric Multipoint-to-Multipoint
BAP Bandwidth Allocation Protocol
BAPM Bidirectional Asymmetric Point-to-Multipoint
BAPP Bidirectional Asymmetric Point-to-Point
BER Bit Error Rate
BERT Bit Error Rate Test
BG Border Gateway
BGP Border Gateway Protocol
BIOS Basic Input/Output System
B-ISDN Broadband ISDN
B-ISSI Broadband Inter-Switching System Interface
BIT Binary Digit
BMS Bandwidth Management Services
BN Boundary Node
BNI Broadband-to-Narrowband Interface
BOM Beginning of Message
BOOTP Bootstrap Protocol
BPDU Bridge Protocol Data Unit
Bps Bits per second
BRI Basic Rate Interface
C
CA Collision Avoidance
CAU Controlled Access Unit
CBR Constant Bit Rate
CBS Committed Burst Size
CCP Compression Control Protocol
CCU Communications Control Unit
CD Carrier Detect
CDMA Code Division Multiple Access
CD-ROM Compact Disk Read Only Memory
CD-RW CD Rewritable
CDS Current Directory Structure
CDSA Common Data Security Architecture
CGI Common Gateway Interface
CGM Computer Graphics Metafile
CHAP Challenge-Handshake Authentication Protocol
CIDR Classless Inter-Domain Routing
CIF Cells in Frames
CIR Committed Information Rate
CLI Command Line Interface
CLK Clock
CLNP Connectionless Network Protocol
CLNS Connectionless Network Service Protocol
CO Central Office
COM Continuation of Message
CONS Connection-Oriented Network Services
CPS Characters Per Second
CPU Central Processing Unit
CRC Cyclic Redundancy Check
CRM Connection Request Mode
CRMI Committed Rate Measurement Interval
CSMA Carrier Sense Multiple Access
CSMA/CA Carrier Sense Multiple Access with Collision Avoidance
CSMA/CD Carrier Sense Multiple Access with Collision Detection
CSP Cryptographic Service Provider
CSU Channel Service Unit
CTCP Client to Client Protocol
CTS Clear-to-Send
D
DAP Directory Access Protocol
DAP Data Access Protocol
DARPA Defense Advanced Research Projects Agency
DBA Data Base Administrator
DBCS Double-Byte Character Set
DC Direct Current
DCAP Data Link Switching Client Access Protocol
DCC Data Communication Channel
DCD Data Carrier Detect
DCE Data Carrier Equipment
DCP Data Compression Protocol
DCR Direct Connecting Receptacle
DDA Digital Differential Analyzer
DDC Display Data Channel
DDCMP Digital Data Communications Message Protocol
DDE Dynamic Data Exchange
DDNS Dynamic DNS
DDoS Distributed Denial of Service attack
DDP Distributed Data Processing
DDP Datagram Delivery Protocol
DE Discard Eligibility
DES Data Encryption Standard
DET Directory Entry Table
DHCP Dynamic Host Configuration Protocol
DIMM Dual In-line Memory Module
DISA Data Interchange Standards Association
DLC Data Link Control
DLCI Data Link Connection Identifier
DLL Dynamic Link Library
DLSW Data Link Switching
DMA Direct Memory Access
DN Distinguished Names
DNA Digital Network Architecture
DNS Domain Name Service
DOS Denial of Service attack
DRAM Dynamic Random Access Memory
DS Distribution System
DSE Data Switching Equipment
DSL Digital Subscriber Line
DSMON Differentiated Services Monitoring
DSN Data Source Name
DSO Dynamic Shared Object
DSU Digital Service Unit
DSVD Digital Simultaneous Voice and Data
DTCP Digital Transmission Content Protocol
DTE Data Terminal Equipment
DTP Data Transfer Process
DTR Data-Terminal-Ready
DTS Distributed Time Service
DVMRP Distance-Vector Multicast Routing Protocol
DWDM Dense Wavelength Division Multiplexing
E
EBS Excess Burst Size
EC Error Checking
ECC Error Checking and Correction
ECF Echo Frame
ECP Encryption Control Protocol
ED Ending Delimiter
EDAC Error Detecting and Correcting
EGP Exterior Gateway Protocol
EISA Extended Industry Standard Architecture
EN End Node
EOF End of File
EOI End of Interrupt
EOL End of Line
EOR End of Record
EOT End of Transmission
EPROM Erasable Programmable Read-Only Memory
EPS Encapsulated PostScript
ESD Electro-Static Discharge
ESDI Enhanced Small Device Interface
ESP Encapsulating Security Payload
F
FATMA Frequency and Time Multiple Access
FC Frame Control
FCAPS Faults, Configuration, Accounting, Performance, Security
FCC Federal Communications Commission
FCRAM Fast Cycle RAM
FCS Frame Check Sequence
FDDI Fiber Distributed Data Interface
FDM Frequency Division Multiplexing
FDX Full Duplex operation
FEBE Far-End Bit Error
FEC Front-End Controller
FECN Forward Explicit Congestion Notification
FERF Far-End Receive Failure
FIFO First-In First-Out
FIPS Federal Information Processing Standard
FIR Fast Infrared
FLAG Fiber-optic Link Around the Globe
FLOPS Floating Point Operations Per Second
FM Frequency Modulation
FO Fragment Offset
FPS Fast Packet Switching
FRU Field Replaceable Unit
FS Frame Status
FTAM File Transfer Access and Management
FTP File Transfer Protocol
G
GLAN Global LAN
GMM GPRS Mobility Management
GMT Greenwich Mean Time
GSM Global System for Mobile Communications
GSMP General Switch Management Protocol
GUI Graphical User Interface
GUID Global Unique Identifier (128-bit code)
H
HDLC High-level Data Link Control
HDSL High bit rate Digital Subscriber Line
HDSL-RA HDSL Rate Adaptive
HDTP Handheld Device Transport Protocol
HDX Half Duplex
HEC Header Error Control
HEL Hardware Emulation Layer
HERF High Energy Radio Frequency
HSSI High-Speed Serial Interface
HTA HTML Application
HTML Hyper Text Markup Language
HTTP Hyper Text Transport Protocol
HTTPR Reliable HTTP
HTTPS Secure HTTP
Hz Hertz
I
IAB Internet Architecture Board
IACR International Association for Cryptologic Research
IANA Internet Assigned Number Authority
IAS Information Access Service
IASIW Institute for the Advanced Study of Information Warfare
IBR Intermediate Bit Rate
IC Integrated Circuit
ICA International Communications Association
ICH I/O Controller Hub
ICMP Internet Control Message Protocol
ICMPv6 Version 6 revision of ICMP
ICP Initial Connection Protocol
IDEA International Data Encryption Algorithm
IDN Integrated Data Network
IDRP Interdomain Routing Protocol
IEEE Institute of Electrical and Electronics Engineers
IESG Internet Engineering Steering Group
IETF Internet Engineering Task Force
IGMP Internet Group Management Protocol
IGP Interior Gateway Protocol
IGRP Interior Gateway Routing Protocol
IHL Internet Header Length
IIS Internet Information Server
ILMI Interim Local Management Interface
INMS Integrated Network Management System
InterNIC Internet Network Information Center
IO Input/Output
IP Internet Protocol
IPCP Internet Protocol Control Protocol
IPES Improved Proposed Encryption Standard
IPHC IP Header Compression
IPSec IP Security
IPSO Internet Protocol Security Options
IPX Internet Packet Exchange
IPXCP Internet Packet Exchange Control Protocol
IPV6 Revised version of IP
IPV6CP IPv6 PPP Control Protocol
IRC Internet Relay Chat
IrDA Infrared Data Association
IrLAP Infrared Link Access Protocol
IrLMP Infrared Link Management Protocol
IrOBEX Infrared Object Exchange protocol
IRQ Interrupt Request
IRTF Internet Research Task Force
IS Intermediate System
ISA Industry Standard Architecture
ISDN Integrated Services Digital Network
ISI Information Sciences Institute
ISO International Organization for Standardization
ISOC Internet Society
ISSA Information Systems Security Association
IT Information Technology
IVD Integrated Voice Data
K
KB Kilobyte
Kbps Kilobits per Second
KEA Key Exchange Algorithm
L
L2F Layer 2 Forwarding
L2TP Layer 2 Tunneling Protocol
LAI Location Area Identity
LAN Local Area Network
LANA Local Area Network Adapter
LANE LAN Emulation
LAP Link-Access Procedure
LAPB Link-Access Procedure (Balanced)
LAPD Link-Access Procedure, D channel
LAPF Link-Access Procedure F (Frame Relay)
LAT Local Area Terminal
LCP Link Control Protocol
LCR Least Cost Router
LDAP Lightweight Directory Access Protocol
LDIF LDAP Data Interchange Format
LDM Local Domain Manager
LDSL Low bit rate Digital Subscriber Line
LLC Link Layer Control
LLC Logical Link Control
LLP Lower-Level Protocol
LMI Layer Management Interface
LSA Link State Algorithms
LSB Least Significant Byte
M
MAC Media Access Control
MAN Metropolitan-Area Network
MAP Management Access Protocol
MAU Medium Attachment Unit
MB Megabyte
Mbps Million bits per second
MBR Master Boot Record
MBS Maximum Burst Size
MDSL Medium bit rate Digital Subscriber Line
MFM Modified Frequency Modulation
MFT Master File Table
MFTP Multicast File Transfer Protocol
MGCP Media Gateway Control Protocol
MHS Message Handling System
MHz Megahertz
MIB Management Information Base
MIC Management Interface Connector
MID Message Identification
MIPS Million Instructions per Second
MIS Management Information System
MO Managed Object
MODEM Modulator / Demodulator
MOF Managed Object Format
MOPS Millions of Operations per Second
MOSPF Multicast Open Shortest Path First
MPDU Message Protocol Data Unit
MPOA Multi-Protocol Over ATM
MRU Maximum Receive Unit
MSB Most Significant Bit
MSB Most Significant Byte
MSS Maximum Segment Size
MTBF Mean Time Between Failures
MTTR Mean Time to Repair
MTU Maximum Transmission Unit
N
NAK Negative Acknowledgment
NANP North American Numbering Plan
NAP Network Access Points
NAS Network Attached Storage
NAT Network Address Translation
NAU Network-Addressable Unit
NBMA Nonbroadcast, Multiaccess
NBS National Bureau of Standards
NC Network Computer
NCC Network Control Center
NCM Network Control and Management
NCSA National Computer Security Association
NCSC National Computer Security Center
NE Network Element
NetBEUI NetBIOS Extended User Interface
NetBIOS Network Basic Input/Output System
NFS Network File System (Sun)
NHC Next Hop Client
NIC Network Interface Card
NIST National Institute for Standards and Technology
NIU Network Interface Unit
NIUF North American ISDN User Forum
NMC Network Management Center
NMIB Network Management Information Base
NMMP Network Management Manager Process
NMP Network Management Protocol
NMPE Network Management Protocol Entry
NMS Network Management System
NMUP Network Management User Process
NN Network Node
NNI Network to Network Interface
NSAP Network Service Access Point
NT Network Termination
NT1 Network Termination 1
NT2 Network Termination 2
NTFS NT File System (NT)
NTP Network Time Protocol
NUA Network User Address
NUI Network User Identification
NVFS Network Virtual File System
NVP Network Voice Protocol
NVRAM Non Volatile RAM
O
OAM Operations, Administration, and Maintenance
OCC Open, Cooperative Computing
OCCA Open, Cooperative Computing Architecture
ODI Open Data-Link Interface
OEM Original Equipment Manufacturer
OLE Object Linking and Embedding
OOF Out of Frame
OS Operating system
OSI Open Systems Interconnection
OSINLCP OSI Network Layer Control Protocol
OSPF Open Shortest Path First
OU Organizational Unit
P
PAD Packet Assembly / Disassembler
PAM Pulse Amplitude Modulation
PAP Password Authentication Protocol
PBX Private Branch Exchange
PC Personal computer
PCI Peripheral Component Interface
PCMCIA Personal Computer Memory Card International Association
PCR Peak Cell Rate
PCSA Personal Computing System Architecture
PCTA Personal Computer Terminal Adapter
PCU Packet Control Unit
PDN Public Data Network
PDP Packet Data Protocol
PDU Protocol Data Unit
PES Proposed Encryption Standard
PHY Physical layer medium independent
PIM Protocol Independent Multicast
PIM-DM Protocol Independent Multicast/Dense Mode
PIM-SM Protocol Independent Multicast/Sparse Mode
PING Packet Internet Groper
PKCS Public Key Cryptography Standards
PKI Public Key Infrastructure
PMP Point to Multipoint
PNNI Private Network to Network Interface
PnP Plug ‘n’ Play
POP Point of Presence
POST Power-on Self Test
POTS Point of Termination Station
PPP Point-to-Point Protocol
PPPBPDU PPP Bridge Protocol Data Unit
PPPMultilink Multilink Point-to-Point Protocol
PPPoE PPP over Ethernet
PPS Packets per second
PPTP Point-to-Point Tunneling Protocol
PRI Primary Rate Interface
PROM Programmable Read-Only Memory
PSDN Packet-Switched Data Network
PSPDN Packet Switched Public Data Network
PSN Private Switching Networks
PSTN Public Switched Telephone Network
PU Physical Unit
PVC Permanent Virtual Circuit
PVT Permanent Virtual Terminal
Q
QoS Quality of Service
R
RADIUS Remote Authentication Dial-In User Service
RAF Resource Allocation Frame
RAID Redundant Array of Inexpensive Disks
RAM Random Access Memory
RARP Reverse ARP
RAS Remote Access Service
RCP Remote Communications Processor
RDA Remote Database Access protocol
RDF Request Denied Frame
RDP Reliable Datagram protocol
REJ Reject
RF Radio Frequency
RFB Remote Frame Buffer
RFC Request for Comment
RFI Radio Frequency Interference
RFI Request for Information
RFP Request for Proposal
RFS Remote File Service
RIF Routing Information Field
RIP Routing Information Protocol
RISC Reduced Instruction Set Computing
RJE Remote Job Entry
RLOGIN Remote Login
RLP Radio Link Protocol
RMA Return Merchandise Authorization
RMON Remote Monitoring
RNR Receive Not Ready
ROM Read Only Memory
RPC Remote Procedure Call
RPM Rotations per Minute
RR Receive Ready
RRAS Routing and Remote Access Service
RST Reset
RTC Real Time Clock
RTD Round Trip Delay
RTF Rich Text Format
RTM Response Time Monitor
RTMP Routing Table Maintenance Protocol
RTO Retransmission Time Out
RTP Routing Update Protocol
RTS Request to Send
RTSE Reliable Transfer Service Element
RTT Round Trip Time
RUDP Reliable UDP
RW Read/Write
S
SA Security Association
SAA Systems Application Architecture
SABM Set Asynchronous Balanced Mode
SAC Single Attached Concentrator
SAP Service Advertising Protocol
SAR Segmentation And Reassembly sublayer
SARM Set Asynchronous Response Mode
SAS Single Attached Station
SCSI Small Computer System Interface
SD Starting Delimiter
SFD Start Frame Delimiter
SFTP Simple File Transfer Protocol
SID Security ID
SIF Status Information Frame
SIMM Single In-line Memory Module
SIPP Single In-line Pin Package
SLA Service-Level Agreement
SMTP Simple Mail Transfer Protocol
SNA System Network Architecture
SNR Signal to Noise Ratio
SOA Start of Authentication
SOHO Small Office/Home Office
SONET Synchronous Optical Network
STA Spanning Tree Algorithm
STD Standard
STDM Synchronous Time Division Multiplexing
STE Signaling Terminal Equipment
STM Synchronous Transport Module
STP Shielded Twisted Pair
STP Spanning Tree Protocol
STS Synchronous Transport Signal level
SVC Switched Virtual Circuit
SVD Simultaneous Voice over Data
SWAP Shared Wireless Access Protocol
T
TA Terminal Adapter
TAN Transaction Number
TCA Telecommunications Association
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol/Internet Protocol
TDM Time Division Multiplex
TDMA Time Division Multiple Access
TE Terminal Equipment
TEI Terminal Endpoint Identifier
TELNET Telecommunications Network
TFTP Trivial File Transfer Protocol
TIA Telecommunications Industry Association
TL Total Length
TMN Telecommunications Management Network
TOS Type of Service
TP Transaction Program
TPDU Transport Protocol Data Unit
TPS Transactions per Second (Bus)
TPU Time Processing Unit
TS Time Slot
TSR Terminate and Stay Resident
TTL Time to Live
U
UART Universal Asynchronous Receiver Transmitter
UAWG Universal ADSL Working Group
UBR Unspecified Bit Rate
UCI User Class Identifier
UCP Universal Computer Protocol
UCS Universal Component System
UDC Universal Digital Channel
UDP User Datagram Protocol
UE User Elements
ULP Upper Level Protocol
UMB Upper Memory Block
UME UNI Management Entity
UMM Unidirectional Multipoint-to-Multipoint
UMTS Universal Mobile Telecommunications Systems
UN Unbalanced Normal
UNA Upstream Neighbor Address
UNC Universal Naming Convention
UNI User Network Interface
UPM Unidirectional Point-to-Multipoint
UPnP Universal Plug and Play
UPP Unidirectional Point-to-Point
UPS Uninterruptible Power System
URI Universal Resource Identifier
URL Uniform Resource Locator
USB Universal Serial Bus
USENET User Network
USM User-based Security Model
USTA United States Telephone Association
UTC Universal Coordinated Time
UTP Unshielded Twisted Pair
V
VAC Volts of Alternating Current
VAS Value-added services
VAT Virtual Allocation Table
VAX Virtual Address Extension
VBR Variable Bit Rate
VC Virtual Circuit
VCC Virtual Channel Connection
VCI Virtual Channel Identifier
VCL Virtual Channel Link
VCM Virtual Channel Memory
VCPI Virtual Control Programming Interface
VCSDRAM Virtual Channel SDRAM
VDC Volts of Direct Current
VDSL Very high bit rate Digital Subscriber Line
VDU Visual Display Unit
VESA Video Electronics Standards Association
VF Voice Frequency
VFAT Virtual File Allocation Table
VLAN Virtual LAN
VLSIC Very Large Scale Integrated Circuit
VM Virtual Memory
VMM Virtual Memory Manager
VMS Virtual Memory System
VOIP Voice over IP
VP Virtual Path
VPC Virtual Path Connection
VPI Virtual Path Identifier
VPL Virtual Path Link
VPN Virtual Private Network
VRE Voltage Regulated Extended
VRRP Virtual Router Redundancy Protocol
VRT Voltage Reduction Technology
VSE Virtual Storage Extended
VSIA Virtual Socket Interface Alliance
W
W3C World Wide Web Consortium
WAE Wireless Application Environment
WAIS Wide Area Information Server
WAN Wide Area Network
WAP Wireless Access Protocol
WATS Wide Area Telephone Service
WDM Wavelength Division Multiplexing
Appendix B
Command Line Interpreter Commands
Command Line Interpreter (CLI) commands, also known as Command Line Interface commands, have lower bandwidth requirements and may be used for out-of-band management via a low-speed dialup connection connected to the Console Interface. This aids in monitoring the Nortel VPN Router when TCP/IP connectivity over the Internet has been lost, and allows a user to communicate with the device to monitor it and perform remote diagnostics and troubleshooting.
CLI Command mode may be entered via Telnet or the Console mode. Telnet may be used over the dialup connection if the Console Interface has been configured to accommodate TCP/IP. To use Telnet, simply telnet to the management IP address of the Nortel VPN Router. This can be done either from the private network or through a user control tunnel established with a VPN Client over the Internet. If using a Console connection, select Command Line Interface from the Console menu choices if the Console Interface has been configured for terminal use.
The Nortel VPN Router has three levels of command mode:
■■ User EXEC mode
■■ Privileged EXEC mode
■■ Global configuration mode
Access via Console Connection
The console connection is an RS232 serial port on the unit. It may be accessed locally by connecting a compatible serial cable to a PC running a terminal emulation program such as HyperTerminal in Windows. The default settings for the Console Interface on a Nortel VPN Router are 9600 baud, 8 data bits, 1 stop bit, and no parity. Upon connection to the Console Interface, you may need to press the Enter key to display the login screen. The prompt appears as follows:
Please enter the administrator’s user name: admin <Name of the Primary Administrator of the unit>
Please enter the administrator’s password: setup <Password assigned to the Primary Administrator User ID>
NOTE On a new unit, the default user ID for the Primary Administrator is admin with a password of setup. These values may be changed upon initial configuration of the Nortel VPN Router and can be changed only by that administrator. The user ID and password must be safeguarded: without them, the unit cannot be fully administered or configured, because the Primary Administrator has rights that no other administrator has.
After logging in, the user is presented with the following Console Interface menu:
Main Menu: System is currently in NORMAL mode.
0) Management Address
1) Interfaces
2) Administrator
3) Default Private Route Menu
4) Default Public Route Menu
5) Create A User Control Tunnel(IPsec) Profile
6) Restricted Management Mode FALSE
7) Allow HTTP Management TRUE
8) Firewall Options
9) Shutdown
B) System Boot Options
P) Configure Serial Port
C) Controlled Crash
L) Command Line Interface
R) Reset System to Factory Defaults
E) Exit, Save and Invoke Changes
Please select a menu choice (0 - 9,B,P,C,L,R,E):
Select L to enter the CLI. The user is presented with the following prompt to begin entering commands:
CES>
Access via Telnet Session
Using any Telnet utility program, a Telnet session may be established with the Nortel VPN Router by connecting to the Management Interface IP address. Once the connection is established, the user is presented with a login prompt. After logging in, the user is presented with the following prompt:
CES>
The user may now enter commands that will be acted upon by the CLI.
User EXEC Mode
The EXEC mode is a limited-display mode that is established when you Telnet to the Nortel VPN Router. In this mode, the user is unable to view the configuration file or modify configuration settings; however, a user does have the ability to clear a route.
A list of EXEC mode commands may be displayed by logging in as the administrator and typing a question mark at the command prompt, as follows:
Login: admin
exit      Enables settings and disables exec mode and enables user level mode
help      Displays information about using commands interactively
ls        To display a list of files in the current directory
ping      Sends a ping message to a destination
pwd       To show the current directory
reset     Resets a port
show      Displays running system information
terminal  Terminal screen configuration
trace     Enables tracing a route to a destination
verify    Verify the system
who       Displays active Telnet sessions on the CES with what number a particular telnet session is since boot
help Command
The help command is a descriptive command that explains the help that is available while navigating the command structure. Its output is as follows:
CES>help
Help may be requested at any point in a command by entering
a question mark ‘?’ If nothing matches, the help list will
be empty and you must backup until entering a ‘?’ shows the available options.
Two styles of help are provided:
1 Full help is available when you are ready to enter a command argument (e.g ‘show ?’) and describes each possible argument.
2 Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input
(e.g ‘show pr?’.)
File System Commands
The cd, dir, ls, and pwd commands are used to view and verify the directory structure and files contained within the Nortel VPN Router.
The pwd command prints the working directory where the user is currently located. In the following example, it shows the directory tree path down to the subdirectory ldif:
CES>pwd
/ide0/system/slapd/ldif/
The dir and ls commands are similar in that they both display the contents of the directory in which the user is currently located. Following is an example of both:
CES>dir
Directory of /ide0/system/slapd/ldif/
<DIR> /ide0/
<DIR> FRI FEB 03 16:04:14 2006 .
<DIR> FRI FEB 03 16:04:36 2006
310349 FRI FEB 03 16:04:14 2006 527LDAP
87354 FRI FEB 03 16:00:00 2006 TEMPLATE.LDF
103784 FRI FEB 03 16:04:14 2006 TEST
Notice the difference in the display characteristics of each command. The dir command gives greater detail, with file sizes and creation dates along with the directory and filenames. The ls command displays only the names of the directories and files. If the presence of a file must be verified, use the ls command. When file detail is important, the dir command must be used.
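As an added example (not from the book or from Nortel), the following Python parser reads the dir listing format shown above, so that a saved console capture can be checked for a file's presence, size and timestamp without re-reading the screen by hand. The sample listing is constructed after the one above, not captured from a real unit.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample modelled on the dir listing above (not captured from a
# real unit). Directories carry <DIR> in place of a size.
SAMPLE_DIR_OUTPUT = """\
Directory of /ide0/system/slapd/ldif/
<DIR>    FRI FEB 03 16:04:14 2006  .
<DIR>    FRI FEB 03 16:04:36 2006  ..
310349   FRI FEB 03 16:04:14 2006  527LDAP
87354    FRI FEB 03 16:00:00 2006  TEMPLATE.LDF
103784   FRI FEB 03 16:04:14 2006  TEST
"""
# Columns: size-or-<DIR>, weekday, month, day, hh:mm:ss, year, name
ENTRY_RE = re.compile(
    r"^\s*(<DIR>|\d+)\s+[A-Z]{3}\s+([A-Z]{3})\s+(\d{1,2})\s+"
    r"(\d{2}:\d{2}:\d{2})\s+(\d{4})\s+(\S+)\s*$"
)

@dataclass
class DirEntry:
    name: str
    is_dir: bool
    size: Optional[int]  # None for directories
    timestamp: datetime

def parse_dir_output(text: str) -> Tuple[str, List[DirEntry]]:
    """Return (directory path, entries) from the text of a CES 'dir' command.
    Lines that do not match the entry layout (prompt echoes, blank lines in a
    console capture) are skipped rather than treated as an error."""
    path, entries = "", []
    for line in text.splitlines():
        if line.startswith("Directory of "):
            path = line[len("Directory of "):].strip()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        size_field, mon, day, clock, year, name = m.groups()
        stamp = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
        is_dir = size_field == "<DIR>"
        entries.append(DirEntry(name, is_dir, None if is_dir else int(size_field), stamp))
    return path, entries

def find_entry(entries: List[DirEntry], name: str) -> Optional[DirEntry]:
    """Look up one name (case-insensitively) and return None when absent."""
    return next((e for e in entries if e.name.upper() == name.upper()), None)
```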
The cd (change directory) command allows the user to navigate the directory structure. The standard directory structure starting at the root directory (/) is used within the Nortel VPN Router. All navigation starts from the current directory.
When a user first connects and is at the command-line prompt, the user is at the root directory of ide0:
CES>pwd
/ide0/
The files and directories located within this “root” directory are as shown here:
The SYSTEM directory is the current running server code directory. All files that are being used for control and logging of data when the Nortel VPN Router is operational are contained within the directories located under this directory.
To navigate down the directory tree, you can execute a cd command at each directory along the way to move to the directory below. Following is an example of navigating down to the ldif subdirectory:
CES>pwd
/ide0/
CES>cd system
CES>pwd
/ide0/system/
CES>cd slapd
CES>pwd
/ide0/system/slapd/
CES>cd ldif
CES>pwd
/ide0/system/slapd/ldif/
The pwd command was issued in each step to allow the user to see the progression down the directory tree.
If the directory is known, the user needs only to type the whole path, using a single cd command. Following is an example:
CES>pwd
/ide0/
CES>cd system/slapd/ldif
CES>pwd
/ide0/system/slapd/ldif/
CES>
So far, you have learned how to move down a directory tree. However, a user can move up, or to a whole new directory branch altogether, by typing the full path with the cd command. A shorthand notation of dot-dot (..) may be used to move back up the tree one directory level.
Here is an example of using the shorthand notation of dot-dot (..) to move up a directory level:
CES>pwd
/ide0/system/slapd/ldif/
CES>cd ..
CES>pwd
/ide0/system/slapd/
Following is an example of typing a path with the cd command to move up the same directory branch: