Nortel Annex Host Tools R14.2 New Features Manual

1302565-A Rev. 00
Annex Communications Server R10.0B and
Annex Host Tools R14.2 Release Notes
These release notes apply to the following:
The Annex Communications Server Operational Code
Version R10.0
The Annex Host Tools Version R14.2.24
Quick2Config Annex R2.3
Annex Manager R2.3
The release notes for Quick2Config Annex can be found by selecting
the Readme notepad icon in the Bay Networks Program Group.
Included in these release notes are the following topics:
New Features
Special Considerations
Supported Platforms
Known Problems/Limitations
Problems Resolved with this Release
These release notes supersede the notes provided on the distribution
media.
New Features
Ease of Use Installation
The installation process has been significantly improved and more
binaries have been added to the distribution media. The new
installation script will give users the following options:
Installing the Annex Host Tools and/or Annex Manager 2.3
Extracting only the necessary files from the medium
Editing the necessary system files
Blacklisting and Password History
Two new security features, user blacklisting and password history,
have been added to the ACP security functionality. The blacklisting
enhancement logs and monitors the number of failed login attempts for
users. The administrator may configure erpcd to disallow a user from
logging into the system based on the number of consecutive failed
login attempts, or the total number of failures over a period of time.
An acp_dbm utility was added to access the database used to store
the user's login history. This feature is not enabled by default.
ch_passwd
The ch_passwd utility has been enhanced to keep a history of a user's
passwords and can be configured to prevent a user from setting a
previously used password. This feature is not enabled by default
unless the system uses shadow passwords.
One-to-Many Dynamic Dial-up Routing
The Annex now provides for dynamic dialout to multiple destinations
via a single modem or modem pool.
CHAP Security for PPP
This feature allows for the use of encrypted passwords for PPP.
Enigma Security
The Annex can now authenticate a user via the Enigma SafeWord
Authentication Server.
CIDR
The Annex now supports Classless Interdomain Routing (CIDR),
which provides for supernetting of Class C addresses. Supernetting
allows you to use a subnet mask that is shorter than the intrinsic mask
derived from the class of the Internet address.
IP Basic Security Option (IPSO)
The Annex partially implements this security option by adding the
IPSO classification level to packets generated by telnet or rlogin
running on an Annex dedicated, adaptive, or CLI port.
ACP Port Statistics Logging
This feature tracks the number of packets sent and received and the
total number of bytes sent and received for each session.
TAP Identification Protocol
The Annex now supports this feature as defined in RFC 1413. TAP
Identification Protocol can determine the identity of a user of a
particular TCP connection. Given a TCP port number pair, TAP
returns a character string that identifies the owner of that connection
on the server's system.
Filtering Improvements
Changes have been made to the filter-action algorithm. There are four
filter lists for any interface:
global filter list for input (interface set to the * symbol)
global filter list for output (interface set to the * symbol)
local filter list for input (interface set to other than *)
local filter list for output (interface set to other than *)
When a packet is sent by the Annex, the local output filter list is
scanned first, followed by the global output filter list. When a packet
is received by the Annex, the local input filter list is scanned first,
followed by the global input filter list. For the purposes of the
algorithm, local and global are combined into one large list, and input
and output are considered separately.
The algorithm scans each filter, and if the filter conditions match the
packet under consideration, the associated actions are appended to
one of two lists. If the filter is an include, the actions are placed on the
to-do list. If the filter is an exclude, the actions are placed on the inhibit
list.
Once the complete list (both local and global) has been scanned, one
more check is done. If at least one include filter with the netact action
was seen (not necessarily matched, just scanned) and there were no
exclude filters with netact, the default action is none, that is, not netact.
If there were no include netact filters scanned or if any exclude netact
filters were seen, the default action is netact. This default is added to
the to-do list. Finally, the inhibit values are subtracted from the
to-do list.
The following are examples of this process:
Example 1
No filters at all; all traffic is activity.
Example 2
in include proto tcp dst_port telnet netact
in include proto icmp discard
out include proto icmp discard
Packets received that are destined for the standard telnet port (23) are
considered activity and may trigger a dial if the interface is a dial-out
type. No other IP packets are considered activity, and icmp packets
(such as ping) going either way are discarded. (This shows how
include netact works by itself.)
Example 3
out exclude proto udp port_pair router router netact
out include proto tcp dst_port smtp no_start
Packets generated by RIP are not considered activity and cannot start
the link. Packets destined for SMTP (email) are considered activity
and will keep an active link up, but will not start a dial. All other
packets are considered activity and will start a dial. (The second filter
could have also specified netact, but that is unnecessary because the
exclude implies that netact is the default.)
Example 4
out exclude dst_address 132.245.33.0/24 netact
out exclude dst_address 132.245.11.0/24 netact
Packets sent to either the 33 or 11 subnets will not be considered
activity. All other packets sent will constitute activity. This
demonstrates how excludes are logically ANDed together.
Example 5
out exclude proto tcp dst_address 132.245.66.0/24 netact
in include proto tcp dst_address 132.245.33.0/24 netact
Packets which the Annex sends over the link that are destined for the
66 subnet are not considered activity. All other packets sent are
considered activity. Packets the Annex receives that are addressed to
the 33 subnet are also considered activity. No other packets received
are considered activity. (This example is included to illustrate how
input and output filters do not interact.)
Setting a specific include with netact when there is an exclude with
netact for the same destination (in or out) has no effect. The exclude
with netact implies that everything else is activity (so no specific
include is needed) and, if the exclude matches the same packet as an
include, the exclude takes precedence (thus no specific include is
possible).
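The filter-action algorithm described above, written out as an added Python example (not Annex code). The names Filter and actions_for, the dict packet representation, and the mapping of "port_pair router router" to UDP source and destination port 520 and "smtp" to port 25 are assumptions made for illustration; the filter lists encode Examples 3 and 5.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Filter(NamedTuple):
    direction: str   # "in" or "out"
    kind: str        # "include" or "exclude"
    cond: dict       # match conditions; all of them must hold
    actions: set     # e.g. {"netact"}, {"discard"}, {"no_start"}

def matches(cond, pkt):
    for key, want in cond.items():
        have = pkt.get(key)
        if have is None:
            return False
        if key == "dst_address":
            if ip_address(have) not in ip_network(want):
                return False
        elif have != want:
            return False
    return True

def actions_for(filters, direction, pkt):
    """filters: the interface's local list followed by its global list."""
    todo, inhibit = set(), set()
    include_netact = exclude_netact = False
    for f in filters:
        if f.direction != direction:      # input and output never interact
            continue
        if "netact" in f.actions:         # counted when scanned, even if unmatched
            if f.kind == "include":
                include_netact = True
            else:
                exclude_netact = True
        if matches(f.cond, pkt):
            (todo if f.kind == "include" else inhibit).update(f.actions)
    # Default is "none" only when an include/netact was scanned and no exclude/netact was.
    if not include_netact or exclude_netact:
        todo.add("netact")
    return todo - inhibit                 # inhibit values are subtracted last

# Constructed encodings of the Example 3 and Example 5 filter lines.
EX3 = [
    Filter("out", "exclude", {"proto": "udp", "src_port": 520, "dst_port": 520}, {"netact"}),
    Filter("out", "include", {"proto": "tcp", "dst_port": 25}, {"no_start"}),
]
EX5 = [
    Filter("out", "exclude", {"proto": "tcp", "dst_address": "132.245.66.0/24"}, {"netact"}),
    Filter("in", "include", {"proto": "tcp", "dst_address": "132.245.33.0/24"}, {"netact"}),
]

if __name__ == "__main__":
    rip = {"proto": "udp", "src_port": 520, "dst_port": 520}
    print(actions_for(EX3, "out", rip))                               # RIP: no activity
    print(actions_for(EX3, "out", {"proto": "tcp", "dst_port": 25}))  # SMTP
```

An empty result means the packet is not activity; a result holding both netact and no_start is the Example 3 SMTP case, which keeps an active link up but does not start a dial.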
Disallowing VCLI Service
A new syntax is supported in the services file to disallow the
advertising of VCLI service:
service VCLI no
More Information from the stats -o Command
The stats -o command has been modified to give more information.
In the following example, the option key has been set properly for
tn3270 and LAT, but neither is enabled. In the case of LAT, resetting
the disabled_modules parameter will still not enable it because the
loader has disabled it, and the loader takes precedence over
disabled_modules.
admin : show annex disabled_modules
disabled_modules: atalk,ipx,lat,tn3270
admin :
AppleTalk and IPX are not supported in the Communications Server
release. NA and admin always display these modules as disabled.
The CLI stats -o command, however, does not display them at all.
annex: stats -o
KEYED OPTIONS:
LAT:                      keyed on but disabled by loader
tn3270:                   keyed on but disabled by disabled_modules
dialout/RIP/filtering:    keyed off
MODULES DISABLED
LAT, tn3270
annex:
Rotary Enhancement
You can now specify an Annex rotary that is reachable through the
normal UNIX rlogin protocol. Specify either protocol=rlogin or the
alternate TCP port /513 to enable this feature. (The user name and
terminal type are discarded. Thus, if port_server_security is enabled,
you must enter your user name and password again.) For example:
rlogin:protocol=rlogin 8-12@jdc
rlogin:8-12@jdc+132.245.33.229/513
rlogin:protocol=rlogin 8-12@jdc+132.245.33.229
rlogin:protocol=rlogin direct_camp_on=never
Year 2000 Compliance
The R10.0B release of software is Year 2000 compliant for Micro
Annex XL and the Annex 3. R10.0B is Year 2000 compliant when run
in self-boot mode or when run on a supported platform. The R14.2.24
host tools are Year 2000 compliant when run on a supported platform.
For more information, refer to SPR 11150 in the Problems Resolved
with this Release section.
Special Considerations
The R10.0 image names are as follows:
R10.0 Communication Servers:
oper.42.enet - Annex3
oper.52.enet - Micro AnnexXL
The Communications Server release does not support IPX and ARAP.
After an Annex boots, the Annex parameter disabled_modules is set
to ATALK and IPX. Annex configuration parameters related to these
protocols are in some cases displayed and can be modified but have
no effect on the operation of the Annex. For more information, refer
to the Known Problems section.
The smaller image size makes this release suitable for use in the
existing base of installed Annex3 and Micro XL hardware.
The following is a list of supported Annex platforms/configurations:
Micro Annex: 2mb ram/1mb flash/8 serial ports
Micro Annex: 2mb ram/1mb flash/16 serial ports
Annex3: 020 mother board/2mb ram max/1mb flash/32
serial ports*
Annex3: 3mb ram/1mb flash/64 serial ports*
Annex3: 4mb ram/1mb flash/64 serial ports
* Memory limited hardware - Some of the older hardware
configurations may be somewhat memory restricted when
used in a heavily loaded environment. These units have a lower
RAM-to-port ratio and are more likely to run out of memory
when an application demands high simultaneous port usage
with slip, ppp, or multiple sessions per port.
RAM is used to hold the operational image of the Annex. Loading an
operational image larger in size than its predecessor results in less
available memory for processes and sessions. The Communications
Server image size is slightly smaller than R9.2.7, therefore upgrading
from R9.2.7 would have no impact on the available RAM of the Annex.
However, if the upgrade is for a memory-limited Annex running R8.0
that is used in a truly loaded environment, the additional size of the
Communications Server image could cause insufficient RAM
conditions to occur.
Disabling modules that are not being used can often free enough RAM
to run in this situation. Disabling modules adds memory to the
available RAM heap by freeing the RAM that was used to store the
operational code of the module being disabled. Refer to the
Administrator's Guide for more information regarding disabling
modules.
Table 1 lists the modules that may be disabled in the Communications
Server release and the approximate RAM savings in kilobytes for each
module.
Table 1 RAM Saved by Disabling Modules
Module Disabled    Savings (KB)
Admin              >1
Dialout            4
Ftpd               >1
Lat                74
SNMP               81
Slip               9
tn3270             >1
tstty              >1
ppp                50
fingerd            2
name server        12
vci                50
edit               23
Memory Usage Example
A CLI port with 2 active telnet sessions requires 13.5k: 4.5k for the
CLI and 9k for the two telnet sessions.
The Annex defaults ports to CLI mode. Setting uninhabited ports to
a mode of UNUSED saves 4.5k per port. Administrators can monitor
memory with the CLI stats command. See the example below and the
Administrator's Guide for more detail.
Example:
Memory:
total=3145728
avail=1929944
free=882320
min free=785112
fails=0
total       The total installed RAM
avail       The total available RAM after an image is loaded
free        The current free memory available for general consumption
min free    The lowest value the free pool has obtained since the
            Annex was booted
fails       Memory was requested but not available.
When configuring a dialout route, you must set the metric for the
dialout route to exactly the same value as the metric on all the ports
for which the dialout is defined. By default, all metrics are 1.
Supported Platforms
The Distribution media contains binary files for most of the supported
platforms. When the script detects that there are binary files for the
host operating system, it gives you the option of installing the binary
files or loading the source code and compiling the software at a later
time. If there are no binary files available, the script loads the source
code and uses an available compiler on the host system to build the
image. If the script does not identify a compiler on your system, it
ends the installation session.
Table 2 lists the operating system versions supported by R10.0 and
the binary files that are provided on the distribution media.
Table 2 Operating System Support
Operating System                  Files Available
Sun Microsystems SunOS 4.1.4      Binary files and source code
Sun Microsystems SunOS 4.1.3      Binary files
Solaris 2.5.1                     Binary files
Solaris 2.4                       Binary files and source code
IBM RS/6000 AIX 4.2               Binary files and source code
Hewlett-Packard HP-UX 10.20       Binary files and source code
Hewlett-Packard HP-UX 10.0        Binary files
Linux 2.0.34                      Binary files and source code
Known Problems
The modems.annex file Cardinal V.34, Cardinal 56K, Motorola voice/
modemsurfer 56K, Penril V.34, Practical Perf V.34 and 56K, US
Robotics 56K, Courier V.Everything, and Zoom 56K. If you have a
modem from another vendor, you may have to update the
modems.annex file.
Annex Manager R2.3 may incorrectly display IPX and AppleTalk as
enabled software options in the Annex Info dialog box. The
Communications Server release does not support either protocol. This
misinformation only occurs in Annexes that have these protocols
enabled in their current option key setting. Obtaining and loading a
new option key eliminates the problem.
When the Motorola V.3400 modem is used with either the Micro
Annex XL or the RA2000, the connection is dropped as soon as DCD
is asserted by the modem. The port must be configured for modem
control and hardware flow control:
control_lines is set to both
input_flow_control is set to eia
output_flow_control is set to eia
The modem must be configured as follows:
hardware flow control set
DSR always on
DCD to follow carrier detect
hangup and reset on loss of DTR
For the time being, forcing DCD high works but will cause a problem
with the Annex terminating sessions. Since the Annex will never see
DCD go low, the connections will not be terminated when users exit.
Problems Resolved with this Release
SPR 11150 The acp_logfile is now year 2000 compliant.
The year 2000 is now displayed as "00" rather than "100".
If you are not installing on one of the supported host
platforms and you use the acp_logfile for accounting
purposes, you should be aware that after 991231 (which
represents 1999/12/31) midnight, the entry in the
acp_logfile will appear as 1000101 instead of 000101. If
you have scripts that use this information for accounting,
you need to modify those scripts to handle this properly.
SPR.8900 Dialback now works properly
SPR.8575 The modems.annex file has been updated to support USR
33.6 modems.
SPR.8702 Maximum value for erpcd max_logon parameter is now
1440 minutes.
SPR.9576 Aprint now works properly.
SPR.10447 Cardinal V.34, Cardinal 56K, Motorola voice/
modemsurfer 56K, Penril V.34, Practical Perf V.34 and
56K, US Robotics 56K, Courier V.Everything, and Zoom
56K.
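For accounting scripts affected by SPR 11150 above, an added Python example (not part of the Annex host tools) that normalizes the acp_logfile date field in both forms the note describes. The function names and the two-digit-year pivot of 70 are assumptions; only the date field is handled, since the rest of the log line format is not given here.

```python
from datetime import date

PIVOT = 70  # assumption: two-digit years 70-99 are 19xx, 00-69 are 20xx

def parse_acp_date(field):
    """Accept YYMMDD (compliant hosts) or the 7-digit form such as 1000101,
    where the leading three digits are years since 1900."""
    if not field.isdigit() or len(field) not in (6, 7):
        raise ValueError("unexpected date field: %r" % field)
    years, month, day = int(field[:-4]), int(field[-4:-2]), int(field[-2:])
    if len(field) == 7:
        year = 1900 + years          # "100" -> 2000, "101" -> 2001
    else:
        year = (1900 if years >= PIVOT else 2000) + years
    return date(year, month, day)    # raises ValueError on an impossible date

def chronological(fields):
    """Sort raw date fields by calendar date; plain string sorting puts
    1000101 and 000101 before 991231."""
    return sorted(fields, key=parse_acp_date)

if __name__ == "__main__":
    # Constructed sample fields, not taken from a real acp_logfile.
    for f in chronological(["1000101", "991231", "000102"]):
        print(f, parse_acp_date(f).isoformat())
```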
Features Not Supported in This Release
The following features are not supported by the R10.0B release of
software. The Annex Administrators Guide for Unix that is sent with
this release of software mentions several features which are not
present in the R10.0B software release. Some (but not all) of these
features are listed below:
LP and LPD
TSTTY
TMUX
Embedded RADIUS and RADIUS proxy
IPX
ARAP
Windows NT