Copyright
Copyright 2002 GlobespanVirata Inc. All Rights Reserved. This document and the software programs to which it relates are furnished under license and may only be used in accordance with the terms and conditions set forth in the license agreement. This document is provided for information only and is subject to change without notice. GlobespanVirata Inc assumes no responsibility or liability for any errors or inaccuracies that may appear in the document, and specifically disclaims any implied warranties of merchantability, fitness for a particular purpose, and non-infringement. Except as permitted by such license, no part of this document may be copied, reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, recording or otherwise, or used as the basis for manufacture or sale of any items without the prior written consent of GlobespanVirata Inc. Virata is a registered trademark of GlobespanVirata Inc. All other names are for reference only and are the property of their respective owners. ISOS (8.2 Service Release 2) User Guide: DO009467-PS GlobespanVirata Company Proprietary.
Contacting GlobespanVirata
For more information on GlobespanVirata, contact the offices below or visit our web site:
GlobespanVirata UK
Unit 230 Cambridge Science Park Milton Road Cambridge CB4 0WB United Kingdom Telephone: +44 1223 707400
Trademarks
Virata, EmStack and EmWeb are registered trademarks of GlobespanVirata Inc. ATMOS real-time operating system, Helium communications processor, Helium 200 communications processor, Helium 210 communications processor, ISOS Integrated Software on Silicon, are trademarks of GlobespanVirata Inc.
ISOS (8.2 Service Release 2) User Guide, DO-009467-PS (Issue 4, 6th Dec 2002)
Contents
1. About this Guide
1.1 Structure of this guide
1.2 Typographical conventions
1.3 Reading this guide
1.4 Documentation Reference Roadmap
2. Introduction
2.1 What is ISOS?
2.2 What is an ISOS System?
2.3 What configurations are supported by an ISOS System?
2.4 How is the ISOS System configured?
2.5 What are the features of each supported configuration?
2.6 What is the typical setup for each supported configuration?
2.7 What software platforms are supported?
2.8 What software development platforms are supported?
2.9 What additional software applications are needed?
6.6 Booting an ISOS System over the network
6.7 Troubleshooting
16.4 Virtual DMZ interface network
16.5 Initial virtual DMZ interface network configuration (CLI)
16.6 Security configuration (CLI)
16.7 NAT example configurations (CLI)
16.8 Firewall example configurations (CLI)
16.9 Initial Firewall, WAN Router & DMZ Router configuration (EmWeb)
16.10 Configuring the security interfaces (EmWeb)
16.11 Initial virtual DMZ interface network configuration (CLI)
16.12 NAT example configurations (CLI)
16.13 Firewall example configurations (CLI)
16.14 Initial virtual DMZ interface configuration (EmWeb)
16.15 Firewall example configurations (EmWeb)
16.16 NAT example configurations (EmWeb)
Index
List of Tables
Table 1: Gateway features
Table 2: PC-attached (USB) Gateway features
Table 3: Switch features
Table 4: Supported software platforms for ISOS
Table 5: Perl compatibility with ISOS Tools releases
Table 6: C++ compiler dependency for Linux Debian releases
Table 7: Software Source release
Table 8: Chip support package releases
Table 9: EmWeb Compiler License
Table 10: Tools Release Compatibility
Table 11: ISOS Software Tools Binary packages
Table 12: Installation directories for Linux and Solaris
Table 13: Installation directories for Windows platforms
Table 14: PC-attached Gateway Driver details
Table 15: RNDIS Driver package
Table 16: RNDIS Driver package
Table 17: MAC OS CDC Ethernet Driver package
Table 18: Linux CDC Ethernet Driver package
Table 19: Contents of flash.bin file
Table 20: BDXXXX Hardware types
Table 21: DMXXXX Hardware types
Table 22: (He210-80) MDS Hardware types
Table 23: ISOS product types
Table 24: Supported Product/Hardware type combinations
Table 25: Booting configuration options
Table 26: flash.bin image breakdown
Table 27: Image compression comparison
Table 28: Image decompression comparison
Table 29: PPPoE and FRED configuration setup
Table 30: Event level description
Table 31: ISOS Module configuration files
Table 32: ISOS ISFS files
List of Figures
Figure 1: Documentation roadmap
Figure 2: Typical Gateway configuration
Figure 3: Typical Gateway (detailed configuration)
Figure 4: Typical PC-attached (USB) Gateway configuration
Figure 5: PC (USB)-attached Gateway (detailed configuration)
Figure 6: Typical Switch configuration
Figure 7: ISOS Installation procedure
Figure 8: TEMP and TMP Variables Setup
Figure 9: AGRANAT_LICENSE_FILE Variable Setup
Figure 10: MAC OS CDC Ethernet Driver loaded
Figure 11: ISOS image structure
Figure 12: ISOS Build directories and configuration files
Figure 13: ISOS image structure (with recovery image)
Figure 14: ISOS image (with multiple partitions)
Figure 15: EmWeb Status homepage
Figure 16: EmWeb Quick Start No Login/DHCP page
Figure 17: EmWeb Quick Start PPPoE Login Setup page
Figure 18: EmWeb webserver Error Log page
Figure 19: EmWeb Auto update page
Figure 20: EmWeb Remote Access page
Figure 21: EmWeb Firmware Upgrade page
Figure 22: EmWeb Configuration Backup/Restore
Figure 23: EmWeb Restart page
Figure 24: EmWeb Save Configuration page
Figure 25: EmWeb Authentication page
Figure 26: EmWeb create user page
Figure 27: EmWeb Edit User page
Figure 28: EmWeb LAN connections page
Figure 29: EmWeb WAN connections page
Figure 30: EmWeb Edit Routes page
Figure 31: EmWeb Create IP V4 Route page
Figure 32: EmWeb ZIPB page
Figure 33: DHCP Server page
Figure 34: EmWeb DHCP server subnet configuration page
Figure 35: EmWeb DHCP Server configuration option page
Figure 36: EmWeb Create new DHCP server fixed host page
Figure 37: EmWeb DHCP Relay page
Figure 38: EmWeb DNS client page
Figure 39: EmWeb DNS Relay page
Figure 40: EmWeb Security page
Figure 41: EmWeb Firewall Add Interface page
Figure 42: EmWeb Security Interfaces table
Figure 43: EmWeb Advanced NAT configuration page
Figure 44: EmWeb Firewall Add Global Address Pool page
Figure 45: EmWeb Firewall Add Reserved Mapping page
Figure 46: EmWeb Firewall Add Policy page
Figure 47: EmWeb Current Firewall Policies table
Figure 48: EmWeb Firewall Add TCP Port Filter page
Figure 49: EmWeb Firewall Add Raw IP Filter page
Figure 50: EmWeb Firewall Add Host Validator page
Figure 51: EmWeb Firewall Add Trigger page
Figure 52: EmWeb Firewall Configure Intrusion Detection page
Figure 53: EmWeb Ethernet Port Configuration page
Figure 54: ISOS Module configuration schematic
Figure 55: Demo Network (Gateway)
Figure 56: Demo network (Gateway) with Bootp/TFTP server
Figure 57: Ethernet-RFC1483 bridged configuration
Figure 58: Ethernet-Frame Relay bridged configuration
Figure 59: Ethernet-IPoA routed configuration
Figure 60: Ethernet-BUN RFC1483 routed configuration
Figure 61: Ethernet-PPP routed configuration
Figure 62: PPPoE Client over RFC1483 configuration
Figure 63: PPPoE Configuration using FRED
Figure 64: Multiple PPPoE sessions with pass-through configuration
Figure 65: Multiple PPPoE session IP architecture
Figure 66: Routed using DHCP configuration
Figure 67: DHCP test configuration
Figure 68: Tunnelling encapsulation stack schematic
Figure 69: Ethernet-PPTP tunnelling-PPP server configuration
Figure 70: Ethernet-PPTP tunnelling-PPP client configuration
Figure 71: Demo network PC (USB)-attached Gateway configuration
Figure 72: Ethernet-USB PC-attached (USB) Gateway configuration
Figure 73: Ethernet-USB IPoA PC (USB)-attached Gateway routed configuration
Figure 74: Ethernet-USB/PPPoE PC (USB)-attached Gateway configuration
Figure 75: Demo network (Switch)
Figure 76: Firewall network configuration setup
Figure 77: Firewall virtual DMZ network configuration setup
Figure 78: ISOS Image structure
Figure 79: Demonstration configuration for ISOS System systems
Figure 80: Connecting the ISOS System (Gateway)
Figure 81: Connecting the ISOS System (PC-attached Gateway)
Figure 82: Connecting the ISOS System (Switch)
This chapter tells you about:
- The scope of this guide and its intended audience.
- The typographical conventions used in this guide.
- How to read and provide feedback about this guide.
The information contained in this guide must be read and fully understood before you attempt to use the product.
1.1 Structure of this guide
The next few chapters describe the basic use and configuration of ISOS:
- Using the CLI on page 125; explains how to use the CLI - the new command-line interface for ISOS.
- Using the EmWeb server on page 151; explains how to configure and set up EmWeb, the ISOS embedded Web server.
- Using the ISOS File Manager on page 201; describes how to manage the Flash memory used on the ISOS System.
- Configuring ISOS modules on page 217; describes the various methods for configuring ISOS modules.
- Compressing an ISOS image on page 229; describes how to use the various compression methods provided in ISOS.
The next few chapters describe how to configure an ISOS System in typical network configurations:
- Configuring the ISOS System in Gateway mode on page 235; describes how to use the CLI to configure an ISOS System in many typical Gateway configurations.
- Configuring the ISOS System in PC-attached Gateway mode on page 275; describes how to use the CLI to configure an ISOS System in PC-attached Gateway configurations.
- Configuring the ISOS System in Switch mode on page 323; describes how to use the CLI to configure an ISOS System to function as an ATM switch.
- Configuring security on the ISOS System on page 259; describes how to set up security on an ISOS System and provides example configurations for Firewall and NAT.
The final chapters and appendices contain advanced and reference information about ISOS:
- Obtaining and changing system setup information on page 387; describes how to obtain system and setup information for the ISOS System.
- Upgrading an ISOS System on page 403; describes how to upgrade software and hardware components of an ISOS System.
- Troubleshooting network configurations on page 419; describes the procedures to follow to find problems with many types of network configurations.
- ISOS Modules description on page 429; describes the configurations which are supported by the ISOS System.
- Installing ISOS System hardware on page 447; describes the GlobespanVirata BD6000 Series Evaluation systems and how to install these systems.
After reading this guide you should be ready to begin using ISOS for your own development.
1.2 Typographical conventions
Throughout this guide, the following typographical conventions are used to denote important information.
1.2.1 Text conventions
The following text conventions are used:
- Text like this is used to introduce a new term, to indicate menu options or to denote field and button names in GUI windows and dialogue boxes.
- Text like this is used to emphasize important points. For example: To keep your changes, you must save your work before quitting.
- Text like this is used for text that you type as a command or entry to a field in a dialogue box. Variables to a command are shown in text like this.
- Text like this is used for text that you see on the screen in a terminal window. Variables to displayed text are shown in text like this.
- Text in square brackets is used to indicate keyboard keys. For example: To reboot your computer, press [Ctrl]+[Alt]+[Del].
- Type versus Enter; Type means type the text as shown in the instruction. Enter means type the text as indicated and then press [Enter]; the Return key on the keyboard.
1.2.2 Notes, Warnings and Cautions
The following symbols are used:
- Warning: Indicates a hazard which may endanger equipment or personnel if the safety instruction is not observed.
- Caution: Indicates a hazard which may cause damage to equipment if the safety instruction is not observed.
- Note: Indicates general additional information about the operation of the equipment, including safety information.
1.3
1.4 Documentation Reference Roadmap
[Figure 1: Documentation roadmap. Documents shown: Helium Boot Procedure (DO-007286-TC); Helium 210-80 Data Book (DO-008538-PS); Helium 100 Data Book (DO-008532-PS); ISOS 8.2 User Guide; ISOS IP Stack Feature & Interface Guide (DO-400072-TC). Topic labels: Booting, Console, Helium, IP Stack]
There are also references given in this manual to other supporting documents which can be read for more information about ISOS. These documents are also available from the Licensee Server.
2. Introduction
This chapter provides a brief overview of ISOS software and ISOS System hardware. It is essential that you are familiar with the information in this chapter before you start using this system for development.
2.1 What is ISOS?
ISOS stands for Integrated Software On Silicon. It is a comprehensive suite of networking software and protocols which, when used with a GlobespanVirata Communications processor, provides an ideal platform for developing a wide range of networking and communications products.
2.2
2.3 What configurations are supported by an ISOS System?
The ISOS System can be used in any of the following configuration modes:
- PC-attached Gateway configuration; where the ISOS System appears as both a PC-attached Ethernet NIC card via USB device and an Ethernet Gateway. The PC runs protocols for the PC-attached component of the device and the ISOS System runs protocols for the Gateway component of the device.
- Gateway configuration; where the ISOS System acts as a standalone bridge/router between interfaces supported by the system. For example, USB, Ethernet/HDLC and ATM/ADSL.
- Switch configuration; where the ISOS System acts as an ATM switch, switching between multiple ATM ports.
For more details about the above configurations, refer to What are the features of each supported configuration? on page 10.
2.4 How is the ISOS System configured?
This configuration can be saved to Flash memory on the ISOS System in order to permanently save the configuration of the unit. The ISOS System can then be configured to boot from Flash, so that this configuration is used when the system is rebooted. Although some modules are configured partially at compile time, for example using Config.h lines in the system file, most modules can also be configured at run-time. When the system boots, these modules read a text configuration file from the ISFS filing system. Separate files can be stored in ISFS which configure certain parts of ISOS. For more details about configuring the ISOS System, refer to Configuring ISOS modules on page 217.
2.5 What are the features of each supported configuration?
[Table 1: Gateway features. Row labels: Typical product; Typical use; Booting method during Development; Booting method for end product; Supported product platforms]
2.5.2 PC-attached (USB) Gateway
The table below defines the features of a PC-attached Gateway configuration:
Feature | PC-attached Gateway
Typical product | A multi-user, multi-port device, such as a Router or Gateway.
Typical use | Small office/Home
Booting method during Development | Ethernet (TFTP) and/or USB
Booting method for end product | Flash memory/USB
Supported product platforms | Windows 98 FE (Gold), Windows 98 SE, Windows 2000, Windows ME, Windows XP, Linux (RedHat 7.2), MAC OS X, MAC OS 9
Table 2: PC-attached (USB) Gateway features
2.5.3
Table 3: Switch features
2.6 What is the typical setup for each supported configuration?
[Figure 2: Typical Gateway configuration. Diagram labels: Higher level protocols, ATM protocols, BUN drivers, PC, ISOS System, HUB, Ethernet, UTOPIA/EIO, PHY, ADSL, WAN]
In the configuration shown above, the ISOS System provides all the layer 2 and layer 3 protocols required to communicate with the Network. A DSL PHY (provided separately), connected via the UTOPIA/EIO port of the ISOS System, runs the DSL code for physically connecting the ISOS System to the network.
[Figure 3: Typical Gateway (detailed configuration). Diagram labels: Gateway, Bridge, ADSL, Ethernet (LAN)]
The ISOS System is booted over Ethernet (via a TFTP server) during development. An end-product developed from this type of configuration would probably be booted from Flash.
Note: In order to develop for this type of configuration, you must install the full GlobespanVirata software release.
For more information about the modules used in such a configuration, refer to ISOS Modules description on page 429.
2.6.2 Typical PC-attached Gateway (USB) configuration
The diagram below illustrates how you would connect up an ISOS System to develop a PC-attached Gateway:
[Figure 4: Typical PC-attached (USB) Gateway configuration. Diagram labels: Higher level protocols, ETH driver, RNDIS/CDC driver, BUN drivers, PC, USB, HUB, Ethernet, ISOS System, UTOPIA/EIO, PHY, ADSL, ATM protocols, WAN]
This configuration combines the features of the PC-attached and Gateway configurations to create a dual-mode configuration known as PC-attached Gateway. In this configuration, the ISOS System can be connected simultaneously to both USB and Ethernet connection ports. The ISOS System is recognised by the PC as a USB-attached Ethernet NIC and the PC's USB interface is recognised by the ISOS System as an extra Ethernet interface.
[Figure 5: PC (USB)-attached Gateway (detailed configuration). Diagram labels: USB port, IP Stack, NAT, CDC, RNDIS, Bridge, PPPoE, RFC1483, pc-ethernet port, usb-ethernet port, Ethernet port, DSL port, PC-Attached, Gateway, Ethernet NIC, Ethernet Gateway, Ethernet (LAN), ADSL]
In the above diagram, the ISOS System is bridging information between ADSL and Ethernet. In addition, LAN traffic received on the Ethernet port can be bridged to ADSL without the need for the data to travel to the PC and back again to the modem. This data flow can happen even while the PC is powered off. One key advantage of this type of configuration is that it enables the ISOS System to operate completely independently of the PC, yet take advantage of the USB-attached connection (via the Ethernet driver) for initial setup and configuration from the host PC. A DSL PHY (provided separately), connected via the EIO/Utopia port of the ISOS System, runs the DSL code for physically connecting the ISOS System to the Network.
This configuration is supported on the chip-side by either an RNDIS or USB CDC Ethernet driver depending on the OS running on the connected PC.

RNDIS is a specification developed by Microsoft for network devices on dynamic Plug-and-Play I/O buses such as USB. The specification defines a bus-independent message set and a description of how this message set can be conveyed across a specific I/O bus on which it is supported. If a device adheres to this specification then it eliminates the need for hardware vendors to provide PC-side device drivers to communicate with their device. If RNDIS is supported on the PC and the devices also support RNDIS, the network device can be attached to the PC without a device driver having to be loaded on the PC. Thus, RNDIS provides a truly driver-less installation. The RNDIS specification is supported by Microsoft for all versions of Microsoft OS from Windows XP onwards. For earlier versions of Microsoft OS the RNDIS drivers are provided by Microsoft.

CDC Ethernet Networking model is used for Linux and MAC OS PCs. The CDC-Ether model is defined by the USB Forum as the specification for devices to follow for driver-less installation on host operating systems which support the CDC Ethernet Networking Model and have a common driver for it. CDC-Ether support has been built into the Linux kernel (V2.4.18) and GlobespanVirata have developed CDC-Ether drivers for both MAC OS 9 and MAC OSX (10.1 and 10.2).

The ISOS System can be booted by the PC over USB during development. An end-product developed from this type of configuration would be booted from Flash or USB.

Note: In order to develop for this type of configuration, you must install the ISOS full software release as well as the PC driver software.

For more information about PC-attached support, refer to Booting the ISOS System in PC-attached mode on page 111.
2.6.3
[Figure 6: Typical Switch configuration]
In the configuration shown above, the ISOS System provides all of the ATM protocols to communicate with and manage the ATM Network Devices connected to it via the UTOPIA port. The ISOS System enables SVC and PVC connections to be set up between the ATM Network Devices. For more information about the modules used in such a configuration, refer to ISOS Modules description on page 429.
2.7 What software platforms are supported?
2.7.1 For PC-attached configuration
The ISOS System can be connected to PCs and used in the PC-attached configuration on any of the following operating systems:
- Windows XP
- Windows 2000
- Windows 98 and Windows 98 SE
- Windows 98 FE (PC-attached (USB) Gateway only). (This version of Windows is also referred to as Windows 98 Gold.)
- Windows ME
- MAC OSX 10.1 and MAC OSX 10.2
- MAC OS 9
- Linux
2.7.2 For Gateway configurations
The ISOS System can be connected to any network node which has an Ethernet interface.
2.8 What software development platforms are supported?
- Linux Debian (i386)
- Linux RedHat (i386/libc6.1)
- Linux RedHat (i386)
- Solaris (Sun OS 5.7)
- Windows NT 4
- Windows 2000
- Windows XP
Table 4: Supported software platforms for ISOS
You should consult the documentation provided with your system for information on how to find out which version of a particular OS you are running. In general:
- For Windows systems, the information about the OS is given from the System Properties dialog box. This box is displayed by choosing Properties from the menu of the My Computer icon.
- For UNIX-based systems, this information is normally contained in a configuration file in /etc. For example, RedHat Linux systems store version information in /etc/issue.
2.9 What additional software applications are needed?
2.9.1 Perl requirements
The correct version of Perl is needed for all ISOS Tools releases installed on any supported platform. This is because the ISOS Tools releases supply a pre-built version of the Perl expat library. The following table shows which Perl versions have been used to build the supplied expat library for each platform and which versions of Perl should be compatible with this build:
Version of Perl used for build V5.005_5 (from Debian V2.2 distribution) V5.005_x Perl version required for compatibility
Platform
V5.005_3 (from RedHat V6.2 CD) V5.6.0 (from RedHat V7.0 CD) V5.005_x V5.6.0 (from RedHat 7.0 CD) V5.6.1.x (from www.activestate.com) V5.6.1
Solaris 2.7
Table 5: Perl compatibility with ISOS Tools releases
Note: Cygwin, which must be installed for all Windows platforms, includes Perl, so by installing the correct version of Cygwin you have also installed the correct version of Perl.
If you would like to use a different version of Perl (which must be at least 5.005), you will need to recompile the expat library. To do this, you need the source code for this library. The source code for the expat library is part of the XML::Parser perl module, and GlobespanVirata uses V2.29 of this module.
GlobespanVirata also make this module available in the ISOS Tools 8.41 Source release. To build the expat library, follow these steps:
1 Download the module from a distribution site. Some web sites where this module may be found include:
  http://www.activestate.com
  http://www.cpan.org (or one of its mirror sites)
2 Untar the downloaded file into a temporary directory. For example:
  tar -xzvf XML-Parser-2.29.tar.gz
3 Enter the directory created by the previous step (XML-Parser-2.29).
4 Enter the following commands:
  perl Makefile.PL
  make
  make install
This will create a working version of the expat library, installed in the correct Perl directory.
The following sections outline other more general requirements that you need to meet for each particular platform.
2.9.2 For Linux
All Linux systems
You must have the following applications installed on your computer:
- A Terminal application; a program called Minicom is supplied with many Linux distributions. (If you do not have this application, you can use gdbterm which is provided as part of the ISOS Tools Release.)
- unzip, to decompress software releases.
You may also need the following applications installed on your computer, depending on how you will be configuring the ISOS System:
- TFTP Boot server or similar.
Debian Linux
Debian Linux systems require particular versions of the C++ compiler libstdc++ to be installed. The following table shows the required versions:
Version of C++ compiler required libstdc++2.10
Platform
You must have the following applications installed on your computer:
- GNU make version 3.62 or later.
  Note: The ISOS Tools release will not work with the standard Solaris make.
- A Terminal application; a program called minicom is supplied with Solaris. (If you do not have this application, you can use gdbterm which is provided as part of the ISOS Tools Release.)
- unzip, to decompress software releases.
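The Perl and GNU make version requirements stated in this chapter can be checked before the Tools release is installed. The script below is an added example, not part of the original guide or of the ISOS Tools release; its function names are hypothetical, and it assumes the installed Perl reports its version through the built-in $] variable and that GNU make identifies itself on the first line of `make --version`.

```sh
#!/bin/sh
# Added example: preflight check for the Perl and GNU make version
# requirements in this chapter. Function names are hypothetical.
# Usage: sh <this file> <Table 5 compatibility entry>, e.g. 5.005_x or 5.6.1

# Strip leading zeros so a field such as "005" is compared as decimal 5.
_dec() {
    n=$1
    while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n=${n#0}; done
    printf '%s' "$n"
}

# Succeed only if every argument is a non-empty string of digits.
_all_digits() {
    for f in "$@"; do
        case $f in ''|*[!0-9]*) return 1 ;; esac
    done
}

# Print "major minor patch" for a Perl version string. Accepts the spellings
# used in Table 5 (5.005_03, V5.6.1) and the numeric form of $] (5.00503).
perl_version_triple() {
    v=${1#[vV]}
    case $v in *.*) ;; *) return 1 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    case $rest in
        *_*)  minor=${rest%%_*}; patch=${rest#*_} ;;                      # 5.005_03
        *.*)  minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*} ;;  # 5.6.1
        ???*) patch=${rest#???}; minor=${rest%"$patch"} ;;                # $] form
        *)    minor=$rest; patch=0 ;;
    esac
    major=$(_dec "$major"); minor=$(_dec "$minor"); patch=$(_dec "${patch:-0}")
    _all_digits "$major" "$minor" "$patch" || return 1
    printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# Print one integer that orders Perl versions (5.005_03 sorts below 5.6.0).
perl_version_key() {
    t=$(perl_version_triple "$1") || return 1
    set -- $t
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# The guide requires Perl to be at least 5.005.
perl_meets_minimum() {
    k=$(perl_version_key "$1") || return 1
    [ "$k" -ge 5005000 ]
}

# True when installed Perl $1 matches a "required for compatibility" entry $2
# from Table 5: "5.005_x" means any 5.005 subversion, "5.6.1" means exactly that.
expat_prebuilt_usable() {
    have=$(perl_version_triple "$1") || return 1
    case $2 in
        *_x) want=$(perl_version_triple "${2%_x}") || return 1
             [ "${have% *}" = "${want% *}" ] ;;   # compare major and minor only
        *)   want=$(perl_version_triple "$2") || return 1
             [ "$have" = "$want" ] ;;
    esac
}

# True when $1, the first line of `make --version`, names GNU make 3.62 or
# later. Any other make (such as the standard Solaris make) fails the check.
gnu_make_ok() {
    case $1 in "GNU Make "*) mv=${1#"GNU Make "} ;; *) return 1 ;; esac
    mv=${mv#"version "}          # tolerate an optional "version" word
    mv=${mv%%[!0-9.]*}           # keep only the leading dotted number
    case $mv in *.*) ;; *) mv=$mv.0 ;; esac
    mmaj=$(_dec "${mv%%.*}"); mrest=${mv#*.}; mmin=$(_dec "${mrest%%.*}")
    _all_digits "$mmaj" "$mmin" || return 1
    [ "$mmaj" -gt 3 ] || { [ "$mmaj" -eq 3 ] && [ "$mmin" -ge 62 ]; }
}

# Check the tools found on PATH against the requirements above.
preflight() {
    rc=0
    pv=$(perl -e 'print $]' 2>/dev/null) || pv=
    if ! perl_meets_minimum "$pv"; then
        echo "perl: missing or older than 5.005"; rc=1
    elif ! expat_prebuilt_usable "$pv" "$1"; then
        echo "perl $pv: pre-built expat not compatible, rebuild it from XML::Parser 2.29"; rc=1
    fi
    gnu_make_ok "$(make --version 2>/dev/null | head -n 1)" ||
        { echo "make: GNU make 3.62 or later required"; rc=1; }
    command -v unzip >/dev/null 2>&1 || { echo "unzip: not found"; rc=1; }
    return $rc
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```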
You may also need the following applications installed on your computer, depending on how you will be configuring the ISOS System:
- TFTP Boot server or similar.
2.9.4 For Windows (NT, 2000 and XP)
You must have the following applications installed on your computer:
- The Cygnus Cygwin software (UNIX environment for Windows) must be pre-installed on your system. To obtain Cygwin, visit: http://sources.redhat.com/cygwin/
  The following elements of Cygwin must be installed:
  Base: All (the default set)
  Interpreters: gawk and Perl
  Devel: make
  The versions of Cygwin which have been fully tested with ISOS are: v1.3.6 or v1.3.9. Later versions of Cygwin are also likely to be compatible with ISOS.
  Note that if you install Cygwin in another directory apart from the default directory you must edit the file atmos.bat in the root of the Tools installation directory. Edit the line:
PATH=%__INSTDIR_W%\%ATMOSHOST%bin;c:\cygwin\bin;%PATH%;
set ATMOSTOOLS=%__INSTDIR_U%
  to match the directory where you have installed Cygwin.
- A Terminal application; a program called HyperTerminal is normally supplied with Windows. There are lots of other similar Terminal applications available from the Internet.
- WinZip, to decompress software releases. This program is not needed for Windows XP as this OS includes unzip functionality.
- A Multi-file editor, such as PFE, which can handle text files in UNIX format. To obtain PFE, visit: http://www.winsite.com
You may also need the following applications installed on your computer depending on how you will be configuring the ISOS System:
- To download image files to the ISOS System over Ethernet, you will need Bootp and TFTP server software for your computer. This software is available as a third-party add-on from many vendors. Some web sites where this software can be found include:
  http://www.weird-solutions.com/download/index.html: bootp server.
  http://www.walusoft.co.uk/products.htm: tftp server and bootp application.
Note: No association with Walusoft or Weird Solutions is implied, nor is this an endorsement of their products. You are strongly encouraged to read the usage agreements provided with each product and to abide by them. GlobespanVirata can assume no responsibility for users that do not follow the instructions provided with each product.
This chapter describes how to install ISOS software, including source software, license packages and development tools.
3.1 Installation overview
To install ISOS software, you need to carry out the following steps, as shown in the diagram below:
[Figure 7: ISOS Installation procedure. Steps legible in the flowchart: START; Search for the ISOS release packages using the Licensee Server or ISOS Release CD; Download the packages specific to your hardware platform; Configure your shell initialisation file (if working with more than one ISOS release)]
The installation steps are described in the following sections of this chapter.
3.2
3.3
3.3.1 ISOS source software package
The following table indicates which ISOS source files you need to download.
ISOS Release | Part number
Software 8.2 Service Release 2: ISOS Source | DO-400599-LS
The Chip support package (CSP) is the software which has knowledge of the underlying hardware platform and in particular the communications processor being used. If you consider the ISOS Source release as a generic release, then the CSP is the software which customizes the ISOS source release for use with a particular GlobespanVirata communications processor. The following table lists the most common CSP releases for ISOS Systems:
Chip support package (CSP) | Part number
Software 8.2 Service Release 2: Helium 2x0/100 CSP | DO-400600-LS
Software 8.2 Service Release 2: Argon Chip Support Package | DO-400601-LS
Table 8:
There are many more CSPs available for use with the full range of GlobespanVirata development systems and reference designs. These packages can all be downloaded from the GlobespanVirata Licensee Server.
3.3.3 Board support package
The Board support package (BSP) is a similar package to the CSP. A BSP also has knowledge of the underlying hardware platform. If you consider the ISOS Source release as a generic release, then the BSP is the software which customizes the ISOS source release for use with a particular GlobespanVirata ISOS System.
In general, only ISOS Systems such as Reference Designs require a BSP package to be installed. Support for ISOS Systems such as BD3000 and BD6000 systems is provided in the CSP for the Communication processors used by these systems.
There are many more BSPs available for use with the full range of GlobespanVirata Development Systems and Reference Designs. These packages can all be downloaded from the GlobespanVirata Licensee Server.
3.3.4 EmWeb compiler license package
The EmWeb compiler license package is needed to enable you to use the EmWeb compiler (ewc). The EmWeb compiler is used in the build process to rebuild the set of default web pages which are provided in ISOS. The following table indicates the EmWeb license which can be used with ISOS 8.2:
EmWeb license | Part number
Web Content Compiler Enhanced License | DO-008620-LS
The ISOS 8.2 Tools are released as a set of binary packages for specific development platforms. The Tools are also provided in source form for licensees who wish to understand more about how some of the Tools work or to make custom changes and rebuild the tools.
The main version number of ISOS Tools release must agree with the ISOS software release version number. For example, for an ISOS 8.x source release you should use the latest version of the ISOS 8.x Tools release. Therefore, for ISOS 8.2 we strongly recommend that you use the ISOS 8.20 Tools release. The following table offers some guidelines to follow for choosing which Tools release to use with which version of ISOS:
ISOS Release | Tools Release
ISOS 7.1 (and earlier) | Tools 7.13
ISOS 8.0, ISOS 8.1, ISOS 8.2 | Tools 8.20
Table 10:
If you need to work with more than one ISOS 8.x release, you need to download and install each ISOS source software release and then download the latest 8.x Tools release. Also check whether a patch is available for the ISOS Software release you are using, to ensure compatibility with the latest Tools release.
If you need to work with both an ISOS 7.x and an ISOS 8.x source release then you will need to install the latest versions of both the 7.x Tools and the 8.x Tools and configure your environment to switch between each Tools release. (For more information on how to switch between different Tools release versions, refer to Configure your shell initialisation file on page 48.)
The Release Notes provided with an ISOS software release will always mention the Tools release version which needs to be used and provide advice for backwards compatibility with previous ISOS Tools releases.
Tools Binary Release packages
The following table indicates which ISOS Tools binary files you need to download for developing with ISOS 8.2:
Platform | Part number
Linux i386/libc6.1 (Debian 2.2 i386) | DO-009471-LS
Linux i386/libc6.1 (RedHat 6.2) | DO-009470-LS
Linux i386/libc6.1 (Redhat 7.0 i386) | DO-009473-LS
Solaris 2.6/2.7 | DO-009474-LS
Windows (NT4 / W2K / XP) | DO-009475-LS
Table 11: ISOS Software Tools Binary packages

Tools Source Release packages
The ISOS 8.20 Tools are also provided in source format. The source is provided primarily as a reference if you wish to understand how some of the tools work in more detail, or to make custom changes. However, note that building the Tools from source is not a trivial exercise and is not usually necessary or recommended.

3.3.6 Installation directories
The following sections list the top-level directories which are created when the ISOS Tools release is installed on all supported platforms.

For Linux and Solaris based platforms
For Linux and Solaris based platforms the directories created are:
/usr/local/virata/share
/usr/local/virata/tools_v<version number>
where <version number> is the version of the Tools release being installed. For example, for Tools 8.20, the directory created would be:
/usr/local/virata/tools_v8_20
The directories created for each platform are listed in the table below:
Platform | Directories
Linux i386/libc6 (Debian 2.1) | /Linux2-6
Linux i386/libc6.1 (Debian 2.2 i386) | Linux2-6
Linux i386/libc6.1 (RedHat 6.2) | Linux2-6
Linux i386/libc6.1 (Redhat 7.0 i386) | Linux2-6
Solaris 2.6/2.7 | SunOS5-1
Table 12:
For Windows platforms
For Windows platforms the directories created are:
c:\usr\local\virata\share
c:\virata\tools_v<version number>
where <version number> is the version of the Tools release being installed. For example, for Tools 8.20, the directory created would be:
/usr/local/virata/tools_v8_20
The directory created is listed in the table below:
Platform Directory tools tools tools
Table 13:
3.4
1 Ensure that you are running a supported version of Debian. (For more information, refer to What software development platforms are supported? on page 20.)
2 Ensure that you have met all additional requirements for this platform. (For more information, refer to What additional software applications are needed? on page 20.)
3 Ensure that you have downloaded the appropriate ISOS Tools file for your platform, as described in Downloading ISOS software packages on page 29.
4 Type the following command:
dpkg -i --force-depends <tools binary file>
5 Configure your shell initialisation file to ensure that your path includes the correct ISOS Tools and any necessary environment variables are set.
Add a line to your shell configuration file, to set the shell variable VIRATA_TOOLS to the version of the Tools you will be using.
For csh and tcsh users, add the line:
set VIRATA_TOOLS=8.20
For sh, bash or zsh users, add the line:
VIRATA_TOOLS=8.20
Add another line to your shell configuration file to source the relevant Tools configuration script.
For csh and tcsh users, add the line:
source /usr/local/virata/config.csh
For sh, bash or zsh users, add the line:
. /usr/local/virata/config.sh
This line must come after the VIRATA_TOOLS line in your shell configuration file. For more information on how to work with more than one release, refer to Configure your shell initialisation file on page 48.
6 For the very latest information about the release, read the Tools Release note provided with the release. This is called RELEASE.txt and is contained in the directory: /usr/local/virata/tools<version>/doc.
3.4.3 Linux (RedHat) installation procedure
You must be logged in as root in order to install the tools. To install the Tools on a RedHat (Linux) system, follow the procedure below:
1 Ensure that you are running a supported version of RedHat Linux. (For more information, refer to What software development platforms are supported? on page 20.)
2 Ensure that you have met any additional requirements for this platform. (For more information, refer to What additional software applications are needed? on page 20.)
3 Ensure that you have downloaded the appropriate ISOS Tools file for your platform, as described in Downloading ISOS software packages on page 29.
4 Type the following command:
rpm -i --force <tools binary file>
A directory structure is created for the Tools in /usr/local/virata/tools<version>/Linux2-6/ and information is displayed on how you need to change your shell configuration file to use the release.
5 Configure your shell initialisation file to ensure that your path includes the correct ISOS tools and any necessary environment variables are set.
Add a line to your shell configuration file, to set the shell variable VIRATA_TOOLS to the version of the tools you will be using.
For csh and tcsh users, add the line:
set VIRATA_TOOLS=8.20
For sh, bash or zsh users, add the line:
VIRATA_TOOLS=8.20
Add another line to your shell configuration file to source the relevant Tools configuration script.
For csh and tcsh users, add the line:
source /usr/local/virata/config.csh
For sh, bash or zsh users, add the line:
. /usr/local/virata/config.sh
This line must come after the VIRATA_TOOLS line in your shell configuration file. For more information on how to work with more than one release, refer to Configure your shell initialisation file on page 48.
6 For the very latest information about the release, read the Tools Release note provided with the release. This is called RELEASE.txt and is contained in the directory: /usr/local/virata/tools<version>/doc.
3.4.4 Solaris installation procedure
You must be logged in as root in order to install the ISOS Tools. To install the Tools on a Solaris system, follow the procedure below:
1 Ensure that you are running a supported version of Solaris. (For more information, refer to What software development platforms are supported? on page 20.)
2 Ensure that you have met any additional requirements for this platform. (For more information, refer to What additional software applications are needed? on page 20.)
3 Ensure that you have downloaded the appropriate ISOS tools file for your platform, as described in Downloading ISOS software packages on page 29.
4 Enter the following command:
pkgadd -d <tools binary file>
If prompted, overwrite any existing files. A directory structure is created for the tools files in /usr/local/virata/tools<version>/SunOS5-1/ and information is displayed on how you need to change your shell configuration file to use the release.
5 Set up a symbolic link to perl for the Tools. The default installation for perl is /usr/bin, but the Tools release expects to find perl in /usr/local/bin. Therefore, a symbolic link to /usr/bin/perl needs to be created in /usr/local/bin as shown below:
cd /usr/local/bin
ln -s /usr/bin/perl perl
6 Ensure that you have installed GNU make version 3.62 or later.
Note: The ISOS Tools release will not work with the standard Solaris make.
7 Configure your shell initialisation file to ensure that your path includes the correct ISOS Tools and any necessary environment variables are set.
Add a line to your shell initialisation file, to set the shell variable VIRATA_TOOLS to the version of the tools you will be using.
For csh and tcsh users, add the line:
setenv VIRATA_TOOLS 8.20
For sh, bash or zsh users, add the line:
VIRATA_TOOLS=8.20
Add another line to your shell initialisation file to source the relevant Tools configuration script.
For csh and tcsh users, add the line:
source /usr/local/virata/config.csh
For sh, bash or zsh users, add the line:
. /usr/local/virata/config.sh
This line must come after the VIRATA_TOOLS line in your configuration file. For more information on how to work with more than one Tools release, refer to Configure your shell initialisation file on page 48.
8 For the very latest information about the release, read the Tools Release note provided with the release. This is called RELEASE.txt and is contained in the directory: /usr/local/virata/tools<version>/doc.
3.4.5 Windows (NT, 2000, XP) installation procedure
Note: If you have previously installed a Tools release on the Windows system, then you must first un-install the old release before you install this Tools release. For more information, refer to the Release Notes provided with this release, which describe the un-install procedure.
To install the Tools on a Windows system, follow the procedure below:
1 Ensure that you are running a supported version of Windows. (For more information, refer to What software development platforms are supported? on page 20.)
2 Ensure that you have met any additional requirements for this platform. (For more information, refer to What additional software applications are needed? on page 20.)
Note: The most important requirement is to ensure that you have installed the Cygnus Cygwin software (UNIX environment for Windows). This must be pre-installed on your system before you install the Tools release.
3 Ensure that you have downloaded the appropriate ISOS Tools packages for your platform, as described in Downloading ISOS software packages on page 29.
4 Ensure that the Environment variables temp and tmp have been set up to point to temporary directories on your computer. The variable settings are shown on the Environment tab in the System Properties dialog box. (This dialog box is displayed by right-clicking on the My Computer icon and choosing Properties from the menu displayed.) For example:
5 Run the *.exe file you have downloaded. This will start the InstallShield program which will begin installing the Tools release.
Note: Do not install the Tools in a directory path containing a space, such as Program Files.
A directory structure is created, by default, in: c:\virata\tools_v<version_number>\tools
6 Run the Build ATMOS images program from the menu: Start > Programs > Virata-Tools<Version number>
The Build ATMOS images sub-shell window is displayed. From here you can build images.
7 For the very latest information about the release, read the Tools Release note provided with the release. This is called RELEASE.txt and is contained in the directory: c:\virata\tools_v<version_number>\doc.
3.5
1 Log in to your computer using your normal username and password. You do not need to be logged in as root to install the software.
2 Ensure that you are running a supported version of Linux or Solaris. (For more information, refer to What software development platforms are supported? on page 20.)
3 Ensure that you have met all additional requirements for this platform. (For more information, refer to What additional software applications are needed? on page 20.)
4 Ensure that you have installed the relevant ISOS Tools release, as described in Installing ISOS Tools on page 35.
5 Create a new directory where you wish to store the software. For example, ISOS_DEVEL.
6 Decompress the ISOS source file to the new directory, using the correct Zip options. For example:
unzip <software source file>
A directory structure is created, containing the ISOS source and system files.
7 Read the Release Notes, for any further information about the release. The Release note for the ISOS source release is a text file called release.txt and is contained in the root of the install directory.
There is also a document that you should read: DO-400602-TC, Software 8.2 Service Release 2: Release Notes which contains more detailed information about the release.
3.5.2 Windows (NT, 2000 and XP) installation procedure
To install the ISOS source software release, follow the procedure below:
1 Ensure that you are running a supported version of Windows. (For more information, refer to What software development platforms are supported? on page 20.)
2 Ensure that you have met any additional requirements for this platform. (For more information, refer to What additional software applications are needed? on page 20.)
3 Ensure that you have installed the relevant ISOS Tools release, as described in Installing ISOS Tools on page 35.
4 Create a new directory called, for example, ISOS_DEVEL.
5 Open the downloaded ISOS source file in WinZip and extract all files to the new directory. A directory structure is created, containing the ISOS source and system files.
6 Read the Release Notes, for any further information about the release. The Release note for the ISOS source release is a text file called release.txt and is contained in the root of the install directory.
There is also a document that you should read: DO-400602-TC Software 8.2 Service Release 2: Release Notes which contains more detailed information about the release.
3.6
Decompress the CSP from the same directory in which you installed ISOS, using the correct Zip options. For example:
unzip <CSP file>
The files are copied to the relevant ISOS directories.
Read the Release Notes for the CSP that has been installed. The Release Note for the CSP is a .txt file which will be installed in the current directory. You should read this note as it contains important information about how to make various customizations to the software. For example, in the Release Note for the Helium CSP there is information about how to enable the second ATM port on the ISOS System and how to enable the ISOS System to work with the TransVoice 2 board.

Open the downloaded CSP file in WinZip and extract all files to the same directory in which you installed ISOS. The files are copied to the relevant ISOS directories.
Read the Release Notes for the CSP that has been installed. The Release Note for the Helium CSP is a .txt file which will be installed in the current directory. You should read this note as it contains important information about how to make various customisations to the software.
3.7
Decompress the BSP from the same directory in which you installed ISOS, using the correct Zip options. For example:
unzip <BSP file>
The files are copied to the relevant ISOS directories.
Read the Release Notes for the BSP that has been installed. The Release Note is a .txt file which will be installed in the current directory.

Open the downloaded BSP file in WinZip and extract all files to the same directory in which you installed ISOS. The files are copied to the relevant ISOS directories.
Read the Release Notes for the BSP that has been installed. The Release Note for the CSP is a .txt file which will be installed in the current directory.
3.8
Decompress the license package into a temporary directory, using the correct Zip options. For example:
unzip <license file>
agranat.lic readme.txt
Copy the agranat.lic (the license file) to an appropriate directory, which you can refer to in an environment variable. A good place to copy the license file is the directory /usr/local/virata/share that is created when you install any GlobespanVirata Tools package. This directory is used to store files which are not tied to a specific Tools release. Add the following environment variable to your shell initialisation file:
AGRANAT_LICENSE_FILE
Read the ReadMe file (readme.txt) for more information about the license. In particular, pay attention to the expiry date for the license that you have installed. The license files will expire on 1st Nov 2006. After this time period, you will need to download a new license from the GlobespanVirata Licensee Server and install it by overwriting the old license file with the new license file.
Open the downloaded license file in WinZip and extract all files to a temporary directory. Two files are copied to the temporary directory:
agranat.lic
readme.txt
Copy the agranat.lic (the license file) to an appropriate directory, which you can refer to in an environment variable. A good place to copy the license file is the directory c:\virata\share that is created when you install any GlobespanVirata Tools package.
This variable should point to the location of the agranat.lic file. The variable settings are shown on the Environment tab in the System Properties dialog box. (This dialog box is displayed by right-clicking on the My Computer icon and choosing Properties from the menu displayed.) For example:
Figure 9
4 Read the Readme file (readme.txt) for more information about the license. In particular, pay attention to the expiry date for the license that you have installed. The license files will expire on 1st Nov 2006. After this time period, you will need to download a new license from the GlobespanVirata Licensee Server and install it by overwriting the old license file with the new license file.
3.9
to see what the VIRATA_TOOLS variable has been set to.
For csh and tcsh users, edit the following line in your shell initialisation file:
setenv VIRATA_TOOLS 8.20
For sh, bash or zsh users, edit the following line in your shell initialisation file:
VIRATA_TOOLS=8.20
Change these lines to whatever Tools release you wish to use and export the new setting using the following commands:
For csh users, enter:
source ~/.cshrc
Then check that the new Tools version has been set correctly using the set or env commands described earlier.

3.9.2 Windows (NT, 2000 and XP)
To switch between different Tools releases on a Windows system, select the relevant version of the ISOS release from the Start menu: Start > Programs > Virata Tools<Version number>. This menu will have separate menu entries for each Tools release which has been installed on the system.
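For the Linux and Solaris procedure in section 3.9, the switch can be wrapped in a shell function that refuses a malformed version or a release that is not installed before it touches the environment. This is an added example, not part of the ISOS Tools or of the original guide; the names virata_use_tools, virata_tools_dir and VIRATA_ROOT are assumptions introduced here, and the tools_v8_20 directory naming follows the example in section 3.3.6.

```shell
# Added example: select an installed ISOS Tools release for sh, bash or zsh.
# VIRATA_ROOT, virata_tools_dir and virata_use_tools are hypothetical names;
# the tools_v8_20 layout and the config.sh path are taken from the guide.

: "${VIRATA_ROOT:=/usr/local/virata}"

# Map a Tools version such as 8.20 to its install directory (tools_v8_20).
# Only digits separated by single dots are accepted, so nothing unexpected
# can end up in the path that is tested and later used.
virata_tools_dir() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    printf '%s/tools_v%s\n' "$VIRATA_ROOT" "$(printf '%s' "$1" | tr . _)"
}

# Switch the current shell to the requested Tools release.
# Returns 1 for a malformed version, 2 if that release is not installed,
# 3 if the Tools configuration script is missing. On any failure the
# previous VIRATA_TOOLS value is left untouched.
virata_use_tools() {
    _vt_dir=$(virata_tools_dir "$1") || {
        echo "bad Tools version: $1" >&2
        return 1
    }
    [ -d "$_vt_dir" ] || {
        echo "Tools $1 not installed ($_vt_dir)" >&2
        return 2
    }
    [ -r "$VIRATA_ROOT/config.sh" ] || {
        echo "missing $VIRATA_ROOT/config.sh" >&2
        return 3
    }
    # VIRATA_TOOLS must be set before config.sh is sourced.
    VIRATA_TOOLS=$1
    . "$VIRATA_ROOT/config.sh"
}
```

Placed in the shell initialisation file, `virata_use_tools 8.20` replaces the two lines described above, and the same call switches releases in a running shell.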
This chapter describes how to install PC-driver software on Windows, MAC and Linux OS platforms.
4.1 Installation overview
PC Driver software is needed if you wish to use the ISOS System in a PC-attached Gateway configuration where the PC is attached to the ISOS system via USB. Refer to Typical PC-attached Gateway (USB) configuration on page 15 for more information about PC-attached Gateway configurations. The table below summarises the driver requirements for all OS platforms which can support a PC-attached Gateway configuration:
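PC-attached Gateway Driver details
OS | Driver type | PC-side driver | Chip-side driver
Windows XP | RNDIS | Microsoft (Native support provided) | GlobespanVirata (support included in usb-gateway image)
Windows 2000 | RNDIS | Microsoft (download) | GlobespanVirata (support included in usb-gateway image)
Windows 98 | RNDIS | Microsoft (download) | GlobespanVirata (support included in usb-gateway image)
Windows 98 SE | RNDIS | Microsoft (download) | GlobespanVirata (support included in usb-gateway image)
Windows ME | RNDIS | Microsoft (download) | GlobespanVirata (support included in usb-gateway image)
MAC OS 9 | USB CDC Ethernet | GlobespanVirata | GlobespanVirata (support included in usb-gateway image)
MAC OS X 10.1 and MAC OS X 10.2 | USB CDC Ethernet | GlobespanVirata | GlobespanVirata (support included in usb-gateway image)
Linux | USB CDC Ethernet | Linux kernel 2.4.18 | GlobespanVirata (support included in usb-gateway image)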
Table 14:
This chapter describes how to setup your PC for use in a PC-attached Gateway configuration for all the OS platforms listed in the table above. These systems can be connected to an ISOS System running a PC-attached Gateway build image (usb-gateway). This image file includes support for RNDIS and USB CDC Ethernet. Due to the legal restrictions of using RNDIS on non-Microsoft operating systems and to benefit from the in-built support of CDC under Linux, GlobespanVirata has devised an architecture to allow a single image (usb-gateway) to support RNDIS and CDC. Two USB configurations are exposed by the device and the host operating system selects which protocol to use for communication with the device by selecting the correct USB configuration.
4.2
4.2.2 Software supplied by GlobespanVirata
GlobespanVirata provide an example RNDIS distribution package which shows you the packages you will need to distribute to your customers.
Release Name Part number DO-400849-LS
Table 15:
The package contains:
- The RNDIS drivers - in object code format as supplied by Microsoft.
- INF file - customised for GlobespanVirata use.
- License Agreements as supplied by Microsoft.
Thus, the only item which has been customised by GlobespanVirata is the INF file. All other components are included as supplied by Microsoft.
This software package is referenced and used in the following section which describes how to install the RNDIS drivers on a Windows OS PC platform which does not have native RNDIS support.

4.2.3 Outline installation procedure
The outline procedure for installing the RNDIS drivers on a Windows PC is described below:
1 Ensure you meet the pre-requisites; see Pre-requisites on page 54.
2 Install the PC Driver software release on the computer; see Installing RNDIS Driver software on Windows on page 55.
4.2.4 Pre-requisites
The procedure described in this section assumes the following:
You are using a computer which contains a clean installation of any of the following Windows platforms (all of the platforms listed below support a PC-attached Gateway configuration):
- Windows 98 FE (PC-attached Gateway configuration only). (This version of Windows is also referred to as Windows 98 Gold.)
- Windows 98 SE
- Windows ME
- Windows 2000
- Windows XP
You have System Administrator-level knowledge and privileges for the platform that you are using. For example, you can install software packages, have permission to edit system files and so on.
You have built a usb-gateway ISOS image and successfully downloaded the image to the system.

4.2.5 Installing RNDIS Driver software on Windows
To install the RNDIS software on all versions of Windows which do not include native RNDIS support, follow the procedure below:
1 Download the GlobespanVirata RNDIS Driver Package. The table below shows the release package required:
Release Name Part number DO-400849-LS
Table 16:
2 Create a new directory on your PC called, for example, GSPNVRTA_PC.
3 Open the downloaded file in WinZip and extract all files to the new directory. A directory structure is created containing the drivers and system files.
Copy the files on to a floppy disk.
Read the Release Notes, for information about the release. There is also a document that you should read: DO-400602-TC, Software 8.2 SR2 Release Notes which contains more detailed information about the release.
Power up the ISOS System.
4 5
Plug the USB cable from the ISOS System into the USB port of the PC. The PC will detect the newly-attached device and display the Found New Hardware dialog box. The Add New Hardware Wizard dialog box is then displayed to load the driver for the ISOS System: Click on Next to continue. The following dialog box is displayed asking you to specify how to install the driver:
8 9
The following dialog box is displayed asking you to specify where the driver can be found:
11 Insert the floppy disk containing the RNDIS driver software.
12 Check the Floppy disk drive option and click on Next.
A dialog box is displayed which confirms that a suitable driver has been found on the floppy disk which will now be installed. The driver will now be installed.
13 After restarting the system, the device will be detected as a new LAN Device called GSPN USB Remote NDIS Network Device. For example:
Refer to the documentation supplied with your system for more information on configuring the Ethernet port on the device.
4.3
http://www.usb.org/developers/data/devclass/usbcdc11.pdf
CDC-Ether support has been built into the Linux kernel (V2.4.18) and GlobespanVirata have developed CDC-Ether drivers for MAC OS platforms.

4.3.1 For MAC OS platforms
GlobespanVirata provides both chip-side and PC-side support for the CDC Ethernet Networking Model for MAC OS platforms running MAC OS 9 and MAC OSX 10.1 and MAC OSX 10.2. PC-side support is provided by a set of Ethernet drivers for the USB interface on Helium Communication Processors. Both drivers for each version of MAC OS are supplied in the following packages:
Release Name Part number DO-400844-LS
Table 17:
For more information on how to use the MAC OS drivers, refer to the Release Notes provided with the software shown above. The Release Notes describe how to install and run the software and discuss known issues and limitations with the drivers. If you follow the instructions in the release notes, you should end up with an additional Ethernet port on the MAC system which you can configure.
For example:
Figure 10
Refer to the documentation supplied with your system for more information on configuring the Ethernet port.

4.3.2 For Linux OS platforms
The CDC Ethernet Networking Model is supported on PCs running a version of the Linux OS with a recent version of the kernel. The following version of the Linux kernel contains PC-side support for the CDC Ethernet Networking model:
V2.4.18
The only commercial version of Linux which incorporates this version of the kernel is RedHat 8.0. If you are using other versions of Linux you can download this version of the kernel from one of many web sites and recompile the kernel for your system. For example:
http://www.kernel.org/
You will need to download the kernel and recompile this kernel for the Linux OS you are using. Refer to the documentation supplied with your system for more information on how to recompile the kernel.
The Linux kernel 2.4.18 is provided with drivers for CDC-Ether. During testing GlobespanVirata found some issues with the Linux CDC-Ether support. A patch is available from GlobespanVirata to address these issues with the current Linux CDC-Ether driver.
Release Name Part number DO-400911-LS
Table 18: Linux CDC Ethernet Driver package
The Release Notes provided with this patch explain how to add the patch to the kernel. GlobespanVirata have provided these changes back to the Linux community and expect these fixes to be available as standard in future Linux kernel
If the kernel compiles with no errors you will be able to connect an ISOS system to the PC. If the Linux OS distribution you are using includes hot-plug support, then simply plugging a device running an ISOS usb-gateway image into the USB port will cause the USB driver to be loaded. To check whether the driver is loaded, type:
lsmod
If the driver is loaded and the ISOS System is correctly configured it should appear as a normal network device (called GlobespanVirata DM6710) and can be listed by the command:
ifconfig -a
The device can now be configured and used as a normal Linux network device. Refer to the documentation supplied with your system for more information on configuring the Ethernet port.
This chapter describes how to build an ISOS image to download to your ISOS System. It also describes the contents of the image file produced and describes how to create customized ISOS image files.
5.1 Introduction
The ISOS System requires a software image to be available in order for it to boot and function as a network device. After booting and initial configuration, the image also needs to be able to be configured by various management applications. This chapter discusses how to build an image for this purpose. For more information about how to configure and manage the image, refer to Using the ISOS File Manager on page 201.
The ISOS Tools utility called mkproduct is used to build an image file from the ISOS source and configuration files. The image file will typically be stored in Flash memory on the ISOS System. The image file produced (usually called flash.bin) is a composite file which contains the boot images and the run-time images required by the ARM processors contained in the Helium communications processor, together with software and hardware configuration information required by the ISOS System to support a particular type of network configuration.
In addition, you can customize the build process to build various types of images:
- Building a default image; see Building an ISOS image on page 79.
- Building a debug image; see Building a debug image on page 80.
- Building a network-bootable image; see Building a network-boot image on page 81.
- Building an image containing a recovery image; see Building an image containing a recovery image on page 83.
- Building an image containing multiple configuration partitions; see Building an image containing multiple configuration partitions on page 87.
- Including additional files in an image; see Including files in an image on page 91.
- Building an image to include particular ISOS processes; see Creating customized images on page 94.
The next few sections describe some of the fundamental concepts about image building and configuration under ISOS.
5.2 Run-time image
Figure 11
The complete image is not restricted to being on one Flash chip. This image can be located on a number of Flash chips and you can edit configuration files to determine which part of the image is stored on which particular Flash chip.
5.2.1 Images included in a build
This flash.bin file has three main sections described in the table below:

| Flash area | File name | Description of Contents |
|---|---|---|
| Boot area | boot.bin | The images required to boot the ARM chips in the Communications processor (CP): the Boot image (for the IDMAE (Intelligent DMA Engine) in the CP) and the PP Boot image (for the PP (Protocol Processor) ARM chip in the CP). |
| Configuration area | config.bin | Configuration information used to configure the images in the Image area. Information such as the MAC address of the ISOS System is stored in this file. |
| Image area | flashfs_main.bin | Run-time images that will be loaded when the CP has booted up: the IDMAE run-time image and the PP run-time image. Also contains configuration information for the image and web page archives. |

Table 19:
Note that the above description is for a typical image file. You can make changes to the image file produced by editing various configuration files to suit your particular requirements. This is discussed in the later sections of this chapter. For more information about listing the contents of an image file which has been downloaded to the ISOS System, refer to Using the ISOS File Manager on page 201.
5.3 Build requirements
In order to build an ISOS image you need to consider two areas:
- Hardware type; the type of hardware (ISOS System) you are using. For example, BD6100.
- Product type; the type of product you wish to build. For example, a PC-attached (USB) gateway configuration is called a usb-gateway product type.
When building any type of image, you need to specify the hardware you are using and the type of product you wish to build. The flash.bin image is then built to include all the required software packages for this particular combination of hardware and product type.
The build directory created to produce the images is derived from the hardware and product type that you specify. For example, building an image for:
- Hardware type: bd6100
- Product type: usb-gateway
produces a build directory called bd6100-usb-gateway.
You must specify a product type which will be supported by the ISOS System you are using. For example, it makes no sense to attempt to build a pci-modem product for a BD6100 ISOS System as the Helium processor does not have a PCI interface.
5.4 Hardware type
The Hardware type defines the hardware system that is used to run ISOS software. For example, BD6100. Hardware configuration files are provided for each system type supported by ISOS 8.2 Service Release 2. The files are located in the directory:
<install dir>/atmos/source/hardware
For example, for the BD6100 ISOS System, the hardware file is called bd6100.hw.
The following sections list the hardware types which are supported in ISOS 8.2 Service Release 2 for each group of hardware systems supported by GlobespanVirata, and the corresponding hardware configuration files which are used to build an image for each of these systems. The systems supported are:
- BDXXXX systems; GlobespanVirata Development systems, where XXXX is a number denoting the type of Communications processor used in the system.
- DMXXXX systems; GlobespanVirata Design for Manufacture systems, where XXXX is the model number.
- MDS system; GlobespanVirata Modular Development System comprising a Communications processor blade and other blades providing additional network interfaces.
5.4.1
Table 21:
5.4.3
Table 22:
Note All other MDS blade configurations using the RD7102 (He210-80 blade) are not supported by GlobespanVirata and are also unlikely to work.
5.5 Product type
The Product type defines a specific type of product for a particular configuration. (The types of configurations supported by the ISOS System are described in What configurations are supported by an ISOS System? on page 10.) The number of product types available will vary depending on the software release you are using with the ISOS System; later software releases support a larger number of configurations.
usb-gateway-lean
extra-sw
Table 23:
For more information about the characteristics of the product types listed in the above table, refer to What are the features of each supported configuration? on page 13. For more information about the other product types which are available, refer to Product type on page 68. All product types are defined in pre-configured product files in the <install dir>/atmos/products directory. A separate directory exists for each particular product. For example, the directory used to create an image for a PC-attached (USB) Gateway product is called usb-gateway.
5.6
Product
flash-rewrite
serialboot
Table 24:
5.7
Figure 12 (diagram not reproduced). Labels: Build Configuration Files; Product directory; Product configuration files (atmos/products/usb-gateway/mkproduct.pst, atmos/products/usb-gateway/mkproduct.cfg); System configuration file (atmos/system/usb-gateway); Build directory; Image directory.
The following sections describe the use for each of the above files and directories.
5.8
5.9
This includes the system files, usb-gateway-lean and np_rt in a usb-gateway-lean product build. The usb-gateway-lean system file can be edited extensively to include or remove software modules which are not required. The np_rt system file defines the runtime code used for the IDMAE (Intelligent DMA Engine). It is supplied in binary image format.
When a product using this file is built, the build process will search for a system file called np_rt. If it is not found, the build process looks for an object file in the following directory:
atmos/products/objects/<chip-type>-np_rt
where <chip-type> is the name of the processor as defined in the hardware configuration file (in the directory atmos/source/hardware/):
HWCHIP:augustus
For example, for a build on the target hardware He 210 (Augustus) the NP object file will be found in the directory:
atmos/products/objects/augustus-np_rt
There are many product variants provided in an ISOS release which provide similar features. For example, the products:
- eth-gateway
- usb-gateway
are identical apart from usb-gateway including support for USB. To ensure that changes made to one product type are also applied to other similar product types, the system files for both of these products reference a generic system file called gateway. The eth-gateway system file calls this file to use as its system file. The usb-gateway file also calls this system file and adds a line to provide USB support. For example, here is the main section of the eth-gateway system file:
Include ../system/gateway
For more information and for an example of using system files, refer to Creating customized images on page 94.
5.10
For example, the hardware file defines:
- Sizes of flash partitions
- Flash granularity
- Board registers
- LEDs (if present).
- BUN software drivers to use for the physical interfaces provided by the hardware.
- EPB modes
- GPIO settings
It is unlikely that you will ever need to change this file but you are likely to want to take a copy of a hardware file and edit it to suit your particular hardware product, which may not use all of the functionality provided by the hardware.
There is usually one hardware file for each ISOS System where an ISOS System is a BDXXX Series Evaluation System. For example, for the BD6100 system the hardware file is bd6100.hw. In the case of the MDS System, which can contain multiple boards, there is still one hardware file but this hardware file references other lower-level hardware files, one hardware file for each board in the MDS configuration. These lower-level MDS hardware files are contained in a sub-directory of the hardware directory, called mds-card.
For example, here is an extract from the hardware file mds-210-atm25-155.hw which provides support for an MDS system containing:
- RD7102 (Helium 210-80 CPU)
- RD7302 (ATM card)
The following lines in the hardware file reference the other hardware files required for each of the above blades in the MDS:

% Include base MDS support
Hardware mds-base
% Pull in CPU card
Hardware mds-card/rd7102-3
% Pull in ATM25/ATM155 card support
Hardware mds-card/rd7302_rev1
For more information about the hardware files and the corresponding system they are used with, refer to Hardware type on page 66.
5.11 Build directory
mkproduct creates a build directory based on the hardware type (BD6100) and system file (usb-gateway). The name of the build directory is formed by combining the hardware type and system file. For example:
atmos/build/bd6100-usb-gateway
mkproduct also creates a sub-directory within the main build directory for each product. This directory is created in atmos/build/products. The name of this directory is also formed by combining the hardware type and product file name. For example:
atmos/build/products/bd6100-usb-gateway
These build directories contain all the intermediate files and directories for use in producing the image files in the image directory. You can build as many product types as you wish using mkproduct. Separate build directories are created for each hardware and product type combination that you build.
5.11.1 Image files
The two main image files for a build are:
- The image file used by the IDMAE (Intelligent DMA Engine) in the Helium communications processor.
- The PP image file used by the Protocol Processor in the Helium communications processor.
The PP image is created from source and is copied into the build directory for the product you are building. For example, if you build a bd6100-usb-gateway image, the PP image file (called image.comp) would be located in the build directory:
atmos/build/bd6100-usb-gateway
The IDMAE image for an ISOS System is provided as a pre-compiled binary. It will be installed in the directory:
atmos/build/bd6100-np_rt/
5.12
device : atm = chameleon, debug, pppoe, rfc1483, atm_phy, atm_transport
#device : adsl_device = chameleon, debug, rfc1483, dsl_phy, t1_413
device : h1 = chameleon, debug, hdlc
device : e1 = chameleon, debug, ethernet, ethernet_phy
device : aal2cps_device = aal2cps
port : hdlc = h1 /NewAttribute=<bool:VMI=true>
port : ethernet = e1 /NewAttribute=<bool:VMI=true> /NewAttribute=<bool:Inside=true>
%filtering driver replaces EDD
%port : etherfilter=filter/interface=<port=ethernet>
port : a1 = atm/PhysicalPort=0/PortSpeed=59111 /NewAttribute=<bool:VMI=true> /NewAttribute=<bool:Outside=true>
#port : a1 = adsl_device/PortSpeed=2000 /NewAttribute=<bool:VMI=true> /NewAttribute=<bool:Outside=true>
# To include support for AAL2 on a particular port and VCI, uncomment the following
# line and modify the settings as appropriate.
#port : aal2_cps = aal2cps_device/rxbuffersource=<AAL2>/interface=<port=a1/txvci=100/rxvci=100>
The information in this file can be changed to suit your particular requirements. For example, you may wish to comment out ports that you are not using and to set different attributes for the ports you are using. For more information on the BUN directives which can be used in the initbun file, refer to the ISOS BUN Developers Guide, DO-010033-TC.
5.12.1 BUN configuration in the hardware file
It is also worth pointing out that hardware files also contain a Software driver definition section which defines the BUN device drivers which are needed for each of the interfaces supported by the system. Here is a section taken from the bd6100.hw hardware file:

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
% Software driver definitions
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Set atm_device = bun/devices/utopia
Set atm_phy_device = bun/devices/idt7710x
Set num_atm_ports = 31
Set atm_multi_phy_device = bun/devices/idt7710x
Set ethernet_device = bun/devices/ethernet bun/devices/fluorine
Set hdlc_device = bun/devices/hdlc
Set t1_413_device = bun/devices/adsl
Set dsl_phy_device = bun/devices/sample_adsl
Set usb_device = bun/devices/usb
% Set up standard devices
Config.hs BUN_CONFIG_HW_0 "device : atm_transport = utopia"
Config.hs BUN_CONFIG_HW_1 "device : atm_phy = idt7710x"
Config.hs BUN_CONFIG_HW_2 "device : atm_multi_phy = idt7710x"
Config.hs BUN_CONFIG_HW_3 "device : dsl_phy = SampleAdsl"
Config.hs BUN_CONFIG_HW_4 "device : t1_413 = adsl"
Config.hs BUN_CONFIG_HW_5 "device : ethernet_phy = fluorine"
Config.hs BUN_CONFIG_HW_6 "port : ciao = ciao"
5.13 Image directory
This directory contains the output of the build process. It contains the components of the final flash.bin image which is downloaded to the ISOS System. The files included in this directory are:
- boot.bin
- config.bin
- flashfs_main.bin
- flashfs_main.cfg
A separate ISOS Tools program called mkhfflash is used to combine all the above files into the flash.bin composite file. The following file is also created in this directory:
- http-upload.tar
This file is a tar-format archive of all the files which are included in the flash.bin file. This file can be downloaded to an ISOS System via HTTP upload using a web browser. For more information, refer to Update on page 171. For more information about these images, refer to Images included in a build on page 64.
5.14
Ensure that you have a command prompt from where you can run ISOS commands:
- For Linux and Solaris users, ensure that you are working in the atmos directory.
- For any Windows users, start a Build ATMOS images sub-shell window by choosing Start > Programs > Virata Tools<Version number> from the Start menu. You may then need to cd to the atmos directory.
Enter the command:
mkproduct usb-gateway bd6100
to build an image for a PC-attached gateway product type for an ISOS System, attached via USB, where:
- usb-gateway refers to a product name defined in the <install dir>/atmos/products/ directory. Namely, usb-gateway.
- bd6100 refers to a hardware file in the <install dir>/atmos/source/hardware/ directory. Namely, bd6100.hw.
The resultant ISOS image file produced, called flash.bin, will be copied into the directory:
<install dir>/atmos/build/products/bd6100-usb-gateway
5.15
5.16
This flag tells the build process to ignore this partition if building a network-boot image. All Flash chip sizes are ignored; the image is built as small as possible for quicker download over the network.
You can build a network-boot image in two ways:
- Using mkproduct with the -n option.
- Editing the product configuration file to add an option to always build this type of image.
Using mkproduct
For example:
mkproduct -n usb-gateway bd6100
Editing mkproduct.pst
To build a network-boot image for a particular product build you can edit the product configuration file, mkproduct.pst, for the product you are building. Add the line:
NETWORK_BOOT=1
To build a normal image again you can either remove this line from the file or change the line to:
NETWORK_BOOT=0
This setting will also override the mkproduct -n option. If NETWORK_BOOT is not specified in the mkproduct.pst file a normal image is built, unless the mkproduct -n option is used.
5.17
flashfs_recovery.bin
flashfs_main.bin
This flash.bin file has a main flash image which it uses to boot (flashfs_main.bin) and also a recovery image (flashfs_recovery.bin) which it will use if the main flash image fails to boot. For an example of the changes you need to make to build an image containing a recovery image, refer to the atmos/products/eth-gateway-recovery file. This product has built-in support for including a recovery image in the flash.bin file. The hardware file for the BD6100 ISOS System includes such a section for the recovery image.
To build an image containing a recovery image, you will need to edit the following configuration files:
- mkproduct.pst
- mkproduct.cfg
- hardware file
You will also need to have created the following configuration files and directories for the recovery image. For example:
- A system file in atmos/system. For example, called usb-recovery. Typically this file would define a minimum ISOS build containing support for restoring a new image from a remote host.
- An additional FlashFS directory in the Products directory to contain any configuration information for the recovery image.
The outline procedure to follow for creating a recovery image for the BD6100 ISOS System using a usb-gateway image is given below:
1. Edit the file mkproduct.pst in the directory atmos/products/usb-gateway and add the following line:
PPRECIMAGE=build/${HWTYPE_PREFIX}usb-recovery${DEBUG_DIR}/image
to the first section of the mkproduct.pst file. This section of the file should now read:
PPIMAGE=build/${HWTYPE_PREFIX}usb-gateway${DEBUG_DIR}/image
PPRECIMAGE=build/${HWTYPE_PREFIX}usb-recovery${DEBUG_DIR}/image
NPIMAGE=build/${HWTYPE_PREFIX}np_rt${DEBUG_DIR}/image
NPBOOTIMAGE=build/${HWTYPE_PREFIX}hf_np_boot${DEBUG_DIR}/image
PPBOOTIMAGE=build/${HWTYPE_PREFIX}hf_pp_boot${DEBUG_DIR}/image
The line defines a new image referred to as PPRECIMAGE and called usb-recovery.
Add the following line to define a FlashFS directory (flashfs_recovery) where you wish to add any recovery configuration information. This directory should be in the same directory as the main product directory (${PRODUCT_DIR}).
FLASHFS_RECOVERY_DIR=products/${PRODUCT_DIR}/flashfs_recovery/
You must ensure that you export the image using the same name you defined for it in the previous step.
4. Add the following two lines to call mkhfimage to create the NP and PP images for the recovery image (PPRECIMAGE):
mkhfimage $VERBOSE_v -p 0 -i ${PPRECIMAGE} ${NPIMAGE} ${NPIMAGE}.val2
mkhfimage $VERBOSE_v -i ${PPRECIMAGE} -e ${PPRECIMAGE} ${PPRECIMAGE}.comp ${PPRECIMAGE}.val
You must ensure that you refer to the image using the same name you defined for the recovery image in Step 1. These two lines are a copy of the two lines used for generating the main flash.bin image but replace PPIMAGE with PPRECIMAGE and refer to NPIMAGE.val2 rather than NPIMAGE.val.
5. Add an entry for creating the recovery image in the START BUILD CONFIG section of the file. This section defines what needs to be added to the flash.bin file:
# flashfs recovery
# flags skipnet
# file ${NPIMAGE}.val2 NPimage
# file ${PPRECIMAGE}.val image
# dir ${FLASHFS_RECOVERY_DIR}
# end
This section defines a recovery image called recovery containing an NP and PP image and a FlashFS recovery directory which you have defined in the previous steps. The option flags skipnet tells the build process to ignore building this image if building a network boot image. (There is more information about creating a network boot image in Building a network-boot image on page 81.) Note that even though this section of the file appears to be commented out it is parsed by the build process.
6. Edit the file mkproduct.cfg to include a reference to the system file for the recovery image (usb-recovery). For example:
SYSTEM_FILES="usb-gateway usb-recovery np_rt hf_pp_boot hf_np_boot"
Edit the hardware file bd6100.hw to define a partition for the recovery image:
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Flash chip configuration for build process
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% These lines are process by the build process to extract board specific
% information that is needed for the build process
%
% START BUILD CONFIG
%
% flashchipsize 4096k
% flashchipnum 1
%
% fsorder recovery main
%
% flashfs main
% size 3072k
% end
%
% flashfs recovery
% size 512k
% offset 512k
% end
%
% END BUILD CONFIG
The above entry defines two partitions called main and recovery. The images are added to flash in the order recovery followed by main. This is defined by the fsorder line in the file. Both partitions are then defined separately. The recovery image (recovery) is allocated a size of 512k in memory and this partition is created in Flash after an offset of 512k. (This offset is included to leave space (0 to 512K) for the boot partition and configuration information.) The main image (main) is allocated all the remaining space in Flash memory, 3072k:
4096k - 1024k (512k (offset) +512k (recovery)) = 3072k
These definitions must correspond with those set for FLASH_START_OFFSET and EMERGENCY_FLASHFS_SIZE in this file. For example:
config.hs FLASH_START_OFFSET (512UL * 1024UL)
and
config.hs EMERGENCY_FLASHFS_SIZE (512UL * 1024UL)
You should now be able to create a recovery image, using the command:
mkproduct usb-gateway bd6100
To check that the recovery image has been created, use the ISOS File Manager to examine each partition. For more information, refer to Using the ISOS File Manager on page 201.
5.18
The following diagram shows the flash.bin structure for an image containing partitions for a recovery image and configuration data:
Figure 14
Note that the configuration partitions are used to store dynamic configuration data. All fixed configuration data such as im.conf.factory etc. is stored in the main image. The files which are classified as dynamic configuration data are defined in the file atmos/source/im/library/SystemConfig.cc. The files included in this file by default are:
- im.conf (defined by IM_DEF_FILE earlier in this file)
- dhclient.leases
- dhcpd.leases
- initportcli
You can add extra files to this list if you wish by including the following line in your system configuration file. For example, to add snmpinit, enter:
Config.hs IM_DYNCONFIG_FILE_0 "snmpinit"
This will add snmpinit to the list of dynamic configuration files. The FlashFS partition definitions are located in the file:
atmos/source/hardware/flashfs_config/flashfs_config_<X>MB.hw
where <X> is the total flash size in MB. This file is included in the hardware file for all ISOS systems. For example, in the bd6000.hw file:
% Include the flashfs partition definitions
Hardware flashfs_config/flashfs_config_4MB
Currently, only one file is contained in this directory as all ISOS systems contain 4MB of Flash. You will need to create your own definition file if you are using bigger or smaller Flash devices on your system. If you are building images to program into flash chips you will also need to ensure that the FlashFS directives in the metamk configuration lines in the hardware file are updated to match the new FlashFS partition definitions. An example metamk definition section for configuration partitions is provided in the hardware file atmos/source/hardware/mds-210-ar1.hw:
% The following lines are suitable for a 4M FLASH matching the settings in
% atmos/source/hardware/flashfs_config/flashfs_config_4MB.hw:
%
% flashchipsize 4096k
% flashchipnum 1
%
% fsorder recovery main config1 config0
%
% flashfs main
% size 3072k
% end
%
% flashfs recovery
% size 448k
% flags skipnet
% offset 512k
% end
%
% flashfs config1
% size 32k
% flags skipnet
% offset 4032k
% end
%
% flashfs config0
% size 32k
% flags skipnet
% offset 4064k
% end
5.18.1 Procedure to follow
To create an image containing configuration partitions for the configuration data, you need to add support for multiple partitions to both your run-time image and your Boot ROM image.
1. Build a new Boot ROM image and download this to your system. (For more information on how to update the Boot ROM image, refer to Upgrading Boot ROM on page 410.)
Build a new run-time image and download this to your system. For more information, refer to Building an ISOS image on page 79.
You should now have multiple configuration partitions. Check this by running the command:
system config save
This command should save the configuration noticeably quicker than before. You can also enter the console and list the partitions. For example:
--> console enable
1.2.3.4> flashfs partitions
Number of partitions: 4
Partition 1: 0x003f8000 ...
Partition 2: 0x003f0000 ...
Partition 3: 0x000f0000 ...
Partition 4: 0x00080000 ...
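The partition definitions in sections 5.17 and 5.18 can be checked before an image is built. The following is an added example, not part of the ISOS tools: it parses the flash directives quoted above, places each partition, and reports overlaps or overruns that would let one image overwrite the recovery or configuration partitions. It assumes that a partition without an offset starts where the previous partition in fsorder ends (a rule inferred from the two layouts on this page) and that the first 512k are reserved as stated for FLASH_START_OFFSET; all function names are hypothetical.

```python
import re

K = 1024

# Constructed sample: the 4 MB layout quoted above for mds-210-ar1.hw.
SAMPLE_HW = """\
% flashchipsize 4096k
% flashchipnum 1
% fsorder recovery main config1 config0
% flashfs main
% size 3072k
% end
% flashfs recovery
% size 448k
% flags skipnet
% offset 512k
% end
% flashfs config1
% size 32k
% flags skipnet
% offset 4032k
% end
% flashfs config0
% size 32k
% flags skipnet
% offset 4064k
% end
"""

def kbytes(token):
    """'4096k' -> bytes. Only the 'k' suffix appears in the page's examples."""
    m = re.fullmatch(r"(\d+)k", token)
    if not m:
        raise ValueError(f"unsupported size: {token!r}")
    return int(m.group(1)) * K

def parse_build_config(text):
    """Read the flash directives; the leading '%' is stripped because the build parses these lines."""
    cfg = {"chipsize": 0, "chipnum": 1, "order": [], "parts": {}}
    current = None
    for raw in text.splitlines():
        words = raw.strip().lstrip("%").split()
        if not words:
            continue
        key, args = words[0], words[1:]
        if key == "flashchipsize":
            cfg["chipsize"] = kbytes(args[0])
        elif key == "flashchipnum":
            cfg["chipnum"] = int(args[0])
        elif key == "fsorder":
            cfg["order"] = args
        elif key == "flashfs":
            current = cfg["parts"].setdefault(args[0], {"size": None, "offset": None})
        elif key == "end":
            current = None
        elif current is not None and key in ("size", "offset"):
            current[key] = kbytes(args[0])   # 'flags' and unrelated lines are ignored
    return cfg

def layout(cfg):
    """Place partitions in fsorder; one without an offset follows the previous one (assumed rule)."""
    cursor, placed = 0, []
    for name in cfg["order"]:
        part = cfg["parts"].get(name)
        if part is None or part["size"] is None:
            raise ValueError(f"fsorder names {name!r} but no sized flashfs block defines it")
        start = part["offset"] if part["offset"] is not None else cursor
        cursor = start + part["size"]
        placed.append((name, start, cursor))
    return placed

def check_layout(cfg, flash_start_offset=512 * K):
    """Return a list of problems; an empty list means the layout is consistent."""
    total = cfg["chipsize"] * cfg["chipnum"]
    placed = sorted(layout(cfg), key=lambda p: p[1])
    problems = [f"{n}: defined but missing from fsorder"
                for n in sorted(set(cfg["parts"]) - set(cfg["order"]))]
    for name, start, end in placed:
        if start < flash_start_offset:
            problems.append(f"{name}: starts at {start // K}k, inside the boot/config area")
        if end > total:
            problems.append(f"{name}: ends at {end // K}k, past the {total // K}k of flash")
    for (a, _, a_end), (b, b_start, _) in zip(placed, placed[1:]):
        if b_start < a_end:
            problems.append(f"{a} overlaps {b}")
    return problems

def matches_console(cfg, reported_starts):
    """Compare computed start addresses with those printed by 'flashfs partitions'."""
    return sorted(start for _, start, _ in layout(cfg)) == sorted(reported_starts)

if __name__ == "__main__":
    cfg = parse_build_config(SAMPLE_HW)
    for name, start, end in layout(cfg):
        print(f"{name:9s} 0x{start:08x}-0x{end - 1:08x} ({(end - start) // K}k)")
    print(check_layout(cfg) or "layout OK")
```

With the sample layout, the computed start addresses equal the four addresses in the console listing above; copying the 512k recovery size from section 5.17 into this four-partition layout makes main run into config1.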
5.19
The guidelines for what type of files should go into each directory are given below:
- atmos/products/include/flashfs; files in here are required for all builds. For example, the banner.txt file which contains the company name that is displayed on the console during system start-up is stored in this directory.
- atmos/products/<product>/flashfs; files in here are required for all builds for this particular product. For example, the BUN software initialisation file, initbun, is stored in this directory.
Note: If both directories contain the same filename, then the file contained in atmos/products/<product>/flashfs will be included in the build.
For example, a build for a usb-gateway image for the BD6100 ISOS System would include the following directories:
- atmos/products/include/flashfs
- atmos/products/usb-gateway/flashfs
The file flashfs.conf (contained in the atmos/products/include/ directory) can be used to pre-process any of the files stored in the flashfs directories before they are included in the build.
flashfs.conf contains a list of files that will be pre-processed in some way before being added to FlashFS. The format of the file is:
<directive> <filename>
The valid directives which can be used in this file are:
- compress; the file will be compressed (using gzip) before being included in FlashFS.
- strip; the file will be stripped of all comments before being compressed and included in FlashFS.
- ignore; the file will be ignored and will not be included in FlashFS.
Files which are not referenced in this file are simply included in the build. No pre-processing of the file is performed.
5.19.2 As references from module files
You can add additional files to a build, for example phy images, by adding a make command to the appropriate module file in the source directory. The commands which can be used are:
- Make.zflashfs to include the file in the build and to compress the file.
For example, the webserver.module file (in atmos/source/webserver/) uses this command to create a compressed version of the ISOS web pages:
Make.zflashfs derived_data.dat derived_data.dat
Make.dep derived_data.dat
This command will compress the derived_data.dat file, calling the compressed file by the same name, and put the compressed file in the build. To add a file with no compression, enter:
Make.flashfs <filename> <compressed filename>
Make.dep <compressed filename>
The files are compressed with gzip. You can use the ISOS File Manager to view which files have been compressed in an image. For more information on viewing compressed images, refer to Listing the contents of ISFS and FlashFS on page 206.
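To review which files a given product will actually ship in FlashFS, the precedence rule and the flashfs.conf directives described in this section can be applied to the two flashfs directories before building. The following is an added example, not part of the ISOS tools: the function names, the notes.txt file and the sample flashfs.conf content are constructed for illustration, and lines that do not match `<directive> <filename>` are skipped as an assumption.

```python
import os
import tempfile

DIRECTIVES = {"compress", "strip", "ignore"}

def parse_flashfs_conf(text):
    """Map filename -> directive from '<directive> <filename>' lines; other lines are skipped."""
    rules = {}
    for line in text.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] in DIRECTIVES:
            rules[words[1]] = words[0]
    return rules

def _files(path):
    """Regular files directly inside a flashfs directory."""
    return {n for n in os.listdir(path) if os.path.isfile(os.path.join(path, n))}

def effective_files(dirs, rules):
    """dirs: (label, path) pairs, lowest precedence first. Returns {name: (label, action)}."""
    chosen = {}
    for label, path in dirs:
        for name in _files(path):
            chosen[name] = label      # the product directory replaces the common one
    return {name: (label, rules.get(name, "as-is"))
            for name, label in sorted(chosen.items())
            if rules.get(name) != "ignore"}

def shadowed(dirs):
    """Names present in more than one directory: common files that a product replaces."""
    seen, dupes = set(), set()
    for _, path in dirs:
        names = _files(path)
        dupes |= seen & names
        seen |= names
    return sorted(dupes)

def demo():
    """Build a constructed tree in a temp dir; return (effective file set, shadowed names)."""
    with tempfile.TemporaryDirectory() as root:
        include = os.path.join(root, "include", "flashfs")
        product = os.path.join(root, "usb-gateway", "flashfs")
        os.makedirs(include)
        os.makedirs(product)
        for directory, name in [(include, "banner.txt"), (include, "initbun"),
                                (include, "notes.txt"), (product, "initbun")]:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("constructed sample\n")
        rules = parse_flashfs_conf("strip initbun\nignore notes.txt\n")
        dirs = [("include", include), ("product", product)]
        return effective_files(dirs, rules), shadowed(dirs)

if __name__ == "__main__":
    print(demo())
```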
5.20
The procedure below explains how to create a customized image file. It assumes that you are going to produce a customized image based on the usb-gateway product configuration:
1. Copy the directory /atmos/products/usb-gateway-lean to a new directory name. For example, usb-gwl-custom.
2. In the usb-gwl-custom directory, edit the file mkproduct.cfg. Change the line:
SYSTEM_FILES="usb-gateway-lean np_rt"
to read:
SYSTEM_FILES="usb-gwl-custom np_rt"
In the same directory, edit the file mkproduct.pst. Change the line:
PPIMAGE=build/${HWTYPE_PREFIX}usb-gateway-lean${DEBUG_DIR}/image
to read:
PPIMAGE=build/${HWTYPE_PREFIX}usb-gwl-custom${DEBUG_DIR}/image
to:
metamk -v products/usb-gwl-custom/mkproduct.pst
In the atmos/system directory, copy the system file usb-gateway-lean as usb-gwl-custom, keeping it in the same directory.
Edit the newly copied file, usb-gwl-custom, to suit your requirements. For example, if you do not wish to include any Security modules in a build, comment out the lines which include the processes related to Security. Change the lines:
% firewall
Set use_firewall
% Set use_dmz
Set use_nat
Set use_firewall_logging
Package security
to:
% firewall
% Set use_firewall
% Set use_dmz
% Set use_nat
% Set use_firewall_logging
% Package security
Build the image using the command:
mkproduct usb-gwl-custom bd6100
The resultant ISOS image file produced, called flash.bin, will be copied into atmos/build/products/bd6100-usb-gwl-custom.
You can now download this file and check if the processes which you have added or removed are available or not. For more information, refer to Booting the ISOS System in Gateway mode on page 99.
5.21 Further information
For more information about the mkproduct command and the Tools releases in general, refer to the online manual pages which are provided in the Tools release.
For Linux and Solaris platforms, enter the command:
man mkproduct
This will display the manual page for mkproduct, describing all the options available. There are also manual pages for all the GlobespanVirata tools, contained in:
/usr/local/virata/tools<version>/man
The manual pages are also provided in HTML format. To view the pages, open the following file in your web browser:
/usr/local/virata/tools<version>/doc/index.html
For Windows platforms, choose Tools Documentation from the Start Menu (Start > Programs > Virata Tools<Version number>). This will display a page in your Web browser containing information about all the Tools provided in the Tools release, including mkproduct.
This chapter describes the different methods which can be used to boot an ISOS System over a network in a Gateway configuration. This chapter assumes that you have created a suitable image by building an image from the ISOS source code. For more information about booting an ISOS System in any type of PC-attached configuration, refer to Booting the ISOS System in PC-attached mode on page 111.
6.1
Introduction to Booting
The most common method of booting an ISOS System is over the network for a Gateway configuration and over USB in a PC-attached configuration. This chapter covers booting over the network. (For more information on booting over USB, refer to Booting the ISOS System in PC-attached mode on page 111.) For more information on how to configure the booting of an ISOS System, refer to Configuring Booting of an ISOS System on page 115. Once there is a running image on the ISOS System, the images and/or configuration stored in Flash memory can be updated using TFTP and HTTP. For more information, refer to Updating software from a running image on page 411. For more information on the most suitable booting method for your type of configuration, refer to What are the features of each supported configuration? on page 10.
6.2
Assumptions
The procedures contained in this chapter assume the following:
You have created a compiled ISOS image, as described in Building an ISOS image on page 61.
You have System Administrator-level knowledge of, and privileges on, the platform that you are using. For example, you can install software packages, have permission to edit system files and so on.
You know the MAC address of the ISOS System that you wish to boot over the network.
You have allocated an IP address for the ISOS System that you wish to boot over the network.
The boot server that you use for booting the ISOS System is on the same subnet as the ISOS System.
6.3
The above platforms provide a DHCP server instead of a Bootp server. DHCP is a superset of Bootp and is backwards-compatible; a Bootp client can issue a request and it will be serviced by a suitably configured DHCP server. For the boot procedure to follow using Bootp, refer to Booting over the network (using BOOTP and TFTP (UNIX)) on page 102.
6.3.1
Outline procedure
The outline procedure to follow to set up network booting using DHCP and tftp is as follows:
1 Add an entry for the ISOS System by editing /etc/dhcpd.conf.
2 Make the files you wish to boot available to dhcpd.
3 Restart dhcpd.
6.3.2
Edit /etc/dhcpd.conf
dhcpd is used to boot the target hosts by identifying them using their IP address. To configure dhcpd, you need to edit the file /etc/dhcpd.conf. A typical entry for an ISOS System called ISOS system-1 is shown below:
subnet 192.168.235.0 netmask 255.255.255.0 {}
host ISOS system-1 {
    hardware ethernet 00:20:2b:00:40:18;
    fixed-address 192.168.235.65;
    filename "/tftpboot/flash.bin";
}
This file configures the dhcp daemon serving requests on the 192.168.235.0 (netmask 255.255.255.0) subnet, with a single entry for the ISOS System with Ethernet address 00:20:2b:00:40:18. The device will be assigned the IP address 192.168.235.65 and told to boot the file /tftpboot/flash.bin. Before the DHCP daemon will start, it needs to have a file in which to store its leases. This is the case even if the DHCP daemon is issuing fixed IP addresses to individual devices. The file is called /var/state/dhcp/dhcpd.leases. For our purposes the file should be empty.
6.3.3
Make the files you wish to boot available to dhcpd
The filename entry in the file /etc/dhcpd.conf defines the location of the file that will be used to boot the ISOS System. By convention, the location is always specified as the /tftpboot directory. Instead of copying files to this location, it is usual to create a symbolic link from this directory to the actual file to be used to boot. A symbolic link can be created using the ln -s command. For example, to link the file flash.bin in the directory /home/jjf to the /tftpboot directory, enter:
ln -s /home/jjf/flash.bin /tftpboot
Listing the contents of the /tftpboot directory will show the symbolic link to the flash.bin file:
lrwxrwxrwx 1 root root 19 Jul 11 15:52 flash.bin -> /home/jjf/flash.bin
6.3.4
The following information is displayed after this command has been issued:
dhcpd reload
Shutting down dhcpd [OK]
Starting dhcpd [OK]
This information confirms that dhcpd has been restarted successfully. You should now be able to boot the ISOS System over the network. For more information, refer to Booting an ISOS System over the network on page 109.
6.4
6.4.1
Outline procedure
The outline procedure to follow to set up network booting using Bootp and TFTP is as follows:
1 Add entries for tftp and bootp services in /etc/inetd.conf.
2 Add an entry for the ISOS System, by editing /etc/bootptab.
3 Make the files you wish to boot available to tftpd.
4 Restart inetd.
The above steps are covered in detail in the remainder of this section.
6.4.2
Edit /etc/inetd.conf
Add entries for tftp and bootp in the inetd.conf file. The example below shows a typical entry:
#:BOOT: Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers."
tftp    dgram   udp     wait    nobody  /usr/sbin/tcpd    /usr/sbin/in.tftpd -l /tftpboot
bootps  dgram   udp     wait    root    /usr/sbin/bootpd  bootpd -i -d 9 -t 120
Note In this example tftp is invoked by tcpd, which can be used to provide a minimum level of security by restricting the hosts that may connect (tftp does not include any of its own security measures). If this is inconvenient or not needed, tftpd could be invoked directly using the entry:
tftp dgram udp wait nobody /usr/sbin/in.tftpd tftpd -l /tftpboot
Both of these examples specify /tftpboot as the directory to which tftp will give access (and therefore in which the boot images, or symbolic links to them, should be placed).
6.4.3
Edit /etc/bootptab
An entry must be added to the file /etc/bootptab for the ISOS System. The example below shows a typical entry:
# /etc/bootptab: database for bootp server (/usr/sbin/bootpd)
#
# Blank lines and lines beginning with '#' are ignored.
#
# Legend: (see bootptab.5)
#   first field -- hostname (not indented)
#   bf -- bootfile
#   bs -- bootfile size in 512-octet blocks
#   cs -- cookie servers
#   df -- dump file name
#   dn -- domain name
#   ds -- domain name servers
#   ef -- extension file
#   gw -- gateways
#   ha -- hardware address
#   hd -- home directory for bootfiles
#   hn -- host name set for client
#   ht -- hardware type
#   im -- impress servers
#   ip -- host IP address
#   lg -- log servers
#   lp -- LPR servers
#   ns -- IEN-116 name servers
#   ra -- reply address
#   rl -- resource location protocol servers
#   rp -- root path
#   sa -- boot server address
#   sm -- subnet mask
#   sw -- swap server
#   tc -- template host (points to similar host entry)
#   td -- TFTP directory
#   to -- time offset (seconds)
#   ts -- time servers
#   vm -- vendor magic number
#   Tn -- generic option tag n
#
# Weird (bad)
# things can happen when a backslash is omitted where one is intended.
# Also, note that generic option data must be either a string or a
# sequence of bytes where each byte is a two-digit hex value.
:bf=/tftpboot/pgc:
This defines a single entry, for an ISOS System with Ethernet address 00:20:2b:00:04:85, which will be passed the IP address 192.168.219.194 and the filename /tftpboot/pgc. 192.108.219.94 is the IP address of the server (which the system will need for tftp access). Note that pgctest is a dummy hostname; it will not be sent to the bootp client and simply marks the start of the entry. To send the hostname, there should be a tag hn: in the entry. The manual page for bootptab(5) explains in detail all of the options available.
6.4.4
Make the files you wish to boot available to tftpd
The filename entry in the file /etc/inetd.conf defines the location of the file that will be used to boot the ISOS System. By convention, the location is always specified as the /tftpboot directory. Instead of copying files to this location, it is usual to create a symbolic link from this directory to the actual file to be used to boot. A symbolic link can be created using the ln -s command. For example, to link the file flash.bin in the directory /home/jjf to the /tftpboot directory, enter:
ln -s /home/jjf/flash.bin /tftpboot/
Listing the contents of the /tftpboot directory will show the symbolic link to the flash.bin file:
lrwxrwxrwx 1 root root 19 Jul 11 15:52 flash.bin -> /home/jjf/flash.bin
6.4.5
Restart inetd
Restart inetd on the server to make tftp and bootp services available. This can be done by typing:
kill -SIGHUP <pid>
where <pid> is the process identifier of the inetd process. Alternatively, rebooting the server is the simplest way of ensuring that all the services become available in the right order. The ISOS System can now be booted on the network. For more information, refer to Booting an ISOS System over the network on page 109.
6.5
Obtain and install Bootp and TFTP software.
Configure the Bootp application.
Configure the TFTP server.
Make the files you wish to boot available to tftpd.
6.5.2
Downloading and Installing Bootp/TFTP software
For more information on where to download suitable Bootp/TFTP software, refer to What additional software applications are needed? on page 20. The rest of this procedure provides instructions for setting up the Bootp server provided by Weird Solutions and TFTP Server from Walusoft. Although you may be using different software, it is likely that the setup procedure will be similar.
6.5.3
Configure the Bootp server
To configure the Bootp server, follow the procedure below:
1 Start the Bootp application, from: Start > Programs > Weird Solutions > Bootp Server 95
2 Choose Service > Properties. The Bootp Server 95 properties window is displayed.
3 Click on the Clients tab.
5 6 7 8 9
Enter the MAC address of the ISOS System in the Hardware Address edit field. Select <no template> from the Template drop-down list box. Double-click on Boot file in the Available options list box. The Boot file option will move to the Configured options list box. Select the Boot file option and click on the Edit button alongside the Value field. The Boot file dialog box is displayed.
10 Enter the complete path and filename of the binary image file that the ISOS System should boot in the Boot file field.
11 Click on OK.
Enter the size of the boot file (in bytes) in the Boot file size dialog box. (You can find out the size of the boot file by right-clicking on the file in Explorer and choosing Properties from the menu displayed.)
13 Select the IP address option and click on the Edit button alongside
The Bootp server is now configured. This will allow the ISOS System to initiate the appropriate TFTP request for its boot file.
6.5.4
Configure the tftp server
The installation instructions included with the download from Walusoft enable you to install a TFTP server that is very easy to set up. Once the installation is complete, the boot file simply needs to be located exactly as specified in the Boot file option as configured in the BOOTP application, and the TFTP server should not have any restrictions on outbound files. This is the default TFTP server configuration.
6.5.5
Make the files you wish to boot available to tftpd
After you have built an image, you must copy the flash.bin file to this directory so that the file can then be downloaded to the ISOS System. The ISOS System can now be booted on the network. For more information, refer to Booting an ISOS System over the network on page 109.
6.6
Enter a terminal session with the ISOS System using a suitable Terminal program such as HyperTerminal.
Start the TFTP program.
Reset the ISOS System by pressing the Reset button on the front panel of the ISOS System.
Booting from Ethernet or USB (auto-select)
boot reply IP 192.168.234.2 Server 192.168.234.1 ()
Booting 'tftpboot\flash.bin'
................................................................
................................................................
................................................................
................................................................
................................................................
rest of system start-up messages ... completing when the login prompt is displayed:
Login:
The ISOS System has been successfully booted if the information above is displayed on the Terminal. Refer to Using the CLI on page 125 for information about logging in to the system. If the booting procedure fails, you will be returned to the following prompt on the Terminal:
He>
Refer to the section Troubleshooting on page 113 for more information about the possible causes of the problem.
6.6.2
UNIX procedure
To boot the ISOS System over the network, follow the procedure below. The procedure assumes that the ISOS System is connected to a UNIX computer:
Start a terminal session with the ISOS System from the computer, using a suitable Terminal program. (For more information on the Terminal programs which can be used, refer to What additional software applications are needed? on page 20.) To enter a Terminal session using the ISOS tool gdbterm, enter the following command from a Terminal window:
gdbterm -s /dev/ttyS0
Reset the ISOS System by pressing the Reset button on the front panel of the ISOS System.
Booting from Ethernet or USB (auto-select)
boot reply IP 192.168.234.2 Server 192.168.234.1 ()
Booting 'tftpboot\flash.bin'
................................................................
................................................................
................................................................
................................................................
................................................................
rest of system start-up messages ... completing when the login prompt is displayed:
Login:
The ISOS System has been successfully booted if the information above is displayed on the Terminal. Refer to Using the CLI on page 125 for information about logging in to the system. If the booting procedure fails, you will be returned to the following prompt on the Terminal:
He>
Refer to the section, Troubleshooting on page 113 for more information about the possible causes of the problem.
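BOOTP and TFTP replies are not authenticated, so the boot reply line in the console output is the only record of which server supplied the image. The following script is an added example, not part of the ISOS Tools release: it classifies a captured console log and checks the boot server and file against expected values. The function names and the idea of an expected-server check are assumptions; the sample lines are the console messages shown in this chapter.

```shell
#!/bin/sh
# Added example (not part of the ISOS Tools release): classify a captured
# boot console log and check where the image came from.

# Sample capture, built from the console messages shown in this guide.
sample_network_log() {
    cat <<'EOF'
Booting from Ethernet or USB (auto-select)
boot reply IP 192.168.234.2 Server 192.168.234.1 ()
Booting 'tftpboot\flash.bin'
EOF
}

# boot_source LOGFILE
# Prints one of:
#   flash                                     network boot disabled
#   network <client-ip> <server-ip> <file>    image fetched from a boot server
#   prompt                                    operator was asked for a source
#   unknown                                   none of the known messages found
boot_source() {
    bs_log=$1
    if grep -q 'Network boot disabled' "$bs_log"; then
        printf '%s\n' flash
        return 0
    fi
    bs_reply=$(grep -o 'boot reply IP [0-9.]* Server [0-9.]*' "$bs_log" | head -n 1)
    if [ -n "$bs_reply" ]; then
        # Words: boot reply IP <client> Server <server>
        set -- $bs_reply
        bs_file=$(sed -n "s/.*Booting '\([^']*\)'.*/\1/p" "$bs_log" | head -n 1)
        # printf, not echo: the file name may contain a backslash.
        printf 'network %s %s %s\n' "$4" "$6" "$bs_file"
        return 0
    fi
    if grep -q 'Boot from Ethernet, USB or Flash' "$bs_log"; then
        printf '%s\n' prompt
        return 0
    fi
    printf '%s\n' unknown
}

# check_boot LOGFILE EXPECTED_SERVER EXPECTED_FILE
# Returns 0 if the system booted from Flash, or from the expected server and
# file; otherwise prints an alert on stderr and returns 1.
check_boot() {
    cb_src=$(boot_source "$1")
    case $cb_src in
        flash) return 0 ;;
        network\ *)
            cb_rest=${cb_src#network * }      # drop "network <client-ip> "
            [ "$cb_rest" = "$2 $3" ] && return 0 ;;
    esac
    printf 'ALERT: unexpected boot source: %s\n' "$cb_src" >&2
    return 1
}
```

A log that ends at the He> prompt contains none of these messages after the failure and is reported as unknown or prompt, which check_boot treats as a failure.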
6.7
Troubleshooting
This section contains some information which may help you to diagnose any problems that you have with booting the ISOS System over the network.
6.7.1
Diagnostic information
You should be aware of the useful information that is displayed during the booting sequence. Information is shown about the Board Support Package (BSP) and the Chip Support Package (CSP) which has been used to build the image. In the examples below, V2.3 of the Helium 100/2xx CSP and V2.0 of the BD6000 BSP have been used to build the image, using ISOS Release 8.2:
BSP: BD6000 BSP v2.0 (ISOS 8.2)
CSP: Helium 100/2xx CSP v2.3 (ISOS 8.2)
V2.3 of the Helium 100/2xx CSP and V2.0 of the DM8010 BSP have been used to build the image, using ISOS Release 8.2:
For more information about BSP and CSP releases, refer to Downloading ISOS software packages on page 29.
6.7.2
Whether BOOTP/DHCP needs to be gatewayed
By default, BOOTP/DHCP requires that the client and server be on the same subnet. It is usually easiest to go along with this, but if the restriction is unacceptable, BOOTP and DHCP servers generally include a gateway server or the option to configure the main server as a gateway server. The gateway server will forward BOOTREQUEST packets to a specified BOOTP/DHCP server.
6.7.3
Permissions on tftpboot directory
The permissions on the /tftpboot directory must allow the tftpd server to search for and read files, otherwise the ISOS System will print a message such as:
Error 0x0002: Access violation
when trying to load the boot image. Typically, a permission mask of 755 on the /tftpboot directory will be satisfactory where users are not allowed to create files on an ad hoc basis.
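Because the boot images are usually symbolic links into a user's directory, the Access violation error can also come from the link target or one of its parent directories rather than from /tftpboot itself. The script below is an added example, not part of the ISOS Tools release, that checks all three. It assumes tftpd runs as an unprivileged user such as nobody (as in the inetd.conf entry) that neither owns the files nor shares their group, so only the "other" permission bits apply; the function names and the optional stop-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the ISOS Tools release): audit a TFTP boot
# directory for the causes of "Error 0x0002: Access violation".
# Assumption: tftpd runs as an unprivileged user such as "nobody" that neither
# owns the files nor shares their group, so only the "other" mode bits apply.
# Usage: check_tftpboot /tftpboot

FINDINGS=0

# Print the three "other" permission characters of a path, e.g. "r-x".
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

report() {
    printf 'FINDING: %s\n' "$*"
    FINDINGS=$((FINDINGS + 1))
}

# unsearchable_parent FILE STOP
# Walk from the parent of FILE up to (not including) STOP, or up to and
# including "/" when STOP is empty. Print the first directory the tftpd user
# cannot search and return 0; return 1 if every directory is searchable.
unsearchable_parent() {
    up_dir=$(dirname -- "$1")
    up_stop=$2
    while [ "$up_dir" != "$up_stop" ]; do
        case $(other_bits "$up_dir") in
            ??[xt]) ;;                        # o+x (t = sticky bit plus x)
            *) printf '%s\n' "$up_dir"; return 0 ;;
        esac
        [ "$up_dir" = / ] && break
        up_dir=$(dirname -- "$up_dir")
    done
    return 1
}

# check_tftpboot DIR [STOP]
# Sets FINDINGS to the number of problems; returns 0 only when there are none.
check_tftpboot() {
    ct_dir=$1
    ct_stop=${2:-}
    FINDINGS=0
    if [ ! -d "$ct_dir" ]; then
        report "$ct_dir is not a directory"
        return 1
    fi
    ct_bits=$(other_bits "$ct_dir")
    case $ct_bits in
        r?[xt]) ;;
        *) report "$ct_dir: tftpd cannot read and search it (mode 755 expected)" ;;
    esac
    case $ct_bits in
        ?w?) report "$ct_dir: world-writable, any local user can replace a boot image" ;;
    esac
    for ct_entry in "$ct_dir"/*; do
        # Skip the unexpanded pattern of an empty directory, keep dangling links.
        [ -e "$ct_entry" ] || [ -L "$ct_entry" ] || continue
        ct_target=$(readlink -f -- "$ct_entry" 2>/dev/null) || ct_target=
        if [ -z "$ct_target" ] || [ ! -f "$ct_target" ]; then
            report "$ct_entry: dangling link or not a regular file"
            continue
        fi
        ct_tbits=$(other_bits "$ct_target")
        case $ct_tbits in
            r??) ;;
            *) report "$ct_entry: $ct_target is not world-readable" ;;
        esac
        case $ct_tbits in
            ?w?) report "$ct_entry: $ct_target is world-writable" ;;
        esac
        if ct_bad=$(unsearchable_parent "$ct_target" "$ct_stop"); then
            report "$ct_entry: tftpd cannot search $ct_bad"
        fi
    done
    [ "$FINDINGS" -eq 0 ]
}
```

A typical finding is a home directory with mode 700: the link in /tftpboot looks correct, but tftpd cannot reach the image behind it.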
This chapter describes how to configure the booting of an ISOS System. For more information on booting an ISOS System, refer to Booting the ISOS System in Gateway mode on page 99 and Booting the ISOS System in PC-attached mode on page 111.
7.1
Introduction
This chapter describes how to configure the booting of an ISOS System. Booting the ISOS System is multi-faceted due to the need to boot the two processors contained in the Helium communications processor and to allow for flexibility in how an image is provided. Several images are involved: the Serial boot ROM image is the first code that is run on power-up of the ISOS System; the boot sequence then moves to an NP boot image and a PP boot image and finally the NP and PP run-time images are entered.
If a Serial ROM is fitted in the ISOS System, the system can be booted from the following sources:
Booting over the network (using BOOTP/TFTP) via an Ethernet connection.
Booting from Flash memory.
Booting from USB.
Booting from UART (Serial port).
If a Serial ROM is not fitted on the ISOS System then the Boot ROM contained in Flash is used. This will boot the system from Flash or over the network. But note that USB booting out of Flash is not supported.
The body of code that performs network booting resides in the Serial ROM. It is built using the system file serialboot_main. The Boot ROM software in Flash can be built using the system file flash-rewrite. For more detailed information about the booting process, refer to DO-007286-TC, Helium Boot Procedure.
7.2
Assumptions
The configuration options described in this section assume you are using V3.12 or later of the Serial ROM update utility. For more information on how to upgrade your Serial ROM with the latest version of software, refer to Upgrading Serial ROM on page 404.
7.3
Overview
This section provides an overview of the boot options for an ISOS System fitted with a Serial ROM and without a Serial ROM.
The Serial ROM (EEPROM) can be configured using the following command with suitable options:
configeeprom
The Boot ROM in Flash is configured using the following command with suitable options:
configflash
When the Serial ROM is fitted all configflash options are ignored. The Serial ROM must be removed from the system before the configflash options will take effect.
7.3.1
Serial ROM boot settings
The following table describes the various booting configuration options which are provided for an ISOS System with a Serial ROM installed:
Boot source configeeprom serialboot Flash Network Ethernet USB
Prompt for the boot source each time the system is rebooted. When Flash Boot source is used X No USB boot out of Flash
Table 25: Booting configuration options
The serialboot option determines the boot source used to boot the ISOS System. The netboot option is used to determine how the system will be booted from Flash if the boot source to be used is configured as Flash by the configeeprom setting or because the normal boot sequence has been interrupted (by pressing * on the keyboard attached to the Serial port of the system and telling the system to boot from Flash). If netboot is set to Yes, the system boots over Ethernet via tftp. If netboot is set to No (the default setting), the system boots from Flash. Note that if booting from Flash fails you can also manually download an image over the network using the Boot ROM tftp command. For more information, refer to Using tftp to download an image from the network on page 123.
7.3.2
Boot from Flash options
To ensure that your ISOS System will always boot from Flash, you need to set the following options in the Serial ROM and Boot ROM:
configeeprom serialboot no
configeeprom netboot no
7.3.3
Boot from Network options
To ensure that your ISOS System will always attempt a network boot via Ethernet or USB you need to set the following options in the Serial ROM and Boot ROM:
configeeprom serialboot yes
configflash netboot yes
You can force network booting from a particular network source by changing the serialboot option in the Serial ROM:
configeeprom serialboot usb
to always attempt to boot from USB.
configeeprom serialboot eth
to always attempt to boot from Ethernet.
The above options are described in more detail in the later sections of this chapter which describe the procedure to follow to configure booting.
7.4
7.5
Press the Reset button on the ISOS System, while holding down the [*] key on your computer keyboard's numeric keypad. The following prompt is displayed:
Boot from Ethernet, USB or Flash (E/U/F)?
Press the appropriate key to specify which location you wish to boot from:
Press E to boot from Ethernet.
Press U to boot from USB.
Press F to boot from Flash.
The ISOS System will attempt to boot from the location specified.
Note: This boot setting is temporary; it will only apply for this session. If you reset the system, the ISOS System will run the boot sequence from its permanently configured source in the Serial ROM.
7.6
Press the Reset button on the ISOS System while holding down the space-bar on the keyboard of the PC connected to the ISOS System. Keep holding down the space-bar as the ISOS System boots up. The ISOS System will boot up normally and then drop down to the Boot ROM console prompt:
SDRAM size = 0x800000
Key pressed, stopping boot.
Entered console ... User request.
]
At the boot prompt, enter:
configeeprom serialboot ask
This command sets the Serial ROM to prompt for a boot source each time that it boots up.
Press the Reset button. After a short wait, the ISOS System will prompt you to specify the boot source, as shown below:
He100/He2xx Family Ethernet / USB boot v3.12
MAC 00:20:2b:80:0e:80
SDRAM 0x01000000 bytes
Boot from Ethernet, USB or Flash? (E/U/F)
Press the appropriate key to specify which location you wish to boot from:
Press E to boot from Ethernet.
Press U to boot from USB.
Press F to boot from Flash.
The ISOS System will attempt to boot from the location specified.
7.7
Press the Reset button on the ISOS System, while holding down the space-bar on the keyboard of the PC connected to the ISOS System. Keep holding down the space-bar as the ISOS System boots up. The ISOS System will boot up normally and then drop down to the Boot ROM console prompt:
SDRAM size = 0x800000
Key pressed, stopping boot.
Entered console ... User request.
]
To disable network booting, enter:
configeeprom serialboot no
configeeprom netboot no
This command disables network booting in both the Serial ROM and Boot ROM.
Press the Reset button. After a short wait, the ISOS System will attempt to boot from Flash memory, as shown below:
]
He100/He2xx Family Ethernet / USB boot v3.9
Network boot disabled: trying flash or UART
If a valid boot image is found in Flash memory, the ISOS System will use this to boot. If no valid boot image is found in Flash, it will then attempt to load a boot image over the Serial port (UART).
7.8
Press the Reset button on the ISOS System, while holding down the space-bar on the keyboard of the PC connected to the ISOS System. Keep holding down the space-bar as the ISOS System boots up. The ISOS System will drop down to the Boot ROM console prompt:
SDRAM size = 0x800000
Key pressed, stopping boot.
Entered console ... User request.
]
At the boot prompt, enter:
configeeprom serialboot yes
This will configure the system to attempt to boot over the network from either USB or Ethernet, depending on the response time of the USB host or TFTP boot server. To force booting from either USB or Ethernet only, you can enter:
configeeprom serialboot usb
or
configeeprom serialboot eth
for USB or Ethernet booting respectively.
Press the Reset button. The ISOS System will now attempt to boot over the network.
For more information about other useful Serial EEPROM Console commands, refer to DO-007286-TC, Helium Boot Procedure.
7.9
Press the Reset button on the ISOS System, while holding down the space-bar on the keyboard of the PC connected to the ISOS System. Keep holding down the space-bar as the ISOS System boots up. The ISOS System will drop down to the Boot ROM console prompt:
SDRAM size = 0x800000
Key pressed, stopping boot.
Entered console ... User request.
]
At the boot prompt, enter:
tftp
The image is downloaded.
At the boot prompt, enter:
quit
The ISOS System will now boot up using this image.
This chapter provides information about how to use the ISOS Command Line Interface (CLI).
8.1
Introduction
This chapter describes how to use the Command Line Interface (CLI). It describes the CLI commands available which provide useful information about the configuration or performance of the ISOS System. For more information on all the commands available and their options, refer to DO-009430-PS, ISOS (8.2) CLI Reference Manual.
8.1.1
What is the CLI?
The CLI is the Command Line Interface for configuring ISOS modules. It largely replaces the console commands that were provided in earlier releases of ISOS. For information on the relationship between the CLI and the console commands, see Using CLI and Console Commands on page 128. For detailed information on the structure of the Unified CLI, see the ISOS CLI Specification: DO-008362-PS. Some console commands are available for use if you have appropriate access permissions set. For details of access permissions, see Access permissions to the CLI on page 129.
8.2
where ttys0 refers to Serial Port 0 on the computer attached to the serial port of the ISOS System.
You can also use gdbterm to start a console session via a terminal server. For example, to connect to an ISOS System via a terminal server called spider1 at port 2064, enter:
gdbterm t spider1 2064
By default, gdbterm listens on TCP/IP socket 1042. This can be changed using the -g option. For more information about gdbterm, refer to the manual page gdbterm(1). The manual page for gdbterm can be displayed on the screen by entering:
man gdbterm
8.2.2
Using Terminal programs
There are many terminal applications provided which can be used to start a console session with the ISOS System. The most popular applications available for each platform are shown below:
Minicom; available with most Linux distributions.
HyperTerminal; available with most Windows distributions.
Refer to the documentation provided with each application for more information on how to set up a terminal session from your computer to the ISOS System.
8.3
This is the only user ID which is set up on the system by default. An admin user has super-user level access, so you can create new user IDs and access permissions from this account. To see the settings for the admin user enter:
system list users
8.4
The system logs out the current user and displays the Login: prompt:
Logging out GlobespanVirata Login:
8.5
Console commands - some console commands have not been replaced by CLI commands. Users with appropriate access permissions (see Access permissions to the CLI on page 129) can enter console mode from the CLI and use the console commands. For details of how to enter console mode, see Entering console commands from the CLI on page 137.
There are two types of console command, and different access permissions exist for each type of command:
Usable commands - console commands which do not change or affect the system. Most of these commands are read-only commands which provide status information and do not configure any part of ISOS.
Blacklisted commands - console commands which can lead to inconsistencies between the information model and the underlying system; they should be used with extreme caution.
Details of which category each command belongs to can be found in DO-009430-PS, ISOS (8.2) CLI Reference Manual.
8.5.1
Access permissions to the CLI
There are three access level options for CLI users:
default user - can use CLI commands; cannot use usable console commands or blacklisted console commands.
engineer - can use CLI commands and usable console commands; cannot use blacklisted console commands.
super user - can use CLI commands, usable console commands and blacklisted console commands. Can also set up user login accounts, save backup configuration and restore factory settings.
8.5.2
CLI Command Groups
Each ISOS module included in an image file will have an associated group of commands available in the CLI for configuring the module. All commands in a group start with the same command string. For example, all router configuration commands start with ip. The typical CLI command groups included in an ISOS image are as follows:
CLI Group | Command string begins: | Used to:
router configuration | ip | Add, configure and remove IP interfaces
bridge configuration | bridge | Add, configure and remove bridge interfaces
ethernet configuration | ethernet | Create and remove ethernet transports and provide statistics
RFC1483 configuration | rfc1483 | Create, configure and remove RFC transports
IPoA configuration | ipoa | Create, configure and remove IP over ATM transports
CLI Group
Used to: Create, configure and remove PPPoA server and client transports Create, configure and remove PPTP tunneling configurations. Defines the DHCP network topology Add, change and remove DHCP client interface declarations Add and remove DHCP server addresses Add and remove DNS server addresses Add and remove DNS client addresses Enable the security module, create, configure and remove security interfaces and create/configure triggers Enable/disable NAT objects, create, configure and remove global address pools and reserve mappings Create, configure and remove port filters and validators. Control Intrusion Detection settings Enable and disable auto provisioning and check its status Control the operation and check the status of the webserver Display and delete existing transport configuration details
PPPoA configuration
PPTP configuration DHCP server configuration DHCP client configuration DHCP relay configuration DNS relay configuration DNS client configuration
Security configuration
security
NAT configuration
nat
Firewall configuration
firewall
130
ISOS (8.2 Service Release 2) User Guide DO-009467-PS (Issue 4, 6th Dec 2002)
Used to: Access console commands Configure and display port information
For a comprehensive list of the modules which can be included in an ISOS image, refer to ISOS Module Configuration files on page 444.
8.5.3 CLI terminology
In order to use the CLI commands, you need to understand the following CLI terms:
Transport: A transport is a layer 2 session and everything below it. You can create a transport and attach it to a bridge or router so that data can be bridged or routed via the attached transport. For an example, see Attaching a transport to an interface on page 132. The CLI supports the following transports: PPPoA, PPPoE, PPPoH, RFC1483, IPoA and Ethernet. (For more information on transport protocols, see Encapsulations on page 438.)
Interface: Bridges and routers both have interfaces. A single transport is attached to a bridge or router via an interface. For an example, see Attaching a transport to an interface on page 132.
Object: An object is anything that you can create and manipulate as a single entity, for example, interfaces, transports, static routes and NAT rules.
List: Objects are numbered entries in a list. For example, if you have created more than one IP interface, the following command:
ip list interfaces
produces a list of numbered interface objects. Object numbers are displayed in the first column under the heading ID. For example:
IP Interfaces:
ID | Name | IP Address | DHCP | Transport
------------------------------------------------------------------
Attaching a transport to an interface
To attach a transport to a bridge or router, you need to:
1. Create a transport. In the following command, an Ethernet transport is created and named eth2, and the port name is specified (ethernet):
ethernet add transport eth2 ethernet
2. Create an interface. In the following command, a bridge interface is created and called myinterface:
bridge add interface myinterface
3. Attach the transport to the interface. In the following command, the eth2 Ethernet transport is attached to the myinterface bridge interface:
bridge attach myinterface eth2
8.5.4 CLI conventions
The CLI uses standard, intuitive command names that can be used in different instances:
Add: Use this command to add and name objects (e.g., interfaces or transports). The add command requires attributes to be specified as arguments in a certain order. For example, to create an Ethernet transport, you need to specify the transport name and system port:
ethernet add transport <name> <port>
Delete: The delete command deletes named objects or numbered objects (as displayed using the list command):
ethernet delete transport {<name>|<number>}
Clear: The clear command deletes ALL named entities that belong to an object, for example, the following command:
firewall clear policies
deletes all of the policy objects that belong to the Firewall. You should use the clear command with caution - the above example also deletes all validators and portfilters that belong to the policies.
Set: The set command changes a value or multiple values within the system, for example:
ip set interface {<name>|<number>} ipaddress <ipaddress>
Show: The show command lists current configuration and statistics for an object or module. For example, the command:
dhcpserver show subnet {<name>|<number>}
may give the following output, depending on your DHCP server configuration:
Global DHCP Server Configuration:
Status: ENABLED
Default lease time: 43200 seconds
Max. lease time: 86400 seconds
8.5.5 Help with completing CLI commands
Tab-completing keywords
You can tab-complete unique keywords in CLI commands. For example, if you type the first few characters of a keyword in a command, then press the [Tab] key:
ethernet add t[Tab]
Note: The tab-completion facility works with fixed CLI keywords. It does not work with any CLI objects that you create or edit, such as transport names.
Command syntax options
If you type a command keyword and want to find out what the next syntax options are, type [Spacebar]?. For example:
ethernet ?
displays a list of valid keywords that you can use after ethernet:
add delete set show list clear
For more information on using the CLI to configure the ISOS System, refer to Configuring the ISOS System in Gateway mode on page 235. You can also enter:
help
This command displays some general help information about the CLI.
8.5.6 Using the source CLI command
The source <filename> command allows you to run a list of predefined commands stored in an existing file. This saves you having to retype lengthy configurations when you want to use them again. Before you can use this command, you need to create a file containing the command list and save it in your ISFS directory. Once you specify the filename in the source command, the file is located and the commands are executed. For example:
prompt> source //isfs/myconfigfile.txt
8.5.7 Adding new CLI commands
You can create CLI commands that configure and read values and attributes that you have defined. For information on how to do this, see the ISOS Management Developers Guide: DO-008640-PS.
8.6
For example:
system add user fred user with dialin access
a login user who can login to the system. To add a login user, use the command:
system add login <name> [comment]
For example:
system add login joe user with login access
---|--------|----------|----------|------------|-----------------------1 | joe 2 | fred 3 | admin | ENABLED | disabled | default | default | user with login access | user with dialin access | Default admin user
| disabled | superuser
------------------------------------------------------------------------
By default, both new users are given a default access level as described in Access permissions to the CLI on page 129.
8.7
Note that no check is made for any current password which may have been set for the user. If you wish to change the password for another user, enter the command:
user change <name>
This command logs you into the system as another user. You can then use the user password command to change the password for this user. Note that changing to another user means that you lose all superuser privileges. Note that only superusers can use the user change command.
8.8
system set user <name> access {default|engineer|superuser}
system set user <name> maydialin {enabled|disabled}
system set user <name> mayconfigure {enabled|disabled}
Note that only superusers can use the user change command.
8.8.1 Controlling login access
To set user access permissions for a user that has been added to the system using the system add login command, enter the command:
system set login <name> access {default|engineer|superuser}
8.8.2 Controlling user access
To set user access permissions for a user that has been added to the system using the system add user command, enter the command:
system set user <name> access {default|engineer|superuser}
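The access rules in 8.5.1 and the user change behaviour described above can be expressed as one authorization check. The following Python model is an added example, not ISOS code. Its assumptions: the split of console commands into usable and blacklisted is hypothetical (the guide defers it to DO-009430-PS), the text after console is treated as the console command, and a session that has used user change is capped at engineer level.

```python
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    DEFAULT = 0     # "default user"
    ENGINEER = 1
    SUPERUSER = 2   # "super user"


# Minimum access level per command category, as listed in section 8.5.1.
REQUIRED = {
    "cli": Access.DEFAULT,
    "usable_console": Access.ENGINEER,
    "blacklisted_console": Access.SUPERUSER,
    "superuser_only": Access.SUPERUSER,
}

# CLI operations the guide reserves for superusers: account setup,
# configuration backup, factory restore and 'user change'.
SUPERUSER_ONLY = (
    ("system", "add", "login"), ("system", "add", "user"),
    ("system", "set", "login"), ("system", "set", "user"),
    ("system", "delete", "login"), ("system", "delete", "user"),
    ("system", "config", "backup"),
    ("system", "config", "restore", "factory"),
    ("user", "change"),
)

# ASSUMPTION: this split of console commands is hypothetical. The guide
# defers the real usable/blacklisted lists to DO-009430-PS.
USABLE_CONSOLE = (("enable",), ("process", "event", "show"), ("fm", "fsinfo"))


def _matches(tokens, prefixes):
    return any(tokens[:len(p)] == p for p in prefixes)


def classify(tokens):
    """Return the category of a tokenised command line."""
    if tokens[:1] == ("console",):
        # Console commands not explicitly listed as usable are treated as
        # blacklisted, so an unknown command fails closed.
        if _matches(tokens[1:], USABLE_CONSOLE):
            return "usable_console"
        return "blacklisted_console"
    if _matches(tokens, SUPERUSER_ONLY):
        return "superuser_only"
    return "cli"


@dataclass
class Account:
    name: str
    access: Access = Access.DEFAULT   # new accounts get the default level


class Session:
    """One CLI session over a shared account table (name -> Account)."""

    def __init__(self, accounts, login_name):
        self.accounts = accounts
        self.user = login_name
        self.level = accounts[login_name].access

    def run(self, line):
        """Return 'ok', 'denied' or 'error' for one command line."""
        tokens = tuple(line.split())
        if self.level < REQUIRED[classify(tokens)]:
            return "denied"
        kind = tokens[2] if len(tokens) > 2 else ""
        if tokens[:2] == ("system", "add") and kind in ("login", "user"):
            if len(tokens) < 4:
                return "error"
            self.accounts[tokens[3]] = Account(tokens[3])
        elif (tokens[:2] == ("system", "set") and kind in ("login", "user")
              and len(tokens) == 6 and tokens[4] == "access"):
            target = self.accounts.get(tokens[3])
            level = tokens[5].upper()
            if target is None or level not in Access.__members__:
                return "error"
            target.access = Access[level]
        elif tokens[:2] == ("user", "change"):
            if len(tokens) != 3 or tokens[2] not in self.accounts:
                return "error"
            # The session continues as the target user and all superuser
            # privileges are lost, whatever level the target account holds.
            self.user = tokens[2]
            self.level = min(self.accounts[tokens[2]].access, Access.ENGINEER)
        return "ok"


def demo():
    """Replay a constructed session; return (results, final user name)."""
    session = Session({"admin": Account("admin", Access.SUPERUSER)}, "admin")
    script = [
        "system add login joe user with login access",
        "system set login joe access engineer",
        "user change joe",
        "ip list interfaces",
        "console process event show",
        "console fm rm old.txt",                  # not on the usable list
        "system config backup",
        "system set login joe access superuser",  # no self-promotion
        "user change admin",                      # no way back
    ]
    return [(line, session.run(line)) for line in script], session.user


if __name__ == "__main__":
    for line, outcome in demo()[0]:
        print(f"{outcome:7} {line}")
```

The last two commands in the constructed session show why user change is a one-way step: once the session has dropped to joe, it can neither raise joe's level nor switch back to admin.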
8.9
For example:
console process event show
This command enables the display of background output on your console device. To enter a series of console commands you can enter console mode. Enter the following CLI command:
console enable
You are now in console mode and can enter console commands.
Note: You must type the exit command at the root level of the console to return to the CLI.
8.9.2 Navigating the console
The console is structured in a hierarchical fashion. Entering a module name on the console drops you into this module. From this position, any commands which are then typed are assumed to be commands specific to the module you have entered. To return to the top of the hierarchy, use the command home. For example, entering:
0:20:2b:0:75:20>fm
drops you into the fm module. This is indicated by the change in the console prompt:
0:20:2b:0:75:20 fm>
All commands that are now issued from this prompt refer to commands supported by the fm module. For example, entering the fsinfo command:
0:20:2b:0:75:20 fm>fsinfo
produces information about the file system:
File system: isfs
Total bytes: 2095006
Used bytes: 2095006
Dynamic allocation: TRUE
File system is valid
Entering the fsinfo command from the top of the hierarchy, outside the fm module, produces an error, as shown below:
0:20:2b:0:75:20>fsinfo
console: Unknown command 'fsinfo' - try 'help'
If you know the commands supported by a module, you can call them directly, prefixed with the module name. For example:
0:20:2b:0:75:20>fm fsinfo
For more detailed information about the console, refer to DO-007094-PS, VIRATA Console Functional Specification.
8.9.3 Obtaining help with command syntax
The console provides you with tips and help information at various stages. To find out the commands and modules available from the top of the hierarchy, type:
help
A list will be displayed showing the currently loaded modules and available commands. To find out about the console commands provided by a particular module, type:
help
after the module name. This will display a list of all the commands available for the module along with their syntax. For example, typing:
fm help
displays all of the options which can be used with this command:
Commands are: append fsinfo mv cat info rm cp ls version default md5
'.' repeats the last command Type "ip help all" or "ip help <command>" for more details
You can also obtain help on the arguments required for a particular command. For example, to obtain help on the arguments required for the ls command, enter:
fm help ls
ls [-l | -L] - list file system
You can also obtain help for all the commands. Enter the command:
fm help all
to display help information for all the commands in the fm module.
8.9.4 Further information
For more information about the console commands refer to the appendices in DO-009430-PS, ISOS (8.2) CLI Reference Manual.
This chapter describes how to configure the embedded web server, EmWeb, on your ISOS System.
9.1
Introduction
This chapter describes how to use EmWeb - the embedded web server in ISOS. It describes the content of EmWeb configuration pages. The example image that is used throughout this chapter is the image produced using the mkproduct command:
mkproduct usb-gateway bd6000
The image is downloaded to a BD6210 ISOS system. If you are using a different image or different hardware, the information displayed on EmWeb configuration pages may differ from those described here.
9.1.1 References to CLI commands
Configuring your product using EmWeb has the same effect as configuring it using the Command Line Interface (CLI). Throughout this chapter, you will see references to the CLI commands that provide functionality equivalent to EmWeb configurations. This allows you to refer to the ISOS 8.2 CLI Reference Manual: DO-009430-PS if you want further information about specific EmWeb configurations.
9.2
About EmWeb
For more information about the implementation of EmWeb in ISOS, refer to VMI Web Management Entity Architecture: DO-008274-TC.
9.3
Accessing EmWeb
To access EmWeb on an ISOS System that has been booted with an image containing a factory default configuration:
1. Attach a PC to one of the LAN interfaces.
2. At the console, type the following CLI command:
ip list interfaces
This command lists the default interfaces available, including the LAN interface that is attached to your PC. The default LAN IP address is 192.168.1.1.
3. At your web browser, enter the URL:
http://192.168.1.1
If you need to change the IP address of the LAN interface, use the following CLI command (with the correct values added):
ip set interface iplan ipaddress 192.168.1.1
then at your web browser, enter the new IP address as the URL.
The following page is displayed. This is the Status homepage for EmWeb on an ISOS System running a default usb-gateway image:
Figure 15 EmWeb Status homepage
The first time that EmWeb is launched during a session, a Welcome message is displayed at the top of the Status homepage. This message is replaced by the Status heading once the page is automatically or manually refreshed.
9.3.1 Logging in to EmWeb
The first time that you click on an entry from the left-hand menu, a login box is displayed. You must enter your username and password to access the pages. The default network login is the same as the login used at the CLI console. Type the following:
User Name: admin
Password: admin
Click on OK. You are now ready to configure your ISOS System using EmWeb.
9.4
9.5
Status section; see Status on page 146
Advanced Diagnostics; see Advanced Diagnostics on page 146
Port Connection Status; see Port Connection Status on page 146
WAN Status; see WAN Status on page 147
LAN Status; see LAN Status on page 147
Hardware Status; see Hardware Status on page 148
Defined Interfaces; see Defined Interfaces on page 148
9.5.1 Status
The Status section displays:
PPPoE Connection status (connected or disconnected). See Creating a PPPoE login on page 151.
the current WAN IP Address configuration. It also provides a WAN Settings hyperlink that allows you to create, modify or delete your WAN configuration. See WAN Connection on page 164 for details of how to do this.
the current Local IP Address configuration. It also provides a LAN Settings hyperlink that allows you to create, modify or delete your LAN configuration. See LAN connections on page 162 for details of how to do this.
9.5.2 Advanced Diagnostics
The Advanced Diagnostics section displays:
Connection Authentication details; this displays details about your current ISP login settings. It also provides a Login Settings hyperlink that allows you to create, modify or delete your existing login setup. See About the Quick Start page on page 149.
PPPoE Dial-On-Demand status; this displays whether you can dialin to the system using PPPoE. To configure this setting, see About the Quick Start page on page 149.
9.5.3 Port Connection Status
This section displays information about your port connections:
Port; the ports available on your ISOS System
Type; the kind of traffic that can be transported on each port
Connected; which of the ports on your ISOS System are currently connected:
represents a port that is not connected
represents a port that is connected
Line State; DSL connection status
For information on how to configure ports, see Ports on page 199.
9.5.4 WAN Status
This section displays the following status information about your WAN configuration:
IP Address Type; whether the WAN IP address is used or the address is obtained dynamically from DHCP. See WAN Connection on page 164.
WAN Subnet Mask
Default Gateway; whether DHCP server has been configured to give out the WAN IP address as the default Gateway address. See DHCP Server on page 171.
Primary DNS; whether a Primary DNS IP address has been set. See DHCP Server on page 171.
The WAN Status section also provides two hyperlinks:
IP Address Settings; this allows you to create, modify or delete your WAN configuration. See WAN Connection on page 164.
DNS Client Settings; this allows you to create, modify or delete your DNS Client configuration. See DNS Client on page 177.
9.5.5 LAN Status
This section displays the following status information about your Local Area Network settings:
LAN Subnet Mask
Act as Local DHCP Server (Yes/No)
MAC Address; this is the actual MAC address for the Ethernet block in the GlobespanVirata communications processor which is used in the ISOS System. You can configure the ISOS System to use the MAC address from the Ethernet NIC in the PC instead of its own MAC address. This is known as MAC Address Spoofing. For more information on how to clone the MAC address, refer to the MAC Spoofing Functional Specification: DO-009427-PS. If you have configured MAC spoofing on the ISOS System the MAC address shown in this table will not be changed. This table will always show the true MAC address of the ISOS System.
The LAN Status section also provides a DHCP Server Settings hyperlink that allows you to configure your DHCP server status. See DHCP Server on page 171.
9.5.6 Hardware Status
This section displays the following status information about your ISOS System:
Up-Time; the length of time (in hours:minutes:seconds) that your current session has been connected for
Version; information about the ISOS core software release which has been used to build the image running on your ISOS System, including:
the image version that you are booting, for example USB Hypergate
the ISOS System that the image is suitable for
the Board Support Package and Chip Support Package versions included in the image build
the release version number
For more information, refer to ISOS source software package on page 32.
Vendor; The name of the Vendor supplying the ISOS System. The default setting for this is GlobespanVirata.
9.5.7 Defined Interfaces
This section lists LAN interfaces that have been defined. For more information on defining LAN interfaces, see LAN connections on page 162. Each interface listed has a Show Statistics hyperlink associated with it. Click on this for detailed information about some/all of the following (depending on the interface type and configuration):
the interface connection details
Your ISOS System has default interfaces defined. These defaults depend on the type of image that you are building. For example, a BD6210 ISOS System booting a usb-gateway image has the following default interfaces:
--> ip list interfaces
IP Interfaces:
ID | Name | IP Address | DHCP | Transport
-------------------------------------------------------------------
The iplan interface is your default LAN connection over Ethernet. The ipwan interface is your default connection to the WAN. It uses PPPoE over ATM (RFC1483). To list the transports set for each of the interfaces, use the following command:
--> transports list
Services:
ID | Name | Type
-----|--------------|------------------------------------------------------
1 | iplan | Ethernet | TxPkts: 750/0 RxPkts: 475/0
2 | Rfc1483Up | RFC1483 | TxPkts: 0/0 RxPkts: 0/0
3 | PppoeUp | PPPoE | TxPkts: 2/0 RxPkts: 0/0
---------------------------------------------------------------------------
9.6
9.6.1
1. From the Login Type section, click on the No Login/DHCP radio button. Click on Apply. The DHCP Login Options form is displayed:
Figure 16
2. Complete the DHCP Login Options:
a. If you want your ISP server to automatically recognize your own host name, type a Special DHCP host name.
b. If you want LAN DHCP clients to use a specific domain name, type a Domain Name for Clients to send with DNS Requests.
3. Once you have configured DHCP login options, click on Apply. The Quick Start page is refreshed, and the following confirmation message appears near the top of the page:
Settings successfully changed
These actions have the same effect as typing the following CLI commands:
dhcpclient interfaceconfig add sent option host-name
dhcpserver subnet add option domain-name
dhcpclient update
dhcpserver update
9.6.2
From the Login Type section, click on the PPPoE Login radio button. Click on Apply. The PPPoE Login Setup form is displayed:
Complete the PPPoE Login Setup section to enable a user to login to the remote end:
a. PPPoE Username and Password; type a (dialout) username and password which will be required when PPP negotiation takes place and is supplied to the remote PPP server for authentication.
b. PPPoE Service Name; type the PPPoE tag that identifies a specific service acceptable to the PPPoE client.
c. Dial on Demand check box; check this box if you want PPPoE to automatically connect to TCP/IP whenever a user requests TCP/IP packets from public destinations.
d. Auto-disconnect idle time (secs); if you have checked the Dial on Demand box, type the length of time a PPPoE session connected to an ISP can remain idle before the session is disabled.
e. Keep-Alive check box; check this box if you want PPPoE to send regular Link Control Protocol (LCP) echo request frames. If no reply to the request is received, the PPP connection is torn down.
f. Domain Name for Clients to send with DNS Requests text box; type a domain name if you want LAN DHCP clients to use a specific domain name.
Once you have configured PPPoE login options, click on Apply. The Quick Start page is refreshed, and the following confirmation message appears near the top of the page:
Settings successfully changed
These actions have the same effect as typing the following CLI commands:
pppoe set transport username
pppoe set transport password
pppoe set transport servicename
pppoe set transport autoconnect
pppoe set transport idletimeout
pppoe set transport lcpechoevery
dhcpserver subnet add option domain-name
dhcpserver update
9.7
Backup/restore; allows you to backup your configuration and restore an existing configuration. See Backup/restore on page 156.
Restart; allows you to restart your ISOS System and optionally restore factory defaults. See Restart on page 157.
9.7.1 Error Log
The Error Log page is automatically displayed when a configuration error occurs. From the System menu, click on Error Log. The following page is displayed:
Figure 18
This page displays a table containing all configuration errors experienced by your ISOS System during a current session. The table also tells you:
when the error occurred (in seconds since your system was restarted)
which process the error occurred in
brief descriptions of the Error
9.7.2 One-click update
This allows you to use one-click to download new ISOS images from a remote HTTP server. You do not need to browse for the correct file to upload, which you must do when updating your system software using Update on page 155.
1. From the System menu, click on One-click update. The following page is displayed:
2. Click on the Next button. The Auto Update page is displayed. This page contains the following information:
Existing software version: the software version that you are currently using
Available software version: the software version available for download
Download from: the available software versions source address
Summary: description of downloadable source
Overview: URL that can be linked to a Web page detailing additional information about this software version.
3. To update device firmware, click on OK. The Firmware Update page is refreshed. The page contains two progress bars:
the first progress bar displays how long it is taking to fetch the new software version from the Web server.
once the software version has been retrieved, the second progress bar displays how long it is taking to write the new software version to Flash.
4. Once the file has been written to Flash, the Auto Update page is refreshed. The page confirms completion of the update and asks you to restart your ISOS System in order to use the new firmware. Click on Restart. See Restart on page 157.
For more information about one-click updating, see One-click Firmware Download Functional Specification: DO-009841-PS.
9.7.3 Remote Access
This allows you to enable temporary remote access to your ISOS System using Network Address Translation (NAT).
Note: In order to configure remote access, you first need to enable the firewall and create an external to internal firewall policy. For more information, see Security on page 180.
1. Once you have configured Security, from the System menu, click on Remote Access to display the following:
Figure 20
2. Type in the length of time that you want to allow remote access for.
3. Click on Enable. The Remote Access page is displayed, confirming the number of seconds remaining for remote access. There is also a Disable button that allows you to stop remote access before the specified time ends.
9.7.4 Update
This option allows you to upload firmware images to the ISOS System using HTTP. A .tar archive is uploaded to the RAM of your ISOS System. The archive is unpacked automatically, files are validated and then written to Flash memory.
1. From the System menu, click Update. The following page is displayed:
Figure 21
2. Type in the network location of the new firmware image that you want to upload, or use the Browse button to browse through the network and select the file. Click on Update.
Once the file has been uploaded to the RAM of your ISOS System, it is written to Flash. A status page is displayed confirming that the upload is complete and telling you how much of the file (in bytes and as a percentage) has been written to Flash.
Once the file has been written to Flash, the Firmware Update page is refreshed. The page confirms completion of the update and asks you to restart your ISOS System in order to use the new firmware. Click on Restart. See Restart on page 157.
Note: Updating your firmware could take up to 4 minutes to complete.
For more information on updating the firmware on your ISOS System, refer to Upgrading an ISOS System on page 403.
9.7.5 Backup/restore
This page allows you to backup your configuration to, or restore it from, your computer.
Backing up your configuration
1. From the System menu, click on Backup/restore. The following page is displayed:
From the Backup Configuration section, click on the Backup button. The File Download window is displayed. Click to select the Save this file to disk radio button.
From the Save As window, select a file in which to save your backup configuration. Click on Save.
These actions have the same effect as typing the following CLI command:
system config backup
From the System menu, click on Backup/restore.
In the Restore Configuration section, click in the Configuration File text box and type the network path of the file that you wish to restore. If you do not know the path details, click on the Browse button and locate the file using the Choose file box.
Click on the Restore button. The page is refreshed with a Configuration Restored message and details of the number of bytes uploaded.
These actions have the same effect as typing the following CLI command:
system config restore
9.7.6 Restart
This page allows you to restart your ISOS System. It has the same effect as resetting your ISOS System by pressing the appropriate reset button on the hardware.
1. From the System menu, click on Restart. The following page is displayed:
Figure 23
2. Click on the Restart button to reset the ISOS system. The Restart page also provides you with the option of restarting and restoring the factory default settings. Click in the Reset to factory default settings box to check it, then click on the Restart button. Read the console status output to check how the reset is progressing. Once the login and password prompt is displayed at the console, you can login as usual (with login = admin, password = admin), then refresh the browser that is running EmWeb. The Status page is displayed and your ISOS System has been reset.
The Restart button has the same effect as typing the following CLI command:
system restart
Checking the Reset to factory default settings check box has the same effect as typing the following CLI command:
system config restore factory
9.8
IP routes; allows you to create, edit and delete IP routes. See IP Routes on page 166.
ZIPB; allows you to enable, disable and configure the ISOS Zero Installation PPP Bridge. See ZIPB on page 168.
DHCP server; allows you to enable, disable and configure your DHCP server. See DHCP Server on page 171.
DHCP relay;
DNS client; allows you to enable, disable and configure DNS client. See DNS Client on page 177.
DNS relay; allows you to enable, disable and configure DNS relay. See DNS Relay on page 179.
Security; allows you to configure Security, Firewall, NAT and Intrusion Detection. See Security on page 180.
Ports; allows you to configure the ports available on your ISOS System. See Ports on page 199.
9.8.1
1. From the Configuration menu, click on Save config. The following page is displayed:
Figure 24
2. Click on the Save button to save your current configuration in the im.conf file in FlashFS. The Save button has the same effect as typing the following CLI command:
system config save
After a short time the configuration is saved and the following confirmation message is displayed:
Saved information model to file //flashfs/im.conf
9.8.2 Authentication
This option allows you to administer accounts for users who access the ISOS System. From the Configuration menu, click on Authentication. The following page is displayed:
Figure 25
Click on the Create a new user button. The following page is displayed:
Type details for the new user into the username, password and comment text boxes, and select a May login? option:
true means that the user can login but not dialin
false means that the user can dialin but not login
Click on the Create button. The Authentication page is displayed. The table now contains details for the user that you have just created.
The Authentication page table contains an Edit user hyperlink for each user account entry. Click on a link. The following page is displayed:
Figure 27 EmWeb Edit User page
This page allows you to:
2
update details for a specific user account. Modify the necessary text boxes then click on the Apply button.
delete a user account. Click on the Delete this user button.
Once you have edited or deleted a user account, the Authentication page is displayed and the table reflects any changes that you have made on the edit user page.
These actions have the same effect as entering the following CLI commands:
system list users
system list logins
system add login
system add user
system set login maydialin
system set user maydialin
system set login mayconfigure
system set user mayconfigure
system delete login
system delete user
ISOS (8.2 Service Release 2) User Guide DO-009467-PS (Issue 4, 6th Dec 2002) 161
9.8.3 LAN connections
This option allows you to:
- configure the IP address and subnet of the default LAN connection to the ISOS System.
- configure a secondary IP address on the same subnet as the primary IP address.
- create virtual interfaces; multiple virtual interfaces can be associated with the existing primary LAN interface.
From the Configuration menu, click on LAN connections. The following page is displayed:
Figure 28
IP address and subnet mask details of your primary LAN connection. To edit these details, click in the appropriate text box and type new primary address details. This has the same effect as entering the following CLI command (with the correct values added):

    ip set interface ipaddress
    ip set interface netmask

Secondary IP address details. To create/configure a secondary IP address, click in the Secondary IP Address text box and type new address details. This has the same effect as entering the following CLI command (with the correct values added):

    ip interface add secondaryipaddress
Once you have configured the IP address(es), click on the Apply button. A message is displayed confirming that your address information is being updated. If you have changed the primary IP address, you may need to enter the new address in your web browser address box.
Click on the Create a new virtual interface... hyperlink at the bottom of the LAN connections page. On the Create virtual interface page, type the IP address and netmask of the virtual interface, then click on the Apply button. The LAN connections page is displayed. The virtual interfaces section contains a table listing the names of the virtual interface(s). Each virtual interface is called item# by default. Each virtual interface name has an Edit and a Delete link associated with it.

To edit a service: Change the options for the existing virtual interface, then click on Change. The page is reset and the new values are displayed.

To delete a service: Click on the Delete link. Check the details displayed, then click on the Delete this connection button.

These actions have the same effect as entering the following CLI commands (with the correct values added):

    ip add interface
    ip attachvirtual
    ip set interface
    ip delete interface
For more information on virtual interfaces, see the ISOS IP Stack Feature and Interface Guide: DO-400072-TC.
9.8.4 WAN Connection
This option allows you to create and configure WAN connections for your ISOS System. You can also create virtual interfaces on routed services. From the Configuration menu, click on WAN connections. The WAN connections page is displayed:
Click on Create a new service. A page is displayed containing a list of WAN service options. The options available on this page are determined by the image which is running on the ISOS System. Select an option, then click on Configure. You need to add detailed configuration information about the WAN service that you are creating. Click on Apply. The WAN connections page is displayed. The table now contains details of the service that you have just created. Configuring the service type has the same effect as entering the following CLI command (with the correct values added):

    <module> add transport

and

    ip add interface
    ip attach

or

    bridge add interface
    bridge attach
Click on the Edit link for a specific service. The WAN connection: edit page is displayed. Change the values for the existing service. If you want to carry out advanced editing, click on the links at the top of the edit page. The links that appear depend on the type of service that you are configuring. For example, for an RFC 1483 routed service, you can choose from the following advanced editing links:
- Edit Service
- Edit RFC1483
- Edit Atm Channel
- Edit Ip Interface
- Edit Tcp Mss Clamp
- Edit Rip Versions
- Edit Nat Helper
Click on Change. The edit page is displayed and changes are applied to the service.
At the WAN connections page, click on the Delete link for a specific service. The WAN connection: delete page is displayed. Check the details displayed, then click on the Delete this connection button. This has the same effect as entering the following CLI commands (with the correct values added):

    ip delete interface

or

    bridge delete interface

Click on the Virtual I/f link for a specific service. The Virtual interface page is displayed. Click on the Create a new virtual interface... hyperlink. On the Create virtual interface page, type the IP address and netmask of the virtual interface, then click on the Apply button.
The WAN connections page is displayed. If you click on the Virtual I/f link, the Virtual interface page displays a table listing the names of existing virtual interfaces. Each virtual interface is called item# by default. This has the same effect as entering the following CLI commands (with the correct values added):

    ip add interface
    <module> add transport
    ip attachvirtual
9.8.5 IP Routes
This option allows you to create static IP routes to destination addresses via an IP interface name or a Gateway address. From the Configuration menu, click on IP routes. The Edit Routes page is displayed:
Figure 30
This page lists the following information about existing routes:
- Whether the route is valid or invalid
- Destination IP address
- Gateway address
- Netmask address
This has the same effect as entering the following CLI command:

    ip list routes
Editing a route
To edit the destination, gateway and netmask address of a route, click in the relevant text box, update the information then click on Apply. This has the same effect as entering the following CLI command (with the correct values added):

    ip set route destination
    ip set route gateway

To edit the cost and interface setting for the route, click on the Advanced Options hyperlink for a specific route and update the relevant information. Click on OK. This has the same effect as entering the following CLI command (with the correct values added):

    ip set route cost
    ip set route interface

Deleting a route
To delete an existing route, check the Delete? box for a specific route. Click on Apply. This has the same effect as entering the following CLI command (with the correct values added):

    ip delete route

Creating an IP V4 Route
Click on the Create new Ip V4 Route hyperlink. The following page is displayed:
Figure 31
Complete the Create IP v4 Route form in order to configure the route. Adding a route has the same effect as entering the following CLI command (with the correct values added):

    ip add route

and you can use the following CLI commands to set the properties of the route:

    ip set route destination
    ip set route cost
    ip set route gateway
    ip set route interface

When you have typed the details, click on OK. The Edit Routes page is displayed. The table now contains details of the route that you have just created. This has the same effect as entering the following CLI command:

    ip list routes
9.8.6 ZIPB
This option allows you to enable, disable and configure the ISOS Zero Installation PPP Bridge (ZIPB) on your ISOS System. From the Configuration menu, click on ZIPB. The following page is displayed:
- enable/disable ZIPB. Click on the Enable button. The ZIPB page is refreshed and the ZIPB status is changed to enabled. To disable ZIPB, click on the Disable button. This has the same effect as typing the following CLI commands:

    zipb enable
    zipb disable

- carry out advanced configuration of ZIPB.

Note: You must ensure that ZIPB is in a disabled state before you carry out any configuration changes. Once you have changed the configuration and clicked on OK, you can enable ZIPB and changes will be reflected in the configuration. Any changes made to the configuration while ZIPB is enabled will be ignored.

You can configure the following:
- select the LAN interface that ZIPB will run on. Click on the LAN interface drop down list and select an interface.
- select the WAN interface that ZIPB will run on. Click on the WAN interface drop down list and select an interface.
- set the Private LAN IP address. Type the address into the Private LAN IP address boxes. The private LAN IP address allows you to continue configuring the ISOS System via EmWeb pages. You should set the private LAN to the IP address entered as the URL in Accessing EmWeb on page 142.
- set the LAN IP address spoof method. Once a public IP address is assigned to the LAN PC, an IP address on the same subnet as the public IP address must be created and assigned to the ISOS System LAN interface. This option configures how the LAN interface IP address is created. Click on the LAN IP address spoof method drop down list and select one of the following:
  - Top of subnet - selects the highest available address in the subnet
  - Bottom of subnet - selects the lowest available address in the subnet
  - Increment - increments the assigned IP address by 1
  - Manual - uses the IP address specified in the Manual LAN IP address field.
- set the manual LAN IP address only if you selected Manual as your LAN IP address spoof method. Type the address into the Manual LAN IP address boxes.
- set the LAN subnet mask selection method. Click on the LAN subnet mask selection method drop down list and select one of the following:
  - Natural - uses the subnet mask of the assigned IP address
  - Manual - uses the netmask specified in the Manual LAN subnet mask field
- set the manual LAN subnet mask only if you selected Manual as your LAN subnet mask selection method. Type the subnet mask into the Manual LAN subnet mask boxes.
- set the LAN DHCP server lease time. Click on the LAN DHCP server lease time text box and type the duration (in seconds) of DHCP leases on the LAN.
- set the LAN PC power down time. Click on the LAN PC power down time text box and type the duration (in seconds) of down time before ZIPB assumes that the LAN PC has been turned off and that the user no longer needs access to the Internet.

Note: For more information about these configuration options, click on the Help hyperlink at the bottom of the page.
Once you have configured ZIPB, click on the OK button. Note that the configuration changes will not take effect until ZIPB is set to enabled. Click on the Enable button at the top of the page.
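The four LAN IP address spoof methods and the two subnet mask selection methods listed above can be worked through in a short model. This is an added example, not code from the guide or from ISOS. It assumes that "Natural" means the classful mask of the assigned address, that "available" means a usable host address other than the one given to the LAN PC, and that a result outside the subnet is rejected; the function names and the sample addresses are constructed.

```python
import ipaddress


def natural_mask(assigned):
    """Classful mask for an IPv4 address (assumed meaning of "Natural")."""
    first_octet = int(ipaddress.IPv4Address(assigned)) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError(f"{assigned} has no natural (class A/B/C) mask")


def lan_interface_address(assigned, spoof_method, mask_method="natural",
                          manual_ip=None, manual_mask=None):
    """Return (LAN interface IP, subnet mask) for the chosen ZIPB options.

    assigned is the public address handed to the LAN PC. The model is an
    illustration of the options in the guide, not the ISOS implementation.
    """
    pc = ipaddress.IPv4Address(assigned)
    if mask_method == "natural":
        mask = natural_mask(assigned)
    elif mask_method == "manual" and manual_mask is not None:
        mask = manual_mask
    else:
        raise ValueError("mask_method is natural, or manual with manual_mask")

    # strict=False because the assigned address is a host inside the subnet.
    # A non-contiguous mask raises a ValueError subclass here.
    net = ipaddress.IPv4Network(f"{assigned}/{mask}", strict=False)
    if net.prefixlen > 30:
        raise ValueError(f"{net} has no room for a second host")
    first = net.network_address + 1      # lowest usable host
    last = net.broadcast_address - 1     # highest usable host

    if spoof_method == "top":
        candidate = last if last != pc else last - 1
    elif spoof_method == "bottom":
        candidate = first if first != pc else first + 1
    elif spoof_method == "increment":
        candidate = pc + 1
    elif spoof_method == "manual" and manual_ip is not None:
        candidate = ipaddress.IPv4Address(manual_ip)
    else:
        raise ValueError("spoof_method is top, bottom, increment or manual")

    # The interface address has to share the subnet with the LAN PC and
    # must not collide with it, the network address or the broadcast address.
    if candidate == pc or not first <= candidate <= last:
        raise ValueError(f"{candidate} is not a usable second address in {net}")
    return str(candidate), str(net.netmask)


if __name__ == "__main__":
    # Constructed sample: a LAN PC that was assigned 203.0.113.10.
    for method in ("top", "bottom", "increment"):
        print(method, lan_interface_address("203.0.113.10", method))
    print("manual /29", lan_interface_address(
        "203.0.113.10", "top", "manual", manual_mask="255.255.255.248"))
```

Increment fails when the LAN PC already holds the highest usable address, and a Manual address outside the subnet is rejected, which are the two cases worth checking before ZIPB is re-enabled.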
For more information on ZIPB, see the ISOS Zero Installation PPP Bridge (ZIPB) Functional Specification: DO-400808-PS.
9.8.7 DHCP Server
This option allows you to enable/disable the DHCP server and create, configure and delete DHCP server subnets and DHCP fixed IP/MAC mappings.
From the Configuration menu, click on DHCP server. The following page is displayed:
Figure 33
Click on the Enable/Disable button at the top of the page. The DHCP server is enabled by default. If you click on the Disable button, DHCP server is disabled and the button changes to Enable. This has the same effect as entering the following CLI command (with the correct values added):

    dhcpserver enable
    dhcpserver disable

Note: If DHCP relay is enabled, DHCP server will be disabled by default. You cannot enable DHCP server unless you disable DHCP relay. See DHCP Relay on page 176.
Click on the Create new Subnet link. The following page is displayed:
Set the value and netmask of the subnet (either manually or by selecting an IP interface whose value and mask is used instead), and set the maximum and default lease times. This has the same effect as entering the following CLI commands:

    dhcpserver add subnet
    dhcpserver set subnet defaultleasetime
    dhcpserver set subnet maxleasetime

Set the DHCP address range (or use a default range of 20 addresses). This has the same effect as entering the following CLI commands:

    dhcpserver add subnet

or

    dhcpserver subnet add iprange

This has the same effect as entering the following CLI command:

Set the Primary and Secondary DNS Server addresses or set your ISOS System to give out its own IP address as the DNS Server address. This has the same effect as entering the following CLI commands:

    dhcpserver subnet add option domain-name-server primary-dns, secondary-dns

or

    dhcpserver set subnet hostisdnsserver

Set your ISOS System to give out its own IP address as the default Gateway address. This has the same effect as entering the following CLI command:

    dhcpserver set subnet hostisdefaultgateway
Once you have entered new configuration details for your DHCP server, click on OK. The DHCP Server page is displayed, containing details of your new subnet.
Click on the Advanced Options link for a specific subnet. The Edit DHCP server subnet page is displayed. This allows you to edit all of the values that were set when the subnet was created. This page also allows you to add additional option information. At the bottom of the page, click on the Create new DHCP option link. The following page is displayed:
Figure 35
Click on the Option name drop-down list and select a name. Type a value that matches the selected option name in the Option value text box. Click on OK. This has the same effect as entering the following CLI command:

    dhcpserver subnet add option

The Edit DHCP server subnet page is displayed, and details of your new option are displayed under the sub-heading Additional option information. To delete an existing option, check the Delete? box for a specific option and click OK.
Click on the Create new Fixed Host link. The following page is displayed:
Type in the IP address that will be given to the host with the specified MAC address.
Type in the MAC address and the maximum lease time (default is 86400 seconds). This has the same effect as typing the following CLI command:

    dhcpserver add fixedhost

Click on OK. The DHCP Server page is displayed, and details of your new fixed host are displayed under the sub-heading Existing DHCP fixed IP/MAC mappings. To edit a fixed mapping, click on the IP address, MAC address or max lease time, type a new entry and click Apply. To delete a fixed mapping, check the Delete? box for a specific mapping and click Apply. This has the same effect as typing the following CLI commands:

    dhcpserver set fixedhost ipaddress
    dhcpserver set fixedhost macaddress
    dhcpserver set fixedhost maxleasetime
    dhcpserver delete fixedhost

9.8.8 DHCP Relay
This option allows you to:
- enable/disable DHCP relay.
- add DHCP servers to the DHCP relay list.
- configure/delete server entries on the DHCP relay list.
From the Configuration menu, click on DHCP relay. The following page is displayed:
Figure 37
Click on the Enable/Disable button at the top of the page. If you click on the Disable button, DHCP server is disabled and the button changes to Enable. This has the same effect as entering the following CLI command:

    dhcprelay enable
    dhcprelay disable

Note: If DHCP server is enabled, DHCP relay will be disabled by default. You cannot enable DHCP relay unless you disable DHCP server. See DHCP Server on page 171.
In the Add new DHCP server section, type an address in the New DHCP server IP address text box. Click on Apply. The address is displayed in the Edit DHCP server list section.
To edit an entry, click on an IP address and type a new entry, then click on Apply. To delete an entry, check the Delete? box for a specific IP address, then click on Apply. These actions have the same effect as entering the following CLI commands (with the correct values added):

    dhcprelay add server
    dhcprelay update
    dhcprelay list servers
    dhcprelay delete server

9.8.9 DNS Client
This option allows you to:
- create a list of server addresses. This enables you to retrieve a domain name for a given IP address.
- create a domain search list. DNS client uses this list when a user asks for the IP address list for an incomplete domain name.
From the Configuration menu, click on DNS client. The following page is displayed:
Type the IP address of the unknown domain name in the DNS servers: text box. Click Add. The IP address appears in the DNS servers table. You can add a maximum of three server IP addresses. Each IP address entry has a Delete button associated with it. Click on Delete to remove an IP address from this list. Adding/deleting IP addresses has the same effect as entering the following CLI commands:

    dnsclient add server
    dnsclient list server
    dnsclient delete server

Type a search string in the Domain search order: text box. Click Add. The search string is displayed in the Domain search order table. You can add a maximum of six search strings. Each search string entry has a Delete button associated with it. Click on Delete to remove a string from this list. Adding/deleting domain search strings has the same effect as entering the following CLI commands:

    dnsclient add searchdomain
    dnsclient list searchdomain
    dnsclient delete searchdomain
9.8.10 DNS Relay
This option allows you to create, configure and delete DNS relay's primary and secondary DNS servers. DNS relay can forward DNS queries to the DNS servers on this list. From the Configuration menu, click on DNS Relay. The following page is displayed:
Figure 39
In the Add new DNS server section, type an address in the New DNS server IP address text box.
Click on Apply. The address is displayed in the Edit DHCP server list section. To edit an entry, click on an IP address and type a new entry, then click on Apply. To delete an entry, check the Delete? box for an IP address, then click on Apply. These actions have the same effect as entering the following CLI commands (with the correct values added):

    dnsrelay add server
    dnsrelay update
    dnsrelay list servers
    dnsrelay delete server
9.8.11 Security
This option allows you to configure Security, NAT and Firewall:
- Security - EmWeb allows you to:
  - enable Security; see Enabling Security on page 181.
  - configure Security interfaces; see Configuring security interfaces on page 182.
  - configure triggers; see Configuring triggers on page 194.
- NAT - EmWeb allows you to:
  - enable NAT between interfaces; see Configuring NAT on page 183.
  - configure global addresses; see Configuring NAT global addresses on page 185.
  - configure reserved mapping; see Configuring NAT reserved mapping on page 187.
- Firewall - EmWeb allows you to:
  - enable Firewall and Firewall Intrusion Detection settings; see Enabling Firewall and/or Intrusion Detection on page 181.
  - set the Firewall security level; see Setting a default security level on page 182.
  - configure Firewall policies, portfilters and validators; see Configuring Firewall policies on page 188, Configuring portfilters on page 190 and Configuring validators on page 192.
  - configure Intrusion Detection settings; see Configuring Intrusion Detection Settings on page 196.
From the Configuration menu, click on Security. The following page is displayed:
Figure 40 EmWeb Security page
This page contains the default Security settings.

Enabling Security
You must enable Security before you can enable Firewall and/or Intrusion Detection. In the Security State section:
1. Click on the Security Enabled radio button.
2. Click on Change State to update the Security State section.
This has the same effect as typing the following CLI commands:

    security enable
    security status
Enabling Firewall and/or Intrusion Detection
You must create a security interface before you can enable Firewall and/or Intrusion Detection. See Configuring security interfaces on page 182.
Click on the Firewall Enabled and/or Intrusion Detection Enabled radio buttons. Click on Change State to update the Security State section. This has the same effect as typing the following CLI commands (depending on which state you want to enable):

    firewall enable
    firewall enable IDS
    security status
Setting a default security level
You must have Security and Firewall enabled in order to set a default Security level. See Enabling Security on page 181 and Enabling Firewall and/or Intrusion Detection on page 181.
1. From the Security Level section, click on the Security Level drop-down list.
2. Click on the level that you want to set; none, high, medium or low.
3. Click on the Change Level button.
This has the same effect as typing the following CLI command:

    firewall set securitylevel
For more information on the configuration of each type of security level, see the Firewall CLI chapter of the ISOS 8.2 CLI Reference Manual: DO-009430-PS and the ISOS Security (NAT and Firewall) Functional Specification: DO-008557-PS.

Configuring security interfaces
Security interfaces are based on existing LAN services. You must create a LAN service for every security interface that you want to configure. For details of how to create LAN services, see LAN connections on page 162.
From the Security Interfaces section, click on Add Interface. The Firewall: Add Interface page is displayed:
Click on the Name drop-down list and select the LAN service that you want to base your security interface on.
Click on the Interface Type drop-down list and specify what kind of interface it is depending on how it connects to the network; external, internal or DMZ.
Click on Apply. The Security page is displayed. The Security Interfaces section contains a table that displays information about each security interface that you have created:
- Name - name of LAN service that the security interface is based on
- Type of network connection specified
- NAT setting. It contains hyperlinks that allow you to configure NAT. See Configuring NAT on page 183.
- Delete Interface... hyperlink. Click on this to display the Security: Delete Interface page. Check the interface details, then click on the Delete button.
These actions have the same effect as entering the following CLI commands:

    security add interface
    security list interfaces
    security delete interface
Create at least two different security interface types based on existing LAN services; see Configuring security interfaces on page 182. Once you have created more than one security interface, the NAT column in the Security Interfaces table tells you that you can enable NAT between the existing security interface and a network interface type. For example, if you create an external interface and an internal interface, your table will look like this:
Figure 42 EmWeb Security Interfaces table
The NAT column for the external interface tells you that you can enable NAT to internal interfaces. If you also had a DMZ interface configured, this column would also include an Enable NAT to DMZ interfaces button. For more details of NAT configurations, see Configuring security on the ISOS System on page 331.
To enable NAT between the external interface and the internal interface type, click on Enable NAT to internal interfaces. The Security page is refreshed and NAT is enabled. To disable NAT between these interfaces, click on Disable NAT to internal interfaces. These actions have the same effect as entering the following CLI commands:

    nat enable
    nat disable
Once you have enabled NAT between interfaces, you can:
- configure global addresses; see Configuring NAT global addresses on page 185.
- configure reserved mapping; see Configuring NAT reserved mapping on page 187.
Configuring NAT global addresses
Global address pools allow you to create a pool of outside network addresses that is visible outside your network. Before you can configure global addresses, you need to configure NAT. See Configuring NAT on page 183. If you want to set up a global address pool on your existing NAT enabled interfaces:
From the NAT Security Interfaces table, click on the Advanced NAT Configuration hyperlink for the interface that you want to add a global pool to. The following page is displayed:
This page allows you to create a pool of network IP addresses that are visible outside your network. Add values for the following table entries:
- Interface type; the internal address type that you want to map your external global IP addresses to. Click on the drop-down list and select an interface type.
- Use Subnet Configuration; there are two ways to specify a range of IP addresses. You can either Use Subnet Mask (specify the subnet mask address of the IP address) or Use IP Address Range (specify the first and last IP address in the range). Click on the drop-down list and select a method.
- type in the IP Address that is visible outside the network
- Subnet Mask/IP Address 2; the value you specify here depends on the subnet configuration that you are using. If you chose Use Subnet Mask, type in the subnet mask of the IP address. If you chose Use IP Address Range, type in the last IP address in the range of addresses that make up the global address pool.
Once you have configured the table, click on Add global address pool. The table is refreshed and the global address pool is added to your NAT configuration.
To delete a global address pool, click on the Delete hyperlink, then click on the Delete Global Address Pool button. These actions have the same effect as typing the following CLI commands:

    nat add globalpool
    nat list globalpools
    nat delete globalpool

Click on Return to Interface List to display the Security Interface Configuration page. To create a reserved mapping, click on the Add Reserved Mapping hyperlink. See Configuring NAT reserved mapping on page 187.
Configuring NAT reserved mapping
Reserved mapping allows you to map an outside security interface or an IP address from a global pool to an individual IP address inside the network. Mapping is based on transport type and port number. Before you can configure reserved mapping, you need to configure NAT. See Configuring NAT on page 183. If you want to set up a reserved mapping on your existing NAT enabled interfaces:
From the NAT Security Interfaces table, click on the Advanced NAT Configuration hyperlink for the interface that you want to add reserved mapping to. The Advanced NAT Configuration page is displayed (see EmWeb Advanced NAT configuration page on page 185).
Click on the Add Reserved Mapping hyperlink. The following page is displayed:
Figure 45
This page allows you to configure your reserved mapping. Add specific values for the following table entries:
- Global IP Address; if you are mapping from a global IP address, type the address here. If you are mapping from a security interface, type 0.0.0.0.
- Internal IP Address; the IP address of an individual host inside your network.
- Transport Type; specify the transport type that you want to map from the outside interface to the inside.
- Port Number; the port number that your transport uses.
Once you have configured the table, click on Add reserved mapping. The table is refreshed and the reserved mapping is added to your NAT configuration.
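A planned set of global address pools and reserved mappings can be checked for consistency before it is typed into EmWeb. The sketch below is an added example, not part of the guide or of ISOS: it expands a pool given either way (subnet mask or first/last address) and flags reserved mappings whose Global IP Address is neither 0.0.0.0 nor inside a pool, or that reuse the same global address, transport type and port for a different internal host. It assumes that a pool given by subnet mask covers the whole subnet containing the address; the field names, finding codes and sample values are constructed.

```python
import ipaddress

# 0.0.0.0 in the Global IP Address field means "map from the security interface".
FROM_INTERFACE = ipaddress.IPv4Address("0.0.0.0")


def pool_range(ip_address, second_value, use_subnet_mask):
    """Return (first, last) address of a global pool.

    second_value is the "Subnet Mask/IP Address 2" field: a mask when
    use_subnet_mask is True, otherwise the last address of the range.
    """
    first = ipaddress.IPv4Address(ip_address)
    if use_subnet_mask:
        net = ipaddress.IPv4Network(f"{ip_address}/{second_value}", strict=False)
        return net.network_address, net.broadcast_address
    last = ipaddress.IPv4Address(second_value)
    if last < first:
        raise ValueError(f"range end {last} is below range start {first}")
    return first, last


def check_reserved_mappings(pools, mappings):
    """Return a list of (mapping index, finding) for inconsistent mappings."""
    ranges = [pool_range(*pool) for pool in pools]
    findings = []
    seen = {}  # (global ip, transport, port) -> internal host first seen
    for index, mapping in enumerate(mappings):
        global_ip = ipaddress.IPv4Address(mapping["global_ip"])
        internal = ipaddress.IPv4Address(mapping["internal_ip"])

        in_pool = any(low <= global_ip <= high for low, high in ranges)
        if global_ip != FROM_INTERFACE and not in_pool:
            findings.append((index, "not-in-pool"))

        # Mapping is based on transport type and port number, so one
        # (address, transport, port) triple can only point at one host.
        key = (global_ip, mapping["transport"], mapping["port"])
        if key in seen and seen[key] != internal:
            findings.append((index, "conflict"))
        seen.setdefault(key, internal)
    return findings


# Constructed sample configuration (documentation address ranges).
SAMPLE_POOLS = [
    ("198.51.100.16", "255.255.255.240", True),   # Use Subnet Mask
    ("203.0.113.5", "203.0.113.9", False),        # Use IP Address Range
]
SAMPLE_MAPPINGS = [
    {"global_ip": "0.0.0.0", "internal_ip": "192.168.1.10",
     "transport": "tcp", "port": 80},
    {"global_ip": "198.51.100.20", "internal_ip": "192.168.1.11",
     "transport": "tcp", "port": 25},
    {"global_ip": "203.0.113.10", "internal_ip": "192.168.1.12",
     "transport": "udp", "port": 53},             # one past the range end
    {"global_ip": "198.51.100.20", "internal_ip": "192.168.1.13",
     "transport": "tcp", "port": 25},             # same triple, other host
]

if __name__ == "__main__":
    for index, finding in check_reserved_mappings(SAMPLE_POOLS, SAMPLE_MAPPINGS):
        print(f"mapping {index}: {finding}")
```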
To delete a reserved mapping setup, click on the Delete hyperlink, then click on the Delete Reserved Mapping button. These actions have the same effect as typing the following CLI commands:

    nat add resvmap globalip
    nat add resvmap interfacename
    nat list resvmaps
    nat delete resvmap

Click on Return to Interface List to display the Security Interface Configuration page.

Configuring Firewall policies
A policy is the collective term for the rules that apply to incoming and outgoing traffic between two interface types. Before you can create a Firewall policy, you need to enable Firewall. See Enabling Firewall and/or Intrusion Detection on page 181. To create and configure a Firewall policy:
Go to the Policies, Triggers and Intrusion Detection section of the Security Interface Configuration page. Click on Firewall Policy Configuration. The Firewall Policy Configuration page is displayed.
Click on New Policy. The Firewall Add Policy page is displayed:
Figure 46
This page allows you to configure your Firewall policy. Add specific values for the following entries:
- Set the interface types that you want to create a policy between by selecting a type from each of the Between interfaces of types drop down lists.
- Set the policy to either block only traffic specified in validators, or allow only traffic specified in validators. For more information on validators, see Configuring validators on page 192.
Click on Apply. After a short time, the policy is added to the Firewall configuration.
To display policy details, click on Return to Policy List. The page is refreshed and contains a Current Firewall Policies table:
Figure 47 EmWeb Current Firewall Policies table
The table contains details of each Firewall policy. You can now configure the policies to include portfilters and validators. See Configuring portfilters on page 190 and Configuring validators on page 192. These actions have the same effect as entering the following CLI commands:

    firewall add policy
    firewall list policies

Configuring portfilters
A portfilter is an individual rule that determines what kind of traffic can pass between two interfaces specified in an existing policy. This section assumes that you have followed the instructions in Configuring Firewall policies on page 188. To configure a portfilter:
From the Current Firewall Policies table, click on the Port Filters link for the policy that you want to configure. The page displayed contains three Add Filter hyperlinks that allow you to create three different kinds of portfilter:
For a TCP portfilter click on Add TCP Filter. The following page is displayed:
Figure 48 EmWeb Firewall Add TCP Port Filter page Specify the start and end of the port range for the TCP protocol that you want to filter. For information on application port numbers, see http://www.ietf.org/rfc/rfc1700.txt. Then use the Direction drop-down lists to specify whether you want to allow/block inbound traffic, and allow/block outbound traffic. Click on Apply. The Firewall Port Filters page is displayed, containing details of the TCP portfilter that you have just added. For a UDP portfilter click on Add UDP Filter. The Firewall Add UDP Port Filter page is displayed. For details on how to complete the table, follow the above instructions for adding a TCP portfilter. For a non-TCP/UDP portfilter click on Add Raw IP Filter. The following page is displayed:
Figure 49 EmWeb Firewall Add Raw IP Filter page
Specify the protocol number in the Transport Type text box, for example, for IGMP, enter protocol number 2. For more information on protocol numbers, see http://www.ietf.org/rfc/rfc1700.txt. Then use the Direction drop-down lists to specify whether you want to allow/block inbound traffic, and allow/block outbound traffic. Click on Apply. The Firewall Port Filters page is displayed, containing details of the IP portfilter that you have just added.
2. Each portfilter displayed in the Firewall Port Filters page has a Delete hyperlink assigned to it. To delete a portfilter, click on this link, then at the confirmation page, click on the Delete button. The portfilter is removed from the Firewall configuration.
These actions have the same effect as typing the following CLI commands:
firewall add portfilter
firewall list portfilters
firewall delete portfilter
Configuring validators
A validator allows/blocks traffic based on the source/destination IP address and netmask. Traffic will be allowed or blocked depending on the validator configuration specified when the policy was created. See Configuring Firewall policies on page 188. This section assumes that you have previously followed the instructions in Configuring Firewall policies on page 188. To configure a validator:
1. From the Current Firewall Policies table, click on the Host Validators link for the policy that you want to configure. The Configure Validators page is displayed. Click on the Add Host Validator link. The following page is displayed:
In the Host IP Address text box, type the IP address that you want to allow/block. In the Host Subnet Mask text box, type the IP mask address. If you want to filter a range of addresses, you can specify the mask, for example, 255.255.255.0. If you want to filter a single IP address, use the specific IP mask address, for example, 255.255.255.255.
Click on the Direction drop-down list and select the direction of traffic that you want the validator to filter.
Click on Apply. The Configure Validators page is displayed, containing details of the host validator that you have just added.
Each validator displayed in the Configure Validators page has a Delete Host Validator hyperlink assigned to it. To delete a validator, click on this link, then at the confirmation page, click on the Delete Host Validator button. The validator is removed from the Firewall configuration.
These actions have the same effect as typing the following CLI commands:
firewall add validator
firewall list validators
firewall delete validator
Configuring triggers
A trigger allows an application to open a secondary port in order to transport packets. The most common applications that require secondary ports are FTP and NetMeeting. This section assumes that you have followed the instructions in Enabling Security on page 181. To configure a trigger:
1. Go to the Policies, Triggers and Intrusion Detection section of the Security Interface Configuration. Click on Firewall Trigger Configuration. The Firewall Trigger Configuration page is displayed. There are no triggers defined at this time. Click on the New Trigger link. The following page is displayed:
Transport Type; select a transport type from the drop-down list, depending on whether you are adding a trigger for a TCP or a UDP application.
Port Number Start; type the start of the trigger port range that the primary session uses.
Port Number End; type the end of the trigger port range that the primary session uses.
Allow Multiple Hosts; select allow if you want a secondary session to be initiated to/from different remote hosts. Select block if you want a secondary session to be initiated only to/from the same remote host.
Max Activity Interval; type the maximum interval time (in milliseconds) between the use of secondary port sessions.
Enable Session Chaining; select Allow or Block depending on whether you want to allow multi-level TCP session chaining.
Enable UDP Session Chaining; select Allow or Block depending on whether you want to allow multi-level UDP and TCP session chaining. You must set Enable Session Chaining to Allow if you want this to work.
Binary Address Replacement; select Allow or Block depending on whether you want to use binary address replacement on an existing trigger.
Address Translation Type; specify what type of address replacement is set on a trigger. You must set Binary Address Replacement to Allow if you want this to work.
Once you have configured the trigger, click on Apply. The Firewall Trigger Configuration page is displayed, containing details of the trigger that you have just configured.
Each trigger displayed in the Firewall Trigger Configuration page has a Delete hyperlink assigned to it. To delete a trigger, click on this link, then at the confirmation page, click on the Delete button. The Firewall Trigger Configuration page is displayed and details of the deleted trigger have been removed.
There are two hyperlinks on the page:
a. To add a new trigger, click on New Trigger.
b. To display the Security Interface Configuration page, click on Return to Interface List.
These actions have the same effect as typing the following CLI commands:
security add trigger
security list triggers
security set trigger endport
security set trigger startport
security set trigger multihost
security set trigger maxactinterval
security set trigger sessionchaining
security set trigger
security set trigger UDPsessionchaining
security set trigger binaryaddressreplacement
security set trigger addressreplacement
Configuring Intrusion Detection Settings
Intrusion Detection settings allow you to protect your network from intrusions such as denial of service (DOS) attacks, port scanning and web spoofing. This section assumes that you have followed the instructions in Enabling Security on page 181 and Enabling Firewall and/or Intrusion Detection on page 181. To configure Intrusion Detection settings:
1. Go to the Policies, Triggers and Intrusion Detection section of the Security Interface Configuration page. Click on Configure Intrusion Detection. The Firewall Configure Intrusion Detection page is displayed:
Figure 52 EmWeb Firewall Configure Intrusion Detection page
The values displayed in EmWeb Firewall Configure Intrusion Detection page on page 197 are the default values.
Use Blacklist; select true or false depending on whether you want external hosts to be blacklisted if the Firewall detects an intrusion from that host. Click on the Clear Blacklist button at the bottom of the page to clear blacklisting of an external host. The Security Interface Configuration page is displayed.
Use Victim Protection; select true or false depending on whether you want to protect a victim from an attempted web spoofing attack.
DOS Attack Block Duration; type the length of time (in seconds) that the Firewall blocks suspicious hosts for once a DOS attack attempt has been detected.
Scan Attack Block Duration; type the length of time (in seconds) that the Firewall blocks suspicious hosts for after it has detected scan activity.
Victim Protection Block Duration; type the length of time (in seconds) that the Firewall blocks packets destined for the victim of a spoofing style attack.
Maximum TCP Open Handshaking Count; type in the maximum number of unfinished TCP handshaking sessions (per second) that are allowed by Firewall before a SYN Flood is detected.
Maximum Ping Count; type in the maximum number of pings (per second) that are allowed before the Firewall detects an Echo Storm DOS attack.
Maximum ICMP Count; type in the maximum number of ICMP packets (per second) that are allowed by the Firewall before an ICMP Flood DOS is detected.
Once you have configured Intrusion Detection, click on Apply. The Intrusion Detection settings are applied to the Firewall, and the Security Interface Configuration page is displayed.
These actions have the same effect as typing the following CLI commands:
security enable
firewall enable IDS
firewall set IDS blacklist
firewall set IDS victimprotection
firewall set IDS DOSattackblock
firewall set IDS SCANattackblock
firewall set IDS MaxTCPopenhandshake
firewall set IDS MaxPING
firewall set IDS MaxICMP
firewall set IDS blacklist clear
9.9 Ports
This option allows you to configure the ports available on your ISOS System, depending on the type of image that you are booting. For details of how port configuration is integrated into the VMI, see VMI Architecture: DO-008266-TC.
Configuring ports
1. From the left-hand menu, click on Configuration. From the Configuration menu, click on Ports. A sub-list of ports available on your ISOS System is displayed. The following ports are available for the usb-gateway image:
A1
A2
Ethernet
Hdlc
These ports are defined in the hardware BUN configuration file atmos/source/hardware/initbun/bd6000. From the Ports menu, click on Ethernet. The Ethernet Port Configuration page is displayed:
Figure 53 EmWeb Ethernet Port Configuration page
The page displays basic port attributes for the Ethernet port on your ISOS System. Click on one of the attribute names to display help information about each entry.
You can carry out advanced configuration of your Ethernet port attributes. From the Ethernet Port Configuration page, click on View advanced attributes. The Advanced Ethernet Port Configuration page is displayed. Click on one of the advanced attribute names to display help information about each entry. Update the port attributes that are available for editing, then click on Apply to update the advanced configuration, or Reset to revert back to the default advanced configuration settings. Click on the Return to basic attribute list to return to the Ethernet Port Configuration page.
These actions have the same effect as typing the following CLI commands:
port ? lists the ports available on your ISOS System.
port show displays basic and advanced port configuration.
port set allows you to update your basic and advanced port configuration.
This chapter provides information about how to use the ISOS File Manager to manage ISOS image files and image configuration files stored in ISFS and FlashFS.
10.1 Introduction
This chapter describes how to use the ISOS File Manager to manage the filing systems present in ISOS. Filing systems are used for storing ISOS images and ISOS configuration files.
Note The tasks described in this chapter use the ISOS console. It is assumed that you can access the ISOS console from the CLI. For more information, see Entering console commands from the CLI on page 137.
10.2
Note The File Manager console commands allow the manipulation of critical file systems. You should think carefully about whether you want to make some of the commands available in a released image.
This chapter describes some of the more useful fm commands. For more information on the File Manager process and all the fm console commands, see the File Manager Process Functional Specification: DO-008609-PS.
10.3
For example, setting the IP address of the ISOS System and the ARP server it uses is the type of information that would be configured during a session and then saved for future use as configuration data in FlashFS. The File Manager (fm) process console commands are used to manipulate some aspects of FlashFS and ISFS. For commands specific to either the ISFS or the FlashFS filing system, you will need to use the isfs and flashfs console commands. For more information about all aspects of ISFS and FlashFS, refer to DO-007101-PS, ATMOS ISFS & FLASHFS Functional Specification.
10.4
The FlashFS filing system is corrupt while the file is open. This stops the system from trying to boot from a partially-written file. If you have a FlashFS partition file open, you cannot use the following console commands:
config save
flashfs update
If you try to use either of these commands an error message will appear.
10.4.2 FlashFS boot process
When the boot program looks for a bootable partition in FlashFS (partition one by default), it examines the identification block for each image that it requires. It checks and cross checks the information in the identification block. If errors are discovered, the partition is not used and the boot program looks for another bootable partition (partition two by default).
10.5
10.5.2 Checking the default filesystem
To check which is the default filesystem, enter:
fm default
Current filing system: 'flashfs'
10.5.3 Changing the default partition
To change the default partition, use the default partition console command:
flashfs default 2
After issuing this command, all commands that are issued without referring to a partition number will act on partition 2. For example:
flashfs wipe
will wipe the contents of partition 2, the default partition. The command:
flashfs wipe 1
will wipe the contents of partition 1.
10.5.4 Checking the default partition
To check which partition is your default partition, use the following console command:
flashfs default
default is 1
10.5.5 Specifying a filesystem/partition
You can also refer to a specific filesystem or partition from fm. For example:
fm cat im.conf
fm cat //isfs/im.conf
fm cat //flashfs/im.conf/PARTITION=1
The first command displays the im.conf file in the current default filesystem. The second command displays the im.conf file currently stored in ISFS (which may be the default filesystem) and the third command displays the im.conf file stored in FlashFS partition 1.
10.6
The above commands give progressively more detailed information about the files contained in ISFS. For example, the output for a typical build such as usb-gateway is shown below:
192.168.1.1> fm ls isfs
File system: isfs
snmpd.cnf~
dhcpd.leases
dhclient.leases
dhcrelay.conf
dhcpd.conf
dhclient.conf
NPimage
image
banner.txt
cliconsole
im.conf.factory
im.descriptions
translate.tab
derived_data.dat
im.system
initbun
initvpn
services
snmpd.cnf
snmpinit
translate.tab.sw
fluorine.translations
idt7710x.translations
utopia.translations
This command shows the files which are currently contained in ISFS.
192.168.1.1> fm ls -l isfs
File system: isfs
215 snmpd.cnf~
0 dhcpd.leases
0 dhclient.leases
0 dhcrelay.conf
275 dhcpd.conf
124 dhclient.conf
9832 NPimage *
1112406 image *
303 banner.txt * (compressed)
468 cliconsole * (compressed)
698 im.conf.factory * (compressed)
312 im.descriptions * (compressed)
587 translate.tab * (compressed)
52130 derived_data.dat * (compressed)
2080 im.system *
2497 initbun *
832 initvpn *
99 services *
241 snmpd.cnf
41 snmpinit *
1784 translate.tab.sw *
1055 fluorine.translations *
448 idt7710x.translations *
719 utopia.translations *
This command shows the same list of files as shown by the fm ls isfs command, but also shows:
Size (in bytes) for each file in the column to the left of the file name.
The asterisk alongside the filename indicates that the file was included in the flash.bin image that was downloaded. Some files are already created as part of the initialisation process by certain ISOS modules. For example, DHCP has created many files. These are not marked with an asterisk.
If the file is compressed this will also be shown in brackets alongside the file.
192.168.1.1> fm ls -L isfs
File system: isfs
215 (0x00c76350) snmpd.cnf~
0 (0x00e23b80) dhcpd.leases
0 (0x00e23bc0) dhclient.leases
0 (0x00e23e10) dhcrelay.conf
275 (0x00cdc310) dhcpd.conf
124 (0x00cdbda0) dhclient.conf
9832 (0x00303e00) NPimage *
1112406 (0x00306500) image *
303 (0x00415f00) banner.txt *
468 (0x00416100) cliconsole *
698 (0x00416300) im.conf.factory *
312 (0x00416600) im.descriptions *
587 (0x00416800) translate.tab *
52130 (0x00416b00) derived_data.dat *
2080 (0x00423700) im.system *
2497 (0x00424000) initbun *
832 (0x00424a00) initvpn *
99 (0x00424e00) services *
241 (0x00c757c0) snmpd.cnf
41 (0x00425000) snmpinit *
1784 (0x00425100) translate.tab.sw *
1055 (0x00425900) fluorine.translations *
448 (0x00425e00) idt7710x.translations *
719 (0x00426900) utopia.translations *
This command provides similar information to that shown by the fm ls isfs command, but also shows the location in memory for each file (logical address in brackets alongside the filename). If you then save the configuration, using the config save command, and list the contents again you will notice that more configuration files have been created in ISFS. For example:
10.0.0.1> config save
Saving configuration...
Configuration saved.
ISOS processes will write out their configuration settings to their associated configuration files. So, if you now view the contents of ISFS again you will see that new files have been added:
192.168.1.1> fm ls -l isfs
File system: isfs
0 initconfig
8 initdnsclient
0 resolve
300 initppp
98 initwebserver
0 initportcli
8 initdnsrelay
17 initbridge
1 initreflect
215 snmpd.cnf~
0 dhcpd.leases
0 dhclient.leases
0 dhcrelay.conf
275 dhcpd.conf
124 dhclient.conf
9832 NPimage *
1112406 image *
303 banner.txt * (compressed)
468 cliconsole * (compressed)
698 im.conf.factory * (compressed)
312 im.descriptions * (compressed)
587 translate.tab * (compressed)
52130 derived_data.dat * (compressed)
2080 im.system *
2497 initbun *
832 initvpn *
94 services
241 snmpd.cnf
41 snmpinit
1784 translate.tab.sw *
1055 fluorine.translations *
448 idt7710x.translations *
719 utopia.translations *
There are now new files which have been created by ISOS processes.
Note Some of the config files that were originally marked with an asterisk as downloaded files are no longer marked with an asterisk. Their associated process has written them to FlashFS and so to ISFS they appear to have been added. For example, snmpinit. The files which still contain an asterisk have not been written. For example, the NP image file, npimage. The file snmpinit is an example of a dynamic file and NPimage is an example of a fixed file. It is dynamic files such as configuration ASCII-based files which can be written to FlashFS. Fixed files, such as the NP image file, are not written to FlashFS.
If you save the system configuration from the CLI rather than the console, the file im.conf is also created which is the configuration file used by the VMI. For example:
--> system config save
Wait for 'configuration saved' message...
--> Saving configuration...
Configuration saved.
--> console enable
Switching from CLI to console mode - type 'exit' to return
192.168.1.1> fm ls -L isfs
File system: isfs
7430 (0x00b78700) im.conf
0 (0x00c73cc0) initconfig
8 (0x00c73d60) initdnsclient
0 (0x00c74230) resolve
300 (0x00b777a0) initppp
98 (0x00b78480) initwebserver
0 (0x00c75270) initportcli
8 (0x00c75310) initdnsrelay
17 (0x00c753b0) initbridge
1 (0x00c754a0) initreflect
215 (0x00c76350) snmpd.cnf~
0 (0x00e23b80) dhcpd.leases
0 (0x00e23bc0) dhclient.leases
0 (0x00e23e10) dhcrelay.conf
275 (0x00cdc310) dhcpd.conf
124 (0x00cdbda0) dhclient.conf
9832 (0x00303e00) NPimage *
1112406 (0x00306500) image *
303 (0x00415f00) banner.txt *
468 (0x00416100) cliconsole *
698 (0x00416300) im.conf.factory *
312 (0x00416600) im.descriptions *
587 (0x00416800) translate.tab *
52130 (0x00416b00) derived_data.dat *
2080 (0x00423700) im.system *
2497 (0x00424000) initbun *
832 (0x00424a00) initvpn *
94 (0x00b77500) services
241 (0x00c757c0) snmpd.cnf
41 (0x00c73e00) snmpinit
1784 (0x00425100) translate.tab.sw *
1055 (0x00425900) fluorine.translations *
448 (0x00425e00) idt7710x.translations *
719 (0x00426900) utopia.translations *
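The before/after comparison of fm ls -l isfs listings described in this section can be automated when auditing a device against its downloaded image. The following Python code is an added example, not part of ISOS or its tooling; it assumes the console prints one file per line in the fm ls -l format, and the function names and the abridged sample listings are introduced here for illustration.

```python
import re

# One entry per line as printed by "fm ls -l": size, name, an optional "*"
# (file came from the downloaded flash.bin image) and optional "(compressed)".
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+(\*))?(?:\s+(\(compressed\)))?\s*$")

# Abridged from the two "fm ls -l isfs" listings in this section
# (before and after "config save").
BEFORE = """\
192.168.1.1> fm ls -l isfs
File system: isfs
241 snmpd.cnf
9832 NPimage *
303 banner.txt * (compressed)
99 services *
41 snmpinit *
"""

AFTER = """\
192.168.1.1> fm ls -l isfs
File system: isfs
0 initconfig
300 initppp
241 snmpd.cnf
9832 NPimage *
303 banner.txt * (compressed)
94 services
41 snmpinit
"""


def parse_listing(text):
    """Map file name -> size, image flag and compression flag."""
    files = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match is None:
            continue  # prompt, "File system:" header or blank line
        size, name, star, compressed = match.groups()
        files[name] = {
            "size": int(size),
            "from_image": star is not None,
            "compressed": compressed is not None,
        }
    return files


def diff_listings(before, after):
    """Compare two parsed listings taken at different times."""
    common = sorted(set(before) & set(after))
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        # Lost the asterisk: rewritten on the device since the image was loaded.
        "rewritten": [n for n in common
                      if before[n]["from_image"] and not after[n]["from_image"]],
        "resized": [(n, before[n]["size"], after[n]["size"]) for n in common
                    if before[n]["size"] != after[n]["size"]],
    }


def fixed_file_alerts(diff, fixed_files):
    """Names of fixed files (not expected to change) that did change."""
    changed = set(diff["removed"]) | set(diff["rewritten"])
    changed |= {name for name, _, _ in diff["resized"]}
    return sorted(changed & set(fixed_files))


if __name__ == "__main__":
    result = diff_listings(parse_listing(BEFORE), parse_listing(AFTER))
    for key, value in result.items():
        print(key, value)
    print("alerts", fixed_file_alerts(result, {"NPimage", "image"}))
```

Dynamic files such as services and snmpinit are reported as rewritten, which is the expected result of a config save; a fixed file such as NPimage appearing in the alerts is what deserves investigation.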
For more information about the im.conf file, refer to Module configuration files on page 219.
10.6.2 Listing the contents of FlashFS
You can issue similar commands to view the contents of FlashFS:
fm ls flashfs
fm ls -l flashfs
fm ls -L flashfs
For example:
192.168.1.1> fm ls -L flashfs
File system: flashfs
0 (0x0037fe00) initconfig *
8 (0x0037fd00) initdnsclient *
0 (0x0037fc00) resolve *
300 (0x0037fa00) initppp *
98 (0x0037f900) initwebserver *
0 (0x0037f800) initportcli *
8 (0x0037f700) initdnsrelay *
17 (0x0037f600) initbridge *
1 (0x0037f500) initreflect *
215 (0x0037f400) snmpd.cnf~ *
0 (0x0037f300) dhcpd.leases *
0 (0x0037f200) dhclient.leases *
0 (0x0037f100) dhcrelay.conf *
275 (0x0037ef00) dhcpd.conf *
124 (0x0037ee00) dhclient.conf *
2080 (0x0037e500) im.system *
2497 (0x0037db00) initbun *
832 (0x0037d700) initvpn *
94 (0x0037d600) services *
241 (0x0037d400) snmpd.cnf *
41 (0x0037d300) snmpinit *
1784 (0x0037cb00) translate.tab.sw *
1055 (0x0037c600) fluorine.translations *
448 (0x0037c400) idt7710x.translations *
719 (0x0037b800) utopia.translations *
9832 (0x00000100) NPimage
1112406 (0x00002800) image
303 (0x00112200) banner.txt
468 (0x00112400) cliconsole
698 (0x00112600) im.conf.factory
312 (0x00112900) im.descriptions
587 (0x00112b00) translate.tab
52130 (0x00112e00) derived_data.dat
As with ISFS, following a system config save command from the CLI, the im.conf file is also added:
192.168.1.1> fm ls -L flashfs
File system: flashfs
7430 (0x0037e100) im.conf *
0 (0x0037e000) initconfig *
8 (0x0037df00) initdnsclient *
0 (0x0037de00) resolve *
300 (0x0037dc00) initppp *
98 (0x0037db00) initwebserver *
0 (0x0037da00) initportcli *
8 (0x0037d900) initdnsrelay *
17 (0x0037d800) initbridge *
1 (0x0037d700) initreflect *
215 (0x0037d600) snmpd.cnf~ *
0 (0x0037d500) dhcpd.leases *
0 (0x0037d400) dhclient.leases *
0 (0x0037d300) dhcrelay.conf *
275 (0x0037d100) dhcpd.conf *
124 (0x0037d000) dhclient.conf *
2080 (0x0037c700) im.system *
2497 (0x0037bd00) initbun *
832 (0x0037b900) initvpn *
94 (0x0037b800) services *
241 (0x0037b600) snmpd.cnf *
41 (0x0037b500) snmpinit *
1784 (0x0037ad00) translate.tab.sw *
1055 (0x0037a800) fluorine.translations *
448 (0x0037a600) idt7710x.translations *
719 (0x00379a00) utopia.translations *
9832 (0x00000100) NPimage
1112406 (0x00002800) image
303 (0x00112200) banner.txt
468 (0x00112400) cliconsole
698 (0x00112600) im.conf.factory
312 (0x00112900) im.descriptions
587 (0x00112b00) translate.tab
52130 (0x00112e00) derived_data.dat
10.7
This command updates Flash memory (FlashFS) with the files currently contained in ISFS, which are not yet present in FlashFS. FlashFS effectively provides a backup of all the information contained in ISFS.
Note The CLI command system config save performs exactly the same operation as the flashfs update command. For more information about the system commands, refer to the ISOS 8.2 CLI Reference Manual, DO-009430-PS.
10.8
10.8.2 Copying a file using the cp command
To copy a file in the current default filesystem, use the cp command. This command creates a copy of the original file to a new file using the specified file-name. No check is made if the new filename already exists. Any existing file will be overwritten. For example, to copy the im.conf file to im.conf.bak, enter:
fm cp im.conf im.conf.bak
Note that you cannot copy a file in the same FlashFS partition. You can only copy files between partitions. For example, to copy the same file between two partitions in FlashFS, enter:
fm cp //flashfs/im.conf/PARTITION=1 //flashfs/im.conf/PARTITION=2
This command copies the im.conf file stored on partition 1 in FlashFS to partition 2 on FlashFS.
10.8.3 Renaming a file using the mv command
To rename a file in the current default filesystem, use the mv command. This command renames the original file using the specified filename. No check is made if the new filename already exists. Any existing file will be overwritten. For example, to rename the im.conf file to im.conf.bak, enter:
fm mv im.conf im.conf.bak
This command moves the im.conf file stored on partition 1 in FlashFS to partition 2 on FlashFS.
10.8.4 Removing a file using the rm command
To remove a file from the current default filesystem, use the rm command. For example, to remove the im.conf file, enter:
fm rm im.conf
This chapter describes the various methods for configuring ISOS modules at run-time.
11.1 Introduction
This chapter describes the different methods which can be used to configure the modules which are included in an ISOS image. The modules contained in ISOS can be configured in two ways:
At compile time; by modifying config.h files.
At run time; by issuing configuration commands.
This chapter covers the methods for configuring ISOS modules at run-time. (For more information about configuring ISOS at compile-time, refer to DO-007819-TC, How To Program ATMOS.) There are four main ways to configure ISOS at run-time:
Issuing commands from ISOS; see Using a Management Tool or Console on page 221.
Restoring a saved configuration file; see Restoring a saved configuration from the CLI on page 225.
Downloading a configuration file; see By downloading files to ISFS on page 226.
Programming Flash; see By programming Flash devices on page 227.
The list above is ordered according to the amount of user-intervention required to perform the configuration, ordered from most to least intervention. Issuing commands to configure a module requires a lot of user-intervention. Programming flash devices provides a relatively automated method for configuring ISOS.
11.2
However, it is important to remember that a file transferred during a network boot overrides a version stored in flash. Therefore, to avoid confusion, follow these rules when configuring the system:
When configuring a system from the console or by using a Management tool, you should ensure that no configuration files are transferred during a network boot. (You can ensure this by removing the configuration file from the configuration directory for the module you wish to configure.)
When configuring a system entirely by downloading configuration files to ISFS during a network boot, ensure that there are no configuration files stored in Flash which are not also transferred during the boot.
For more information about ISFS and FlashFS, refer to Using the ISOS File Manager on page 201.
11.3
The diagram below shows how some of the ISOS modules are configured under ISOS depending on whether they are supported by the VMI:
[Figure 54 ISOS Module configuration schematic. Labels in the diagram: CLI, Console, VMI, Bridge, PPP, PPTP, SNMP, im.conf, snmpinit]
The name of the configuration file is used to determine the module to which it applies. You should be able to work out the name of the configuration file as the name is derived from the name of the module. For example, snmpinit is the name of the configuration file for the SNMP module. You can see a list of the current configuration files by issuing the console command:
fm ls isfs
This will display a list of images and configuration files stored in ISFS.
For a list of the configuration files used by ISOS, refer to ISOS Module Configuration files on page 444. For more information about the configuration commands supported by a module, refer to the ISOS 8.2 CLI Reference Manual, DO-009430-PS.
11.4
Use one of the Management tools provided in ISOS to configure the module. The tools provided are:
EmWeb; web server. (For more information on how to setup and use the web server, refer to Using the EmWeb server on page 151.)
CLI; command-line interface. (For more information on how to use the CLI, refer to Using the CLI on page 125.)
For more information about configuring ISOS in different supported configurations by issuing commands from the CLI, refer to the following chapters:
Configuring the ISOS System in Gateway mode on page 235.
Configuring the ISOS System in PC-attached Gateway mode on page 275.
Configuring the ISOS System in Switch mode on page 323.
Once all the modules have been configured as required using any of the provided Management tools, you can use the following console command to view the configuration file im.conf:
im show
This command shows the current configuration of the VMI.
Note The format of the im.conf file is not very readable and requires knowledge of the VMI design to completely understand the information displayed. (For more information, refer to DO-008766-PS, VMI - File Formats.)
3. Save the configuration listed by the im show command, using the CLI command:
system config save
This command saves the current configuration listing to Flash memory, as indicated by the following messages:
-->system config save
Wait for 'configuration saved' message...
--> Saving configuration...
This command saves the configuration for each module to the ISFS file //isfs/im.conf. This file is then written to FlashFS for permanent storage or until the next system config save command is issued.
Note The old configuration files for these supported modules are also created in //isfs, but they are by default not used for configuration of the module; the file im.conf is used for configuration.
11.4.2 Using the console
To configure ISOS modules using the console, follow the procedure below:
1. Configure the ISOS module using the console. For more information on the console commands which are provided for each module, refer to the ISOS 8.2 CLI Reference Manual, DO-009430-PS.
Note Any configuration of the BUN module performed using console commands is not saved by the config save command. To permanently reconfigure the BUN module, you need to create/edit the BUN configuration file, initbun and then download this file to ISFS. For more information, refer to By downloading files to ISFS on page 226.
Once all the modules have been configured as required, use the following command to view the configuration:
config print
Each module displays its configuration information. The modules listed include those whose configuration will be saved when the config save command is used. To see the configuration of a particular module, append the module name to the command. For example, to view the configuration of the webserver module, enter:
config print webserver
To view the modules which are registered and will have their configurations saved, use the config list command. For example:
config list
dnsclient
Save the configuration listed by the config print command, using the console command:
config save
This command saves the current configuration listing to Flash memory, as indicated by the following messages:
Saving configuration...
This command saves the configuration for each module to the appropriate ISFS configuration file. This file is then written to the FlashFS filing system for permanent storage or until the next config save command is issued.
11.5
This command creates a file in ISFS called im.conf.backup. To save a backup configuration to a file other than im.conf.backup, use the command:
system config backup <filename>
where <filename> is the name of an existing isfs file. To restore the im.conf.backup configuration file, enter the command:
system config restore backup
To restore a configuration from a file other than im.conf.backup, enter the command:
system config restore <filename>
These commands will reconfigure the modules supported by the VMI according to the configuration defined in the selected configuration file.
11.6
Refer to Module configuration files on page 219 for information about which configuration file you need to use for the module you wish to configure.
Note You should only be configuring those modules whose configuration is not saved in the im.conf file.
Create a configuration file for the module you wish to configure, using a suitable text editor. The format of the ISFS configuration files should be an ASCII text file, one command per line, in the same format as the commands which can be given to the module from the CLI or console. (If you need to create an im.conf configuration file, refer to Creating an im.conf configuration file on page 227).
Note You should be aware that DOS/Windows and Unix/Linux systems have different conventions for marking line endings in text files. The DOS convention is to use carriage return (ASCII 13) + line feed (ASCII 10), whereas the Unix convention is to use only line feed. ISOS expects configuration files to conform to the Unix line-ending convention. Therefore, if you edit ISFS configuration files on a Windows PC, you will need to use an editor which can save the file with Unix-style line endings.
Copy the created configuration file to the directory:
atmos/products/<product>/flashfs
where <product> is the name of an ISOS product directory. All files stored in this directory will be downloaded to the ISOS System along with the image file.
Download the image and configuration files. (For more information about how to download an image over the network to an ISOS System, refer to Booting the ISOS System in Gateway mode on page 99 and Booting the ISOS System in PC-attached mode on page 111.)
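The check below is an added example, not part of the ISOS guide or tools: it tests a configuration file against the ASCII and Unix line-ending requirements described above before the file is copied into the flashfs download directory. The function names and the sample file content are constructed for illustration, and tolerating tab characters is this example's assumption.

```python
"""Pre-download check for ISFS configuration files (added example, not ISOS code)."""
import sys
from pathlib import Path


def to_unix_line_endings(data: bytes) -> bytes:
    """Convert DOS (CR+LF) and bare-CR line endings to the LF-only form ISOS expects."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def check_isfs_config(data: bytes) -> list:
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    crlf = data.count(b"\r\n")
    bare_cr = data.count(b"\r") - crlf
    if crlf or bare_cr:
        problems.append(
            f"{crlf} CRLF and {bare_cr} bare CR line ending(s); ISOS expects LF only"
        )
    # Check content line by line so the report points at the offending command.
    # Tab (9) is tolerated; that is an assumption of this example.
    for lineno, line in enumerate(to_unix_line_endings(data).split(b"\n"), start=1):
        bad = [b for b in line if b > 126 or (b < 32 and b != 9)]
        if bad:
            problems.append(f"line {lineno}: byte 0x{bad[0]:02x} is not printable ASCII")
    return problems


def check_files(paths) -> dict:
    """Check several files; returns {path: [problems]} for the files that fail."""
    report = {}
    for path in paths:
        problems = check_isfs_config(Path(path).read_bytes())
        if problems:
            report[str(path)] = problems
    return report


# Constructed samples: the same two console commands saved by a Windows editor
# (CR+LF) and by a Unix editor (LF only).
SAMPLE_DOS = b"bridge add interface bridge1\r\nbridge attach bridge1 eth1\r\n"
SAMPLE_UNIX = b"bridge add interface bridge1\nbridge attach bridge1 eth1\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_isfs.py <file> [<file> ...]
        failures = check_files(sys.argv[1:])
        for name, problems in failures.items():
            for problem in problems:
                print(f"{name}: {problem}")
        sys.exit(1 if failures else 0)
    print("DOS sample:      ", check_isfs_config(SAMPLE_DOS))
    print("Unix sample:     ", check_isfs_config(SAMPLE_UNIX))
    print("After conversion:", check_isfs_config(to_unix_line_endings(SAMPLE_DOS)))
```

Run it against the files you are about to place in the flashfs directory; a non-zero exit status means at least one file needs converting or cleaning.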
11.6.1 Creating an im.conf configuration file
Although you can edit the im.conf file, the syntax of this file is not as straightforward as the standard ISFS configuration files. If you wish to configure modules whose configuration is saved in im.conf, you should follow the procedure below:
1. Make configuration changes to the module using a Management tool and then save the configuration to the im.conf file. For more information, refer to Using a Management Tool or Console on page 221.
2. From the console, enter:
fm cat im.conf
This command will display the contents of the im.conf configuration file.
3. Copy the output of this command into a text file editor.
4. Make any further configuration changes you require, but be very careful with the format of the file when you are making changes.
5. Save the file as im.conf.
Refer back to step 3 in By downloading files to ISFS on page 226 to copy this file into the appropriate download directory.
11.7
For more information about how to boot the ISOS System from Flash memory, refer to Configuring Booting of an ISOS System on page 115.
This chapter describes how to compress an ISOS image using the image compression utilities provided in ISOS.
12.1 Introduction
The latest release of ISOS includes a large, feature-rich software base which can be used to build images which provide a high degree of functionality and features. The drawback to providing all this functionality is that the compiled image (flash.bin) can become quite large and not fit into the memory available on some systems. To solve this problem, ISOS includes a set of image compression tools which can be used to reduce the overall size of the PP run-time image contained in the flash.bin image so that it can fit into the memory available. This chapter describes the compression tools available in ISOS and how they can be used to compress ISOS images. For more detailed information on image compression, refer to ATMOS Image Compression Support: DO-008825-PS.
12.2 Compression overview
12.2.1 When/where is the ISOS image compressed?
The ISOS image is compressed during the build process. Typical ISOS systems store their built image in non-volatile memory (FLASH) which is then copied into volatile memory (SDRAM) at run-time. The image is compressed in FLASH and then during the boot-up stage the image is uncompressed and copied into SDRAM.
12.2.2 What image compression utilities are available?
There are three compression utilities supported in ISOS:
bzip2
zlib
vcomp
Some of the utilities also provide options which can be used to select how much compression to apply to the image. These utilities are described in About the compression utilities on page 232.
12.2.3 What parts of the image can be compressed?
The images provided in a flash.bin image are described in Images included in a build on page 64. The table below shows the typical sizes of these images and the other components included for an eth-gateway product:
Component                      Typical size
PP Boot image                  64K
NP Boot image                  8K
NP Runtime image               16K
PP Runtime image               450K to 1200K
Configuration area             64K
Web pages (derived archive)    70K
Table 26:
Compression is applied to the following images during the build process:
PP Runtime image. (vcomp, bzip2 and zlib compression only).
PP Boot image. (vcomp compression only).
You can also configure the build process to compress any additional PHY image you are including in the build. For more information, refer to Including files in an image on page 91. For more information about the image compression options that can be used with the images above, refer to Configuring the compression method on page 236.
12.2.4 What typical compression results can be achieved?
Typically, you should be able to achieve a 40-50% reduction in the overall size of an image. Greater compression can be achieved, but this can impact performance. For more information, refer to Typical compression figures on page 234.
12.2.5 What impact does using compression have on the system?
The two areas which you need to consider when using compression are:
Performance.
Volatile memory requirements.
Performance
The time taken to decompress an image can be significant for images which have been heavily compressed. Decompression occurs prior to boot-up, so for the most efficient compression schemes there can be a significant delay in boot-up time. For more information, refer to Typical decompression figures on page 235.
Volatile memory requirements
Each compression scheme requires a certain amount of memory (workspace) to do the actual compression. Different compression schemes require different amounts of workspace. For more information on memory requirements, refer to Typical decompression figures on page 235.
12.3
zlib provides a fair compromise between compression and boot-up time. It performs an effective compression (better than vcomp but not as good as bzip2) and will only cause a small delay in boot-up time (slightly slower than vcomp but much quicker than bzip2). The following sections describe each compression utility and where to look for more detailed information.
12.3.1 vcomp
For more detailed information about vcomp, refer to the manual page for vcomp which is provided in ISOS:
For Linux and Solaris, enter:
man vcomp
For Windows, choose Tools Documentation from the Start Menu Start > Programs > Virata Tools<Version number>. This will display a page in your Web browser containing information about all the tools provided in the Tools release, including vcomp.
12.3.2 bzip2
For more information about bzip2, refer to:
atmos/source/bzip2/doc/manual_toc.html; your main interest is in the section entitled, How To Use bzip2 which describes the options which can be used with bzip2.
12.3.3 zlib
For more information about zlib, refer to:
atmos/source/zlib/zlib.h; this file contains descriptions of the options which can be used with zlib.
atmos/source/zlib/doc; this directory contains further useful information about zlib.
12.4
Table 27:
The above table illustrates that there is a trade-off to be made between how much compression can be achieved and the workspace required in memory to perform the compression. Bzip reduces the image size to less than half (37% and 41%) of its original size but requires a large workspace area to perform the compression. VComp reduces the image to 60% of its original size and requires a small amount of workspace memory. ZLib reduces the image to slightly less than half (46% and 47%) of its original size and requires a lot less workspace than BZip. Note that the compression ratios will vary depending on exactly what data is contained in the image, so you must view the above figures as estimated compression values only. Your particular image may produce different compression results. You need to compare this table against the decompression table in the next section to decide which compression method suits your requirements.
12.5
Table 28:
The table illustrates that images compressed with VComp and Zlib will have a relatively small impact on performance. However, BZip compression will have a relatively big performance impact.
12.6
to any of the following values:
none; to use no compression.
bzip2; to use bzip2 compression.
zlib; to use zlib compression.
vcomp; to use vcomp compression (default).
This compression method will be used in all subsequent builds, unless image_compression_method is set elsewhere, for example in a hardware file.
12.7
To provide verbose output during the compression, add the --verbose option to the bzip2 command:
set comp = sh -c 'bzip2 -5 --keep --verbose $$1; mv $$1.bz2 $$2' bzip2
For information about the different options which can be used with each compression method, refer to the documentation provided on each compression method. (The docs available are listed in About the compression utilities on page 232.)
This chapter describes how to configure the ISOS System in typical Gateway configurations.
13.1 Introduction
This chapter describes how to configure the ISOS System in various gateway configurations:
Bridged configurations:
Ethernet - RFC1483 bridged; see Ethernet - RFC1483 bridged on page 243.
Frame Relay - bridged; see Frame Relay - bridged on page 246.
Routed configurations:
Ethernet - IPoA routed; see Ethernet - IPoA routed on page 250.
Ethernet - BUN RFC1483 routed; see Ethernet BUN RFC1483 routed on page 255.
Ethernet - PPP routed; see Ethernet - PPP routed on page 259.
PPPoE Client over RFC1483; see PPPoE Client over RFC1483 on page 267.
Standalone PPPoE configuration using FRED; see Standalone PPPoE Configuration using FRED on page 274.
Multiple PPPoE configuration; see Multiple PPPoE sessions with pass-through using qInterface and pppoe-mux on page 280.
Routed using DHCP; see Routed example using DHCP on page 288.
Tunnelling configurations:
Ethernet - PPTP tunnelling - PPP server; see Ethernet PPTP tunnelling PPP server on page 295.
Ethernet - PPTP tunnelling - PPP client; see Ethernet PPTP tunnelling PPP client on page 298.
For troubleshooting information and useful tips on solving configuration problems, refer to Troubleshooting network configurations on page 419. For more information about the commands that you can use to obtain more information about the network that has been set up, refer to Obtaining and changing system setup information on page 387. For more information about the syntax of the commands used in this chapter, refer to the ISOS 8.2 CLI Reference Manual, DO-009430-PS.
13.2
[Figure 55: Demo Network (Gateway). Diagram labels: PC A, Ethernet, ISOS System A, ATM25, ISOS System B, Ethernet, PC B]
Using this setup, you can configure the ISOS System in a number of ways to show it operating as a particular type of network device. In the diagram above:
Each PC is fitted with a 10Base-T or 100Base-T Ethernet network card.
Each PC is connected to the Ethernet port on the ISOS System; this may be through an Ethernet hub, or directly using an Ethernet crossover cable. If using Ethernet hubs, you should make sure that there is no direct path via Ethernet from one PC to the other - only via ATM.
ATM port 0 of the first ISOS System is connected to ATM port 0 of the second ISOS System, using an ATM crossover cable. (Note that an ATM crossover cable is not the same as an Ethernet crossover cable.)
Note The physical location of ATM Port 0 (a1) differs on certain ISOS Systems:
For BD3000, BD6100, BD6200 and BD6210 systems: ATM Port 0 is the ATM port furthest from the DC Power In connector.
For BD6221 systems: ATM Port 0 is the port nearest to the DC Power In connector.
A serial cable should be connected to the Serial port of each ISOS System. For more information on the port settings, refer to Serial port settings on page 354. For more information on the Terminal programs which you can run on your computer, refer to What additional software applications are needed? on page 20.
Apart from the example PPTP configuration, the PCs may run any operating system. The examples only require that the IP address and gateway (default route) of the PC can be changed, and the ping utility can be used to verify connectivity. This chapter does not describe how to change your PC's IP address and gateway.
If you are booting the ISOS Systems over the network and wish to have a BOOTP/TFTP server PC separate from the test PCs, the following configuration is suggested:
[Figure 56. Diagram labels: PC, BOOT PC, HUB, Ethernet, ISOS System, ATM25, ISOS System, Ethernet, HUB, BOOT PC, PC]
For more information about how to set up booting over Ethernet, refer to Booting the ISOS System in Gateway mode on page 99.
13.2.2 Choice of IP addresses
All of the IP addresses used in these examples are from one of the blocks reserved by the Internet Assigned Numbers Authority for use on private IP networks. See RFC 1918, Address Allocation for Private Internets for more information.
13.2.3 Choice of VCI
The examples in this chapter all use a VCI of 600 or above. The main restriction on choosing a VCI is that all VCIs below 32 are reserved for predefined functions, such as ILMI. However, 600 was chosen as it is also above the range used by many signalling implementations for SVCs.
13.2.4 ISOS System configuration
The examples in this chapter describe how to configure your ISOS Systems using each of the following methods:
using the CLI
using EmWeb
If you are configuring using the CLI, you need to understand how to use the CLI interface before you can follow the instructions in this chapter. For more information, refer to Using the CLI on page 125.
If you are configuring using EmWeb, you need to understand how to use the EmWeb interface before you can follow the instructions in this chapter. For more information, refer to Using the EmWeb server on page 151.
The instructions for configuring the system assume the absence of any previous configuration. Please be sure that any old configuration files have been removed from FLASHFS and the system rebooted, before starting to configure the system. For more information on the configuration files present in ISOS, refer to ISOS Module Configuration files on page 444.
You can individually remove files from Flash using the console command:
fm default flashfs
fm rm <filename>
For more information, refer to Removing a file using the rm command on page 216. You can erase the entire contents of FLASHFS using the console command:
flashfs wipe
For more information on the use of this command, refer to DO-007101-PS, ISFS / FLASHFS Functional Specification.
13.2.5 Image size
In some of the examples in this chapter, you may find that the image you need to build for a particular configuration will not fit in Flash on your ISOS System. If this occurs, then you will need to compress the image. For more information, refer to Compressing an ISOS image on page 229.
13.3 Bridged configurations
All of the configurations in this section use the ISOS Bridge module to bridge between Ethernet and an ATM protocol. These configurations are bridging at Layer 2. If you are using the CLI to configure your network, the systems do not need to be configured with any IP address information because both LAN PCs are on the same subnet. If you are using EmWeb, you will need to configure the default LAN IP address for each system. Once the ISOS Systems have been configured, the two PCs should be able to communicate as if they were connected directly by Ethernet. The ISOS Bridge module is described in detail in DO-007087-PS, Transparent Bridge Functional Specification.
13.3.1 Ethernet - RFC1483 bridged
Each ISOS System bridges between Ethernet and BUN RFC1483. The RFC1483 encapsulated frames run over a PVC between the two ISOS Systems. The BUN RFC1483 device is described in detail in DO-007605-PS, BUN Devices: RFC1483.
[Figure 57. Diagram labels: PC A (192.168.100.1), Ethernet, ISOS System A, BUN RFC1483, ISOS System B, BUN RFC1483, Ethernet, PC B (192.168.100.2)]
The outline configuration procedure is as follows:
1. Configure the PCs; see Configure PC A and PC B on page 244.
2. Choose a software image for each ISOS System; see Select ISOS Software images on page 244.
3. Configure ISOS System A; see Configure ISOS System A using the CLI on page 244 or Configure ISOS System A using EmWeb on page 245.
4. Configure ISOS System B; see Configure ISOS System B using the CLI or EmWeb on page 246.
Configure PC A and PC B
1. Configure PC A as follows:
IP address: 192.168.100.1
Subnet mask: 255.255.255.0
Gateway: None
2. Configure PC B as follows:
IP address: 192.168.100.2
Subnet mask: 255.255.255.0
Gateway: None
Select ISOS Software images
For ISOS System A and B, use an ISOS image built from the eth-gateway system file with no changes made to any of the hardware or BUN configuration files.
Configure ISOS System A using the CLI
1. Clear your current configuration by entering the following command:
system config clear
2. Add an Ethernet device to the Bridge. In the following commands, eth1 is the transport name, ethernet is the port name and bridge1 is the Bridge interface name:
ethernet add transport eth1 ethernet
bridge add interface bridge1
bridge attach bridge1 eth1
3. Add an RFC1483 device to the Bridge, with RFC1483 configured to run on port a1, using VCI 600 and LLC encapsulation. In the following commands, my1483 is the transport name and bridge2 is the Bridge interface name:
rfc1483 add transport my1483 a1 0 600 llc bridged
bridge add interface bridge2
bridge attach bridge2 my1483

Add an Ethernet device to the Bridge. By default, your Ethernet device is already attached to the Bridge using a default LAN connection called iplan, IP address 192.168.1.1. The LAN IP address must be on the same subnet as your PC IP address. For this configuration, you need to change the default LAN IP address to 192.168.100.3:
a. At the console, enter the following command:
ip set interface iplan ipaddress 192.168.100.3
At your web browser, enter the new IP address as the URL:
http://192.168.100.3
The EmWeb Welcome page is displayed.
From the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
Add an RFC1483 device to the Bridge, with RFC1483 configured to run on port a1, using VCI 600 and LLC encapsulation.
a. From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
Click on the RFC 1483 bridged radio button, then click on Configure.
At the WAN connection: RFC 1483 bridged page, complete the following:
Description: my1483
VPI: 0
VCI: 600
Encapsulation method: LLC/SNAP
Click on Apply.
Configure ISOS System B using the CLI or EmWeb
Configure ISOS System B by following the same configuration instructions for ISOS System A. If you are using EmWeb, change the default LAN IP address to 192.168.100.4.
13.3.2 Frame Relay - bridged
Each ISOS System bridges between Ethernet and Frame Relay. Frame Relay runs between the two ISOS Systems over an HDLC link.
Note You need to modify one of the ISOS System Evaluation Boards so that it can communicate with the other ISOS System over HDLC. For instructions on the necessary modification, refer to the appropriate Hardware Guide for your system.
The Frame Relay device is described in detail in BUN Devices: Frame Relay: DO-008218-PS.
hillustrates how you
[Figure 58: Ethernet-Frame Relay bridged configuration. Diagram labels: PC A (192.168.100.1), Ethernet, ISOS System A, FR port, HDLC, FR port, ISOS System B, Ethernet, PC B (192.168.100.2)]
The outline configuration procedure is as follows:
1. Configure the PCs; see Configure PC A and PC B on page 247.
2. Choose a software image for each ISOS System; see Select ISOS software images on page 247.
3. Configure ISOS System A; see Configure ISOS System A using the CLI on page 248 or Configure ISOS System A using EmWeb on page 249.
4. Configure ISOS System B; see Configure ISOS System B using the CLI or EmWeb on page 250.
Configure PC A and PC B
1. Configure PC A as follows:
IP address: 192.168.100.1
Subnet mask: 255.255.255.0
Gateway: None
2. Configure PC B as follows:
IP address: 192.168.100.2
Subnet mask: 255.255.255.0
Gateway: None
Select ISOS software images
For ISOS System A and B, use an ISOS image built from the eth-gateway system file for the ISOS System with support for Frame Relay added. The eth-gateway file calls the generic gateway file to use as its system file. You need to make changes to the configuration in the gateway system file:
1. The following lines need to be added to the gateway system file to provide support for Frame Relay:
Package bun/devices/emu
Package bun/devices/assignmac
If AticSharedLibrary
Package bun/devices/frame_relay
Endif
These lines are included in the extra-sw system file. Copy them from this file and paste into the gateway system file. These added lines must be placed after the statement: Package core in the gateway system file.
For ISOS System A and B, the Frame relay software port needs to be defined in the software BUN configuration file atmos/products/eth-gateway/flashfs/initbun. Copy the following lines from the initbun file for the extra-sw product, located in atmos/products/extra-sw/flashfs/initbun:
device : fr1 = chameleon, assignmac, emu, FrameRelay
# frame relay port
port : fr = fr1/Interface=<hdlc>/MapPort=<ethernet>/MapPortConnected=<Connected>/MapPortLinkSpeed=<LinkSpeed>
Add these lines to the software BUN configuration file atmos/products/eth-gateway/flashfs/initbun. You also need to add New Attribute details to the port line:
port : fr = fr1/Interface=<hdlc>/MapPort=<ethernet>/MapPortConnected=<Connected>/MapPortLinkSpeed=<LinkSpeed>/NewAttribute=<bool:VMI=true>/NewAttribute=<bool:outside=true>
Clear any existing Bridge interfaces and Ethernet and Frame Relay transports by typing the following command:
system config clear
Add an Ethernet device to the Bridge. In the following commands, eth1 is the transport name, ethernet is the port name and bridge1 is the Bridge interface name:
ethernet add transport eth1 ethernet
bridge add interface bridge1
bridge attach bridge1 eth1
Add a Frame Relay device to the Bridge, with Frame Relay configured to run on port fr using DLCI 171. In the following commands, t1 is the transport name and bridgedether is the encapsulation method:
framerelay add transport t1 fr 171
framerelay set transport t1 encapsulation bridgedether
bridge add interface bridge2
bridge attach bridge2 t1
Add an Ethernet device to the Bridge. By default, your Ethernet device is already attached to the Bridge using a default LAN connection called iplan, IP address 192.168.1.1. The LAN IP address must be on the same subnet as your PC IP address. For this configuration, you need to change the default LAN IP address to 192.168.100.3:
a. At the console, enter the following command:
ip set interface iplan ipaddress 192.168.100.3
At your web browser, enter the new IP address as the URL:
http://192.168.100.3
The EmWeb Welcome page is displayed.
From the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
Add a Frame Relay device to the Bridge, with Frame Relay configured to run on port fr using DLCI 171.
a. From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
b. Click on the Frame Relay bridged radio button, then click on Configure.
At the WAN connection: Frame Relay bridged page, complete the following:
Description: FR
DLCI: 171
Encapsulation method: Bridged Ethernet
Click on Apply. The WAN connections page is displayed, containing details of the new Frame Relay transport.
By default, the transport is set to run on port fr. To check this, from the WAN connections table, click on the Frame Relay Edit link. From the Edit Service page, click on Edit Frame Relay Channel. Check that the Port is set to fr.
Configure ISOS System B using the CLI or EmWeb
Configure ISOS System B by following the same configuration instructions for ISOS System A. If you are using EmWeb, change the default LAN IP address to 192.168.100.4.
13.4 Routed configurations
All of the configurations in this section use the ISOS ip module to route between Ethernet and an ATM protocol. As these configurations perform IP routing, each part of the network must be on a different subnet. In these examples, three subnets are involved:
Between PC A and the Ethernet interface of ISOS System A.
Between the ATM interfaces of the two ISOS Systems.
Between Ethernet interfaces of ISOS System B and PC B.
Once the ISOS Systems have been configured, the two PCs should be able to communicate using any IP protocol. The ISOS ip module is described in detail in DO-400072-TC: ISOS IP Stack Feature and Interface Guide.
13.4.1 Ethernet - IPoA routed
Each ISOS System routes between Ethernet and Classical IP over ATM (RFC1577) - this is referred to as IPoA. The IPoA data runs over a PVC between the two ISOS Systems.
The IPoA protocol is implemented by the ISOS IP module, so it does not have a separate Functional Specification document.
[Figure 59. Diagram labels: PC A (192.168.101.1), Ethernet, ISOS System A (192.168.101.2, 192.168.102.2), VCI 700, ISOS System B (192.168.102.3, 192.168.103.3), Ethernet, PC B (192.168.103.4)]
The outline configuration procedure is as follows:
1. Configure the PCs; see Configure PC A and PC B on page 251.
2. Choose a software image for each ISOS System; see Select ISOS software images on page 252.
3. Configure ISOS System A; see Configure ISOS System A using the CLI on page 252 or Configure ISOS System A using EmWeb on page 253.
4. Configure ISOS System B; see Configure ISOS System B using EmWeb on page 254 or Configure ISOS System B using EmWeb on page 254.
Configure PC A and PC B
1. Configure PC A as follows:
IP address: 192.168.101.1
Subnet mask: 255.255.255.0
Gateway: 192.168.101.2
2. Configure PC B as follows:
IP address: 192.168.103.4
Subnet mask: 255.255.255.0
Gateway: 192.168.103.3
Select ISOS software images
For ISOS System A and B, use an ISOS image built from the eth-gateway system file.
Configure ISOS System A using the CLI
1. Clear your current configuration by entering the following command:
system config clear
2. Add the Ethernet device to the router. In the following command, eth1 is the transport name, ethernet is the port name and ip1 is the interface name:
ethernet add transport eth1 ethernet
ip add interface ip1 192.168.101.2
ip attach ip1 eth1
3. Add the IPoA device to the router configured to run on VCI 700 with a peak cell rate of 50000 cells per second, using the port named a1. In the following commands, ipoa1 is the transport name and ip2 is the interface name:
ipoa add transport ipoa1 pvc a1 0 700
ip add interface ip2 192.168.102.2
ip attach ip2 ipoa1
ipoa transport ipoa1 set pvc 1 pcr 50000
4. Add a default route, with ISOS System B as the gateway:
ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.102.3
Configure ISOS System B using the CLI
Configure ISOS System B using a configuration similar to ISOS System A. Follow the instructions in Configure ISOS System A using the CLI on page 252, but change the IP addresses as follows:
system config clear
ethernet add transport eth1 ethernet
ip add interface ip1 192.168.103.3
ip attach ip1 eth1
ipoa add transport ipoa1 pvc a1 0 700
ip add interface ip2 192.168.102.3
ip attach ip2 ipoa1
ipoa transport ipoa1 set pvc 1 pcr 50000
ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.102.2
Configure ISOS System A using EmWeb
1
Add the Ethernet device to the router. By default, your Ethernet device is already attached to the router using a default LAN connection called iplan, IP address 192.168.1.1. The LAN IP address must be on the same subnet as your PC IP address. For this configuration, you need to change the default LAN IP address to 192.168.101.2:
a
At the console, enter the following command: ip set interface iplan ipaddress 192.168.101.2 At your web browser, enter the new IP address as the URL: http://192.168.101.2 The EmWeb Welcome page is displayed.
Clear any existing WAN connections and IP routes by following the instructions below:
a b
From the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
ISOS (8.2 Service Release 2) User Guide DO-009467-PS (Issue 4, 6th Dec 2002)
253
Routed configurations
From the left-hand menu, click on Configuration>IP routes. If there are any routes listed, check the Delete? checkbox and click on Apply. Repeat until all IP routes have been deleted.
Add the IPoA device to the router configured to run on VCI 700 with a peak cell rate of 50000 cells per second, using the port named a1.
a b
From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service. Click on the IPoA routed radio button, then click on Configure. At the WAN connection: IPoA routed page, complete the following: Description: ipoa1 VPI: 0 VCI: 700 (click on the WAN IP address radio button) WAN IP address: 192.168.102.2 Click on Apply. The WAN connections page is displayed, containing details of the new IPoA transport. By default, the connection is set to run on port a1. From the WAN connections table, Click on the IPoA Edit link. From the Edit Service page, click on Edit ATM Channel. Set the Peak Cell Rate text box to 50000. You do not need to change the other default settings. Click on Change. From the left-hand menu, click on Configuration>IP routes. Click on the Create new IP V4Route link. The Create IP V4Route page is displayed. In the Gateway text box, type 192.168.102.3. You do not need to change the other default settings. Click on OK.

Configure ISOS System B using EmWeb
Configure ISOS System B using a configuration similar to ISOS System A. Follow the instructions in Configure ISOS System A using the CLI on page 252, but change the IP addresses as follows:
    Change the IP address of the default iplan interface to 192.168.103.3.
    Set the IPoA routed WAN IP address to 192.168.102.3.

13.4.2 Ethernet BUN RFC1483 routed
Each ISOS System routes between Ethernet and RFC1483. The RFC1483 data runs over a PVC between the two ISOS Systems.
[Figure 60: PC A (192.168.101.1) connects over Ethernet to ISOS System A (192.168.101.2, 192.168.102.2), which connects over VCI 600 to ISOS System B (192.168.102.3, 192.168.103.3), which connects over Ethernet to PC B (192.168.103.4).]
The outline configuration procedure is as follows:
1. Configure the PCs; see Configure PC A and PC B on page 255.
2. Choose a software image for each ISOS System; see Select ISOS Software images on page 256.
3. Configure ISOS System A; see Configure ISOS System A using the CLI on page 256 or Configure ISOS System A using EmWeb on page 257.
4. Configure ISOS System B; see Configure ISOS System B using the CLI on page 257 or Configure ISOS System B using EmWeb on page 258.
Configure PC A and PC B
1. Configure PC A as follows:
    IP address: 192.168.101.1
    Subnet mask: 255.255.255.0
    Gateway: 192.168.101.2
2. Configure PC B as follows:
    IP address: 192.168.103.4
Select ISOS Software images
For ISOS System A and B, use an ISOS image built from the eth-gateway system file.

Configure ISOS System A using the CLI
1. Clear any existing IP interfaces and transports. Clearing the IP interfaces also deletes any existing DHCP client settings on those interfaces. This change to DHCP is not updated in the DHCP client configuration until you enter the dhcpclient update command. Type the following command:
    system config clear
2. Add the Ethernet device to the router. In the following commands, eth1 is the name of the transport, ethernet is the port name and ip1 is the interface name:
    ethernet add transport eth1 ethernet
    ip add interface ip1 192.168.101.2
    ip attach ip1 eth1
3. Add the RFC1483 device to the router, with RFC1483 configured to run on port a1 using VCI 600, vcmux routed encapsulation. In the following commands, my1483 is the transport name and ip2 is the interface name:
    rfc1483 add transport my1483 a1 0 600 vcmux routed
    ip add interface ip2 192.168.102.2
    ip attach ip2 my1483
4. Add a default route, with ISOS System B as the gateway:
    ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.102.3
Configure ISOS System B using the CLI
Configure ISOS System B. The configuration here is similar to ISOS System A. Follow the instructions in Configure ISOS System A using the CLI on page 256, but change the IP addresses:
    system config clear
    ethernet add transport eth1 ethernet
    ip add interface ip1 192.168.103.3
    ip attach ip1 eth1
    rfc1483 add transport my1483 a1 0 600 vcmux routed
    ip add interface ip2 192.168.102.3
    ip attach ip2 my1483
    ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.102.2

Configure ISOS System A using EmWeb
1. Add the Ethernet device to the router. By default, your Ethernet device is already attached to the router using a default LAN connection called iplan, IP address 192.168.1.1. For this configuration, you need to change the default LAN IP address to 192.168.101.2:
    a. At the console, enter the following command:
        ip set interface iplan ipaddress 192.168.101.2
    b. At your web browser, enter the new IP address as the URL: http://192.168.101.2
       The EmWeb Welcome page is displayed.
2. Clear any existing WAN connections and IP routes by following the instructions below:
    a. From the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed.
    b. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
    c. Click on Configuration>IP routes. If there are any routes listed, check the Delete? checkbox and click on Apply. Repeat until all IP routes have been deleted.
3. Add the RFC1483 device to the router, with RFC1483 configured to run on port a1 using VCI 600, vcmux routed encapsulation.
    a. From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
    b. Click on the RFC 1483 routed radio button, then click on Configure.
    c. At the WAN connection: RFC 1483 routed page, complete the following:
        Description: my1483
        VPI: 0
        VCI: 600
        Encapsulation method: VcMux (null)
        (click on the WAN IP address radio button) WAN IP address: 192.168.102.2
    d. Click on Apply. The WAN connections page is displayed, containing details of the new RFC 1483 transport. By default, the connection is set to run on port a1.
    e. From the left-hand menu, click on Configuration>IP routes. Click on the Create new IP V4Route link. The Create IP V4Route page is displayed.
    f. In the Gateway text box, type 192.168.102.3. You do not need to change the other default settings. Click on OK.

Configure ISOS System B using EmWeb
Configure ISOS System B. The configuration here is similar to ISOS System A. Follow the instructions in Configure ISOS System A using the CLI on page 256, but change the IP addresses:
    Change the IP address of the default iplan interface to 192.168.103.3.
    Set the RFC1483 routed WAN IP address to 192.168.102.3.
    Set the default route Gateway to 192.168.102.2.
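
A consistency check for the paired CLI configurations in 13.4.1 and 13.4.2, as an added example that is not part of the ISOS guide or its tooling: it parses only the commands shown in those sections and verifies that both ends agree on the PVC, share the WAN subnet, and point their default routes at each other. The function names and the /24 prefix applied to router interfaces (taken from the PC subnet masks) are assumptions.

```python
import ipaddress

ASSUMED_PREFIX = 24  # assumption: interfaces use the 255.255.255.0 mask given for the PCs

# Command lists as given for ISOS System A and ISOS System B in 13.4.2.
SYSTEM_A = """\
system config clear
ethernet add transport eth1 ethernet
ip add interface ip1 192.168.101.2
ip attach ip1 eth1
rfc1483 add transport my1483 a1 0 600 vcmux routed
ip add interface ip2 192.168.102.2
ip attach ip2 my1483
ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.102.3
"""
SYSTEM_B = """\
system config clear
ethernet add transport eth1 ethernet
ip add interface ip1 192.168.103.3
ip attach ip1 eth1
rfc1483 add transport my1483 a1 0 600 vcmux routed
ip add interface ip2 192.168.102.3
ip attach ip2 my1483
ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.102.2
"""


def parse(config):
    """Collect interfaces, WAN PVCs, attachments and route gateways from a command list."""
    state = {"interfaces": {}, "pvcs": {}, "attach": {}, "gateways": []}
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["ip", "add", "interface"] and len(w) in (5, 6):
            mask = w[5] if len(w) == 6 else ASSUMED_PREFIX
            state["interfaces"][w[3]] = ipaddress.ip_interface(f"{w[4]}/{mask}")
        elif w[:2] == ["ip", "attach"] and len(w) == 4:
            state["attach"][w[2]] = w[3]
        elif w[:3] == ["ip", "add", "route"] and "gateway" in w[:-1]:
            state["gateways"].append(ipaddress.ip_address(w[w.index("gateway") + 1]))
        elif w[:3] == ["ipoa", "add", "transport"] and len(w) == 8:
            # ipoa add transport <name> pvc <port> <vpi> <vci>
            state["pvcs"][w[3]] = (int(w[6]), int(w[7]), "ipoa")
        elif w[:3] == ["rfc1483", "add", "transport"] and len(w) == 9:
            # rfc1483 add transport <name> <port> <vpi> <vci> <encapsulation> <mode>
            state["pvcs"][w[3]] = (int(w[5]), int(w[6]), f"rfc1483 {w[7]} {w[8]}")
    return state


def wan_side(state):
    """Return (interface, pvc) for the IP interface attached to a PVC transport."""
    for ifname, transport in state["attach"].items():
        if transport in state["pvcs"] and ifname in state["interfaces"]:
            return state["interfaces"][ifname], state["pvcs"][transport]
    return None


def lint_system(name, state):
    """Checks that need only one system's configuration."""
    findings = []
    for ifname in state["interfaces"]:
        if ifname not in state["attach"]:
            findings.append(f"{name}: interface {ifname} is not attached to a transport")
    for gw in state["gateways"]:
        on_link = [i for i in state["interfaces"].values() if gw in i.network]
        if not on_link:
            findings.append(f"{name}: gateway {gw} is not on a directly connected subnet")
        elif any(gw == i.ip for i in on_link):
            findings.append(f"{name}: gateway {gw} is this system's own address")
    return findings


def lint_link(a, b):
    """Checks that compare the two ends of the PVC."""
    wa, wb = wan_side(a), wan_side(b)
    if wa is None or wb is None:
        return ["one end has no IP interface attached to a PVC transport"]
    (ifa, pvca), (ifb, pvcb) = wa, wb
    findings = []
    if pvca != pvcb:
        findings.append(f"PVC mismatch: A uses {pvca}, B uses {pvcb}")
    if ifa.network != ifb.network:
        findings.append(f"WAN subnets differ: {ifa.network} and {ifb.network}")
    elif ifa.ip == ifb.ip:
        findings.append(f"both ends use WAN address {ifa.ip}")
    if ifb.ip not in a["gateways"]:
        findings.append("A has no route through B's WAN address")
    if ifa.ip not in b["gateways"]:
        findings.append("B has no route through A's WAN address")
    return findings


def lint_pair(config_a, config_b):
    """Return every finding for the two configurations; an empty list means consistent."""
    a, b = parse(config_a), parse(config_b)
    return lint_system("A", a) + lint_system("B", b) + lint_link(a, b)


if __name__ == "__main__":
    print(lint_pair(SYSTEM_A, SYSTEM_B) or "consistent")
```

Run it against the command list for each end before applying a change; a mismatch in VCI or encapsulation between the two ends is the kind of error that otherwise only shows up as a silent link.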

13.4.3 Ethernet - PPP routed
In this example, each ISOS System routes data between Ethernet and PPP over ATM. The PPP data runs over a PVC between the two ISOS Systems. ISOS System A will be the dial-out (i.e., client) end of the PPP link, and ISOS System B will be the dial-in (i.e., server) end of the link.
This type of configuration would be required for a PC connected to a modem and dialling out to a local ISP. In this example, PC A represents the home PC, connected to ISOS System A (modem). ISOS System B represents the PPP server which is dialled from the home PC via the modem. PPP is described in detail in DO-007078-PS, PPP Functional Specification.
In the network, both ISOS Systems are configured as Gateway configurations. (For more information about Gateway configurations, refer to What configurations are supported by an ISOS System? on page 8.)
[Figure: PC A (192.168.101.1) connects over Ethernet to ISOS System A (192.168.101.2, 192.168.102.2), which connects over a PVC to ISOS System B (192.168.102.3, 192.168.103.3), which connects over Ethernet to PC B (192.168.103.4).]
1. Configure the PCs; see Configure PC A and PC B on page 260.
2. Choose a software image for each ISOS System; see Select ISOS software images on page 260.
3. Configure ISOS System A; see Configure ISOS System A using the CLI on page 260 or Configure ISOS System A using EmWeb on page 263.
4. Configure ISOS System B; see Configure ISOS System B using the CLI on page 261 or Configure ISOS System B using EmWeb on page 264.
Configure PC A and PC B
1. Configure PC A as follows:
    IP address: 192.168.101.1
    Subnet mask: 255.255.255.0
    Gateway: 192.168.101.2
2. Configure PC B as follows:
    IP address: 192.168.103.4
    Subnet mask: 255.255.255.0
    Gateway: 192.168.103.3

Select ISOS software images
For ISOS System A and B, use an ISOS image built from the eth-gateway system file.

Configure ISOS System A using the CLI
1. Clear any existing IP interfaces and transports. Clearing the IP interfaces also deletes any existing DHCP client settings on those interfaces. This change to DHCP is not updated in the DHCP client configuration until you enter the dhcpclient update command. Type the following commands:
    ip clear interfaces
    ip clear routes
    transports clear
    dhcpclient update
2. Add the Ethernet device to the router. In the following commands, eth1 is the name of the transport, and ethernet is the port name.
    ethernet add transport eth1 ethernet
    ip add interface ip1 192.168.101.2
    ip attach ip1 eth1
3. Create the PPP transport. The PPP module supports multiple simultaneous connections, so we explicitly specify device 1 here. The following command configures PPP device 1 for dial-out on VCI 800.
    pppoa add transport ppp1 dialout pvc 1 a1 0 800
   We will be using PPP device 1 and interface 1, which are able to automatically configure the IP address of the router interface, and add a default route when the connection is made. That is why the IP address of the router interface is specified as the remote ip.
4. Configure the PPP transport:
    a. CHAP authentication will be used; PPP will supply a username of fred and a password of password:
        pppoa set transport ppp1 welogin chap
        pppoa set transport ppp1 username fred
        pppoa set transport ppp1 password password
    b. Ensure that PPP uses the correct IP subnet mask:
        pppoa set transport ppp1 subnetmask 255.255.255.0
       By default, the transport creates a default route to the subnet at the remote end of the PPP link. You do not need to configure this.
5. Add the PPP device to the router:
    ip add interface ip2
    ip attach ip2 ppp1

Configure ISOS System B using the CLI
1. Clear any existing IP interfaces and transports. Clearing the IP interfaces also deletes any existing DHCP client settings on those interfaces. This change to DHCP is not updated in the DHCP client configuration until you enter the dhcpclient update command. Type the following commands:
    ip clear interfaces
    ip clear routes
    transports clear
    dhcpclient update
2. Add the Ethernet device to the router. In the following commands, eth1 is the name of the transport, and ethernet is the port name.
    ethernet add transport eth1 ethernet
    ip add interface ip1 192.168.103.3
    ip attach ip1 eth1
3. We will be using PPP device 2 and interface 2, because on the dial-in end of the link, we do not require the ability to automatically configure the IP address of the router interface and add a default route when the connection is made. That is why the IP address of the router interface was specified in the previous command. The following commands configure PPP device 2 for dial-in on PVC 800. CHAP authentication will be used, and PPP will expect the user fred to log in using the password password.
    pppoa add transport ppp1 dialin pvc 2 a1 0 800
    ip add interface ip2 192.168.102.3
    pppoa set transport ppp1 theylogin chap
    pppoa set transport ppp1 remoteip 192.168.102.2
    ip attach ip2 ppp1
4. On the dial-in end of the link, a route to the other PC will not be added manually. The following command adds a default route using ISOS System A as the gateway:
    ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.102.2
5. Finally, add a dial-in facility for user fred using password password:
    system add user fred
    user change fred
    You are now logged in as user fred...
    user password
    enter new password: password
    again to verify: password
    user logout

Configure ISOS System A using EmWeb
1. Add the Ethernet device to the router. By default, your Ethernet device is already attached to the router using a default LAN connection called iplan, IP address 192.168.1.1. For this configuration, you need to change the default LAN IP address to 192.168.101.2:
    a. At the console, enter the following command:
        ip set interface iplan ipaddress 192.168.101.2
    b. At your web browser, enter the new IP address as the URL: http://192.168.101.2
       The EmWeb Welcome page is displayed.
2. Clear any existing WAN connections and IP routes by following the instructions below:
    a. From the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed.
    b. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
    c. Click on Configuration>IP routes. If there are any routes listed, check the Delete? checkbox and click on Apply. Repeat until all IP routes have been deleted.
3. Add the PPP device to the router. The PPP module supports multiple simultaneous connections; device 1 is used by default. The following instructions configure PPP device 1 for dial-out on VCI 800. We will be using PPP device 1 and interface 1, which are able to automatically configure the IP address of the router interface, and add a default route when the connection is made. That is why the IP address of the router interface is specified as the remote ip. CHAP authentication will be used; PPP will supply a username of fred and a password of password:
    a. From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
    b. Click on the PPPoA routed radio button, then click on Configure.
    c. At the WAN connection: PPPoA routed page, complete the following:
        Description: ppp1
        VPI: 0
        VCI: 800
        WAN IP address: 0.0.0.0
        LLC header mode: off
        HDLC header mode: off
        CHAP (click radio button)
        User name: fred
        Password: password
    d. Click on Configure. The WAN connections page is displayed, containing details of the new PPPoA transport.

Configure ISOS System B using EmWeb
1. Add the Ethernet device to the router. By default, your Ethernet device is already attached to the router using a default LAN connection called iplan, IP address 192.168.1.1. For this configuration, you need to change the default LAN IP address to 192.168.103.3:
    a. At the console, enter the following command:
        ip set interface iplan ipaddress 192.168.103.3
    b. At your web browser, enter the new IP address as the URL: http://192.168.103.3
       The EmWeb Welcome page is displayed.
2. Clear any existing WAN connections and IP routes by following the instructions below:
    a. From the left-hand menu, click on Configuration>WAN connections. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
    b. Click on Configuration>IP routes. If there are any routes listed, check the Delete? checkbox and click on Apply. Repeat until all IP routes have been deleted.
3. We will be using PPP device 2 and interface 2, because on the dial-in end of the link, we do not require the ability to automatically configure the IP address of the router interface and add a default route when the connection is made. The following instructions configure PPP device 2 for dial-in on PVC 800. CHAP authentication will be used, and PPP will expect the user fred to log in using the password password.
    a. From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
    b. Click on the PPPoA routed radio button, then click on Configure.
    c. At the WAN connection: PPPoA routed page, complete the following:
        Description: ppp1
        VPI: 0
        VCI: 800
        WAN IP address: 192.168.102.3
        LLC header mode: off
        HDLC header mode: off
        CHAP (click radio button)
       Click on Configure. The WAN connections page is displayed, containing details of the new PPPoA transport.
    d. From the WAN connections table, click on the ppp1 Edit link. The Edit Service page is displayed. Click on Edit PPP.
    e. Complete the following:
        Server: true
        Dialout Auth: chap
        Interface ID: 2
        Remote Ip: 192.168.101.2
       You do not need to make changes to the other default settings. Click on Change.
4. On the dial-in end of the link, a route to the other PC will not be added manually. The following instruction adds a default route using ISOS System A as the gateway:
    Click on Create new IP V4Route. In the Gateway text box, type 192.168.102.2. You do not need to make changes to the other default settings. Click on OK.
5. Finally, add a dial-in facility for user fred using password password:
    a. From the left-hand menu, click on Configuration>Authentication. Click on the Create a new user link. The Authentication: create user page is displayed.
    b. Complete the following:
        Username: fred
        Password: password
        May login? false
    c. Click on Create.
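
The CHAP exchange that the dial-out end (welogin chap) and the dial-in end (theylogin chap) carry out, as an added example in Python that is not ISOS code: it follows the RFC 1994 packet layout with the MD5 algorithm and uses the sample credentials from this section. The authenticator name isos-b and all function and class names are assumptions.

```python
import hashlib
import hmac
import os
import struct

# CHAP packet codes from RFC 1994.
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def build_packet(code, ident, value, name):
    """Challenge/Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_packet(packet):
    """Split a Challenge/Response packet, rejecting inconsistent length fields."""
    if len(packet) < 5:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if length != len(packet) or 5 + size > length:
        raise ValueError("length fields do not match the packet")
    return code, ident, packet[5:5 + size], packet[5 + size:]


def chap_md5(ident, secret, challenge):
    """Response value for CHAP with MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def peer_response(challenge_packet, username, password):
    """Dial-out end: answer a Challenge with the configured username and password."""
    code, ident, challenge, _name = parse_packet(challenge_packet)
    if code != CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    return build_packet(RESPONSE, ident, chap_md5(ident, password, challenge), username)


class Authenticator:
    """Dial-in end: issues challenges and checks responses against its user table."""

    def __init__(self, name, users):
        self.name = name        # sent in the Name field of each Challenge
        self.users = users      # {username bytes: secret bytes}
        self.ident = 0
        self.pending = None     # challenge still waiting for a response

    def challenge(self):
        self.ident = (self.ident + 1) % 256
        self.pending = os.urandom(16)  # unpredictable and new for every attempt
        return build_packet(CHALLENGE, self.ident, self.pending, self.name)

    def verify(self, response_packet):
        code, ident, value, username = parse_packet(response_packet)
        challenge, self.pending = self.pending, None  # each challenge is used once
        secret = self.users.get(username)
        if code != RESPONSE or challenge is None or ident != self.ident or secret is None:
            return FAILURE
        expected = chap_md5(ident, secret, challenge)
        return SUCCESS if hmac.compare_digest(value, expected) else FAILURE


def demo():
    """Run the exchange with the sample credentials used in this section."""
    server = Authenticator(b"isos-b", {b"fred": b"password"})
    good = peer_response(server.challenge(), b"fred", b"password")
    first = server.verify(good)
    replay = server.verify(good)  # same response again, no challenge outstanding
    wrong = server.verify(peer_response(server.challenge(), b"fred", b"passw0rd"))
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
```

The password itself never crosses the link, but both ends must store it in recoverable form, and the response is only as strong as that shared secret.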

13.4.4 PPPoE Client over RFC1483
The ISOS Point-to-Point Protocol over Ethernet (PPPoE, RFC2516) client allows a PPP connection to a PPPoE Access Concentrator (AC) over an IP network. In this example, the connection is initiated from a PPPoE client to a remote PPPoE server. PPPoE is described in detail in DO-008195-PS, BUN Device: Point to Point Protocol over Ethernet (PPPoE).
Consider the following network in which PC A represents a home PC connected to ISOS System A, which plays the role of the user's modem, and PC B, which represents the PPP dial-in server:
[Figure 62: PC A (192.168.101.1) connects over Ethernet to ISOS System A (192.168.101.2), which connects over BUN RFC1483 to ISOS System B, which connects over Ethernet to PC B, the PPPoE AC (192.168.100.1).]
The PPPoE connection is initially established from ISOS System A (dial-out), which contains the PPPoE client, to PC B (dial-in), which is configured as a PPPoE AC. ISOS System B acts as a Bridge allowing ATM/Ethernet traffic transport using RFC1483 (see Ethernet RFC1483 bridged on page 243 for a bridging example). PC B, upon completing the connection with ISOS System A, will assign an IP address to the PPPoE client. The AC gives out an address from the range that is configured on the AC application. PC A and PC B should then be able to communicate via the Internet Protocol (IP).
The end of the PPP link, which terminates at PC B, is configured here to use an IP address of 192.168.100.1. PC A is configured to use 192.168.101.1. These IP addresses are used to pass PPP Ethernet-encapsulated data over the point-to-point link.
1. Configure the PCs; see Configure PC A and PC B on page 268.
2. Choose an ISOS image for each of the ISOS Systems; see Select ISOS software images on page 269.
3. Configure ISOS System A; see Configure ISOS System A using the CLI on page 269 or Configure ISOS System A using EmWeb on page 271.
4. Configure ISOS System B; see Configure ISOS System B using the CLI on page 271 or Configure ISOS System B using EmWeb on page 273.
Configure PC A and PC B
1. PC A must have a mechanism to communicate with the PPPoE AC, such as ICMP ping capabilities, or Telnet. Configure PC A as follows:
    a. Ethernet interface configuration:
        IP address: 192.168.101.1
        Subnet mask: 255.255.255.0
        Gateway: 192.168.101.2
    b. PPP configuration:
        Dial-out user name: viratauser
        Dial-out password: viratapass
        Authentication Protocol: CHAP
2. PC B must have a PPPoE Access Concentrator (server) application installed, and should have ping and/or telnet capabilities. There are several PPPoE Access Concentrator applications available as freeware for Unix-based systems. Here is a list of some of the most popular applications:
    Windows: RASPPPoE (PPPoE Client and AC/Server application)
    UNIX (Linux and Solaris): Roaring Penguin (PPPoE Client and AC/Server application). See the GlobespanVirata Licensee Server Knowledge Base for details of How to set-up Roaring Penguin (PPPoE Client) on Linux.
   Configure PPPoE AC on PC B as follows:
    IP address: 192.168.100.1
    Subnet mask: 255.255.255.0
   Set the IP address range as follows:
    Start of range: 192.168.100.2
    End of range: 192.168.100.4

Select ISOS software images
For ISOS System A and B, use an ISOS image built from the eth-gateway system file. Before building the image, you need to check the contents of the following configuration files on each system:
1. Eth-gateway system file; atmos/system/eth-gateway. Check that the following lines are present in the eth-gateway system file:
    a. The CYAN_POOL1_PREFIX must be configured as 48 bytes or larger for the packet header encapsulation used in PPPoE:
        Config.hs CYAN_POOL1_PREFIX (48)
2. BUN configuration file for eth-gateway; atmos/products/eth-gateway/flashfs/initbun. The following device and port (physical port 0 on BD6000 Series A and BD6000 Series B) need to have been configured in the ISFS initbun configuration file for the eth-gateway product. Check that the PPPoE driver has been added to the atm device definition in the initbun file:
        device : atm = chameleon, debug, pppoe, rfc1483, atm_phy, atm_transport
   Also check that the atm device has been defined correctly. This is the default entry:
        port : a1 = atm/PhysicalPort=0/PortSpeed=59111/NewAttribute=<bool:V MI=true>/NewAttribute=<bool:outside=true>

Configure ISOS System A using the CLI
1. Clear any existing IP interfaces and transports, and update the DHCP client configuration, by typing the following commands:
    ip clear interfaces
    transports clear
2. Add the Ethernet device to ISOS System A; this provides access to the PPPoE client from PC A. In the following commands, ETH is the name of the transport, and ethernet is the port name.
    ethernet add transport ETH ethernet
    ip add interface myip 192.168.101.2 255.255.255.0
3. The PPPoE BUN driver uses functionality provided by the PPP module. Configure a PPP channel for an outgoing PPPoE connection to the remote AC using PVC 600. The PPPoE AC in this scenario utilizes CHAP authentication, but PAP authentication may be substituted. PC B will need to be configured for a specific authentication, if desired, before connecting. If no authentication is used, simply omit the welogin command. Since the PPP module supports multiple, simultaneous connections, we will be using PPP device 1 and Interface 1. PPP is able to automatically configure the IP address of the router interface, and add a default route when the connection is made. This is the reason the IP address of the router interface is not specified in the command. TCP MSS Clamp functionality is enabled on the IP interface:
    ip add interface ip2
    ip set interface ip2 tcpmssclamp enabled
    pppoe add transport PPP dialout pvc 1 a1 0 600
    bridge add interface br-eth
    bridge attach br-eth ETH
    ip attachbridge myip
    pppoe set transport PPP welogin chap
    pppoe set transport PPP username viratauser
    pppoe set transport PPP password viratapass
    ip attach ip2 PPP

Configure ISOS System B using the CLI
1. Clear any existing IP and Bridge interfaces and transports. Clearing the IP interfaces also deletes any existing DHCP client settings on those interfaces. This change to DHCP is not updated in the DHCP client configuration until you enter the dhcpclient update command. Type the following commands:
    ip clear interfaces
    bridge clear interfaces
    transports clear
    dhcpclient update
2. Add the Ethernet device to the Bridge. In the following commands, eth1 is the name of the transport, and ethernet is the port name.
    ethernet add transport eth1 ethernet
    bridge add interface mybridge1
    bridge attach mybridge1 eth1
    rfc1483 add transport myrfc1483 a1 0 600 llc bridged
    bridge add interface mybridge2
    bridge attach mybridge2 myrfc1483

Configure ISOS System A using EmWeb
1. Add the Ethernet device to ISOS System A; this provides access to the PPPoE client from PC A. By default, your Ethernet device is already attached to the router using a default LAN connection called iplan, IP address 192.168.1.1. For this configuration, you need to change the default LAN IP address to 192.168.101.2:
    a. At the console, enter the following command:
        ip set interface iplan ipaddress 192.168.101.2
    b. At your web browser, enter the new IP address as the URL: http://192.168.101.2
       The EmWeb Welcome page is displayed.
2. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
3. The PPPoE BUN driver uses functionality provided by the PPP module. Configure a PPP channel for an outgoing PPPoE connection to the remote AC using PVC 600. The PPPoE AC in this scenario utilizes CHAP authentication, but PAP authentication may be substituted. PC B will need to be configured for a specific authentication, if desired, before connecting. If no authentication is used, at the WAN connection edit page, set the Dialout Auth text box to none. Since the PPP module supports multiple, simultaneous connections, we will be using PPP device 1 and Interface 1. PPP is able to automatically configure the IP address of the router interface, and add a default route when the connection is made:
    a. From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
    b. Click on the PPPoE routed radio button, then click on Configure.
    c. At the WAN connection: PPPoE routed page, complete the following:
        Description: PPP
        VPI: 0
        VCI: 600
        CHAP (click radio button)
        User name: viratauser
        Password: viratapass
    d. Click on the Edit Tcp Mss Clamp link at the top of the page and set Tcp Mss Clamp to enabled. You do not need to make changes to the other default settings.
    e. From the WAN connections table, click on the PPP Edit link. The Edit Service page is displayed. Click on Edit PPP. You can check that the Interface ID is set to 1, and that Dialout Authentication is set to CHAP.

Configure ISOS System B using EmWeb
1. Add the Ethernet device to the Bridge. By default, your Ethernet device is already attached to the Bridge using a default LAN connection called iplan, IP address 192.168.1.1. The LAN IP address must be on the same subnet as your PC IP address. For this configuration, you need to change the default LAN IP address to 192.168.100.2:
    a. At the console, enter the following command:
        ip set interface iplan ipaddress 192.168.100.2
    b. At your web browser, enter the new IP address as the URL: http://192.168.100.2
       The EmWeb Welcome page is displayed.
2. From the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
3. From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
    a. Click on the RFC 1483 bridged radio button, then click on Configure.
    b. At the WAN connection: RFC 1483 bridged page, complete the following:
        Description: myrfc1483
        VPI: 0
        VCI: 600
        Encapsulation method: LLC/SNAP
    c. Click on Apply. The WAN connections page is displayed, containing details of the new RFC 1483 transport.

13.4.5 Standalone PPPoE Configuration using FRED
The ISOS FRED BUN Device Driver, combined with the Point-to-Point Protocol over Ethernet (PPPoE) BUN client and Chameleon BUN Drivers, allows concurrent PPP connections to a PPPoE Access Concentrator (AC) over an IP network. For more information about the FRED BUN Driver, refer to DO-008287, BUN Devices: Forwarding RFC1483/Ethernet Device (FRED).
In this example, two connections are initiated; one is from a PPPoE client located on ISOS System A, the other is a PPPoE software client located on PC A, both simultaneously connecting to a remote PPPoE server on PC C. Consider the following network in which PC A connects directly via the Ethernet with its PC-based local PPPoE client, PC B represents a home PC connected to ISOS System A (the user's modem), and PC C represents the PPP dial-in server:
[Figure 63 PPPoE Configuration using FRED: PC A (PPPoE Client installed) and PC B (192.168.101.3) share an Ethernet hub with ISOS System A (PPPoE Client, 192.168.101.1); ISOS System A connects over BUN RFC1483 to ISOS System B, which connects over Ethernet to PC C (192.168.100.1).]
Although the order of device connection is not important, the PPPoE connections in this example are initially established from ISOS System A. It is then followed by a PC A connection, which contains the local software PPPoE client. Both PPPoE clients connect to PC C, which is configured as a PPPoE AC. ISOS System B acts as a Bridge allowing ATM/Ethernet traffic transport using RFC1483. PC C, upon completing the connection with PC A and ISOS System A, will assign a unique IP address to each client. PC A and PC B should then be able to communicate with the server using the Internet Protocol (IP).
The end of the PPP link, which terminates at PC C, is configured here to use an IP address of 192.168.100.1. PC A is configured to use a PPPoE AC supplied IP address, which is on the same subnet as PC C. PC B is configured to use 192.168.101.3. These IP addresses are used to pass PPP Ethernet encapsulated data over the point-to-point link.
1. Configure the PCs; see Configure PC A, PC B and PC C on page 275.
2. Choose an ISOS image for each of the ISOS Systems; see Select ISOS software images on page 277.
3. Configure ISOS System A; see Configure ISOS System A using the CLI on page 278.
4. Configure ISOS System B; see Configure ISOS System B using the CLI on page 279.
Note that EmWeb in ISOS 8.2 does not support this configuration.

Configure PC A, PC B and PC C
PC A must have a Windows or Unix PPPoE software Client installed. PC A and PC B should also have a mechanism to communicate with the PPPoE AC, such as ICMP Ping capabilities, or Telnet. Once the PPP connections have been established, any method to test an IP link can be used. PC C must have a PPPoE Access Concentrator (server) application installed and should also have IP testing capabilities.
There are several PPPoE Client and Server (Access Concentrator) applications available as freeware for Unix and Windows based operating systems. Here is a list of some of the most popular applications:

Windows:
- WinPoet (WindRiver Systems) (PPPoE Client only)
- RASPPPoE (PPPoE Client and AC/Server application)

UNIX (Linux and Solaris):
- Roaring Penguin (PPPoE Client and AC/Server application). See the GlobespanVirata Licensee Server Knowledge Base for details of How to set-up Roaring Penguin (PPPoE Client) on Linux.
This configuration example uses WinPoet (V2.5) for Windows 2000 as the PPPoE client on Windows and RASPPPoE (V2.2) as the PPPoE server. The table below summarizes the required configuration for the PCs used in this example:
PC / Configuration

PC A
    PPP configuration:
        PPPoE Client installed: WinPoet V2.5
        Able to communicate with PC C using ping or telnet.

PC B
    Ethernet interface configuration:
        IP Address: 192.168.101.3
        Subnet mask: 255.255.255.0
        Gateway: 192.168.101.1
    PPPoE Client NOT installed.
    Able to communicate with PC C using ping or telnet.

PC C
    Ethernet interface configuration:
        IP Address: 192.168.100.1
        Subnet mask: 255.255.255.0
    PPPoE Access Concentrator / Server installed: RASPPPoE (V2.2) with an IP address range specified

WinPoet setup (PC A). The following details should have been set up on the WinPoet client application on PC A:
    PPP username: viratauser
    PPP password: viratapass
    PPP authentication: CHAP

RASPPPoE setup (PC C). The following details should have been set up on the RASPPPoE server application on PC C:
    PPP username: viratauser
    PPP password: viratapass
    PPP authentication: CHAP
Select ISOS software images

Select an ISOS software image for ISOS Systems A and B. Use an ISOS image built from the eth-gateway system file for each system.

1. For ISOS Systems A and B, add/check that the following device and port (physical port 0 on ISOS System A) have been configured in the respective ISFS initbun configuration files:

    device : atm = debug, pppoe, rfc1483, atm_phy, atm_transport
    device : e1 = debug, ethernet, ethernet_phy
    port : ethernet = e1
    port : a1 = atm/PhysicalPort=0/PortSpeed=29555

   Note: The Port speed=29555 is set for maximum throughput of a 10MB/s Ethernet link. If configuring for a true DSL link (8MB/s), this port speed may have to be set lower for better throughput results.

   These lines are included in the initbun file for extra-sw located in: atmos/products/extra-sw/flashfs/initbun. Add these lines to the eth-gateway initbun configuration file located in: atmos/products/eth-gateway/flashfs/initbun.
2. For ISOS System A, add/check that the following lines are included in the eth-gateway system file:

   a. The CYAN_POOL1_PREFIX must be configured as 48 bytes or larger for the packet header encapsulation used in PPPoE:

        Config.hs CYAN_POOL1_PREFIX (48)

   b. The BUN packages pppoe, chameleon and fred must be included in the system file:

        Package bun/devices/pppoe
        Package bun/devices/chameleon
        Package bun/devices/fred

For ISOS System A, the consoleinit file needs to be created in the atmos/products/eth-gateway/flashfs directory and the following entries need to be added to this file:

    tell bun set port fred / NewChannelAttribute = <U32:rxvci=0>
    tell bun set port fred / NewChannelAttribute = <U32:rxvpi=0>
    tell bun set port fred / NewChannelAttribute = <U32:txvci=0>
    tell bun set port fred / NewChannelAttribute = <U32:txvpi=0>
    tell bun set port fred / NewChannelAttribute = <BOOL:rfc1483=FALSE>
    tell bun set port fred / NewChannelAttribute = <BOOL:PortClassAtm=TRUE>
    tell bun set port fred / NewChannelAttribute = <string:class="">
    tell bun set port fred / NewChannelAttribute = <string:mode="">
    tell bun set port fred / NewChannelAttribute = <string:type="">
    tell bun set port fred / NewPortAttribute = <U32:portspeed=0>
    tell bun set port fred / NewPortAttribute = <BOOL:Connected=TRUE>

The above commands add the channel attributes to the Chameleon BUN driver that BUN PPPoE needs to open its channel.

Configure ISOS System A using the CLI
1. Clear your current configuration by entering the following command:

    system config clear

2. Create all the interfaces and required transports using the information in the table below:

   Table 29: PPPoE and FRED configuration setup

    Ethernet, Fred, rfc1483, PPPoE
    Port: ethernet, fred, -
    Transport: ETH, FRED, WAN, PPP
    Interface: ip, ip2
    Bridge Interface: br-eth, br-fred, br-wan, -

   Enter the following commands:

    ip add interface ip 192.168.101.1 255.255.255.0
    ip add interface ip2
    ethernet add transport ETH ethernet
    ethernet add transport FRED fred

3. Add an rfc1483 device to the bridge:

    rfc1483 add transport WAN a1 0 800 llc bridged
    pppoe add transport PPP dialout pvc 1 fred 0 800
    bridge add interface br-eth
    bridge add interface br-wan
    bridge add interface br-fred
    bridge attach br-eth ETH
    bridge attach br-fred FRED
    bridge attach br-wan WAN
    bridge set interface br-wan filtertype pppoe
    ip attachbridge ip
    ip attach ip2 PPP
    pppoe set transport PPP welogin chap
    pppoe set transport PPP username viratauser
    pppoe set transport PPP password viratapass

Configure ISOS System B using the CLI

Clear any existing IP and Bridge interfaces and transports. Clearing the IP interfaces also deletes any existing DHCP client settings on those interfaces. This change to DHCP is not updated in the DHCP client configuration until you enter the dhcpclient update command. Type the following commands:

    ip clear interfaces
    transports clear
    dhcpclient update

Add the rfc1483 bridging configuration:

    ethernet add transport eth1 ethernet
    bridge add interface mybridge1
    bridge attach mybridge1 eth1
    rfc1483 add transport myrfc1483 a1 0 800 llc bridged
    bridge add interface mybridge2
    bridge attach mybridge2 myrfc1483
The PPPoE Client on ISOS System A should be connected, and PC A should now be able to run the local PPPoE Client and connect to the AC/server. PC A and PC B should both be able to ping the PPPoE AC at PC C.

13.4.6 Multiple PPPoE sessions with pass-through using qInterface and pppoe-mux

This configuration combines ISOS qInterface and pppoe-mux BUN Device Drivers with the Point-to-Point Protocol over Ethernet (PPPoE) BUN client. This allows multiple PPP sessions over a single RFC1483 or Ethernet transport to a PPPoE Access Concentrator (AC). This configuration uses RFC1483.

For more information about the qInterface BUN Driver, refer to BUN Devices: qInterface: DO-009876-PS. For more information about the pppoe-mux BUN Driver, refer to BUN Devices: Multiple PPPoE sessions over a single transport (pppoe-mux): DO-400910-PS.

In this example, PC A and PC B represent home PCs connected via Ethernet to ISOS System A. PC B does have PPPoE Client installed, PC A does not. ISOS System B bridges between RFC1483 and Ethernet. Packets from PC A and PC B to ISOS System A are received by the bridge and transported (via ISOS System B) to the WAN using different methods:

- PC A; packets are routed via one of the two PPP sessions, which are multiplexed into a single virtual connection, over RFC1483 to ISOS System B. ISOS System B bridges the packets back to Ethernet and then forwards them to one of the access concentrators at PC C or PC D. The bridge on ISOS System A has a filter applied to the WAN interface through which only PPPoE packets may pass.
- PC B; PPPoE packets received by the bridge on ISOS System A are forwarded (via ISOS System B) to the WAN interface and on to the access concentrators at PC C or PC D. This is known as PPPoE pass-through.
[Figure 64: Multiple PPPoE sessions with pass-through configuration. Diagram labels: ISOS System A, ISOS System B, PC A, PC B (PPPoE Client Installed), PC C, PC D, HUB, BUN RFC1483, Access Concentrators, Router, Bridge, 192.168.111.1, ppp1, ppp2, Ethernet.]

Multiple PPPoE sessions are enabled by the pppoe-mux and qInterface BUN devices that are included in ISOS System A's system file configuration. As each discovery packet from PC A passes through pppoe-mux, the BUN device collects the Host-Uniq tags, the access concentrator MAC address and the Session ID.

Note: A single host MAC address is used for all PPPoE sessions because pppoe-mux acquires the MAC address of the underlying layer.

BUN qInterface has two parts: a simple BUN device coupled with a process. It is required because BUN cannot connect directly to a process at a BUN device's bottom edge. BUN qInterface sits at the bottom of a compound device and when it receives a packet from higher in the IP stack (for example, from the pppoe device), it sends the packet further down the stack (in this case, to the bridge). The reverse happens when the bridge receives a PPPoE packet; it goes via the qInterface process to BUN qInterface and then up to pppoe-mux and pppoe.

The following diagram illustrates the architecture of the configuration used in ISOS System A:
[Figure 65. Diagram labels: BUN PPPoEMux, BUN qinterface, BUN Ethernet, BUN RFC1483, BUN utopia, LAN, Packets from PC A, Packets from PC B.]
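The two mechanisms described above, the PPPoE-only filter on the bridge's WAN interface and the bookkeeping pppoe-mux performs on discovery packets (Host-Uniq tag, access concentrator MAC address, Session ID), are modelled in the following added example. It is not ISOS code: the frame layout, EtherTypes and tag numbers follow RFC 2516, while the function names, MAC addresses, Session IDs and Host-Uniq values are constructed for the illustration.

```python
import struct

ETH_P_PPPOE_DISC = 0x8863  # PPPoE Discovery stage EtherType (RFC 2516)
ETH_P_PPPOE_SESS = 0x8864  # PPPoE Session stage EtherType (RFC 2516)
PADS, PADT = 0x65, 0xA7    # discovery codes: session confirmation, terminate
TAG_END, TAG_SERVICE_NAME, TAG_HOST_UNIQ = 0x0000, 0x0101, 0x0103


class PPPoEParseError(ValueError):
    """Raised for frames that are not well-formed PPPoE discovery packets."""


def bridge_filter_passes(frame: bytes) -> bool:
    """Model of a PPPoE-only bridge filter (assumes untagged Ethernet II frames)."""
    if len(frame) < 14:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return ethertype in (ETH_P_PPPOE_DISC, ETH_P_PPPOE_SESS)


def parse_discovery(frame: bytes) -> dict:
    """Parse one discovery frame, bounds-checking every length field."""
    if len(frame) < 20:
        raise PPPoEParseError("shorter than Ethernet + PPPoE headers")
    ethertype, ver_type, code, session_id, length = struct.unpack_from(
        "!HBBHH", frame, 12)
    if ethertype != ETH_P_PPPOE_DISC:
        raise PPPoEParseError("not a PPPoE discovery frame")
    if ver_type != 0x11:
        raise PPPoEParseError("unsupported PPPoE version/type")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise PPPoEParseError("PPPoE length field exceeds frame size")
    tags, off = {}, 0
    while off < length:
        if off + 4 > length:
            raise PPPoEParseError("truncated tag header")
        tag_type, tag_len = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + tag_len > length:
            raise PPPoEParseError("tag length overruns payload")
        if tag_type == TAG_END:
            break
        tags.setdefault(tag_type, payload[off:off + tag_len])
        off += tag_len
    return {"dst": frame[0:6], "src": frame[6:12], "code": code,
            "session_id": session_id, "tags": tags}


class SessionTable:
    """Maps (AC MAC, Session ID) to the Host-Uniq value of the owning client.

    All sessions share one host MAC, so the host MAC cannot tell them apart.
    """

    def __init__(self):
        self.sessions = {}

    def learn(self, frame: bytes) -> None:
        pkt = parse_discovery(frame)
        sid = pkt["session_id"]
        if pkt["code"] == PADS and sid != 0:
            host_uniq = pkt["tags"].get(TAG_HOST_UNIQ)
            if host_uniq is None:
                raise PPPoEParseError("PADS without Host-Uniq")
            self.sessions[(pkt["src"], sid)] = host_uniq  # src is the AC
        elif pkt["code"] == PADT:
            # PADT may come from either end, so try both MACs as the AC.
            self.sessions.pop((pkt["src"], sid), None)
            self.sessions.pop((pkt["dst"], sid), None)

    def owner(self, ac_mac: bytes, session_id: int):
        return self.sessions.get((ac_mac, session_id))


def build_discovery(dst, src, code, session_id, tags):
    """Build a constructed discovery frame for the demo (not captured traffic)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!HBBHH", ETH_P_PPPOE_DISC, 0x11, code,
                         session_id, len(body))
    return dst + src + header + body


# Constructed sample data: locally administered MACs, made-up Session IDs.
HOST = bytes.fromhex("020000000001")
AC_PCC = bytes.fromhex("0200000000c0")
AC_PCD = bytes.fromhex("0200000000d0")
PADS_PCC = build_discovery(HOST, AC_PCC, PADS, 0x0011,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, b"ppp1")])
PADS_PCD = build_discovery(HOST, AC_PCD, PADS, 0x0022,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, b"ppp2")])
IPV4_FRAME = AC_PCC + HOST + struct.pack("!H", 0x0800) + bytes(20)

if __name__ == "__main__":
    table = SessionTable()
    for frame in (PADS_PCC, PADS_PCD):
        table.learn(frame)
    print("owner of (pcc, 0x0011):", table.owner(AC_PCC, 0x0011))
    print("owner of (pcd, 0x0022):", table.owner(AC_PCD, 0x0022))
    print("PADS passes filter:", bridge_filter_passes(PADS_PCC))
    print("IPv4 passes filter:", bridge_filter_passes(IPV4_FRAME))
```

Because both sessions leave from the same host MAC, the table is keyed on the access concentrator's MAC and the Session ID; a frame with an over-long length or tag field is rejected rather than read past its end.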
- Configure PC A and PC B; see Configure PC A and PC B on page 283.
- Configure PC C and PC D; see Configure PC C and PC D on page 283.
- Choose an ISOS image for each of the ISOS Systems; see Select ISOS software images on page 277.
- Configure ISOS System B; see Configure ISOS System B using the CLI on page 286.
- Configure ISOS System A; see Configure ISOS System A using the CLI on page 278.
Configure PC A and PC B

1. PC A must have an IP address on the same subnet as the router's LAN IP address on ISOS System A, for example, 192.168.111.2.
2. PC B must have Windows or Unix PPPoE Client software installed.

Configure PC C and PC D

1. PC C and PC D must have PPPoE Access Concentrator (server) applications installed and should also have IP testing capabilities.

There are several PPPoE Client and Server (Access Concentrator) applications available as freeware for Unix and Windows based operating systems. Here is a list of some of the most popular applications:

Windows:
- WinPoet (WindRiver Systems) (PPPoE Client only)
- RASPPPoE (PPPoE Client and AC/Server application)

UNIX (Linux and Solaris):
- Roaring Penguin (PPPoE Client and AC/Server application). See the GlobespanVirata Licensee Server Knowledge Base for details of How to set-up Roaring Penguin (PPPoE Client) on Linux.
This configuration example uses WinPoet (V2.5) for Windows 2000 as the PPPoE client on Windows and RASPPPoE (V2.2) as the PPPoE server.
The table below summarizes the required configuration for the PCs used in this example:

PC / Configuration

PC A
    IP Address: 192.168.111.2
    Subnet mask: 255.255.255.0
    Gateway IP Address: 192.168.111.1 (ISOS System A)
    PPP configuration:
        PPPoE Client NOT installed
        Able to communicate with PC C and PC D using ping or telnet (once PPP session is established).

PC B
    PPP configuration:
        PPPoE Client installed: WinPoet V2.5
        Able to communicate with PC C and PC D using ping or telnet (once PPP session is established).

PC C
    PPPoE interface configuration:
        IP Address: 192.168.100.1
        Subnet mask: 255.255.255.0
        Remote DNS Primary Address: 192.168.150.1
        Remote DNS Secondary Address: 192.168.150.2
    PPPoE Access Concentrator / Server installed (named pcc): RASPPPoE (V2.2) with an IP address range specified

PC D
    PPPoE interface configuration:
        IP Address: 192.168.200.2
        Subnet mask: 255.255.255.0
    PPPoE Access Concentrator / Server installed (named pcd): RASPPPoE (V2.2) with an IP address range specified

WinPoet setup (PC B). The following details should have been set up on the WinPoet client application on PC B:
    PPP username: viratauser
    PPP password: viratapass
    PPP authentication: CHAP

RASPPPoE setup (PC C and PC D). The following details should have been set up on the RASPPPoE server application on PCs C and D respectively:
    PPP username: viratauser
    PPP password: viratapass
    PPP authentication: CHAP
Select an ISOS software image for ISOS System A

Select an ISOS software image for ISOS System A. Use an ISOS image built from the eth-gateway system file.

1. For ISOS System A, check that the following devices and ports are included in the ISFS initbun configuration file located in atmos/products/eth-gateway/flashfs/initbun:

    device : atm = debug, pppoe, rfc1483, atm_phy, atm_transport
    device : pi = debug, pppoe, pppoe_mux
    device : qi = qInterface
    port : a1 = atm / PhysicalPort = 0 / PortSpeed = 29555
    port : q1 = qi/interface=<//bridge/TYPE=PPPOE>
    port : pppoe = pi/interface=<port=q1>/NewAttribute=<bool:outside=true>

   Note: The Port speed=29555 is set for maximum throughput of a 10MB/s Ethernet link. If configuring for a true DSL link (8MB/s), this port speed may have to be set lower for better throughput results.

For ISOS System A, check that the following lines are included in the eth-gateway system file:

   a. The CYAN_POOL1_PREFIX must be configured as 48 bytes or larger for the packet header encapsulation used in PPPoE:

        Config.hs CYAN_POOL1_PREFIX (48)

   b. The BUN packages pppoe, pppoe-mux, qinterface and ppp must be included in the system file:

        Package bun/devices/pppoe
        Package bun/devices/pppoe-mux
        Package bun/devices/qinterface
        Package ppp
Select an ISOS software image for ISOS System B

Select an ISOS software image for ISOS System B. Use an ISOS image built from the eth-gateway system file.

For ISOS System B, check that the following devices and ports are included in the ISFS initbun configuration file located in atmos/products/eth-gateway/flashfs/initbun:

    device : atm = debug, pppoe, rfc1483, atm_phy, atm_transport
    port : a1 = atm / PhysicalPort = 0 / PortSpeed = 29555

Note: The Port speed=29555 is set for maximum throughput of a 10MB/s Ethernet link. If configuring for a true DSL link (8MB/s), this port speed may have to be set lower for better throughput results.

For ISOS System B, check that the following lines are included in the eth-gateway system file:

   a. The CYAN_POOL1_PREFIX must be configured as 48 bytes or larger for the packet header encapsulation used in PPPoE:

        Config.hs CYAN_POOL1_PREFIX (48)

   b. The BUN packages pppoe and ppp must be included in the system file:

        Package bun/devices/pppoe
        Package ppp
Configure ISOS System B using the CLI

Clear your current configuration by entering the following command:

    system config clear

Create an Ethernet transport for the LAN and attach it to the bridge:

    bridge add interface myethernet
    ethernet add transport eth1
    bridge attach myethernet eth1

Create an RFC1483 transport using port a1, VPI 0, VCI 800. Attach the RFC1483 transport to the bridge:

    rfc1483 add transport my1483 a1 0 800
    bridge add interface myrfc1483
    bridge attach myrfc1483 my1483

Configure ISOS System A using the CLI

Clear your current configuration by entering the following command:

    system config clear

Create an Ethernet transport for the LAN and attach it to the bridge:

    bridge add interface myethernet
    ethernet add transport eth1
    bridge attach myethernet eth1

Create an RFC1483 transport for the WAN using port a1, VPI 0, VCI 800. Attach the RFC1483 transport to the bridge, and set the bridge filter to allow only PPPoE frames through, so that the WAN cannot see the LAN's IP packets:

    rfc1483 add transport my1483 a1 0 800
    bridge add interface myrfc1483
    bridge set interface myrfc1483 filtertype pppoe
    bridge attach myrfc1483 my1483

Attach the bridge to the IP stack so that the LAN and WAN are routable:

    ip add interface ipbridge 192.168.111.1
    ip attachbridge ipbridge

At this point, the PPPoE Client on PC B can connect to PC C and PC D using PPPoE pass-through via the bridge.

Create two PPPoE client sessions and attach them to the IP stack. Both sessions use port pppoe. The first session connects to the PPPoE server (access concentrator) called PC C:

    ip add interface ppp1
    ip set interface ppp1 tcpmssclamp enabled
    pppoe add transport myppp1 dialout eth 1 pppoe accessconcentrator pcc
    pppoe set transport myppp1 username viratauser
    pppoe set transport myppp1 password viratapass
    pppoe set transport myppp1 specificroute enabled
    pppoe set transport myppp1 remotedns 192.168.150.1
    ip attach ppp1 myppp1

The second session connects to the PPPoE server (access concentrator) called PC D:

    ip add interface ppp2
    ip set interface ppp2 tcpmssclamp enabled
    pppoe add transport myppp2 dialout eth 2 pppoe accessconcentrator pcd
    pppoe set transport myppp2 username viratauser
    pppoe set transport myppp2 password viratapass
    ip attach ppp2 myppp2
PC A should now connect to the PPPoE Access Concentrators on PC C and PC D via the PPPoE Clients on ISOS System A.

13.4.7 Routed example using DHCP

Because the Dynamic Host Configuration Protocol operates using IP broadcasts, it can only operate over certain protocols. For example, Ethernet and ATM Forum LAN Emulation (FLANE) may be used with DHCP, RFC 1483 may be used when bridged to Ethernet or FLANE, but IPoA is not suitable. This example demonstrates DHCP operating over Ethernet.
ISOS DHCP is described in detail in its Functional Specifications: DO-007309-PS (Client) and DO-007343-PS (Server). Because DHCP provides a means to configure interfaces, and does not provide data transport itself, this example only describes how to configure an Ethernet interface on which the DHCP client or server operate. This is additional configuration information, which may be used with any of the previous routed examples in this section to produce a complete system. Consider the following network:
[Figure 66. Diagram labels: PC A, PC B, DHCP client, Ethernet, 192.168.101.1.]
Here, ISOS System A is running the DHCP server, and allocates an IP address to PC A. ISOS System B is running the DHCP client, and is allocated an IP address by a server running on PC B. The IP addresses which have been allocated to the DHCP clients are shown in the diagram.
If the only aim of the test network is to show DHCP working, the network can be rearranged as follows:
[Figure 67. Diagram labels: ISOS System A (192.168.101.101), ISOS System B (192.168.101.1), DHCP server.]
It can be seen that this is exactly the same as the previous diagram, except that the two ISOS Systems have been connected together by their Ethernet interfaces (either using an Ethernet crossover cable, or an Ethernet Hub). The software configuration is exactly the same as in the first diagram; the only difference is that this alternative setup allows DHCP to be demonstrated without needing the two PCs.

In the first network, a DHCP server is installed and configured on PC B. If using the second example network, neither PC is required. The configuration information below assumes the first example using PCs.

Note that EmWeb in ISOS 8.2 does not support this configuration.

Configure the PCs

Configure the PCs as follows:

1. PC A:
    IP address: Obtained by DHCP
    Subnet mask: Obtained by DHCP
    Gateway: Obtained by DHCP

The configuration information below assumes the second example using just two ISOS Systems.

Select ISOS software images

For ISOS Systems A and B, use an ISOS image built from the eth-gateway system file.

Configure ISOS System A using the CLI

1. Clear any existing IP interfaces and Ethernet transports. Clearing the IP interfaces also deletes any existing DHCP client settings on those interfaces. This change to DHCP is not updated in the DHCP client configuration until you enter the dhcpclient update command. Type the following commands:

    ip clear interfaces
    transports clear
    dhcpserver clear subnets
    dhcpserver update
    dhcpclient clear interfaceconfigs
    dhcpclient update

Add the Ethernet device to the router.

    ethernet add transport eth0 ethernet
    ip add interface ip1 192.168.101.101
    ip attach ip1 eth0

Configure the DHCP server as follows:

- To serve up to 100 clients on the 192.168.101.0 subnet with a maximum lease time of one day (86400 seconds).
- To tell its clients their subnet mask (255.255.255.0).
- To take the IP address of the IP interface that it is running on and tell DHCP clients that this is the DNS server and default gateway respectively.

    dhcpserver set allowunknownclients enable
    dhcpserver set bootp enable
    dhcpserver add subnet mysubnet 192.168.101.0 255.255.255.0 192.168.101.1 192.168.101.100
    dhcpserver set subnet mysubnet maxleasetime 86400
    dhcpserver set subnet mysubnet hostisdnsserver enabled
    dhcpserver set subnet mysubnet hostisdefaultgateway enabled
    dhcpserver update

Configure ISOS System B using the CLI

1. Clear any existing IP interfaces and transports. Clearing the IP interfaces also deletes any existing DHCP client settings on those interfaces. This change to DHCP is not updated in the DHCP client configuration until you enter the dhcpclient update command. Type the following commands:

    ip clear interfaces
    transports clear
    dhcpclient update

The Ethernet device is added to the router as normal, except the special token dhcp is used instead of an IP address; this tells the IP stack to obtain the address from the DHCP client:

    ethernet add transport eth1 ethernet
    ip add interface ip1
    ip attach ip1 eth1
    ip set interface ip1 dhcp enabled

The DHCP client is automatically configured to obtain a lease from the DHCP server, sending its MAC address as the identifier. Many of the following lines specify various timeouts for the client (suitable example values are given).

    dhcpclient set retry 2000
    dhcpclient set reboot 500
    dhcpclient set backoff 240
    dhcpclient add interfaceconfig mydecl ip1
    dhcpclient set interfaceconfig mydecl requestedleasetime 900
    dhcpclient update
13.5 Tunnelling configurations
The configurations in this section are fundamentally different from the bridged and routed configurations described earlier in this chapter. In both the bridged and the routed examples, the ATM protocol (RFC 1483, IPOA or PPP) runs on the ISOS System. With the tunnelling examples given here, the PPP protocol is initiated by the PC and is tunnelled via PPTP over an Ethernet link to the ISOS System, which then switches the session over a PPPoA tunnel to the final ISOS System for session authentication and termination. This encapsulation scheme is illustrated in the diagram below:

13.5.1 Ethernet PPTP tunnelling PPP server

PPTP (Point-to-Point Tunnelling Protocol) allows a PPP connection to be tunnelled through an IP network. In this example, the connection is initiated from the PPTP Network Server (PC A). Consider the following network:

[Figure 69. Diagram labels: PC A, PNS, PAC, PPP server, Ethernet, VCI 800, VCI 0, 192.168.102.2, 192.168.103.3, 192.168.103.4.]
The PPP connection is established from PC A to ISOS System B. ISOS System B routes between PPP and Ethernet just as it did in the Ethernet - PPP routed on page 259 example earlier in this chapter. PC A and ISOS System A use PPTP in order to tunnel this PPP link through a separate IP network running over Ethernet. PC A provides functionality known as a PNS (PPTP Network Server), and ISOS System A provides functionality known as a PAC (PPTP Access Concentrator).

PC A therefore uses two different IP addresses. The end of the PPP link which terminates at PC A is 192.168.102.2. This is the address that PC B or ISOS System B uses when it wants to communicate with PC A. But PC A also has the address 192.168.10.1, which refers to its local Ethernet interface. This IP address is only used to transport the tunnelled PPP data to ISOS System A.

PPTP is described in detail in DO-007352-PS, PPTP Functional Specification.
Once the ISOS Systems have been configured, and once PC A has dialed-out to establish a PPP connection to ISOS System B through the PPTP tunnel, PC A and PC B should be able to communicate using any IP protocol.

Note that EmWeb in ISOS 8.2 does not support this configuration.

PC Configuration

PC A must run an operating system which supports PPTP, providing a PNS. Windows 2000 server provides this.

1. PC A:

   a. Ethernet interface configuration:
        IP address: 192.168.10.1
        Subnet mask: 255.255.255.0
        Gateway: 192.168.10.2

   b. PPTP configuration:
        IP address of PAC: 192.168.10.2
        Dial-out user name: fred
        Dial-out password: password

Select your ISOS Software images

For ISOS System A and B, use an ISOS image built from the eth-gateway system file. The eth-gateway file includes the gateway system file. You need to add the following line to the gateway system file to include support for the PPTP package:

    Package pptp

Configure ISOS System A using the CLI

Clear any existing IP interfaces or Ethernet and PPPoA transports or PPTP tunnels by typing the following commands:

    ip clear interfaces
    transports clear
    pptp clear tunnels

Add the Ethernet device to the router; this provides one endpoint of the PPTP tunnel. In the following command, eth1 is the name of the transport, and ethernet is the port name.

    ethernet add transport eth1 ethernet
    ip add interface myip 192.168.10.2 255.255.255.0
    ip attach myip eth1

The PPTP module uses functionality provided by the PPP module. Configure PPP channel 1 for an outgoing PPTP connection, using VCI 800.

    pppoa add transport myppp dialout pvc 1 a1 0 800

Next, create a PPP tunnel, set the IP address of the remote system running the PNS (PC A) and attach the tunnel to the PPP transport:

    pptp add tunnel mytunnel
    pptp set tunnel remoteip 192.168.10.1
    pptp attach mytunnel myppp

Configure ISOS System B using the CLI

ISOS System B is configured exactly the same as PPP server in the Ethernet - PPP routed on page 259.
13.5.2 Ethernet PPTP tunnelling PPP client

PPTP (Point-to-Point Tunnelling Protocol) allows a PPP connection to be tunnelled through an IP network. In this example, the connection is initiated from the PPPoA peer (ISOS System B). Consider the following network:

[Figure 70. Diagram labels: PC A, PNS, PAC, PPP Client, Ethernet, VCI 800, 192.168.102.2, 192.168.10.2, 192.168.103.3, 192.168.103.4.]
The PPP connection is established from ISOS System B to PC A. ISOS System B routes between PPP and Ethernet just as ISOS System A routed between PPP and Ethernet in the example Ethernet - PPP routed on page 259 earlier in this chapter. PC A and ISOS System A use PPTP in order to tunnel this PPP link through a separate IP network running over Ethernet. PC A provides functionality known as a PNS (PPTP Network Server), and ISOS System A provides functionality known as a PAC (PPTP Access Concentrator).

PC A therefore uses two different IP addresses. The end of the PPP link which terminates at PC A is 192.168.102.2. This is the address that PC B or ISOS System B uses when it wants to communicate with PC A. But PC A also has the address 192.168.10.1, which refers to its local Ethernet interface. This IP address is only used to transport the tunnelled PPP data to ISOS System A.
PPTP is described in detail in DO-007352-PS, PPTP Functional Specification.

Once the ISOS Systems have been configured, and once ISOS System B has dialed-out to establish a PPP connection to PC A through the PPTP tunnel, PC A and PC B should be able to communicate using any IP protocol.

PC Configuration

PC A must run an operating system which supports PPTP, providing a PNS. Microsoft Windows 2000 server provides this.

1. PC A:

   a. Ethernet interface configuration:
        IP address: 192.168.10.1
        Subnet mask: 255.255.255.0
        Gateway: 192.168.10.2

   b. PPTP configuration:
        IP address of PAC: 192.168.10.2
        Dial-in user name: fred
        Dial-in password: password

Select ISOS Software images

For ISOS System A, use an ISOS image built from the eth-gateway system file. The eth-gateway file includes the gateway system file. You need to add the following line to the gateway system file to include support for the PPTP package:

    Package pptp

Configure ISOS System A using the CLI

Clear any existing IP interfaces or Ethernet and PPPoA transports or PPTP tunnels by typing the following commands:

    ip clear interfaces
    transports clear
    pptp clear tunnels

Add the Ethernet device to the router; this provides one endpoint of the PPTP tunnel. In the following command, eth1 is the name of the transport, and ethernet is the port name.

    ethernet add transport eth1 ethernet
    ip add interface myip 192.168.10.2
    ip attach myip eth1

The PPTP module uses functionality provided by the PPP module. Configure PPP channel 1 for an incoming PPTP connection, using PPTP tunnel 1, and using PVC 800.

    pppoa add transport myppp dialin pvc 1 a1 0 800

The HDLC headers also need to be enabled on the PPPoA transport:

    pppoa set transport myppp headers hdlc enabled

Next, configure the PPTP module for its remote IP address 192.168.10.1:

    pptp add tunnel mytunnel
    pptp set tunnel remoteip 192.168.10.1
    pptp set tunnel mytunnel type dialin
    pptp attach mytunnel myppp

Configure ISOS System B using the CLI

The configuration of the PPP client is explained in the Ethernet - PPP routed on page 259 example for ISOS System A, with the IP address changed. So, replace the line:

    ip add interface ip1 192.168.101.2

with:

    ip add interface ip1 192.168.103.3

The network is now configured.
This chapter describes how to configure the ISOS System in typical PC-attached Gateway configurations.
14.1 Introduction

This chapter describes how to configure the ISOS System in various PC-attached gateway configurations:

- Bridged configurations: Ethernet - USB bridged; see Ethernet - USB bridged on page 306.
- Routed configurations: IPoA routed example; see Ethernet - USB / IPoA on page 309.
- Bridged/Routed configuration: PPPoE routed example; see Ethernet - USB / PPPoE over RFC1483 on page 315.
For more information about PC-attached Gateway configurations, refer to Typical PC-attached Gateway (USB) configuration on page 15. For troubleshooting information and useful tips on trying to solve any configuration problems refer to Troubleshooting network configurations on page 419. For more information about the commands you can use to obtain more information about the network that has been setup, refer to Obtaining and changing system setup information on page 387. For more information about the syntax of the commands used in this chapter, refer to DO-009430-PS, ISOS (8.2) CLI Reference Manual.
14.2

[Figure 71. Diagram labels: ISOS System A, ISOS System B, PC B, Ethernet.]

Using this setup, you can configure ISOS System A in a number of ways to show it operating as a particular type of PC-attached network device. In the diagram above:

- Each PC is fitted with an Ethernet network card.
- PC A is connected to the USB port on ISOS System A.
- PC B is connected to the Ethernet port on ISOS System A through an Ethernet Hub, or directly using an Ethernet crossover cable.
- ISOS System A is connected to ISOS System B via ATM.

A serial cable should be connected from PC A to the Serial port of ISOS System A. For more information on the port settings, refer to Serial port settings on page 354. For more information on the Terminal programs which you can run on your computer, refer to What additional software applications are needed? on page 20.
14.2.2 ISOS System initbun configuration file
For the ISOS System, the following ports need to have been configured in the initbun file:
- ethernet
- usb-ethernet
- pc-ethernet
These ports are already defined in the default initbun file for usb-gateway:
port : ethernet = ethernet_device / NewAttribute = <bool:inside=true>
port : usb-ethernet = gw_fake_ether_device / BackingGroup = "link" / NewAttribute = <bool:inside=true>/NewAttribute = <string:icon=usb-slave> /MapPort=usb/MapPortConnected=connected
port : pc-ethernet = vvb_fake_ether_device / BackingGroup = "link" / NewAttribute = <bool:PortClassExposedToVvb=true> / NewAttribute = <bool:PortClassGateway=true>/RxMulticastAllEnable = FALSE
The three Ethernet port definitions are required to support the dual mode operation of PC-attached and Gateway. See PC (USB)-attached Gateway (detailed configuration) on page 16 for more information. This diagram shows the locations of the ports defined in the usb-gateway initbun file.
The initbun file for usb-gateway is located in: atmos/products/usb-gateway/flashfs/initbun
14.2.3 Choice of IP addresses
All of the IP addresses used in these examples are from one of the blocks reserved by the Internet Assigned Numbers Authority for use on private IP networks. See RFC 1918, Address Allocation for Private Internets for more information.
14.2.4 ISOS System configuration
The examples in this chapter describe how to configure your ISOS Systems using each of the following methods:
- using the CLI
- using EmWeb
If you are configuring using the CLI, you need to understand how to use the CLI interface before you can follow the instructions in this chapter. For more information, refer to Using the CLI on page 125.
If you are configuring using EmWeb, you need to understand how to use the EmWeb interface before you can follow the instructions in this chapter. For more information, refer to Using the EmWeb server on page 151.
The instructions for configuring the system assume the absence of any previous configuration. Therefore, make sure that any old configuration files have been removed from FLASHFS (as described in Removing a file using the rm command on page 216), and that the system has been rebooted, before starting to configure the system. If the contents of a file are not given in a particular example, either ensure that the file is not downloaded and is not in FLASHFS, or that an empty file is downloaded.
14.3 Bridged configurations
14.3.1 Ethernet - USB bridged
The configuration in this section uses the ISOS bridge module to bridge between Ethernet and USB. The ISOS bridge module is described in detail in DO-007087-PS, Transparent Bridge Functional Specification.
[Figure 72. Diagram labels: PC A, Serial to A, USB, Ethernet HUB, ISOS System A, 192.168.88.1 (255.255.255.0), Bridge, 192.168.88.253, PC B, 192.168.88.2 (255.255.255.0), Ethernet.]
Select ISOS software images
Select a software image. For ISOS System A, use an ISOS image built from the usb-gateway system file. (The initbun file must be configured as described in ISOS System initbun configuration file on page 304.)
Configure ISOS System A using the CLI
1. Clear any existing IP interfaces, Bridge interfaces or Ethernet transports by typing the following commands:
    ip clear interfaces
    bridge clear interfaces
    transports clear
This configuration requires two transports for the Ethernet devices ethernet and usb-ethernet (as defined in the usb-gateway initbun file):
    ethernet add transport eth1 ethernet
    ethernet add transport eth2 usb-ethernet
Create two interfaces on the bridge and attach the ethernet transports to the bridge interfaces:
    bridge add interface bridge1
    bridge attach bridge1 eth1
    bridge add interface bridge2
    bridge attach bridge2 eth2
Add the bridge to the router using an IP interface. This will enable you to ping devices that are attached to any interface in the bridge.
    ip add interface bridge 192.168.88.253
    ip attachbridge bridge
    system config save
You should now be able to send data from all these systems:
- Ping the router (ISOS System A) from PC B over Ethernet port.
- Ping the router (ISOS System A) from PC A over USB port.
- Ping PC A from the router (ISOS System A).
- Ping PC B from PC A.
Configure ISOS System A using EmWeb
1. For this configuration, you need to attach the Ethernet devices called ethernet and usb-ethernet to the bridge. By default, your ethernet device is already attached to the bridge using a default LAN connection called iplan, IP address 192.168.1.1. For this configuration, you need to change the default LAN IP address to 192.168.88.253:
a. At the console, enter the following command:
    ip set interface iplan ipaddress 192.168.88.253
At your web browser, enter the new IP address as the URL: http://192.168.88.253
The EmWeb Welcome page is displayed.
From the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed.
If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
From the Status page, click on the LAN Settings hyperlink or from the left-hand menu, click on Configuration>LAN connection. The LAN connections page is displayed.
Click on Create a new service.
Click on the Ethernet bridged radio button, then click on Configure.
At the LAN connection: Ethernet bridged page, complete the following:
- Description: eth2
- Port: usb-ethernet
Click on Apply. The LAN connections page is displayed, containing details of the new Ethernet transport.
From the left-hand menu, click on Configuration>Save config. At the Save configuration page, click on Save.
4. The ethernet devices are attached to the bridge, and the bridge is attached to the router by default via the iplan IP interface. This will enable you to ping devices that are attached to any interface in the bridge.
You should now be able to send data from all these systems:
- Ping the router (ISOS System A) from PC B over Ethernet port.
- Ping the router (ISOS System A) from PC A over USB port.
- Ping PC A from the router (ISOS System A).
- Ping PC B from PC A.
14.4 Routed configurations
14.4.1 Ethernet - USB / IPoA
The configuration in this section is similar to the IPoA routing setup in Ethernet - IPoA routed on page 246. However, traffic is routed between any of the three interfaces: USB, Ethernet and ATM.
[Figure 73. Diagram labels: PC A 192.168.102.1, USB, ISOS System B, 192.168.103.3, 192.168.101.2, PC B, VCI 700 VPI 0, Ethernet, 192.168.101.1.]
For ISOS System A, use an ISOS image built from the usb-gateway system file. For ISOS System B, use an ISOS image built from the eth-gateway system file.
Clear any existing IP and Bridge interfaces, routes and transports. Clearing the IP interfaces also deletes any existing DHCP client settings on those interfaces. This change to DHCP is not updated in the DHCP client configuration until you enter the dhcpclient update command. Type the following commands:
    ip clear interfaces
    transports clear
    ip clear routes
    bridge clear interfaces
    dhcpclient update
Add two new transports for the Ethernet ports ethernet and usb-ethernet:
    ethernet add transport eth1 ethernet
    ethernet add transport eth2 usb-ethernet
Add the interfaces to the router, for the physical ethernet port:
    ip add interface ip1 192.168.101.2
    ip attach ip1 eth1
and for the usb-ethernet port:
    ip add interface ip2 192.168.102.2
    ip attach ip2 eth2
Add the IPoA device to the router configured to run on VCI 700 with a peak cell rate (pcr) of 50000 cells per second, using the port named atm. In the following commands, ipoa1 is the transport name and ip3 is the interface name:
    ipoa add transport ipoa1 pvc atm 0 700
    ip add interface ip3 192.168.103.2
    ip attach ip3 ipoa1
    ipoa transport ipoa1 set pvc 1 pcr 50000
Add a default route, with ISOS System B as the gateway:
    ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.103.3
    system config save
Clear any existing IP interfaces and transports. Clearing the IP interfaces also deletes any existing DHCP client settings on those interfaces. This change to DHCP is not updated in the DHCP client configuration until you enter the dhcpclient update command. Type the following commands:
    ip clear interfaces
    transports clear
    dhcpclient update
Add the IPoA device to the router:
    ip add interface ipoa 192.168.103.3
    ipoa add transport t1 pvc a1 0 700
    ip attach ipoa t1
Add a default route, with ISOS System A as the gateway:
    ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.103.2
    system config save
You should now be able to send data from all these systems:
- Ping the router (ISOS System A) from PC A over the USB port.
- Ping the router (ISOS System A) from PC B over the Ethernet port.
- Ping PC A from the router (ISOS System A).
- Ping PC B from PC A (via the router ISOS System A).
- Ping the gateway (ISOS System B) from PC A and PC B.
Configure ISOS System A using EmWeb
1. For this configuration, you need to attach the Ethernet device called ethernet to the router. By default, your ethernet device is already attached to the router using a default LAN connection called iplan, IP address 192.168.1.1. For this configuration, you need to change the default LAN IP address to 192.168.103.4:
a. At the console, enter the following command:
    ip set interface iplan ipaddress 192.168.103.4
At your web browser, enter the new IP address as the URL: http://192.168.103.4
The EmWeb Welcome page is displayed.
Clear any existing WAN connections and IP routes by following the instructions below:
a. From the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
b. From the left-hand menu, click on Configuration>IP routes. If there are any routes listed, check the Delete? checkbox and click on Apply. Repeat until all IP routes have been deleted.
From the Status page, click on the LAN Settings hyperlink or from the left-hand menu, click on Configuration>LAN connection. The LAN connections page is displayed.
Click on Create a new service.
Click on the Ethernet routed radio button, then click on Configure.
At the LAN connection: Ethernet routed page, complete the following:
- Description: eth2
- Port: usb-ethernet
- (Click on the LAN IP address radio button) LAN IP address: 192.168.102.2
Click on Apply. The LAN connections page is displayed, containing details of the new Ethernet transport.
Add the IPoA device to the router configured to run on VCI 700 with a peak cell rate (pcr) of 50000 cells per second, using the port named atm.
a. From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
Click on the IPoA routed radio button, then click on Configure.
At the WAN connection: IPoA routed page, complete the following:
- Description: ipoa1
- VPI: 0
- VCI: 700
- (click on the WAN IP address radio button) WAN IP address: 192.168.103.2
Click on Apply. The WAN connections page is displayed, containing details of the new IPoA transport.
From the WAN connections table, click on the IPoA Edit link. From the Edit Service page, click on Edit ATM Channel. Set the Peak Cell Rate text box to 50000. You do not need to change the other default settings. Click on Change.
From the left-hand menu, click on Configuration>IP routes. Click on the Create new IP V4Route link. The Create IP V4Route page is displayed. In the Gateway text box, type 192.168.103.3. You do not need to change the other default settings. Click on OK.
From the left-hand menu, click on Configuration>Save config. At the Save configuration page, click on Save.
For this configuration, you need to attach the Ethernet devices called ethernet and usb-ethernet to the bridge. By default, your ethernet device is already attached to the bridge using a default LAN connection called iplan, IP address 192.168.1.1. For this configuration, you need to change the default LAN IP address to 192.168.88.253:
a. At the console, enter the following command:
    ip set interface iplan ipaddress 192.168.88.253
At your web browser, enter the new IP address as the URL: http://192.168.88.253
The EmWeb Welcome page is displayed.
Clear any existing IP interfaces or Ethernet transports by following the instructions below:
From the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
Click on the IPoA routed radio button, then click on Configure.
At the WAN connection: IPoA routed page, complete the following:
- Description: ipoa
- VPI: 0
- VCI: 700
- (click on the WAN IP address radio button) WAN IP address: 192.168.103.3
Click on Apply. The WAN connections page is displayed, containing details of the new IPoA transport.
From the left-hand menu, click on Configuration>IP routes. Click on the Create new IP V4Route link. The Create IP V4Route page is displayed. In the Gateway text box, type 192.168.103.2. You do not need to change the other default settings. Click on OK.
From the left-hand menu, click on Configuration>Save config. At the Save configuration page, click on Save.
You should now be able to send data from all these systems:
- Ping the router (ISOS System A) from PC A over the USB port.
- Ping the router (ISOS System A) from PC B over the Ethernet port.
- Ping PC A from the router (ISOS System A).
- Ping PC B from PC A (via the router ISOS System A).
- Ping the gateway (ISOS System B) from PC A and PC B.
14.5 Bridged/Routed configurations
14.5.1 Ethernet - USB / PPPoE over RFC1483
The configuration in this section is similar to the PPPoE routing setup in PPPoE Client over RFC1483 on page 254. However, traffic is routed between any of the three interfaces: USB, Ethernet and ATM. PPPoE (over RFC1483) is used to encapsulate Ethernet packets over the ATM link. This configuration is a combination of the bridge and routed examples described in Ethernet - USB bridged on page 306 and Ethernet - USB / IPoA on page 309.
[Figure 74: Ethernet-USB/PPPoE PC (USB)-attached Gateway configuration. Diagram labels: PC A, USB, BUN, RFC1483, 192.168.101.x, Bridge, 192.168.101.1, Ethernet, ISOS System A, ATM, ISOS System B, BUN, RFC1483, Bridge, PC C, 192.168.100.1, PC B.]
Configure your PCs
PC A and PC B should have a mechanism to communicate with the PPPoE AC (PC C), such as ICMP ping capabilities, or Telnet.
PC C must have a PPPoE Access Concentrator (server) application installed, and should have ping and/or telnet capabilities.
There are several PPPoE Server (Access Concentrator) applications available as freeware for Unix and Windows based operating systems. Here is a list of some of the most popular applications:
- Windows: RASPPPoE
- UNIX (Linux and Solaris): Roaring Penguin. See the GlobespanVirata Licensee Server Knowledge Base for details of How to set-up Roaring Penguin (PPPoE Client) on Linux.
This example uses RASPPPoE (V2.2) as the PPPoE server. The PPP Server configuration is as follows:
- Dial-out user name: viratauser
- Dial out password: viratapass
- Authentication Protocol: CHAP
Select the ISOS software image for ISOS System A
Use an ISOS image built from the usb-gateway system file. The usb-gateway file calls the generic gateway file to use as its system file.
Check that the following line is present in the gateway system file for ISOS System A (atmos/system/gateway). The CYAN_POOL1_PREFIX must be configured as 48 bytes or larger for the packet header encapsulation used in PPPoE. (The default value is 128):
Config.hs CYAN_POOL1_PREFIX (48)
The following device and port (physical port 0 on ISOS System A) need to have been configured in the ISFS initbun configuration file for the usb-gateway product (atmos/products/usb-gateway/flashfs/initbun). Verify that the PPPoE driver is added to the atm_device definition in the initbun file:
device : atm_device = debug, assignmac, chameleon, pppoe, rfc1483, atm_phy, atm_transport
Also, check that the atm_device has been defined correctly. This is the default entry:
port : a1 = atm_device / PhysicalPort = 0 / PortSpeed = 59111 /NewAttribute=<bool:outside=true>
The initbun file must also contain definitions for the Ethernet ports as described in ISOS System initbun configuration file on page 304.
Select the ISOS software image for ISOS System B
Use an ISOS image built from the eth-gateway system file.
Configure ISOS System A using the CLI
1. Clear any existing IP interfaces and transports. Clearing the IP interfaces also deletes any existing DHCP client settings on those interfaces. This change to DHCP is not updated in the DHCP client configuration until you enter the dhcpclient update command. Type the following commands:
    ip clear interfaces
    transports clear
    dhcpclient update
Add two new transports for the Ethernet ports ethernet and usb-ethernet:
    ethernet add transport eth1 ethernet
    ethernet add transport eth2 usb-ethernet
Create two interfaces on the bridge and attach the Ethernet transports to the bridge interfaces:
    bridge add interface bridge1
    bridge attach bridge1 eth1
    bridge add interface bridge2
    bridge attach bridge2 eth2
Add the bridge to the router using an IP interface.
    ip add interface bridge 192.168.101.1
    ip attachbridge bridge
    system config save
Add the IP/PPPoE configuration. Configure the PPP device and then attach the PPP device to the interface:
    pppoe add transport mypppoe dialout pvc 1 atm 0 800
    ip add interface ppp_device
    ip set interface ppp_device tcpmssclamp enabled
    pppoe set transport mypppoe welogin chap
    pppoe set transport mypppoe username viratauser
    pppoe set transport mypppoe password viratapass
    ip attach ppp_device mypppoe
PPP automatically adds the IP address and default route upon connection.
Clear any existing IP interfaces and transports. Clearing the IP interfaces also deletes any existing DHCP client settings on those interfaces. This change to DHCP is not updated in the DHCP client configuration until you enter the dhcpclient update command. Type the following commands:
    ip clear interfaces
    bridge clear interfaces
    transports clear
    dhcpclient update
Add the RFC1483 bridging configuration.
    ethernet add transport eth1 ethernet
    bridge add interface mybridge1
    bridge attach mybridge1 eth1
    rfc1483 add transport myrfc1483 a1 0 800 llc bridged
    bridge add interface mybridge2
    bridge attach mybridge2 myrfc1483
PC A and PC B should now both be able to ping the PPPoE AC at PC C, once the PPP session is up and running.
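The PPP session in the CLI procedure above only comes up if the PPPoE transport and the RFC1483 bridged transport at the other end of the ATM link sit on the same VPI/VCI, and the client side keeps CHAP and TCP MSS clamping enabled. The following check is an added example, not ISOS code: it parses only the command forms shown on this page, and the function names are hypothetical.

```python
"""Added example: consistency check over the two CLI scripts of section 14.5.1."""

# PPPoE client-side commands, copied from this page.
CLIENT_SIDE = """\
pppoe add transport mypppoe dialout pvc 1 atm 0 800
ip add interface ppp_device
ip set interface ppp_device tcpmssclamp enabled
pppoe set transport mypppoe welogin chap
pppoe set transport mypppoe username viratauser
pppoe set transport mypppoe password viratapass
ip attach ppp_device mypppoe
"""

# RFC1483 bridging commands for the far end of the ATM link, copied from this page.
BRIDGE_SIDE = """\
ethernet add transport eth1 ethernet
bridge add interface mybridge1
bridge attach mybridge1 eth1
rfc1483 add transport myrfc1483 a1 0 800 llc bridged
bridge add interface mybridge2
bridge attach mybridge2 myrfc1483
"""


def parse_script(script):
    """Collect the settings the audit needs from one system's CLI script."""
    cfg = {"pppoe": {}, "rfc1483": {}, "clamped": set(), "attached": {}}
    for line in script.splitlines():
        w = line.split()
        if w[:3] == ["pppoe", "add", "transport"] and len(w) == 10 and w[5] == "pvc":
            # pppoe add transport <name> dialout pvc <id> <port> <vpi> <vci>
            cfg["pppoe"].setdefault(w[3], {})["pvc"] = (int(w[8]), int(w[9]))
        elif w[:3] == ["pppoe", "set", "transport"] and len(w) == 6:
            cfg["pppoe"].setdefault(w[3], {})[w[4]] = w[5]
        elif w[:3] == ["rfc1483", "add", "transport"] and len(w) == 9:
            # rfc1483 add transport <name> <port> <vpi> <vci> <encap> <mode>
            cfg["rfc1483"][w[3]] = {"pvc": (int(w[5]), int(w[6])), "mode": w[8]}
        elif w[:3] == ["ip", "set", "interface"] and w[4:] == ["tcpmssclamp", "enabled"]:
            cfg["clamped"].add(w[3])
        elif w[:2] == ["ip", "attach"] and len(w) == 4:
            cfg["attached"][w[3]] = w[2]  # transport name -> IP interface name
    return cfg


def audit(client_script, bridge_script):
    """Return a list of findings; an empty list means the two ends agree."""
    client = parse_script(client_script)
    far_end = parse_script(bridge_script)
    far_pvcs = {t["pvc"]: t for t in far_end["rfc1483"].values()}
    findings = []
    for name, transport in client["pppoe"].items():
        pvc = transport.get("pvc")
        if pvc is None:
            findings.append(f"{name}: no PVC defined")
        elif pvc not in far_pvcs:
            findings.append(
                f"{name}: no RFC1483 transport on VPI/VCI {pvc[0]}/{pvc[1]} at the far end")
        elif far_pvcs[pvc]["mode"] != "bridged":
            # PPPoE frames are Ethernet frames, so the far end has to bridge them.
            findings.append(f"{name}: far-end RFC1483 transport is not bridged")
        if transport.get("welogin") != "chap":
            findings.append(f"{name}: welogin is not set to chap")
        iface = client["attached"].get(name)
        if iface is None:
            findings.append(f"{name}: not attached to an IP interface")
        elif iface not in client["clamped"]:
            findings.append(f"{iface}: tcpmssclamp is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(CLIENT_SIDE, BRIDGE_SIDE) or ["no findings"]:
        print(finding)
```

Both scripts also carry the PPP user name and password in clear text, so treat saved copies of them as credentials.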
For this configuration, you need to attach the Ethernet devices called ethernet and usb-ethernet to the bridge. By default, your ethernet device is already attached to the bridge using a default LAN connection called iplan, IP address 192.168.1.1. For this configuration, you need to change the default LAN IP address to 192.168.101.1:
a. From the Status page, click on the LAN Settings hyperlink or from the left-hand menu, click on Configuration>LAN connection. The LAN connections page is displayed.
Click on Change default LAN port IP address. In the Default LAN Port section, click on the Primary IP Address text box and type 192.168.101.1. Click on Apply.
At your web browser, enter the following URL: http://192.168.101.1
2. From the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
From the Status page, click on the LAN Settings hyperlink or from the left-hand menu, click on Configuration>LAN connection. The LAN connections page is displayed.
Click on Create a new service.
Click on the Ethernet bridged radio button, then click on Configure.
At the LAN connection: Ethernet bridged page, complete the following:
- Description: eth2
- Port: usb-ethernet
Click on Apply. The LAN connections page is displayed, containing details of the new Ethernet transport.
From the left-hand menu, click on Configuration>Save config. At the Save configuration page, click on Save.
4. The ethernet devices are attached to the bridge, and the bridge is attached to the router by default via the iplan IP interface.
5. Add the IP/PPPoE configuration. Configure the PPP device and then attach the PPP device to the interface:
From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
Click on the PPPoE routed radio button, then click on Configure.
At the WAN connection: PPPoE routed page, complete the following:
- Description: PPP
- VPI: 0
- VCI: 600
- CHAP (click on the CHAP radio button)
- User name: viratauser
- Password: viratapass
Click on the Edit Tcp Mss Clamp link at the top of the page and set Tcp Mss Clamp to enabled. You do not need to make changes to the other default settings.
At the WAN Connection: PPPoE routed page, click on Apply. The WAN connections page is displayed, containing details of the new PPPoE transport.
From the WAN connections table, click on the PPP Edit link. The Edit Service page is displayed. Click on Edit PPP. You can check that the Interface ID is set to 1, and that Dialout Authentication is set to CHAP.
PPP automatically adds the IP address and default route upon connection.
Add the RFC1483 bridging configuration. By default, your Ethernet device is already attached to the Bridge using a default LAN connection called iplan, IP address 192.168.1.1. To check this, click on Configuration>Ports>Ethernet and check the IP address and port name.
a. From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
Click on the RFC 1483 bridged radio button, then click on Configure.
At the WAN connection: RFC 1483 bridged page, complete the following:
- Description: myrfc1483
- VPI: 0
- VCI: 800
- Encapsulation method: LLC/SNAP
Click on Apply. The WAN connections page is displayed, containing details of the new RFC 1483 transport.
PC A and PC B should now both be able to ping the PPPoE AC at PC C, once the PPP session is up and running.
This chapter describes how to configure the ISOS System in typical Switch configurations. You need to understand how to use the CLI interface before you can follow the instructions in this chapter. For more information, refer to Using the CLI on page 125.
15.1 Introduction
This chapter describes how to configure the ISOS System in some typical Switch configurations. The configuration of the ISOS System is performed from the CLI, rather than editing configuration files or programming Flash.
15.2 Pre-requisites
In order to connect up any type of ATM switch configuration, the second ATM port on the ISOS System which is configured as an ATM switch must be enabled. Note: For BD6000 Series systems ATM port 0 is the port on the right (furthest away from the power connector) or nearest to the power connector if using BD6221. It is enabled as port a1. The second ATM port is enabled by default in the initbun file of an atm-switch image. However, you still need to make the following changes to your hardware file:
1
where platform is the hardware file appropriate for the ISOS system you are using. For example, for a BD6100 system the file to change is bd6100.hw. (For a full list of the appropriate hardware files for all BD6000 Series systems, refer to Hardware type on page 66.)
a
You can now build a new atm-switch image with the second port enabled.
Note: For BD6000 Series systems, this second port uses the chip's glueless interface for connection to the Utopia Level 1 ATM25 phy. This glueless interface for Utopia level 1 devices is restricted to ports a2 to a31. These interfaces have a buffer FIFO depth of 1. Users of the glueless connection to Utopia level 1 devices faster than ATM25 should note that this method is not suitable for them, since restricting the FIFO depth to 1 causes an unacceptable performance hit on fast ports. If you are in this position, please contact your GlobespanVirata support representative to discuss your options.
15.3
[Network layout diagram. Diagram labels: ISOS System - A, Console, ATM25, PC B, Console.]
15.3.2 Network connections
In the diagram above:
- The ATM25 connections are made using an ATM crossover cable. (Note that an ATM crossover cable is not the same as an Ethernet crossover cable.)
- ATM port 0 (a1) of ISOS System A is connected to ATM port 0 (a1) of ISOS System (ATM).
- ATM port 0 (a1) of ISOS System B is connected to ATM port 1 (a2) of ISOS System (ATM).
Note: The physical location of ATM Port 0 (a1) is different on BD6000 Series ISOS Systems:
- For BD6100, BD6200 and BD6210 systems: ATM Port 0 is the ATM port furthest from the DC Power In connector.
- For BD6221 systems: ATM Port 0 is the port nearest to the DC Power In connector.
15.3.3 Configuring IPoA using SVCs
This section describes how to configure an IP connection over ATM (IPoA) (using SVCs) using two ISOS Systems in Gateway mode and a third ISOS System configured as a Switch, as shown in Network layout on page 325. For more information about Gateway configurations, refer to What configurations are supported by an ISOS System? on page 8.
Network configuration
The settings required for each element of the network are shown in the table below:
System              Feature                  Description
ISOS System (ATM)   MAC address              00:20:2B:00:75:20
                    ATM25 Port connections   A1, A2
ISOS System (A)     MAC address              00:20:2B:00:79:B0
                    IP address               1.1.1.1
                                             00:20:2B:00:76:50
                                             1.1.1.2
                                             A1
Build the following ISOS images for the ISOS System:
- eth-gateway image. The eth-gateway file includes the gateway system file. You need to include the signalling package, si, in the build. To do this, uncomment the following Package line in the gateway system file:
% si includes UNI Signalling, SSCOP and ILMI. Uncomment to include.
%Package si
- atm-switch.
For more information on how to build images, refer to Building an ISOS image on page 79.
2. Download the images to the ISOS Systems:
- Download the eth-gateway image to both ISOS System (A) and ISOS System (B).
- Download the atm-switch image to ISOS System (ATM).
For more information on downloading an image, refer to Booting the ISOS System in Gateway mode on page 99.
3. On ISOS System (A), enter the commands:
    ip clear interfaces
    transports clear
    ip add interface ipoa1 1.1.1.1 255.0.0.0
    ipoa add transport t1 svc
    ip attach ipoa1 t1
Restart ISOS System (A) using the commands:
    system config save
    system restart
The ISOS System will restart.
On ISOS System (B), enter the commands:
    ip clear interfaces
    transports clear
    ipoa clear transports
    ip add interface ipoa1 1.1.1.2 255.0.0.0
    ipoa add transport t1 svc
    ip attach ipoa1 t1
Restart ISOS System (B) using the commands:
    system config save
    system restart
The ISOS System will restart. Both ISOS Systems are now configured with an IP device.
To confirm that an IPoA device has been added, enter:
    ip list interfaces
The following information is displayed:
-->ip list interfaces
IP Interfaces:
ID   Name   IP Address   DHCP   Transport
-------------------------------------------------------------------
To confirm that the ARP server has been set up, enter:
    ipoa list transports
The following information is displayed:
-->ipoa list transports
IPoA transports:
ID | Name | SVC
-----|------------|----------|--------------------------------------------
The ISOS System is now functioning as an ARP server. In a typical IP network, only one network device should be functioning as an ARP server. Therefore, we need to re-configure one of the ISOS Systems to use the other ISOS System as its ARP server.
7. To re-configure ISOS System (A) to use ISOS System (B) as its ARP server, enter (on one line):
    ipoa set transport t1 arpserver 47.00.83.00.00.00.00.00.20.2b.00.75.20.00.20.2b.00.76.50.00
This command configures ISOS System (A) to use ISOS System (B) as its ARP server, by specifying the ATM address of ISOS System (B). To confirm that this has been set up correctly, enter the following command on ISOS System (A):
-->ipoa list transports
The following information is returned:
IPoA transports:
ID | Name | SVC     | ATM ARP Server
---|------|---------|-----------------------------------------------------------
1  | t1   | ENABLED | 7.00.83.00.00.00.00.00.20.2b.00.75.20.00.20.2b.00.76.50.00
-------------------------------------------------------------------------------
The ATM ARP Server table entry shows the ATM address of ISOS System (B) to be used as the ARP server. You should now be able to send IP packets between the two ISOS Systems.
8. Using the console, enter the following command to enable ilmi on all ATM ports on ISOS System ATM:
    portcli setportflag all ilmi
Using the console, check that ilmi is enabled on ATM port a1 on ISOS System A and B by entering the following command:
    portcli portinfo
If no flag is set for port a1, enable ilmi on this port by entering the following:
    portcli setportflag a1 ilmi
To see the setup, enter:
    portcli portinfo
port   type           flags
a1     Utopia (phy)   +uni40 ilmi
If you now save this configuration using the CLI command system config save, ilmi will still be enabled on a1 after future reboots.
10 From ISOS System (B), enter:
ip ping 1.1.1.1 This attempts to ping ISOS System (A), with IP address (1.1.1.1). The following information is returned: ip: ping - reply received from 1.1.1.1 To see the SVC entries which have been setup, enter the following console command on ISOS System (ATM): switchcli list Note The atm-switch build is not supported by the VMI, so only the console process is provided. The following information is displayed by the command:
Displaying non-permanent entries for all ports for all processes verbosely. port a1 a2 vp 0 0 vc 32 ==> 32 ==> port a2 a1 vp 0 0 vc 32 32 cells 4 4 creator q93b q93b
You can also use the following console command for more information about the setup:
    q93b info
For more information about the commands that you can use to obtain more information about the network that has been set up, refer to Obtaining and changing system setup information on page 387.
This chapter describes how to configure security on the ISOS System using Firewall and NAT features in ISOS.
16.1 Introduction
This chapter describes how to configure Security on the ISOS System. There are two example network setups described in this chapter:
- a network featuring three ISOS Systems; a Firewall, WAN Router and separate DMZ Router. See Configuring a network containing a Firewall, WAN Router and DMZ Router on page 332.
- a network featuring two ISOS Systems; a Firewall and a WAN Router. A separate DMZ is created as a virtual interface attached to the Firewall's LAN interface. See Configuring a network containing a Virtual DMZ interface on page 332.

16.1.1 Configuring a network containing a Firewall, WAN Router and DMZ Router
If you want to configure a network containing a Firewall, WAN Router and DMZ Router using the CLI, read the following sections:
- Firewall, WAN Router & DMZ Router network on page 334
- Initial Firewall, WAN Router & DMZ Router configuration (CLI) on page 337
- Security configuration (CLI) on page 345
- NAT example configurations (CLI) on page 346
- Firewall example configurations (CLI) on page 348
If you want to configure a network containing a Firewall, WAN Router and DMZ Router using EmWeb, read the following sections:
- Firewall, WAN Router & DMZ Router network on page 334
- Initial Firewall, WAN Router & DMZ Router configuration (EmWeb) on page 353
- Configuring the security interfaces (EmWeb) on page 359
- Firewall example configurations (EmWeb) on page 378
- NAT example configurations (EmWeb) on page 383

16.1.2 Configuring a network containing a Virtual DMZ interface
If you want to configure a network containing a virtual DMZ interface using the CLI, read the following sections:
- Virtual DMZ interface network on page 340
- Initial virtual DMZ interface network configuration (CLI) on page 342
- Security configuration (CLI) on page 345
- NAT example configurations (CLI) on page 346
- Firewall example configurations (CLI) on page 348
To configure a network containing a virtual DMZ interface using EmWeb, read the following sections:
- Virtual DMZ interface network on page 340
- Initial virtual DMZ interface configuration (EmWeb) on page 372
- Configuring the security interfaces (EmWeb) on page 375
- Firewall example configurations (EmWeb) on page 378
- NAT example configurations (EmWeb) on page 383

16.1.3 Further information
Note - If you are configuring Security using the CLI, you must understand how to use the CLI interface. For more information, refer to Using the CLI on page 141.
Note - If you are configuring Security using EmWeb, you must understand how to use the EmWeb interface. For more information, refer to Using the EmWeb server on page 157.
For troubleshooting information and useful tips on trying to solve any configuration problems, refer to Troubleshooting network configurations on page 421.
For more information about the commands you can use to obtain more information about the network that has been set up, refer to Obtaining and changing system setup information on page 387.
For more information about the syntax of the commands used in this chapter, refer to the appropriate chapters in the ISOS 8.2 CLI Reference Manual, DO-009430-PS.
For more information about Security, refer to the ISOS Security (NAT and Firewall) Functional Specification, DO-008557-PS.
16.2 Firewall, WAN Router & DMZ Router network

[Figure 76: network diagram, caption not recovered. Surviving labels: LAN, WAN, ATM2, PC C; addresses 192.168.101.2, 192.168.100.1, 172.16.2.2, 172.16.1.2]

16.2.1 Configuration information
PC configuration
The following table shows the configuration of the PCs included in the network:

PC   IP address      Netmask         Gateway
A    10.1.1.2        255.255.255.0   10.1.1.1
B    192.168.100.2   255.255.255.0   192.168.100.1
C    172.16.1.2      255.255.255.0   172.16.1.1
ISOS System (WAN Router) configuration
The following table shows the configuration of the ISOS System (WAN Router) included in the network:

ISOS System (WAN Router)   IP address      Netmask         Gateway
ATM interface              192.168.101.2   255.255.255.0
ETH interface              192.168.100.1   255.255.255.0
Default route              0.0.0.0         0.0.0.0         192.168.101.1
ISOS System (DMZ Router) configuration
The following table shows the configuration of the ISOS System (DMZ Router) included in the network:

ISOS System (DMZ Router)   IP address   Netmask         Gateway
ATM interface              172.16.2.2   255.255.255.0
ETH interface              172.16.1.1   255.255.255.0
Default route              0.0.0.0      0.0.0.0         172.16.2.1
ISOS System (Firewall) configuration
The following table shows the configuration of the ISOS System (Firewall) included in the Demo network:

ISOS System (Firewall)   IP address      Netmask
ETH interface            10.1.1.1        255.255.255.0
ATM1 (WAN) interface     192.168.101.1   255.255.255.0
ATM2 (DMZ) interface     172.16.2.1      255.255.255.0
ISOS Software images
For ISOS System (WAN Router) and (DMZ Router) you can use images built from the eth-gateway system file with no changes. For the ISOS System (Firewall), use the eth-gateway image. (By default, this system file includes Firewall support.) Before building this image, you need to define a second ATM port, as two ATM connections are required to connect to the WAN and DMZ areas.
Note - For BD6000 Series systems, ATM port 0 is the port on the right (furthest away from the power connector) or nearest the power connector if using BD6221. It is enabled as port a1.
To enable the second ATM port as port a2, follow the procedure below:
1
where platform is the hardware file appropriate for the ISOS system that you are using. For example, for a BD6100 system the file to change is atmos/source/hardware/bd6100.hw. (For a full list of the appropriate hardware files for all ISOS systems, refer to Hardware type on page 67.)
a b
Ensure that the hardware BUN configuration file for the ISOS system you are using has defined a second ATM port. For example, if you are using a BD6100 system the hardware BUN configuration file is atmos/source/hardware/initbun/bd6100. Check that this file contains the following port definition (on one line):
    port : a2 = atm/PhysicalPort=2/PortSpeed=59111/NewAttribute=<bool:VMI=true>/NewAttribute=<bool:outside=true>
The second port should now be enabled when you build a new eth-gateway image.
Note - For BD6000 Series systems: this second port uses the chip's glueless interface for connection to the Utopia Level 1 ATM25 phy. This glueless interface for Utopia level 1 devices is restricted to ports a2 to a31. These interfaces have a buffer FIFO depth of 1. Users of the glueless connection to Utopia level 1 devices faster than ATM25 should note that this method is not suitable for them, since restricting the FIFO depth to 1 has an unacceptable performance hit on fast ports. If you are in this position, please contact your GlobespanVirata support representative to discuss your options.
You can now configure your security network:
- If you want to configure the network using the CLI, see Initial Firewall, WAN Router & DMZ Router configuration (CLI) on page 337.
- If you want to configure the network using EmWeb, see Initial Firewall, WAN Router & DMZ Router configuration (EmWeb) on page 353.
16.3 Initial Firewall, WAN Router & DMZ Router configuration (CLI)
- To configure the ISOS System (WAN and DMZ routers), see Configure the Routers using the CLI on page 338.
- To configure the ISOS System (Firewall), see Configure the ISOS System (Firewall) using the CLI on page 339.
Configure the Routers using the CLI
The following configuration table shows the example settings used to configure the ISOS Systems as Ethernet/IPoA routers:

ISOS System (Routers)   Transport name   Interface name
Ethernet                eth1             ip1
ATM                     ipoa1            ip2

The same transport and interface names are used for both routers. To configure your routers, follow the instructions below:
For ISOS System (WAN Router):
1 Clear any existing IP interfaces, routes and transports by typing the following commands:
    ip clear interfaces
    ip clear routes
    transports clear
2 Add an Ethernet and an IPoA transport:
    ethernet add transport eth1 ethernet
    ip add interface ip1 192.168.100.1 255.255.255.0
    ip attach ip1 eth1
    ipoa add transport ipoa1 pvc a1 0 100
    ip add interface ip2 192.168.101.2 255.255.255.0
    ip attach ip2 ipoa1
    ipoa transport ipoa1 set pvc 1 pcr 50000
3 Add a default route, with ISOS System (Firewall) as the gateway:
    ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.101.1
For ISOS System (DMZ Router):
Enter the following commands:
    ip clear interfaces
    ip clear routes
    transports clear
    ethernet add transport eth1 ethernet
    ip add interface ip1 172.16.1.1 255.255.255.0
    ip attach ip1 eth1
    ipoa add transport ipoa1 pvc a1 0 100
    ip add interface ip2 172.16.2.2 255.255.255.0
    ip attach ip2 ipoa1
    ipoa transport ipoa1 set pvc 1 pcr 50000
Add a default route, with ISOS System (Firewall) as the gateway:
    ip add route default 0.0.0.0 0.0.0.0 gateway 172.16.2.1
For more information about the commands used in this section and further explanation of the configuration steps followed, refer to the full example of this type of configuration in Ethernet - IPoA routed on page 246.

Configure the ISOS System (Firewall) using the CLI
To configure all the interfaces and routes used by the ISOS System (Firewall) enter the following commands, using the information in the table below:

ISOS System (Firewall)   Transport   Interface
Ethernet                 eth0        lan
ATM1                     ipoa1       wan
ATM2                     ipoa2       dmz

Clear any existing IP interfaces, routes and Ethernet and IPoA transports by typing the following commands:
    ip clear interfaces
    ip clear routes
    ethernet clear transports
    ipoa clear transports
Configure the LAN interface using the following commands:
    ethernet add transport eth0 ethernet
    ip add interface lan 10.1.1.1 255.255.255.0
    ip attach lan eth0
Configure the DMZ interface using the following commands:
    ipoa add transport ipoa2 pvc a2 0 100
    ip add interface dmz 172.16.2.1 255.255.255.0
    ip attach dmz ipoa2
Configure the WAN interface using the following commands:
    ipoa add transport ipoa1 pvc a1 0 100
    ip add interface wan 192.168.101.1 255.255.255.0
    ip attach wan ipoa1
Add a route to the DMZ network behind the DMZ router:
    ip add route ToDMZ 172.16.1.0 255.255.255.0 gateway 172.16.2.2
Add a default route to the WAN network (i.e. 192.168.101.2):
    ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.101.2
At this point the network can now be configured for various types of security configurations. See Security configuration (CLI) on page 345.
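The addressing plan above can be checked offline before it is typed into each console. The following Python sketch is an added example, not part of the ISOS guide: it takes the interface addresses and routes from the tables and commands in this section, confirms that every gateway sits on a directly attached subnet, and walks a packet hop by hop between the PCs. The data layout and function names are assumptions of the example.

```python
import copy
import ipaddress

# Addresses and routes copied from the configuration tables and CLI commands
# in this section. The dictionary layout is an assumption of this example.
NODES = {
    "PC A": {"ifaces": ["10.1.1.2/24"], "routes": [("0.0.0.0/0", "10.1.1.1")]},
    "PC B": {"ifaces": ["192.168.100.2/24"], "routes": [("0.0.0.0/0", "192.168.100.1")]},
    "PC C": {"ifaces": ["172.16.1.2/24"], "routes": [("0.0.0.0/0", "172.16.1.1")]},
    "WAN Router": {"ifaces": ["192.168.100.1/24", "192.168.101.2/24"],
                   "routes": [("0.0.0.0/0", "192.168.101.1")]},
    "DMZ Router": {"ifaces": ["172.16.1.1/24", "172.16.2.2/24"],
                   "routes": [("0.0.0.0/0", "172.16.2.1")]},
    "Firewall": {"ifaces": ["10.1.1.1/24", "192.168.101.1/24", "172.16.2.1/24"],
                 "routes": [("172.16.1.0/24", "172.16.2.2"),      # ToDMZ
                            ("0.0.0.0/0", "192.168.101.2")]},     # default
}


def networks(node):
    """Subnets directly attached to a node."""
    return [ipaddress.ip_interface(i).network for i in node["ifaces"]]


def owner_of(nodes, ip):
    """Name of the node that has this address on one of its interfaces."""
    target = ipaddress.ip_address(ip)
    for name, node in nodes.items():
        if any(ipaddress.ip_interface(i).ip == target for i in node["ifaces"]):
            return name
    return None


def bad_gateways(nodes):
    """Routes whose gateway is off-link or not owned by any known node."""
    bad = []
    for name, node in nodes.items():
        for dest, gw in node["routes"]:
            on_link = any(ipaddress.ip_address(gw) in n for n in networks(node))
            if not on_link or owner_of(nodes, gw) is None:
                bad.append((name, dest, gw))
    return bad


def next_hop(node, dst):
    """Direct delivery if dst is on-link, else the longest-prefix route."""
    addr = ipaddress.ip_address(dst)
    if any(addr in n for n in networks(node)):
        return str(addr)
    matches = [(ipaddress.ip_network(d), gw) for d, gw in node["routes"]
               if addr in ipaddress.ip_network(d)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(nodes, src, dst):
    """Node names a packet visits from src to dst, or None on a loop/dead end."""
    path, current = [src], src
    while owner_of(nodes, dst) != current:
        hop = next_hop(nodes[current], dst)
        nxt = owner_of(nodes, hop) if hop else None
        if nxt is None or nxt in path:
            return None
        path.append(nxt)
        current = nxt
    return path


def without_route(nodes, name, dest):
    """Copy of the topology with one route removed, for what-if checks."""
    changed = copy.deepcopy(nodes)
    changed[name]["routes"] = [r for r in changed[name]["routes"] if r[0] != dest]
    return changed


if __name__ == "__main__":
    print("bad gateways:", bad_gateways(NODES))
    print(trace(NODES, "PC B", "172.16.1.2"))
    # Without ToDMZ the Firewall sends DMZ traffic to the WAN Router and it loops.
    print(trace(without_route(NODES, "Firewall", "172.16.1.0/24"), "PC A", "172.16.1.2"))
```

Removing the ToDMZ route in the last call shows why the Firewall needs it: traffic for 172.16.1.0/24 would otherwise follow the default route to the WAN Router and bounce back.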
16.4 Virtual DMZ interface network

[Figure 77: network diagram, caption not recovered. Surviving labels: PC C; addresses 192.168.101.1, 192.168.101.2, 192.168.100.1]

The DMZ virtual interface appears as a separate internal interface. DMZ traffic is transported between PC C and the Firewall via the Ethernet transport attached to the LAN interface.

16.4.1 Configuration information
PC configuration
The following table shows the configuration of the PCs included in the network:

PC   IP address      Netmask         Gateway
A    10.1.1.2        255.255.255.0   10.1.1.1
B    192.168.100.2   255.255.255.0   192.168.100.1
C    172.16.1.2      255.255.255.0   172.16.1.1
ISOS System (WAN Router) configuration
The following table shows the configuration of the ISOS System (WAN Router) included in the network:

ISOS System (WAN Router)   IP address      Netmask         Gateway
ATM interface              192.168.101.2   255.255.255.0
ETH interface              192.168.100.1   255.255.255.0
Default route              0.0.0.0         0.0.0.0         192.168.101.1
ISOS System (Firewall) configuration
The following table shows the configuration of the ISOS System (Firewall) included in the Demo network:

ISOS System (Firewall)   IP address      Netmask
ETH interface            10.1.1.1        255.255.255.0
ATM1 (WAN) interface     192.168.101.1   255.255.255.0
virtual interface        172.16.1.1      255.255.255.0
ISOS Software images
For ISOS System (WAN Router) use the eth-gateway image. For the ISOS System (Firewall), use the eth-gateway image. (By default, this system file includes Firewall support.)
You can now configure your security network:
- If you want to configure the network using the CLI, see Initial virtual DMZ interface network configuration (CLI) on page 361.
- If you want to configure the network using EmWeb, see Initial Firewall, WAN Router & DMZ Router configuration (EmWeb) on page 353.
16.5 Initial virtual DMZ interface network configuration (CLI)
1 Configure the ISOS System (WAN router). See Configure the WAN Router using the CLI on page 343.
2 Configure the ISOS System (Firewall). See Configure the ISOS System (Firewall) using the CLI on page 343.
Configure the WAN Router using the CLI
To configure the WAN Router, follow the instructions below:
1 Clear any existing IP interfaces, routes and transports by typing the following commands:
    ip clear interfaces
    ip clear routes
    transports clear
2 Add an Ethernet and an IPoA transport:
    ethernet add transport eth1 ethernet
    ip add interface ip1 192.168.100.1 255.255.255.0
    ip attach ip1 eth1
    ipoa add transport ipoa1 pvc a1 0 100
    ip add interface ip2 192.168.101.2 255.255.255.0
    ip attach ip2 ipoa1
    ipoa transport ipoa1 set pvc 1 pcr 50000
3 Add a default route, with ISOS System (Firewall) as the gateway:
    ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.101.1
For more information about the commands used in this section and further explanation of the configuration steps followed, refer to the full example of this type of configuration in Ethernet - IPoA routed on page 246.

Configure the ISOS System (Firewall) using the CLI
To configure the interfaces and routes used by the ISOS System (Firewall) enter the following commands:
Clear any existing IP interfaces, routes and Ethernet and IPoA transports by typing the following commands:
    ip clear interfaces
    ip clear routes
    ethernet clear transports
    ipoa clear transports
Configure the LAN interface using the following commands:
    ethernet add transport eth0 ethernet
    ip add interface lan 10.1.1.1 255.255.255.0
    ip attach lan eth0
Configure the virtual DMZ interface using the following commands:
    ip add interface dmz 172.16.1.1
    ip attachvirtual dmz lan
The virtual interface dmz is attached to the real LAN interface. The LAN interface (lan) has already been attached to an ethernet transport (eth0). The dmz interface uses the eth0 transport to transfer data.
Configure the WAN interface using the following commands:
    ipoa add transport ipoa1 pvc a1 0 100
    ip add interface wan 192.168.101.1 255.255.255.0
    ip attach wan ipoa1
Add a default route to the WAN network (i.e., 192.168.101.2):
    ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.101.2
Check that the IP interfaces are configured correctly by entering the following command:
    ip list interfaces
ID | Name | IP Address    | DHCP     | Transport
---|------|---------------|----------|----------
1  | lan  | 10.1.1.1      | disabled | eth0
2  | dmz  | 172.16.1.1    | disabled | [lan]
3  | wan  | 192.168.101.1 | disabled | ipoa1
------------------------------------------------
Notice that the DMZ transport is displayed as [lan]. This shows that the DMZ is attached to the real LAN interface. At this point the network can now be configured for various types of security configurations. See Security configuration (CLI) on page 345.
16.6 Security configuration (CLI)
- Configure the security interfaces on the ISOS System (Firewall). See Configuring the Security interfaces using the CLI on page 345.
- Start security on the ISOS System (Firewall). See Starting Security using the CLI on page 346.
At this point the network can now be configured for various types of security configurations. The above steps are described in the following sections.

16.6.1 Configuring the Security interfaces using the CLI
With all interfaces and routes set up, we can now begin to configure the security interfaces:
    security add interface lan internal
    security add interface wan external
    security add interface dmz dmz
To check that the interfaces have been added, enter:
    security list interfaces
The following output is displayed:
Security Interfaces:
ID | Name | Type
----------------------------
16.6.2 Starting Security using the CLI
To start Security enter the following command:
    security enable
To check that this has been enabled, enter:
    security status
The following output is displayed:
Security enabled.
Firewall disabled.
Firewall security level: none.
Firewall session logging enabled.
Firewall blocking logging enabled.
Firewall intrusion logging disabled.
NAT disabled
Now you can configure NAT and/or the Firewall. To configure NAT, see NAT example configurations (CLI) on page 346. To configure the Firewall, see Firewall example configurations (CLI) on page 348.
16.7 NAT example configurations (CLI)
The examples in this section assume that you have followed all the steps in Security configuration (CLI) on page 345.

16.7.1 Enabling NAT (CLI)
To enable NAT between the internal (LAN) and external (WAN) Security interfaces, enter the following command:
    nat enable n1 wan internal
This configures NAT to translate addresses from the internal security interface to the wan security interface. To demonstrate the effect of this configuration, execute a ping command from PC A to PC B. If you have access to a packet sniffer, attach this to the WAN side of the network and you can see that the IP address of PC A has changed - been translated by NAT - from 10.1.1.2 to 192.168.101.1. If you ping PC C to PC B, this too will be translated by NAT from 172.16.1.2 to 192.168.101.1. Compare this to the example ping output between PC A to PC B in Firewall portfilters (CLI) on page 350.

16.7.2 Global address pools and reserved map (CLI)
This section describes how to create two global address pools on your WAN interface, then use the global addresses to create reserved mappings. The reserved mappings allow NAT to translate packets between the WAN interface and each of the two different inside interfaces (LAN and DMZ).
Firstly, create secondary addresses for the addresses that will be added to the global address pool:
    ip interface wan add secondaryipaddress 100.100.100.100 255.255.255.0
    ip interface wan add secondaryipaddress 100.100.100.101 255.255.255.0
To create two global pools on the WAN interface for each of the inside interfaces (internal and DMZ) enter:
    nat add globalpool g1 wan internal 100.100.100.100 endaddress 100.100.100.100
    nat add globalpool g2 wan dmz 100.100.100.101 endaddress 100.100.100.101
If you have followed the instructions in Enabling NAT (CLI) on page 365, NAT will already be enabled between the internal and WAN interfaces and between the DMZ and WAN interfaces.
To create reserved mappings between the WAN virtual interfaces and the internal PCs' IP addresses (internal = 10.1.1.2, DMZ = 172.16.1.2), enter the following commands:
    nat add resvmp r1 globalip wan 100.100.100.100 10.1.1.2 all
    nat add resvmp r2 globalip wan 100.100.100.101 172.16.1.2 all
To demonstrate the effect of the above commands, execute the following ping commands:
- ping from PC B to IP address 100.100.100.100. PC A (IP address 10.1.1.2) will be seen to respond to this request.
- ping from PC B to IP address 100.100.100.101. PC C (IP address 172.16.1.2) will be seen to respond to this request.
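The three steps of section 16.7.2 (secondary addresses, global pools, reserved mappings) have to agree with each other. The following Python sketch is an added example, not part of the ISOS guide: it parses the command forms shown above and reports any reserved mapping whose global address is missing from the pools or secondary addresses, or whose pool belongs to a different inside interface than the mapped host. That these three must agree is an assumption drawn from the order of the procedure, and the function names are hypothetical.

```python
import ipaddress

# Commands from section 16.7.2 as they would be typed on the Firewall.
CONFIG = """\
ip interface wan add secondaryipaddress 100.100.100.100 255.255.255.0
ip interface wan add secondaryipaddress 100.100.100.101 255.255.255.0
nat add globalpool g1 wan internal 100.100.100.100 endaddress 100.100.100.100
nat add globalpool g2 wan dmz 100.100.100.101 endaddress 100.100.100.101
nat add resvmp r1 globalip wan 100.100.100.100 10.1.1.2 all
nat add resvmp r2 globalip wan 100.100.100.101 172.16.1.2 all
"""

# Subnet behind each inside security interface type (from the PC tables).
INSIDE_NETS = {"internal": "10.1.1.0/24", "dmz": "172.16.1.0/24"}


def parse(text):
    """Collect secondary addresses, global pools and reserved mappings."""
    cfg = {"secondary": set(), "pools": [], "maps": []}
    for line in text.splitlines():
        w = line.split()
        if w[:2] == ["ip", "interface"] and w[3:5] == ["add", "secondaryipaddress"]:
            cfg["secondary"].add((w[2], ipaddress.ip_address(w[5])))
        elif w[:3] == ["nat", "add", "globalpool"]:
            cfg["pools"].append({"name": w[3], "ext": w[4], "inside": w[5],
                                 "start": ipaddress.ip_address(w[6]),
                                 "end": ipaddress.ip_address(w[8])})
        elif w[:3] == ["nat", "add", "resvmp"]:
            cfg["maps"].append({"name": w[3], "ext": w[5],
                                "global": ipaddress.ip_address(w[6]),
                                "host": ipaddress.ip_address(w[7]),
                                "proto": w[8]})
    return cfg


def audit(cfg):
    """Return one finding per inconsistency between the three steps."""
    findings = []
    for m in cfg["maps"]:
        pool = next((p for p in cfg["pools"] if p["ext"] == m["ext"]
                     and p["start"] <= m["global"] <= p["end"]), None)
        if pool is None:
            findings.append("%s: %s is not in any global pool on %s"
                            % (m["name"], m["global"], m["ext"]))
        else:
            net = INSIDE_NETS.get(pool["inside"])
            if net is None or m["host"] not in ipaddress.ip_network(net):
                findings.append("%s: host %s is not behind the %s interface served by pool %s"
                                % (m["name"], m["host"], pool["inside"], pool["name"]))
        if (m["ext"], m["global"]) not in cfg["secondary"]:
            findings.append("%s: %s is not a secondary address on %s"
                            % (m["name"], m["global"], m["ext"]))
    return findings


def translate_inbound(cfg, dst):
    """Inside host that a WAN-side destination address is mapped to, if any."""
    addr = ipaddress.ip_address(dst)
    for m in cfg["maps"]:
        if m["global"] == addr:
            return str(m["host"])
    return None


def exposed_hosts(cfg):
    """Mappings made with protocol 'all': (global address, inside host)."""
    return [(str(m["global"]), str(m["host"])) for m in cfg["maps"] if m["proto"] == "all"]


if __name__ == "__main__":
    cfg = parse(CONFIG)
    print("findings:", audit(cfg))
    print("100.100.100.101 ->", translate_inbound(cfg, "100.100.100.101"))
    print("mapped for all protocols:", exposed_hosts(cfg))
```

Both mappings use the protocol keyword all, so which traffic actually reaches 10.1.1.2 and 172.16.1.2 through their global addresses is left to the Firewall policies and portfilters configured in the next section.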
16.8 Firewall example configurations (CLI)
The high, medium and low levels contain default policy and portfilter configurations for each of your network interface connections, so you do not need to set your own individual policies and portfilters. For more information about the configurations contained in each level, see the Firewall chapter of the ISOS 8.2 CLI Reference Manual: DO-009787-PS.

16.8.3 Creating Firewall policies
You can create your own Firewall policies between the security interfaces:
    firewall add policy etoi external-internal blockonly-val
    firewall add policy etod external-dmz blockonly-val
    firewall add policy dtoi dmz-internal blockonly-val
To check that the policies have been added, enter:
    firewall list policies
ID | Name | Type 1   | Type 2   |
------------------------------------------------------------------
1  | dtoi | dmz      | internal | false
2  | etod | external | dmz      | false
3  | etoi | external | internal | false
------------------------------------------------------------------
If you do not want to set your own policies, and would rather use one of the default Security levels containing predefined policies and portfilters, see Using a default Security level (CLI) on page 348.
16.8.4 Firewall portfilters (CLI)
These examples assume that you have not set a default Firewall level, but that you have followed all the steps in the previous Firewall sections. Portfilters are individual rules that determine what kind of traffic can pass between two particular interface types. You can add many portfilters to an existing firewall policy.

Setting up an ICMP portfilter (CLI)
For example, to allow pings between PC A (in the LAN) and PC B (in the WAN) enter the following command:
    firewall add portfilter ping etoi icmp both
The above command adds a portfilter called ping to the firewall policy etoi. etoi is the policy name between the internal (LAN) and external (WAN) security interfaces. The portfilter ping allows the ICMP protocol to be used in both directions. To check that the portfilter has been set up correctly, enter:
    firewall list portfilters etoi
Firewall Port Filters:
ID | Name | In | Out | Raw | TCP | UDP
--------------------------------------------------------------------
You can now check that pings are allowed between PC A and PC B:
    ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2) from 10.1.1.2 : 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=0 ttl=253 time=2.2 ms
64 bytes from 192.168.100.2: icmp_seq=1 ttl=253 time=2.0 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=253 time=2.0 ms
64 bytes from 192.168.100.2: icmp_seq=3 ttl=253 time=1.9 ms
64 bytes from 192.168.100.2: icmp_seq=4 ttl=253 time=1.9 ms
--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
16.8.5 Firewall validators (CLI)
This example assumes that you have followed all the steps in the previous section. Validators allow you to filter traffic based on the source and/or destination IP address and netmask. For example, if PC B was a suspicious host outside the network, you can create a validator that blocks traffic sent to PC A from PC B's IP address and netmask. The policy etoi is already set to block only the IP address featured in the following validator command:
    firewall add validator pcb etoi inbound 192.168.100.2 255.255.255.255
This adds a validator called pcb to the firewall policy etoi. etoi is the policy name between the internal (LAN) and external (WAN) security interfaces. The validator pcb only blocks inbound traffic (data sent from PC B to PC A). It does not block outbound traffic, so PC A can still send data to PC B.
To block outbound traffic to PC B, delete the existing inbound validator (using the firewall delete validator command) and enter the firewall add validator outbound command. To block inbound and outbound traffic, delete the inbound validator then enter the firewall add validator both command.
To check which validators are set on an existing policy, enter the following command:
    firewall list validators etoi
Firewall Host Validators:
ID | Name | Direction | Host IP | Mask
-------------------------------------------------------------
16.8.6 Security triggers (CLI)
This example assumes that you have followed all the steps in the previous section. Security triggers are used to allow an application to open a secondary port in order to transport data.
To set up a trigger on the Firewall to allow Netmeeting (H323) from PC A to PC B, but not from PC B to PC A, enter the following commands:
Create an outbound-only portfilter (called h323) for Netmeeting and add it to the etoi policy:
    firewall add portfilter h323 etoi tcp 1720 1720 outbound
Note - If you are using Internet Locator Service (ILS), you also need to create a portfilter for Lightweight Directory Access Protocol (LDAP). LDAP uses TCP port 389.
To verify that the portfilter has been added, enter:
    firewall list portfilters etoi
Firewall Port Filters:
ID | Name | Type | Port Range  | In    | Out  | Raw   | TCP   | UDP
------------------------------------------------------------------------
1  | h323 | 6    | 1720 - 1720 | false | true | false | true  | false
2  | ping | 1    | 0 - 0       | true  | true | true  | false | false
------------------------------------------------------------------------
To enable the netmeeting (H323) data channel you need to add a trigger using the command:
    security add trigger h323-trigger netmeeting
To verify that the trigger has been added, enter:
    security list triggers
Security Triggers:
ID | Name | Type | Port Range | Interval
----------------------------------------------------
This adds a trigger called h323-trigger to allow Netmeeting to pass data through the Firewall. You should now be able to use netmeeting commands to pass data between PC A and PC B.
16.8.7 Firewall dmz (CLI)
This example assumes that you have followed all the steps in the previous section. To allow HTTP traffic to pass from PC B (WAN) to PC A via the Firewall's DMZ interface, you need to create an inbound HTTP portfilter to the external-dmz policy (etod). Enter the command:
    firewall add portfilter http etod tcp 80 80 inbound
To verify that the portfilter has been added to the etod policy, enter:
    firewall list portfilters etod
The following information is displayed:
Firewall Port Filters:
ID | Name | Type | Port Range | In | Out | Raw | TCP | UDP
--------------------------------------------------------------------
You should now be able to send HTTP traffic from PC B to PC C, via the Firewall's DMZ interface.
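To see how the policies, portfilters and validator entered in sections 16.8.3 to 16.8.7 combine, the following Python model (an added example, not ISOS code) decides whether a new session between two hosts would be passed. It assumes that traffic between two interface types is dropped unless a portfilter on that pair's policy allows it, that a block-only validator is checked first, and that "inbound" means from the first interface type of the policy towards the second; return traffic, NAT and triggers are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

# Subnets behind each inside security interface type in the example network.
# Any other address is treated as "external" (an assumption of this model).
ZONES = {
    "internal": ["10.1.1.0/24"],
    "dmz": ["172.16.1.0/24", "172.16.2.0/24"],
}


@dataclass
class PortFilter:
    name: str
    proto: str            # "icmp", "tcp" or "udp"
    ports: tuple          # (low, high); ignored for ICMP
    direction: str        # "inbound", "outbound" or "both"


@dataclass
class Validator:
    name: str
    direction: str
    host: str
    mask: str


@dataclass
class Policy:
    name: str
    type1: str            # outer side: type1 -> type2 is treated as inbound
    type2: str
    portfilters: list = field(default_factory=list)
    validators: list = field(default_factory=list)   # block-only (blockonly-val)


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return "external"


def applies(rule_direction, direction):
    return rule_direction in ("both", direction)


def decide(policies, src, dst, proto, dport=0):
    """Return (allowed, reason) for the packet that opens a session."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True, "same interface type, no policy crossed"
    policy = next((p for p in policies if {p.type1, p.type2} == {s, d}), None)
    if policy is None:
        return False, "no policy for %s-%s" % (s, d)
    direction = "inbound" if s == policy.type1 else "outbound"
    remote = src if direction == "inbound" else dst    # host on the type1 side
    for v in policy.validators:
        net = ipaddress.ip_network("%s/%s" % (v.host, v.mask), strict=False)
        if applies(v.direction, direction) and ipaddress.ip_address(remote) in net:
            return False, "validator %s" % v.name
    for f in policy.portfilters:
        port_ok = proto == "icmp" or f.ports[0] <= dport <= f.ports[1]
        if f.proto == proto and port_ok and applies(f.direction, direction):
            return True, "portfilter %s" % f.name
    return False, "no portfilter in %s" % policy.name


# The rules entered in sections 16.8.3 to 16.8.7.
POLICIES = [
    Policy("etoi", "external", "internal",
           [PortFilter("ping", "icmp", (0, 0), "both"),
            PortFilter("h323", "tcp", (1720, 1720), "outbound")],
           [Validator("pcb", "inbound", "192.168.100.2", "255.255.255.255")]),
    Policy("etod", "external", "dmz",
           [PortFilter("http", "tcp", (80, 80), "inbound")]),
    Policy("dtoi", "dmz", "internal"),
]

if __name__ == "__main__":
    for case in [("10.1.1.2", "192.168.100.2", "icmp", 0),      # PC A pings PC B
                 ("192.168.100.2", "10.1.1.2", "icmp", 0),      # PC B pings PC A
                 ("10.1.1.2", "192.168.100.2", "tcp", 1720),    # H323 outbound
                 ("192.168.100.2", "172.16.1.2", "tcp", 80),    # PC B to PC C
                 ("172.16.1.2", "10.1.1.2", "tcp", 80)]:        # PC C to PC A
        print(case, decide(POLICIES, *case))
```

Under this model the pcb validator stops PC B only on the etoi policy; PC B still reaches PC C over etod, because validators are attached per policy.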
16.9 Initial Firewall, WAN Router & DMZ Router configuration (EmWeb)
- Configure the ISOS System (WAN, LAN and DMZ routers ports).
- Configure the ISOS System (Firewall).
- Configure all the interfaces and routes on the ISOS System (Firewall).
- Configure the security interfaces on the ISOS System (Firewall).
- Start security and enable the Firewall on the ISOS System (Firewall).
At this point the network can be configured for various types of security configurations. The above steps are described in the following sections.

16.9.1 Configure the Routers (EmWeb)
To configure your routers, follow the instructions below:
For ISOS System (WAN Router):
1 From the Status page, click on the WAN Settings hyperlink or from the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
  From the left-hand menu, click on Configuration>IP routes. If there are any routes listed, check the Delete? checkbox and click on Apply. Repeat until all IP routes have been deleted.
2 Add the Ethernet device to the router. By default, your Ethernet device is already attached to the router using a default LAN connection called iplan, IP address 192.168.1.1. The LAN IP address must be on the same subnet as your PC IP address. For this configuration, you need to change the default LAN IP address to 192.168.100.1:
  a At the console, enter the following command:
        ip set interface iplan ipaddress 192.168.100.1
  b At the PC B web browser, enter the new IP address as the URL: http://192.168.100.1
    The EmWeb Welcome page is displayed.
3 Add an IPoA device to the router configured to run over VCI 100 with a PCR of 50000:
  From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
  Click on the IPoA routed radio button, then click on Configure.
  At the WAN connection: IPoA routed page, complete the following:
      Description: ipoa1
      VPI: 0
      VCI: 100
      (click on the WAN IP address radio button) WAN IP address: 192.168.101.2
  Click on Apply. The WAN connections page is displayed, containing details of the new IPoA transport.
  From the WAN connections table, click on the IPoA Edit link. From the Edit Service page, click on Edit ATM Channel.
  Set the Peak Cell Rate text box to 50000. You do not need to change the other default settings. Click on Change.
  From the left-hand menu, click on Configuration>IP routes. Click on the Create new IP V4Route link. The Create IP V4Route page is displayed.
  In the Gateway text box, type 192.168.101.1. You do not need to change the other default settings. Click on OK.
For ISOS System (DMZ Router):
From the Status page, click on the WAN Settings hyperlink or from the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted.
From the left-hand menu, click on Configuration>IP routes. If there are any routes listed, check the Delete? checkbox and click on Apply. Repeat until all IP routes have been deleted.
Add the Ethernet device to the router. By default, your Ethernet device is already attached to the router using a default LAN connection called iplan, IP address 192.168.1.1. The LAN IP address must be on the same subnet as your PC IP address. For this configuration, you need to change the default LAN IP address to 172.16.1.1:
  a At the console, enter the following command:
        ip set interface iplan ipaddress 172.16.1.1
  b At the PC C web browser, enter the new IP address as the URL: http://172.16.1.1
    The EmWeb Welcome page is displayed.
Add an IPoA device to the router configured to run over VCI 100 with a PCR of 50000:
  From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service.
  Click on the IPoA routed radio button, then click on Configure.
  At the WAN connection: IPoA routed page, complete the following:
      Description: ipoa1
      VPI: 0
      VCI: 100
      (click on the WAN IP address radio button) WAN IP address: 172.16.2.2
  Click on Apply. The WAN connections page is displayed, containing details of the new IPoA transport.
  From the WAN connections table, click on the IPoA Edit link. From the Edit Service page, click on Edit ATM Channel.
  Set the Peak Cell Rate text box to 50000. You do not need to change the other default settings. Click on Change.
  From the left-hand menu, click on Configuration>IP routes. Click on the Create new IP V4Route link. The Create IP V4Route page is displayed.
  In the Gateway text box, type 172.16.2.1. You do not need to change the other default settings. Click on OK.
For more information about the commands used in this section and further explanation of the configuration steps followed, refer to the full example of this type of configuration in Ethernet - IPoA routed on page 246.
16.9.2
Clear any existing IP interfaces, routes and Ethernet and IPoA transports by following the instructions below:
From the Status page, click on the WAN Settings hyperlink or from the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted. From the left-hand menu, click on Configuration>IP routes. If there are any routes listed, check the Delete? checkbox and click on Apply. Repeat until all IP routes have been deleted.
Configure the LAN interface. By default, your Ethernet device is already attached to the router using a default LAN connection called iplan, IP address 192.168.1.1. For this configuration, you need to change the default LAN IP address to 10.1.1.1:
a  At the console, enter the following command:
   ip set interface iplan ipaddress 10.1.1.1
b  At the PC A web browser, enter the new IP address as the URL: http://10.1.1.1 The EmWeb Welcome page is displayed.
From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service. Click on the IPoA routed radio button, then click on Configure. At the WAN connection: IPoA routed page, complete the following:
   Description: ipoa2
   VPI: 0
   VCI: 100
   (click on the WAN IP address radio button)
   WAN IP address: 172.16.2.1
Click on Apply. The WAN connections page is displayed, containing details of the new IPoA transport. The default port setting for new ATM transports is port a1. You need to set ipoa2 to use the second ATM port (a2) - a1 is needed for the WAN interface. From the WAN connections table, click on the ipoa2 Edit link. At the WAN connection edit page, click on the Edit Atm Channel link. At the Port text box, type a2. Click on Change. From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service. Click on the IPoA routed radio button, then click on Configure. At the WAN connection: IPoA routed page, complete the following: Description: ipoa1 VPI: 0 VCI: 100 (click on the WAN IP address radio button) WAN IP address: 192.168.101.1 Click on Apply. The WAN connections page is displayed, containing details of the new IPoA transport. From the left-hand menu, click on Configuration>IP routes. Click on the Create new IP V4Route link. The Create IP V4Route page is displayed. Type the following: Destination: 172.16.1.0 Gateway: 172.16.2.2 Netmask: 255.255.255.0 You do not need to change the Cost or Interface settings. Click on OK. From the left-hand menu, click on Configuration>IP routes. Click on the Create new IP V4Route link. The Create IP V4Route page is displayed. In the Gateway text box, type 192.168.101.2. You do not need to change the other default settings. Click on OK.
From the left-hand menu, click on Configuration>Security. The Security Interface Configuration page is displayed:
From the Security Interfaces section, click on the Add Interface link. At the Add Interface page, configure the following security interface: Name: ipoa-1 Interface Type: external Click on Apply. The Security Interface Configuration page is displayed. The Security Interface section contains a table displaying the security interface that you have just created. Create two more security interfaces by repeating steps two and three, using the following configuration information: a Name: ipoa-0 Interface Type: dmz
You can now add Firewall policies between the security interfaces:
Scroll down the Security Interface Configuration page to the Policies, Triggers and Intrusion Detection section. Click on Firewall Policy Configuration. The Firewall Policy Configuration page is displayed. Click on New Policy. The Firewall Add Policy page is displayed. Configure your first Firewall policy as follows: Between interface of types: external internal Validators will block traffic Click on Apply. The Firewall Policy Configuration page is displayed. The Current Firewall Policies table contains details of the policy that you have just created. Create two more policies by repeating steps two and three using the following configuration information: a Between interface of types: external dmz Validators will block traffic b Between interface of types: dmz internal Validators will block traffic
If you do not want to set your own policies, and would rather use one of the default Security levels containing predefined policies and portfilters, see Using a default Security level (EmWeb) on page 378.

16.10.1 Start Security and enable the Firewall (EmWeb)

To start Security and enable the Firewall:
At the Security Interface Configuration page, click on the Security Enabled radio button. Click on Change State. The page is refreshed and Security is enabled. Click on the Firewall Enabled radio button. Click on Change State. The page is refreshed and the Firewall is enabled.
At this point the network is now secure. All the interfaces which have been defined are protected; all traffic is blocked between different interface types.
16.10.2 Start Security and enable the Firewall (EmWeb)

To start Security and enable the Firewall:
At the Security Interface Configuration page, click on the Security Enabled radio button. Click on Change State. The page is refreshed and Security is enabled. Click on the Firewall Enabled radio button. Click on Change State. The page is refreshed and the Firewall is enabled.
At this point the network is now secure. All the interfaces which have been defined are protected; all traffic is blocked between different interface types. You can now configure the Firewall to allow certain types of data transfer to take place between the PCs on different networks. See Firewall example configurations (EmWeb) on page 378.
Configure the ISOS System (WAN router). See Configure the WAN Router using the CLI on page 343.
Configure the ISOS System (Firewall). See Configure the ISOS System (Firewall) using the CLI on page 343.

Configure the WAN Router using the CLI

To configure the WAN Router, follow the instructions below:

Clear any existing IP interfaces, routes and transports by typing the following commands:
   ip clear interfaces
   ip clear routes
   transports clear
Add an Ethernet and an IPoA transport:
   ethernet add transport eth1 ethernet
   ip add interface ip1 192.168.100.1 255.255.255.0
   ip attach ip1 eth1
   ipoa add transport ipoa1 pvc a1 0 100
   ip add interface ip2 192.168.101.2 255.255.255.0
   ip attach ip2 ipoa1
   ipoa transport ipoa1 set pvc 1 pcr 50000
Add a default route, with ISOS System (Firewall) as the gateway:
   ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.101.1

For more information about the commands used in this section and further explanation of the configuration steps followed, refer to the full example of this type of configuration in Ethernet - IPoA routed on page 246.

Configure the ISOS System (Firewall) using the CLI

To configure the interfaces and routes used by the ISOS System (Firewall) enter the following commands:

Clear any existing IP interfaces, routes and Ethernet and IPoA transports by typing the following commands:
   ip clear interfaces
   ip clear routes
   ethernet clear transports
   ipoa clear transports
Configure the LAN interface using the following commands:
   ethernet add transport eth0 ethernet
   ip add interface lan 10.1.1.1 255.255.255.0
   ip attach lan eth0
Configure the virtual DMZ interface using the following commands:
   ip add interface dmz 172.16.1.1
   ip attachvirtual dmz lan
The virtual interface dmz_virtual is attached to the real LAN interface. The LAN interface (lan) has already been attached to an ethernet transport (eth0). The dmz_virtual interface uses the eth0 transport to transfer data.
Configure the WAN interface using the following commands:
   ipoa add transport ipoa1 pvc a1 0 100
   ip add interface wan 192.168.101.1 255.255.255.0
   ip attach wan ipoa1
Add a default route to the WAN network (i.e., 192.168.101.2):
   ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.101.2
Check that the IP interfaces are configured correctly by entering the following command:
   ip list interfaces

ID | Name | IP Address    | DHCP     | Transport
---|------|---------------|----------|----------
1  | lan  | 10.1.1.1      | disabled | eth0
2  | dmz  | 172.16.1.1    | disabled | [lan]
3  | wan  | 192.168.101.1 | disabled | ipoa1
------------------------------------------------

Notice that the DMZ transport is displayed as [lan]. This shows that the DMZ is attached to the real LAN interface.

16.11.1 Security Configuration (CLI)

This section contains instructions on configuring Security using the CLI.
1  Configure the security interfaces on the ISOS System (Firewall). See Configuring security interfaces using the CLI on page 364.
2  Start security and enable the Firewall on the ISOS System (Firewall). See Starting Security and enabling the Firewall using the CLI on page 364.
At this point the network can now be configured for various types of security configurations. The above steps are described in the following sections.

Configuring security interfaces using the CLI

With all interfaces and routes set up, we can now begin to configure the security interfaces:
   security add interface lan internal
   security add interface wan external
   security add interface dmz dmz
To check that the interfaces have been added, enter:
   security list interfaces
The following output is displayed:

Security Interfaces:
ID | Name | Type
----------------------------

Starting Security and enabling the Firewall using the CLI

To start Security and enable the Firewall, enter the following commands:
   security enable
   firewall enable
To check that this has been enabled, enter:
   security status
16.12.2 Global address pool and reserved map (CLI)

This section describes how to create two global address pools on your WAN interface, then use the global addresses to create reserved mappings. The reserved mappings allow NAT to translate packets between the WAN interface and each of the two different inside interfaces (LAN and DMZ). Firstly, create secondary addresses for the addresses that will be added to the global address pool:

   ip interface wan add secondaryipaddress 100.100.100.100 255.255.255.0
   ip interface wan add secondaryipaddress 100.100.100.101 255.255.255.0

To create two global pools on the WAN interface for each of the inside interfaces (internal and DMZ) enter:

   nat add globalpool g1 wan internal 100.100.100.100 endaddress 100.100.100.100
   nat add globalpool g2 wan dmz 100.100.100.101 endaddress 100.100.100.101

If you have followed the instructions in Enabling NAT (CLI) on page 365, NAT will already be enabled between the internal and WAN interfaces and between the DMZ and WAN interfaces. To create reserved mappings between the WAN virtual interfaces and the internal PCs' IP addresses (internal = 10.1.1.2, DMZ = 172.16.1.2), enter the following commands:

   nat add resvmp r1 interfacename virtual_lan 100.100.100.100 10.1.1.2 all
   nat add resvmp r2 interfacename virtual_dmz 100.100.100.101 172.16.1.2 all

To demonstrate the effect of the above commands, execute the following ping commands:
ping from PC B to IP address 100.100.100.100. PC A (IP address 10.1.1.2) will be seen to respond to this request.
ping from PC B to IP address 100.100.100.101. PC C (IP address 172.16.1.2) will be seen to respond to this request.
-------------------------------------------------------------------
1 | etoi | external | internal | false
2 | etod | external | dmz      | false
3 | dtoi | dmz      | internal | false
-------------------------------------------------------------------
If you do not want to set your own policies, and would rather use one of the default Security levels containing predefined policies and portfilters, see Using a default Security level (CLI) on page 367. At this point, the network is secure. All of the defined interfaces are protected; all traffic is blocked between different interface types. The next sections describe how to configure the Firewall to allow certain types of data transfer to take place between the PCs on different networks.

16.13.3 Firewall portfilters (CLI)

These examples assume that you have not set a default Firewall level, and that you have followed all the steps in the previous section, Initial virtual DMZ interface network configuration (CLI) on page 361. Portfilters are individual rules that determine what kind of traffic can pass between two particular interface types. You can add many portfilters to an existing firewall policy.

Setting up an ICMP portfilter (CLI)

For example, to allow pings between PC A (in the LAN) and PC B (in the WAN) enter the following command:
   firewall add portfilter ping etoi icmp both
The above command adds a portfilter called ping to the firewall policy etoi. etoi is the policy name between the internal (LAN) and external (WAN) security interfaces. The portfilter ping allows the ICMP protocol to be used in both directions. To check that the portfilter has been set up correctly, enter:
ID | Name | In | Out | Raw | TCP | UDP
--------------------------------------------------------------------
You can now check that pings are allowed between PC A and PC B:
   ip ping 192.168.100.2

PING 192.168.100.2 (192.168.100.2) from 10.1.1.2 : 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=0 ttl=253 time=2.2 ms
64 bytes from 192.168.100.2: icmp_seq=1 ttl=253 time=2.0 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=253 time=2.0 ms
64 bytes from 192.168.100.2: icmp_seq=3 ttl=253 time=1.9 ms
64 bytes from 192.168.100.2: icmp_seq=4 ttl=253 time=1.9 ms
--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.9/2.0/2.2 ms
16.13.4 Firewall validators (CLI)

This example assumes that you have followed all the steps in the previous section. Validators allow you to filter traffic based on the source and/or destination IP address and netmask. For example, if PC B was a suspicious host outside the network, you can create a validator that blocks traffic sent to PC A from PC B's IP address and netmask. The policy etoi is already set to block only the IP address featured in the following validator command:

   firewall add validator pcb etoi inbound 192.168.100.2 255.255.255.255

This adds a validator called pcb to the firewall policy etoi. etoi is the policy name between the internal (LAN) and external (WAN) security interfaces.
The validator pcb only blocks inbound traffic sent from PC B to PC A via the Firewall's LAN interface. It does not block inbound traffic sent from PC B to PC A via the Firewall's DMZ interface. It also does not block outbound traffic, so PC A can still send data to PC B. To block outbound traffic to PC B, delete the existing inbound validator (using the firewall delete validator command), then enter the firewall add validator outbound command. To block inbound and outbound traffic, delete the inbound validator then enter the firewall add validator both command. To check which validators are set on an existing policy, enter the following command:

   firewall list validators etoi

Firewall Host Validators:
ID | Name | Direction | Host IP | Mask
-------------------------------------------------------------

16.13.5 Security triggers (CLI)

This example assumes that you have followed all the steps in the previous section. Security triggers are used to allow an application to open a secondary port in order to transport data. To set up a trigger on the Firewall to allow Netmeeting (H323) from PC A to PC B via the Firewall's LAN interface, but not from PC B to PC A, enter the following commands:

Firstly, create an outbound-only portfilter (called h323) for Netmeeting and add it to the etoi policy:
   firewall add portfilter h323 etoi tcp 1720 1720 outbound
To verify that the portfilter has been added, enter:
   firewall list portfilters etoi

Firewall Port Filters:
ID | Name | Type | Port Range  | In    | Out  | Raw   | TCP   | UDP
------------------------------------------------------------------------
1  | h323 | 6    | 1720 - 1720 | false | true | false | true  | false
2  | ping | 1    | 0 - 0       | true  | true | true  | false | false
------------------------------------------------------------------------

To enable the netmeeting (H323) data channel you need to add a trigger using the command:
   security add trigger h323-trigger netmeeting
To verify that the trigger has been added, enter:
   security list triggers

Security Triggers:
ID | Name | Type | Port Range | Interval
----------------------------------------------------

This adds a trigger called h323-trigger to allow Netmeeting to pass data through the Firewall. You should now be able to use netmeeting commands to pass data between PC A and PC B via the Firewall's LAN interface.

16.13.6 Firewall dmz (CLI)

This example assumes that you have followed all the steps in the previous section. To allow HTTP traffic to pass from PC B (WAN) to PC A via the Firewall's DMZ interface, you need to create an inbound HTTP portfilter to the external-dmz policy (etod): Enter the command:
   firewall add portfilter http etod tcp 80 80 inbound
To verify that the portfilter has been added to the etod policy, enter:
   firewall list portfilters etod
The following information is displayed:

Firewall Port Filters:
ID | Name | Type | Port Range | In | Out | Raw | TCP | UDP
--------------------------------------------------------------------

You should now be able to send HTTP traffic from PC B to PC C, via the Firewall's DMZ interface.
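The portfilter and validator behaviour described in sections 16.13.3 to 16.13.6, as an added Python model (not ISOS code and not part of the original guide): it parses the four firewall add commands given above and evaluates the packet that opens a flow. The zone table, the reading of inbound as running from the first-listed interface type to the second, and validators being checked before portfilters are assumptions drawn from the guide's descriptions; reply traffic is not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Policy names and interface-type pairs as listed in the guide.
POLICIES = {"etoi": ("external", "internal"),
            "etod": ("external", "dmz"),
            "dtoi": ("dmz", "internal")}
PAIR_TO_POLICY = {frozenset(pair): name for name, pair in POLICIES.items()}

# Inside networks from the guide's example; any other address is "external".
ZONES = {"internal": ipaddress.ip_network("10.1.1.0/24"),
         "dmz": ipaddress.ip_network("172.16.1.0/24")}
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}

# Commands copied from sections 16.13.3 to 16.13.6.
PAGE_COMMANDS = """\
firewall add portfilter ping etoi icmp both
firewall add validator pcb etoi inbound 192.168.100.2 255.255.255.255
firewall add portfilter h323 etoi tcp 1720 1720 outbound
firewall add portfilter http etod tcp 80 80 inbound
"""


@dataclass
class PortFilter:
    name: str
    policy: str
    proto: int
    ports: tuple      # (start, end), or None for a protocol without ports
    direction: str    # inbound, outbound or both


@dataclass
class Validator:
    name: str
    policy: str
    direction: str
    net: object       # ipaddress network built from host IP and mask


def load(commands):
    """Parse the two command forms used in the guide into rule objects."""
    filters, validators = [], []
    for line in commands.strip().splitlines():
        w = line.split()
        if len(w) < 5 or w[4] not in POLICIES:
            raise ValueError(f"unsupported command: {line}")
        if w[:3] == ["firewall", "add", "portfilter"]:
            name, policy, proto, *rest = w[3:]
            ports = (int(rest[0]), int(rest[1])) if len(rest) == 3 else None
            filters.append(PortFilter(name, policy, PROTO[proto], ports, rest[-1]))
        elif w[:3] == ["firewall", "add", "validator"]:
            name, policy, direction, ip, mask = w[3:]
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            validators.append(Validator(name, policy, direction, net))
        else:
            raise ValueError(f"unsupported command: {line}")
    return filters, validators


def zone_of(ip):
    """Map an address to a security interface type."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "external"


def decide(filters, validators, src, dst, proto, dport=None):
    """Return (verdict, reason) for the packet that opens a flow."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        # Assumption: policies only apply between different interface types.
        return "allow", "same interface type, no policy applies"
    policy = PAIR_TO_POLICY[frozenset((s, d))]
    # Assumption: "inbound" runs from the first-listed type to the second.
    direction = "inbound" if s == POLICIES[policy][0] else "outbound"
    # Assumption: a validator names the host on the first-listed side, so it
    # is compared with the source when inbound and the destination when outbound.
    remote = ipaddress.ip_address(src if direction == "inbound" else dst)
    for v in validators:
        if v.policy == policy and v.direction in (direction, "both") and remote in v.net:
            return "block", f"validator {v.name}"
    for f in filters:
        port_ok = f.ports is None or (
            dport is not None and f.ports[0] <= dport <= f.ports[1])
        if (f.policy == policy and f.proto == PROTO[proto]
                and f.direction in (direction, "both") and port_ok):
            return "allow", f"portfilter {f.name}"
    return "block", f"no portfilter in {policy} allows it"


if __name__ == "__main__":
    fs, vs = load(PAGE_COMMANDS)
    probes = [("192.168.100.2", "10.1.1.2", "icmp", None),   # PC B -> PC A
              ("10.1.1.2", "192.168.100.2", "tcp", 1720),    # PC A -> PC B
              ("192.168.100.2", "172.16.1.2", "tcp", 80),    # PC B -> PC C
              ("172.16.1.2", "10.1.1.2", "tcp", 80)]         # PC C -> PC A
    for p in probes:
        print(p, decide(fs, vs, *p))
```

Running it shows that the pcb validator overrides the ping portfilter only for inbound traffic on etoi, and that dtoi, which has no portfilters, still blocks everything.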
Configure the ISOS System (WAN and LAN router ports).
Configure the ISOS System (Firewall).
Configure all the interfaces and routes on the ISOS System (Firewall).
Configure the security interfaces on the ISOS System (Firewall).
Start security and enable the Firewall on the ISOS System (Firewall).

At this point the network can now be configured for various types of security configurations. The above steps are described in the following sections.

16.14.1 Configure the Routers (EmWeb)

To configure your routers, follow the instructions below:

For ISOS System (WAN Router):
From the Status page, click on the WAN Settings hyperlink or from the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted. From the left-hand menu, click on Configuration>IP routes. If there are any routes listed, check the Delete? checkbox and click on Apply. Repeat until all IP routes have been deleted.
Add the Ethernet device to the router. By default, your Ethernet device is already attached to the router using a default LAN connection called iplan, IP address 192.168.1.1. The LAN IP address must be on the same subnet as your PC IP address. For this configuration, you need to change the default LAN IP address to 192.168.100.1:
At the console, enter the following command:
   ip set interface iplan ipaddress 192.168.100.1
At the PC B web browser, enter the new IP address as the URL: http://192.168.100.1 The EmWeb Welcome page is displayed.
Add an IPoA device to the router configured to run over VCI 100 with a PCR of 50000:
From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service. Click on the IPoA routed radio button, then click on Configure. At the WAN connection: IPoA routed page, complete the following: Description: ipoa1 VPI: 0 VCI: 100 (click on the WAN IP address radio button) WAN IP address: 192.168.101.2 Click on Apply. The WAN connections page is displayed, containing details of the new IPoA transport.
From the WAN connections table, Click on the IPoA Edit link. From the Edit Service page, click on Edit ATM Channel. Set the Peak Cell Rate text box to 50000. You do not need to change the other default settings. Click on Change. From the left-hand menu, click on Configuration>IP routes. Click on the Create new IP V4Route link. The Create IP V4Route page is displayed. In the Gateway text box, type 192.168.101.1. You do not need to change the other default settings. Click on OK.
16.14.2 Configure the ISOS System (Firewall) (EmWeb)

To configure the Firewall:

Clear any existing IP interfaces, routes and Ethernet and IPoA transports by following the instructions below:
From the Status page, click on the WAN Settings hyperlink or from the left-hand menu, click on Configuration>WAN connections. The WAN connections page is displayed. If there are any connections listed, click on the Delete hyperlink, then click on Delete this connection. Repeat until all WAN connections have been deleted. From the left-hand menu, click on Configuration>IP routes. If there are any routes listed, check the Delete? checkbox and click on Apply. Repeat until all IP routes have been deleted.
Configure the LAN interface. By default, your Ethernet device is already attached to the router using a default LAN connection called iplan, IP address 192.168.1.1. For this configuration, you need to change the default LAN IP address to 10.1.1.1:
a  At the console, enter the following command:
   ip set interface iplan ipaddress 10.1.1.1
b  At the PC A web browser, enter the new IP address as the URL: http://10.1.1.1 The EmWeb Welcome page is displayed.
Click on the Create a new virtual interface... hyperlink at the bottom of the LAN connections page. On the Create virtual interface page, type the following: IP Address: 172.16.1.1 Netmask: 255.255.255.0 Click on the Apply button. The LAN connections page is displayed. The virtual interfaces section displays details of the DMZ virtual interface that you have created. The virtual interface is called item0 by default. From the left-hand menu, click on Configuration>WAN connections. Click on Create a new service. Click on the IPoA routed radio button, then click on Configure. At the WAN connection: IPoA routed page, complete the following: Description: ipoa1 VPI: 0 VCI: 100 (click on the WAN IP address radio button) WAN IP address: 192.168.101.1 Click on Apply. The WAN connections page is displayed, containing details of the new IPoA transport. From the left-hand menu, click on Configuration>IP routes. Click on the Create new IP V4Route link. The Create IP V4Route page is displayed. In the Gateway text box, type 192.168.101.2. You do not need to change the other default settings. Click on OK.
16.14.3 Configuring the security interfaces (EmWeb)

With all interfaces and routes set up, we can now begin to configure the security interfaces:
From the left-hand menu, click on Configuration>Security. The Security Interface Configuration page is displayed:
From the Security Interfaces section, click on the Add Interface link. At the Add Interface page, configure the following security interface: Name: ipoa-1 Interface Type: external Click on Apply. The Security Interface Configuration page is displayed. The Security Interface section contains a table displaying the security interface that you have just created. Create two more security interfaces by repeating steps two and three, using the following configuration information: a Name: item0 Interface Type: dmz b Name: iplan Interface Type: internal
You can now add Firewall policies between the security interfaces:
Scroll down the Security Interface Configuration page to the Policies, Triggers and Intrusion Detection section. Click on Firewall Policy Configuration. The Firewall Policy Configuration page is displayed. Click on New Policy. The Firewall Add Policy page is displayed. Configure your first Firewall policy as follows: Between interface of types: external internal Validators will block traffic Click on Apply. The Firewall Policy Configuration page is displayed. The Current Firewall Policies table contains details of the policy that you have just created. Create two more policies by repeating steps two and three using the following configuration information: a Between interface of types: external dmz Validators will block traffic b Between interface of types: dmz internal Validators will block traffic
If you do not want to set your own policies, and would rather use one of the default Security levels containing predefined policies and portfilters, see Using a default Security level (EmWeb) on page 378.

16.14.4 Start Security and enable the Firewall (EmWeb)

To start Security and enable the Firewall:
At the Security Interface Configuration page, click on the Security Enabled radio button. Click on Change State. The page is refreshed and Security is enabled. Click on the Firewall Enabled radio button. Click on Change State. The page is refreshed and the Firewall is enabled.
At this point the network is now secure. All the interfaces which have been defined are protected; all traffic is blocked between different interface types.
You can now configure the Firewall to allow certain types of data transfer to take place between the PCs on different networks. See Firewall example configurations (EmWeb) on page 378.
At the Security Level section of the Security Interface Configuration page, click on the drop-down list and select the level that you want to set; none, high, medium or low. Click on the Change Level button.
The high, medium and low levels contain default policy and portfilter configurations for each of your network interface connections, so you do not need to set your own individual policies and portfilters. To see the policies and portfilters set by the default level, from the Security Interface Configuration page, click on Firewall Policy Configuration>Port Filters. For more information about the configurations contained in each level, see the Firewall chapter of the ISOS 8.2 CLI Reference Manual: DO-009787-PS.

16.15.2 Firewall portfilters (EmWeb)

These examples assume that you have not set a default Firewall level, and that you have followed all the steps in the previous section, Initial Firewall, WAN Router & DMZ Router configuration (EmWeb) on page 353. Portfilters are individual rules that determine what kind of traffic can pass between two particular interface types. You can add many portfilters to an existing firewall policy.

Setting up an ICMP portfilter (EmWeb)

For example, to allow pings between PC A (in the LAN) and PC B (in the WAN) you need to add an ICMP portfilter to the external-internal policy:
At the Security Interface Configuration page, click on Firewall Policy Configuration. The Firewall Policy Configuration page is displayed. At the Current Firewall Policies table, click on the Port Filters link that corresponds to the external - internal policy. The Firewall Port Filters: external-internal page is displayed. Click on Add Raw IP Filter. Configure the table by typing the following information about the ICMP portfilter: Transport Type: 1 Direction Inbound: Allow Direction Outbound: Allow Click on Apply. The Firewall Port Filters: external-internal page is displayed, containing details of the portfilter that you have just created.
For details of protocol transport types and ports, see the Assigned Numbers RFC 1700 at http://www.faqs.org/rfcs/rfc1700.html. You can now check that pings are allowed between PC A and PC B, by entering the following at PC A:
   ping 192.168.100.2

PING 192.168.100.2 (192.168.100.2) from 10.1.1.2 : 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=0 ttl=253 time=2.2 ms
64 bytes from 192.168.100.2: icmp_seq=1 ttl=253 time=2.0 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=253 time=2.0 ms
64 bytes from 192.168.100.2: icmp_seq=3 ttl=253 time=1.9 ms
64 bytes from 192.168.100.2: icmp_seq=4 ttl=253 time=1.9 ms
--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.9/2.0/2.2 ms
16.15.3 Firewall validators (EmWeb)

This example assumes that you have followed all of the steps in the previous section. Validators allow you to filter traffic based on the source and/or destination IP address and netmask. For example, if PC B was a suspicious host outside the network, you can create a validator that blocks traffic sent to PC A from PC B's IP address and netmask. The policy external-internal is already set to block only the IP address featured in the following validator:
At the Firewall Policy Configuration page, click on the Host Validators link that corresponds to the external - internal policy. The Configure Validators: external-internal page is displayed. Click on Add Host Validator. The Firewall Add Host Validator page is displayed. Configure the validator by typing the following information: Host IP Address: 192.168.100.2 Host Subnet Mask: 255.255.255.255 Direction: inbound Click on Apply. The Configure Validators page is displayed, containing details of the host validator that you have just created.
This adds a validator to the firewall policy between the internal (LAN) and external (WAN) security interfaces. The validator only blocks inbound traffic (data sent from PC B to PC A). It does not block outbound traffic, so PC A can still send data to PC B. To block outbound traffic to PC B, delete the existing inbound validator (by clicking on Delete Host Validator at the Configure Validators page) and repeat steps two and three, replacing: Direction: inbound with: Direction: outbound To block inbound and outbound traffic, delete the inbound validator then repeat steps two and three replacing: Direction: inbound with: Direction: both
16.15.4 Security triggers (EmWeb) This example assumes that you have followed all the steps in the previous section. Security triggers are used to allow an application to open a secondary port in order to transport data. To setup a trigger on the Firewall to allow Netmeeting (H323) from PC A to PC B, but not from PC B to PC A: Firstly, create an outbound-only portfilter for Netmeeting and add it to the external - internal policy:
1. From the left-hand menu click on Configuration>Security to display the Security Interface Configuration page.
2. From the Policies, Triggers and Intrusion Detection section, click on Firewall Policy Configuration. The Firewall Policy Configuration page is displayed.
3. At the Current Firewall Policies table, click on the Port Filters link that corresponds to the external - internal policy. The Firewall Port Filters: external-internal page is displayed.
4. Click on Add TCP Filter. Configure the table by typing the following information about the Netmeeting portfilter:
   Port Range Start: 1720
   Port Range End: 1720
   Direction Inbound: Block
   Direction Outbound: Allow
5. Click on Apply. The Firewall Port Filters: external-internal page is displayed, containing details of the portfilter that you have just created.
For details of protocol transport types and ports, see the Assigned Numbers RFC 1700 at http://www.faqs.org/rfcs/rfc1700.html. To enable the Netmeeting data channel you need to add a trigger:
1. From the left-hand menu click on Configuration>Security to display the Security Interface Configuration page.
2. From the Policies, Triggers and Intrusion Detection section, click on Firewall Trigger Configuration. The Firewall Trigger Configuration page is displayed.
3. Click on New Trigger.
4. At the Firewall Add Trigger page, configure the table by typing the following information:
   Transport Type: tcp
   Port Number Start: 1720
   Port Number End: 1720
   Allow Multiple Hosts: Block
   Max Activity Interval: 3000
   Enable Session Chaining: Block
   Enable UDP Session Chaining: Block
   Binary Address Replacement: Block
   Address Translation Type: none
This adds a trigger called tcp-trigger to allow Netmeeting (H323) to pass data through the Firewall. You should now be able to use netmeeting commands to pass data between PC A and PC B.

16.15.5 Firewall dmz (EmWeb)
This example assumes that you have followed all the steps in the previous section. To enable HTTP from PC B (WAN) to PC C (DMZ) you need to create an inbound HTTP portfilter to the external-dmz policy (etod):
1. From the left-hand menu click on Configuration>Security to display the Security Interface Configuration page.
2. From the Policies, Triggers and Intrusion Detection section, click on Firewall Policy Configuration. The Firewall Policy Configuration page is displayed.
3. At the Current Firewall Policies table, click on the Port Filters link that corresponds to the external - dmz policy. The Firewall Port Filters: external-dmz page is displayed.
4. Click on Add TCP Filter. Configure the table by typing the following information about the Netmeeting portfilter:
   Port Range Start: 80
   Port Range End: 80
   Direction Inbound: Allow
   Direction Outbound: Block
5. Click on Apply. The Firewall Port Filters: external-dmz page is displayed, containing details of the portfilter that you have just created.
You should now be able to send HTTP data from PC B to PC C. You should not be able to send data from PC C to PC B.
From the left-hand menu, click on Configuration>Security. The Security Interface Configuration page is displayed. At the Security Interfaces section, click on the Enable NAT to internal interfaces button that corresponds to the ipoa-1 - external interface connection. The page is refreshed and NAT is configured to translate addresses from the internal security interface to the wan security interface.
To demonstrate the effect of this configuration, execute a ping command from PC A to PC B. If you have access to a packet sniffer, attach this to the WAN side of the network and you can see that the IP address of PC A has changed - been translated by NAT - from 10.1.1.2 to 192.168.101.1. Compare this to the example ping output between PC A and PC B in Firewall portfilters (CLI) on page 350.

16.16.2 Global address pool and reserved map (EmWeb)
This section describes how to create two global address pools on your WAN interface, then use the global addresses to create reserved mappings. The reserved mappings allow NAT to translate packets between the WAN interface and each of the two different inside interfaces (LAN and DMZ).
If you have followed the instructions in Enabling NAT (EmWeb) on page 383, NAT will already be enabled between the internal and WAN interfaces. To enable NAT between the DMZ and WAN interfaces:
1. From the left-hand menu, click on Configuration>Security. The Security Interface Configuration page is displayed.
2. At the Security Interfaces section, click on the Enable NAT to DMZ interfaces button that corresponds to the ipoa-1 - external interface connection. The page is refreshed and NAT is configured to translate addresses from the dmz security interface to the wan security interface.

1. At the Security Interface Configuration page scroll down to the Security Interfaces section. Click on the Advanced NAT Configuration link that corresponds to the ipoa-1 - external interface connection. The Advanced NAT Configuration page is displayed.
2. Click on the Add Global Address Pool link. Configure the global address pool by entering the following information:
   Interface type: internal
   Use Subnet Configuration: Use IP Address Range
   IP Address: 100.100.100.100
   Subnet Mask/IP Address 2: 100.100.100.100
3. Click on the Add Global Address Pool button. The Advanced NAT Configuration: ipoa-1 page is displayed, containing details of the global address pool that you have just created.
4. Repeat steps two and three. At step two, change the following configuration:
   Interface type: dmz
   Use Subnet Configuration: Use IP Address Range
   IP Address: 100.100.100.101
   Subnet Mask/IP Address 2: 100.100.100.101
To create reserved mappings between the global IP addresses and the internal PCs' IP addresses (internal = 10.1.1.2, DMZ = 172.16.1.2):

1. From the Advanced NAT Configuration page: ipoa-1, click on the Add Reserved Mapping link. At the Add Reserved Mapping table, enter the following configuration information:
   Global IP Address: 100.100.100.100
   Internal IP Address: 10.1.1.2
   Transport Type: all
   Port Number: 0
2. Click on the Add Reserved Mapping button. The Advanced NAT Configuration: ipoa-1 page is displayed, containing details of the reserved mapping that you have just created.
3. Repeat steps one and two. At step one, use the following configuration:
   Global IP address: 100.100.100.101
   Internal IP Address: 172.16.1.2
   Transport Type: all
   Port Number: 0
To demonstrate the effect of the above commands, execute the following ping commands:
- ping from PC B to IP address 100.100.100.100. PC A (IP address 10.1.1.2) will be seen to respond to this request.
- ping from PC B to IP address 100.100.100.101. PC A (IP address 172.16.1.2) will be seen to respond to this request.
Note: You will need to set up a portfilter to allow ICMP traffic to pass between PC B and PC C. See Firewall portfilters (EmWeb) on page 378.
This chapter provides information about how to obtain and change various system and setup information about the ISOS System.
17.1 Introduction
This chapter describes how to obtain and change various system and setup information about an ISOS System and the software that is used with it:
- Obtaining information about images and configuration files; see Image validation and verification on page 388.
- Obtaining version information for all installed ISOS software packages; see Obtaining software package version information on page 391.
- Obtaining and changing system information such as network addresses, module information; see Obtaining system information on page 393.
- Analyzing system setup; see Setup analysis on page 396.
- Obtaining diagnostic information; see Getting diagnostic information on page 399.
Note: You must be able to access the console from the CLI in order to use some of the commands described in this chapter. For information on CLI access permissions, see Access permissions to the CLI on page 129. For details of how to access the console, see Entering console commands from the CLI on page 137.
17.2
Image validation information is stored in a header in the image file. You can manipulate the contents of the image validation header using the image validation library. For details on how to manipulate the image validation library, see ATMOS Image Validation Library Functional Specification: DO-008611-PS.
Note: To include the image validation library, you must add the line package imagevalidate to your system file. This package is included in many of the default product builds provided in ISOS.
The image validation header is added to the beginning of the image during the build process:

Start of image
   Image validation header
   Image (possibly compressed)
End of image
Figure 78
The File Manager also provides a command which enables you to find out information about an ISOS image. To view details about the ISOS image in the default filesystem, enter the console command:
fm info image
The following files have image headers which can be read by this command:
- image
- NPimage
Both text and binary files are supported by image validation. The headers for text and binary files contain different information:

Binary file image validation header:
- Build ID; a unique eighteen-character ID for the image. If you need to contact GlobespanVirata Technical Advice Center (TAC) regarding your image, you will need to give them the build ID.
- Run-time memory requirements - the amount of memory that the system should contain
- Size and checksum of the image
- Compression method of the image
- Raw header of the binary file
- Details about the processor, board support package identifier, chip support package identifier and version of the software

Text file image validation header:
- Build ID; a unique eighteen-character ID for the image. If you need to contact GlobespanVirata Technical Advice Center (TAC) regarding your image, you will need to give them the build ID.
- Size and checksum of the image
- Board support package identifier
- Chip support package identifier
- Software version
The most important information shown here is:
- Build date; provides information about the date the image was built.
- Chip support package; provides information about the CSP and version of ISOS which was used to build the image.
- Board support package; provides information about the BSP and version of ISOS which has been used to build the image.
- System; provides information about the product type that was specified in the build.
- Checksum; a unique id for the image.
You can print the contents of your image validation header using the printf function. For more information on image validation, see the ATMOS Image Validation Library Functional Specification: DO-008611-PS.
17.3
isos-ver can be used to scan a specified ISOS source directory tree and return information about the various ISOS releases and packages which have been installed in the directory. This includes:
- Source releases
- Source release Enhancement packs
- Source release Service packs
- Chip Support packages
- Chip Support package Service packs
- Board Support packages/Source code overlays
- Board Support package/Source code overlay Service packs
- Tools release - but not any patches which have been added to a Tools release

For the isos-ver command to return an accurate description of the atmos install directory contents, all the software packs in the directory must have been installed with a software version information file (*.ivi) included in the Zip file. These files are copied into the atmos/version_information directory and used by isos-ver to return information about the packages which have been installed. Version information files have only been used in releases made for ISOS R8.1 and later. Therefore, isos-ver will not return information for ISOS source releases made prior to ISOS R8.1.

17.3.2 Using isos-ver
The syntax of the isos-ver command is:
isos-ver [-d <directory>] [-f <version file>]
The options are described below:
- When executed with the -d option, isos-ver will look in the specified <directory> for all files with an extension *.ivi. For each file it finds isos-ver will display a one line summary of the package associated with this file.
- When executed with the -f option, isos-ver will attempt to parse the specified <version file> and display a summary of the package associated with this file.
- When executed with no options, isos-ver will attempt to find a valid version_info directory in the current directory and if this fails it will look for a directory called atmos/version_info. If it finds either of these directories isos-ver will behave as if it was invoked with the -d option.
The information returned by isos-ver for a typical ISOS installation directory called atmos installed on a Linux platform is given below:

isos-ver -d atmos/version_info
Version directory: version_info
DO-400599-LS (Issue 3) : (8.2 SR2) ISOS source release
DO-400600-LS (Issue 3) : (8.2 SR2) Augustus CSP
GlobespanVirata tools version: 8.20.00.03 O/S version: RedHat version: Libc version: GCC version: Arm-GCC version: 2.95 Linux 2.4.7-10 Red Hat Linux release 7.2 (Enigma) 6
For each software package installed in the directory, isos-ver will display a one line summary containing the following information:
- The part number of the software package.
- The issue number of the software package.
- The major software version of the ISOS release. The version number must be the same for all packages. If two major version numbers are found, an error message will be returned.
- A description of the software package.

17.3.3 Further information
For more information about the isos-ver command and the options which can be used with it, refer to the isos-ver manual page.
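An added example (not part of the GlobespanVirata tools) that parses saved isos-ver one-line summaries into the four fields listed above and repeats the same-version check offline, for instance when auditing a build tree from a captured log. It assumes the first token inside the parentheses ("8.2" in "8.2 SR2") is the major version; the function names and the DO-000000-LS line are constructed for illustration.

```python
import re
from collections import defaultdict

# part number, "(Issue N)", ":", "(version)", description
PACKAGE_LINE = re.compile(
    r"^(?P<part>DO-\d+-[A-Z]+)\s+\(Issue\s+(?P<issue>\d+)\)\s*:\s*"
    r"\((?P<version>[^)]+)\)\s+(?P<description>.+?)\s*$"
)


def parse_packages(output):
    """Split isos-ver output into parsed package summaries and malformed ones."""
    packages, malformed = [], []
    for raw in output.splitlines():
        line = raw.strip()
        match = PACKAGE_LINE.match(line)
        if match:
            pkg = match.groupdict()
            pkg["issue"] = int(pkg["issue"])
            # Assumption: the major version is the first token of the field.
            pkg["major"] = (pkg["version"].split() or [""])[0]
            packages.append(pkg)
        elif line.startswith("DO-"):
            # Looks like a package summary but does not fit the layout.
            malformed.append(line)
        # Anything else (directory banner, tool versions) is ignored.
    return packages, malformed


def audit(output):
    """Return (packages, findings); an empty findings list means consistent."""
    packages, malformed = parse_packages(output)
    findings = [f"unparsed package line: {line}" for line in malformed]
    by_major = defaultdict(list)
    for pkg in packages:
        by_major[pkg["major"]].append(pkg["part"])
    if len(by_major) > 1:
        detail = "; ".join(
            f"{major}: {', '.join(parts)}" for major, parts in sorted(by_major.items())
        )
        findings.append(f"mixed major versions ({detail})")
    if not packages:
        findings.append("no package summaries found")
    return packages, findings


# Summary lines as printed in this guide.
GUIDE_OUTPUT = """\
Version directory: version_info
DO-400599-LS (Issue 3) : (8.2 SR2) ISOS source release
DO-400600-LS (Issue 3) : (8.2 SR2) Augustus CSP
"""

# Same output plus one constructed package built against a different release.
MIXED_OUTPUT = GUIDE_OUTPUT + "DO-000000-LS (Issue 1) : (8.1) Example BSP\n"

if __name__ == "__main__":
    for name, text in (("guide", GUIDE_OUTPUT), ("mixed", MIXED_OUTPUT)):
        pkgs, findings = audit(text)
        print(name, len(pkgs), "packages;", findings or "consistent")
```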
17.4
17.4.1 System information
To obtain general system information, use the CLI command:
system info
This command displays the Vendor ID, URL, MAC address and software and hardware versions of your system. This command is now superseded by the isos-ver command. For more information, refer to Obtaining software package version information on page 391.

17.4.2 System uptime
To find out how long the ISOS System has been up since it was last rebooted, use the uptime console command:

uptime
up 5 hours 39 minutes

This shows that the ISOS System has been up for 5 hours and 39 minutes.

17.4.3 Version information
To find out what build and version of ISOS software you have running on the ISOS System, use the version console command. This command is now superseded by the isos-ver command. For more information, refer to Obtaining software package version information on page 391.
17.5 Module information
17.5.1 Version information
You can obtain information about the version of each of the ISOS software modules provided with the release. For example, to find out which version of FlashFS you are using on the system, enter the console command:

flashfs version
FLASHFS v2.20
17.5.2 MAC Address information
The MAC address of the system can be viewed using the CLI command:

system info

This will show amongst other things the MAC address of the system.

17.5.3 Changing the MAC address
The MAC address of an ISOS System is held on the Serial ROM on the ISOS System. To change the MAC address you need to use the Serial ROM console command configeeprom. To configure the MAC address, follow the procedure below:

1. Hold down the space-bar on the keyboard of the PC connected to the ISOS System. Keep holding down the space-bar as the ISOS System boots up. The ISOS System will drop-down to the Serial ROM console prompt, as shown below:
   SDRAM size = 0x800000
   Key pressed, stopping boot.
   Entered console ... User request.
   ]
2. At the ] prompt, enter:
   configeeprom mac 00:25:2b:00:76:20
   This command sets the MAC address to the new value. To confirm that you have set the MAC address correctly, enter:
   configeeprom mac
   The following information will be returned:
   Valid configuration information found
   MAC: 00:25:2b:00:76:20
   along with other configuration information.

For more information about the Serial ROM commands, refer to DO-007286-TC, Helium Boot Procedure Developers Reference document.
17.5.4 Viewing IP addresses
The IP addresses which have been configured on the system can be viewed using the CLI command:

ip list interfaces

IP Interfaces:
ID | Name | IP Address | DHCP | Transport
-------------------------------------------------------------------

17.5.5 Setting IP addresses
To set the address of the ISOS System to 192.168.1.2, use the ip set interface command. For example:

ip set interface iplan ipaddress 192.168.1.1

To confirm that you have set the address, enter:

ip list interfaces

IP Interfaces:
ID | Name | IP Address | DHCP | Transport
-------------------------------------------------------------------
17.6 Setup analysis
The following commands can be issued from the console to examine the features of any network setup involving the ISOS System.
Note: You must be able to access the console from the CLI in order to use the setup analysis commands. For information on CLI access permissions, see Access permissions to the CLI on page 129. For details of how to access the console, see Entering console commands from the CLI on page 137.
17.6.1 Memory utilization
To see how much memory is being used, enter the console command:
chips mem
This command will output the memory used by each process running in ISOS and then total up the memory usage at the end. The typical output returned from this command is shown below:
... Total 3719136 12384 3168 362816 1280 = 4098784
useable memory 0x5c3c00 - 0x2000000, 27490480 bytes number of ATMOS_KMEMORY entries is 1205
17.6.2 Module status
The general status of most ISOS modules can be viewed using the CLI command show after the module name. For example:
webserver show info
To see more detailed information, use the console command status after the module name. For example:
webserver status
The listing below shows the information that is returned when the two commands are used.
-->webserver show info
EmWeb release: R6_1_0
Enabled: true
Interface: iplan
HTTP port: 80
UPnP port: 280
Management IP address: 0.0.0.0

--> console enable
Switching from CLI to console mode - type 'exit' to return

192.168.1.1> webserver status
WebServer is enabled.
The HTTP port is 80.
The UPnP port is 280.
The interface is iplan.
WebServer archive filename is //expand/isfs/derived_data.dat.
The derived archive currently loaded is '//expand/isfs/derived_data.dat'.
Variable allocation pool:
   total pool size     25568
   free                22576
   allocated           2992
   mean alloc chunk    166
   max free chunk      19296
Buffer pool:
   total pool size     99968
   free                45536
   allocated           54432
   mean alloc chunk    78
   max free chunk      40784
17.6.3 Transmission / Receive statistics
To see the number of packets which have been received and transmitted over a configuration, use the console command:
bun list channels
The output returned from this command for a usb-gateway configuration is shown below:
192.168.1.1> bun list channels Port loopback has no open channels Port join 0: Port usb 0: 1: 2: Port atm 0: oam RxVPI/VCI: 1: oam RxVPI/VCI: 2: oam RxVPI/VCI: 3: oam RxVPI/VCI: TxPkts: 0/0 TxPkts: 0/0 TxPkts: 0/3 TxPkts: 0/4 0/0 0/0 0/0 0/0 RxPkts: RxPkts: RxPkts: RxPkts: 0/0 0/0 0/0 0/0 TxVPI/VCI: TxVPI/VCI: TxVPI/VCI: TxVPI/VCI: 0/0 0/0 0/3 0/4 TxPkts: TxPkts: TxPkts: 0/0 1/0 0/0 RxPkts: RxPkts: RxPkts: 0/0 0/0 0/0 TxPkts: 1/0 RxPkts: 0/0
2/0
RxPkts:
0/0
TxVPI/VCI:
3842/0
RxPkts:
9389/0
Port usb-ethernet has no open channels Port pc-ethernet has no open channels Port vvb 0: 1: 2: TxPkts: TxPkts: TxPkts: 1/0 0/0 0/0 RxPkts: RxPkts: RxPkts: 0/0 0/0 0/0
17.7
From this point, all events generated will be written to the event buffer and displayed on the console. To stop the printing of events to the console, enter:
event unshow
You can also view the contents of the event buffer using the event command, with a suitable option. For example, to view the most recent events which have been written to the event buffer, enter:
event r
Up to 24 lines of the event buffer are displayed. For more information on the event command, refer to DO-009430-PS, ISOS (8.2) CLI Reference Manual.

17.7.2 Setting trace output information
You can obtain detailed trace information for many of the ISOS software modules, using the trace (or event) command. To receive trace output you must make a debug version of the ISOS image. For more information, refer to Building a debug image on page 80.
Note: Most ISOS modules support trace information. Some modules call this the trace command, others use the event command. Refer to the Functional Specification for the module to discover which command is used for outputting Trace information.
An ISOS module will generate trace information when it is in use. The information is categorized in terms of its severity/importance and you can set the category of trace information you wish to receive.
The following table summarizes the category levels and provides a general description of each level, although be aware that some modules may not conform exactly to the levels described below:

Level   Description
1       Only very serious errors reported.
2       Definite protocol errors or very significant events reported.
3       Links going up/down reported.
4       Every packet and significant state change is reported.
5       Every packet sent/received is disassembled, and hex dumped.
Table 30:
In summary, the lower the trace level, the less detailed the event reporting will be. For example, to set level 4 tracing for the q93b module, enter:

q93b event 4
event set to 4
All trace information, up to and including level 4 will be written to background output. To view the output on the console, enter:
event show
Trace information generated will show the level of severity for each event in the output. For example, the following trace information shows level 3 and level 4 information:
q93b: 91904: 3: port a2: Send RESTART
q93b: 91904: 3: port a2: Received RESTART
q93b: 91904: 4: port a2: Send RESTART ACKNOWLEDGE
q93b: 91904: 3: port a2: Restart complete
Trace information at high levels can output a lot of information. To return trace information back to its default level (1) for the q93b module, enter:
q93b event 1
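Because high trace levels produce a lot of output, a saved console capture is easier to review offline. The following added example (not ISOS code) parses trace lines in the layout shown above and filters them by level; the guide does not name the second numeric field, so "counter" is a label chosen here, and the function names are hypothetical.

```python
import re
from collections import Counter
from typing import NamedTuple

# Table 30 of this guide, keyed by trace level.
LEVEL_MEANING = {
    1: "Only very serious errors reported.",
    2: "Definite protocol errors or very significant events reported.",
    3: "Links going up/down reported.",
    4: "Every packet and significant state change is reported.",
    5: "Every packet sent/received is disassembled, and hex dumped.",
}

# Layout seen in the guide: module: number: level: message
TRACE_LINE = re.compile(
    r"^(?P<module>[A-Za-z0-9_-]+):\s*(?P<counter>\d+):\s*"
    r"(?P<level>[1-5]):\s*(?P<message>.+)$"
)


class TraceEvent(NamedTuple):
    module: str
    counter: int   # unnamed numeric field in the guide; label is an assumption
    level: int
    message: str


def parse_trace(capture):
    """Return (events, rejected) where rejected holds lines that are not trace output."""
    events, rejected = [], []
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = TRACE_LINE.match(line)
        if match is None:
            rejected.append(line)  # command echoes, prompts, truncated lines
            continue
        events.append(
            TraceEvent(
                match["module"],
                int(match["counter"]),
                int(match["level"]),
                match["message"],
            )
        )
    return events, rejected


def at_or_below(events, max_level, module=None):
    """Events a module would still report if its trace level were max_level."""
    return [
        e for e in events
        if e.level <= max_level and (module is None or e.module == module)
    ]


def level_histogram(events):
    """Count events per level to see which level dominates a capture."""
    return dict(Counter(e.level for e in events))


# Console capture assembled from the lines printed in this guide.
CAPTURE = """\
event set to 4
q93b: 91904: 3: port a2: Send RESTART
q93b: 91904: 3: port a2: Received RESTART
q93b: 91904: 4: port a2: Send RESTART ACKNOWLEDGE
q93b: 91904: 3: port a2: Restart complete
"""

if __name__ == "__main__":
    events, rejected = parse_trace(CAPTURE)
    for level, count in sorted(level_histogram(events).items()):
        print(f"level {level} ({LEVEL_MEANING[level]}): {count}")
    for event in at_or_below(events, 3, module="q93b"):
        print(event.message)
    print("not trace output:", rejected)
```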
This chapter describes how to upgrade various software images on an ISOS System.
18.1 Introduction
You may need to update the following software on the ISOS System:
- Upgrading Serial ROM on page 404.
- Upgrading Boot ROM on page 410.
- Updating software from a running image on page 411.
This chapter describes the update procedure to follow for all types of software images that can be updated on an ISOS System.
Note: You must be able to access the console from the CLI in order to carry out some upgrading and updating tasks. For information on CLI access permissions, see Access permissions to the CLI on page 129. For details of how to access the console, see Entering console commands from the CLI on page 137.
18.2
Run the console command virata-tools-ver which reports on the GlobespanVirata Tools version you have installed.
On older GlobespanVirata Tools versions, this command is absent. Instead, examine the path output by the command which aconfig. The output will contain the version number.
You have set up a suitable bootserver to enable images to be downloaded to the ISOS System. (For more information, refer to Booting the ISOS System in Gateway mode on page 99.)
18.2.2 Updating an ISOS System with a new serial image
This section describes how to update your Serial ROM. This task involves creating a new Serial image using ISOS tools and then downloading this image to the ISOS System. The procedure below describes how to do this:
1. Ensure you have met the pre-requisites of this procedure, as described in Pre-requisites on page 404.
2. Produce an update.bin image for the Serial ROM. To do this, run the command:
   mkproduct serialboot bd6100
   This command produces the following image files:
   serialrom.bin
   serialrom.hex
   The update.bin image is the image you need to download to the ISOS System.
3. Copy the update.bin file to a suitable download directory so that this image can be downloaded to the ISOS System. For more information on how to download an image for your type of configuration, refer to the following chapters:
   - For a PC-attached configuration, refer to Booting the ISOS System in PC-attached mode on page 111.
   - For a Gateway configuration, refer to Booting the ISOS System in Gateway mode on page 99.
4. Download the update.bin file to the ISOS System. You should see the following text appear on the console:
   Helium 100/Helium 2xx serial ROM update utility (3.12)
   ================================
   Copyright (C) Virata Limited 2001
   Reading in serial rom
   Found valid config area in serial rom.
   Old config area will be preserved.
   Press '!' to update serial ROM.
   If you're not sure what you're doing, press reset on your board now!
5. Press ! and wait. The new image is uploaded. The upload takes about 80 seconds and the monitor counts up from 0 to 1FF while it is happening.
   Caution - Do not reset the ISOS System during this operation as you will end up with a non-functional Serial ROM.
   The following information is displayed:
   Writing serial ROM
   Sectors Left:
   Verifying
   Programming successful
   VRTA>
6. Replace the update.bin file with a normal flash.bin image in your download directory.
7. Reset the ISOS System. You should see the following text appear on the console:
   He2xx Family Ethernet / USB boot v3.7
   MAC 00:20:2b:80:0e:80
   SDRAM 0x01000000 bytes

If the procedure goes wrong and you get into a situation where the Serial ROM does not function, refer to Updating an ISOS System with no on-board serial image on page 407 to update it.
18.2.3 Updating an ISOS System with no on-board serial image
To update an ISOS System with no current on-board serial image, the Serial ROM chip must be removed from the ISOS System, and programmed using a ROM programmer unit. To prepare an image for programming, follow the procedure below:

1. Ensure you have met the pre-requisites of this procedure, as described in Pre-requisites on page 404.
2. Edit the file to include the MAC address of your system. The file to edit is called atmos/source/hf_serialboot/augustus_mksrom.cfg. The line of this file to edit is:
   macaddress 0:0:0:0:0:0
If you do not edit this file, the default MAC address 0:0:0:0:0:0 is used in the image. (You can change the MAC address of the system using a special console command. For more information, refer to Changing the MAC address on page 395.)
3
You can now use the serialrom.bin or serialrom.hex file to program the Serial ROM chip.

18.2.4 Building a serial ROM update package or PROM-programmable image
This section explains how to recreate the files used in the previous two sections. You may wish to recreate the files to personalize the manufacturer and device names that are displayed on the PC when the ISOS System is booting over USB.
1. Edit the appropriate source files to contain your specific information. For more information about what can be changed or configured, see the comments in atmos/source/hf_serialboot/hf_serialboot.module. If you would like to change the USB manufacturer's name and Vendor ID, edit the lines in the following system file, atmos/system/serialboot_main:
   Config.hs USB_MANUFACTURER "XYZ Inc."
   Config.hs USB_VENDOR_ID "My widget"
   For product-specific USB information, you should edit the appropriate hardware file in atmos/source/hardware/bd6100.hw.
2. Edit the file to include the MAC address of your system. The file to edit is called atmos/source/hf_serialboot/augustus_mksrom.cfg. The line of this file to edit is:
   macaddress 0:0:0:0:0:0
   If you do not edit this file, the default MAC address 0:0:0:0:0:0 is used in the image. (You can change the MAC address of the system using a special console command. For more information, refer to Changing the MAC address on page 395.)
3. Create the serial ROM update package, using the command:
   mkproduct serialboot bd6100
   This command produces the following image files:
   serialrom.bin
   serialrom.hex
4. Copy the update.bin file to a suitable download directory so that this image can be downloaded to the ISOS System.
5. Reboot the ISOS System to download this file. You should see the following text appear on the console:
   Helium 100/Helium 2xx serial ROM update utility (3.12)
   ================================
   Copyright (C) Virata Limited 2001
   Reading in serial rom
   Found valid config area in serial rom.
   Old config area will be preserved.
   Press '!' to update serial ROM.
   If you're not sure what you're doing, press reset on your board now!
6. Press ! and wait. The new image is uploaded. The upload takes about 80 seconds and the monitor counts up from 0 to 1FF while it is happening.
   Caution - Do not reset the ISOS System during this operation as you will end up with a non-functional Serial ROM.
   The following information is displayed:
   Writing serial ROM
   Sectors Left:
   Verifying
   Programming successful
   VRTA>
7. Replace the update.bin file with a normal flash.bin image in your download directory.
8. Reset the ISOS System. You should see the following text appear on the console:
   He2xx Family Ethernet / USB boot v3.7
   MAC 00:20:2b:80:0e:80
   SDRAM 0x01000000 bytes

If the procedure goes wrong and you get into a situation where the Serial ROM does not function, refer to Updating an ISOS System with no on-board serial image on page 407 to update it.
18.3
Ensure that you have set up the ISOS System to boot over Ethernet or USB.
- Gateway configurations: For booting over Ethernet, refer to Booting the ISOS System in Gateway mode on page 99.
- PC-attached configurations: For booting over USB, refer to Booting the ISOS System in PC-attached mode on page 111.

Build the following image, using the mkproduct command:
   mkproduct flash-rewrite bd6100
This produces the file:
   atmos/build/products/bd6100-flash-rewrite/flash.bin

Copy the flash.bin file to a suitable download directory so that this image can be downloaded to the ISOS System.
Reboot the ISOS System to download this file. You should see the following text appear on the console:
Starting mkflash image
NBnZ PP Boot 8.2.0.7 (25 March 2002)
Copyright (c) 2002 GlobespanVirata, Inc.
SDRAM size = 0x1000000
NPnFound valid boot information block
Valid configuration (size 256)
Flash Rewrite version 8.2.0.7 (25 March 2002)
BSP: BD62x1 BSP v1.0 (ISOS 8.2)
CSP: He100/2xx CSP v2.3 (ISOS 8.2)
NP software version is 0x00000820 (reply took 9us)
Copyright (c) 2002 GlobespanVirata, Inc.
0:20:2b:80:e:80>
This writes the boot images to the first 64kb of the Flash memory chips.
Replace the flash.bin file with a normal flash.bin image in your download directory. Reset the ISOS System.
18.4
18.4.1 Files which can be copied over
You can copy over firmware images and configuration files using either FTP or TFTP. The files and images are copied into ISFS. Any existing files of the same name will be over-written. Once the files are in ISFS you can then save the files to Flash using the CLI command:
system config save
which will write the files to FlashFS. You can use a special command in TFTP to automatically write the files to FlashFS. If you wish to save the files to another FlashFS partition or rename the files you can use the ISOS File Manager. For more information, refer to Using the ISOS File Manager on page 201. For more information about the location of the image files and configuration files which would typically be copied into ISFS using TFTP or FTP, refer to Building an ISOS image on page 61.
18.4.2 Using FTP
In an FTP upgrade the ISOS System is acting as an FTP server and the attached computer is acting as an FTP client.
Pre-requisites
Check the following points before trying an FTP update. The FTP update requires the image to include the ftpd package. Thus, you need to check that the running image on the ISOS System includes FTP support or that the image you are building includes FTP support. To check whether the running image includes the FTP package, enter the following console command:
help ftpd
ftpd [<command>] - send command to ftpd process
To check whether a system file will build an image that includes FTP, check for the following line in the system file:
Package ftpd
If this line is present, and has not been commented out, the system file will produce an image which includes support for FTP. The update also requires adequate free memory on the ISOS System or it will fail. If you need FTP updates to work, you should check through your system file and make sure that you are not including packages that you don't need. (For more information on how to build a custom image and how to remove packages from a build, refer to Building an ISOS image on page 61.)
Usage
The example FTP session below demonstrates the use of FTP to update the NP image (image) on the ISOS System:
jjf magic ~ > ftp
ftp> open 192.168.86.202
Connected to 192.168.86.202.
220 ISOS FTP Server (1.00) ready
Name (192.168.86.202:jjf): admin
331 User name okay, need password.
Password:
230 User logged in, proceed.
ftp> lcd ~/atmos/build/bd62x1-np_rt
Local directory now /home/jjf/atmos/build/bd62x1-np_rt
ftp> binary
200 TYPE command okay.
ftp> put image
local: image remote: image
200 PORT command okay.
150 BINARY store ready; //isfs/image.
226 Store complete. //isfs/image (9320 bytes)
9320 bytes sent in 0.03 secs (286.1 kB/s)
ftp> exit
121 User logging out.
jjf magic ~ >
The example session above copies a new NP image to ISFS on the ISOS System.
The actions of each of the commands in the example are described in detail below:
ftp
Open a connection to the ISOS System (with IP address 192.168.86.202). If the connection is successful, a message will be displayed by the FTP server.
Name (192.168.86.202:jjf): admin
331 User name okay, need password.
Password:
230 User logged in, proceed.
Log in to the ISOS System. For more information, refer to Logging in to the system on page 127.
lcd ~/atmos/build/bd62x1-np_rt
Change to the local directory on the computer which contains the file you wish to copy.
binary
Put FTP into binary mode, as you are copying a binary image.
put image
local: image remote: image
200 PORT command okay.
150 BINARY store ready; //isfs/image.
226 Store complete. //isfs/image (9320 bytes)
9320 bytes sent in 0.03 secs (286.1 kB/s)
Copy the NP image file called image. If the transfer is successful, a series of messages will be displayed indicating that the file has been copied.
exit
Exit from the FTP session.
The files are copied to ISFS but not written to FlashFS. The write to FlashFS must be performed manually. See Files which can be copied over on page 412.
For further information on the FTP update process, refer to DO-008908-PS, ISOS FTP Server.
18.4.3 Using TFTP
Note: The TFTP update described in this section is different from the BOOTP/TFTP boot procedure (described in Booting the ISOS System in Gateway mode on page 99). The BOOTP/TFTP boot uses TFTP code implemented by the Boot ROM, and it can only accept one file, representing the whole of ISFS. Once the ISOS System has a running image, it can be updated using a more sophisticated TFTP protocol that allows many files to be downloaded. It is this update that is described in this section.
In a TFTP upgrade the ISOS System is acting as a TFTP server and the attached computer is acting as a TFTP client. Booting the system via TFTP uses the ISOS System as a TFTP client and the attached computer as a TFTP server.
Pre-requisites
Check the following points before trying a TFTP update. The TFTP update requires the image to include the TFTP package. Thus, you need to check that the running image on the ISOS System includes TFTP support and that the image you are building includes TFTP support. To check whether your running image includes TFTP code, type the console command:
tftp help
at the console prompt. If a list of TFTP commands is displayed, then the TFTP module is installed. To check whether a system file will build an image that includes TFTP, check for the following line in the system file:
Package tftp
If this line is present, and has not been commented out, the system file will produce an image which includes support for TFTP.
The update also requires adequate free memory on the ISOS System or it will fail. If you need TFTP updates to work, you should check through your system file and make sure that you are not including packages that you don't need. (For more information on how to remove packages from a build, refer to Building an ISOS image on page 61.)
Before performing the update, check that the ISOS System's running image has the TFTP port configured. To do this, enter the console command:
ip portname list
Then restart and reboot the ISOS System (e.g., by pressing the Reset button). The ISOS System is now ready to accept a TFTP update.
Usage
The example script below demonstrates the use of TFTP to update the following software components on the ISOS System:
NP image file
PP image file
snmpinit configuration file
Here is the example script:
connect 192.168.219.178
binary
put ./password tftplock.key
put ./empty tftpupdt.beg
put ./PPimage image
put ./image NPimage
put ./snmpinit snmpinit
put ./empty tftpupdt.rbt
put ./empty tftpupdt.end
(The command syntax is appropriate for the Unix version of TFTP but is very similar to the Windows NT version.)
The script example above copies a new PP image, a new NP image and a new configuration file for the SNMP module to the ISOS System. The script assumes that several files exist in the current directory:
A file called password containing the single word password.
A file called empty of zero length.
A PP image file called PPimage. The PP image is created from source and is copied into the build directory for the product you are building. For example, if you build a bd6100-usb-gateway image, the PP image would be located in the directory: atmos/build/bd6100-usb-gateway/ The file is called image.comp.
An NP image file called NPimage. The pre-compiled NP image for an ISOS System is provided as a compiled binary. It will be installed in the directory: atmos/build/bd6100-np_rt/ The file is called image.
An ISFS configuration file called snmpinit.
Note that the names of the local files on your PC can be anything you choose. However, you must copy them over using the filenames specified in the script. In addition, the files do not have to be located in the same directory, but are in this particular example to simplify the script.
The actions of each of the commands in the script are described in detail below:
connect 192.168.219.178
Connects to the ISOS System (with IP address 192.168.219.178).
binary
put ./password tftplock.key
A special file is sent to unlock the ISOS System for update (tftplock.key). TFTP has no security mechanism, so this special file implements a simple password system. The password contained in the file should be the same as the SNMP/Telnet password for the ISOS System.
put ./empty tftpupdt.beg
A special file to indicate the beginning of the update process. The contents of this file are ignored, so it can be an empty file.
put ./PPimage image
Copy the PP image file called PPimage as image. This file must be copied using the name image.
put ./image NPimage
Copy the NP image file called image as NPimage. This file must be copied using the name NPimage.
put ./snmpinit snmpinit
Copy the configuration file for the SNMP module. This file must be copied as snmpinit. (For a list of the configuration file names for ISOS modules, refer to ISOS Module Configuration files on page 444.)
put ./empty tftpupdt.rbt
A special file to indicate the end of the update process. The contents of this file are ignored, so it can be an empty file, but the file must be copied using the name tftpupdt.rbt.
put ./empty tftpupdt.end
A special file to indicate that the system should be automatically rebooted after the update process. The contents of this file are ignored, so it can be an empty file, but the file must be copied using the name tftpupdt.end.
The script copies the block of files to ISFS on the ISOS System. The files are enclosed in two special files, one at the beginning (tftpupdt.beg) and one at the end (tftpupdt.end). The files are copied to ISFS and then written to FlashFS. The write to FlashFS is triggered by the file tftpupdt.end.
For further information on the TFTP update process, refer to DO-007137-PS, TFTP Functional Specification.
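The following shell functions are an added example, not part of the ISOS guide or GlobespanVirata code. They stage the helper files and write the TFTP client command script in the order shown above, refusing empty images, reserved remote names and values that would break the command lines. The function names, the output file name update.tftp, the ISOS_UPDATE_PASSWORD variable and writing the password as a single newline-terminated line are assumptions of this example.

```shell
#!/bin/sh
# Added example. Usage:
#   gen_tftp_update HOST WORKDIR PP_IMAGE NP_IMAGE [CONFIG_FILE ...]
# Creates WORKDIR/empty, WORKDIR/password (mode 0600) and WORKDIR/update.tftp,
# then prints the path of update.tftp. The password is read from the
# ISOS_UPDATE_PASSWORD environment variable (name chosen for this example) so
# that it does not appear in the process argument list.

_err() { echo "gen_tftp_update: $*" >&2; }

gen_tftp_update() {
    [ "$#" -ge 4 ] || { _err "usage: HOST WORKDIR PP_IMAGE NP_IMAGE [CONFIG...]"; return 2; }
    host=$1 workdir=$2 pp=$3 np=$4
    shift 4

    # The host is written onto the "connect" line: allow address characters only.
    case $host in
        ''|*[!A-Za-z0-9.:-]*) _err "bad host: $host"; return 1 ;;
    esac
    [ -n "${ISOS_UPDATE_PASSWORD:-}" ] || { _err "ISOS_UPDATE_PASSWORD is not set"; return 1; }
    [ -d "$workdir" ] || { _err "no such directory: $workdir"; return 1; }

    # Paths go unquoted into the client script, so whitespace would split them.
    for f in "$workdir" "$pp" "$np" "$@"; do
        case $f in *[[:space:]]*) _err "whitespace in path: $f"; return 1 ;; esac
    done
    # Images and configuration files must exist and must not be empty.
    for f in "$pp" "$np" "$@"; do
        { [ -f "$f" ] && [ -s "$f" ]; } || { _err "missing or empty file: $f"; return 1; }
    done
    # A configuration file is stored under its own basename, which must not
    # collide with an image name or one of the special file names.
    for f in "$@"; do
        case ${f##*/} in
            image|NPimage|tftplock.key|tftpupdt.beg|tftpupdt.rbt|tftpupdt.end)
                _err "reserved remote name: ${f##*/}"; return 1 ;;
        esac
    done

    # Helper files: the zero-length marker and the password file, created
    # fresh under a restrictive umask so the password is not world-readable.
    ( umask 077 &&
      rm -f "$workdir/password" &&
      : > "$workdir/empty" &&
      printf '%s\n' "$ISOS_UPDATE_PASSWORD" > "$workdir/password" ) ||
        { _err "cannot create helper files in $workdir"; return 1; }

    # Same command order as the guide's example script.
    out=$workdir/update.tftp
    {
        printf 'connect %s\n' "$host"
        printf 'binary\n'
        printf 'put %s tftplock.key\n' "$workdir/password"
        printf 'put %s tftpupdt.beg\n' "$workdir/empty"
        printf 'put %s image\n' "$pp"
        printf 'put %s NPimage\n' "$np"
        for f in "$@"; do printf 'put %s %s\n' "$f" "${f##*/}"; done
        printf 'put %s tftpupdt.rbt\n' "$workdir/empty"
        printf 'put %s tftpupdt.end\n' "$workdir/empty"
    } > "$out" || { _err "cannot write $out"; return 1; }
    printf '%s\n' "$out"
}

# Remove the cleartext password file once the transfer has been done.
clean_tftp_update() { rm -f "$1/password"; }
```

The generated update.tftp holds the same commands as the example script, with the local paths filled in; run clean_tftp_update on the working directory after the transfer so the password file does not stay on disk.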
This chapter describes how to troubleshoot problems you may be having with setting up a network configuration. The chapter describes both CLI and Console diagnostic commands.
19.1
Introduction
This chapter describes some tips for solving configuration problems that you may experience when setting up a network configuration.
Note: You must be able to access the console from the CLI in order to use some of the commands in this section. For information on CLI access permissions, see Access permissions to the CLI on page 129. For details of how to access the console, see Entering console commands from the CLI on page 137.
The following sections are contained in this chapter:
General troubleshooting guidelines that you should follow; see General guidelines on page 420.
Troubleshooting at the device driver level; see Troubleshooting at the device driver level on page 421.
Troubleshooting ATM protocols; see Troubleshooting the ATM protocols on page 423.
Troubleshooting bridged systems; see Troubleshooting bridged systems on page 425.
Troubleshooting routed systems; see Troubleshooting routed systems on page 426.
19.2
General guidelines
One golden rule to follow is: Always draw a diagram of your network before you start. A good, clear, fully-annotated design plan of your network will save time and difficulty later on. Include IP/ATM address details for all interfaces and label all nodes and entities. All this information will also assist in discussing any technical problems with GlobespanVirata Technical Advice Center. If you have set up one of the networks described in this guide, and you think your network is not working properly, first check if you can ping from one PC to the other. The ping command sends ICMP echo requests to a host and prints a message when it receives responses, and is a standard command supplied with both Linux and Windows IP networking. If you can ping successfully, but higher level protocols such
as network drive sharing are not working, it is most likely that the problem is with that part of the PC configuration, rather than the rest of the network. If you cannot ping successfully, try and trace the path of the packets through the network. Follow the progress of the pings from the first PC, through the first ISOS System, through the second ISOS System, to the second PC and back again, as described in Troubleshooting at the device driver level on page 421.
19.3
Check whether packets are being transmitted or received on the PC's Ethernet interface using the command:
ifconfig (Linux)
or:
netstat -e (Windows)
If no data is being sent by the PC while you are pinging, double check the PC's network configuration.
Check that the packets are being received or transmitted on the Ethernet interface of each ISOS System using the following commands:
console enable
bun list channels ethernet:0
or:
console process bun list channels ethernet:0
This will show the number of packets received and transmitted by the BUN Ethernet device. The parameter ethernet:0 means the first port of type Ethernet.
If no Ethernet traffic is received by the ISOS System, even when you have verified it is being sent by the PC, or if data is being sent by the ISOS System but not received by the PC, check the Ethernet cable. You should either use an Ethernet crossover cable or two straight-through cables and an Ethernet Hub (set to the correct speed for the ISOS System you are using: 10Mbps or 100Mbps).
Check that each packet leaving the ATM interface of one ISOS System is received by the other ISOS System using the following command:
console enable
bun list channels atm:0
or:
console process bun list channels atm:0
to show the number of packets received and transmitted by BUN on each open VC on the first ATM port in the system.
There may be a number of different channels in use by different software modules; you can find the channel you are interested in by looking for the VCI you are using in the TxVPI/VCI and RxVPI/VCI fields. The TxPkts and RxPkts fields will then tell you the number of AAL-5 packets transmitted and received respectively. The RxPkts field shows two numbers separated by a slash; the first is the number of packets received successfully, the second is the number of packets received with errors.
If the packets leaving each ISOS System are not successfully received by the other ISOS System, check the ATM cable: you should be using an ATM crossover cable, which is not the same as an Ethernet crossover cable. Check that the cable is plugged into ATM port 0 on the ISOS System.
Note: The physical location of ATM Port 0 (a1) differs between ISOS Systems:
For BD6100, BD6200 and BD6210 systems: ATM Port 0 is the ATM port furthest from the DC Power In connector.
For BD6221 systems: ATM Port 0 is the port nearest to the DC Power In connector.
19.4
Following the tests in the previous section may tell you that although data is being received at your ISOS System's Ethernet port, it is never transmitted on the ATM port, or vice versa. In this case, the next thing to check is correct operation of the ATM protocol (RFC1483, PPP or IPOA).
Check the ISOS System's event log. Type the following commands:
console enable
event p
event n
These commands show the previous (event p) and next (event n) part of the event buffer. They will show any background output, including error messages from modules when the system booted. For example, you may see a message telling you that a protocol module has failed to open a VC. This is most commonly caused by configuring two different protocol modules such that they try to use the same VC.
Next check the diagnostic commands provided by the protocol module itself. These are described in detail in DO-009430-PS, ISOS (8.2) CLI Reference Manual. Examples of useful diagnostic commands for the protocols mentioned in this guide - from the CLI - include:
IPOA:
ipoa show transport {<name>|<number>}
RFC 1483:
rfc1483 show transport {<name>|<number>}
PPP:
pppoa show transport {<name>|<number>}
For example:
rfc 1483 show transport t1
RFC1483 Transport: t1
Description: Default LAN port
Encapsulation: LlcBridged
ATM port: a1
Tx VPI: 0
Rx VPI: 0
Tx VCI: 800
Rx VCI: 800
QOS class: UBR
Peak cell rate: 2000
Sustainable cell rate: 0
Minimum cell rate: 0
Examples of useful diagnostic commands for the protocols mentioned in this guide - from the console - include: RFC 1483:
r1483 pvc
r1483 status
PPP:
ppp <channel>|all info [all]
Many protocols support a standard set of interface console commands, including a useful stats command which provides statistics on all traffic sent and received by the protocol. For example:
r1483 interface stats [reset]
ppp interface <interface>|all stats [reset]
These commands produce a standard set of output, which shows the SNMP statistics gathered for the interface. Here is example output, with some of the values useful for debugging annotated:
Device: ppp1
ifIndex: 13
ifType: 6
ifMtu:
ifSpeed:
ifAdminStatus:
ifOperStatus:
ifLastChange:
ifInOctets:          - total bytes received from network
ifInUcastPkts:       - unicast packets received
ifInNUcastPkts:      - broadcast/multicast packets received
ifInDiscards:        \
ifInErrors:           - packets not successfully received
ifInUnknownProtos:   /
ifOutOctets:         - total bytes sent to network
ifOutUcastPkts:      - unicast packets sent
ifOutNUcastPkts:     - broadcast/multicast packets sent
ifOutDiscards:
ifOutErrors:         - packets not successfully sent /
ifOutQLen:           - packets currently waiting to be sent
19.5
19.6
Ensure the correct transports are attached to the bridge, using the CLI command:
bridge list interfaces
You can find out the MAC addresses of all hosts detected by the bridge on each port, using the console command:
bridge filter
Check that the PCs are configured correctly; they should have IP addresses on the same subnet, as they will communicate directly with each other through the bridged network without needing a gateway. Ensure that the MAC address of the ISOS System is configured correctly. The CLI command:
system info
will print the system's MAC address; this should be the same as is printed on the label attached to the unit.
19.7
Check that each PC can ping the IP address of the Ethernet interface of the ISOS System it is directly attached to.
If this fails, check that the router interfaces have been configured correctly with the desired devices. From the CLI, enter:
ip list interfaces
Ensure none of the devices are listed with #FAILED next to them; this probably means that the device is already in use by the bridge module. If so, remove them using the CLI command:
bridge delete interface {<name>|<number>}
Also refer to the low-level troubleshooting in Troubleshooting at the device driver level on page 421.
Next, check that each PC can ping the IP address of the ATM interface of the ISOS System it is directly attached to.
If this fails, check that the PC has been configured with the correct gateway address. This is the address of the router to which it will forward packets for destinations other than the local network. Each PC's gateway should be the IP address of the Ethernet interface of the ISOS System to which it is connected. Obviously, in all IP networks, the gateway will always be on the same subnet as the machine's own IP address.
Check that each ISOS System can ping the ATM interface of the other ISOS System, using the CLI command:
ip ping <address>
If this fails, check the ATM protocol and the low-level troubleshooting tips, as described earlier in this section. If the system still does not work, check the routes on the ISOS Systems. Each ISOS System is directly connected to two of the three subnets present in the whole network, but must have a route to the other subnet (the Ethernet segment to which it is not directly connected). Either a specific route or a default route (as used in the configurations in this chapter) must be added. From the CLI, enter:
ip list routes
If problems still persist, check that IP is not picking up spurious routes from other hosts using the RIP protocol. RIP can be disabled using the CLI commands:
ip set interface {<name>|<number>} rip accept none
ip set interface {<name>|<number>} rip send none
You can display the whole of the IP module's current configuration using the CLI command:
ip show interface {<name>|<number>}
Refer to DO-009430-PS, ISOS (8.2) CLI Reference Manual, for more information about the output of this command.
This chapter describes the modules which are used in the configurations supported on an ISOS System running ISOS.
20.1
Introduction
This chapter describes the various ISOS software modules which can be run on the ISOS System for all supported configurations. A general description is given of the core software and software modules that are provided as part of the GlobespanVirata ISOS software suite. Reading this chapter will help you to appreciate where the various GlobespanVirata software modules would be used and needed in the development of a particular network device. This chapter also includes information about how each of the modules has been implemented by GlobespanVirata and where to find more information about each module. For a more general introduction to the supported configurations, refer to What are the features of each supported configuration? on page 10.
20.2
OSI Model
Communications software protocols (or stacks) are typically grouped into layers based upon the services provided to upper layers as well as the services utilized from lower layers. The most commonly used partitioning of these layers is defined in the Open Systems Interconnect (OSI) reference model. This model defines seven layers as briefly summarized in the table below:
Layer 1: Physical layer
Purpose: The physical layer provides transparent transmission and reception of a bit stream over a physical connection. The physical layer includes the hardware and electrical interfaces.
Example: xDSL, Ethernet PHY, SONET.
Layer 2: Data Link
Purpose: The data link layer provides, over the physical layer, a reliable protocol interface. Such functions include error detection and error correction.
Layer 3: Network
Purpose: The network layer provides (to the Transport layer) a reliable, in-sequence delivery of data. This layer handles routing and retransmission of packets.
Layer 4: Transport
Purpose: The transport layer provides services to the session layer, such as multiplexing of the network interface and providing different classes of service using the network layer. For example, TCP provides a class of service that includes reliability (i.e., retransmission when necessary) whereas UDP provides an unreliable interface.
Example: TCP, UDP
Layer 5: Session
Purpose: The session layer establishes, over the transport layer, a logical conversation or session between two network entities such as a user terminal and a host. Functions such as flow control, configuration, and security (network logon) are performed at this layer.
Example: DNS, DHCP
Layer 6: Presentation
Purpose: The presentation layer implements standards for video and text display formats. Applications use this layer to handle any necessary conversion and formatting transparently.
Layer 7: Application
Purpose: This is the topmost layer that actually makes the services below useful. Applications run at this layer and use the services below to reliably and transparently send and receive formatted data to remote entities.
Example: Telnet, FTP
It should be noted that the OSI model is an abstraction which is useful for discussion but which doesn't rigidly match actual implementations. For example, ATM exhibits characteristics of both layers 2 and 3. For simplicity, many people simply discuss ATM as a layer 2 protocol and anything above ATM (TCP, IP, Telnet, DHCP, NAT) as layer 3 and above.
20.3
Core processors
The GlobespanVirata Helium communications processor contains two ARM 7 RISC processors:
Protocol Processor (PP).
Network Processor (NP).
The NP acts as an intelligent DMA hardware engine to provide real-time support for networking functions such as cell switching and flow control. The PP provides layer 2 and layer 3 protocol processing functions such as UNI signalling and IP Routing.
The next section provides a brief description of each of the major protocols currently provided by GlobespanVirata on the PP. In the following sections, the ATM protocols and the encapsulations are considered part of layer 2 even though some portions (such as
signalling) are technically layer 3 functions. The GlobespanVirata device drivers are part of layer 1. The software categorized as Layer 3 and Higher Protocols represent the top 5 layers of the OSI Reference Model.
20.4
ISOS
The GlobespanVirata OS Kernel, ISOS, is a lightweight RTOS, which runs on Helium. It is a small, flat, operating system kernel optimized for embedded systems used to deliver network services. As a result of this focused purpose, ISOS represents about 15k of code that can be modularly expanded as required to meet the needs of a specific system. The primary tasks of ISOS are task scheduling and inter-process communication and synchronization.
20.5
ATM Protocols
The protocols described in this section are the core of the GlobespanVirata ATM technology. Though implementation details are extremely complex by necessity, the descriptions below provide a straightforward view of the most important components.
20.5.1 ATM Driver
The ATM Driver passes data between application software tasks and a physical ATM port. It performs ATM cell segmentation and reassembly (SAR), AAL encapsulation, and multiplexes concurrent data streams. It provides support for ATM Forum UNI 3.0, 3.1 and 4.0 traffic parameters and AAL types and also supports pacing of individual virtual circuits. Note that cell switching between UTOPIA ports on the ISOS System does not take place in the ATM driver that runs on the PP. The switching occurs entirely within the Network Processor, but is controlled and monitored from the Protocol Processor.
20.5.2 AAL
ATM Adaptation Layer that defines the rules governing segmentation and reassembly of data into cells. Various AALs are defined to support diverse traffic requirements. For example, low latency requirements for voice traffic are best satisfied using AAL-2, while efficiency and throughput are benefits which make AAL-5 more appropriate.
20.5.3 AAL-0
The GlobespanVirata AAL-0 interface passes raw cells through to the NP. AAL-0 is useful because it allows customers to implement an AAL not supported by the GlobespanVirata software on another processor or within the GlobespanVirata software stack. The customer's AAL then sends and receives data transparently through the AAL-0 interface.
20.5.4 AAL-2
AAL-2 is typically used for transporting voice traffic. AAL-2 comprises two layers, CPCS and SSCS. The lower layer (CPCS) handles common tasks such as trailer addition, padding, CRC checking. The upper layer (SSCS) handles service specific tasks such as data transmission assurance.
20.5.5 AAL-5
AAL-5 is the most commonly implemented AAL. It provides an efficient and reliable transport for data with the intent of optimizing throughput.
20.5.6 ILMI
GlobespanVirata provides an ILMI 4.0 implementation which handles address registration (switch-to-end device) and notification (end-device-to switch) as well as auto-configuration. ILMI uses SNMP over AAL-5 for transport.
20.5.7 OAM
Operations Administration and Maintenance. Refers to control packets defined in [I.610] to facilitate network management and administration. The GlobespanVirata I.610 implementation provides full support including AIS/RDI, Loop-Back, Continuity-Check, Performance Monitoring, and an example Console management application.
20.5.8 UNI Signalling
Signalling provides a means for dynamically establishing VCs between two points. VCs established in such a manner are called Switched Virtual Circuits (SVCs) as compared to Permanent Virtual Circuits (PVCs) which are provisioned once, when network service is first provided to the CPE. The GlobespanVirata network communications software includes support for all of the standard ATM UNI Signalling standards: UNI 3.0, 3.1, and 4.0 as well as the relevant call and connection control standards (Q.2931 and Q.2971).
20.5.9 SSCOP
SSCOP is the reliable transport layer used for signalling. It has the following objectives:
Reliable sequential delivery (packet retransmissions, etc.)
Flow control using a credit based scheme
Keep alive for connections even when no data is flowing
There are two relevant but incompatible versions of SSCOP: Q.SAAL and the ITU Q.2931 (formerly known by CCITT name of Q.93B). GlobespanVirata supports both SSCOP specifications.
20.6
Device Drivers
20.6.1 BUN Device Driver Framework
The Broadband Unified Network (BUN) interface provides a generic interface to a broad range of packet and cell based hardware devices. BUN is frequently termed a device driver framework. It isolates hardware-independent functions from hardware-dependent primitives and in doing so, simplifies device driver development, maintenance, and debugging.
20.6.2 I.432
The BUN I.432 driver supports the I.432 interface on Helium including ATM cell pacing and Header Error Control (HEC) generation and reception. The interface is layered on top of the Utopia interface and hence inherently provides VP and VC support as well. The interface
provides a method of connection to ADSL PHYs that support I.432. This sometimes provides a less expensive solution than connecting via a Utopia interface. 20.6.3 HDLC The BUN HDLC driver controls HDLC transmission and reception on communications processors, such as Helium, which have a physical HDLC interface. The HDLC device driver is a lightweight process that is not processing intensive. 20.6.4 Ethernet The BUN Ethernet driver provides data transport to and from an Ethernet hardware interface at 10BaseT or 100BaseT. In addition, functions useful for debugging, such as loopback, are also provided. 20.6.5 Frame Relay The BUN Frame Relay driver provides multiple Frame Relay channels over a single HDLC channel. The driver uses two layers of multiplexing: Firstly, each FR channel is identified by Data Link Channel Identifier (DLCI - an analogy of ATM VPI/VCI). Secondly, each DLCI can be multiplexed further if you are using RFC1490 multiprotocol encapsulation over FR. The FR channel can be uniquely identified by DLCI and ProtocolType. The Frame Relay driver supports a complete set of Frame Relay management protocols and also FRF.12 interface and DLCI level segmentation. 20.6.6 PCI There is no PCI support provided on Helium. 20.6.7 USB The GlobespanVirata BUN Driver for Universal Serial Bus (USB) supports the USB 1.1 implementation for Helium.
ISOS (8.2 Service Release 2) User Guide DO-009467-PS (Issue 4, 6th Dec 2002)
437
Encapsulations
The GlobespanVirata BUN driver for USB supports Helium as a PC-attached device.
20.7 Encapsulations
The commonly used methods of encapsulating user data to be sent over an ATM link are:

- IPoA (RFC 1577)
- PPPoA (RFC 2364)
- PPPoE Relay Agent
- RFC 1483

Some of these methods encapsulate layer 2 data (RFC 1483) and some encapsulate layer 3 data (IPoA). These encapsulation processes are considered layer 2 or layer 2.5 protocols, as layer 3 and other layer 2 protocols rely upon them for transport over ATM.

The GlobespanVirata flexible architecture allows these encapsulations, and hence the logical connections below them, to be treated generically as are other interfaces such as Ethernet. For example, encapsulations can be attached to the Spanning-tree Bridge (see Other Layer 2 Protocols on page 440) or IP Router (see Layer 3 and Higher Protocols on page 440) just as the Ethernet interface can be attached. This provides the ability to easily:

- route or bridge between ports with traditional packet interfaces and ports with encapsulations, or
- simply route or bridge between ports with encapsulations.

20.7.1 IPoA (RFC 1577)

User data in the form of IP packets is encapsulated into AAL-5 PDUs for transport over ATM. The fact that the user data is routed at an IP layer instead of bridged at a MAC layer allows the source and destination to be on different subnets. A notable drawback of IPoA is the lack of authentication and configuration that would be provided by PPP.
20.7.2 PPPoA (RFC 2364)

From a system perspective, the use of PPPoA is similar to IPoA in that user data for transmission is in the form of IP packets. In this case, however, a PPP session is established (using the GlobespanVirata PPP stack) to the remote NSP. The PPP packets are encapsulated according to RFC 2364 for transmission over an ATM link. On the receive side, the de-encapsulation is performed. The PPP session is terminated in the PP and the IP data can be delivered to the end user over, for example, Ethernet.

20.7.3 PPPoE Relay Agent

This encapsulation method is used to transport PPP traffic over Ethernet. Using this encapsulation allows PPP sessions to be terminated on PCs that are connected to the Helium communications processor by Ethernet. In this case, there may be multiple PPP sessions, each from a PC in the CPE to a PPP aggregator, such as a router, in the CO. These multiple sessions can be to separate end networks (for example Internet and Corporate Network).

The GlobespanVirata PPPoE relay agent recognises when locally originated PPPoE traffic is to be sent to the CO. Such traffic is, without unnecessary processing, forwarded to the correct destination network. This security is useful to prevent, for example, corporate bound data from being exposed to the Internet. The ATM encapsulation used in the PPPoE case is actually RFC 1483 because the local user data, though PPP, is encapsulated into Ethernet frames.

20.7.4 RFC 1483

RFC 1483 provides the simplest method of connecting end stations over an ATM network. User data in the form of Ethernet packets is encapsulated into AAL-5 PDUs for transport over ATM. Like IPoA, RFC 1483 provides no authentication and configuration that would be provided by PPP.
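The encapsulations in this section all end up as AAL-5 PDUs; the sketch below is an added example, not part of this guide or of GlobespanVirata's code, showing how the three header types are framed, padded to whole cells and checked on receipt. The header bytes come from RFC 1483 and RFC 2364; the function names and the sample frame are constructed for illustration.

```python
import struct

CELL_PAYLOAD = 48   # AAL-5 bytes carried in each ATM cell
TRAILER_LEN = 8     # CPCS-UU (1), CPI (1), length (2), CRC-32 (4)

# Encapsulation headers defined by the RFCs named in this section
# (assumed LLC-based variants; VC-multiplexed traffic carries no header).
HEADERS = {
    # LLC/SNAP, OUI 00-80-C2, PID 00-07 (802.3 without FCS), 2 pad bytes
    "rfc1483-bridged": bytes.fromhex("aaaa03" "0080c2" "0007" "0000"),
    # LLC/SNAP, OUI 00-00-00, EtherType 0x0800 (routed IPv4, as used by IPoA)
    "ipoa-routed": bytes.fromhex("aaaa03" "000000" "0800"),
    # LLC FE-FE-03 followed by NLPID 0xCF (PPP), per RFC 2364
    "pppoa-llc": bytes.fromhex("fefe03" "cf"),
}

# Constructed sample: broadcast Ethernet frame without FCS.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff" "020000000001" "0800")
                + b"constructed sample payload")


def crc32_aal5(data: bytes) -> int:
    """CRC-32 as used by AAL-5: poly 0x04C11DB7, MSB first, init and final XOR all ones."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def build_cpcs_pdu(kind: str, payload: bytes) -> bytes:
    """Prefix the encapsulation header, pad to a multiple of 48 bytes, append the trailer."""
    body = HEADERS[kind] + payload
    if len(body) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length field")
    pad = -(len(body) + TRAILER_LEN) % CELL_PAYLOAD
    head = body + bytes(pad) + struct.pack("!BBH", 0, 0, len(body))
    return head + struct.pack("!I", crc32_aal5(head))


def segment(pdu: bytes) -> list:
    """Split a CPCS-PDU into the 48-byte payloads of consecutive cells."""
    return [pdu[i:i + CELL_PAYLOAD] for i in range(0, len(pdu), CELL_PAYLOAD)]


def parse_cpcs_pdu(pdu: bytes):
    """Validate a reassembled PDU and return (encapsulation kind, user data)."""
    if len(pdu) < CELL_PAYLOAD or len(pdu) % CELL_PAYLOAD:
        raise ValueError("PDU is not a whole number of cells")
    length, crc = struct.unpack("!HI", pdu[-6:])
    if crc32_aal5(pdu[:-4]) != crc:
        raise ValueError("CRC-32 mismatch")
    pad = len(pdu) - TRAILER_LEN - length
    if not 0 <= pad < CELL_PAYLOAD:
        raise ValueError("length field inconsistent with PDU size")
    body = pdu[:length]
    for kind, header in HEADERS.items():
        if body.startswith(header):
            return kind, body[len(header):]
    return "unknown", body   # no recognised LLC header


def demo() -> dict:
    pdu = build_cpcs_pdu("rfc1483-bridged", SAMPLE_FRAME)
    kind, data = parse_cpcs_pdu(b"".join(segment(pdu)))
    return {"cells": len(segment(pdu)), "kind": kind, "intact": data == SAMPLE_FRAME}


if __name__ == "__main__":
    print(demo())
```

The CRC-32 in the trailer only detects transmission errors; any sender can compute a valid one, which is why RFC 1483 and IPoA offer none of the authentication that a PPP session adds.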
20.8
20.9
20.9.4 DHCP

The GlobespanVirata implementation of Dynamic Host Control Protocol (DHCP) provides both client and server functions. The client can be used, for example, to obtain a public IP address from an ISP. The DHCP server can be used to configure many local devices with private IP addresses. NAT can then be employed to allow the devices on the private network to send and receive data on the public network by sharing the public IP address.

20.9.5 NAT

The Network Address Translator (NAT) implements Port Address Translation (PAT) and provides Network Address Port Translation (NAPT), also known as IP Masquerading. NAT allows a single real IP address on the WAN side to be shared among many devices on the LAN side, each of which has a private address.

20.9.6 IP Router

The GlobespanVirata software provides implementations of RIP v1 and RIP v2, either or both of which can be run on each interface. The IP router is an IPv4 router (no support for IPv6 is provided) which includes support for MTU path discovery.

20.9.7 PPTP

The Point-to-Point Tunnelling Protocol (PPTP) provides the ability to transfer PPP data through a secure tunnel over a non-secure network such as the Internet. The usefulness is that the physical and logical terminations of the point-to-point link terminate in the unsecured network while the authentication and control terminate in the secure network. This allows, for example, an ISP to provide worldwide local dial-in to corporate users. The corporate users dial into the ISP but their data is tunnelled over the Internet to a corporate PPTP network server (PNS). GlobespanVirata has implemented the client portion of PPTP that provides a PPTP Access Concentrator (PAC).

20.9.8 L2TP

GlobespanVirata also provides a Layer 2 Tunnelling Protocol (L2TP) client or Access Concentrator (LAC). L2TP has the same primary function as PPTP, which is to securely and transparently tunnel PPP data over an unsecured network. L2TP, however, is a far more complex protocol that provides support for advanced security such as IPSec. PPTP is more commonly used in xDSL applications.

Note: To use L2TP on Windows 2000, IPSec is required. IPSec support is available from a number of third-party vendors.

20.9.9 Telnet

GlobespanVirata provides a simple Telnet server that allows administrative access to the platform over TCP/IP. The implementation supports only a single session at a time.

20.9.10 TFTP

The GlobespanVirata TFTP implementation is primarily aimed at allowing files to be updated over a network connection. These updates are handled securely through GlobespanVirata extensions to TFTP. Access is provided to files stored on Flash through FlashFS (Flash memory filing system) and to files stored in memory through ISFS (In-Store Filing System).
20.10 Miscellaneous
20.10.1 GlobespanVirata IPG

The GlobespanVirata Inter-Processor Gateway (IPG) is the hardware interface between the PP and NP. Issues of synchronization and memory contention are transparent to the software process through such hardware assistance as doorbell registers, interrupts, and shared registers.

20.10.2 Optional Windows Drivers

To support PC-Attached applications such as PCI and USB ADSL modems, GlobespanVirata provides CoNDIS-5 drivers for use on Microsoft Windows 98SE and Windows 2000. The GlobespanVirata implementation extends BUN to the PC using the Virata Virtual Bus (VVB). The VVB simplifies development and maintenance of PC drivers. The CoNDIS-5 drivers allow PC-99 and WHQL compliance and support the Microsoft architecture in which many of the layer 2 and layer 3 protocols (including ATM) are run on the PC. It should be noted, however, that the GlobespanVirata implementation performs SAR of AAL-5 PDUs on the Helium communications processor, which reduces the PC CPU requirements and driver complexity.
Table 31:
The following files are also normally found in ISFS. They are described in the table below:
| File | Module | Description |
|---|---|---|
| banner.txt | webserver | GlobeSpanVirata startup text on CLI |
| derived_data.dat | webserver | EmWeb Derived archive |
| dhclient.leases | dhcp | DHCP client lease database |
| dhcpd.leases | dhcp | DHCP server lease database |
| im.conf | | VMI configuration file used by many ISOS processes to store their configuration. |
| im.conf.factory | | Default VMI configuration file. This file can be used to restore a default configuration. |
| im.descriptions | | List of attribute text descriptions. |
| im.system | | VMI configuration file used to store system-specific Port information for a particular product. |
| image | | PP compiled image file |
| NPimage | | NP compiled image file |
Table 32:
For more information about how to include files in an image, refer to Including files in an image on page 91.
This chapter provides a quick overview of the BD6000 Series ISOS Systems and their capabilities and explains how to install the systems.
A.1
A.2
The main differences between the systems at a user level are the network and expansion interfaces provided. The following table summarizes the differences between all four chips:
| Feature | He100 | He200 | He210 | He210-80 |
|---|---|---|---|---|
| Clock speed | 48 | 60 | 60 | 80 |
| Network interfaces | Utopia; 10Base-T | Utopia; MII | Utopia; MII; 10/100 Base-T | Utopia; MII; 10/100 Base-T |
| Expansion interfaces | EIO; USB | EIO; USB; PCMCIA | EIO; USB; PCMCIA | EIO; USB; PCMCIA |
The Helium 200 processor does not contain an on-chip Ethernet PHY. On BD6200 systems an Ethernet PHY is provided on the board as an external component which interfaces to the Helium processor via the MII interface. All other processors contain an on-chip physical Ethernet interface called an Ethernet PHY for either 10 or 10/100 Base-T Ethernet connections. The Helium 100 processor does not contain a PCMCIA interface.
A.3
A.4
Figure 79 [diagram not reproduced; labels: PC, Ethernet, ISOS System, ATM25]
Using this setup, you can configure the ISOS System in a number of ways to show it transferring data using different network protocols. Refer to the following chapters for more information about how to configure ISOS Systems:

- Configuring the ISOS System in Gateway mode on page 235.
- Configuring the ISOS System in PC-attached Gateway mode on page 275.
- Configuring the ISOS System in Switch mode on page 323.

For more information about the protocols which can be used in the above configurations, refer to What configurations are supported by an ISOS System? on page 8.
A.5 Installation overview
To install the ISOS System in any type of configuration, you need to carry out the following steps:

1. Unpack and inspect the ISOS System and its components; see Unpacking the ISOS System on page 452.
2. Read all appropriate safety, warning and legal notices; see Reading important notices on page 453.
3. Position the ISOS System; see Positioning the ISOS System on page 453.
4. Connect up the ISOS System; see Connecting the ISOS System on page 453.
The above steps are described in the following sections. After completing this chapter, you will then need to refer to subsequent chapters to install appropriate supporting software.
A.6 Pre-requisites
Before starting the ISOS System installation procedure, ensure that you meet or have considered the following points:

- There are various configuration options supported for an ISOS System. Ensure that you know which type of basic configuration you wish to set up. (The options available are described in What are the features of each supported configuration? on page 10.)
- Ensure that you have the correct versions of GlobespanVirata software and tools for the operating system that you are using.
- Ensure that you have a computer running an operating system which supports your chosen ISOS System configuration. (The currently supported OSs are listed in What software platforms are supported? on page 18.)

All the above information is described in Introduction on page 7.
A.7
A.8
A.9
2. Make all necessary management connections to the ISOS System.
3. Make a power connection to the ISOS System.
The above steps are covered in the following sections for each possible configuration supported for the ISOS System.

20.11.5 For a Gateway configuration

To connect an ISOS System in a Gateway configuration, follow the steps below:

1. For the data connection: connect the Ethernet port on the ISOS System (10BASET or 10/100BASET, depending on the system you are installing) to the Ethernet port on your computer. The connection can be made using an Ethernet Hub, or directly using an Ethernet crossover cable.
2. For the management connection: connect the Serial port on the ISOS System (RS232) to the Serial port on your computer. (The characteristics of the Terminal connection are given in Serial port settings on page 354.)
3. For the power connection:
   a. Connect the DC power supply cable from the AC/DC power supply unit to the power supply port on the ISOS System (DC POWER IN 5V/4A).
   b. If you have a switched power supply, connect the AC/DC power supply unit to the electricity supply using the supplied power cable, but do not supply power from the electric supply yet. If you do not have a switched power supply, locate the power supply cable but do not yet plug it in.

   Warning - If the cable supplied does not match the local system, do not attempt to use it; contact the GlobespanVirata Technical Advice Center for a replacement cable.
The following diagram shows the connections which should now be present between your computer and the ISOS System:
Figure 80 Connecting the ISOS System (Gateway) [diagram not reproduced; labels: PC, ISOS System, Serial, RS232, HUB, Ethernet, 10/100BaseT, DC POWER IN, DC supply, Power supply]

The next step is to power on the ISOS System. Refer to Powering on the ISOS System on page 459.

20.11.6 For a PC-attached Gateway configuration

To connect up an ISOS System in a PC-attached Gateway configuration, follow the steps below:
1. Connect the Ethernet port on the ISOS System (10BASET or 10/100BASET, depending on the system you are installing) to the Ethernet port on your computer. The connection can be made using an Ethernet Hub, or directly using an Ethernet crossover cable.

   Connect the USB port on the ISOS System (USB) to the USB port on your computer. The connection can be made using a standard USB interconnect cable.
2. For the management connection: connect the Serial port on the ISOS System (RS232) to the Serial port on your computer. (The characteristics of the Terminal connection are given in Serial port settings on page 354.)
3. For the power connection:
   a. Connect the DC power supply cable from the AC/DC power supply unit to the power supply port on the ISOS System (DC POWER IN 5V/4A).
   b. If you have a switched power supply, connect the AC/DC power supply unit to the electricity supply using the supplied power cable, but do not supply power from the electric supply yet. If you do not have a switched power supply, locate the power supply cable but do not plug it in yet.

   Warning - If the cable supplied does not match the local system, do not attempt to use it; contact the GlobespanVirata Technical Advice Center for a replacement cable.
The following diagram shows the connections which should now be present between your computer and the ISOS System:
Figure 81 [diagram not reproduced; labels: PC, DC supply, Power supply]
The next step is to power on the ISOS System. Refer to Powering on the ISOS System on page 459.

20.11.7 For a Switch configuration

To connect an ISOS System in a Switch configuration, follow the steps below:

1. For the data connection: connect the ATM25 port on the ISOS System to the ATM port on your ATM network device. The type of ATM cable you use depends on the type of ATM network device you are connecting up with the ISOS System:
   - For a connection to an ATM switch, use a crossover cable.
   - For a connection to an ATM network end-point such as an ATM NIC card, use a straight-through cable.
2. For the management connection: connect the Serial port on the ISOS System (RS232) to the Serial port on your computer. (The characteristics of the Terminal connection are given in Serial port settings on page 354.)
3. For the power connection:
   a. Connect the DC power supply cable from the AC/DC power supply unit to the power supply port on the ISOS System (DC POWER IN 5V/4A).
   b. If you have a switched power supply, connect the AC/DC power supply unit to the electricity supply using the supplied power cable, but do not supply power from the electric supply yet. If you do not have a switched power supply, locate the power supply cable but do not plug it in yet.

   Warning - If the cable supplied does not match the local system, do not attempt to use it; contact the GlobespanVirata Technical Advice Center for a replacement cable.
The following diagram shows the connections which should now be present between your computer and the ISOS System:
Figure 82 [diagram not reproduced; labels: PC, ISOS System, Serial, RS232, DC supply, Power supply]
The next step is to power on the ISOS System. Refer to Powering on the ISOS System on page 459.
Supply power to the ISOS System. When the ISOS System has powered up correctly, the bank of LEDs on the front panel will be lit.
The ISOS System will boot up using the ISOS image pre-installed in Flash memory. This is a test image, however, and is not suitable for use. Refer to Installing ISOS software on page 27 to install the software and build a usable image.
Index
Symbols
$VIRATA_TOOLS 46 /etc/bootptab 103 /etc/dhcpd.conf 101 /etc/inetd.conf 103 /tftpboot 101 /usr/sbin/bootpd 103 /usr/sbin/tcpd 103 augustus_pp_boot 410
B
Boot ROM 410 Boot ROM console 122, 123 Bootp server 106 BOOTP/TFTP server 240 bootptab 105 BOOTREQUEST 113 Bridge configuration file 444 Bridged configuration examples 238, 302 BUN 436 Bun configuration file 444 bun list channels console command 398 BUN RFC 1483 243
A
AAL encapsulation 434 AAL-2 435 AAL-5 435 aconfig 405 Adobe Acrobat 5 ADSL 9 ADSL PHYs 437 air circulation 453 AIS 435 application layer 433 ARM 7 433 ATM 9 ATM Adaptation Layer 435 ATM crossover cable 239, 326 ATM Driver 434 ATM Forum 434 ATM port 0 239, 326 ATMOS bridge module 243 atm-switch 69 augustus_np_boot 410
C
Caution symbol 5 CCITT 436 CHAP authentication 270, 272 Chip support package 29 chips console command 395 chips mem console command 397 Classical IP 250 CLI access permissions 129 CO 439 CoNDIS-5 442 config list console command 224 config print ip console command 224 Config.h 10
configeeprom 121, 122 configuration files 219 console help 139 navigating 138 console enable 137 conventions typographical 4 CPCS 435 CPE 436, 439 CSP 29 customized images 94 CYAN_POOL_PREFIX 269, 277, 285, 286, 316
E
EMC Warning notice 453 Emweb configuration file 444 end stations 439 error correction 431 error detection 431 Ethernet 9 Ethernet driver 437 Ethernet PHY 431 eth-gateway 69 eth-gateway-recovery 69 event buffer 399 event console command 399 extra-sw 69
D
data connections 453 data link layer 431 DC Power In connector 240, 326, 422 Debian (Linux) 35 Debian packages 35 device driver framework 436 dhclient.conf 444 DHCP 432 DHCP client configuration file 444 DHCP relay configuration file 444 DHCP server configuration file 444 dhcpd reload 102 dhcpd.conf 444 dhcpd.leases 101 dhcrelay.conf 444 DMA 433 DNS 432 dpkg 35 DSL PHY 13 Dynamic Host Control Protocol 441
F
Feedback 5 File 202 FLANE 288 Flash booting 17 Flash memory filing system 442 FLASH partitions 203 flash.bin 65 FLASHFS 241, 305 FlashFS 202, 442 flashfs console command 394 flashfs rewrite 411 flashfs update console command 214 flash-rewrite 69, 410 Frame Relay 431 FTP 433
G
Gateway 9 gateway 74
Gateway configuration connecting 454, 457 gdbterm 126 Getting Started CD 29 GNU make 23 gunzip 42, 43, 44, 45
H
Hardware type 65 HDLC 9, 437 he_serialboot_main 116 HEC 436 home-router 69 HyperTerminal 24, 127
IP Masquerading 441 ip portname 416 IP Router 9 IP Router configuration file 444 IP Routing 433 IPG 442 IPoA 326, 438 IPSec 442 IPv4 441 IPv6 441 ISFS 10, 202, 442 isfs ls console command 206 ISOS source 30 ISOS tools 33 ISP 441 ITU X.410 433
I
I.432 436 I.610 435 ICMP 431, 440 ICMP Ping 268, 315 ILMI 241, 435 ILMI configuration file 444 image validation header 389 initbridge 444 initbun 444 initilmi 444 initnat 444 initppp 444 initpptp 444 initq93b 444 initwebserver 444 In-Store Filing System 442 Internet Explorer 5 Inter-Processor Gateway 442 IP 440 IP address 396
L
L2TP 441 LAC 441 LAN Emulation Client 440 Layer 2 bridging 243 layer 2.5 protocols 438 line endings 226 Linux 22
M
MAC address 395 management connections 454 Minicom 127 minicom 22 mkflash 227 mkproduct 80, 81, 87, 407 MTU path discovery 441
N
NAPT 441 NAT 433, 441 NAT configuration file 444 netmask 101 NetScape Navigator 5 network layer 431 Note symbol 5, 24, 39, 68, 277, 281, 285, 286
PPP Ethernet-encapsulated data 267 PPPoA 438 PPPoA peer 298 PPPoE Access Concentrator 268, 315 PPPoE Access Concentrator (AC) 267 PPPoE Relay Agent 438 PPTP Access Concentrator 295, 441 PPTP configuration file 444 PPTP Network Server 295 presentation layer 433 Product type 65
O
OS Kernel 434 OSI model 433 OSI Reference Model 434
Q
Q.2931 431, 436 Q.2971 436 Q.93B 436 Q.SAAL 436 q93b signalling configuration file 444
P
PAC 298, 441 PAP authentication 270, 272 PAT 441 PC Driver software 52 PC-99 compliance 442 PC-attached Gateway 9 connecting 455 PCI support 437 pci-modem product 65 PDUs 438 peak cell rate 252, 254, 310, 312 physical layer 431 pkgadd 38 PNS 298, 441 Point-to-Point Tunnelling Protocol 441 power connection 454 power supply 452 PPP 9 PPP configuration file 444
R
RDI 435 rebooting 119 RedHat (Linux) 36 RedHat rpms 35 Release notes 32 Reset button 109, 121, 122, 123 resolve 444 RFC 1483 438 RFC 1577 438 RFC 1918 241, 304 RFC 2364 438 RFC1577 250 RIP v1 441 RIP v2 441 RISC processor 433 Routed configuration examples 238
S
Safety Warning notice 453 SAR 434, 443 serial ROM 405 serialboot_loader 69 services 444 SNMP configuration file 444 SNMP statistics 424 snmpinit 417, 444 Solaris 23, 38 Solaris packages 35 SONET 431 source (CLI) 135 spanning-tree 440 SSCOP 436 SSCS 435 SVC 241 symbolic link 102 Symbols, used in this guide 5 System Properties dialog box 40, 47
tmp, NT environment variable 40 Trace output 399 transparent bridge 440 transport layer 432 Tunnelling configuration examples 238 typographical conventions 4
U
UDP 432, 440 UNI signalling 433 unzip 22 uptime console command 394 USB 9, 437 usb-gateway 69 usb-gateway-lean 69 User Datagram Protocol 440 UTOPIA 434 UTOPIA/EIO port 13
V
VCI 241 VIRATA_TOOLS 36, 37, 39 virata-tools-ver console command 405
T
TCP 432, 440 Telnet 433, 442 temp, NT environment variable 40 TFTP 116 TFTP Boot server 22, 23 TFTP configuration file 444 TFTP server 14 tftpd server 113 tftplock.key 417 tftpupdt.beg 418 tftpupdt.end 418
W
Warning symbol 5 which aconfig 405 WHQL compliance 443 Windows 2000 19 Windows 98 FE 19 Windows 98 SE 19 Windows ME 19 Windows NT 23 Windows NT executables 35
WinZip 24
X
xDSL 431, 440, 442
Z
Zip 41