
LX-Series Configuration Guide

Corporate Headquarters
MRV Communications, Inc. Corporate Center
20415 Nordhoff Street
Chatsworth, CA 91311
Tel: 818-773-0900
Fax: 818-773-0906
www.mrv.com (Internet)

Sales and Customer Support

MRV Americas
295 Foster Street
Littleton, MA 01460
Tel: 800-338-5316 (U.S.)
Tel: +011 978-952-4888 (Outside U.S.)
sales@mrv.com (email)
www.mrv.com (Internet)

MRV International
Industrial Zone
P.O. Box 614
Yokneam, Israel 20682
Tel: 972-4-993-6200
sales@mrv.com (email)
www.mrv.com (Internet)

451-0311B

All rights reserved. No part of this publication may be reproduced
without the prior written consent of MRV Communications, Inc. The
information in this document is subject to change without notice and
should not be construed as a commitment by MRV Communications, Inc.
MRV Communications, Inc. reserves the right to revise this publication
and to make changes in content from time to time, without obligation to
provide notification of such revision or changes. MRV Communications,
Inc. assumes no responsibility for errors that may appear in this
document.

Copyright © 2003 by MRV Communications, Inc.

This product includes software developed by the OpenSSL Project for use
in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young
(eay@cryptosoft.com).

This product includes software written by Tim Hudson
(tjh@cryptosoft.com).

Service Information
Should you experience trouble with this equipment, please contact one of
the following support locations:
• If you purchased your equipment in the Americas, contact MRV
Americas Service and Support in the U.S. at 978-952-4888. (If you are
calling from outside the U.S., call +011 978-952-4888.)
• If you purchased your equipment outside the Americas
(Europe, EU, Middle-East, Africa, Asia), contact MRV
International Service and Support at 972-4-993-6200.


Secure Shell Disclaimer
THE SECURE SHELL SOFTWARE IS PROVIDED BY ERIC YOUNG
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OR SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



Table of Contents

Preface
    How This Book is Organized
    Conventions
    Using the Function Keys
    Online Help
    Navigating the LX Command Line Interface (CLI)
    User Command Mode
    Superuser Command Mode
    Configuration Command Mode
    Asynchronous Command Mode
    PPP Command Mode
    Ethernet Command Mode
    Modem Command Mode
    Interface Command Mode
    Subscriber Command Mode
    SNMP Command Mode
    Notification Command Mode
    Menu Command Mode
    Menu Editing Command Mode
    Broadcast Group Command Mode
    Disabling (Negating) Features and Settings
    Related Documents

Chapter 1 - Initial Setup of the LX Unit
    Configuring TCP/IP
    Setting the TCP/IP Parameters in the IP Configuration Menu
    Configuring TCP/IP Parameters with the Quick Start Configurator
    Obtaining TCP/IP Parameters from the Network
    Creating and Loading a Default Configuration File
    Setting Up Local (Onboard) Security for the LX Unit
    Changing the Password Defaults
    Setting Up RADIUS, SecurID, and TACACS+ for the LX Unit
    Setting Up RADIUS
    Setting Up TACACS+
    Setting Up SecurID

Chapter 2 - Setting Up Remote Console Management
    Connecting the Console Port to the Network Element
    Making Straight-through Cables
    Modular Adapters (RJ-45 to DB-25 and RJ-45 to DB-9)
    Recommendations for Making Cables
    Configuring Ports for Remote Console Management
    Configuring Asynchronous Ports for Direct Serial Connections
    Setting Up Modem Ports for Remote Console Management
    Setting Up Security for a Console Port
    Creating Subscribers for Remote Console Management
    Specifying Access Methods

Chapter 3 - System Administration
    Backup and Recovery
    Saving the Configuration File
    Where the Configuration is Stored
    Saving the Configuration Into the Flash
    Saving the Configuration to the Network
    Editing the Files on a Unix Host
    Editing the Files in Windows
    Recreating the Zip File in Order to Upload It Onto the LX
    Loading the Configuration
    Applying Default Configurations to Other Units
    Creating a Default Configuration File
    Restoring the Default Configuration File to a New Unit
    Scripting On External Units
    How to Upgrade the Software
    Upgrading Software and ppciboot with the Command Line Interface
    ppciboot Factory Default Settings
    Upgrading Software with the ppciboot Main Menu
    Booting from the Network
    Booting from Flash
    Saving the Boot Image to Flash
    Setting the Timeout in Seconds
    IP Configuration Menu
    Setting the Speed and Duplex Mode of the Ethernet Network Link
    Updating the ppciboot Firmware
    Saving the Configuration
    Resetting to System Defaults
    Booting the System
    Using the IP Configuration Menu
    Choosing an IP Assignment Method
    Changing the Unit IP Address
    Changing the Network Mask
    Changing the Gateway Address
    Changing the TFTP Server IP Address
    Saving the Configuration
    Acquiring the IP Configuration
    Defaulting from CLI
    Defaulting from the Main Menu
    Booting from Defaults

Chapter 4 - Setting Up the Notification Feature
    Overview of the Notification Feature
    Configuring the Notification Feature
    Overview of User Profiles
    Service Profiles
    Displaying Information on the Notification Feature
    Displaying Characteristics of Service Profiles
    Displaying Characteristics of User Profiles
    Configuration Examples
    Outbound Asynchronous Port Example
    Localsyslog Example
    Remotesyslog Example
    SNPP Example
    SNMP Example
    TAP Example
    Email Example
    Web Example

Chapter 5 - Configuring the Data Broadcast Feature
    Usage Guidelines
    Setting Up Broadcast Groups
    Specifying Port Options
    Removing Ports from Broadcast Groups
    Disabling Broadcast Groups
    Displaying Broadcast Group Characteristics
    Displaying Broadcast Group Summaries

Chapter 6 - Configuring IP Interfaces
    Setting Up IP Interfaces
    Specifying SSH Keepalive Parameters
    Specifying Socket Numbers
    Specifying Maximum Transmission Units (MTU)
    Configuring Local Authentication on an IP Interface
    Configuring RADIUS, TACACS+, or SecurID Authentication on an IP Interface
    Configuring Rotaries
    Disabling Rotaries
    Removing Ports from a Rotary
    Displaying Interface Information
    Displaying Interface Characteristics
    Displaying Interface Port Mapping
    Displaying Interface Statuses
    Displaying Interface Summaries
    Displaying Rotary Information

Chapter 7 - Configuring Subscriber Accounts for the LX Unit
    Creating Subscriber Accounts and Entering Subscriber Command Mode
    Creating Subscriber Accounts by Copying
    Deleting Subscriber Accounts
    The User Profile
    Specifying the Subscriber Access Methods
    Setting Up the Session and Terminal Parameters
    Configuring the Subscriber Password
    Adding Superuser Privileges to a Subscriber Account
    Specifying a Dedicated Service
    Specifying a Preferred Service
    Enabling Audit Logging
    Enabling Command Logging
    Enabling Login Menus
    Displaying Subscriber Information
    Displaying Subscriber Characteristics
    Displaying the Subscriber Status
    Displaying the Subscriber TCP Information
    Displaying the Subscriber Summary Information
    Displaying the Audit Log for a Subscriber
    Displaying the Command Log for a Subscriber

Chapter 8 - Configuring Ports for Temperature/Humidity Sensors
    Configuring Sensor Access for an LX Port
    Displaying the Temperature and Humidity
    Displaying Sensor Summaries

Chapter 9 - Configuring Power Control Units
    Configuring an LX Asynchronous Port as a Power Master
    Default Name for a Power Control Relay
    Configuring Power Control Units
    Naming a Power Control Relay
    Specifying the Off Time
    Assigning Power Control Relays to a Group
    Naming a Group of Power Control Relays
    Displaying Information on Power Control Units
    Displaying Status Information for Power Control Units
    Displaying Status Information for Groups of Power Control Relays
    Displaying Summary Information for Power Control Units

Chapter 10 - Configuring Packet Filters with the iptables Command
    Adding a Rule to a Chain
    Example: Dropping Packets Based on the Source IP Address
    Example: Accepting Packets Based on the Destination IP Address
    Example: Ignoring Telnet Requests from a Specific IP Address
    Notes on the iptables Command Options
    Saving Changes in Rules

Appendix A - Overview of RADIUS Authentication
    RADIUS Authentication Attributes

Appendix B - Overview of RADIUS and TACACS+ Accounting
    RADIUS Accounting Client Operation
    RADIUS Accounting Attributes
    TACACS+ Accounting Client Operation
    TACACS+ Accounting Attributes

Appendix C - Overview of TACACS+ Authentication
    Example of TACACS+ Authentication
    TACACS+ Authentication Attributes

Appendix D - Details of the iptables Command
    iptables man Pages

Index

Figures

Figure 1 - LX Command Modes
Figure 2 - Straight-through Wiring Scheme
Figure 3 - Service Profile Display
Figure 4 - User Profile Display
Figure 5 - Broadcast Group Characteristics Display
Figure 6 - Broadcast Group Summary Display
Figure 7 - Rotary Connections on an IP Interface
Figure 8 - Interface Characteristics Display
Figure 9 - Interface Port Mapping Display
Figure 10 - Interface Status Display
Figure 11 - Interface Summary Display
Figure 12 - Rotary Display
Figure 13 - Subscriber Characteristics Display
Figure 14 - Subscriber Status Display
Figure 15 - Subscriber TCP Display
Figure 16 - Subscriber Summary Display
Figure 17 - Audit Log Display
Figure 18 - Command Log Display
Figure 19 - Device Status Display for a Sensor Port
Figure 20 - Device Summary Display for Sensors
Figure 21 - Device Status Display for an Alarm Master Port
Figure 22 - Device Status Display for a Power Control Relay Group
Figure 23 - Device Summary Display
Figure 24 - RADIUS Authentication Process
Figure 25 - TACACS+ Authentication Process

Preface

This guide describes how to manage and configure the LX unit and provides background information on all of the configurable features of the LX unit.

How This Book is Organized

This guide is organized as follows:
• Chapter 1 – Describes how to do the initial setup of the LX unit.
• Chapter 2 – Describes how to set up remote console management on the LX unit.
• Chapter 3 – Describes how to perform system administration on the LX unit.
• Chapter 4 – Describes how to set up the Notification Feature.
• Chapter 5 – Describes how to set up the Data Broadcast Feature.
• Chapter 6 – Describes how to configure IP interfaces.
• Chapter 7 – Describes how to configure subscriber accounts.
• Chapter 8 – Describes how to configure ports for Temperature/Humidity sensors.
• Chapter 9 – Describes how to configure ports for power management.
• Chapter 10 – Describes how to use the iptables command to configure packet filters for the LX unit.
• Appendix A – Provides an overview of the RADIUS authentication feature and describes the RADIUS authentication attributes.
• Appendix B – Provides an overview of the RADIUS accounting feature and the TACACS+ accounting feature and describes the RADIUS and TACACS+ accounting attributes.
• Appendix C – Provides an overview of the TACACS+ authentication feature and describes the TACACS+ authentication attributes.
• Appendix D – Lists the Linux man pages for the iptables command.

Conventions

The following conventions are used throughout this guide:
• Command execution – Unless otherwise specified, commands are executed when you press <RETURN>.
• Command syntax – Where command options or command syntax are shown, keywords and commands are shown in lowercase letters.
• Keyboard characters (keys) – Keyboard characters are represented using left and right angle brackets (< and >). For example, the notation <CTRL> refers to the CTRL key, <A> refers to the letter A, and <RETURN> refers to the RETURN key.
• Typographical conventions – The following typographical conventions are used:
    Monospace typeface – indicates text that can be displayed or typed at a terminal (i.e., displays, prompts, user input, messages, etc.).
    Italics – are used to indicate variables in command syntax descriptions.

Using the Function Keys

The LX Command Line Interface (CLI) supports the following function keys:
• Ctrl-F – Moves forward to the next session.
• Ctrl-B – Moves back to the previous session.
• Ctrl-L – Returns you to the Local Command Mode.
• Up arrow – Recalls the last command.
• Tab key – Autocompletes a partially typed command. For example, if you press the Tab key after you type show ver at the Superuser command prompt, the show version command will be autocompleted. (Note: You must type the first three characters of a command keyword before you can autocomplete it with the Tab key.)

NOTE: You must press the Enter key after you type Ctrl-F, Ctrl-B, or Ctrl-L.

Online Help

The question mark character (?) and the Tab key are used to display online help in the LX Command Line Interface (CLI). The following guidelines will help you to navigate the online help system:
• Type the ? character (or press the Tab key) at the command prompt in any command mode to display the first keyword of each command that can be executed in that command mode. For example, the following is displayed when you type the ? character at the User command prompt:

    InReach:0 >
    User Commands:
      clear        Clear screen and reset terminal line
      disconnect   Disconnect session
      enable       Turn on privileged commands
      exit         Exits and disconnects user
      no           Negate a command
      pause        Pause enable
      ping         Send echo messages
      show         Show running system information
      ssh          Secure Shell (Triple-DES/Blowfish)
      telnet       Open a telnet connection
      terminal     Set the terminal type

• Type the ? character (or press the Tab key) after the displayed keyword to list the options for that keyword. For example, type show? to list the options of the show keyword. You could then type show port? to list the next item in the syntax of the show port command.

Navigating the LX Command Line Interface (CLI)
The LX CLI is structured as a set of nested command modes. Each command mode is used to implement a group of related features or functions. Figure 1 lists the command modes in the LX CLI.

[Figure 1 - LX Command Modes: User → Superuser (enter "enable" command and login to Superuser command mode) → Configuration → Notification, SNMP, Port Ethernet, Port Async, Broadcast Group, Subscriber, Interface, Menu; Port Async → PPP, Modem; Menu → Menu Editing (open)]

Each command mode has its own command prompt (e.g., Config:0 >>) and its own set of commands. Type a question mark (?) (or press the Tab key) at any of the LX CLI command prompts to display the commands that can be executed in the current command mode. For example, type a question mark at the Menu :0 >> prompt to display the commands that can be executed in the Menu command mode.

Except for the User command mode, each command mode is nested in a previous command mode. For example, the Superuser command mode is nested in User command mode, the Configuration command mode is nested in the Superuser command mode, and so on. To enter a nested command mode, you must enter the appropriate command from the previous command mode. For example, to enter the Configuration command mode you must enter the configuration command from the Superuser command mode.

You can use the exit command to return to the previous command mode. For example, you would enter the exit command in the Asynchronous command mode to return to the Configuration command mode. You can use the end command to return to the Superuser Command Mode from the Configuration Command Mode or from any command mode that is nested in the Configuration Command Mode.

The rest of this section describes the LX command modes and the commands that are used to access each of them.

User Command Mode
When you log on to the LX unit, you are in the User command mode. This is indicated by the User command prompt (e.g., InReach:0 >). (The User command mode is the basic command mode of the LX CLI; you are in the User command mode when you log in to the LX unit.) The User command mode includes commands for doing the following:
• Managing your LX session and terminal.
• Displaying your subscriber-specific information.
• Displaying information about the LX port to which you are connected.
• Pinging remote hosts.
• Connecting to remote hosts via SSH and Telnet.
• Accessing the Superuser command mode.

Refer to the “User Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the User Command Mode.

Superuser Command Mode
The Superuser command prompt (e.g., InReach:0 >>) is displayed when you are in the Superuser command mode. You can access the Superuser command mode by executing the enable command in the User command mode. When you execute the enable command, the Password: prompt is displayed. To enter Superuser mode, you must enter a Superuser password at the Password: prompt.

In the Superuser command mode, you can perform all of the tasks that you can perform in User command mode, as well as the following:
• Manage the LX unit.
• Display global information for the LX unit.
• Access the Linux shell.
• Access the Configuration command mode.

Refer to the “Superuser Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the Superuser Command Mode.

Configuration Command Mode
The Configuration command prompt (e.g., Config:0 >>) is displayed when you are in the Configuration command mode. You can access the Configuration command mode by executing the configuration command in the Superuser command mode. In the Configuration command mode, you can perform such tasks as the following:
• Specify the server-level configuration of the LX unit. The server-level configuration includes the Superuser password and settings for ppciboot, RADIUS, TACACS+, SecurID, and all other server-level features.

• Access the Asynchronous command mode.
• Access the Ethernet command mode.
• Access the Subscriber command mode.
• Access the SNMP command mode.
• Access the Interface command mode.
• Access the Menu command mode.
• Access the Notification command mode.
• Access the Broadcast Group command mode.
• Access the PPP command mode.
• Access the Modem command mode.

Refer to the “Configuration Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the Configuration Command Mode.

Asynchronous Command Mode
The Asynchronous command prompt (e.g., Async 4-4:0 >>) is displayed when you are in the Asynchronous command mode. For example, the prompt Async 4-4:0 >> indicates that you are in the Asynchronous command mode for port 4. You can access the Asynchronous command mode by executing the port async command in the Configuration command mode with an LX port number as the command argument, for example:

Config:0 >>port async 4

In the Asynchronous command mode, you can do the following:
• Configure asynchronous port settings such as access methods, flow control, autobaud, autodial, APD settings, and inbound and outbound authentication.

Refer to the “Asynchronous Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the Asynchronous Command Mode.

PPP Command Mode
The PPP command prompt (e.g., PPP 4-4:0 >>) is displayed when you are in the PPP command mode. You can access the PPP command mode by executing the ppp command in the Asynchronous command mode. In the PPP command mode, you can configure the Point-to-Point Protocol (PPP) for asynchronous ports. Some of the settings that you can configure include accounting, authentication, IPCP parameters, and LCP parameters.

Refer to the “PPP Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the PPP Command Mode.

Modem Command Mode
The Modem command prompt (e.g., Modem 4-4:0 >>) is displayed when you are in the Modem command mode. You can access the Modem command mode by executing the modem command in the Asynchronous command mode. In the Modem command mode, you can configure external modems for asynchronous ports. Some of the settings that you can configure include type, modem retries, dialout number, and the modem initialization string.

Refer to the “Modem Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the Modem Command Mode.

Ethernet Command Mode
The Ethernet command prompt (e.g., Ether 1-1:0 >>) is displayed when you are in the Ethernet command mode. You can access the Ethernet command mode by executing the port ethernet command in the Configuration command mode with an LX port number as the command argument, for example:

Config:0 >>port ethernet 1

In the Ethernet command mode, you can configure Ethernet port descriptions and the duplex mode and speed of Ethernet ports.

Refer to the “Ethernet Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the Ethernet Command Mode.

Subscriber Command Mode
The Subscriber command prompt (e.g., Subs_mark >>) is displayed when you are in the Subscriber command mode. You can access the Subscriber command mode by executing the subscriber command in the Configuration command mode. In the Subscriber command mode, you can provision subscribers of the LX unit. Some of the subscriber settings include function keys, Telnet settings, and security settings.

Refer to the “Subscriber Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the Subscriber Command Mode.

SNMP Command Mode
The SNMP command prompt (e.g., Snmp:0 >>) is displayed when you are in the SNMP command mode. You can access the SNMP command mode by executing the snmp command in the Configuration command mode. In the SNMP command mode, you can configure the SNMP settings for an LX unit.

Refer to the “SNMP Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the SNMP Command Mode.

Interface Command Mode
The Interface command prompt (e.g., Intf 1-1:0 >>) is displayed when you are in the Interface command mode. You can access the Interface command mode by executing the interface command in the Configuration command mode. In the Interface command mode, you can configure interfaces for the LX unit. Some of the settings that you can configure include the IP settings, MTU, and IP Rotaries for the interface, as well as SSH and Telnet settings.

Refer to the “Interface Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the Interface Command Mode.

Menu Command Mode
The Menu command prompt (e.g., Menu :0 >>) is displayed when you are in the Menu command mode. You can access the Menu command mode by executing the menu command in the Configuration command mode. In the Menu command mode, you can create, import, delete, and display menus and access the Menu Editing command mode by executing the open command.

Refer to the “Menu Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the Menu Command Mode.

Menu Editing Command Mode
The Menu Editing command prompt (e.g., mark-1:0 >>) is displayed when you are in the Menu Editing command mode. For example, the prompt mark-1:0 >> indicates that the menu mark is open in the Menu Editing command mode. You can access the Menu Editing command mode by executing the open command in the Menu command mode.

In the Menu Editing command mode, you can create and modify menus.

Refer to the “Menu Editing Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the Menu Editing Command Mode.

Notification Command Mode
The Notification command prompt (e.g., Notification:0 >>) is displayed when you are in the Notification command mode. You can access the Notification command mode by executing the notification command in the Configuration command mode. In the Notification command mode, you can configure the sending of accounting log messages to pagers, email addresses, SNMP trap clients, local files, remote hosts, syslogd, and asynchronous ports.

Refer to the “Notification Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the Notification Command Mode.

Broadcast Group Command Mode
The Broadcast Group command prompt (e.g., BrGroups 6:0 >>) is displayed when you are in the Broadcast Group command mode. You can access the Broadcast Group command mode by executing the broadcast group command in the Configuration command mode. In the Broadcast Group command mode, you can configure a Broadcast Group. A Broadcast Group consists of Slave Ports and Master Ports. The Slave Ports receive data broadcasts from the Master Ports.

Refer to the “Broadcast Group Commands” chapter of the LX-Series Commands Reference Guide for detailed information on the commands that you can execute in the Broadcast Group Command Mode.

Disabling (Negating) Features and Settings
In order to disable a feature or setting, you must execute the no command with one or more modifiers. For example, you can disable Autobaud by executing the no command with the autobaud modifier in the Asynchronous command mode. The full command syntax would look like this:

Async 6-6:0 >>no autobaud

The no command must be executed in the same Command Mode in which the feature or setting was specified.

To display the features and settings that can be disabled or negated in any command mode, enter no?, for example:

Async 6-6:0 >>no?
apd          authentication   autobaud   autodial

The above example shows that you can disable the Autodial feature by executing the no autodial command in the Asynchronous command mode.

In some instances, the no command may require more than one modifier. For example, to reset the dialout number in the Modem command mode, you need to execute the no command with the dialout modifier and the number modifier. Type the question mark (?) after the first modifier to determine if the no command requires additional modifiers to disable a feature or negate a setting, for example:

Modem 6-6:0 >>no dialout?
number
Modem 6-6:0 >>no dialout number?
<cr>

Related Documents
For detailed information on the LX commands, refer to the LX-Series Commands Reference Guide (P/N 451-0310E). For more information on the LX hardware, refer to Getting Started with the LX Series (P/N 451-0308E). The LX Quick Start Instructions (P/N 451-0312F) describes how to get the LX unit up and running.


Chapter 1
Initial Setup of the LX Unit

This section describes how to do the initial setup of the LX unit. You can do the tasks described in this chapter after you have installed and powered on the LX unit as described in Chapter 1 of Getting Started with the LX Series. Before you use the LX unit for network management, you must perform the tasks described in this chapter.

Configuring TCP/IP
You can allow the LX unit to obtain its TCP/IP parameters from the network, or you can explicitly configure TCP/IP parameters for the LX unit with the Quick Start Configurator or the IP Configuration Menu. (You can access the IP Configuration Menu from the ppciboot Main Menu.)

Obtaining TCP/IP Parameters from the Network
If the TCP/IP parameters for the LX unit have not been explicitly configured, the LX unit will attempt to load its TCP/IP parameters from the network when the LX unit boots. The LX unit can load its TCP/IP parameters from any LAN that runs DHCP, BOOTP, or RARP.

Configuring TCP/IP Parameters with the Quick Start Configurator
Do the following to configure TCP/IP parameters with the Quick Start Configurator:
1. Plug in the terminal at the DIAG port (port 0) on the LX unit. (The port values are 9600 bps, eight bits, no parity, one stop bit, and Xon/Xoff flow control.) The Run Initial Connectivity Setup? y/n message appears (when the LX first boots up on default parameters).
2. Press y (yes) and press <Enter>. The Superuser Password prompt appears.

3. Enter the password system, since this is the first time you are configuring the LX unit (the default password is system). The Quick Configuration menu appears:

Quick Configuration menu
1 Unit IP address
2 Subnet mask
3 Default Gateway
4 Domain Name Server
5 Domain Name Suffix
6 Superuser Password
7 Exit and Save
Enter your choice:

4. Press the number corresponding to the parameter you want to set. Once you enter a parameter value, a data entry line specific to that parameter appears on the Quick Configuration menu.
5. Enter the appropriate information and press <Enter> to return to the Quick Configuration menu.
6. Continue in this way through the menu, configuring as many parameters as you want. You are not required to configure all parameters.
NOTE: You should change the Superuser Password.
7. Press 7 (Exit and Save) to save your changes. The Is this information correct? message appears.

CONFIGURATION SUMMARY
1 Unit IP address         10.1.80.5
2 Subnet mask             255.0.0.0
3 Default Gateway
4 Domain Name Server
5 Domain Name Suffix
6 Superuser Password      Changed
7 Exit and Save
Is this information correct? (y/n) :

8. Press y (yes) and press <Enter>. The Save this information to flash? message appears.
9. Press y (yes) and press <Enter>. The information is saved to flash.
10. Press <Enter> several times to display the Login: prompt.
11. Enter your login name. The default is InReach.
12. Enter your password. The default is access. You can now use the LX unit.
NOTE: The login username and password are case-sensitive.

Setting the TCP/IP Parameters in the IP Configuration Menu
You can use the IP Configuration Menu to set the TCP/IP parameters for the LX unit. For more information, refer to “Using the IP Configuration Menu” in Getting Started with the LX Series.

Creating and Loading a Default Configuration File
This section explains how to create a default configuration file with which you can load multiple units.

Creating a Default Configuration File
After your first LX unit is up and running, you can save the unit configuration to the network. For further information, refer to “Saving the Configuration to the Network” on page 30. Once this is complete, you can use this .prm file as a template to configure multiple units at one time by changing the last six digits of the mac address to reflect that of the specific unit. You must rename this .zip file to lx last six digits of the mac address.prm (e.g., lx12ab9f.prm).

Loading a Default Configuration File
If loading via BOOTP and DHCP, you can load a default configuration file from a TFTP server that is located on the same server from which you obtained your IP address. If you are not loading via one of these, the unit looks on the TFTP server specified in ppciboot. If the configuration is defaulted, it is detected at startup and the unit checks that a TFTP server was passed by ppciboot. If a TFTP server is accessible, the LX unit connects to it and tries to download a default file named lx last six digits of the mac address.prm (e.g., lx12ab9f.prm). If this file exists, the LX unit loads it into its configuration table. If the default file does not exist, the Quick Start menu is displayed.

The configuration file is a .zip file that contains everything previously described except for the SSH keys, since they belong to the unit itself and cannot be used on a different unit. Since the format is a .zip file, it is usable by WinZip or UNIX Unzip. After copying the .prm file, you would rename it to lx last six digits of the mac address.prm (e.g., lx12ab9f.prm). You can use the .prm file as a template to configure multiple units at one time.

Saving the Configuration to the Network
The TFTP protocol is used to perform the operation of saving the LX configuration to a network host. If the network host is a UNIX host, a configuration file must already exist on the TFTP server. To save the configuration to the network, execute the following command in the Superuser Command Mode:

save configuration network filename tftp_server_address

NOTE: The filename that you specify in the save configuration network command must not include the .zip extension. For more information, refer to “Saving the Configuration to the Network” on page 62.
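The naming rule above (lx, the last six hex digits of the unit's MAC address, and a .prm extension on a .zip archive) is easy to get wrong by hand when staging many units. The following is an added example, not code from the LX guide or from MRV: it derives the per-unit filename for a batch of MAC addresses, clones a template archive under each name, and audits a TFTP directory for units whose file is missing or not a zip archive. Every MAC address, directory and archive content here is a constructed sample; the function names are the example's own.

```python
"""Added example (not from the LX guide or MRV): per-unit default config
filenames and a staging check for a TFTP directory.  The LX downloads
lx<last six MAC digits>.prm, a .zip archive, so zipfile.is_zipfile() is
used as the sanity check.  All MACs, paths and contents are constructed."""
import os
import re
import tempfile
import zipfile

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def default_config_name(mac):
    """Accepts 00:11:22:ab:cd:ef, 00-11-22-AB-CD-EF or 0011.22ab.cdef and
    returns the lx<last six digits>.prm name the unit will request."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"lx{digits[-6:]}.prm"


def clone_template(template_path, out_dir, macs):
    """Copy one saved template archive under each unit's own name.
    Returns the list of paths written."""
    if not zipfile.is_zipfile(template_path):
        raise ValueError("template is not a .zip archive")
    with open(template_path, "rb") as f:
        data = f.read()
    written = []
    for mac in macs:
        path = os.path.join(out_dir, default_config_name(mac))
        with open(path, "wb") as f:
            f.write(data)
        written.append(path)
    return written


def audit_tftp_dir(tftp_dir, macs):
    """Report units with no readable archive staged.  A unit whose file is
    missing falls back to the Quick Start menu, i.e. it comes up with the
    default passwords described in this chapter, so gaps matter."""
    missing, corrupt = [], []
    for mac in macs:
        name = default_config_name(mac)
        path = os.path.join(tftp_dir, name)
        if not os.path.exists(path):
            missing.append(name)
        elif not zipfile.is_zipfile(path):
            corrupt.append(name)
    return {"missing": missing, "corrupt": corrupt}


def demo():
    """Stage one of two constructed units and audit; the second is missing."""
    macs = ["00:A0:12:12:AB:9F", "00-a0-12-34-56-78"]   # constructed
    with tempfile.TemporaryDirectory() as d:
        template = os.path.join(d, "template.prm")
        with zipfile.ZipFile(template, "w") as z:
            z.writestr("sample.txt", "constructed sample content\n")
        clone_template(template, d, macs[:1])
        return audit_tftp_dir(d, macs)
```

Run demo() to see the audit result for the constructed pair; in practice, point audit_tftp_dir at the real TFTP root and the list of MACs from the unit labels before powering the units on.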

Setting Up Local (Onboard) Security for the LX Unit
Local security is the default security method for the LX unit. Under Local security, the user is authenticated against a username/password file that resides on the LX unit.

NOTE: The LX unit also supports RADIUS, TACACS+, and SecurID. Under RADIUS, TACACS+, and SecurID security, the user is authenticated against a username/password file that resides on the authentication server. For more information, refer to “Setting Up RADIUS, SecurID, and TACACS+ for the LX Unit” on page 33.

IMPORTANT! MRV Communications recommends that you change the default password for the user InReach before you put the LX unit on a network. For more information, refer to “Changing the Password Defaults” (below).

Changing the Password Defaults
It is widely known that the default password for the InReach user is access. If an unauthorized user knew this username/password combination, he/she could log on to your LX unit. For this reason, you should change the InReach user’s password to something other than access. It is also widely known that the default Superuser password is system. To reduce the risk of an unauthorized user gaining access to the Superuser Command Mode, MRV recommends that you change this password to something other than system.

Changing the Default Password for the InReach User
Do the following to change the User-level password of the InReach User:
1. Access the Configuration Command Mode. (Refer to “Configuration Command Mode” on page 18 for information on accessing the Configuration Command Mode.)


2. Access the Subscriber Command Mode for the InReach subscriber. You
do this by entering the subscriber command with InReach as the
command argument; for example:
Config:0 >>subscriber InReach

3. Enter the password command at the Subs_InReach >> prompt; for
example:

Subs_InReach >>password

4. Enter a new User password at the Enter your NEW password:
prompt. The password will be displayed as asterisks, as in the following
example:

Enter your NEW password : ***************

5. Re-enter the new User password at the Re-Enter your NEW
password: prompt. The password will be displayed as asterisks, as in
the following example:

Re-Enter your NEW password: ***************

Changing the Default Superuser Password

To change the Superuser password for the LX unit, do the following:
1. Access the Configuration Command Mode. (Refer to “Configuration
Command Mode” on page 18 for information on accessing the Configuration
Command Mode.)

2. Enter the password command at the Config:0 >> prompt; for
example:

Config:0 >>password

3. Enter a new Superuser password at the Enter your NEW password:
prompt. The password will be displayed as asterisks, as in the following
example:

Enter your NEW password : ***************



4. Re-enter the new Superuser password at the Re-Enter your NEW
password: prompt. The password will be displayed as asterisks, as in
the following example:

Re-Enter your NEW password: ***************

Setting Up RADIUS, SecurID, and TACACS+ for the LX Unit
You can implement SecurID, RADIUS, or TACACS+ authentication on the
LX unit. For more information, refer to the following:
• “Setting Up RADIUS” (below)

• “Setting Up TACACS+” on page 38

• “Setting Up SecurID” on page 43

Setting Up RADIUS
The LX can implement RADIUS authentication and RADIUS accounting
at the server level and for specific interfaces and asynchronous ports. You
must configure RADIUS accounting and/or authentication at the server
level before you can implement it on specific interfaces and asynchronous
ports on the LX unit.

The basic steps for configuring RADIUS authentication on the LX unit are:

1. Installing and configuring the RADIUS server on a Network-based
Host (see page 34).

2. Specifying the RADIUS server settings on the LX (see page 34).

3. Specifying the RADIUS period on the LX (see page 38).
For more information on RADIUS authentication, refer to “Overview of
RADIUS Authentication” on page 157.

For more information on RADIUS accounting, refer to “Overview of
RADIUS and TACACS+ Accounting” on page 161.



Installing and Configuring the RADIUS Server on a Network-based Host

Before you can authenticate with RADIUS on your LX unit, you must
configure a RADIUS server on your network.

In general, RADIUS server implementations are available on the Internet.
These implementations generally use a daemon process that interacts with
RADIUS clients (located on LX units and on other remote access devices).

The daemon uses a list of clients and associated secrets that it shares with
these clients. The per-client secret is used to encrypt and validate
communications between the RADIUS server and the client. The file used
to keep the client list and secrets is the “clients” file.

Another file used by the daemon to store the users that are authenticated
is the “users” file. The “users” file contains the RADIUS attributes
associated with a particular user. As a minimum, this file must contain
the user’s username, password (depending on the RADIUS server used),
and Service-type.

To configure the RADIUS server, refer to your RADIUS host
documentation. MRV recommends that you use the Merit RADIUS server
implementation. Information for the Merit RADIUS server can be found
at http://www.merit.edu. Refer to the GOPHER SERVER and the MERIT
Network Information Center for new releases.
Specifying the RADIUS Server Settings on the LX

Do the following to specify the RADIUS server settings on the LX unit:

1. Check the primary RADIUS Server host to ensure that the RADIUS
server client database has been configured.
2. Access the Configuration Command Mode on the LX. (Refer to
“Configuration Command Mode” on page 18 for information on accessing
the Configuration Command Mode.)


3. Use the radius primary authentication server address command to specify the IP address of the RADIUS primary authentication server, for example:

Config:0 >>radius primary authentication server address 146.32.87.93

4. Use the radius primary authentication server secret command to specify the secret that will be shared between LX unit and the RADIUS primary authentication server, for example:

Config:0 >>radius primary authentication server secret BfrureG

5. Use the radius primary authentication server port command to specify the socket your RADIUS server is listening to, for example:

Config:0 >>radius primary authentication server port 1645

NOTE: The LX listens to port 1812 by default.

6. To verify the LX RADIUS configuration, exit from the Configuration command mode and execute the show radius characteristics command at the Superuser command prompt, for example:

InReach:0 >>show radius characteristics

Refer to Table 1 on page 36 for descriptions of all of the settings that you can specify for a RADIUS server.

In order to use a RADIUS primary accounting server, or a RADIUS secondary server, you must specify an IP address and a secret for the respective RADIUS server. For examples of the commands that you would use, refer to the following sections:
• “RADIUS Primary Accounting Server Commands” on page 37
• “RADIUS Secondary Authentication Server Commands” on page 37

• “RADIUS Secondary Accounting Server Commands” on page 37

NOTE: The use of a RADIUS primary accounting server, and the use of RADIUS secondary servers, is optional. After you have specified the RADIUS settings for the RADIUS primary authentication server, you can configure the RADIUS primary accounting server and the RADIUS secondary authentication and accounting servers. For more information, refer to the applicable commands in the “Configuration Commands” chapter of the LX-Series Commands Reference Guide.

Table 1 - RADIUS Settings

RADIUS Settings   Description
address           IP address of the RADIUS server
port (1)          UDP port of the RADIUS server
retransmit (1)    The maximum number of times that the LX unit will attempt to retransmit a message to the RADIUS server
secret            The RADIUS secret shared between the LX unit and the RADIUS server
timeout (1)       The length of time that the LX unit will wait for the RADIUS server to respond before retransmitting packets to it

1. If you do not specify a UDP port, retransmit value, or timeout value for the RADIUS server, the LX unit will use the default values for these settings.

RADIUS Command Examples
This section provides examples of all of the commands that are used to specify settings for the RADIUS servers. Refer to the “Configuration Commands” chapter of the LX-Series Commands Reference Guide for detailed descriptions of the commands in this chapter.

RADIUS Primary Authentication Server Commands
Config:0 >>radius primary authentication server address 152.34.65.33

Config:0 >>radius primary authentication server port 1645
Config:0 >>radius primary authentication server retransmit 3
Config:0 >>radius primary authentication server secret AaBbCc
Config:0 >>radius primary authentication server timeout 7

RADIUS Primary Accounting Server Commands
Config:0 >>radius primary accounting server address 181.28.84.68
Config:0 >>radius primary accounting server port 1646
Config:0 >>radius primary accounting server retransmit 3
Config:0 >>radius primary accounting server secret reuyyurew
Config:0 >>radius primary accounting server timeout 7

RADIUS Secondary Authentication Server Commands
Config:0 >>radius secondary authentication server address 178.56.20.78
Config:0 >>radius secondary authentication server port 1812
Config:0 >>radius secondary authentication server retransmit 3
Config:0 >>radius secondary authentication server secret AsJkirbg
Config:0 >>radius secondary authentication server timeout 7

RADIUS Secondary Accounting Server Commands
Config:0 >>radius secondary accounting server address 198.67.82.77
Config:0 >>radius secondary accounting server port 1813
Config:0 >>radius secondary accounting server retransmit 3
Config:0 >>radius secondary accounting server secret GgJjoreou
Config:0 >>radius secondary accounting server timeout 7

Specifying the RADIUS Period on the LX
The RADIUS period is the interval at which the LX unit will update the RADIUS accounting server with the status of each RADIUS user. The RADIUS period is specified in minutes. For more information, refer to “Overview of RADIUS and TACACS+ Accounting” on page 161.

Do the following to specify the RADIUS period:
1. Access the Configuration Command Mode. (Refer to “Configuration Command Mode” on page 18 for information on accessing the Configuration Command Mode.)
2. Use the radius period command to specify the RADIUS period, for example:

Config:0 >>radius period 10

Setting Up TACACS+
You can implement TACACS+ authentication and TACACS+ accounting at the server level and for specific interfaces and asynchronous ports on the LX unit. You must implement TACACS+ accounting and/or authentication at the server level before you can implement it on specific interfaces and asynchronous ports on the LX unit.

The basic steps for configuring TACACS+ authentication on the LX unit are:
1. Installing and configuring the TACACS+ server on a Network-based Host (see page 38).
2. Specifying the TACACS+ server settings on the LX (see page 39).
3. Specifying the TACACS+ period on the LX (see page 42).

For more information on TACACS+ authentication, refer to “Overview of TACACS+ Authentication” on page 167. For more information on TACACS+ accounting, refer to “Overview of RADIUS and TACACS+ Accounting” on page 161.

Installing and Configuring the TACACS+ Server on a Network-based Host
Before you can configure TACACS+ on your LX unit, you must configure a TACACS+ server on your network.

In general, TACACS+ server implementations are available on the Internet. These implementations generally use a daemon process that interacts with TACACS+ clients (located on LX units and on other remote access devices).

The daemon uses a list of clients and associated secrets that it shares with these clients. The per-client secret is used to encrypt and validate communications between the TACACS+ server and the client. The file used to keep the client list and secrets is the “clients” file.

Another file used by the daemon to store the users that are authenticated is the “users” file. The “users” file contains the TACACS+ attributes associated with a particular user. As a minimum, this file must contain the user’s username, password (depending on the TACACS+ server used), and Service-type.

To configure the TACACS+ server, refer to your TACACS+ host documentation.

Specifying the TACACS+ Server Settings on the LX
Do the following to specify the TACACS+ server settings on the LX unit:
1. Check the primary TACACS+ Server host to ensure that the TACACS+ server client database has been configured.
2. Access the Configuration Command Mode on the LX. (Refer to “Configuration Command Mode” on page 18 for information on accessing the Configuration Command Mode.)
3. Use the tacacs+ primary authentication server address command to specify the IP address of the TACACS+ primary authentication server, for example:

Config:0 >>tacacs+ primary authentication server address 149.19.87.89

4. Use the tacacs+ primary authentication server secret command to specify the secret that will be shared between LX unit and the TACACS+ primary authentication server, for example:
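The TACACS+ "clients" secret does a different job from the RADIUS one: it obfuscates the entire packet body rather than only the password. The following is an added example, not code from the LX guide, from MRV or from any TACACS+ daemon: the RFC 8907 body obfuscation (an MD5 chain seeded from session_id, key, version and seq_no, XORed with the body), shown both for a body protected with the key and for a body sent with the unencrypted flag set, which a defender should treat as a misconfiguration when seen on the wire. The key, session id and body bytes are constructed sample values, and the function names are the example's own.

```python
"""Added example (not from the LX guide or MRV): RFC 8907 section 4.5 body
obfuscation with the per-client TACACS+ key, and a check for the
TAC_PLUS_UNENCRYPTED_FLAG header bit.  All values are constructed."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0              # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01               # packet type
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # header flag: body is in the clear


def tacacs_pad(session_id, key, version, seq_no, length):
    """pad_1 = MD5(session_id + key + version + seq_no);
    pad_n = MD5(session_id + key + version + seq_no + pad_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; the same call recovers the body (XOR is an involution)."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_packet(body, session_id, key, seq_no=1, encrypt=True):
    """12-byte header (version, type, seq_no, flags, session_id, length) + body."""
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                         seq_no, flags, session_id, len(body))
    payload = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if encrypt else body
    return header + payload


def open_packet(packet, key):
    """Returns (body, warnings).  With the wrong key the body is garbage
    rather than an error, which is how a key mismatch shows up in practice;
    a cleartext body is returned as-is but flagged."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body, ["unencrypted body"]
    return obfuscate(body, session_id, key, version, seq_no), []
```

open_packet() is the shape of check a capture-analysis script needs: the flag test is cheap and catches a client or daemon configured without a key, while a body that decodes to nonsense with the key you expect points at a "clients" file entry that does not match what was typed on the LX.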

Config:0 >>tacacs+ primary authentication server secret Goitji

5. Use the tacacs+ primary authentication server port command to
specify the socket your TACACS+ server is listening to; for example:

Config:0 >>tacacs+ primary authentication server port 1687

NOTE: The standard TACACS+ server port is TCP 49 (port 1812 is the
RADIUS authentication port, not a TACACS+ port). The port you set here
must match the port the TACACS+ daemon actually listens on; confirm the
value in use with show tacacs+ characteristics.

6. To verify the LX TACACS+ configuration, exit from the Configuration
command mode and execute the show tacacs+ characteristics command at
the Superuser command prompt; for example:

InReach:0 >>show tacacs+ characteristics

Refer to Table 2 on page 41 for descriptions of all of the settings that
you can specify for a TACACS+ server.

After you have specified the TACACS+ settings for the TACACS+ primary
authentication server, you can configure the TACACS+ primary accounting
server and the TACACS+ secondary authentication and accounting servers.
In order to use a TACACS+ primary accounting server, or a TACACS+
secondary server, you must specify an IP address and a secret for the
respective TACACS+ server. For examples of the commands that you would
use, refer to the following sections:

• “TACACS+ Primary Authentication Server Commands” on page 41
• “TACACS+ Secondary Authentication Server Commands” on page 42
• “TACACS+ Secondary Accounting Server Commands” on page 42

NOTE: The use of a TACACS+ primary accounting server, and the use of
TACACS+ secondary servers, is optional.
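The role of the per-client secret described above, as an added example that is not part of this guide or of any TACACS+ daemon: a Python model of the body obfuscation that RFC 8907 (the TACACS+ protocol) keys on the shared secret. It assumes a constructed authentication START body, an arbitrary session ID, and the secret Goitji from the procedure above. It shows that the same XOR encodes and decodes, that a wrong secret yields garbage rather than an error, that the protocol's unencrypted flag bypasses the secret entirely, and that two packets sharing a session ID and sequence number leak the XOR of their bodies to an on-path observer who has no secret at all.

```python
import hashlib
import struct

# Constants from RFC 8907 (The TACACS+ Protocol).
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in the clear
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream of RFC 8907 section 4.5: MD5_1 = MD5(session_id, key,
    version, seq_no); MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1).
    Nothing in the input is secret except the key, and nothing varies per
    packet except session_id and seq_no."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, priv_lvl=1):
    """Constructed authentication START body: action=LOGIN, authen_type=ASCII,
    service=LOGIN; rem_addr and data are left empty."""
    user, port = user.encode(), port.encode()
    fixed = struct.pack("!8B", 0x01, priv_lvl, 0x01, 0x01,
                        len(user), len(port), 0, 0)
    return fixed + user + port


def build_packet(body, session_id, key, seq_no=1, ptype=TAC_PLUS_AUTHEN):
    """Header plus body. An empty key selects the unencrypted flag, which is
    what a client with no secret configured would send."""
    if key:
        flags = 0
        payload = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags,
                         session_id, len(payload))
    return header + payload


def parse_packet(packet, key):
    """Return (body, was_obfuscated); rejects truncated packets."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(
        packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload, False
    return obfuscate(payload, session_id, key, version, seq_no), True


def xor_of_bodies(packet_a, packet_b):
    """What an observer learns without the key when two packets reuse the
    same session_id and seq_no: the pads cancel, leaving body_a XOR body_b."""
    return bytes(a ^ b for a, b in
                 zip(packet_a[HEADER.size:], packet_b[HEADER.size:]))
```

The session ID is the only per-session input to the pad, so a client that reuses session IDs, or one secret shared by many clients, weakens the protection further; that is why the per-client secret in the daemon's “clients” file and a management-only network both matter.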

Table 2 - TACACS+ Settings

TACACS+ Setting   Description
address           IP address of the TACACS+ server
port (1)          TCP port of the TACACS+ server (TACACS+ runs over TCP;
                  the standard port is 49)
retransmit (1)    The maximum number of times that the LX unit will
                  attempt to retransmit a message to the TACACS+ server
secret            The TACACS+ secret shared between the LX unit and the
                  TACACS+ server
timeout (1)       The length of time that the LX unit will wait for the
                  TACACS+ server to respond before retransmitting packets
                  to it

1. If you do not specify a port, retransmit value, or timeout value for
the TACACS+ server, the LX unit will use the default values for these
settings. For more information, refer to the applicable commands in the
“Configuration Commands” chapter of the LX-Series Commands Reference
Guide.

TACACS+ Command Examples

This section provides examples of all of the commands that are used to
specify settings for the TACACS+ servers. Refer to the “Configuration
Commands” chapter of the LX-Series Commands Reference Guide for detailed
descriptions of the commands in this chapter.

TACACS+ Primary Authentication Server Commands

Config:0 >>tacacs+ primary authentication server address 182.36.98.33
Config:0 >>tacacs+ primary authentication server port 1687
Config:0 >>tacacs+ primary authentication server retransmit 3
Config:0 >>tacacs+ primary authentication server secret Gfsufsa
Config:0 >>tacacs+ primary authentication server timeout 7

TACACS+ Primary Accounting Server Commands

Config:0 >>tacacs+ primary accounting server address 182.57.56.20
Config:0 >>tacacs+ primary accounting server port 1664
Config:0 >>tacacs+ primary accounting server retransmit 3
Config:0 >>tacacs+ primary accounting server secret iuhgeuer
Config:0 >>tacacs+ primary accounting server timeout 7

TACACS+ Secondary Authentication Server Commands

Config:0 >>tacacs+ secondary authentication server address 182.28.86.58
Config:0 >>tacacs+ secondary authentication server port 1842
Config:0 >>tacacs+ secondary authentication server retransmit 3
Config:0 >>tacacs+ secondary authentication server secret L3498reiu
Config:0 >>tacacs+ secondary authentication server timeout 7

TACACS+ Secondary Accounting Server Commands

Config:0 >>tacacs+ secondary accounting server address 182.32.18.56
Config:0 >>tacacs+ secondary accounting server port 1819
Config:0 >>tacacs+ secondary accounting server retransmit 3
Config:0 >>tacacs+ secondary accounting server secret Geihuige2
Config:0 >>tacacs+ secondary accounting server timeout 7

Specifying the TACACS+ Period on the LX

The TACACS+ period is the interval at which the LX unit will update the
TACACS+ accounting server with the status of each TACACS+ user. This
value is specified in minutes.

Do the following to specify the TACACS+ period:


1. Access the Configuration Command Mode. (Refer to “Configuration
Command Mode” on page 18 for information on accessing the Configu-
ration Command Mode.)
2. Use the tacacs+ period command to specify the TACACS+ period;
for example:

Config:0 >>tacacs+ period 10

Setting Up SecurID
You can implement SecurID authentication at the server level and for
specific interfaces and asynchronous ports on the LX unit. You must
implement SecurID authentication at the server level before you can
implement it on specific interfaces and asynchronous ports on the LX unit.

Under SecurID authentication, the user is required to enter a user name
and a PIN plus the current token code from his or her SecurID token. The
LX unit transmits the information to the RSA ACE/Server, which approves
access when the information is validated.

SecurID supports both DES and SDI encryption.


The basic steps for configuring SecurID authentication on the LX unit are:

1. Installing and configuring the SecurID server on a Network-based
Host (see page 44).
2. Specifying the SecurID server settings on the LX (see page 44).

For more information on SecurID authentication, go to the RSA SecurID
website (http://www.rsasecurity.com/products/securid/index.html).

Installing and Configuring the SecurID Server on a Network-based Host

Before you can configure SecurID on your LX unit, you must configure a
SecurID server on your network. To configure the SecurID server, refer to
your SecurID host documentation.

Specifying the SecurID Server Settings on the LX

Do the following to specify the SecurID server settings on the LX unit:
1. Check the primary SecurID Server host to ensure that the SecurID
application is running.

2. Access the Configuration Command Mode on the LX. (Refer to
“Configuration Command Mode” on page 18 for information on accessing
the Configuration Command Mode.)

3. Use the securid authentication version command to specify the
SecurID authentication version for the LX unit. You can specify the
authentication version as Version 5, or pre-Version 5 (legacy); for
example:
Config:0 >>securid authentication version version_5
Config:0 >>securid authentication version legacy

4. Use the securid authentication port command to specify the
socket your SecurID server is listening to; for example:

Config:0 >>securid authentication port 1687

NOTE: Port 1812 is the RADIUS authentication port, not a SecurID port;
the RSA ACE/Server agent protocol conventionally uses UDP 5500. The port
you set here must match the one your ACE/Server listens on; confirm the
value in use with show securid characteristics.


5. Use the securid primary authentication server address
command to specify the IP address of the SecurID primary
authentication server; for example:
Config:0 >>securid primary authentication server
address 149.19.87.89

NOTE: If the SecurID authentication version is “legacy”, you must
specify a Master authentication server instead of a Primary
authentication server. For more information, refer to the
securid master authentication server address
command in the LX-Series Commands Reference Guide.

6. Use the securid authentication encryption command to specify
the SecurID encryption method for the LX unit. You can specify DES or
SDI as the encryption method; for example:
Config:0 >>securid authentication encryption des
Config:0 >>securid authentication encryption sdi

7. To verify the LX SecurID configuration, exit from the Configuration
command mode and execute the show securid characteristics
command at the Superuser command prompt; for example:
InReach:0 >>show securid characteristics

SecurID Command Examples

This section provides examples of all of the commands that are used to
specify settings for the SecurID servers. Refer to the “Configuration
Commands” chapter of the LX-Series Commands Reference Guide for
detailed descriptions of the commands in this chapter.

Config:0 >>securid primary authentication server address
138.30.65.34
Config:0 >>securid authentication port 4500
Config:0 >>securid primary authentication server name bigsky1.com
Config:0 >>securid authentication encryption des


Config:0 >>securid authentication retransmit 7
Config:0 >>securid authentication timeout 3
Config:0 >>securid authentication version version_5

Refer to Table 3 (below) for descriptions of all of the settings that you
can specify for a SecurID server.

Table 3 - SecurID Settings

SecurID Setting   Description
address           IP address of the SecurID server
port (1)          UDP port of the SecurID server
retransmit (1)    The maximum number of times that the LX unit will
                  attempt to retransmit a message to the SecurID server
encryption (1)    The encryption method for SecurID authentication on
                  the LX unit
version (1)       The SecurID authentication version that will be used
                  on the LX unit
name (1)          The host name of the SecurID authentication server for
                  the LX unit
timeout (1)       The length of time that the LX unit will wait for the
                  SecurID server to respond before retransmitting packets
                  to it

1. If you do not specify a UDP port, retransmit value, timeout,
encryption, version, or name for the SecurID server, the LX unit will use
the default values for these settings. For more information, refer to the
applicable commands in the “Configuration Commands” chapter of the
LX-Series Commands Reference Guide.

NOTE: If the SecurID secret on the LX unit does not match the SecurID
secret on the SecurID server, you will need to clear the secret from the
LX unit. (This is the node secret that the ACE/Server shares with each
agent host; a mismatch usually follows a reset on one side.) To clear the
SecurID secret from the LX unit, refer to the zero securid secret
command in the LX-Series Commands Reference Guide.

Resetting the Unit to Factory Defaults

If you believe you have misconfigured the unit, or you believe the
configuration is somehow corrupt, you may wish to reset the unit to its
factory defaults. This may be done in one of several ways:

From an LX asynchronous port:

1. Access the Configuration Command Mode. (Refer to “Configuration
Command Mode” on page 18 for information on accessing the Configuration
Command Mode.)
2. Enter the default configuration command to reset the LX unit to the
factory defaults; for example:

Config:0 >>default configuration

NOTE: After you enter the above command, the LX will display a
confirmation prompt warning you that the unit will be rebooted. The LX
unit will be defaulted, and rebooted, if you answer “yes” to the
confirmation prompt.

From a web browser:

1. Browse to the LX unit’s IP address, log in to the LX unit, and bring
up the console.
2. Click on the ‘Admin’ button on the menu bar of the client and enter
the Superuser password. This activates a ‘Default’ button on the menu
bar.
3. Click on the ‘Default’ button to display the options to default the
unit or certain other parameters.
4. Select the option to default the unit.

NOTE: After you select a default option, the LX will display a
confirmation prompt warning you that the unit will be rebooted. The LX
unit will be defaulted, and rebooted, if you answer “yes” to the
confirmation prompt.

From the LX DIAG port:

NOTE: This method is recommended if you no longer have network access,
or if you are unable to make a serial connection to an LX asynchronous
port.

1. Connect a terminal to the DIAG port of the LX unit.
2. Power-cycle the LX unit. When the unit is powered on, the ppciboot
Main Menu is displayed.
3. Select the asterisk (*) from the menu to display the following
options:

[1] Reset ppciboot Configuration
[2] Reset Linux System Configuration

4. Select [1] to reset the ppciboot configuration to system defaults.
You are prompted for the password, which is access. (Note: Although the
ppciboot configuration will be reset to defaults, it will not be saved to
flash. To save the configuration to flash, execute the save
configuration flash command in the Superuser command mode. Do this only
after you have configured the ppciboot options and saved the
configuration.)
5. Select [2] to reset the Linux system configuration. If you enter the
password, the command erases all of the configurations you have saved,
except for the ppciboot configuration.
6. Press B to Boot the system.

NOTE: The ppciboot password is a published default, so anyone with
physical access to the DIAG port can erase the configuration. Treat
physical access to the DIAG port as administrative access to the unit.

Refer to “Booting from Defaults” on page 76 for further information on
defaulting from ppciboot and defaulting from the CLI.

Chapter 2

Setting Up Remote Console Management

Network Elements can be managed via Telnet connections, or via SSH
connections, to the LX asynchronous ports on which the network elements
are attached. This method of managing network elements is known as
remote console management. This chapter describes how to set up remote
console management on an LX unit.

Setting up remote console management involves doing the following:

• Connecting the LX asynchronous port to the Network Element (see
below).
• Configuring the LX asynchronous port for the remote management of the
connected Network Element (see page 51).
• Setting up security for the LX asynchronous port to which the network
element is connected (see page 54).
• Creating the subscriber(s) that have remote access to the asynchronous
port where the Network Element is connected (see page 58).

Connecting the Console Port to the Network Element

Network elements can be connected to LX asynchronous ports by a modem or
by a direct serial line. The LX asynchronous-port connectors are female
RJ-45 connectors. MRV Communications provides RJ-45 crossover cables.
Use a crossover cable to connect a direct serial line from an LX console
port to the serial management port on a network element. Use a
straight-through cable to connect a console port to a modem. You can make
the MRV-supplied RJ-45 crossover cables into straight-through cables. For
more information, refer to “Making Straight-through Cables” on page 50.

Making Straight-through Cables

To make an MRV-supplied crossover cable into a straight-through cable,
do the following:

• Lay the modular cable on a table or on some other flat surface. (The
modular cable should lie flat with no rolls or twists in it.)
• Crimp the RJ-45 connector in opposite directions at both ends (see
Figure 2).

[Figure 2 - Straight-through Wiring Scheme: a straight-through cable
with RJ-45 connectors at both ends]

NOTE: MRV Communications recommends that you not use Ethernet Xbase-T
crossover or straight-through cable for serial communications.

Recommendations for Making Cables

Keep the following in mind when you make your own cables:

• Before crimping the cables, make sure that the RJ-45 connector is
fully inserted into the die-set cavity and that the wire is fully inserted
into the RJ-45 connector. (The die set might be fragile, and it could
break if the RJ-45 connector is not properly seated before you squeeze
the handle.)
• In order to keep track of the cable type, you should use different
colored wires for straight-through and crossover cable. For example, MRV
Communications recommends silver wire for making crossover cables and
black wire for making straight-through cables.

Modular Adapters (RJ-45 to DB-25 and RJ-45 to DB-9)

You can obtain adapters with male and female DB-25 and female DB-9
connectors from MRV Communications. These adapters direct signals from
the RJ-45 connectors on the cable to the correct pin on the DB-25, or
DB-9, connector. For more information, refer to Getting Started with the
LX Series.

Configuring Ports for Remote Console Management

This section describes how to configure LX asynchronous ports for remote
console management.

Configuring Asynchronous Ports for Direct Serial Connections

The default settings for LX asynchronous ports will support direct serial
connections to most Network Elements. However, when conditions warrant,
you can explicitly set an asynchronous port to non-default values.

NOTE: Autobaud must be disabled on ports that are used for remote console
management. To disable autobaud on a port, execute the no autobaud
command in the Asynchronous command mode.

Explicitly Setting LX Asynchronous Port Characteristics

It is recommended that you explicitly set the characteristics of an LX
asynchronous port to match those of a directly connected Network
Element. To explicitly set the characteristics of an LX asynchronous
port, do the following:

1. Access the Asynchronous Command Mode for the asynchronous port that
you want to configure. (Refer to “Asynchronous Command Mode” on page 19
for information on accessing the Asynchronous Command Mode.)
2. Use the access remote command to set the access for the
asynchronous port to Remote; for example:

Async 6-6:0 >>access remote

3. In the Asynchronous Command Mode, enter the appropriate command to
set the speed, parity, stop bits, data bits, flow control, or autohangup
setting for the asynchronous port. Table 4 lists the commands that you can
use to set the port characteristics that pertain to remote console
management of directly connected Network Elements. For the full syntax of
each command listed in Table 4, refer to the LX-Series Commands Reference
Guide.

Table 4 - Commands for Setting Asynchronous Port Characteristics

Port Characteristic   Allowable Values                         Command Examples
autohangup            enabled or disabled                      autohangup enable
                                                               no autohangup
data bits             5, 6, 7, or 8                            bits 6
flow control          xon or cts                               flowcontrol cts
                                                               flowcontrol xon
parity                even, odd, or none                       parity even
                                                               parity odd
                                                               parity none
speed                 134, 200, 300, 600, 1200, 2400, 4800,    speed 115200
                      9600, 19200, 38400, 57600, 115200, or
                      230400
stop bits             1 or 2                                   stop bits 1
                                                               stop bits 2

NOTE: MRV Communications recommends that you enable Autohangup on an LX
asynchronous port that will be used to do remote console management. This
ensures that the port will drop the connection when the network element
resets DTR at subscriber logout; without it, the next subscriber to reach
the port could inherit a console session that is still logged in on the
network element.

Setting Up Modem Ports for Remote Console Management

Do the following to set up a Modem Port for remote console management:

1. Access the Asynchronous Command Mode for the asynchronous port that
you want to set up for remote console management. (Refer to
“Asynchronous Command Mode” on page 19 for information on accessing the
Asynchronous Command Mode.)
2. Execute the access remote command to set the port access to REMOTE;
for example:

Async 5-5:0 >>access remote

3. Execute the modem enable command to enable modem control on the
port; for example:

Async 5-5:0 >>modem enable

4. Execute the flow control command to set the port flow control to
CTS; for example:

Async 5-5:0 >>flowcontrol cts

5. To set the port speed, use the speed command. Ensure that the port
is set to the same speed as the modem to which the port is attached; for
example:

Async 5-5:0 >>speed 57600

6. Execute the modem command to access the Modem Command Mode for the
port under configuration; for example:

Async 5-5:0 >>modem

7. In the Modem Command Mode, execute the type command to set the
Modem Type to DIALOUT; for example:

Modem 5-5:0 >>type dialout

8. In the Modem Command Mode, execute the dialout number command to
specify the number that the modem will dial to connect with the Network
Element on the Public Network; for example:

Modem 5-5:0 >>dialout number 19785558371

9. In the Modem Command Mode, execute the initstring command to
specify the initialization string for the modem; for example:

Modem 5-5:0 >>initstring AT S7=45 S0=1 L1 V1 X4 &C1 &1 Q0 &S1

NOTE: The initialization string may vary between modem types.

10. In the Modem Command Mode, execute the retry command to specify
the Retry value for the modem; for example:

Modem 5-5:0 >>retry 6

11. In the Modem Command Mode, execute the timeout command to specify
the Timeout value for the modem; for example:

Modem 5-5:0 >>timeout 30

Setting Up Security for a Console Port

You can use LOCAL authentication, RADIUS authentication, SecurID
authentication, or TACACS+ authentication to protect a console port from
unauthorized access. These methods of authentication require a user to
enter a valid username/password combination to access the console port.

Setting Up Local Authentication

Under LOCAL authentication, a username/password combination is validated
against the local security database. LOCAL authentication is enabled by
default on console ports. (Other authentication options on console ports
are NONE, RADIUS, TACACS+, and SecurID. NONE removes the
username/password check from the port entirely and should not be used on
a port that reaches a network element’s console.)

You can enable LOCAL authentication on a console port by doing the
following:

1. Access the Asynchronous Command Mode for the asynchronous port that
you want to configure. (Refer to “Asynchronous Command Mode” on page 19
for information on accessing the Asynchronous Command Mode.)

2. Execute the following command to enable LOCAL authentication on the
port:

Async 5-5:0 >>authentication outbound local enable

Setting Up RADIUS Authentication

Under RADIUS authentication, a username/password combination is validated
against the RADIUS user and client database. The RADIUS security database
is stored on the RADIUS server for the LX unit. In order to use RADIUS
authentication on a port, you must have RADIUS set up for the LX unit.
Refer to “Setting Up RADIUS” on page 33 for information on setting up
RADIUS for the LX unit. RADIUS authentication is disabled by default on
console ports.

You can enable RADIUS authentication on a console port by doing the
following:

1. Access the Asynchronous Command Mode for the asynchronous port that
you want to configure. (Refer to “Asynchronous Command Mode” on page 19
for information on accessing the Asynchronous Command Mode.)
2. Execute the following command to enable RADIUS authentication on the
port:

Async 5-5:0 >>authentication outbound radius enable

NOTE: If RADIUS authentication is enabled, you may want to implement a
backup method (Fallback), which will be used if the RADIUS server is
unreachable. Fallback switches to Local Authentication when there is no
reply from the RADIUS server(s) after 3 attempts. For more information,
refer to “Setting Up Fallback” on page 57.

Setting Up TACACS+ Authentication

Under TACACS+ authentication, a username/password combination is
validated against the TACACS+ user and client database. The TACACS+
security database is stored on the TACACS+ server for the LX unit. In
order to use TACACS+ authentication on a port, you must have TACACS+ set
up for the LX unit. Refer to “Setting Up TACACS+” on page 38 for
information on setting up TACACS+ on the LX unit. TACACS+ authentication
is disabled by default on console ports.

You can enable TACACS+ authentication on a console port by doing the
following:

1. Access the Asynchronous Command Mode for the asynchronous port that
you want to configure. (Refer to “Asynchronous Command Mode” on page 19
for information on accessing the Asynchronous Command Mode.)
2. Execute the following command to enable TACACS+ authentication on the
port:

Async 5-5:0 >>authentication outbound tacacs+ enable

NOTE: If TACACS+ authentication is enabled, you may want to implement a
backup method (Fallback), which will be used if the TACACS+ server is
unreachable. Fallback switches to Local Authentication when there is no
reply from the TACACS+ server(s) after 3 attempts. For more information,
refer to “Setting Up Fallback” (below).

Setting Up SecurID Authentication

Under SecurID authentication, a username/password combination is
validated against the SecurID user and client database. The SecurID
security database is stored on the SecurID server for the LX unit. In
order to use SecurID authentication on a port, you must have SecurID set
up for the LX unit. Refer to “Setting Up SecurID” on page 43 for
information on setting up SecurID on the LX unit.

SecurID authentication is disabled by default on console ports.

You can enable SecurID authentication on a console port by doing the
following:

1. Access the Asynchronous Command Mode for the asynchronous port that
you want to configure. (Refer to “Asynchronous Command Mode” on page 19
for information on accessing the Asynchronous Command Mode.)
2. Execute the following command to enable SecurID authentication on the
port:

Async 5-5:0 >>authentication outbound securid enable

NOTE: If SecurID authentication is enabled, you may want to implement a
backup method (Fallback), which will be used if the SecurID server is
unreachable. Fallback switches to Local Authentication when there is no
reply from the SecurID server(s) after 3 attempts. For more information,
refer to “Setting Up Fallback” (below).

Setting Up Fallback

Fallback Authentication can be used as a mechanism for authenticating
users when the configured authentication method (i.e., RADIUS, TACACS+,
or SecurID) fails because the authentication server is unreachable. The
LX unit will make three attempts to log in the user via RADIUS, TACACS+,
or SecurID before it implements Fallback. After the third attempt at
logging in via the configured authentication method (RADIUS, TACACS+, or
SecurID), the username/password combination will be validated against the
LOCAL security database for the LX unit. When a user logs in via Fallback,
his or her username/password combination is validated against the LOCAL
security database for the LX unit.

RADIUS, TACACS+, or SecurID must be enabled on a port in order for
Fallback to function on the port. When all three methods (i.e., RADIUS,
TACACS+, and SecurID) are disabled on the port, Fallback is ignored by the
port.

Because Fallback lets anyone who can make the authentication server
unreachable (for example, by blocking its traffic) downgrade the port to
the local database, keep the local accounts that can reach console ports
to a minimum and give them strong passwords.
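The Fallback rule above, as an added example that is not LX firmware code: a Python model of the decision a console port makes, with a hypothetical remote_auth callback standing in for the RADIUS, TACACS+ or SecurID exchange and a small local database standing in for the LOCAL security database. The one assumption beyond the text is that an explicit reject from the server is final: Fallback is for an unreachable server, not for a wrong password, otherwise a user the server rejected could simply retry against the local database.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # the guide: three tries at the remote server before Fallback


def make_local_record(password):
    """Store a salted SHA-256 of the password, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def local_check(local_db, username, password):
    """Constant-time comparison against the local record, if one exists."""
    record = local_db.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest)


def authenticate(port, username, password, remote_auth, local_db):
    """Return (decision, reason, remote_attempts).

    port: dict with 'remote' (None, 'radius', 'tacacs+' or 'securid'),
          'local' (bool) and 'fallback' (bool), mirroring the port settings.
    remote_auth(method, username, password) -> 'accept' | 'reject' | 'timeout'
          (hypothetical callback; 'timeout' means no reply from the server).
    """
    method = port.get("remote")
    if method is None:
        # No remote method enabled on the port: Fallback is ignored.
        if port.get("local") and local_check(local_db, username, password):
            return ("accept", "local", 0)
        return ("deny", "local", 0)

    attempts = 0
    while attempts < MAX_ATTEMPTS:
        attempts += 1
        result = remote_auth(method, username, password)
        if result == "accept":
            return ("accept", method, attempts)
        if result == "reject":
            # A definite answer from the server: never degrade to local.
            return ("deny", method + " reject", attempts)
        # 'timeout': no reply, try again

    # Server unreachable after MAX_ATTEMPTS.
    if port.get("fallback"):
        if local_check(local_db, username, password):
            return ("accept", "fallback-local", attempts)
        return ("deny", "fallback-local", attempts)
    return ("deny", method + " unreachable", attempts)


# Constructed responders standing in for real servers.
def always_timeout(method, username, password):
    return "timeout"


def always_reject(method, username, password):
    return "reject"


def accept_mark_only(method, username, password):
    return "accept" if (username, password) == ("mark", "s3cret") else "reject"
```

Run it with a port dict such as {"remote": "radius", "local": False, "fallback": True} and the three responders to see the four outcomes the guide implies: accepted by the server, rejected by the server (no Fallback), unreachable with Fallback (local database decides), and unreachable without Fallback (denied).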

Do the following to enable Fallback on a port:

1. Access the Asynchronous Command Mode for the asynchronous port on
which you want to enable Fallback. (Refer to “Asynchronous Command Mode”
on page 19 for information on accessing the Asynchronous Command Mode.)
2. Execute the following command to enable Fallback authentication on the
port:

Async 5-5:0 >>authentication fallback enable

Creating Subscribers for Remote Console Management

In order for a subscriber to do remote console management, he/she must
have specific access rights. If RADIUS is the outbound authentication
method, configure a Service-type of Outbound-User for the subscriber on
the RADIUS server. If local authentication is used, do the following to
set up the necessary access rights for the subscriber:

1. Create, or access, the subscriber record of the subscriber that you
want to configure for console-port access. (Refer to “Subscriber Command
Mode” on page 21 for information on creating or accessing a subscriber
record.)
2. In the Subscriber Command Mode, specify one or more access methods for
the subscriber to use in connecting to the LX unit. For more information,
refer to “Specifying Access Methods” on page 59.
3. Execute the access console enable command to specify that the
subscriber will have console access to the LX unit; for example:

Subs_mark >>access console enable

4. Execute the access port command to specify the console ports that
the subscriber can access. In the following example, the access port
command specifies that the subscriber mark can log on to ports 2, 3, 5,
and 6:

Subs_mark >>access port 2 3 5 6

5. If you want to create a login password for the subscriber, execute the
password command; for example:

Subs_mark >>password

The following prompts are displayed:

Enter your NEW password :
Re-enter your NEW password:

6. Enter the new password at the Enter prompt, and re-enter it at the
Re-enter prompt. (This is the password that the subscriber will be
required to enter when he/she logs on to a console port.)
7. If you want the subscriber to create his or her own login password,
execute the password enable command; for example:

Subs_mark >>password enable

When the subscriber logs in to the LX unit for the first time, he/she will
be asked to enter, and confirm, his or her new password.

Specifying Access Methods

You can specify SSH, Telnet, or the Web (or any combination of SSH,
Telnet, and the Web) as the method(s) that the subscriber can use to
access LX asynchronous ports for remote console management. Because SSH
includes data encryption capabilities, it is recommended as the access
method for subscribers who will be sending sensitive data to the LX
asynchronous ports. Telnet carries the subscriber’s password, and every
keystroke of the console session behind it, in cleartext.

Specifying Telnet As an Access Method

1. Execute the access telnet enable command; for example:

Subs_mark >>access telnet enable

2. Execute the telnet mode command to set the Telnet Mode. In the
following example, the Telnet Mode is set to character:

Subs_mark >>telnet mode character

In the following example, the Telnet Mode is set to line:

Subs_mark >>telnet mode line

Specifying SSH As an Access Method

1. Execute the access ssh enable command; for example:

Subs_mark >>access ssh enable

2. Execute the ssh cipher command to specify the SSH encryption type
for the subscriber. In the following examples, the SSH encryption type is
set to Triple-DES, ANY, and BLOWFISH respectively:

Subs_mark >>ssh cipher triple-des
Subs_mark >>ssh cipher any
Subs_mark >>ssh cipher blowfish

Refer to the ssh cipher command in the LX-Series Commands Reference
Guide for more information on the Triple-DES, ANY, and BLOWFISH
encryption types. Both are 64-bit block ciphers that current SSH
implementations have deprecated, so keep SSH access to the LX on a
restricted management network whichever setting you choose.

Specifying the Web As an Access Method

Execute the access web enable command; for example:

Subs_mark >>access web enable

Chapter 3

System Administration

This chapter explains how to upgrade the software, as well as some basic
maintenance functions.

Backup and Recovery

This section explains how to save, edit, and load the configuration file.

Where the Configuration is Stored

All files related to the unit configuration are located in the directory
/config. This directory contains the SSH keys, Configuration, Menus, a
file to tell from where the configuration is to be taken (the
ConfToBootFrom file), and the zone information directory (time and date).

Saving the Configuration File

The configuration file (Config.prm) is saved in a format that is readable
in WordPad and the vi editor in UNIX. The Config.prm file is created when
you configure the LX unit. Because anyone can easily modify it, the file
is signed with a SHA digest. The digest lets the administrator know if a
modified file is being loaded: the LX issues an alert message when a file
that does not match the digest is loaded. This way the administrator
knows the file was modified and can take the appropriate action.

Note that SHA is a hash function, not encryption. An unkeyed digest
detects that the file differs from the one the LX wrote, which catches
accidental or unnoticed changes, but anyone who can edit the file can
also recompute the digest, so the check is not a defense against a
deliberate attacker who controls the file or the path it travels over.

After the Config.prm file has been created on one unit, it can be copied
to other units. When the Config.prm file resides on a new unit, you can
copy its contents as appropriate for the new unit. For example, you can
change the IP settings (i.e., IP Address, Subnet Mask, etc.) to the IP
settings of the new unit. All other settings will be imported when the LX
unit is rebooted.
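The integrity check above, as an added illustration that is not the LX’s own digest code (the guide does not say which SHA variant it uses or where the digest is kept): a Python comparison of an unkeyed SHA-1 digest over a constructed Config.prm-style fragment with an HMAC over the same bytes. It shows that the digest catches an edit as long as the old digest is kept, that an attacker who can edit the file can simply recompute it, and that a keyed tag resists recomputation unless the key also leaks.

```python
import hashlib
import hmac

# Constructed fragment in the spirit of Config.prm; not the real file layout.
SAMPLE_CONFIG = (
    b"tacacs+ primary authentication server address 149.19.87.89\n"
    b"tacacs+ primary authentication server secret Goitji\n"
    b"subscriber mark access console enable\n"
    b"subscriber mark access port 2 3 5 6\n"
)


def sha_digest(config):
    """Unkeyed digest, the kind of check the guide describes. Anyone who can
    write the file can also write a matching digest."""
    return hashlib.sha1(config).hexdigest()


def digest_matches(config, tag):
    return hmac.compare_digest(sha_digest(config), tag)


def keyed_tag(config, key):
    """HMAC-SHA256: only a holder of key can produce a valid tag."""
    return hmac.new(key, config, hashlib.sha256).hexdigest()


def keyed_tag_matches(config, tag, key):
    return hmac.compare_digest(keyed_tag(config, key), tag)


def tamper(config):
    """Point the unit at a different TACACS+ server: a one-octet edit."""
    return config.replace(b"149.19.87.89", b"149.19.87.90")


def scenario(unit_key=b"unit-secret", attacker_key=b"guess"):
    """Run the cases and return what each check reports."""
    original_tag = sha_digest(SAMPLE_CONFIG)
    modified = tamper(SAMPLE_CONFIG)
    # Case 1: file edited, digest left alone -> the edit is detected.
    stale_digest_detects = not digest_matches(modified, original_tag)
    # Case 2: attacker recomputes the unkeyed digest -> the check passes.
    recomputed_digest_passes = digest_matches(modified, sha_digest(modified))
    # Case 3: keyed tag; attacker lacks the unit's key -> forgery detected.
    forged = keyed_tag(modified, attacker_key)
    hmac_detects_forgery = not keyed_tag_matches(modified, forged, unit_key)
    # Control: the genuine key still verifies the genuine file.
    hmac_accepts_genuine = keyed_tag_matches(
        SAMPLE_CONFIG, keyed_tag(SAMPLE_CONFIG, unit_key), unit_key)
    return {
        "stale_digest_detects": stale_digest_detects,
        "recomputed_digest_passes": recomputed_digest_passes,
        "hmac_detects_forgery": hmac_detects_forgery,
        "hmac_accepts_genuine": hmac_accepts_genuine,
    }
```

The practical consequence for the procedures that follow: the LX’s alert will fire on a file you edited on a workstation, which is expected, but the absence of an alert is not a reason to trust a Config.prm that arrived over an unauthenticated path such as TFTP.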

Saving the Configuration Into the Flash

To save the configuration into the flash, execute the save configuration
flash command in the Superuser command mode; for example:

InReach:0 >>save configuration flash

Saving the Configuration to the Network

The TFTP protocol is used to save the LX configuration to a network host.
The configuration format differs slightly from that described in “How
the Configuration is Organized.” The .zip file contains everything
previously described except for the SSH keys, since they belong to the
unit itself and cannot be used on a different unit. Since the format is a
.zip file, it is usable by WinZip or UNIX Unzip.

Windows-based workstations will automatically create the .zip file once
the LX unit attempts the TFTP put process. Consequently, if you are saving
to a UNIX host, a configuration file must already exist on the TFTP
server. Use the touch command to create the configuration file as a .zip
file.

Use the following command to save the configuration to the network:

save configuration network filename tftp_server_address

NOTE: The filename that you specify in the save configuration network
command must not include a .zip extension.

NOTE: TFTP transfers the archive in cleartext with no authentication,
and the archive holds the RADIUS, TACACS+, and SecurID settings from
this guide, including any configured shared secrets. Restrict the TFTP
server to a management network and remove the file from it once you have
retrieved the copy you need.

Editing the Files on a Unix Host

You can edit the Config.prm file so that you can bring multiple units
online at one time. To edit the files:

1. Open the .zip file into the directory by entering the following
command:

unzip filename.zip

The Config.prm file appears. If you have configured menus, the Menu file
also appears.

2. Open the Config.prm file with any text editor (e.g., vi or emacs).

3. Select and copy the section of the Config.prm file that you want to modify:

• Users that have access to all new LX units
• PPP configurations
• Broadcast Groups
• Interface configurations
• RADIUS, SecurID, or TACACS+ configurations
• Specific Async Port configurations

4. If you are adding a new user to the Config.prm file, copy an existing user, paste it into the section directly below the last user, and make the necessary modifications to the copy.

5. Follow the same steps for any other changes you make to the Config.prm file.

Editing the Files in Windows
You can edit the Config.prm file so that you can bring multiple units online at one time. To edit the files:

1. Open the .zip file into the directory using winzip. The Config.prm file appears. If you have configured menus, the Menu file also appears.

2. Open the Config.prm file with the WordPad editor.

3. Select and copy the section of the Config.prm file that you want to modify:

• Users that have access to all new LX units
• PPP configurations

• Broadcast Groups
• Interface configurations
• RADIUS, SecurID, or TACACS+ configurations
• Specific Async Port configurations

4. If you are adding a new user to the Config.prm file, copy an existing user, paste it into the section directly below the last user, and make the necessary modifications to the copy.

5. Follow the same steps for any other changes you make to the Config.prm file.

Recreating the Zip File in Order to Upload It Onto the LX
NOTE: To perform this procedure, you must be in the directory in which the files to be zipped reside.

1. To recreate the zip file, type the following command in UNIX:

zip -o filename.zip file1 file2 file3

where filename.zip (you can name this whatever you want) is the archive you are writing the files to, and file1, file2, and file3 are the files you are adding to the archive.

2. In Windows, select the files you want to add to the zip file by clicking on them while holding down the Ctrl key.

3. Right click on the selected files and select Add to Zip.

Loading the Configuration
At the Config prompt, load the configuration as follows:

Config:0:>>boot configuration from network tftp_server_address filename
Config:0:>>end
InReach:0:>>save configuration flash
InReach:0:>>reload

After the LX has reloaded, check the system status screen to make sure that the LX loaded from the proper place. Enter the following command:

InReach:0:>>show system status

Applying Default Configurations to Other Units
This section explains how to create a default configuration file with which you can load multiple units.

Creating a Default Configuration File
After your first LX unit is up and running, you can save the unit configuration to the network. For further information, refer to “Saving the Configuration to the Network” on page 62. Once this is complete, you can use this .prm file as a template to configure multiple units at one time by changing the last six digits of the mac address to reflect that of the specific unit. You must rename this .zip file to lx followed by the last six digits of the mac address, with the extension .prm (e.g., lx12ab9f.prm).

Restoring the Default Configuration File to a New Unit
The unit looks on the TFTP server specified in ppciboot. If the configuration is defaulted, it is detected at startup and the unit checks that a TFTP server was passed by ppciboot. If a TFTP server is accessible, the LX unit connects to it and tries to download a default file named lx followed by the last six digits of the mac address, with the extension .prm (e.g., lx12ab9f.prm). If this file exists, the LX unit loads it into its configuration table. If the default file does not exist, the Quick Start menu is displayed.

Scripting On External Units
The LX unit supports Expect scripting. Expect is a common, simple, command line scripting language. You can use it to write simple scripts to automate interactive applications. For example, you can write an Expect script that can automatically log you in, set up the configuration for any port, modify the IP configuration, make the LX unit dial out, establish a PPP configuration to a remote site, etc. For information on the LX commands, refer to the LX-Series Commands Reference Guide.

How to Upgrade the Software
You can upgrade the software and enter the IP information on your LX unit via two methods, depending upon your specific needs:

• To upgrade software via the Command Line Interface, refer to “Upgrading Software with the Command Line Interface” for further instructions.

• To upgrade software via the ppciboot Menu, refer to “Upgrading Software with the ppciboot Main Menu” and “Using the IP Configuration Menu” for further instructions.

Upgrading Software and ppciboot with the Command Line Interface
NOTE: The default filename for the software is linuxito.img. The ppciboot filename is ppciboot.img.

Make sure you have a TFTP server up and running, containing the software image and the ppciboot image.

NOTE: In superuser mode a check is performed to determine how much space is available before updating the software or ppciboot. Eight MB must be available to update software. One MB must be available to update ppciboot.

To download the ppciboot from the command line interface (you must be in superuser mode), do the following:

1. Type the following and press <Enter>:

InReach:0>>update ppciboot tftp_server_ip_address/name

NOTE: If the LX unit has a TFTP server address configured, you do not need to include the TFTP server IP Address or the TFTP server name in the update ppciboot command. By default, the software stores in memory the IP address of the TFTP server from which it has booted. If this occurs, this argument becomes optional.

The “TFTP Download complete, verifying file integrity” message appears. The loaded file is checked for integrity. If the check is successful, the “File OK, copying boot image to flash” message appears (if the check finds a problem, the “Verify failed, Bad ppciboot file” message appears). You have upgraded ppciboot. You must reboot the unit for the new ppciboot to take effect. Now you must upgrade the software.

2. Type the following and press <Enter>:

InReach:0>>update software tftp_server_ip_address/name

3. Type the following and press <Enter> to save your configuration locally:

InReach:0>>save config flash

This stores the parameters.

4. Type the following and press <Enter> to reboot the unit:

InReach:0>>reload

When the reload is complete, log in again. The new software is activated.

NOTE: You can load a default configuration file from a TFTP server while the unit is at its default setting.

ppciboot Factory Default Settings
Each LX Series unit is configured at the factory to use a default set of initialization parameters that sets all ports to operate with asynchronous ASCII terminal devices. The following table lists the factory default settings.

Main Menu Configuration              Factory Default Setting
Boot from Network                    yes
Save boot image to flash             no
Boot from flash                      yes
Time Out, in seconds                 8

IP Configuration Menu Configuration  Factory Default Setting
IP Assignment method #1              DHCP
IP Assignment method #2              BOOTP
IP Assignment method #3              RARP
IP Assignment method #4              User Defined

NOTE: For defaults on specific commands, refer to the LX-Series Commands Reference Guide.

Upgrading Software with the ppciboot Main Menu
NOTE: At boot, the DIAG port (port 0) is used to configure the loading method (network or flash) of the Software image, ppciboot image, and the IP address assignment preferences.

This section explains how to use the ppciboot Main menu to set up the boot configuration. Use it as a reference for how to use specific menu entries. When you set ppciboot parameters, the software is not loaded on the unit yet. Use the ppciboot menu to set load parameters that allow you to get up and running.

You can access the ppciboot commands through the DIAG port (port 0), the graphic user interface (GUI), or in the Configuration Command Mode of the CLI. To access the menu, you need only connect a terminal using a console port cable to the DIAG port (port 0) and press <Enter> one or two times. The Main Menu appears:

Welcome to In-Reach ppciboot Version x.x
Main Menu
[1] Boot from network: yes
[2] Save software image to flash: no
[3] Boot from flash: yes
[4] Time Out, in seconds (0=disabled): 8
[5] IP Configuration Menu
[6] Update ppciboot Firmware
[7] Ethernet Network Link
[*] Reset to System Defaults
[S] Save Configuration
[B] Boot System
Make a choice: __

If you want to accept the defaults, press B or wait eight seconds.

At the "Make a choice" prompt of the Main Menu, type the number corresponding to the configuration action you want to perform. The sections that follow describe each option in detail.

Booting from the Network
The Boot from network option lets you boot your software image file from the network. To boot from the network, choose yes. To boot from the network:

1. Press 1 to toggle between yes and no.

2. Press B to Boot the system. Do this only after you have configured the ppciboot options and saved the configuration.

NOTE: MRV recommends that you leave Boot from flash on if you are booting from the network. By doing so, you provide a fallback method of booting in the event the network becomes unreachable.

Saving the Boot Image to Flash
The Saving the software image to Flash option lets you save the software image from the network to flash. To save the software image to flash, choose yes. To save the software image to flash:

1. Press 2 to toggle between yes and no.

2. Press B to Boot the system. Do this only after you have configured the LX and saved the configuration.

Booting from Flash
The Booting from Flash option lets you boot your software image from the flash. To boot from flash, choose yes. To boot from the flash:

1. Press 3 to toggle between yes and no.

2. Press B to Boot the system. Do this only after you have made all configuration changes to the LX and saved the configuration. Booting the system can take five or more minutes.

Setting the Timeout in Seconds
The Time Out, in seconds option lets you set the amount of time the system waits for you to press Boot before booting automatically. To set the timeout (the default is eight seconds):

1. Press the number 4 (Time Out, in seconds). An Enter Time Out prompt appears.

2. Add a time in seconds and press <Enter>. (Note: Entering 0 will disable the timeout. You should not enter 0, and thus disable the timeout, for remotely located units.)

3. Press S to save the configuration.

4. Press B to boot the system.

IP Configuration Menu
The IP Configuration Menu option lets you change addresses and settings if you do not want to accept the defaults. Refer to the “Using the IP Configuration Menu” section for details.

Updating the ppciboot Firmware
NOTE: Updating ppciboot firmware from the Main menu works only if you have already set up an ip address, ip mask, and TFTP server.

The Update ppciboot Firmware option lets you update the firmware via the Main Menu. To update ppciboot firmware:

1. Press the number 6 (Update ppciboot Firmware).

2. The ppciboot firmware begins loading from the TFTP server.

3. A verification check of the firmware is performed. If the firmware loads successfully (taking only a few seconds), the Main menu reappears. If an error message appears, the ppciboot image may be corrupt.

4. Press S to save the configuration.

Setting the Speed and Duplex Mode of the Ethernet Network Link
The Ethernet Network Link option lets you set the speed and duplex mode of the Ethernet Network Link. To set the speed or duplex mode of your Ethernet Network Link:

1. Press the number 7 (Ethernet Network Link). The following speed/duplex options are displayed:

Auto
100 half - for 100TX half duplex
100 full - for 100TX full duplex
10 half - for 10TX half duplex
10 full - for 10TX full duplex

2. Select one of the speed/duplex options from the above display.

3. Press S to save the configuration.

Resetting to System Defaults
The Reset to System Defaults option lets you reset the unit to system defaults. To reset to the system defaults:

1. Press the asterisk (*) (Reset to System Defaults). The following options appear:

[1] Reset ppciboot Configuration
[2] Reset Linux System Configuration

2. Select 1 or 2. If you select [1] Reset ppciboot Configuration, the command sets the ppciboot configuration to system defaults, but it does not save the configuration to flash. If you select [2] Reset Linux System Configuration, you are prompted for the password, which is access. If you enter the password, the command erases all of the configurations you have saved, except for the ppciboot configuration. Refer to “Booting from Defaults” on page 76 for further information on defaulting from ppciboot and defaulting from the CLI.

3. Press B to Boot the system. Do this only after you have configured the ppciboot options and saved the configuration.

Saving the Configuration
The Saving Configuration option lets you save the ppciboot configuration. When you are finished configuring the Main menu, press S to save the configuration.

Booting the System
The Boot System option lets you boot the system. Press B to boot the system. Do this only after you have configured all necessary ppciboot options and saved the configuration. Be sure to save the configuration and choose a boot method before you boot the system.

Using the IP Configuration Menu
The IP Configuration Menu option lets you change addresses and settings if you do not want to accept the defaults. To configure the IP settings:

1. At the Main menu, enter 5 to open the IP Configuration menu.

Welcome to In-Reach ppciboot Version x.x
IP Configuration Menu
[1] IP Assignment method #1: DHCP
[2] IP Assignment method #2: BOOTP
[3] IP Assignment method #3: RARP
[4] IP Assignment method #4: User Defined
[5] Unit IP Address:
[6] Network mask:
[7] Gateway:
[8] TFTP Server IP Address:
[S] Save Configuration
[R] Return to Main menu
Make a choice:

2. Choose the number of the field you want to change. See the following sections for specific details.

Choosing an IP Assignment Method
The IP Assignment Method option lets you set the method by which you want to assign IPs. To configure an IP Assignment method:

1. Select the IP Assignment method you want to change.

2. Press 1, 2, 3, or 4 to see the options for IP Assignment method #1-4, and toggle the options (DHCP, BOOTP, RARP, User Defined, and None) by repeatedly pressing the option number. When you reach the option you want, stop toggling the options for that IP Assignment method and go on to press the numbers corresponding (2 for IP Assignment method #2, etc.) to the other IP Assignment methods and make the changes you want in the same way. If you are finished configuring the IP settings, press S to save the configuration.

3. Press R to return to the Main Menu.

NOTE: If any of the four IP Assignment methods are set to “User Defined”, you will need to complete additional configuration.

Changing the Unit IP Address
The Unit IP Address option lets you change the unit IP address (this applies only to the user-defined IP method). To change an IP Address:

1. Press the number 5 (Unit IP Address). A Unit IP Address prompt appears.

2. Type the new address and press <Enter>. The IP Configuration menu reappears. If you are finished configuring the IP settings, press S to save the configuration.

3. Press R to return to the Main Menu.

Changing the Network Mask
The Network Mask option lets you change the Network Mask (this applies only to the user-defined IP method). To change a Network Mask:

1. Press the number 6 (Network Mask). A Network Mask prompt appears.

2. Type the new network mask and press <Enter>. The IP Configuration menu reappears. If you are finished configuring the IP settings, press S to save the configuration.

3. Press R to return to the Main Menu.

Changing the Gateway Address
The Gateway option lets you change the Gateway address (this applies only to the user-defined IP method). To change a Gateway address:

1. Press the number 7 (Gateway). A Gateway prompt appears.

2. Type the new Gateway address and press <Enter>. The IP Configuration menu reappears. If you are finished configuring the IP settings, press S to save the configuration.

3. Press R to return to the Main Menu.

Changing the TFTP Server IP Address
The TFTP Server IP Address option lets you change the TFTP Server IP address (the address from where you load the boot image). This applies only to the user-defined IP method. To change the TFTP Server IP address:

1. Press the number 8 (TFTP Server IP address). A TFTP Server IP address prompt appears.

2. Type the new TFTP Server IP address and press <Enter>. The IP Configuration menu reappears. If you are finished configuring the IP settings, press S to save the configuration.

3. Press R to return to the Main Menu.


Saving the Configuration
The Saving Configuration option lets you save the ppciboot
configuration. To save the configuration:

1. When you are finished configuring using the IP Configuration menu,
press S to save the configuration.

2. Press R to return to the Main Menu.

NOTE: The IP Assignment method #1-4 has precedence over user
defined assignment, but the user defined settings are used as soon
as the User Defined method comes up.

Booting from Defaults
The first time you boot a unit takes longer because the system computes
the server and client SSH keys. The process takes a few minutes. The keys
are saved into the flash.

You can default the configuration in two ways:

• From the Main Menu.

• From the Command Line Interface.

Depending on where you default the configuration from, the effect is not
the same.

Defaulting from CLI
When you default from the CLI, only the configuration (Config.prm) is
erased. The SSH keys are preserved. To default from the CLI, enter the
default configuration command in the Configuration command
mode.

Defaulting from the Main Menu
When you default from the Main Menu, the entire configuration, including
the SSH keys, is erased. The next reboot must take the extra time needed
to recompute the SSH keys.



1. Choose the (*) Reset to System Defaults option from the ppciboot menu.

2. Choose [2] Reset Linux System Configuration. The following
display appears:

[2] Reset Linux system configuration
WARNING: This will erase all configuration data in
the system. Do not use unless the configuration is
unusable.

3. Enter the password, which is access. The Main Menu appears.

4. Press B to boot the unit. Various lines of data are displayed on the screen
while the default ppciboot loads. This may take a few minutes.

NOTE: This display is generated by the operational software. The system
must be booted before this occurs.

The default from ppciboot completes.

Acquiring the IP Configuration
The LX software gets its IP configuration from ppciboot or from the
configuration. If the configuration is not loaded yet, the LX unit uses the
IP configuration from ppciboot. Once the configuration file is found and
loaded, the IP is modified according to the configuration. Therefore, if the
configuration is already set, it always overrules the ppciboot configuration.

You can use two commands to display interface information. The show
interface 1 status command displays the actual setting of the
interface. The show interface 1 characteristics command displays
the configuration for the interface. Refer to the LX-Series Commands
Reference Guide for details on how to use these commands.


Chapter 4 Setting Up the Notification Feature
The Notification Feature is used to send syslog messages of LX system events to pagers, cell phones, email addresses, SNMP trap clients, outbound asynchronous ports, and local or remote syslogd files.

Overview of the Notification Feature
The Notification Feature uses the syslog daemon (syslogd) to generate event messages. Event Messages can be generated for events that occur in any of the Linux facilities listed in Table 5. The event messages that are sent to any given destination can be filtered according to the facility and priority (severity level) of the message. For example, a destination could be configured to receive only those messages that originate in a daemon and have a priority of crit.

Table 5 - Sources of Event Messages

Facility    Description
all         Generate messages for all system events.
daemon      A system daemon, such as in.ftpd.
kern        The Linux kernel.
syslog      The syslog daemon (syslogd).
user        User processes. This is the default facility.
authpriv    The Superuser authentication process.

Table 6 lists the priorities that can be specified as filters for the Notification Feature.

Table 6 - Supported Priorities

Priority     Description
none         No messages will be logged. This setting effectively disables syslog for this User Profile.
info         Normal, informational messages. This is the default priority.
notice       Conditions that are not errors, but which might require specific procedures to adjust them.
sigsnotice   Indicates a state transition of the serial input signals CTS or DCD/DSR. Note: When this priority is specified, the facility for the User Profile must be set to kern. To set the facility for a User Profile to kern, refer to the userprofile facility command in the LX-Series Commands Reference Guide.
warning      A warning message.
err          A software error condition.
crit         A critical condition, such as a hard device error.
alert        A condition that the system administrator needs to correct immediately, such as a corrupted system database.
emerg        A severe condition. This is the kind of condition that can immediately affect the users’ ability to work on the LX.
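The facility and priority filtering described in this overview (for example, a destination that receives only daemon messages of priority crit) is shown below as an added example; it is not the LX unit's code. It assumes RFC 3164 style syslog lines and the usual syslog.conf semantics (a priority filter passes that severity and anything more severe; facility all passes everything; priority none disables the destination); the LX-specific sigsnotice priority has no RFC 3164 code and is left out.

```python
"""Facility/priority filtering in the style of the LX Notification Feature.

Added example; not MRV's code. It decodes RFC 3164 style syslog lines
(<PRI>..., PRI = facility*8 + severity) and applies User Profile style
filters. Assumed semantics, as in standard syslog.conf: a priority filter
passes that severity and anything more severe; facility 'all' passes every
facility; priority 'none' disables the destination. The LX-specific
sigsnotice priority has no RFC 3164 code and is not modelled here.
"""
import re

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11}
# Severity codes: the lower the number, the more severe the condition.
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
PRIORITY_NAMES = {v: k for k, v in PRIORITIES.items()}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line):
    """Return (facility, priority, message) for one '<PRI>message' line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line)
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    fac_code, sev_code = divmod(pri, 8)
    return FACILITY_NAMES.get(fac_code, "unknown"), PRIORITY_NAMES[sev_code], m.group(2)


class UserProfile:
    """One destination's facility/priority filter (mirrors the LX User Profile)."""

    def __init__(self, name, facility="user", priority="info"):
        if facility != "all" and facility not in FACILITIES:
            raise ValueError("unknown facility %r" % facility)
        if priority != "none" and priority not in PRIORITIES:
            raise ValueError("unknown priority %r" % priority)
        self.name, self.facility, self.priority = name, facility, priority

    def matches(self, facility, priority):
        if self.priority == "none":
            return False                       # syslog disabled for this profile
        if self.facility != "all" and facility != self.facility:
            return False
        return PRIORITIES[priority] <= PRIORITIES[self.priority]


def route(lines, profiles):
    """Return {profile name: [messages]} that each profile's destination would get."""
    delivered = {p.name: [] for p in profiles}
    for line in lines:
        fac, sev, msg = decode_pri(line)
        for p in profiles:
            if p.matches(fac, sev):
                delivered[p.name].append(msg)
    return delivered


# Constructed sample lines, not captured from a real LX unit.
SAMPLE = [
    "<26>Jan  1 00:00:01 lx12ab9f in.ftpd[201]: disk full",                 # daemon.crit
    "<30>Jan  1 00:00:02 lx12ab9f in.ftpd[201]: connection from 10.1.1.7",  # daemon.info
    "<2>Jan  1 00:00:03 lx12ab9f kernel: hard device error on port 3",      # kern.crit
    "<12>Jan  1 00:00:04 lx12ab9f user: low on buffer space",               # user.warning
    "<81>Jan  1 00:00:05 lx12ab9f su: superuser authentication failed",     # authpriv.alert
]

PROFILES = [
    UserProfile("pager", facility="daemon", priority="crit"),    # the overview's example
    UserProfile("console", facility="all", priority="warning"),
    UserProfile("disabled", facility="user", priority="none"),
]

if __name__ == "__main__":
    for name, msgs in route(SAMPLE, PROFILES).items():
        print("%-9s %d message(s)" % (name, len(msgs)))
        for m in msgs:
            print("          ", m)
```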

Configuring the Notification Feature
In order to use the Notification Feature, you must do the following:

• Create a Service Profile, as described in “Creating Service Profiles” on page 82. A Service Profile defines a method for sending event messages to a destination. This method is typically a protocol (e.g., SMTP) or an on-board feature (e.g., outbound asynchronous ports). For most event notification processes, the Service Profile also defines the destination to which event messages will be sent.

• Create a User Profile. A User Profile specifies a facility/priority filter for a destination. A User Profile also specifies the destinations (i.e., addresses and telephone numbers) for event notification processes that send event messages by email, cell phones, and pagers. For more information on User Profiles, refer to “Overview of User Profiles” on page 88.

Service Profiles
A Service Profile must be created for each desired method of sending event messages to a destination. For example, to send event messages to pagers via the Telocator Alphanumeric Protocol (TAP), a Service Profile of the TAP type must first be created. A Service Profile must be fully configured before a User Profile can be associated with it.

You can create more than one Service Profile for each method of sending event messages. For example, you can create several Service Profiles of the TAP type, with each Service Profile specifying a different Short Message Service Center (SMSC) for sending messages. For more information, refer to “Creating Service Profiles” on page 82.

In the Notification Command Mode, you can create Service Profiles of the following types:

• SNPP – Used to send event messages to pagers with the Simple Network Pager Protocol (SNPP) (see “Configuring SNPP Service Profiles” on page 84).

• WEB – Used to send event messages to pagers or cell phones via a Web Driver (see “Configuring WEB Service Profiles” on page 86).

• TAP – Used to send event messages to pagers via TAP (see “Configuring TAP Service Profiles” on page 84).

• SMTP – Used to send event messages to email addresses (see “Configuring SMTP Service Profiles” on page 87).

• LOCALSYSLOG – Used to send event messages to a local file on the LX unit (see “Configuring LOCALSYSLOG Service Profiles” on page 83).

• REMOTESYSLOG – Used to send event messages to syslogd on a remote host (see “Configuring REMOTESYSLOG Service Profiles” on page 86).

• ASYNC – Used to send event messages to outbound asynchronous ports on the LX unit (see “Configuring ASYNC Service Profiles” on page 85). Under this method, syslog messages will be sent out the specified asynchronous port(s) as they occur. Users can receive the event messages by logging in to the outbound asynchronous port.

• SNMP – Used to send event messages to SNMP trap clients (see “Creating Service Profiles” on page 82).

Creating Service Profiles
To create a Service Profile, do the following:

1. Access the Notification Command Mode. (Refer to “Notification Command Mode” on page 23 for information on accessing the Notification Command Mode.)

2. Use the serviceprofile protocol command to create a Service Profile. For example, the following command creates a Service Profile called Skytel, using the SNPP protocol:

Notification:0 >>serviceprofile Skytel protocol snpp

You can use the serviceprofile protocol command to create a Service Profile of any of the following types: SNPP, WEB, TAP, LOCALSYSLOG, REMOTESYSLOG, ASYNC, SNMP, or SMTP.

3. Configure the Service Profile. This step will vary, depending on the type of the Service Profile. For more information, refer to the following sections:

• “Configuring LOCALSYSLOG Service Profiles” on page 83
• “Configuring SNPP Service Profiles” on page 84
• “Configuring TAP Service Profiles” on page 84
• “Configuring ASYNC Service Profiles” on page 85
• “Configuring REMOTESYSLOG Service Profiles” on page 86
• “Configuring WEB Service Profiles” on page 86
• “Configuring SMTP Service Profiles” on page 87

NOTE: SNMP Service Profiles do not require any configuration after they are created with the serviceprofile protocol command. However, in order for an SNMP trap client to receive event messages from an LX unit, it must be a Version 1 trap client with a community name of public. For more information, refer to the trap client version command, and the trap client community command, in the LX-Series Commands Reference Guide.

Configuring LOCALSYSLOG Service Profiles
After you have created a LOCALSYSLOG Service Profile, you can use the serviceprofile file command to specify the local file to which the event messages will be sent, for example:

Notification:0 >>serviceprofile local file Build5

The local syslog writes event messages to the default directory /var/log. To read the contents of the file, go to /var/log/<filename> in the shell. For example, you would go to /var/log/Build5 to read the contents of the local file specified in the above serviceprofile file command.

You can create User Profiles to filter, by facility and priority, the event messages that will be sent to the local file. For more information, refer to “Creating a User Profile” on page 88.

Configuring SNPP Service Profiles
After you have created an SNPP Service Profile, you can configure it by doing the following:

1. Use the serviceprofile server command to specify the SNPP server to which syslogd will send the log messages, for example:

Notification:0 >>serviceprofile Skytel server snpp.Skytel.com

NOTE: If you specify a symbolic name (e.g., snpp.Skytel.com) as the SNPP server, you must have a primary DNS server, and a domain name suffix, configured for the LX unit. For more information, refer to the primary dns command, and the domain name command, in the LX-Series Commands Reference Guide.

(The pager messages will be forwarded to the user by the service provider’s server.) The service provider’s server can be specified as an IP Address or as any symbolic name that can be resolved by DNS.

2. Use the serviceprofile port command to specify the LX TCP port that will be used to send messages to the SNPP server, for example:

Notification:0 >>serviceprofile Skytel port 7777

In order to send messages to a pager, you must create a User Profile that specifies the pager pin number as its contact field. For more information, refer to “Creating a User Profile” on page 88.

Configuring TAP Service Profiles
After you have created a TAP Service Profile, you can configure it by doing the following:

1. Use the serviceprofile smsc command to specify the SMSC that will be used to send the event messages to the pager, for example:

Notification:0 >>serviceprofile verizon smsc 18668230501

2. Use the serviceprofile parity command to specify the bit parity setting for the Service Profile, for example:

Notification:0 >>serviceprofile verizon parity even

3. Use the serviceprofile bits command to specify the bits-per-byte setting for the Service Profile, for example:

Notification:0 >>serviceprofile verizon bits 7

4. Use the serviceprofile stopbits command to specify the stop bits setting for the Service Profile, for example:

Notification:0 >>serviceprofile verizon stopbits 2

NOTE: The bits-per-byte setting, and the stop bits setting, that you specify for a Service Profile must match the bits-per-byte setting of any modem port specified in a User Profile based on this Service Profile. Refer to “Creating a User Profile” on page 88 for more information on specifying a modem port for a User Profile.

In order to send event messages to a pager or cell phone via TAP, you must create a User Profile that specifies the cell phone number to which event messages will be sent, as well as the LX modem port that will be used to send the event messages to the SMSC. For more information, refer to “Creating a User Profile” on page 88.

Configuring ASYNC Service Profiles
After you have created an ASYNC Service Profile, you can use the serviceprofile async port command to specify the outbound asynchronous ports to which event messages will be sent, for example:

Notification:0 >>serviceprofile serialport async port 5 7

You can create User Profiles to filter, by facility and priority, the event messages that will be sent to the outbound asynchronous ports. For more information, refer to “Creating a User Profile” on page 88.

Configuring REMOTESYSLOG Service Profiles
After you have created a REMOTESYSLOG Service Profile, you can use the serviceprofile host command to specify the remote UNIX host to which the event messages will be sent, for example:

Notification:0 >>serviceprofile syslogvenus host 10.170.179.253

Do the following on the UNIX host that you specify in the serviceprofile host command:

1. Edit the file /etc/syslog.conf and add the following entry for user.warning:

user.warning /tftpboot/test/user.log

2. Create an empty log file as follows:

#touch /tftpboot/test/user.log
#chmod 777 /tftpboot/test/user.log

3. Restart the syslog daemon to make changes to the syslog.conf file take effect:

# ps -ef|grep syslog
# kill -HUP pid#

You can create User Profiles to filter, by facility and priority, the event messages that will be sent to the remote host. For more information, refer to “Creating a User Profile” on page 88.

Configuring WEB Service Profiles
After you have created a WEB Service Profile, you can use the serviceprofile driver command to specify the web driver that will be used to send the event messages to the pager or cell phone, for example:

Notification:0 >>serviceprofile freds driver VERIZON_WEB

The supported web drivers are ATT_WEB, CELLNET_WEB, CINGULAR_WEB, ORANGE_WEB, PAGENET_WEB, PROXIMUS_WEB, and VERIZON_WEB.

In order to send event messages to a pager or cell phone via a Web Driver, you must create a User Profile that specifies the pager number or cell phone number as its contact field. For more information, refer to “Creating a User Profile” on page 88.

NOTE: You must set the date and time for the LX unit, or some wireless providers will reject event messages that are sent from it. To set the date and time for the LX unit, refer to the date command and the clock command in the LX-Series Commands Reference Guide.

Configuring SMTP Service Profiles

After you have created an SMTP Service Profile, you can use the serviceprofile server command to specify the SMTP server to which syslogd will send the log messages. (The messages will be forwarded by the server to a specific email address.) The server can be specified as an IP Address or as any symbolic name that can be resolved by DNS, for example:

Notification:0 >>serviceprofile mrvemail server 10.179.176.21

NOTE: If you specify a symbolic name (e.g., mrv.com) as the SMTP server, you must have a DNS server configured for the LX unit. (In addition, the LX unit will need to have a fully qualified domain name suffix.) Refer to the primary dns command in the LX-Series Commands Reference Guide for more information on configuring a DNS server for the LX unit.

In order to send messages to an email address, you must create a User Profile that specifies the email address as its contact field. For more information, refer to “Creating a User Profile” on page 88.

Overview of User Profiles

A User Profile filters event messages by the type (facility) and severity level (priority) of the event message. A User Profile also specifies the destinations (i.e., addresses and telephone numbers) for event notification processes that send event messages by email, pager, cell phone, etc. The LX unit supports a maximum of 20 User Profiles.

Creating a User Profile

Do the following to create a User Profile:

1. Access the Notification Command Mode. (Refer to “Notification Command Mode” on page 23 for information on accessing the Notification Command Mode.)

2. Use the userprofile serviceprofile command to create a User Profile and link it to a Service Profile, for example:

Notification:0 >>userprofile adminscell serviceprofile verizon

In the above example, the User Profile adminscell is created, and linked to, the Service Profile verizon.

NOTE: You must create, and link, a User Profile to an existing Service Profile.

3. If the User Profile is for a Service Profile of the SNPP, TAP, SMTP, or WEB type, you must use the userprofile contact command to specify the contact field for the User Profile, for example:

Notification:0 >>userprofile adminscell contact 9785552222

The contact field specifies the destination (e.g., cell phones, pagers, etc.) for User Profiles that are created for Service Profiles of the SNPP, TAP, SMTP, or WEB type. The allowable values for this field are the following:

• Pager Pin Number (e.g., 8875551212) for User Profiles that are based on Service Profiles of the SNPP type.
• Email Address (e.g., jstraw@mrv.com) for User Profiles that are based on Service Profiles of the SMTP type.

• Pager Number or Telephone Number (e.g., 9785552222) for User Profiles that are based on Service Profiles of the TAP or WEB type.

4. Use the userprofile facility command to specify a facility characteristic for the User Profile, for example:

Notification:0 >>userprofile adminscell facility user

The allowable values for the facility characteristic are authpriv, daemon, kern, syslog, user, and all.

5. Use the userprofile priority command to specify a priority characteristic for the User Profile, for example:

Notification:0 >>userprofile adminscell priority warning

The allowable values for the priority characteristic are info, notice, warning, err, crit, alert, emerg, and none. Event messages that originate from the specified facility (see step 4) and have the specified priority will be sent to the destination.

6. If the User Profile is for a Service Profile of the TAP type, you must use the userprofile modem port command to specify the modem port that the LX unit will use to send event messages to the SMSC, for example:

Notification:0 >>userprofile adminscell modem port 17

Displaying Information on the Notification Feature

This section describes how to display information about the Notification feature. The information that can be displayed includes the characteristics of Service Profiles and the characteristics of User Profiles.

Displaying Characteristics of Service Profiles

Use the show notification serviceprofile command, in the Superuser Command Mode, to display the characteristics of Service Profiles, for example:

InReach:0 >>show notification serviceprofile jacklocal

In the above example, the characteristics are displayed for the Service Profile jacklocal.

Use the following syntax to display the characteristics of all Service Profiles on the LX unit:

InReach:0 >>show notification serviceprofile all

Figure 3 shows an example of the Service Profile display.

ServiceProfile: syslog
  Protocol: localsyslog
  File: syslog
ServiceProfile: messages
  Protocol: localsyslog
  File: messages
ServiceProfile: jackremote
  Protocol: remotesyslog
  Remote Host:
ServiceProfile: jackasync
  Protocol: async
  Async Port: 5
ServiceProfile: jack
  Protocol: tap
  SMSC: 18668230501
  Bits/Parity/StopBits: 8N1
  Modem Port(s): 33
ServiceProfile: webjack
  Protocol: web
  Driver: verizon_web

Figure 3 - Service Profile Display

Displaying Characteristics of User Profiles

Use the show notification userprofile command, in the Superuser Command Mode, to display the characteristics of User Profiles, for example:

InReach:0 >>show notification userprofile grogers

In the above example, the characteristics are displayed for the User Profile grogers@mrv.

Use the following syntax to display the characteristics of all User Profiles on the LX unit:

InReach:0 >>show notification userprofile all

Figure 4 shows an example of the User Profile display.

UserProfile: messages
  ServiceProfile: messages
  Contact:
  Facility: all
  Priority: notice
UserProfile: debug
  ServiceProfile: debug
  Contact:
  Facility: all
  Priority: debug
UserProfile: grogers@mrv
  ServiceProfile: N/A
  Contact:
  Facility: kern
  Priority: emerg
UserProfile: mark
  ServiceProfile: N/A
  Contact:
  Facility: kern
  Priority: emerg

Figure 4 - User Profile Display

Configuration Examples

This section contains examples of each type of Service Profile. Each example includes the commands for creating the Service Profile, along with the commands for creating a User Profile based on the Service Profile.

Localsyslog Example

The following commands configure the logging of events to the local syslogd:

Notification:0 >>serviceprofile local protocol localsyslog
Notification:0 >>serviceprofile local file Build5
Notification:0 >>userprofile locallog service local
Notification:0 >>userprofile locallog facility user
Notification:0 >>userprofile locallog priority warning

NOTE: In the above example, the locallog home directory is /var/log/Build5.

Outbound Asynchronous Port Example

The following commands forward the logging of events to ports 5, 6, and 7:

Notification:0 >>serviceprofile 3serialport protocol async
Notification:0 >>serviceprofile 3serialport async port 5 6 7
Notification:0 >>userprofile serialport service 3serialport
Notification:0 >>userprofile serialport facility user
Notification:0 >>userprofile serialport priority warning

Remotesyslog Example

The following commands configure the logging of events to syslogd on a remote host:

Notification:0 >>serviceprofile Rlogvenus protocol remotesyslog
Notification:0 >>serviceprofile Rlogvenus host 10.179.170.253
Notification:0 >>userprofile venus service Rlogvenus
Notification:0 >>userprofile venus facility user
Notification:0 >>userprofile venus priority warning

After you have executed the above commands, do the following on the remote host:

1. Add the following entry to the /etc/syslog.conf file:

user.warning /tftpboot/log/user.warning.log

2. Create an empty log file as follows:

#touch /tftpboot/log/user.warning.log
#chmod 777 /tftpboot/log/user.warning.log

3. Restart the syslog daemon, using the following commands, to make the changes to syslog.conf take effect:

# ps –ef|grep syslog
# kill –HUP pid#
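The Remotesyslog example relies on the receiving host's syslog.conf selector user.warning to decide which forwarded messages land in the log file, and on the LX userprofile facility and priority settings to decide what is sent at all. The script below is added here as an illustration and is not part of the LX guide or MRV's software: it parses the PRI header of RFC 3164 syslog lines into facility and severity and applies a syslog.conf selector the way classic syslogd does (the named priority and anything more severe). The sample messages are constructed; the facility and severity names are the RFC 3164 tables.

```python
"""Facility/severity filtering of syslog lines, as the remote host's
syslog.conf selector ``user.warning`` applies it.  Added example, not part
of the LX-Series guide; the sample messages below are constructed."""
import re

# RFC 3164 facility and severity codes.  PRI = facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 16: "local0", 17: "local1",
              18: "local2", 19: "local3", 20: "local4", 21: "local5",
              22: "local6", 23: "local7"}
# Index is the numeric severity code; 0 (emerg) is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Split a raw syslog line into (facility, severity, text).

    Returns None when the line carries no valid PRI header, which is how a
    receiver should treat junk arriving on 514/udp.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 * 8 + 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, "unknown"), SEVERITIES[severity], m.group(2)


def selector_matches(selector, facility, severity):
    """Evaluate one syslog.conf selector such as ``user.warning``.

    Classic semantics: ``facility.priority`` matches messages of that
    facility at the given priority or more severe; ``*`` matches any
    facility or any priority; ``none`` matches nothing.
    """
    sel_fac, sel_sev = selector.split(".", 1)
    if sel_fac != "*" and sel_fac != facility:
        return False
    if sel_sev == "none":
        return False
    if sel_sev == "*":
        return True
    return SEVERITIES.index(severity) <= SEVERITIES.index(sel_sev)


def filter_lines(lines, selector="user.warning"):
    """Return the text of every line the selector would write to its log file."""
    kept = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            continue
        facility, severity, text = parsed
        if selector_matches(selector, facility, severity):
            kept.append(text)
    return kept


# Constructed sample traffic, in the form a remote syslog receiver sees it.
SAMPLE = [
    "<12>Nov  8 16:29:26 lx1 port5: modem carrier lost",      # user.warning
    "<11>Nov  8 16:29:27 lx1 port5: dialout failed",          # user.err
    "<14>Nov  8 16:29:28 lx1 port5: session opened",          # user.info
    "<84>Nov  8 16:29:29 lx1 login: bad password for admin",  # authpriv.warning
    "garbage without a PRI header",
]

if __name__ == "__main__":
    for text in filter_lines(SAMPLE):
        print(text)
```

Run it over a capture of the LX's syslog traffic to confirm that the userprofile facility/priority pair and the host's selector agree: a message the LX emits at user.info never reaches user.warning.log, and an authpriv message never matches a user selector no matter how severe it is.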

SNPP Example

The following commands configure the logging of events to a text pager:

Notification:0 >>serviceprofile Skytel protocol snpp
Notification:0 >>serviceprofile Skytel server snpp.Skytel.com
Notification:0 >>serviceprofile Skytel port 7777
Notification:0 >>userprofile johnpager service Skytel
Notification:0 >>userprofile johnpager contact 8875551212
Notification:0 >>userprofile johnpager facility user
Notification:0 >>userprofile johnpager priority warning

NOTE: In order to resolve the provider’s address, DNS must be configured on the LX unit.

TAP Example

The following sequence of commands could be used to configure the logging of events via a wireless provider such as Verizon, Sprint, or AT&T:

Notification:0 >>serviceprofile verizon protocol tap
Notification:0 >>serviceprofile verizon SMSC 18668230501 (provider’s service phone #)
Notification:0 >>serviceprofile verizon bits 7
Notification:0 >>serviceprofile verizon stopbit 1
Notification:0 >>serviceprofile verizon parity even
Notification:0 >>userprofile gina’scell service verizon
Notification:0 >>userprofile gina’scell contact 785551212
Notification:0 >>userprofile gina’scell facility user
Notification:0 >>userprofile gina’scell priority warning
Notification:0 >>userprofile gina’scell modem port 17
Notification:0 >>exit

Now configure the modem port that will be used for sending messages:

Config>>port async 17
Async 17-17:0 >>no apd

Async 17-17:0 >>access remote
Async 17-17:0 >>modem
Modem>>modem enable
Modem>>type dialout

A list of wireless SMSC phone numbers is provided here for your convenience:

Carrier    Bits/Stop/Parity   SMSC Phone#    Email Address (SMSC Phone#@)
AT&T       7, 1, e            800-841-8837   @mobile.att.net
Cingular   7, 1, e            800-909-4602   @Cingular.com
Nextel     7, 1, e            801-301-6683   @messaging.nextel.com
Skytel     8, 1, n            800-679-2778   pin@skytel.com
Sprint     7, 1, e            888-656-1727   @sprintpcs.com
Verizon    7, 1, n            866-823-0501   @vtext.com

NOTE: MRV Communications is not responsible for these SMSC phone numbers and cannot guarantee their service. Please contact your provider for a number near you.

SNMP Example

The following commands configure the logging of events to an SNMP trap client (the LX unit must first have a trap client configured):

Snmp:0 >>trap client 0 10.179.170.57
Snmp:0 >>trap client 0 community public
Snmp:0 >>trap client 0 version 1

NOTE: SNMP version 1 traps are sent unencrypted and unauthenticated, and the community string travels in cleartext; public is the well-known default. Use a community string specific to this deployment and make sure only the intended trap client accepts traps from the LX unit.

The Service Profile and the User Profile can then be created in the Notification Command Mode:

Notification:0 >>serviceprofile ricksnmp protocol snmp
Notification:0 >>userprofile ricksnmp service ricksnmp

Notification:0 >>userprofile ricksnmp facility user
Notification:0 >>userprofile ricksnmp priority warning

Email Example

The following commands configure the logging of events to an email address:

Notification:0 >>serviceprofile youremail protocol smtp
Notification:0 >>serviceprofile youremail server 10.10.10.21
Notification:0 >>userprofile jsmith service youremail
Notification:0 >>userprofile jsmith contact 785551111@vtext.com (verizon text phone)
Notification:0 >>userprofile jsmith facility user
Notification:0 >>userprofile jsmith priority warning

NOTE: You may need to configure the LX with a Domain suffix, a DNS server address, and a primary gateway address.

Web Example

The following commands configure the logging of events to a web driver:

Notification:0 >>serviceprofile cingular protocol web
Notification:0 >>serviceprofile cingular driver cingular_web
Notification:0 >>userprofile kevin service cingular
Notification:0 >>userprofile kevin contact 9785551313
Notification:0 >>userprofile kevin facility user
Notification:0 >>userprofile kevin priority warning

NOTE: The date and time must be set for the LX unit. (If the date and the time are not set, some wireless providers will reject the message.) The date and time are set with the date and clock commands in the Configuration Command Mode. The supported web drivers can be retrieved from the CLI help.


Chapter 5

Configuring the Data Broadcast Feature

The Data Broadcast Feature allows you to specify ports as Slave Ports that receive data broadcasts from, and send data broadcasts to, Master Ports on the same LX unit. All Slave Ports and Master Ports belong to a Broadcast Group. The Slave Ports in a Broadcast Group can only receive data broadcasts from a Master Port in the same Broadcast Group. Any asynchronous port, or TCP port, on the LX unit can be configured as a Slave Port or a Master Port.

The source of the data broadcast can be a direct serial connection, or a Telnet connection, to a Master Port. The Master Ports then broadcast the data to the Slave Ports in the Broadcast Group. Users can receive data broadcasts by Telneting to a TCP port that is configured as a Slave Port.

When a port is configured as a Slave Port, it can still receive data from sources other than the Master Ports in its Broadcast Group. By default, any data that a Slave Port receives is forwarded to the Master Ports in the Broadcast Group.

Setting Up Broadcast Groups

Do the following to set up a Broadcast Group:

1. Access the Configuration Command Mode in the LX CLI. (For more information, refer to “Configuration Command Mode” on page 18.)

2. Use the broadcast group command to create a Broadcast Group, for example:

Config:0 >>broadcast group 4
BrGroups 4:0 >>

This enters the Broadcast Group Command Mode. In the above example, the Broadcast Group Command prompt (BrGroups 4:0 >>) indicates that you are in the Broadcast Group Command Mode for Broadcast Group 4.

3. Use the slave port command to specify the Slave Ports for the Broadcast Group, for example:

BrGroups 4:0 >>slave port async 4 6 7
BrGroups 4:0 >>slave port tcp 2500

In the above example, asynchronous ports 4, 6, and 7, and TCP port 2500, are specified as Slave Ports for Broadcast Group 4.

4. Use the master port command to specify the Master Ports for the Broadcast Group, for example:

BrGroups 4:0 >>master port async 5
BrGroups 4:0 >>master port tcp 1500

In the above example, asynchronous port 5, and TCP port 1500, are specified as Master Ports for Broadcast Group 4.

5. Use the mode command to specify the Telnet mode for the Broadcast Group, for example:

BrGroups 4:0 >>mode line

In the above example, the Telnet mode is specified as line. The Telnet mode can also be specified as character.

6. Use the exit command to return to the Configuration Command Mode, for example:

BrGroups 4:0 >>exit
Config:0 >>

7. Use the broadcast group enable command to enable the Broadcast Group that you just created, for example:

Config:0 >>broadcast group 4 enable

NOTE: In order to enable a Broadcast Group, the Broadcast Group must contain at least one Master Port and one Slave Port.

Usage Guidelines

Keep the following in mind as you add Slave Ports and Master Ports to a Broadcast Group:

• You cannot specify the DIAG port (port 0) as a Slave Port or a Master Port.
• You cannot add a port to a Broadcast Group if it is already a member of another Broadcast Group.
• A TCP port that is already in use cannot be added to a Broadcast Group.
• No more than one TCP socket may be open on a single TCP port.
• A maximum of 16 TCP ports can be configured for a Broadcast Group.
• A maximum of 20 ports, including Masters and Slaves, can be configured for a Broadcast Group.
• To prevent data overruns, it is recommended that the Master Port(s) and Slave Port(s) in a Broadcast Group be set to the same port speed.

Specifying Port Options

You can specify that a timestamp will be appended to each line of data that is broadcast from a Master Port. You can also specify that non-broadcast data will be discarded by Slave Ports and that Slave Ports will echo any data that comes into them. This section describes how to configure these features.

Appending a Timestamp

Use the timestamp option of the master port command to specify that a timestamp will be appended to each line of data that is broadcast from a Master Port, for example:

BrGroups 4:0 >>master port async 4 6 7 timestamp

Discarding Non-Broadcast Data

By default, any data that a Slave Port receives is forwarded to the Master Port(s) in the Broadcast Group. This data is then broadcast to all of the Slave Ports in the Broadcast Group. However, you can configure Slave Port(s) to discard data without forwarding it to the Master Port(s). To do this, specify the discard option in the slave port command, for example:

BrGroups 4:0 >>slave port async 5 7 discard
BrGroups 4:0 >>slave port tcp 2500 discard

In the above example, the discard option is specified for the asynchronous ports 5 and 7 and the TCP port 2500 in Broadcast Group 4.

NOTE: Because a Slave Port forwards incoming data by default, any client that can Telnet to a TCP Slave Port can send data to the device attached to the Master Port. Specify discard on Slave Ports whose users should only receive broadcasts.

Echoing Incoming Data at Slave Ports

Use the localecho option in the slave port command to specify that Slave Ports will echo any data that comes into them, for example:

BrGroups 4:0 >>slave port async 5 7 localecho

Removing Ports from Broadcast Groups

To remove Master Ports from a Broadcast Group, execute the no master port command in the Broadcast Group Command Mode, for example:

BrGroups 4:0 >>no master port async 5
BrGroups 4:0 >>no master port tcp 1500

In the above examples, asynchronous port 5 and TCP port 1500 are removed from Broadcast Group 4.

To remove Slave Ports from a Broadcast Group, execute the no slave port command in the Broadcast Group Command Mode, for example:

BrGroups 4:0 >>no slave port async 7
BrGroups 4:0 >>no slave port tcp 2500

In the above examples, asynchronous port 7 and TCP port 2500 are removed from Broadcast Group 4.
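The forwarding rules in this chapter, together with the timestamp, discard and localecho port options and the usage guidelines above, can be checked against the model below. It is an added illustration and not LX firmware: the group (the masters and slaves from the setup procedure), the port names and the fixed clock string are constructed for the example, and the timestamp format and the single rebroadcast of slave data to the other slaves are assumptions. It makes the point of the discard option concrete: without it, anything a Telnet client types at a TCP Slave Port is delivered to the device on the Master Port.

```python
"""Model of the Data Broadcast forwarding rules: data at a Master Port is
broadcast to every Slave Port, data arriving at a Slave Port is forwarded to
the Master Port(s) unless the slave has the discard option, and timestamp /
localecho change what each side sees.  Added example with a constructed
group; not LX firmware.  The timestamp format is an assumption."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str                   # e.g. "async 5" or "tcp 2500"
    timestamp: bool = False     # master option: append a timestamp to each line
    discard: bool = False       # slave option: drop incoming data instead of forwarding it
    localecho: bool = False     # slave option: echo incoming data back to the sender
    received: list = field(default_factory=list)   # lines delivered out of this port


class BroadcastGroup:
    MAX_PORTS = 20              # usage guideline: masters plus slaves

    def __init__(self, number, clock=lambda: "08 Nov 2002 16:29:26"):
        self.number = number
        self.masters = {}
        self.slaves = {}
        self.enabled = False
        self.clock = clock      # injected so output is deterministic

    def _check_new(self, name):
        # Usage guidelines: port 0 is reserved, a port has one role in one
        # group, and a group holds at most 20 ports.
        if name.endswith(" 0"):
            raise ValueError("the DIAG port (port 0) cannot be used")
        if name in self.masters or name in self.slaves:
            raise ValueError(f"{name} is already in broadcast group {self.number}")
        if len(self.masters) + len(self.slaves) >= self.MAX_PORTS:
            raise ValueError("a broadcast group holds at most 20 ports")

    def master_port(self, name, timestamp=False):
        self._check_new(name)
        self.masters[name] = Port(name, timestamp=timestamp)

    def slave_port(self, name, discard=False, localecho=False):
        self._check_new(name)
        self.slaves[name] = Port(name, discard=discard, localecho=localecho)

    def enable(self):
        # A group needs at least one master and one slave before it can be enabled.
        if not self.masters or not self.slaves:
            raise ValueError("need at least one master and one slave port")
        self.enabled = True

    def from_master(self, name, line):
        """Data entering a Master Port is broadcast to every slave; returns the
        names of the slaves that received it."""
        if not self.enabled:
            return []
        if self.masters[name].timestamp:
            line = f"{line} [{self.clock()}]"
        for slave in self.slaves.values():
            slave.received.append(line)
        return sorted(self.slaves)

    def from_slave(self, name, line):
        """Data entering a Slave Port (e.g. typed by a Telnet client) is forwarded
        to the masters and rebroadcast to the slaves unless the slave has
        discard; returns the names of the masters that received it."""
        if not self.enabled:
            return []
        slave = self.slaves[name]
        if slave.localecho:
            slave.received.append(line)
        if slave.discard:
            return []
        for master in self.masters.values():
            master.received.append(line)
        for other in self.slaves.values():
            other.received.append(line)   # simplification: one copy, no timestamp
        return sorted(self.masters)


def build_group_4():
    """Broadcast Group 4 as set up in this chapter, with discard on the TCP slave."""
    g = BroadcastGroup(4)
    g.master_port("async 5", timestamp=True)
    g.master_port("tcp 1500")
    for p in ("async 4", "async 6", "async 7"):
        g.slave_port(p)
    g.slave_port("tcp 2500", discard=True)   # read-only consumers connect here
    g.enable()
    return g
```

A useful way to read the model is to follow one injected line: from_slave("tcp 2500", ...) returns an empty list and the masters' received lists stay unchanged, while the same call on a slave without discard shows the line arriving at every master.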

To verify that Master Ports or Slave Ports have been deleted from a Broadcast Group, execute the show broadcast group characteristics command. (The deleted ports will not be listed in the Broadcast Group Characteristics Display.) For more information on the show broadcast group characteristics command, refer to “Displaying Broadcast Group Characteristics” on page 101.

Disabling Broadcast Groups

To disable a Broadcast Group, execute the no broadcast group command in the Configuration Command Mode, for example:

Config:0 >>no broadcast group 4

In the above example, Broadcast Group 4 is disabled.

NOTE: You cannot delete a Broadcast Group. In lieu of deleting a Broadcast Group, you can remove all of the ports from the Broadcast Group and then disable the Broadcast Group.

Displaying Broadcast Group Characteristics

This section describes how to display information about Broadcast Groups. The information includes Broadcast Group characteristics and Broadcast Group Summaries.

Displaying Broadcast Group Characteristics

Use the show broadcast group characteristics command to display the characteristics of Broadcast Groups, for example:

InReach:0 >>show broadcast group 1 characteristics

In the above example, the Broadcast Group characteristics are displayed for Broadcast Group 1.

Use the following syntax to display the Broadcast Group characteristics of all Broadcast Groups on the LX unit:

InReach:0 >>show broadcast group all characteristics

Figure 5 shows an example of the Broadcast Group Characteristics Display.

Time: 08 Nov 2002 16:29:26 US/EASTERN
Broadcast Group Number: 1
Mode: Line Mode
State: Disabled
Async Master port(s) with Timestamp:
Async Master port(s) without Timestamp: 1,4
TCP Master port(s) with Timestamp:
TCP Master port(s) without Timestamp:
Async Slave port(s) with Discard:
Async Slave port(s) without Discard: 2-3,5-7
Async Slave port(s) with Local Echo:
Async Slave port(s) without Local Echo: 2-3,5-7
TCP Slave port(s) with Discard:
TCP Slave port(s) without Discard:
TCP Slave port(s) with Local Echo:
TCP Slave port(s) without Local Echo:

Figure 5 - Broadcast Group Characteristics Display

Displaying Broadcast Group Summaries

Use the show broadcast group summary command, in the Superuser Command Mode, to display summary information for all Broadcast Groups on the LX unit, for example:

InReach:0 >>show broadcast group summary

Figure 6 shows an example of the Broadcast Group Summary Display.

Broadcast group number:   State:
1                         Enabled
2                         Disabled
3                         Disabled
4                         Disabled
5                         Disabled

Figure 6 - Broadcast Group Summary Display


Chapter 6

Configuring IP Interfaces

An IP interface is a logical interface for accessing the LX unit from a network. The network treats an IP interface as a network element that is no different from an actual server. Each IP interface has its own IP characteristics. You can access an LX unit via the Address of the IP interface, or by the ppciboot (server) Address of the LX unit. You can configure up to 4 IP interfaces on an LX unit.

For example, you could have an LX unit with an IP address of 117.19.23.5, a Broadcast address of 117.255.255.255, and the subnet mask of 255.0.0.0 in ppciboot. You could then create the IP interfaces shown in Table 7 for the LX unit.

Table 7 - IP Interface Examples

Interface Number   IP Address       Broadcast Address   Subnet Mask
1                  119.65.123.123   119.255.255.255     255.0.0.0
2                  124.45.20.23     124.255.255.255     255.0.0.0
3                  178.87.112.3     178.255.255.255     255.0.0.0

This would enable you to include the LX unit in three different networks (i.e., 119.0.0.0, 124.0.0.0, and 178.0.0.0).

IP interfaces can be configured as rotaries. For more information, refer to “Configuring Rotaries” on page 113.

An IP interface has the same subscriber database as the LX unit on which it was created. A subscriber can connect to asynchronous ports, or virtual ports, on the LX unit via an IP interface. IP interfaces support SSH and Telnet as methods for connecting subscribers to the LX unit. Refer to “Specifying the Subscriber Access Methods” on page 123 for more information.

You can authenticate connections via IP interfaces with the same authentication methods that are configured for the LX unit (LOCAL, RADIUS, TACACS+, or SecurID). However, you must enable the authentication method on the IP interface before you can use it on the IP interface. (For more information, refer to “Configuring Local Authentication on an IP Interface” on page 110 and “Configuring RADIUS, TACACS+, or SecurID Authentication on an IP Interface” on page 110.)

Setting Up IP Interfaces

IP interfaces are created and configured in the Interface Command Mode. You can enter the Interface Command Mode by executing the interface command in the Configuration Command Mode. To configure an IP interface, do the following:

1. Execute the interface command in the Configuration Command Mode, for example:

Config:0 >>interface 1

This enters the Interface Command Mode for the specified IP interface (IP interface 1 in the above example). When you are in the Interface Command Mode, the Interface Command prompt (e.g., Intf 1-1:0 >>) is displayed.

2. Use the address command to specify an IP Address, and Subnet Mask, for the interface, for example:

Intf 1-1:0 >>address 119.20.112.3 mask 255.0.0.0

In the above example, the IP Address is specified as 119.20.112.3 and the Subnet Mask is specified as 255.0.0.0.

3. Use the broadcast command to specify the Broadcast Address for the IP interface, for example:

Intf 1-1:0 >>broadcast 119.255.255.255

4. Configure an authentication method (LOCAL, RADIUS, TACACS+, or SecurID) for the IP interface. For more information, refer to the following sections:

• “Configuring Local Authentication on an IP Interface” on page 110
• “Configuring RADIUS, TACACS+, or SecurID Authentication on an IP Interface” on page 110

Refer to the following sections to configure optional parameters for an IP interface:

• “Specifying SSH Keepalive Parameters” on page 107
• “Specifying Socket Numbers” on page 108
• “Specifying Maximum Transmission Units (MTU)” on page 109

Specifying SSH Keepalive Parameters

The SSH Keepalive Count is the number of times that an SSH client will attempt to make an SSH connection to an IP interface. The SSH Keepalive Interval is the length of time, in seconds, between attempts at making an SSH connection to the IP interface.

Specifying the SSH Keepalive Count

To specify the SSH Keepalive Count, execute the ssh keepalive count command, for example:

Intf 1-1:0 >>ssh keepalive count 8

Specifying the SSH Keepalive Interval

To specify the SSH Keepalive Interval, execute the ssh keepalive interval command, for example:

Intf 1-1:0 >>ssh keepalive interval 30

Specifying Socket Numbers

IP interfaces have a default SSH Socket Number of 22 and a default Telnet Socket Number of 23. Table 8 lists the default SSH and Telnet Socket Numbers for LX serial ports.

Table 8 - Default Socket Numbers for Serial Ports

LX Serial Port   Default Telnet Port   Default SSH Port
0                0                     0
1                2100                  2122
2                2200                  2222
3                2300                  2322
4                2400                  2422
5                2500                  2522
6                2600                  2622
7                2700                  2722
8                2800                  2822

This section describes how to specify SSH Socket Numbers and Telnet Socket Numbers for IP interfaces and LX (asynchronous) ports. This is typically done to prevent hackers from accessing LX ports via default SSH Socket Numbers or default Telnet Socket Numbers. Note that a non-default socket number only reduces casual probing; a port scan still finds the service, so access to the ports must be controlled by the authentication method enabled on the interface (see “Configuring Local Authentication on an IP Interface” on page 110).

Specifying a Telnet Socket Number for a Serial Port

To specify a Telnet Socket Number for a serial port, execute the serial command with the telnet modifier, for example:

Intf 1-1:0 >>serial 6 telnet 1297

In the above example, the Telnet Socket Number for serial port 6 is set to 1297.

Specifying an SSH Socket Number for a Serial Port

To specify an SSH Socket Number for a serial port, execute the serial command with the ssh modifier, for example:

Intf 1-1:0 >>serial 4 ssh 983

In the above example, the SSH Socket Number for serial port 4 is set to 983.

Specifying a Virtual Port Socket Number for SSH

To specify the Virtual Port Socket Number for making an SSH connection to the IP interface, execute the ssh port command, for example:

Intf 1-1:0 >>ssh port 988

In the above example, the Virtual Port Socket Number for making an SSH connection to the IP interface is set to 988.

Specifying a Virtual Port Socket Number for Telnet

To specify the Virtual Port Socket Number for making a Telnet connection to the IP interface, execute the telnet port command, for example:

Intf 1-1:0 >>telnet port 1743

In the above example, the Virtual Port Socket Number for making a Telnet connection to the IP interface is set to 1743.

Specifying Maximum Transmission Units (MTU)

The Maximum Transmission Unit (MTU) is the maximum size (in bytes) of frames that can be transmitted on the IP interface. Frames that are larger than the designated MTU size are fragmented before transmission. (Note that the software fragments frames on the transmit side only.)

Use the mtu command to specify the MTU for an IP interface, for example:

Intf 1-1:0 >>mtu 1200

You can specify any number from 1000 through 1500 as the MTU size. The default MTU size is 1500.

Configuring Local Authentication on an IP Interface

Local authentication can be used when a subscriber logs in to a specific asynchronous port via an IP interface. In order to use local authentication, it must be enabled as the method of inbound authentication for the asynchronous port. Then it must be enabled for the IP interface.

The authentication enable command is executed in the Asynchronous Command Mode, with the inbound and local modifiers, to enable local authentication for inbound asynchronous ports, for example:

Async 4-4:0 >>authentication inbound local enable

In the above example, local authentication is enabled as the method of inbound authentication for asynchronous port 4.

Execute the authentication local enable command, in the Interface Command Mode, to enable local authentication on the IP interface, for example:

Intf 1-1:0 >>authentication local enable

Configuring RADIUS, TACACS+, or SecurID Authentication on an IP Interface

Server-based authentication methods (i.e., RADIUS, TACACS+, or SecurID) can be used when a subscriber logs in to an asynchronous port via an IP interface. In order to enable server-based authentication for an IP interface, the authentication method must be configured for the LX unit and enabled as the method of inbound authentication for the asynchronous port. For more information, refer to “Setting Up RADIUS, SecurID, and TACACS+ for the LX Unit” on page 33 and the authentication enable command in the LX-Series Commands Reference Guide.

To enable RADIUS authentication on the IP interface, execute the authentication radius enable command, in the Interface Command Mode, for example:

Intf 1-1:0 >>authentication radius enable

To enable SecurID authentication on the IP interface, execute the authentication securid enable command, in the Interface Command Mode, for example:

Intf 1-1:0 >>authentication securid enable

To enable TACACS+ authentication on the IP interface, execute the authentication tacacs+ enable command, in the Interface Command Mode, for example:

Intf 1-1:0 >>authentication tacacs+ enable

Configuring RADIUS Accounting on an Interface

RADIUS Accounting allows you to log user account information to a remote server in a per-client file. The file or record can contain information such as the user who logged in, the duration of the session, the Client IP address, the port number, and the number of bytes/packets that were processed by the LX unit. RADIUS accounting can be used when a subscriber logs in to an asynchronous port via an IP interface.

In order to enable RADIUS accounting for an IP interface, RADIUS accounting must be configured for the LX unit. For more information, refer to “Setting Up RADIUS” on page 33.

Execute the radius accounting enable command, in the Interface Command Mode, to enable RADIUS accounting on the IP interface, for example:

Intf 1-1:0 >>radius accounting enable

For more information on RADIUS accounting, refer to “Overview of RADIUS and TACACS+ Accounting” on page 161.

Configuring TACACS+ Accounting on an Interface

TACACS+ Accounting allows you to log user account information to a remote server in a per-client file. For more information on TACACS+ accounting, refer to “Overview of RADIUS and TACACS+ Accounting” on page 161.

Execute the tacacs+ accounting enable command, in the Interface Command Mode, to enable TACACS+ accounting on the IP interface, for example:

Intf 1-1:0 >>tacacs+ accounting enable

Configuring Fallback on an IP Interface

Fallback Authentication can be used as a mechanism for authenticating users when the configured authentication method (i.e., RADIUS, TACACS+, or SecurID) fails because the authentication server is unreachable. When a user logs in via Fallback, his or her username/password combination is validated against the LOCAL security database for the LX unit.

The LX unit will make three attempts to log in the user via RADIUS, TACACS+, or SecurID before it implements Fallback. After the third login attempt, the username/password combination will be validated against the LOCAL security database for the LX unit.

RADIUS, TACACS+, or SecurID must be enabled on an IP interface in order for Fallback to function on the interface. (Refer to “Configuring RADIUS, TACACS+, or SecurID Authentication on an IP Interface” on page 110 for information on enabling RADIUS, TACACS+, or SecurID.) When all three methods (i.e., RADIUS, TACACS+, and SecurID) are disabled on the interface, Fallback is ignored by the interface.

NOTE: With Fallback enabled, the LOCAL security database becomes a second set of credentials that is accepted whenever the authentication server cannot be reached. Keep the local accounts to the minimum needed for recovery, with strong passwords, because an attacker who can interrupt the path to the server is then authenticated against the local database instead.

Execute the authentication fallback enable command, in the Interface Command Mode, to enable Fallback on the IP interface, for example:

Intf 1-1:0 >>authentication fallback enable
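The Fallback rules just described can be written out as a decision procedure. The model below is an added example with constructed accounts and a stand-in authentication server; it is not LX code, and the number of attempts, the PBKDF2 storage of the local passwords and the method labels it returns are assumptions made for the illustration. The point it demonstrates is the one that matters operationally: a server that answers with a rejection never triggers Fallback, only a server that does not answer at all does, and Fallback is ignored when no server-based method is enabled on the interface.

```python
"""Model of the Fallback decision: the server-based method (RADIUS, TACACS+
or SecurID) is tried up to three times and the LOCAL database is consulted
only when the server is unreachable, never when it rejects the credentials.
Added example with constructed accounts; not LX code."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # assumption for the example's local password store


class ServerUnreachable(Exception):
    """Raised when no reply comes back from the authentication server."""


class FakeAuthServer:
    """Stand-in for a RADIUS/TACACS+/SecurID server (constructed for the example)."""

    def __init__(self, accounts, reachable=True):
        self.accounts = accounts     # {username: password}
        self.reachable = reachable
        self.calls = 0               # lets a test count the retry attempts

    def authenticate(self, user, password):
        self.calls += 1
        if not self.reachable:
            raise ServerUnreachable(user)
        return self.accounts.get(user) == password


def make_local_db(accounts):
    """Build the LOCAL security database as salted PBKDF2-SHA256 hashes."""
    db = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        db[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))
    return db


class Interface:
    """An IP interface with an optional server method, optional LOCAL and optional Fallback."""

    def __init__(self, local_db, server=None, local=False, fallback=False, attempts=3):
        self.local_db = local_db
        self.server = server       # None means RADIUS, TACACS+ and SecurID are all disabled
        self.local = local
        self.fallback = fallback
        self.attempts = attempts   # the guide: three attempts before Fallback applies
        self.events = []

    def _local_check(self, user, password):
        rec = self.local_db.get(user)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def login(self, user, password):
        """Return (accepted, method), where method names what decided the login."""
        if self.server is None:
            # No server-based method on the interface: Fallback is ignored.
            if self.fallback:
                self.events.append("fallback ignored: no server-based method enabled")
            if self.local:
                return self._local_check(user, password), "local"
            return False, "none"
        for _ in range(self.attempts):
            try:
                # A definite answer, accept or reject, ends the login here.
                return self.server.authenticate(user, password), "server"
            except ServerUnreachable:
                self.events.append("server unreachable")
        # Three attempts without any reply: only now may Fallback apply.
        if self.fallback:
            return self._local_check(user, password), "fallback-local"
        return False, "server"
```

Reading the two failure paths side by side is the useful part: a wrong password against a reachable server returns (False, "server") after one call, while the same password against an unreachable server returns (True, "fallback-local") after three calls if, and only if, it matches the local database.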

g.e.Rotary Connections on an IP Interface The rotary is transparent to users. for example: Config:0 >>interface 1 This enters the Interface Command Mode for the specified interface (i. an IP interface can be configured as a rotary. Interface 1). When a user attempts such a connection. or access an existing one. with LX asynchronous ports as the multiple destinations of the rotary. or an SSH connection. Do the following to configure an IP interface as a rotary: 1. and the LX unit sets up the connection with one of the available ports in the rotary group. 451-0311B 113 .. The user is connected to an available port in the rotary port list.. he/she is connected to an available port that has been configured as one of the destinations of the rotary. On an LX unit. A user can attempt to connect to an IP interface that is configured as a rotary. LX Unit The user initiates a Telnet connection. Figure 7 illustrates a rotary on an LX unit. Configuring IP Interfaces Configuring Rotaries The term “rotary” refers to the assignment of an IP address to multiple destinations that offer the same type of service. A user simply requests a connection to an IP address. Figure 7 . Create a new IP interface. Intf 1-1:0 >>) is displayed. The Interface Command prompt (e. to the IP address of an IP interface that has been configured as a rotary. by executing the interface command in the Configuration Command Mode.

2. Use the address command to configure a server IP address for the IP interface, for example:

Intf 1-1:0 >>address 10.240.10.100

3. Use the rotary port command to configure the IP interface as a rotary, and to assign LX asynchronous ports to the rotary, for example:

Intf 1-1:0 >>rotary port 1 2 3

In the above example, the LX asynchronous ports 1, 2, and 3 are assigned to the rotary.

4. Use the rotary type command to specify the rotary type (Round Robin or First Available), for example:

Intf 1-1:0 >>rotary type round robin

The rotary type identifies the port search method for the rotary. The allowable values are:

first available  An incoming call is connected to the First Available (non-busy) port in the rotary.

round robin  The LX unit will search the rotary for an available port, starting with the lowest-numbered port in the rotary.

5. Use the rotary tcp port command to assign a TCP socket number to the rotary. This identifies the socket that will be used to make Telnet connections to the rotary, for example:

Intf 1-1:0 >>rotary tcp port 3000

In the above example, the TCP socket number for the rotary is specified as 3000.

NOTE: The default TCP socket is 1500.

6. Use the rotary ssh port command to assign an SSH socket number to the rotary. This identifies the socket that will be used to make SSH connections to the rotary, for example:

Intf 1-1:0 >>rotary ssh port 3022

In the above example, the SSH socket number for the rotary is specified as 3022.

NOTE: The default SSH socket is 1522.

7. Use the rotary enable command to enable the rotary, for example:

Intf 1-1:0 >>rotary enable

Disabling Rotaries

Execute the no rotary command in the Interface Command Mode to disable a rotary, for example:

Intf 1-1:0 >>no rotary

When a rotary is disabled, it no longer functions as a rotary.

NOTE: Disabling a rotary does not delete the rotary. The configuration of the rotary still exists, and you can re-enable it by executing the rotary enable command in the Interface Command Mode.

To verify that a rotary has been disabled, execute the show interface rotary command. If the rotary is in fact disabled, it will say “Disabled” in the “Rotary State” column of the display. For more information on the show interface rotary command, refer to “Displaying Rotary Information” on page 118.

Removing Ports from a Rotary

To remove asynchronous ports from a rotary, execute the no rotary port command in the Interface Command Mode, for example:

Intf 1-1:0 >>no rotary port

In the above example, the asynchronous ports are removed from the rotary on Interface 1.

To verify that asynchronous ports have been removed from a rotary, execute the show interface rotary command. If the asynchronous ports have in fact been removed, they will not appear in the “Serial Ports” column of the display. For more information on the show interface rotary command, refer to “Displaying Rotary Information” on page 118.

Displaying Interface Information

This section describes how to display information about IP interfaces and rotaries. The IP interface information includes characteristics, statuses, port mapping, and summaries. The rotary information includes the Rotary IP Address, the Rotary type, the Rotary ports, and the Rotary State.

Displaying Interface Characteristics

Use the show interface characteristics command, in the Superuser Command Mode, to display the characteristics of an IP interface, for example:

InReach:0 >>show interface 1 characteristics

In the above example, the interface characteristics are displayed for IP interface 1.

Use the following syntax to display the interface characteristics of all IP interfaces on the LX unit:

InReach:0 >>show interface all characteristics

Figure 8 shows an example of the Interface Characteristics display.

Time: Mon, 22 Dec 1969 16:14:27
Interface Name: Interface_1
Bound to : eth0
IP MTU Size: 1500
IP Address : 0.0.0.0
Learned IP Address : 102.169.19.191
IP Mask : 0.0.0.0
Learned IP Mask : 255.255.255.0
IP Broadcast : 0.0.0.0
Learned IP Broadcast: 102.169.19.255
Interface Status: In Use
Learned IP Gateway : 102.169.19.1
Rotary Feature: Disabled
Learned IP DNS : 0.0.0.0
Authentication: Local
Radius Accounting: Disabled
Authentication FallBack: Disabled
Tacacs+ Accounting: Disabled
SSH port: 22
Telnet port: 23
SSH Keepalive Interval: 0
SSH Keepalive Count: 3

Figure 8 - Interface Characteristics Display

Displaying Interface Port Mapping

Use the show interface port mapping command, in the Superuser Command Mode, to display the Telnet Socket Number, and the SSH Socket Number, associated with each serial port on the LX unit, for example:

InReach:0 >>show interface 1 port mapping

In the above example, the port mapping for IP interface 1 is displayed.

Use the following syntax to display the port mapping for all IP interfaces on the LX unit:

InReach:0 >>show interface all port mapping

Figure 9 shows an example of the Interface Port Mapping display.

Serial Port  Telnet Port  SSH Port
0            0            0
1            2100         2122
2            2200         2222
3            2300         2322
4            2400         2422
5            2500         2522
6            2600         2622
7            2700         2722
8            2800         2822

Figure 9 - Interface Port Mapping Display

Displaying Interface Statuses

Use the show interface status command, in the Superuser Command Mode, to display the status information for IP interfaces, for example:

InReach:0 >>show interface 1 status

In the above example, the status information for IP interface 1 is displayed.

Use the following syntax to display the status information for all IP interfaces on the LX unit:

InReach:0 >>show interface all status

Figure 10 shows an example of the Interface Status display.

Time: Mon, 22 Dec 1969 16:19:34
Interface Name: Interface_1
Bound to : eth0
IP Address: 102.169.19.191
IP Mask: 255.255.255.0
IP Broadcast Addr: 102.169.19.255

Figure 10 - Interface Status Display

Displaying Interface Summaries

Use the show interface summary command, in the Superuser Command Mode, to display summary information for all of the IP interfaces on the LX unit, for example:

InReach:0 >>show interface summary

Figure 11 shows an example of the Interface Summary display.

Name         Address  Broadcast Addr.  Mask     Bound to
Interface_1  0.0.0.0  0.0.0.0          0.0.0.0  eth0
Interface_2  0.0.0.0  0.0.0.0          0.0.0.0  eth0:1

Figure 11 - Interface Summary Display

Displaying Rotary Information

Use the show interface rotary command, in the Superuser Command Mode, to display information on rotaries, for example:

InReach:0 >>show interface 1 rotary

In the above example, the rotary information for IP interface 1 is displayed.

Use the following syntax to display the rotary information for all IP interfaces on the LX unit:

InReach:0 >>show interface all rotary

Figure 12 shows an example of the Rotary display.

Rotary Ip Address  TCP/SSH Port  Rotary Type      Rotary State  Serial Ports
147.132.145.16     1500/1522     First Available  Disabled      2,3,4,7

Figure 12 - Rotary Display


Chapter 7

Configuring Subscriber Accounts for the LX Unit

In order for a user (subscriber) to use the LX unit, he/she must log in to the unit under a subscriber account. The subscriber account defines a User Profile that includes the subscriber’s username and password. The User Profile also defines the subscriber’s Security Level (User or Superuser) and contains all of the settings that affect the subscriber’s use of the LX unit.

This chapter describes how to create and delete subscriber accounts, how to modify subscriber accounts, and how to display information on subscriber accounts. The LX-Series Commands Reference Guide provides a detailed syntax, and description, for each command mentioned in this chapter.

Creating Subscriber Accounts and Entering Subscriber Command Mode

To create a subscriber account, or to access an existing subscriber account, use the subscriber command in the Configuration Command Mode, for example:

Config:0 >>subscriber jack

where jack is an example of a subscriber name (user name). The subscriber name must contain at least 2 characters, and no more than 15 characters. The reserved words super and subscriber, and any variation of super and subscriber, cannot be used as subscriber names. (Variations of super and subscriber include su, sub, subs, sup, etc.)

Executing the subscriber command puts you into the Subscriber Command Mode for the subscriber. The Subscriber Command prompt (e.g., Subs_jack >>) is displayed.

The maximum number of subscribers on an LX unit is equal to double the number of ports on the unit. For example, the maximum number of subscribers is 16 on an 8-port unit, 32 on a 16-port unit, 64 on a 32-port unit, and 96 on a 48-port unit.

Creating Subscriber Accounts by Copying

You can also create subscriber accounts by executing the copy subscriber command in the Configuration Command Mode. The copy subscriber command creates new subscriber accounts by copying the configuration of an existing subscriber account, for example:

Config:0 >>copy subscriber benw to jimk billj edw

In the above example, the subscriber account configuration of benw is copied to jimk, billj, and edw.

Deleting Subscriber Accounts

Use the no subscriber command, in the Configuration Command Mode, to delete a subscriber account, for example:

Config:0 >>no subscriber jack

In the above example, the subscriber account jack is deleted.

NOTE: You cannot delete the subscriber InReach.
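The naming rules (2 to 15 characters, no super/subscriber or variation of them) and the per-unit limit of twice the port count are easy to get wrong when provisioning accounts in bulk with copy subscriber. The following Python checker is an added example, not LX code: it validates a batch of proposed names before they are entered. Reading a “variation” as any leading fragment of a reserved word, or a name beginning with one, and comparing names case-insensitively are assumptions; the manual only gives su, sub, subs and sup as examples.

```python
"""Pre-check subscriber names and the per-unit subscriber limit.
Added example, not MRV/LX code."""
RESERVED_WORDS = ("super", "subscriber")
MIN_LEN, MAX_LEN = 2, 15


def is_reserved_variation(name):
    """True for super, subscriber and their variations.  Assumption: a
    variation is a leading fragment of a reserved word (su, sub, subs, sup,
    ...) or a name that begins with one, matched case-insensitively."""
    n = name.lower()
    return len(n) >= 2 and any(
        word.startswith(n) or n.startswith(word) for word in RESERVED_WORDS)


def validate_subscriber_name(name):
    """Return None if the name is acceptable, else a reason string."""
    if not MIN_LEN <= len(name) <= MAX_LEN:
        return f"must be {MIN_LEN} to {MAX_LEN} characters"
    if is_reserved_variation(name):
        return "reserved: super, subscriber or a variation of them"
    return None


def plan_subscribers(requested, port_count, existing=("InReach",)):
    """Check a batch of new names against the name rules and the unit limit
    (twice the number of ports).  InReach, the default subscriber that cannot
    be deleted, is counted as already existing.  Returns (accepted, problems)."""
    limit = 2 * port_count
    seen = {s.lower() for s in existing}
    accepted, problems = [], {}
    for name in requested:
        err = validate_subscriber_name(name)
        if err is None and name.lower() in seen:
            err = "duplicate of an existing subscriber"
        if err is None and len(seen) + 1 > limit:
            err = f"would exceed the {limit}-subscriber limit of a {port_count}-port unit"
        if err:
            problems[name] = err
        else:
            accepted.append(name)
            seen.add(name.lower())
    return accepted, problems
```

Running the checker against a list of names before issuing subscriber or copy subscriber commands keeps the unit from silently rejecting part of a batch.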

The User Profile

When you create a new subscriber account with the subscriber command, its User Profile is based on the default User Profile of the InReach subscriber. (The InReach subscriber is the default subscriber for the LX unit.) Refer to the following sections to specify new settings in a User Profile:

• “Specifying the Subscriber Access Methods” on page 123
• “Setting Up the Session and Terminal Parameters” on page 128
• “Configuring the Subscriber Password” on page 132
• “Specifying a Preferred Service” on page 133
• “Specifying a Dedicated Service” on page 133
• “Enabling Login Menus” on page 134
• “Adding Superuser Privileges to a Subscriber Account” on page 133
• “Enabling Audit Logging” on page 134
• “Enabling Command Logging” on page 134

Specifying the Subscriber Access Methods

You can specify up to four methods for the subscriber to access the LX unit. The methods include Telnet, SSH, Web Browser, and Console. For information on specifying each method, refer to the following:

• “Telnet Access” (see below)
• “SSH Access” (see page 124)
• “Web Browser Access” (see page 126)
• “Console Access” (see page 127)

You can also provide subscribers with access via Dialback. For more information, refer to “Dialback Access” on page 127.

Telnet Access

In order to specify Telnet access for a subscriber, do the following:

1. Set the telnet access parameter to enabled, for example:

Subs_jack >>access telnet enable

2. Set the telnet mode parameter to line or character, for example:

Subs_jack >>telnet mode line
Subs_jack >>telnet mode character

After you have executed the above commands, the subscriber will have Telnet access to virtual ports on the LX unit. Refer to “Console Access” on page 127 to give the user access to asynchronous ports on the LX unit.

SSH Access

In order to specify SSH access for a subscriber, do the following:

1. Set the ssh access parameter to enabled, for example:

Subs_jack >>access ssh enable

2. Set the ssh log level parameter to the class of SSH messages that will be logged to syslogd, for example:

Subs_jack >>ssh log level debug

The above example of the ssh log level command specifies that SSH messages of the debug class will be logged to syslogd for the subscriber. You can also specify SSH log levels of error, fatal, info, quiet, and verbose.

3. Set the ssh cipher parameter to triple-des, any, or blowfish, for example:

Subs_jack >>ssh cipher triple-des
Subs_jack >>ssh cipher any
Subs_jack >>ssh cipher blowfish

After you have executed the above commands, the subscriber will have SSH access to virtual ports on the LX unit. Refer to “Console Access” on page 127 to give the subscriber access to asynchronous ports on the LX unit.

You can specify a unique SSH key for the subscriber. Refer to “Specifying a Unique SSH Key for the Subscriber” on page 126 for more information.

Description of the Three Encryption Types

triple-des  Specifies that the Triple Data Encryption Standard (Triple-DES) is the only SSH encryption type supported for this subscriber.

any  Specifies that any SSH encryption type is supported for this subscriber.

blowfish  Specifies that BLOWFISH is the only SSH encryption type supported for this subscriber. See “Usage Guidelines” (below) for more information on the BLOWFISH encryption type.

Overview of Triple-DES

DES is a block cipher (i.e., it acts on a fixed-length block of plaintext and converts it into a block of ciphertext of the same size by using the secret key). In DES, the block size for plaintext is 64 bits. The length of the key is also 64 bits but 8 bits are used for parity. Hence the effective key length is only 56 bits. In Triple-DES, we apply 3 stages of DES with a separate key for each stage. The key length in Triple-DES is 168 bits.

DES is a symmetric key cipher. Decryption is done by applying the reverse transformation to the block of ciphertext using the same key. Since the same key is used both in encryption and decryption, this method differs from algorithms like the RSA encryption which use different keys to encrypt and decrypt a message.

Overview of Blowfish

Blowfish is a variable-length key block cipher. It takes a variable-length key, from 32 bits to 448 bits, making it ideal for both domestic and exportable use. It is only suitable for applications where the key does not change often, like a communications link or an automatic file encryptor. It is significantly faster than DES when implemented on 32-bit microprocessors with large data caches, such as the Pentium and the PowerPC.

Specifying a Unique SSH Key for the Subscriber

You can specify a unique SSH key for the subscriber by executing the ssh key command, for example:

Subs_jack >>ssh key

When you execute the ssh key command, the following prompt is displayed:

Please enter your key:

Type an SSH key at the above prompt. The SSH key can be any random string of characters. As an alternative to typing the SSH key, you can paste a generated SSH key at the above prompt. (The SSH key must be generated on the host from which the subscriber will make SSH connections to the LX unit. Refer to your Linux documentation for more information on generating an SSH key.)

When a subscriber has a unique SSH key, he/she can log on to the LX unit, via SSH, without entering a password. (The only requirement is that the user must log on from the host on which his or her SSH key was generated.)

Web Browser Access

In order to specify Web Browser access for the subscriber, set the access web parameter to enabled, for example:

Subs_jack >>access web enable
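The Triple-DES and Blowfish overviews above state the key sizes in words: a 64-bit DES key with 8 parity bits and 56 effective bits, three such keys for Triple-DES (168 bits), and 32 to 448 bits for Blowfish. The following Python example, added here and not MRV code, turns those statements into checks on actual key material: it verifies and repairs DES odd parity, reports how many effective key bits a 24-byte Triple-DES key really carries, and checks a Blowfish key length. The collapse of three-key EDE to single DES when adjacent stage keys are equal, and to two-key (112-bit) Triple-DES when K1 = K3, is a property of the construction and not something the manual discusses; the sample keys are constructed.

```python
"""Key-size and parity checks for the two SSH cipher choices described above.
Added example, not MRV/LX code; sample keys are constructed."""


def _mask_parity(key8):
    """The 7 key bits of each byte; bit 0 is the parity bit and does not
    contribute to the cipher."""
    return bytes(b & 0xFE for b in key8)


def des_key_parity_ok(key8):
    """DES keys carry odd parity in the low bit of each of the 8 bytes."""
    return len(key8) == 8 and all(bin(b).count("1") % 2 == 1 for b in key8)


def set_des_odd_parity(key8):
    """Return the key with every parity bit corrected (key bits unchanged)."""
    out = bytearray()
    for b in key8:
        high7 = b & 0xFE
        out.append(high7 | (0 if bin(high7).count("1") % 2 == 1 else 1))
    return bytes(out)


def analyze_triple_des_key(key24):
    """Report the strength actually provided by a K1|K2|K3 Triple-DES key."""
    if len(key24) != 24:
        raise ValueError("Triple-DES needs three 8-byte DES keys (24 bytes)")
    k1, k2, k3 = (key24[i:i + 8] for i in (0, 8, 16))
    m1, m2, m3 = (_mask_parity(k) for k in (k1, k2, k3))
    # EDE: C = E_K3(D_K2(E_K1(P))).  Equal adjacent keys cancel a stage pair.
    if m1 == m2 or m2 == m3:
        effective, note = 56, "K1=K2 or K2=K3 collapses EDE to single DES"
    elif m1 == m3:
        effective, note = 112, "two-key Triple-DES (K1=K3)"
    else:
        effective, note = 168, "three independent keys"
    return {
        "stored_bits": 192,          # 3 x 64 bits as stored
        "parity_bits": 24,           # 3 x 8 parity bits
        "key_bits": 168,             # 3 x 56, the figure the manual gives
        "effective_bits": effective,
        "parity_ok": all(des_key_parity_ok(k) for k in (k1, k2, k3)),
        "note": note,
    }


BLOWFISH_MIN_BITS, BLOWFISH_MAX_BITS = 32, 448


def blowfish_key_ok(key):
    """Blowfish accepts keys from 32 to 448 bits (4 to 56 bytes)."""
    return BLOWFISH_MIN_BITS <= len(key) * 8 <= BLOWFISH_MAX_BITS
```

The parity repair is what a key-loading routine would apply; the Triple-DES analysis is the check to run on keys generated elsewhere, since a generator that repeats a stage key silently reduces 168 nominal bits to 56.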

In order for the subscriber to have access to virtual ports on the LX, you must configure Telnet or SSH for the subscriber. For more information, refer to “Telnet Access” on page 124 and “SSH Access” on page 124. Refer to “Console Access” on page 127 to give the user access to asynchronous ports on the LX.

Console Access

By default, a user can only access virtual ports on the LX when his or her subscriber account has been configured for Telnet, SSH, or Web Browser access. In order for a subscriber to access asynchronous ports, the access to those ports must be configured in the subscriber account. To configure a subscriber account for access to asynchronous ports, do the following:

1. Execute the access console enable command to enable asynchronous port access for the subscriber, for example:

Subs_jack >>access console enable

2. Execute the access port enable command to specify the asynchronous ports that the subscriber can access, for example:

Subs_jack >>access port 2 4 6 enable

In the above example, the subscriber is given access to asynchronous ports 2, 4, and 6.

Dialback Access

The LX unit supports Dialback as an access method for LX subscribers. Under Dialback, the subscriber dials in to the LX unit and logs in as he/she would if he/she were a dialin subscriber. The LX unit then validates the login and terminates the call. If the subscriber login is valid, the LX unit calls the subscriber back. The subscriber is then logged in to the LX unit. Dialback is used for security (the destination is recorded by the Telco for billing, and calls can be restricted to specific destinations) and to manage connection costs (central site billing).

In order to specify Dialback access for a subscriber, do the following:

1. Set the dialback access parameter to enabled, for example:

Subs_jack >>dialback enable

2. Specify a dialback number for the subscriber, for example:

Subs_jack >>dialback number 19785551978

The dialback number is the telephone number that the LX modem will dial to call back the subscriber.

3. Specify the dialback retry parameter for the subscriber, for example:

Subs_jack >>dialback retry 7

The dialback retry parameter is the number of times that the modem on the LX unit can attempt to answer a dialback call.

Setting Up the Session and Terminal Parameters

The session and terminal parameters include all settings that affect the subscriber session and the operation of the subscriber terminal during a subscriber session. These settings include the session timeouts and limits, terminal type, user prompts, screen pause, Subscriber session mode, and function keys for switching between sessions. For more information, refer to the following:

• Function Keys for Switching Between Sessions – Used to switch between subscriber sessions, including the Local Command Mode (see “Setting Up the Session Switch Characters” on page 131).

• Terminal Type – Use the terminal command to set the terminal type for the subscriber. You can set the terminal type to ANSI or VT100, for example:

Subs_jack >>terminal ansi
Subs_jack >>terminal vt100

• Maximum Length of a Subscriber Session – Use the session timeout command to set the maximum length (in seconds) of a subscriber session. The syntax of the session timeout command is as follows:

Subs_jack >>session timeout 36000

The allowable values are 0 through 65535. A value of 0 means that there is no limit to the length of a subscriber session.

• User Prompts – You can specify a custom user prompt of up to 8 ASCII characters to replace the username field of the default login prompt for a subscriber. To specify a custom user prompt, execute the prompt command, for example:

Subs_jack >>prompt mxxxx9

In the above example, the subscriber’s default login prompt (e.g., jack:0 >) is changed to mxxxx9:0 >.

• Subscriber Session Mode – When the Subscriber session mode is CLI, the subscriber is logged into the CLI when he/she accesses the LX unit; when the Subscriber session mode is Shell, the subscriber is logged into the Linux shell when he/she accesses the LX unit. When the Subscriber session mode is Shell, the subscriber can only access the Linux shell and the GUI; the subscriber cannot access the CLI.

Use the shell enable command to change the Subscriber session mode from CLI to Shell, for example:

Subs_jack >>shell enable

When the shell enable command is executed, the Maximum Subscriber Sessions is automatically set to 1. The Maximum Subscriber Sessions cannot be changed from 1 until the Subscriber Session Mode is disabled with the no shell command (see below).

Use the no shell command to change the Subscriber session mode from Shell to CLI, for example:

Subs_jack >>no shell

When the no shell command is executed, the Maximum Subscriber Sessions is automatically set to 4.

• Screen Pause – When this feature is enabled, the screen will pause after displaying the number of lines specified in the “lines/screen” value for the terminal. To enable this feature for a subscriber, use the pause enable command, for example:

Subs_jack >>pause enable

• Inactivity Timeout – The Inactivity Timeout is the length of time (in seconds) that the subscriber has to enter keyboard data. If the subscriber does not enter keyboard data before the expiration of the Inactivity Timeout, he/she is logged out. You can use the idletime command to set the Inactivity Timeout to any value from 0 through 65535, for example:

Subs_jack >>idletime 1200

A value of 0 means that the Inactivity Timer is effectively disabled.

• Maximum Simultaneous Connections – You can configure 1 through 255 simultaneous connections for a subscriber, where a value of 0 disables the subscriber’s access to the LX unit. Use the maxsubscriber command to set the maximum simultaneous connections for the subscriber, for example:

Subs_jack >>maxsubscriber 10

• Maximum Subscriber Sessions – Use the session command to specify the maximum number of sessions for a subscriber. The allowable values are 0 through 4, for example:

Subs_jack >>session 3


Setting Up the Session Switch Characters

The LX unit supports up to 4 sessions per subscriber. (Refer to “Setting Up the
Session and Terminal Parameters” on page 128 to configure the number of
sessions for a subscriber.) You can configure Control characters as function keys
for switching to the previous, or next, session. You can also configure a Control
character as a function key for switching to the Local Command Mode.

To configure Session Switch characters for a subscriber, use the following
commands:

• backward_switch – to specify the Function Key for switching
(backwards) to the previous session; for example:

Subs_jack >>backward_switch ^I

• forward_switch – to specify the Forward Switch (i.e., Control-
character sequence for switching to the next session); for example:

Subs_jack >>forward_switch ^J

• local_switch – to specify the Local Switch (i.e., Control-character
sequence for switching to the Local Command Mode); for example:
Subs_jack >>local_switch ^K

The Session Switch character can be specified as an uppercase alphabetical
character with, or without, a caret (^) before it. When the Session Switch
character is preceded by a caret, the LX command parser interprets it as a
Control-character sequence. For example, ^I is interpreted as CTRL/I;
^J as CTRL/J; and ^M as CTRL/M.

Be sure that there are no conflicting uses for the character you select
(particularly with control characters that are used by applications programs,
or with the character you set for the FORWARD SWITCH, the LOCAL
SWITCH, or any Telnet command characters). If you specify a CTRL
character, when the user types the character, it will be displayed as ^<Key>
(e.g., if the user types CTRL/I, the terminal will echo the characters: ^I).
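The warning above about conflicting uses of the switch characters is something that can be checked before the settings are entered. The following Python example is added here and is not LX code: it parses a switch specification the way the text describes (^X is CTRL/X; a bare uppercase letter is read as the literal letter, which is an assumption about the no-caret form), then reports switches that collide with each other or with control characters that terminal drivers and applications commonly rely on. That table of common uses is constructed for the example; the manual names no specific characters.

```python
"""Conflict check for LX Session Switch characters.
Added example, not MRV/LX code."""
import string

# Control characters commonly claimed by terminal drivers and applications.
# Constructed for illustration; the manual does not list specific characters.
COMMON_CONTROL_USES = {
    0x03: "interrupt (^C)", 0x04: "end of input (^D)", 0x08: "backspace (^H)",
    0x09: "tab (^I)", 0x0A: "line feed (^J)", 0x0D: "carriage return (^M)",
    0x11: "XON flow control (^Q)", 0x13: "XOFF flow control (^S)",
    0x1A: "suspend (^Z)",
}


def parse_switch(spec):
    """Return the byte an LX Session Switch specification selects.
    '^I' is CTRL/I (0x09); a bare 'I' is taken as the literal letter (0x49)."""
    spec = spec.strip()
    letter = spec[1:] if spec.startswith("^") else spec
    if len(letter) != 1 or letter not in string.ascii_uppercase:
        raise ValueError(f"switch must be an uppercase letter, optionally after '^': {spec!r}")
    return ord(letter) - 0x40 if spec.startswith("^") else ord(letter)


def describe(code):
    """Render a byte the way the LX echoes it: control characters as ^<Key>."""
    return "^" + chr(code + 0x40) if code < 0x20 else chr(code)


def check_switches(backward, forward, local):
    """Return a list of conflict descriptions for the three switch settings;
    an empty list means no conflict was found."""
    codes = {"backward_switch": parse_switch(backward),
             "forward_switch": parse_switch(forward),
             "local_switch": parse_switch(local)}
    conflicts = []
    names = list(codes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if codes[a] == codes[b]:
                conflicts.append(f"{a} and {b} both use {describe(codes[a])}")
    for name, code in codes.items():
        if code in COMMON_CONTROL_USES:
            conflicts.append(
                f"{name} {describe(code)} is commonly used for {COMMON_CONTROL_USES[code]}")
    return conflicts
```

Run against the ^I/^J/^K values used in the examples above, the check flags ^I (tab) and ^J (line feed); the ^F/^B/^L values shown in the Subscriber Characteristics display later in this chapter pass cleanly.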



Configuring the Subscriber Password
The default password for an LX subscriber account is access. It is
recommended that you, or the subscriber, change the password from this
default before the subscriber uses it to log in to the LX unit. This prevents
unauthorized users (who might know the default password) from logging
on to the LX unit.

Changing the Subscriber Password

To change the subscriber password, execute the password command; for
example:
Subs_jack >>password

When the password command is executed, the following prompts are
displayed:

Enter your NEW password :
Re-enter your NEW password:

Enter the new password at the Enter prompt, and re-enter it at the
Re-enter prompt. The password string can be up to 16 characters in
length, and it will be masked when you enter it at the above prompts.

Enabling the Subscriber to Change His or Her Own Password

To enable the subscriber to change his or her own password, execute the
password enable command; for example:
Subs_jack >>password enable

The subscriber will be prompted to enter, and verify, his or her new
password the next time he/she logs in to the LX unit.



Adding Superuser Privileges to a Subscriber Account
By default, a subscriber account has user privileges on the LX unit. A
subscriber with user privileges can only access the User Command Mode,
or his or her assigned Login menu, when he/she logs in to the LX unit.
You can add Superuser privileges to a subscriber account. With Superuser
privileges, the subscriber can use the enable command in the User
Command Mode to enter the Superuser Command Mode.

Use the security level superuser command to add Superuser
privileges to the subscriber account; for example:

Subs_jack >>security level superuser

Specifying a Dedicated Service
If a dedicated service is specified for a subscriber, the subscriber will begin
running the dedicated service whenever he/she logs in to the LX unit.
Telnet must be enabled for the subscriber in order for him or her to run a
dedicated service. Refer to “Specifying the Subscriber Access Methods” on
page 123 to enable Telnet for a subscriber.

Use the dedicated service command to specify a dedicated service for
the subscriber; for example:

Subs_jack >>dedicated service 192.173.56.10

Specifying a Preferred Service
Use the preferred service command to assign a service to which the
subscriber will be connected whenever he/she makes a connect request
without specifying a service; for example:

Subs_jack >>preferred service 178.87.42.19

Telnet must be enabled for the subscriber in order for him or her to run a
preferred service. Refer to “Specifying the Subscriber Access Methods” on
page 123 to enable Telnet for a subscriber.


Enabling Login Menus

A Subscriber Menu is a menu that displays for a subscriber when he/she logs in to the LX unit. In order for a menu to display for a subscriber, you must enable the Login Menu feature and specify a menu for the subscriber. Use the menu enable command to enable the Login Menu feature and to specify a menu that will be displayed for a subscriber when he/she logs in to the LX unit, for example:

Subs_jack >>menu financegroup enable

In the above example, the subscriber jack is enabled for the Login Menu feature, and the menu financegroup is specified for him. The financegroup menu will be displayed for the subscriber jack when he/she logs on to the LX unit.

Enabling Audit Logging

An audit log records all of the port activity for a subscriber. This includes the commands that the subscriber enters as well as the data that is output on the port for the subscriber. To enable audit logging for a subscriber, execute the audit log enable command, for example:

Subs_jack >>audit log enable

To display the contents of the audit log, execute the show audit log command in the Superuser Command Mode. For more information, refer to “Displaying the Audit Log for a Subscriber” on page 138.

Enabling Command Logging

Command logging creates an audit trail of subscriber input in a subscriber session. The audit trail is sent to the accounting log and to syslogd. To enable command logging for a subscriber, execute the command log enable command, for example:

Subs_jack >>command log enable

To display the contents of the command log, execute the show command log command in the Superuser Command Mode. For more information, refer to “Displaying the Command Log for a Subscriber” on page 139.

Displaying Subscriber Information

This section describes how to display subscriber characteristics, subscriber status and TCP information, subscriber summaries, and the audit log and command log for a subscriber.

Displaying Subscriber Characteristics

Use the show subscriber characteristics command, in the Superuser Command Mode, to display subscriber characteristics, for example:

demo:0 >>show subscriber tim characteristics

In the above example, the show subscriber characteristics command is used to display the characteristics for the subscriber tim.

Use the following syntax to display the characteristics for all of the subscribers on the LX unit:

demo:0 >>show subscriber all characteristics

Figure 13 shows an example of the Subscriber Characteristics display.

Subscriber Name: tim
Security: Super
User Prompt: Demo
Preferred Service:
Dedicated Service:
Command Logging: Disabled
User Password: Disabled
Maximum Connections: 50
Maximum Sessions: 4
Session Mode: Normal
Screen Pause: Enabled
Debug Feature: Disabled
Debug File: /tmp/D_demo
Idle Timeout: 0
Session Timeout: 0
Menu Feature: Disabled
Menu Name: /config/M_demo
Forward Switch: ^F
Local Switch: ^L
Backward Switch: ^B
Dialback Feature: Disabled
Dialback Retry: 4
Dialback Number:
Dialback Timeout: 45
Audit Feature: Disabled
Port Access list: 1-8
Remote Access list: Telnet Ssh Web_Server

Figure 13 - Subscriber Characteristics Display

Refer to the show subscriber command in the LX-Series Commands Reference Guide for detailed descriptions of the fields in the Subscriber Characteristics display.

Displaying the Subscriber Status

Use the show subscriber status command, in the Superuser Command Mode, to display the status information for a subscriber, for example:

demo:0 >>show subscriber tim status

In the above command, the show subscriber status command is used to display the status information for the subscriber tim.

Use the following syntax to display the status information for all of the subscribers on the LX unit:

demo:0 >>show subscriber all status

Figure 14 shows an example of the Subscriber Status display.

Time: Fri, 03 Jan 2003 17:44:21
Subs. Name: tim
Number of Connections: 0
Configured TermType: Ansi
Session Mode: Normal

Figure 14 - Subscriber Status Display

Refer to the show subscriber command in the LX-Series Commands Reference Guide for detailed descriptions of the fields in the Subscriber Status display.

Displaying the Subscriber TCP Information

Use the show subscriber tcp command, in the Superuser Command Mode, to display the subscriber TCP information, for example:

demo:0 >>show subscriber tim tcp

In the above command, the show subscriber tcp command is used to display the TCP information for the subscriber tim.

Use the following syntax to display the TCP information for all of the subscribers on the LX unit:

demo:0 >>show subscriber all tcp

Figure 15 shows an example of the Subscriber TCP display.

Time: Fri, 03 Jan 2003 17:46:32
Subscriber Name: mark
Telnet Line Mode: Character Mode
SSH Name: mark
SSH Encryption: Any
SSH Port: 22
SSH Log Level: INFO

Figure 15 - Subscriber TCP Display

Refer to the show subscriber command in the LX-Series Commands Reference Guide for detailed descriptions of the fields in the Subscriber TCP display.

Displaying the Subscriber Summary Information

Use the show subscriber summary command, in the Superuser Command Mode, to display a Subscriber Summary, for example:

demo:0 >>show subscriber summary

Figure 16 shows an example of the Subscriber Summary display.

Name      Connections  Terminal Type
In-Reach  0            Ansi
demo      1            Ansi
jack      0            Ansi

Figure 16 - Subscriber Summary Display

Refer to the show subscriber summary command in the LX-Series Commands Reference Guide for detailed descriptions of the fields in the Subscriber Summary display.

Displaying the Audit Log for a Subscriber

An audit log records all of the port activity for a subscriber. This includes the commands that the subscriber enters as well as the data that is output on the port for the subscriber.

Use the show audit log command, in the Superuser Command Mode, to display the audit log for a subscriber, for example:

demo:0 >>show audit log tim

In the above command, the show audit log command is used to display the audit log for the subscriber tim.

Figure 17 shows an example of the Audit Log.

Nov 18 16:08:32 tim ttyGN0 0 Subs_tim >>end
Nov 18 16:08:50 tim ttyGN0 1 tim:0 >>
Nov 18 16:08:50 tim ttyGN0 2 tim:1 >
Nov 18 16:08:50 tim ttyGN0 3 tim:2 >
Nov 18 16:08:55 tim ttyGN0 3 tim:3 >sho session
Nov 18 16:08:55 tim ttyGN0 3 Number Device Program Pid Time Status
Nov 18 16:08:55 tim ttyGN0 3 0 /dev/pts/0 Superuser 477 98 -
Nov 18 16:08:55 tim ttyGN0 3 1 /dev/pts/3 User 481 5 -
Nov 18 16:08:55 tim ttyGN0 3 2 /dev/pts/4 User 482 5 -
Nov 18 16:08:55 tim ttyGN0 3 3 /dev/pts/5 User 483 5 *

Figure 17 - Audit Log Display

Displaying the Command Log for a Subscriber

A command log is an audit trail of subscriber input in a subscriber session. Use the show command log command, in the Superuser Command Mode, to display the command log for a subscriber, for example:

demo:0 >>show command log tim

In the above command, the show command log command is used to display the command log for the subscriber tim.

Figure 18 shows an example of the Command Log.

Nov 11 12:47:30 tim 0 end
Nov 11 12:47:33 tim 0 sho command log
Nov 11 12:49:21 tim 23 modem
Nov 11 12:49:29 tim 23 end
Nov 11 12:49:39 tim 23 show command log tim

Figure 18 - Command Log Display
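The two displays above are the raw material an operator would forward to a central log collector. The following is an added example, not part of the LX software, that parses lines in the Command Log and Audit Log layouts shown in Figure 17 and Figure 18, separates the subscriber's typed input from the output echoed on the port, and counts commands per subscriber. The sample lines are copied from the two figures; the numeric field that follows the subscriber name in the command log is not defined by this guide and is treated as an opaque identifier (an assumption of this example).

```python
"""Parsers for the LX-Series Command Log and Audit Log line layouts.

Added example, not part of the LX software. Layouts follow the Command
Log and Audit Log displays in this section; the numeric field after the
subscriber name in the command log is kept as an opaque identifier.
"""
import re
from collections import Counter

# Constructed sample, copied from the Command Log display (Figure 18).
COMMAND_LOG = """\
Nov 11 12:47:30 tim 0 end
Nov 11 12:47:33 tim 0 sho command log
Nov 11 12:49:21 tim 23 modem
Nov 11 12:49:29 tim 23 end
Nov 11 12:49:39 tim 23 show command log tim
""".splitlines()

# Constructed sample, copied from the Audit Log display (Figure 17).
AUDIT_LOG = """\
Nov 18 16:08:32 tim ttyGN0 0 Subs_tim >>end
Nov 18 16:08:50 tim ttyGN0 1 tim:0 >>
Nov 18 16:08:50 tim ttyGN0 2 tim:1 >
Nov 18 16:08:50 tim ttyGN0 3 tim:2 >
Nov 18 16:08:55 tim ttyGN0 3 tim:3 >sho session
Nov 18 16:08:55 tim ttyGN0 3 Number Device Program Pid Time Status
Nov 18 16:08:55 tim ttyGN0 3 0 /dev/pts/0 Superuser 477 98 -
Nov 18 16:08:55 tim ttyGN0 3 1 /dev/pts/3 User 481 5 -
Nov 18 16:08:55 tim ttyGN0 3 2 /dev/pts/4 User 482 5 -
Nov 18 16:08:55 tim ttyGN0 3 3 /dev/pts/5 User 483 5 *
""".splitlines()

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
# Command log: timestamp, subscriber, identifier, command text.
CMD_RE = re.compile(TS + r" +(?P<subscriber>\S+) +(?P<ident>\d+) +(?P<command>.*)$")
# Audit log: timestamp, subscriber, tty, session number, rest of line.
AUDIT_RE = re.compile(TS + r" +(?P<subscriber>\S+) +(?P<tty>\S+) +(?P<session>\d+) +(?P<rest>.*)$")
# Subscriber input is recorded behind a CLI prompt ("name:n >" or "name:n >>");
# any other text in the audit log is output written to the port.
PROMPT_RE = re.compile(r"^(?P<prompt>\S+) (?P<arrows>>>?) ?(?P<input>.*)$")


def parse_command_log(lines):
    """One record per well-formed command-log line; others are skipped."""
    records = []
    for line in lines:
        m = CMD_RE.match(line)
        if m:
            records.append({"ts": m["ts"], "subscriber": m["subscriber"],
                            "ident": int(m["ident"]),
                            "command": m["command"].strip()})
    return records


def parse_audit_log(lines):
    """One record per audit-log line, tagged 'input' (typed at a prompt)
    or 'output' (data written to the port)."""
    records = []
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "subscriber": m["subscriber"],
               "tty": m["tty"], "session": int(m["session"])}
        p = PROMPT_RE.match(m["rest"])
        if p:
            rec.update(kind="input", prompt=p["prompt"], text=p["input"].strip())
        else:
            rec.update(kind="output", text=m["rest"])
        records.append(rec)
    return records


def _typed_text(rec):
    """The command text of a record from either parser, or None."""
    if "command" in rec:
        return rec["command"]
    return rec["text"] if rec.get("kind") == "input" else None


def commands_per_subscriber(records):
    """Count non-empty commands per subscriber."""
    return Counter(r["subscriber"] for r in records if _typed_text(r))


def find_commands(records, keywords):
    """(ts, subscriber, command) for commands whose first word is in
    `keywords`, e.g. {'modem'} to review port reconfiguration activity."""
    hits = []
    for r in records:
        text = _typed_text(r)
        if text and text.split()[0] in keywords:
            hits.append((r["ts"], r["subscriber"], text))
    return hits
```

The parser treats an empty prompt line (a subscriber pressing Enter) as input with no command, so it is not counted; a real collector would also add the year and the LX unit's own name, neither of which appears in these displays.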


Chapter 8
Configuring Ports for Temperature/Humidity Sensors

You can configure ports to act as temperature and humidity monitors when connected to an In-Reach Temperature/Humidity Sensor. The Temperature/Humidity Sensor provides an accurate measurement of the temperature and humidity in the area in which your LX Series unit is placed. Refer to Getting Started with the LX Series to connect a Temperature/Humidity Sensor to an LX port.

Configuring Sensor Access for an LX Port

You must configure an LX port’s access as sensor before you can perform any temperature/humidity monitoring on the port. Use the access command, in the Asynchronous Command Mode, to do this, for example:

Async 4-4:0>>access sensor

NOTE: The DIAG port (port 0) cannot be configured as a Sensor port.

Displaying the Temperature and Humidity

Use the show device status command, in the Superuser Command Mode, to display the current temperature and humidity readings on a Sensor port, for example:

InReach:0 >>show device 4 status

In the above example, the temperature and humidity readings of the Sensor attached to port 4 are displayed.

Use the following syntax to display the temperature and humidity readings for all Temperature/Humidity Sensors on the LX unit:

InReach:0 >>show device all status

Figure 19 shows an example of the Device Status display for a Sensor port.

Time: 29 Aug 2002 17:35:17 US/EASTERN
Device Number: 4
Device Type: Sensor
Humidity Level(%): 39.00
Temperature (Celsius): 26.00
Temperature (Fahrenheit): 78.80

Figure 19 - Device Status Display for a Sensor Port

Displaying Sensor Summaries

Use the show device summary command, in the Superuser Command Mode, to display summary information for all of the Temperature/Humidity Sensors that are currently connected to the LX unit, for example:

InReach:0 >>show device summary

Figure 20 shows an example of the Device Summary display.

Device Number  Device Type  Model Name
1              Sensor       N/A

Figure 20 - Device Summary Display for Sensors

NOTE: If any of the ports on the LX unit are configured as Power outlets, the Device Summary Display will display information for the attached Power Management Device (IR-5100 or IR-5150).

Chapter 9
Configuring Power Control Units

The In-Reach Power Control Units (IR-5100 and IR-5150) can be managed remotely from asynchronous ports on an LX unit. The management tasks that can be performed remotely include rebooting Power Control Relays and turning Power Control Relays on and off. (For information on performing these tasks, refer to the outlet command, and the outlet group command in the “Superuser Commands” chapter of the LX-Series Commands Reference Guide.)

NOTE: You can access the on-board CLI of an IR-5150 unit that is connected to a console port. To do this, Telnet to its LX console port, and log on to the IR-5150 unit.

Power Control units are remotely managed from LX asynchronous ports that are configured as Power Masters. This chapter describes how to configure ports as Power Masters, how to configure Power Control units via Power Masters, and how to display information on Power Control units.

Configuring an LX Asynchronous Port as a Power Master

Use the access power model command, in the Asynchronous Command Mode, to configure an LX asynchronous port as a Power Master, for example:

Async 5-5:0>>access power model ir5100

In the above example, port 5 is configured as a Power Master for an IR-5100 unit.

Use the following syntax to configure an asynchronous port as a Power Master for an IR-5150 unit:

Async 5-5:0>>access power model ir5150

When a port has been configured as a Power Master, you can connect a Power Control unit to it. The connection to the Power Master port is made using the RJ-45 crossover cable that is supplied with the Power Control unit. For more information, refer to the Getting Started guide for the Power Control unit. You must power on the Power Control unit before you can configure it from the LX unit.

You can specify a descriptive name for a Power Control Relay or a Power Control Relay group. A descriptive name is a unique text name of up to 15 alphanumeric characters. For more information, refer to “Naming a Power Control Relay” on page 146 and “Naming a Group of Power Control Relays” on page 147.

Default Name for a Power Control Relay

The default name for a Power Control Relay is derived from its Alarm Master and the number of the relay on the Power Control unit. For example, 5:7 is the default name of the 7th Power Control Relay on the Power Control Unit that is managed from Alarm Master port 5.

You must specify the default name, or descriptive name, of a Power Control Relay, in the outlet group command in the Configuration Command Mode. However, you only need to specify the number, or the descriptive name, of the Power Control Relay in the outlet name command in the Asynchronous Command Mode. This is because the LX software “knows” that the Alarm Master is the current asynchronous port. Refer to the LX-Series Commands Reference Guide for more information on the outlet group command and the outlet name command.

Configuring Power Control Units

Power Control Relays can be assigned to a group and managed and configured as a group. The Off Time for Power Control Relays can be specified using the LX CLI. This section describes how to assign Power Control Relays to a group and how to specify the Off Time for Power Control Relays.

Assigning Power Control Relays to a Group

When Power Control Relays are assigned to a group, they can be configured and managed as a group. This can be more efficient than configuring and managing Power Control Relays individually. Use the outlet group command to assign Power Control Relays to a group, for example:

Config:0 >>outlet group 2 2:5 3:7 4:2 4:3 4:5

In the above example, the Power Control Relays 2:5 3:7 4:2 4:3 4:5 are assigned to Group 2.

Specifying the Off Time

The Off Time is the length of time, in seconds, that Power Control Relays must remain off before they can be turned back on. This section describes how to specify the Off Time for a Power Control unit or for a group of Power Control Relays.

Specifying the Off Time for a Group of Power Control Relays

Use the outlet group off time command, in the Configuration Command Mode, to specify the Off Time for a group of Power Control Relays, for example:

Config:0 >>outlet group 14 off time 20

In the above example, the Off Time for Outlet Group 14 is set to 20 seconds.

Specifying the Off Time for a Power Control Unit

Use the power off time command, in the Asynchronous Command Mode, to specify the Off Time for all of the Power Control Relays that are managed from an Alarm Master port, for example:

Async 5-5:0>>power off time 15

In the above example, an Off Time of 15 seconds is specified for all of the Power Control Relays that are managed from asynchronous port 5. (The CLI is in the Asynchronous Command Mode for port 5.)

NOTE: The power off time command can only be executed on a port that is configured as a Master Alarm port and has a Power Control unit attached to it.

Naming a Power Control Relay

You can assign a descriptive name of up to 15 alphanumeric characters to a Power Control Relay. Use the outlet name command, in the Asynchronous Command Mode, to specify a descriptive name for a Power Control Relay, for example:

Async 5-5:0>>outlet 2 name Build5NTserver

In the above example, the descriptive name Build5NTserver is assigned to Power Control Relay 2 on the Power Control unit that is managed from Alarm Master port 5.

NOTE: The Alarm Master number is not specified in the outlet name command (e.g., 5:2) because the Alarm Master port is implied to be the current port in the Asynchronous Command Mode. In the above example, the implied Alarm Master is port 5.

Naming a Group of Power Control Relays

You can assign a descriptive name of up to 15 alphanumeric characters to a group of Power Control Relays. Use the outlet group name command, in the Configuration Command Mode, to specify a descriptive name for a group of Power Control Relays, for example:

Config:0 >>outlet group 14 TestEquipment

In the above example, the descriptive name TestEquipment is assigned to Power Control Relay Group 14.

Displaying Information on Power Control Units

This section describes how to display information on Power Control units and Power Control Relays. The information that can be displayed includes statuses and summaries for Power Control units, and statuses for groups of Power Control Relays.

Displaying Status Information for Power Control Units

Use the show device status command, in the Superuser Command Mode, to display status information for a particular Power Control unit, for example:

InReach:0 >>show device 4 status

In the above example, the status for the Power Control unit on port 4 is displayed.

Use the following syntax to display the status for all of the Power Control units that are managed from the LX unit:

InReach:0 >>show device all status

NOTE: The show device status command displays the status of all Power Control units and Temperature/Humidity sensors that are connected to the LX unit. Refer to Figure 19 on page 142 for the status display for a Temperature/Humidity Sensor port.

Figure 21 shows an example of the Device Status display for an Alarm Master port.

Time: Tue, 17 Sep 2002 20:05:47
Device Number: 4
Device Type: IR5100
Model Name: IR-5100-126
Total Outlet Strip Load: 0.0
Outlet Minimum Off Time: 15

Outlet  Name    State  Load  Assigned Groups
1       plug1   Off    0.0   1 4 13
2       plug2   Off    0.0   1 6 10
3       plug3   Off    0.0   1 7
4       plug4   Off    0.0   1
5       plug5   Off    0.0   2 4
6       plug6   Off    0.0   2
7       plug7   Off    0.0   2
8       plug8   Off    0.0   2
9       plug9   Off    0.0   3 4
10      plug10  Off    0.0   3
11      plug11  Off    0.0   3
12      plug12  Off    0.0   3
13      plug13  Off    0.0   4 5
14      plug14  Off    0.0   4 5
15      plug15  Off    0.0   4 5
16      plug16  Off    0.0   5

Figure 21 - Device Status Display for an Alarm Master Port

Displaying Status Information for Groups of Power Control Relays

Use the show device status command, in the Superuser Command Mode, to display status information for groups of Power Control Relays, for example:

InReach:0 >>show outlet group TestEquipment status

In the above example, the status for the group TestEquipment is displayed.

Use the following syntax to display the status for all groups of Power Control Relays that are managed from the LX unit:

InReach:0 >>show outlet group all status

Figure 22 shows an example of the Device Status display for a Power Control Relay Group.

Time: Mon, 16 Sep 2002 17:55:19
Group Number: 2
Group Name: TestEquipment
Group Off Time: 4

Port  Outlet  State
2     1       Not configured
2     2       Not configured

Figure 22 - Device Status Display for a Power Control Relay Group

Displaying Summary Information for Power Control Units

Use the show device summary command, in the Superuser Command Mode, to display summary information for all of the Power Control units that are currently connected to the LX unit, for example:

InReach:0 >>show device summary

Figure 23 shows an example of the Device Summary display.

Device Number  Device Type  Model Name
4              IR5100       IR-5100-126
5              IR5100       IR-5100-255

Figure 23 - Device Summary Display

NOTE: The show device summary command displays summary information for all Power Control units and Temperature/Humidity sensors that are connected to the LX unit. Refer to Figure 20 on page 142 for the Summary Display for a Temperature/Humidity Sensor port.


Chapter 10
Configuring Packet Filters with the iptables Command

Packet Filters are used to allow certain IP packets to pass, or not pass, through an LX unit. Packet Filters can be applied to IP packets that originate from the LAN side of the LX, or from the LX unit itself. The criteria for accepting, denying, or dropping a packet can include the source IP Address, the destination IP Address, and other characteristics.

On the LX unit (as on all Linux-based systems), Packet Filters are known as chains. A chain consists of a series of rules that specify the criteria for accepting, denying, or dropping a packet. The INPUT chain filters packets coming from the LAN to the LX; the OUTPUT chain filters packets from the LX destined for the LAN.

NOTE: The LX unit also supports the FORWARD chain, which filters packets that are to be forwarded to another network. The FORWARD chain is used primarily in routing environments rather than in console management environments. For this reason, the FORWARD chain is not covered in this chapter.

Adding a Rule to a Chain

Use the iptables command to add a rule to a chain. The iptables command is executed in the Linux shell. To access the Linux shell, execute the shell command in the Superuser Command Mode, for example:

InReach:0 >>shell

When you are in the Linux shell, you can display the chains for the LX unit by executing the iptables command with the -L option, for example:

In-Reach:/# iptables -L

The following sections provide examples of how to create rules using various options of the iptables command. For detailed information on the iptables command, refer to Appendix D (“Details of the iptables Command”) on page 151.

Example: Dropping Packets Based on the Source IP Address

The following iptables command creates a rule that will drop any packets coming to the LX from source address 10.240.10.240:

In-Reach:/# iptables -A INPUT -s 10.240.10.240 -j DROP

The options in the above command are the following:

-A  Specifies that the rule is to be appended to the specified chain (in this case, the INPUT chain). Refer to “Notes on the iptables Command Options” on page 154 for alternatives to the -A option.

-s  Specifies that the rule applies to the specified source IP Address (in this case, 10.240.10.240).

-j  Specifies the action that is to be taken when a packet matching this criteria is received. In this case, the packet is to be dropped. Refer to “Notes on the iptables Command Options” on page 154 for a description of all of the allowable values (i.e., ACCEPT, DENY, or DROP) of the -j option.

Example: Accepting Packets Based on the Destination IP Address

The following iptables command creates a rule that will allow the LX unit to output packets to the destination IP address 123.146.17.129:

In-Reach:/# iptables -A OUTPUT -d 123.146.17.129 -j ACCEPT

The options in the above command are the following:

-A  Specifies that the rule is to be appended to the specified chain (in this case, the OUTPUT chain). Refer to “Notes on the iptables Command Options” on page 154 for alternatives to the -A option.

-d  Specifies that the rule applies to the specified destination IP Address (in this case, 123.146.17.129).

-j  Specifies the action that is to be taken when a packet matching this criteria is received. In this case, the packet is to be accepted. Refer to “Notes on the iptables Command Options” on page 154 for a description of all of the allowable values (i.e., ACCEPT, DENY, or DROP) of the -j option.

Example: Ignoring Telnet Requests from a Specific IP Address

The following iptables command creates a rule that ignores Telnet requests from the IP address 143.114.56.104:

In-Reach:/# iptables -A INPUT -s 143.114.56.104 -p tcp --destination-port telnet -j DROP

The options in the above command are the following:

-A  Specifies that the rule is to be appended to the specified chain (in this case, the INPUT chain). Refer to “Notes on the iptables Command Options” on page 154 for alternatives to the -A option.

-s  Specifies that the rule applies to the specified source IP Address (in this case, 143.114.56.104).

-p  Specifies that the rule applies to a particular protocol (in this case, TCP). Refer to “Notes on the iptables Command Options” on page 154 for a description of the allowable values of the -p option.

--destination-port  Spec...ifies the TCP destination port to which the rule applies. (In this case, the destination port is the Telnet port.)

-j  Specifies the action that is to be taken when a packet matching this criteria is received. In this case, the packet is to be dropped. Refer to “Notes on the iptables Command Options” on page 154 for a description of all of the allowable values (i.e., ACCEPT, DENY, or DROP) of the -j option.

Notes on the iptables Command Options

• Alternatives to the -A Option – You can use the -I option or the -R option, instead of the -A option, to specify how the rule will be added to the chain.

The -I option specifies that the rule will be inserted at a specified location before the end of the chain. In the following example, the -I option specifies that the rule is to be inserted as the 11th rule in the INPUT chain:

iptables -I INPUT 11 -s 10.240.10.240 -j DROP

The rules that follow the new rule will be bumped up by 1.

The -R option specifies that the rule will replace a specific rule in the chain. In the following example, the -R option specifies that the rule is to replace the 8th rule in the OUTPUT chain:

iptables -R OUTPUT 8 -s 89.247.112.93 -j DROP
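Because a chain is evaluated top to bottom and the first matching rule decides, the rule number given to -I or -R changes the result for packets that match more than one rule. The following added example (not part of the LX software or of iptables itself) models the INPUT and OUTPUT chains in memory so that the three rules from the examples above, and any -I or -R change to them, can be checked before they are typed into the LX shell. It assumes a chain policy of ACCEPT when no rule matches, represents packets as plain dicts, and resolves the symbolic port name telnet to TCP port 23. The target that answers the sender is called DENY here, as in this chapter; in current iptables releases the same behaviour is selected with -j REJECT.

```python
"""In-memory model of how an iptables chain evaluates a packet.

Added example, not part of the LX software or of iptables. Models the
INPUT and OUTPUT chains, the -A / -I / -R ways of placing a rule, the
-s, -d, -p and --destination-port criteria and the -j targets named in
this chapter. Assumptions: the chain policy is ACCEPT, packets are dicts
with src, dst, proto and optional dport keys.
"""
from dataclasses import dataclass
from typing import Optional

TELNET_PORT = 23  # "--destination-port telnet" resolves to TCP port 23

# What the sending host observes for each target: DROP and DENY both
# discard the packet, but only DENY answers the source.
SENDER_SEES = {
    "ACCEPT": "packet delivered",
    "DROP": "no reply; the connection attempt times out",
    "DENY": "error returned; the connection is refused at once",
}


@dataclass(frozen=True)
class Rule:
    target: str                  # -j ACCEPT, DROP or DENY
    src: Optional[str] = None    # -s source address
    dst: Optional[str] = None    # -d destination address
    proto: Optional[str] = None  # -p tcp, udp or icmp
    dport: Optional[int] = None  # --destination-port (TCP/UDP only)

    def __post_init__(self):
        if self.target not in SENDER_SEES:
            raise ValueError(f"unknown -j target {self.target!r}")
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            raise ValueError("--destination-port needs -p tcp or -p udp")

    def matches(self, pkt: dict) -> bool:
        return ((self.src is None or pkt.get("src") == self.src)
                and (self.dst is None or pkt.get("dst") == self.dst)
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))

    def command(self, chain: str, mode: str = "-A",
                position: Optional[int] = None) -> str:
        """Render the iptables command line that creates this rule."""
        parts = ["iptables", mode, chain]
        if mode in ("-I", "-R"):
            parts.append(str(position))
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            parts += ["-d", self.dst]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--destination-port", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


class Chain:
    def __init__(self, name: str, policy: str = "ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []

    def append(self, rule: Rule) -> None:                 # iptables -A CHAIN
        self.rules.append(rule)

    def insert(self, position: int, rule: Rule) -> None:  # iptables -I CHAIN N
        # Rule numbers are 1-based; rules at N and after shift down by one.
        if not 1 <= position <= len(self.rules) + 1:
            raise IndexError(f"no position {position} in {self.name}")
        self.rules.insert(position - 1, rule)

    def replace(self, position: int, rule: Rule) -> None:  # iptables -R CHAIN N
        if not 1 <= position <= len(self.rules):
            raise IndexError(f"no rule {position} in {self.name}")
        self.rules[position - 1] = rule

    def evaluate(self, pkt: dict):
        """First matching rule decides: (target, rule number), or
        (policy, None) when the packet reaches the end of the chain."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, number
        return self.policy, None


def chapter_chains():
    """The three rules created by this chapter's examples."""
    inp, out = Chain("INPUT"), Chain("OUTPUT")
    inp.append(Rule("DROP", src="10.240.10.240"))
    inp.append(Rule("DROP", src="143.114.56.104", proto="tcp", dport=TELNET_PORT))
    out.append(Rule("ACCEPT", dst="123.146.17.129"))
    return inp, out
```

Inserting an ACCEPT rule for 10.240.10.240 at position 1 makes the existing DROP for that address unreachable for the traffic the new rule matches, which is exactly the kind of ordering mistake this model surfaces before iptables -L would.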

• Allowable Values of the -j Option – You can specify the following values for the -j option:

ACCEPT – The packet is allowed to pass through the specified chain (i.e., INPUT or OUTPUT).

DENY – The packet is not allowed to pass through the specified chain (i.e., INPUT or OUTPUT). A message indicating that the LX is not accepting connections is sent back to the source IP Address.

DROP – The packet is not allowed to pass through the specified chain (i.e., INPUT or OUTPUT). A message is not sent back to the source IP Address.

• Allowable Values of the -p Option – You can specify TCP, UDP, or ICMP as the value of the -p option.

Saving Changes in Rules

The configuration is kept in the file /config/iptables.conf. This file is generated by the utility iptables-save upon reading the filter tables located in the Kernel. The configuration is dynamically applied when an iptables command is entered. To make this configuration persistent through the reboot, it is necessary to save the configuration to the flash or the network from the Superuser command line. The command iptables-save creates the new configuration file in /config/iptables.conf.

Do the following to save the iptables configuration:

1. Execute the shell command, in the Superuser Command Mode, to access the Linux shell, for example:

InReach:0 >>shell

2. Verify the Iptables configuration with the iptables -L command, for example:

In-Reach:/# iptables -L

3. Save the Iptables changes to the /config/iptables.conf file, for example:

In-Reach:/# iptables-save -f /config/iptables.conf

4. Execute the exit command to return to the Superuser Command Mode, for example:

In-Reach:/# exit

5. Execute the save configuration command, in the Superuser Command Mode, to save the iptables.conf file to flash or the network, for example:

InReach:0 >>save configuration flash

NOTE: You can use the network option of the save configuration command to save the configuration to a network server. For more information, refer to the save configuration command in the LX-Series Commands Reference Guide.

Appendix A
Overview of RADIUS Authentication

RADIUS authentication occurs through a series of communications between the LX unit and the RADIUS server. Once RADIUS has authenticated a user, the LX unit provides that user with access to the appropriate network services. The RADIUS server maintains a database that contains user authentication and network service access information.

The following example describes the steps in the RADIUS authentication process. In this example, the user attempts to gain access to an LX asynchronous port.

1. The LX unit prompts the user for a username and password.

2. The LX unit takes the username and password and creates an access-request packet identifying the LX unit making the request, the username and password, and the port being used.

NOTE: The user password is encrypted to prevent it from being intercepted and reused by an unwanted user. This is done by generating a random vector and placing it in the request header. A copy of the random vector is MD5 encoded using the configured secret. The user’s password is then encrypted by XORing it with the encoded copy of the random vector.

3. The LX unit then sends the access-request packet to the designated RADIUS server for authentication.

4. The username and password are authenticated by the RADIUS server. The RADIUS server validates the request and then decrypts the password.

5. Upon successful authentication, the RADIUS server sends an access-accept packet containing any specific configuration information associated with that user.

6. The LX unit then grants the user the services requested.

If at any point in the authentication process conditions are not met, the RADIUS server sends an authentication rejection to the LX unit and the user is denied access to the network.

Figure 24 shows an example of the RADIUS authentication process.

[Figure 24 - RADIUS Authentication Process: User attempts to gain access; LX unit sends access-request packet for authentication; Radius Server Host authenticates the user; Access-accept returned to LX unit; Access to desired services is granted.]
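The password handling in step 2 above is the standard RADIUS User-Password hiding. The following added example (not MRV's code) implements it as the protocol specification defines it (RFC 2865, section 5.2): the random vector placed in the request header is the 16-byte Request Authenticator, MD5(shared secret + authenticator) is XORed with the null-padded password, and, going beyond the single block the appendix describes, each further 16-byte block of a long password is keyed by the previous ciphertext block. The shared secret and authenticator in the test are constructed sample values.

```python
"""RADIUS User-Password hiding (RFC 2865, section 5.2).

Added example, not MRV's code. The "random vector" of the appendix is
the 16-byte Request Authenticator (RA) carried in the Access-Request
header; S is the shared secret configured on the LX unit and the server.
"""
import hashlib
import os

BLOCK = 16
USER_PASSWORD = 2  # attribute type number of User-Password (Table 9)


def keystream_block(secret: bytes, prev: bytes) -> bytes:
    """b(1) = MD5(S + RA); b(n) = MD5(S + c(n-1)) for later blocks."""
    return hashlib.md5(secret + prev).digest()


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Return the hidden password as carried in the Access-Request."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)  # pad with nulls
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        key = keystream_block(secret, prev)
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        hidden += chunk
        prev = chunk  # the ciphertext block keys the next block
    return bytes(hidden)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """What the server does in step 4: recover the password."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        chunk = hidden[i:i + BLOCK]
        key = keystream_block(secret, prev)
        clear += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return bytes(clear).rstrip(b"\x00")  # strip the null padding


def user_password_attribute(secret: bytes, authenticator: bytes,
                            password: bytes) -> bytes:
    """Type-Length-Value encoding of attribute 2 for the Access-Request."""
    hidden = hide_password(secret, authenticator, password)
    return bytes([USER_PASSWORD, len(hidden) + 2]) + hidden


def new_request_authenticator() -> bytes:
    """The random vector: it must be unpredictable and unique per request."""
    return os.urandom(BLOCK)
```

Only the password attribute is hidden; the username, port and the rest of the Access-Request travel in the clear, and the strength of the hiding rests entirely on the shared secret and on never reusing an authenticator. That is why RADIUS traffic is commonly carried over IPsec or TLS (RadSec, RFC 6614) on management networks.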

The LX implementation of RADIUS supports the use of RADIUS secondary servers. The RADIUS secondary server is used when the RADIUS primary server cannot be accessed.

RADIUS allows most authentication and configuration attributes to be logged.

NOTE: Some attributes appear in start records, but the majority of attributes appear in stop records (a few also appear in acct-on and acct-off records).

RADIUS Authentication Attributes

Table 9 lists the RADIUS Authentication Attributes that are supported on the LX unit.

Table 9 - Supported RADIUS Authentication Attributes

Attribute  Name           Description
01         User-Name      Name of the user to authenticate.
02         User-Password  The password for the user to authenticate.
03         CHAP-Password  Indicates the CHAP challenge value found in the CHAP-Challenge attribute.
06         Service-Type   Type of service allowed for the connection. The supported types are the following:

           NAS-Prompt         Allows local port access for interactive sessions, Interface virtual port access and access using the GUI. In each case, user is prohibited from accessing the Superuser Command Mode.

           Authenticate-Only  Allows local port access for interactive sessions. The user is prohibited from accessing the Superuser Command Mode. This Service Type is allowed for local port access, Interface virtual port access and access using the GUI. In each case, user is prohibited from accessing the Superuser Command Mode.

           No-Service-Type    Allows local port access for interactive sessions. This is true for local port access; the user is prohibited from Superuser access.

           Administrative-User  Allows local port access for interactive sessions, Interface virtual port access and access using the GUI. This is true for local port access. The user is allowed access to Superuser and Configuration Command Modes.

           Framed             Allows local port access for a Dial-in PPP user.

           Outbound-User      Allows only remote port access.

           NOTE: All remote access ports on the LX require a Service Type of Outbound-User. If the asynchronous remote-accessed port is configured for outbound RADIUS authentication, the LX requires the user's service-type to be Outbound-User, otherwise the user’s access is rejected.

07         Framed-Protocol     Used with a framed service type. Indicates the type of framed access (e.g., PPP).
08         Framed-IP-Address   The address to be configured for the user.
09         Framed-IP-Netmask   The IP Netmask to be configured for the user when the user is a router to the network.
13         Framed-Compression  The compression protocol for the circuit.
24         State               (challenge/response) Sent by the server to the client in an Access-Challenge, and must be sent unmodified from the client to the server in any Access-Request reply.
60         CHAP-Challenge

Appendix B
Overview of RADIUS and TACACS+ Accounting

RADIUS Accounting, and TACACS+ Accounting, are client/server account logging schemes that allow you to log user account information to a remote server in a per-client file. The file or record can contain information such as the user who logged in, the duration of the session, port number, Client IP address, and the number of bytes/packets that were processed by the LX unit.

The use of RADIUS Accounting, or TACACS+ Accounting, solves the problems associated with local storage of large numbers of records. It also provides a method for billing customers for account usage.

NOTE: RADIUS Accounting is a developing standard that is vendor extensible by design, including a provision for vendor-specific extensions. This allows for greater expandability of accounting information in the future.

The following section describes RADIUS Accounting. Refer to “TACACS+ Accounting Client Operation” on page 163 for information about TACACS+ Accounting.

RADIUS Accounting Client Operation

If a user is validated under RADIUS, an accounting request (a start request) is sent to the RADIUS accounting server. As a result of the start request, a start record containing the following is created for each user session:

• User-name
• NAS-Identifier
• NAS-IP-Address
• NAS-Port

• NAS-Port-Type
• Acct-Status-Type
• Acct-Session-ID
• Acct-Input-Octets
• Acct-Output-Octets
• Acct-Input-Packets (PPP)
• Acct-Output-Packets (PPP)

The majority of the accounting record information appears in the stop record. The stop record is created when the port is logged out, provided that a matching start record was previously sent. The information in the stop record includes everything in the start record, and additional information, such as session time and bytes/packets transferred.

There are two special records that are logged for RADIUS Accounting.

• Accounting-on – This record is logged when the LX unit is first booted.
• Accounting-off – This record is logged, if possible, when the LX unit is shut down.

These records only contain the NAS-IP-Address. Since these accounting requests only relate to the LX unit using the protocol and not to accounting on a specific port, they are only attempted if the RADIUS protocol is enabled.

RADIUS Accounting Attributes

Table 10 lists the RADIUS Accounting Attributes that are supported on the LX unit.

Table 10 - Supported RADIUS Accounting Attributes

Attribute  Name            Description
01         User-Name       Name of the user to authenticate.
04         NAS-IP-Address  IP address associated with the LX unit.

05         NAS-Port             Port or circuit number associated with the request.
32         NAS-Identifier       The ID that identifies the LX unit to the RADIUS server.
40         Acct-Status-Type     Indicates whether the session has started or stopped. The valid values are: 1 - Start, 2 - Stop.
42         Acct-Input-Octets    A count of the input octets for the session.
43         Acct-Output-Octets   A count of the output octets for the session.
44         Acct-Session-ID      Session Identifier for the user login.
47         Acct-Input-Packets   A count of the input packets for a PPP session.
48         Acct-Output-Packets  A count of the output packets for a PPP session.
61         NAS-Port-Type        The type of port being used. The valid values are: 0 - Asynchronous.

TACACS+ Accounting Client Operation

If a user is validated under TACACS+, an accounting request (a start request) is sent to the TACACS+ accounting server. As a result of the start request, a start record containing the following is created for each user session:

• Start-time
• Bytes
• Bytes-in
• Bytes-out
• Paks (for PPP connections)
• Paks-in (for PPP connections)
• Paks-out (for PPP connections)

Depending on the Accounting Period Interval, an accounting update request will be sent which will contain the same fields with the newer information.

The majority of the accounting record information appears in the stop record. The stop record is created when the port is logged out, provided that a matching start record was previously sent. The information in the stop record includes everything in the start record, and the following:

• Stop-time
• Elapsed-time

TACACS+ Accounting Attributes

Table 11 lists the TACACS+ Accounting Attributes that are supported on the LX unit.

Table 11 - Supported TACACS+ Accounting Attributes

Attribute Name  Description
Service         Either "ppp" for PPP connection, otherwise equals "shell"
Protocol        Equals "ip" in PPP connections only
Task_id         Each set of start, update, and stop entries should have unique IDs.
Start_time      Time (in seconds since epoch) that the accounting started
Stop_time       Time (in seconds since epoch) that the accounting stopped
Elapsed_time    The number of seconds the user was logged on for
Bytes           The total number of bytes transferred
Bytes_in        The number of bytes received
Bytes_out       The number of bytes transmitted

Overview of RADIUS and TACACS+ Accounting Paks The total number of packets transferred (for PPP connections) Paks_in The number of packets received (for PPP connections) Paks_out The number of packets transmitted (for PPP connections) 451-0311B 165 .


Appendix C

Overview of TACACS+ Authentication

TACACS+ authentication occurs through a series of communications between the LX unit and the TACACS+ server. Once TACACS+ has authenticated a user, the LX unit provides that user with access to the appropriate network services. The TACACS+ server maintains a database that contains user authentication and network service access information.

The protocol is split up into 3 distinct categories: Authentication, Authorization, and Accounting. Authentication is the process of determining who the user is. Usually a user is required to enter a user name and password to be granted access. Authorization is the process of determining what the user is able to do. Accounting records what the user has done and generally occurs after authentication and authorization.

TACACS+ uses the Transport Control Protocol (TCP) on port 49 to ensure reliable transfer. The entire body of the packet is encrypted using a series of 16 byte MD5 hashes.

The TACACS+ superuser request attribute is used to indicate which database to authenticate the superuser password against after a user is logged in. When a user types the enable command, and the TACACS+ superuser request is enabled, the enable password will be authenticated against the TACACS+ server database; otherwise it is checked against the LX database "system". The TACACS+ superuser request attribute is independent from the TACACS+ login. The profile in the TACACS+ server should have a service of exec and a priv-lvl of 15 in order to access Superuser privileges; otherwise the user will only be able to be in user mode.
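The "series of 16 byte MD5 hashes" mentioned above is the body obfuscation defined by the TACACS+ specification (RFC 8907, section 4.5): chained MD5 digests of the cleartext header fields plus the shared secret form a pseudo-pad that is XORed with the body. The following is an added worked example of that scheme, not MRV's or the LX unit's own code; the session ID, shared secret and START body it uses are constructed.

```python
"""TACACS+ packet-body obfuscation: an added example, not MRV's or the LX
unit's own code.  All session values below are constructed."""
import hashlib
import struct

# Constructed example parameters (not taken from the guide).
SESSION_ID = 0x1A2B3C4D          # 32-bit session_id from the packet header
SHARED_SECRET = b"constructed-shared-secret"
VERSION = 0xC0                   # major version 0xC, minor version 0
SEQ_NO = 1                       # first packet of the session is the START


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chain of 16-byte MD5 digests, truncated to the body length (RFC 8907 4.5):
    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)
    session_id is sent in network byte order; version and seq_no are one byte each."""
    seed = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad.  XOR is its own inverse, so the same
    function decodes a received body.  Nothing here detects modification: the
    shared secret and the protection of the TCP port 49 link are the whole defence."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr=b"", data=b""):
    """Constructed authentication START body (RFC 8907 5.1 layout):
    action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1),
    four length bytes, then the variable-length user, port, rem_addr, data."""
    fixed = struct.pack("!BBBBBBBB", 1, 1, 1, 1,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def demo():
    """Encode a START body for the constructed user, decode it with the right
    and with a wrong secret, and report what the receiver would see."""
    body = authen_start_body(b"alice", b"async1")
    wire = obfuscate(body, SESSION_ID, SHARED_SECRET, VERSION, SEQ_NO)
    # The server rebuilds the same pad from the cleartext header and its copy
    # of the shared secret.
    decoded = obfuscate(wire, SESSION_ID, SHARED_SECRET, VERSION, SEQ_NO)
    # A server configured with a different secret derives a different pad and
    # decodes garbage: a secret mismatch is a common cause of TACACS+ login failures.
    wrong = obfuscate(wire, SESSION_ID, b"other-secret", VERSION, SEQ_NO)
    return {
        "body_len": len(body),
        "roundtrip_ok": decoded == body,
        "wrong_secret_ok": wrong == body,
        "wire_differs": wire != body,
    }


if __name__ == "__main__":
    print(demo())
```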

Example of TACACS+ Authentication

The following example describes the steps in the TACACS+ authentication process. In this example, the user attempts to gain access to an LX asynchronous port.

1. The LX unit prompts the user for a username and password.
2. The username is sent to the TACACS+ server in an authentication start packet.
3. The server responds with an authentication reply packet, which will either allow the user access or require a password.
4. If a password is required, the user is prompted for one and the LX sends it to the server in an authentication continue packet.
5. The server responds with a packet that contains an authentication status pass or an authentication status fail.
6. If the request is successful, the user will be allowed to log in; otherwise the user will have two more chances to receive an authentication status pass back from the server.
7. The LX unit then grants the user the services requested.

TACACS+ Authentication Attributes

Table 12 lists the TACACS+ Authentication Attributes that are supported on the LX unit.

Table 12 - Supported TACACS+ Authentication Attributes

Attribute  Name           Description
01         User-Name      Name of the user to authenticate.
02         User-Password  The password for the user to authenticate.

TACACS+ Authentication Process

The LX implementation of TACACS+ supports the use of TACACS+ secondary servers. The TACACS+ secondary server is used when the TACACS+ primary server cannot be accessed. If at any point in the authentication process conditions are not met, the TACACS+ server denies access to the network. Figure 25 shows an example of the TACACS+ authentication process.

Figure 25 - TACACS+ Authentication Process
[Figure: User attempts to gain access; LX unit initiates the authentication process; TACACS+ Server authenticates the user; Access to desired services is granted.]


Appendix D

Details of the iptables Command

This appendix contains the Linux man pages for the iptables command, which is introduced in “Configuring Packet Filters with the iptables Command” on page 151. Refer to the man pages in this appendix for detailed information on the iptables command.

iptables man Pages

IPTABLES(8)

NAME
       iptables - IP packet filter administration

SYNOPSIS
       iptables -[ADC] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -P chain target [options]
       iptables -E old-chain-name new-chain-name

DESCRIPTION
       Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

       Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

TARGETS
       A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace (if supported by the kernel). RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

TABLES
       There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).

       -t, --table
              This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there. The tables are as follows:

              filter This is the default table. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

              nat    This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

              mangle This table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing).

OPTIONS
       The options that are recognized by iptables can be divided into several different groups.

COMMANDS
       These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, you need to use only enough letters to ensure that iptables can differentiate it from all other options.

       -A, --append
              Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

       -D, --delete
              Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

       -R, --replace
              Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.

       -I, --insert
              Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

       -L, --list
              List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given.

       -F, --flush
              Flush the selected chain. This is equivalent to deleting all the rules one by one.

       -Z, --zero
              Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.)

       -N, --new-chain
              Create a new user-defined chain by the given name. There must be no target of that name already.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it will attempt to delete every non-builtin chain in the table.

       -P, --policy
              Set the policy for the chain to the given target. See the section TARGETS for the legal targets.

              Only non-user-defined chains can have policies, and neither built-in nor user-defined chains can be policy targets.

       -E, --rename-chain
              Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.

       -h     Help. Give a (currently very brief) description of the command syntax.

PARAMETERS
       The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).

       -p, --protocol [!] protocol
              The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.

       -s, --source [!] address[/mask]
              Source specification. Address can be either a hostname, a network name, or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is a convenient alias for this option.

       -d, --destination [!] address[/mask]
              Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.

       -j, --jump target
              This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

       -i, --in-interface [!] [name]
              Optional name of an interface via which a packet is received (for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match with any interface name.

       -o, --out-interface [!] [name]
              Optional name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match with any interface name.

       [!] -f, --fragment
              This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag, the rule will only match head fragments, or unfragmented packets.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations).

OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output. This option makes the list command show the interface address, the rule options (if any), and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.

       -n, --numeric
              Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).

       -x, --exact
              Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000), M's (multiples of 1000K) or G's (multiples of 1000M). This option is only relevant for the -L command.

       --line-numbers
              When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.

       --modprobe=<command>
              When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc).

MATCH EXTENSIONS
       iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.

       The following are included in the base package, and most of these can be preceded by a ! to invert the sense of the match.

       tcp    These extensions are loaded if `--protocol tcp' is specified. It provides the following options:

              --source-port [!] [port[:port]]
                     Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the second port is greater than the first they will be swapped. The flag --sport is an alias for this option.

              --destination-port [!] [port[:port]]
                     Destination port or port range specification. The flag --dport is an alias for this option.

              --tcp-flags [!] mask comp
                     Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.

              [!] --syn
                     Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes the "--syn", the sense of the option is inverted.

              --tcp-option [!] number
                     Match if TCP option set.

       udp    These extensions are loaded if `--protocol udp' is specified. It provides the following options:

              --source-port [!] [port[:port]]
                     Source port or port range specification. See the description of the --source-port option of the TCP extension for details.
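The mask/comp semantics of --tcp-flags, and why --syn is defined as --tcp-flags SYN,RST,ACK SYN, are easy to misread: only the bits named in the mask are examined, and bits outside it are ignored. The following is an added example (not from the iptables sources or this guide) that parses the man page's flag lists and evaluates both forms against constructed flag bytes, including the ALL/NONE special names and the "!" inversion.

```python
"""The --tcp-flags mask/comp test and its --syn shorthand, as an added
example (not from the iptables sources).  Flag values are the TCP header
bits; the packets evaluated in demo() are constructed flag bytes."""

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F  # every flag the man page lists


def parse_flags(spec):
    """Turn a comma-separated list such as 'SYN,ACK,FIN,RST' into a bitmask.
    ALL and NONE are the man page's two special names."""
    bits = 0
    for name in spec.upper().split(","):
        if name == "ALL":
            bits |= ALL_FLAGS
        elif name == "NONE":
            continue
        elif name in TCP_FLAGS:
            bits |= TCP_FLAGS[name]
        else:
            raise ValueError("unknown TCP flag: " + name)
    return bits


def tcp_flags_match(packet_flags, mask, comp, invert=False):
    """--tcp-flags [!] mask comp: examine only the bits in mask and require
    exactly the bits in comp to be set among them.  A comp bit outside the
    mask can never match, and bits outside the mask never disqualify a packet."""
    m, c = parse_flags(mask), parse_flags(comp)
    matched = (packet_flags & m) == c
    return matched != invert


def syn_match(packet_flags, invert=False):
    """[!] --syn is defined by the man page as --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK", "SYN", invert)


def demo():
    """Evaluate the man page's example rule, --syn, and an ALL/NONE rule
    against four constructed packets.  The SYN+FIN case shows the difference
    between the two forms: --syn does not examine FIN, the example rule does."""
    syn, ack, fin = TCP_FLAGS["SYN"], TCP_FLAGS["ACK"], TCP_FLAGS["FIN"]
    packets = {
        "connection request (SYN)": syn,
        "handshake reply (SYN,ACK)": syn | ack,
        "SYN with FIN (never legitimate)": syn | fin,
        "no flags set (never legitimate)": 0,
    }
    return {
        name: {
            "tcp-flags SYN,ACK,FIN,RST SYN": tcp_flags_match(f, "SYN,ACK,FIN,RST", "SYN"),
            "syn": syn_match(f),
            "tcp-flags ALL NONE": tcp_flags_match(f, "ALL", "NONE"),
        }
        for name, f in packets.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```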

              --destination-port [!] [port[:port]]
                     Destination port or port range specification. See the description of the --destination-port option of the TCP extension for details.

       icmp   This extension is loaded if `--protocol icmp' is specified. It provides the following option:

              --icmp-type [!] typename
                     This allows specification of the ICMP type, which can be a numeric ICMP type, or one of the ICMP type names shown by the command
                            iptables -p icmp -h

       mac

              --mac-source [!] address
                     Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets entering the PREROUTING, FORWARD or INPUT chains for packets coming from an ethernet device.

       limit  This module matches at a limited rate using a token bucket filter: it can be used in combination with the LOG target to give limited logging. A rule using this extension will match until this limit is reached (unless the `!' flag is used).

              --limit rate
                     Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

              --limit-burst number
                     The maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
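The token bucket behind the limit module is worth seeing with numbers, because it decides how many LOG lines a burst of traffic can produce before rate limiting takes over. The following is an added example (not the netfilter implementation and not from this guide): it parses the man page's rate syntax, models the bucket with the defaults 3/hour and burst 5, and replays constructed packet arrival times through it.

```python
"""The limit match's token bucket, as an added example (not the netfilter
implementation).  Rates use the man page's '<number>/<unit>' syntax and the
arrival times fed to simulate() are constructed seconds."""
from fractions import Fraction

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """'3/hour' -> 3/3600 matches per second; a bare number means per second.
    Fractions keep the refill arithmetic exact instead of drifting in floats."""
    number, _, unit = spec.partition("/")
    return Fraction(int(number), UNIT_SECONDS[unit or "second"])


class LimitMatch:
    """One rule's bucket: it starts full at --limit-burst tokens, refills at
    the --limit rate, never holds more than burst, and each match spends one."""

    def __init__(self, rate="3/hour", burst=5):  # the man page's defaults
        self.rate = parse_rate(rate)
        self.burst = Fraction(burst)
        self.tokens = self.burst
        self.last_seen = None

    def matches(self, now):
        """Return True if a packet arriving at time 'now' (seconds) matches."""
        now = Fraction(now)
        if self.last_seen is not None:
            refill = (now - self.last_seen) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_seen = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(timestamps, rate="3/hour", burst=5, invert=False):
    """Evaluate '-m limit [!] --limit RATE --limit-burst N' over packet arrival
    times.  invert=True is the '!' form, which matches the excess instead."""
    bucket = LimitMatch(rate, burst)
    return [bucket.matches(t) != invert for t in timestamps]


def demo():
    """Six packets at once, then one packet 20 and 40 minutes later, against
    the defaults: five are logged immediately, the sixth is suppressed, and
    one more is logged each time a third of an hour (one token) has refilled."""
    arrivals = [0, 0, 0, 0, 0, 0, 1200, 1200, 2400]
    return {
        "log rule (-m limit -j LOG)": simulate(arrivals),
        "excess rule (-m limit ! --limit)": simulate(arrivals, invert=True),
    }


if __name__ == "__main__":
    for rule, decisions in demo().items():
        print(rule, decisions)
```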

       multiport
              This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

              --source-port [port[,port]]
                     Match if the source port is one of the given ports.

              --destination-port [port[,port]]
                     Match if the destination port is one of the given ports.

              --port [port[,port]]
                     Match if both the source and destination ports are equal to each other and to one of the given ports.

       mark   This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

              --mark value[/mask]
                     Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mark before the comparison).

       owner  This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner, and hence never match.

              --uid-owner userid
                     Matches if the packet was created by a process with the given effective user id.

              --gid-owner groupid
                     Matches if the packet was created by a process with the given effective group id.

              --pid-owner processid
                     Matches if the packet was created by a process with the given process id.

              --sid-owner sessionid
                     Matches if the packet was created by a process in the given session group.

       state  This module, when combined with connection tracking, allows access to the connection tracking state for this packet.

              --state state
                     Where state is a comma separated list of the connection states to match. Possible states are INVALID meaning that the packet is associated with no known connection, ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

       unclean
              This module takes no options, but attempts to match packets which seem malformed or unusual. This is regarded as experimental.

       tos    This module matches the 8 bits of Type of Service field in the IP header (i.e. including the precedence bits).

              --tos tos
                     The argument is either a standard name (use iptables -m tos -h to see the list), or a numeric value to match.

TARGET EXTENSIONS
       iptables can use extended target modules: the following are included in the standard distribution.

       LOG    Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with dmesg or syslogd(8)).

              --log-level level
                     Level of logging (numeric or see syslog.conf(5)).

              --log-prefix prefix
                     Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.

              --log-tcp-sequence
                     Log TCP sequence numbers. This is a security risk if the log is readable by users.

              --log-tcp-options
                     Log options from the TCP packet header.

              --log-ip-options
                     Log options from the IP packet header.

       MARK   This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.

              --set-mark mark

       REJECT This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains. Several options control the nature of the error packet returned:

              --reject-with type
                     The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking ident probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise).

       TOS    This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.

              --set-tos tos
                     You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.

       MIRROR This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and PREROUTING chains, and user-defined chains which are only called from those chains. Note that the outgoing packets are NOT seen by any packet filtering chains, connection tracking or NAT, to avoid loops and other problems.

       SNAT   This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:

              --to-source <ipaddr>[-<ipaddr>][:port-port]
                     which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.

       DNAT   This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:

              --to-destination <ipaddr>[-<ipaddr>][:port-port]
                     which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then the destination port will never be modified.

       MASQUERADE
              This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:

              --to-ports <port>[-<port>]
                     This specifies a range of source ports to use, overriding the default SNAT source port-selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp.

       REDIRECT
              This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally-generated packets are mapped to the 127.0.0.1 address). It takes one option:

              --to-ports <port>[-<port>]
                     This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.

EXTRA EXTENSIONS
       The following extensions are not included by default in the standard distribution.

       ttl    This module matches the time to live field in the IP header.

              --ttl ttl
                     Matches the given TTL value.

       TTL    This target is used to modify the time to live field in the IP header. It is only valid in the mangle table.

              --ttl-set ttl
                     Set the TTL to the given value.

              --ttl-dec ttl
                     Decrement the TTL by the given value.

              --ttl-inc ttl
                     Increment the TTL by the given value.

       ULOG   This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a netlink socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets.

              --ulog-nlgroup <nlgroup>
                     This specifies the netlink group (1-32) to which the packet is sent. Default value is 1.

              --ulog-prefix <prefix>
                     Prefix log messages with the specified prefix; up to 32 characters long, and useful for distinguishing messages in the logs.

              --ulog-cprange <size>
                     Number of bytes to be copied to userspace. A value of 0 always copies the entire packet, regardless of its size. Default is 0.

              --ulog-qthreshold <size>
                     Number of packets to queue inside the kernel. Setting this value to, e.g., 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility).

DIAGNOSTICS
       Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

BUGS
       Check is not implemented (yet).

COMPATIBILITY WITH IPCHAINS
       This iptables is very similar to ipchains by Rusty Russell. The main difference is that the chains INPUT and OUTPUT are only traversed for packets coming into the local host and originating from the local host respectively. Hence every packet only passes through one of the three chains; previously a forwarded packet would pass through all three.

       The other main difference is that -i refers to the input interface; -o refers to the output interface, and both are available for packets entering the FORWARD chain.

       iptables is a pure packet filter when using the default `filter' table, with optional extension modules. This should simplify much of the previous confusion over the combination of IP masquerading and packet filtering seen previously. So the following options are handled differently:
              -j MASQ
              -M -S
              -M -L
       There are several other changes in iptables.

SEE ALSO
       The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals.

AUTHORS
       Rusty Russell wrote iptables, in early consultation with Michael Neuling.

       Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet selection framework in iptables, then wrote the mangle table, the owner match, the mark stuff, and ran around doing cool stuff everywhere.

       James Morris wrote the TOS target, and tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       Harald Welte wrote the ULOG target, TTL match+target and libipulog.

       The Netfilter Core Team is: Marc Boucher, James Morris, Harald Welte and Rusty Russell.

Appendix 3

IPTABLES-SAVE(8)

NAME
       iptables-save - Save IP Tables

SYNOPSIS
       iptables-save [-c] [-t table]

DESCRIPTION
       iptables-save is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.

       -c, --counters
              include the current values of all packet and byte counters in the output

       -t, --table tablename
              restrict output to only one table. If not specified, output includes all available tables.

BUGS
       None known as of iptables-1.2.1 release

AUTHOR
       Harald Welte <laforge@gnumonks.org>

SEE ALSO
       iptables-restore(8), iptables(8)

       The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals.

Appendix 4

IPTABLES-RESTORE(8)

NAME
       iptables-restore - Restore IP Tables

SYNOPSIS
       iptables-restore [-c] [-n]

DESCRIPTION
       iptables-restore is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file.

       -c, --counters
              restore the values of all packet and byte counters

       -n, --noflush
              don't flush the previous contents of the table. If not specified, iptables-restore flushes (deletes) all previous contents of the respective IP Table.

BUGS
None known as of iptables-1.2.1 release

AUTHOR
Harald Welte <laforge@gnumonks.org>

SEE ALSO
iptables-restore(8), iptables(8)

The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals.
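The man pages above describe the iptables-save output as "easily parseable" and note that the -c option adds packet and byte counters, and the COMPATIBILITY WITH IPCHAINS section explains that a packet on the local host traverses exactly one of the built-in INPUT, FORWARD and OUTPUT chains. The following Python parser is an added example written for this guide; it is not code from the LX product or from the iptables project. It reads a dump in the iptables-save format (the sample dump is constructed, not captured from a unit), recovers each table's chains, default policies and rules, detects whether counters were included, and reports which built-in filter chains default to ACCEPT, which is the check an administrator would run before loading a saved ruleset with iptables-restore.

```python
"""Added example: parse the iptables-save(8) dump format and audit default
policies.  Illustrative code, not part of the LX guide or of iptables; the
dump below is constructed, not captured from a real unit."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ":CHAIN POLICY [packets:bytes]" -- policy is "-" for user-defined chains
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
# "[packets:bytes] -A CHAIN rule-spec" -- the counter prefix is present only
# when the dump was taken with "iptables-save -c"
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?-A\s+(\S+)\s+(.*)$")

BUILTIN_FILTER_CHAINS = ("INPUT", "FORWARD", "OUTPUT")


@dataclass
class Rule:
    spec: str
    packets: Optional[int] = None   # None when the dump had no counters
    bytes: Optional[int] = None


@dataclass
class Chain:
    name: str
    policy: str
    packets: int
    bytes: int
    rules: List[Rule] = field(default_factory=list)


def parse_iptables_save(text: str) -> Dict[str, Dict[str, Chain]]:
    """Return {table: {chain: Chain}} for a dump in iptables-save format."""
    tables: Dict[str, Dict[str, Chain]] = {}
    current: Optional[Dict[str, Chain]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # timestamps and comments
        if line.startswith("*"):              # "*filter", "*nat", ...
            current = tables.setdefault(line[1:], {})
            continue
        if line == "COMMIT":                  # end of the table block
            current = None
            continue
        if current is None:
            raise ValueError(f"line outside a table block: {raw!r}")
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pk, by = m.groups()
            current[name] = Chain(name, policy, int(pk), int(by))
            continue
        m = RULE_RE.match(line)
        if m:
            pk, by, chain, spec = m.groups()
            if chain not in current:
                raise ValueError(f"rule for undeclared chain {chain!r}: {raw!r}")
            current[chain].rules.append(
                Rule(spec, int(pk) if pk else None, int(by) if by else None))
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    if current is not None:
        raise ValueError("dump ended without COMMIT")
    return tables


def dump_has_counters(tables: Dict[str, Dict[str, Chain]]) -> bool:
    """True when every rule carries a [packets:bytes] prefix (dump taken with -c)."""
    rules = [r for chains in tables.values() for c in chains.values() for r in c.rules]
    return bool(rules) and all(r.packets is not None for r in rules)


def open_builtin_chains(tables: Dict[str, Dict[str, Chain]]) -> List[str]:
    """Built-in filter chains whose default policy is ACCEPT (fail-open)."""
    filt = tables.get("filter", {})
    return [n for n in BUILTIN_FILTER_CHAINS if n in filt and filt[n].policy == "ACCEPT"]


# Constructed sample dump, as "iptables-save -c" would write it.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.2.1 on Thu Jan  1 00:00:00 2004
*filter
:INPUT DROP [12:3456]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [200:12345]
:mgmt - [0:0]
[10:800] -A INPUT -i lo -j ACCEPT
[2:2656] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[0:0] -A INPUT -p tcp --dport 22 -j mgmt
[0:0] -A mgmt -s 192.0.2.0/24 -j ACCEPT
[0:0] -A mgmt -j DROP
COMMIT
# Completed on Thu Jan  1 00:00:00 2004
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    t = parse_iptables_save(SAMPLE_DUMP)
    for table, chains in t.items():
        for c in chains.values():
            print(f"{table}/{c.name}: policy={c.policy} rules={len(c.rules)}")
    print("counters present:", dump_has_counters(t))
    print("fail-open built-in chains:", open_builtin_chains(t))
```

A dump taken without -c parses the same way, with every rule's packet and byte fields left as None, so the same audit can be run on either form before feeding the file back through iptables-restore; remember from the -n option above that a restore without --noflush replaces the table's previous contents entirely.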

See slave ports timestamp parameter 99 A default configuration file Asynchronous command mode. displaying 103 Broadcast Groups. 65 autocompletion 15 loading 30. displaying 116 451-0311B 193 . 65 saving to the network 30 B defaulting from CLI 76 backup 61 defaults Broadcast Group command mode. configuration saving to flash 62 I saving to the network 62 Interface command mode. accessing 19 creating 29. setting up 97 saving the configuration 76 discard parameter 100 using 73 master ports 97 IP interfaces 105 master ports. displaying 101 disabling features and settings 24 summaries. See master ports characteristics. resetting to 47 characteristics. accessing 22 stored in 61 IP configuration Configuration command mode. H command syntax 14 Help. 65 changing the network mask 75 changing the TFTP server IP address 75 D changing the unit IP address 74 Data Broadcast feature 97 choosing an IP assignment method 74 broadcast groups 97 IP configuration menu broadcast groups. See IP interfaces slave ports. See Online help. See Also Data Broadcast E feature Editing the Files in Windows 63 Editing the Files on a Unix Host 62 C Ethernet command mode. accessing 23 booting from 76 Broadcast Groups 97 defaults. INDEX Symbols slave ports 97 . accessing 21 cables external units crossover 49 scripting on 66 straight-through 49 CLI F defaulting from 76 function keys. See CLI. accessing 18 acquiring 77 configuration file IP Configuration menu saving 61 changing the gateway address 75 creating a default configuration file 29. using in the CLI 14 navigating 16 Command Line Interface.

specifying 146 Power Master ports. displaying 117 Online help. displaying 149 loading the configuration 64 ppciboot factory default settings 68 ppciboot Main Menu M upgrading software with 69 Main Menu PPP command mode. configuring 143 L status information. displaying 118 naming 144. specifying 114 Notification command mode. setting up 54 removing 100 subscriber creation 58 timestamp option 99 via direct serial connections 51 Menu command mode. 146. accessing 22 via modem ports 53 Menu Editing command mode. displaying 118 N rotary ports. accessing 20 configuring 113 modular adapters 51 disabling 115 information. configuring 110 Rotaries. displaying 148 IR-5100 units. displaying 147 loading a default configuration file 30. specifying 145 Telnet socket numbers 108 status information. accessing 23 Notification Feature S facility 79 saving configuration to the network 62 priority 80 scripting 66 SecurID authentication 194 451-0311B . accessing 20 boot from flash 70 boot from network 70 R configuring the IP configuration menu 71 RADIUS accounting saving the software image to flash 70 attributes 162 setting the timeout 71 overview 161 updating the ppciboot firmware 71 setting up 33 Main menu RADIUS Accounting Client Operation 161 booting the system 73 RADIUS authentication resetting to system defaults 72 attributes 159 saving the configuration 73 overview 157 setting the duplex mode of the Ethernet setting up 33 link 72 recreating zip files 64 setting the speed of the Ethernet link 72 Related documents 25 Master ports 97 remote console management configuring 98 security. Local authentication. removing 115 no command 24 type. displaying 15 RADIUS authentication. changing 31 SSH Keepalive parameters 107 Power Control Relays 144 SSH socket numbers 108 grouping 145 status. displaying 118 off time. Power control units 143 IR-5150 units. configuring 110 O port mapping. off time. See Rotaries P setting up 106 passwords. See Power control units. 65 summary information. 
See Power control units. 147 summaries. accessing 22 Rotaries 113 Modem command mode.

123 removing 100 access methods 123 SNMP command mode. 84 temperature. displaying 141 SNPP 81. displaying 138 creating 88 characteristics. accessing 17 localecho option 100 User Profiles 81. displaying 90 upgrading 66 command logging 134 Subscriber accounts 121 contact parameter 88 audit log. 84 summary information. See Service Profiles. See User Profiles. displaying 142 TAP 82. displaying 135 dedicated service 133 command log. displaying 139 facility parameter 89 creating 121 menus 134 deleting 122 password 132 status. 88. accessing 21 audit logging 134 software characteristics. displaying 136 preferred service 133 summary information. setting up 43 obtaining from the network 27 Sensors. See also User Profiles superuser privileges 133 Subscriber command mode. 86 Temperature/Humidity sensors 141 SMTP 82. displaying 141 WEB 82. 83 connecting the 141 REMOTESYSLOG 82. 85 Temperature/Humidity sensor LOCALSYSLOG 82. accessing 21 User Profiles. accessing 18 W T Windows TACACS+ accounting editing files in 63 attributes 164 overview 161 setting up 38 TACACS+ accounting attributes 163 TACACS+ authentication attributes 168 overview 167 setting up 38 TCP/IP parameters 451-0311B 195 . Superuser command mode. displaying 137 session and terminal parameters 128 Subscriber accounts. displaying 89 U configuring 83 UNIX host creating 82 editing files on 62 Service Profiles. 87 configuring 141 SNMP 82 humidity. See Temperature/Humidity sensors setting in Quick Start 27 Service Profile types setting in the LX CLI 29 ASYNC 82. upgrading software Slave ports 97 upgrading software and ppciboot with the configuring 98 command line interface 67 discard option 100 User command mode. 86 typographical conventions 14 Service Profiles 81 characteristics. displaying 138 priority parameter 89 TCP information.