Pinnacle Communications EIPRTR Wireless Bridge/Router User Manual 51328
PINNACLE WIRELESS COMMUNICATIONS

The Pinnacle LINK 2/E wireless Ethernet IP Router is capable of connecting two or more remote Ethernet LANs at speeds of 2 Mbps at distances up to 10 miles. With 2 Mbps speeds Pinnacle LINK 2/E obsoletes traditional slower telco T1 wireline solutions. Pinnacle LINK 2/E provides higher performance, without the expense of recurring monthly line charges! Pinnacle LINK 2/E works in conjunction with all wired Ethernet networks, including BNC coaxial and twisted pair 10BaseT, making it the ideal solution for metropolitan area networking. Pinnacle LINK 2/E uses proven spread spectrum radio technology that provides reliable data transmission, evidenced by the thousands of installed units using this technology. Pinnacle LINK 2/E uses the 902-928 MHz or 2.4 GHz spread spectrum radio frequency for transmission, which means there are NO FCC licensing requirements to be concerned with. The Pinnacle LINK 2/E supports all Ethernet and Ethernet-like protocols, making the Pinnacle LINK 2/E easy to integrate into your existing network. Pinnacle LINK 2/E supports point-to-point or multipoint configurations. In multipoint configurations a centrally located "hub" station communicates with multiple satellite buildings to form a cell. Each location within that cell has the capability of communicating with the hub site. Multiple cells can be interconnected utilizing any of the Pinnacle wireless solutions, yielding infinite wireless networking possibilities. Installation is easy with the Pinnacle LINK 2/E wireless Ethernet IP Router. Install the antenna outside and run the coax cable to the Pinnacle LINK unit located inside. The indoor unit is then connected to your LAN via BNC, AUI, or 10BaseT cable.

PINNACLE LINK 2/E IP ROUTER FEATURES
- Wireless data rates up to 2 Mbps
- Point-to-point wireless links up to 10 miles
- Multipoint configurations using a hub station for campus area networks
- Industry standard 902-928 MHz or 2.4 GHz spread spectrum radio
- No FCC license required
- Immune to environmental interference like rain or snow
- DES encryption
- SNMP management
- Supports all major Ethernet protocols
- No monthly recurring line charges
- Supports IEEE 802.3 Ethernet protocols, IEEE 802.1d transparent MAC layer bridging and compliant IP routing
- Directional or OMNI directional antenna kit (antenna, cable, lightning arrestor)
- One year warranty with free telephone support

FCC ID: NSU EIPRTR

PINNACLE COMMUNICATIONS INCORPORATED, 1403 Business Center Court, Dayton, Ohio 45410. Voice: 937.254.0141, Fax: 937.254.0156

OPTIONAL FEATURES
- Antenna mounting hardware
- Full featured installation and set-up utility
- Fiber optic Ethernet interface
- Low loss antenna extension
- 4 Mb full duplex upgrade kit
- 14 dBi Yagi directional antenna
- 23 dBi parabolic directional antenna
- 6 dBi OMNI directional antenna
- 15 dBi quad array high gain antenna
- LINKamp amplifier

SPECIFICATIONS
- Power: 90-132 VAC / 200-255 VAC, 47-63 Hz, 100 Watts minimum
- Temperature: 5° to 40° C / 40° to 105° F
- Humidity: 20%-30%
- Dimensions: 6" H x 16" D x 14.25" W
- Frequencies: 902-928 MHz spread spectrum; 2.4-2.45 GHz spread spectrum
- Max power output: <4 watts ERP
- Ethernet connections: AUI, BNC, 10BaseT
- Power cord connector: NEMA 5-15

ORDERING INFORMATION
Product Code    Product Description
PL2RTR-0001     Pinnacle LINK 2/E (915 MHz, Dir) 2 Mbps Ethernet IP Router Kit
PL2RTR-0002     Pinnacle LINK 2/E (915 MHz, OMNI) 2 Mbps Ethernet IP Router Kit
PL2RTR-0003     Pinnacle LINK 2/E (2.4 GHz, Dir) 2 Mbps Ethernet IP Router Kit
PL2RTR-0004     Pinnacle LINK 2/E (2.4 GHz, OMNI) 2 Mbps Ethernet IP Router Kit
PL2RB-0001      Pinnacle LINK 2/E 2 Mbps Ethernet Roaming Bridge Kit

This manual covers Pinnacle Link Bridge and Pinnacle Link Router Software Version 2.0.

PUBLISHED BY Pinnacle Communications, Inc., 1403 Business Center Ct., Dayton, OH 45410, (937) 254-0141

Copyright © 1991 through 1995 by Pinnacle Communications, Inc. All rights reserved. No part of the contents of this document may be reproduced or transmitted in any form or by any means without the written permission of the publisher. Permission is hereby granted to end users of the Pinnacle Link Bridge and Pinnacle Link Router software to copy this manual for their own internal use. Revised 1-13-97.

FCC STATEMENT (For U.S.A. Only)

Federal Communications Commission Radio Frequency Interference Statement

Warning: This equipment generates, uses, and can radiate radio frequency energy. If it is not installed and used in accordance with the instruction manual, it may cause interference to radio communications. It has been tested and found to comply with the limits for a Class A computing device pursuant to Part 15 of FCC Rules, which are designed to provide reasonable protection against such interference when operated in a commercial environment. Operation of this equipment in a residential area is likely to cause interference, in which case the user at his own expense will be required to take whatever measures may be required to correct the interference.

If this equipment causes interference to radio reception (which can be determined by unplugging the power cord from the equipment) try these measures:
- Re-orient the receiving antenna.
- Relocate the equipment with respect to the receiver.
- Plug the equipment and receiver into different branch circuits.
- Consult your dealer or an experienced technician for additional suggestions.

SOFTWARE LICENSE AGREEMENT

Note: It is important for Users of Pinnacle Link Software to take time to read this License Agreement associated with this software PRIOR TO ITS USE.
The End User has paid a License fee to Pinnacle Communications, Inc. for the use of this software on one computer. This License does not extend to any copyrights to the program, nor does it License use of the program on more than one computer, nor to make copies of the program for distribution or resale. A software registration card is located in the front of this manual. Please complete the card within 10 days of receipt of the software and return it to Pinnacle Communications, Inc. (hereafter in this License Agreement, Pinnacle). Registration is required for warranty service and notification of software updates and revisions.

License Agreement: The End User is granted a non-exclusive License to use the Licensed program on a single computer subject to the terms and conditions as set forth in this agreement. The End User may not copy, modify or transfer the reference manual or other documentation or any copy thereof except as expressly provided in this agreement. The copyright and all intellectual / industrial rights of this program and associated material remain the property of Pinnacle Communications, Inc. THE END USER MAY NOT USE, COPY, SUBLICENSE, ASSIGN OR TRANSFER THE LICENSED MATERIALS OR ANY COPIES THEREOF IN WHOLE OR IN PART, EXCEPT AS EXPRESSLY PROVIDED IN THIS LICENSE AGREEMENT. The End User shall not reverse assemble or reverse compile the Licensed product or any copy thereof in whole or in part.

Upgrades and Revisions: At its sole option and discretion, Pinnacle may from time to time make available for licensing to the End User, in consideration for the payment of an additional fee specified by Pinnacle, future updated versions of the Licensed product. Also, at its sole discretion, Pinnacle may from time to time make available for licensing to End Users, free of charge, revisions to the Licensed product.
Warranty and Liability: Pinnacle warrants to the end user/purchaser that this product will be free from defects in materials and workmanship under normal use and service for a period of one year from the date of original purchase. Pinnacle agrees under this warranty, at its sole option, to repair, replace, or refund the purchase price of any product discovered to be defective during the warranty period. Any such replacement may be, at the sole option of Pinnacle, a new or a re-manufactured product.

Pinnacle has made a good-faith effort to ensure that the firewall security filters are implemented in the best way possible. The user/purchaser is solely responsible for ensuring that all firewall security filters are set up correctly and functioning correctly.

This warranty shall not apply to any product that has been modified without written approval of Pinnacle, abused, misused, tampered with, damaged by other equipment or systems, or operated or stored under adverse environmental conditions. EXCEPT AS EXPRESSLY SET FORTH ABOVE, PINNACLE MAKES NO OTHER WARRANTIES OR REPRESENTATIONS, EITHER EXPRESSED OR IMPLIED (INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE). PINNACLE EXPRESSLY DISCLAIMS ALL WARRANTIES NOT STATED HEREIN. YOU ASSUME THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PRODUCT. SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS WHICH MAY VARY FROM STATE TO STATE. YOUR SOLE REMEDIES AND PINNACLE'S AND ITS SUPPLIERS', DISTRIBUTORS', RESELLERS', AND AGENTS' ENTIRE LIABILITY ARE SET FORTH ABOVE. IN NO EVENT SHALL PINNACLE OR ITS SUPPLIERS, DISTRIBUTORS, RESELLERS, AND AGENTS BE LIABLE TO YOU, OR ANY OTHER PERSON, FOR ANY DAMAGES, INCLUDING ANY SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING
LOST SAVINGS, COST OF REPLACEMENT, OR OTHER EXPENSES ARISING OUT OF THE USE OR INABILITY TO USE THIS PRODUCT), EVEN IF KARLNET HAS BEEN ADVISED OF SUCH POSSIBLE DAMAGES, OR FOR ANY CLAIM BY ANY OTHER PARTY. SOME STATES DO NOT ALLOW THE EXCLUSION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

For product returns, please call Pinnacle Communications, Inc. (937) 254-0141.

HARDWARE INFORMATION

FRONT PANEL (ETHERNET-TO-ETHERNET)

[Front panel figure: Receive, Transmit and Collision lights for Port 0 (Remote) and Port 1 (Local), and the Forwarding Rate (%) bar display]

Receive: This light will blink whenever a packet is received.
Transmit: This light will blink whenever a packet is transmitted.
Collision: This light will blink whenever a collision or error is detected on the LAN.
Forwarding Rate: This will display the forwarding rate of the bridge/brouter in percent of the full theoretical Ethernet rate of 10 megabits per second.

FRONT PANEL (ETHERNET-TO-WAVELAN)

[Front panel figure: Wired and Wireless Receive, Transmit and Collision lights, the Forwarding Rate (%) bar display, and the Wrong, Low, Good and Excl signal quality lights, for Port 0 and Port 1]

Wired Receive: This light will blink whenever a packet is received.
Wired Transmit: This light will blink whenever a packet is transmitted.
Wired Collision: This light will blink whenever a collision or error is detected on the LAN.
Wireless Receive: This light will blink whenever a packet is correctly received.
Wireless Transmit: This light will blink whenever a packet is transmitted.
Wireless Collision: This light will blink whenever a packet is retransmitted (packets will only be retransmitted if the CellWave algorithm is being used).
Forwarding Rate: This will display the forwarding rate of the bridge/brouter in percent of the full theoretical Ethernet rate of 10 megabits per second.
Wrong: This light will blink whenever a packet from another WaveLAN network is detected.
Low: This light will blink whenever a CellWave "hello" packet is received with a low Signal to Noise Ratio.
Good: This light will blink whenever a CellWave "hello" packet is received with a good Signal to Noise Ratio.
Excl: This light will blink whenever a CellWave "hello" packet is received with a high Signal to Noise Ratio.

HARDWARE REMOTE CONFIGURATION PROTECTION

The Flash ROM version of the Pinnacle Link Bridge/Pinnacle Link Router is configured remotely through the network using KBCONFIG via IP/SNMP. This leaves open the remote possibility that someone on the Internet could guess your SNMP read/write password and use their version of KBCONFIG to reconfigure your Pinnacle Link Bridge/Pinnacle Link Router. This loophole can be completely closed by use of the SNMP Access Lists (described later in this manual) or jumpers on the Flash ROM card located inside the case. The jumper positions are as follows:

Normal Operation: The only protection is through passwords and the SNMP Access Lists; there is no special hardware protection.
Write Protection: The configuration can be read but not written unless the hardware protections are lowered by use of the front panel protection button.
Read/Write Protection: The configuration cannot be read or written unless the hardware protections are lowered by use of the front panel protection button.

[Figure: ISA bus Flash ROM card, showing the front panel and the Pinnacle Link Bridge/Pinnacle Link Router Flash ROM module jumper positions: Normal Operation, Factory Default, Write Protection, Read/Write Protection, Boot on PROM]

RESETTING TO THE FACTORY DEFAULT CONFIGURATION

The Flash ROM version of the Pinnacle Link Bridge/Router is configured remotely through the network using KBCONFIG via IP/SNMP. In order for KBCONFIG to communicate through the network two things must be known: the IP Address and the read/write SNMP password (sometimes called the community name) of the Pinnacle Link Bridge/Router.
When shipped from the factory the IP Address is 198.1774254 and the read only and read/write passwords are set to public and public. If you forget what you have changed these to, you can restore them to the factory default by placing the jumper on the Flash ROM board located inside the case in the Factory Default position. You must then reboot the Pinnacle Link Bridge/Router and configure it with KBCONFIG using the factory default address and passwords. Once you have changed the address and password and saved them with KBCONFIG, and the Pinnacle Link Bridge/Router has rebooted itself, it is ready for use. You should then shut off the Pinnacle Link Bridge/Router, move the jumper back to Normal Operation or one of the protection settings, and start it back up to verify that your changes have taken effect.

REMOTE AND LOCAL PORTS

The Pinnacle Link Bridge and Pinnacle Link Router security filters provide isolation between one or more local networks and one or more remote networks. The ports on the standard 2 port Pinnacle Link Bridge and Pinnacle Link Router are labeled Port 0 Remote and Port 1 Local. The work group or computer lab that you wish to isolate should be connected to the Local Port and the external network should be connected to the Remote Port.

NOTE: If you have a Pinnacle Link Bridge/Router that supports mixed media or more than 2 ports you will have the option in the Setup-Ports menu to change which port(s) are considered "local" and which port(s) are considered "remote".

115/230 VOLT SETTING

The Non-Auto switch Pinnacle Link Bridge/Router is shipped with 115V selected. If your country uses 230V this setting should be changed.
The Auto switch version of the Pinnacle Link Bridge/Router automatically detects and adjusts for the proper voltage setting, and no manual switch is needed or provided.

ETHERNET INTERFACE (BNC OR AUI CONNECTIONS)

The 10Base2 (Thin Wire) Pinnacle Link Bridge/Router is shipped with both Ethernet cards set up for BNC (Thin Wire Ethernet). If you wish to use the AUI (transceiver) port you must open the case and change the jumpers located on the appropriate Ethernet card. These Ethernet cards have been customized for use in the commercial Pinnacle Link Bridge/Router and are not interchangeable with the standard Ethernet cards by the same manufacturer.

[Figure: SMC Elite 16 Ethernet card jumper settings for 10BaseT (Twisted Pair), AUI and BNC (Thin Net)]

BNC: Use this setting if you are connecting your LAN to the BNC connection.
AUI & 10BaseT: Use this setting if you are connecting your LAN to either the AUI or the 10BaseT (Twisted Pair) connector.
Twisted Pair No Link: Use this setting if you are connecting your LAN to the 10BaseT (Twisted Pair) connector and wish to have the No Link integrity signal active. (This setting is not normally used.)

WAVELAN INTERFACE

The commercial version of the Pinnacle Link Bridge/Router supports a standard ATT/NCR or DEC WaveLAN wireless interface card. The card is configured in "factory default" mode (all switches in the up position). It provides a wireless link to other WaveLAN wireless cards within a building. The Omni directional antenna supplied has a range of 800 feet. With the addition of a directional antenna, (wireless network) connections can be made between buildings that are several miles apart.

[Figure: WaveLAN card, showing the switch blocks, the optional DES chip and the antenna F connector]

NOTE: It is highly recommended that you install the WaveLAN card as Pinnacle Link Bridge Port 0.
CONFIGURATION

The Pinnacle Link Bridge/Pinnacle Link Router has been designed to provide several layers of isolation and firewall security protection for many types of local area networks. You will most likely not need to use all of the features and filters provided.

RUNNING THE KBCONFIG PROGRAM (on a floppy based Pinnacle Link Bridge/Pinnacle Link Router)

Remove the Pinnacle Link Bridge/Router floppy from the floppy drive and insert it into any standard PC compatible computer that is running DOS version 3 or higher with an EGA or VGA monitor. For this example it is assumed your floppy drive is drive A.

1. Copy the files KBCONFIG.EXE, KBC.EXE, KBHELP.HLP, and KBCONFIG.CFG from the "Flash ROM Remote Configuration" diskette into a directory on your hard disk.
2. Issue the command: KBCONFIG A:KBRIDGE.BIN
3. Set up the Pinnacle Link Bridge/Pinnacle Link Router features and filters by use of the menus as described in the sections later in this manual.
4. Save your new configuration back into the KBRIDGE.BIN file on the floppy by issuing the Save command under the File menu.

The KBCONFIG program modifies the KBRIDGE.BIN file, which contains the bridge/router program and your filter settings. When the floppy is inserted into the Pinnacle Link Bridge/Pinnacle Link Router floppy drive and the box is powered up, the program KBRIDGE.BIN will boot and execute.

WARNING: The Pinnacle Link Bridge/Pinnacle Link Router floppy disk boot block program will only boot the KBRIDGE.BIN file if it is contiguous. The only way to guarantee that the KBRIDGE.BIN file is contiguous is to copy it to a blank, newly formatted disk with a Pinnacle Link Bridge boot block on it. If you copy the KBRIDGE.BIN file to a hard disk and then back to a non-blank floppy it may not be contiguous and thus will not boot properly.

NOTE: When the KBCONFIG program modifies the KBRIDGE.BIN file on the floppy it does not move the KBRIDGE.BIN file, and therefore it will boot properly. Therefore whenever you change the configuration of the KBRIDGE.BIN file on the boot floppy, always open the file on the floppy directly from KBCONFIG.

RUNNING THE KBCONFIG PROGRAM (remotely on Flash ROM Pinnacle Link Bridge/Pinnacle Link Routers)

1. Ensure that a standard "Packet" driver is installed on your MS-DOS computer. It came with the software you received when you purchased your Ethernet card. If you do not have a packet driver you can use one of the drivers that are included on the "Flash ROM Remote Configuration" diskette provided with your Flash ROM Pinnacle Link Bridge or Pinnacle Link Router.
2. Copy the files KBCONFIG.EXE, KBC.EXE, KBHELP.HLP, and KBCONFIG.CFG from the "Flash ROM Remote Configuration" diskette into a directory on your hard disk.
3. If you are connected to an existing IP network then set up the KBCONFIG.CFG file to reflect your IP address, IP mask, default router, etc.
4. Issue the command: KBCONFIG
5. Under the File menu issue an Open Remote, then specify the IP address of the network connected remote Pinnacle Link Bridge/Pinnacle Link Router. The factory default for the Pinnacle Link Bridge/Pinnacle Link Router IP address, and the IP address as shipped, is 198.1774254.
6. Set up the Pinnacle Link Bridge/Pinnacle Link Router features and filters by use of the menus as described later in this manual.
7. Save your new configuration by issuing the Save command under the File menu. The KBCONFIG program modifies the configuration section of the Pinnacle Link Bridge/Pinnacle Link Router Flash ROM and then the remote bridge/router will reboot.

KBCONFIG'S FILE MENU

KBCONFIG will configure either an executable Pinnacle Link Bridge/Pinnacle Link Router file or configure a remote FlashROM based Pinnacle Link Bridge or Pinnacle Link Router.

CONFIGURING AN EXECUTABLE FILE

To configure an executable file you can use the Open and Save functions. The file can be either a .EXE or .BIN file.
.EXE files can be run under DOS and are usually the shareware demo version. .BIN files can either be loaded into FlashROM or booted off of the special Pinnacle Link Bridge/Pinnacle Link Router boot diskette. You must have a file open before any other KBCONFIG functions can be performed. After you have made your configuration choices you should then Save them back to the open file.

CONFIGURING A REMOTE PINNACLE LINK BRIDGE OR PINNACLE LINK ROUTER

To configure a remote (network attached) Pinnacle Link Bridge or Pinnacle Link Router you can use the Open Remote and Save functions. You must have a remote bridge or brouter open before any other KBCONFIG functions can be performed. After you have opened the remote device and configured it you can then Save your configuration back to the open device. When you Save back to the remote device its FlashROM will be erased and then reprogrammed with the new configuration.

...ets will take up a small amount of RF air time. If you only have a few wireless stations this is inconsequential. If you have hundreds of wireless stations in your wireless cell and all of these stations are transmitting hello/test packets, the wireless LAN will be slowed down.

[X] Enable Directional Antenna Support

The WaveLAN card is designed to connect to either a special omni-directional antenna or a directional antenna. If you are using a directional antenna you should enable directional antenna support. With directional antenna support enabled, the WaveLAN card stops sending out the 10 Volt, 1 MHz square wave signal needed only by the special omni-directional antenna.

Note: A DC blocking device should be connected to the WaveLAN card's antenna port if the WaveLAN card is connected to a DC grounded directional antenna such as the loop yagi.

[X] Enable Signal Quality Front Panel Display

This function will enable WaveLAN signal quality statistics on the CRT monitor or LCD front panel display.
[X] Enable Data Encryption on All Packets

Some Pinnacle Link Bridges and Pinnacle Link Routers contain a special software encryption algorithm that is distinct from the optional WaveLAN DES encryption chip. If Data Encryption is enabled on the General Setup menu and if an Encryption Key is set up in the Data Encryption menu, then enabling encryption here will cause all packets transmitted over the WaveLAN wireless network to be software encrypted.

(-) WaveLAN Compatibility Mode

KarlNet, ATT/NCR, DEC, Persoft, Solectek and others can transmit and receive data over WaveLAN wireless networks in an industry compatible way. This setting will enable the Pinnacle Link Bridge/Pinnacle Link Router to transmit and receive its WaveLAN wireless packets in this compatible way.

(-) CellWave Mode (No Base Station)

The industry compatible way of transmitting and receiving data over WaveLAN (and many other) wireless networks causes data packets to be frequently lost. This is due to the fact that a wireless network does not have the ability to detect collisions like an Ethernet network has. In an Ethernet network collisions can be detected by the hardware (Ethernet chip) and the packets are automatically retransmitted. Ethernet is referred to as CSMA/CD (Carrier Sense Multiple Access with Collision Detect). Wireless networks are CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance). The reason that collisions cannot be detected is that with radio you cannot receive and transmit at the same time, hence you cannot detect the collisions. In practice a properly operating WaveLAN point-to-point network will lose, due to collisions, approximately [illegible] of the transmitted packets. This packet loss is not normally a problem with protocols such as Novell IPX (without the burst mode NLM) but will cause networks using most other protocols to experience poor performance.
If all of the wireless Pinnacle Link Bridge/Pinnacle Link Routers in your wireless cell can "hear" each other, and if you are running a non-Novell IPX protocol or Novell IPX with the burst mode NLM, then this setting will greatly improve the performance of your wireless network.

(-) CellWave Base Station Mode (This is a base station)

This setting should be used if this wireless Pinnacle Link Bridge/Pinnacle Link Router is the one and only base station in the wireless network (i.e. a WaveLAN network with the same Network ID, NWID). With the previously mentioned CellWave Mode (No Base Station) setting there is a requirement that all wireless stations be able to transmit to and receive from ALL other stations in the wireless network. This is not always possible due to the particular topology and terrain. The Wireless Pinnacle Link Bridge/Pinnacle Link Router has a special mode where one of the wireless nodes can be set up as a "base" station and all others can be set up as "satellite" stations. In this configuration the only requirement is that each satellite station be able to communicate with the one base station. The base station is responsible for "repeating" packets that need to travel between satellite stations. The performance of this approach is slightly improved if the base station is connected to the most heavily loaded file server or wired network access point. This is due to the fact that data flowing from one satellite station to another satellite station must be repeated (retransmitted) by the base station, using more of the wireless bandwidth. Data packets flowing from a satellite station to the base station are transmitted directly without the need to be repeated.

(-) CellWave Base Station Mode (This is a satellite station)

Set this if this wireless Pinnacle Link Bridge/Pinnacle Link Router is one of the satellite stations in the wireless network (i.e. a WaveLAN network with the same Network ID, NWID).
ETHERNET INTERFACE

There are no special hardware setups needed for Ethernet ports.

    Port Setup                  Remote   Enable
    Port 0  WaveLAN              [X]      [X]
    Port 1  Ethernet             [ ]      [X]
    Port 2  Synchronous          [ ]      [ ]
    Ethernet Setup: Nothing to Set for This Port

SYNCHRONOUS INTERFACE

    Port Setup                  Remote   Enable
    Port 0  WaveLAN              [X]      [X]
    Port 1  Ethernet             [ ]      [X]
    Port 2  Synchronous          [ ]      [X]
    Synchronous Setup
      (-) External Clock
      ( ) Internal Clock 56K Baud
      ( ) Internal Clock 128K Baud
      ( ) Internal Clock 2048K Baud
      [ ] Enable Reliable Point-to-Point Communication
      [ ] Enable Packet Compression
      [ ] Enable Data Encryption on All Packets
      [ ] Enable DTR Dialing

(-) External Clock

This setting will enable the external clock inputs and disable the internal clock source.

(-) Internal Clock

One of these settings will enable the internal clock generator at the specified bit rate.

[X] Enable Data Encryption on All Packets

Some Pinnacle Link Bridges and Pinnacle Link Routers contain a special software encryption algorithm that is distinct from the optional WaveLAN DES encryption chip. If Data Encryption is enabled on the General Setup menu and if an Encryption Key is set up in the Data Encryption menu, then enabling encryption here will cause all packets transmitted over the synchronous port to be encrypted.

STEP 3: BRIDGE SETUP

    Setup
      General Setup . . .
      Port Setup . . .
      Bridge Setup . . .
      IP Host Setup . . .

    Bridging Setup
    Protocol to Bridge or Tunnel
      Appletalk 1 & 2       809B   Bridge      [X] Pass Ethernet Broadcasts
      Appletalk ARP 1 & 2   80F3   Bridge      [X] Pass Ethernet Multicasts
      IP                    0800   Bridge
      IP-ARP                0806   Bridge      Advanced Features
      [Bridge] [Tunnel] [Drop]                 Storm Thresholds
      ( ) Bridge all non-listed protocols      Tunnel Partners
      (-) Drop all non-listed protocols
      ( ) Pass (-) Drop Following Ethernet Pair
          Remote              Local
          00-11-22-33-44-55   00-01-02-XX-XX-XX      [Edit]

NOTE: The Tunnel and Tunnel Partners buttons will not appear unless "Remote Bridging using IP Tunnels" is enabled in the General Setup menu.
Protocol to Bridge or Tunnel

This menu specifies the Ethernet protocols to Bridge, Drop or optionally Tunnel. Each protocol can be bridged (a synonym for passed) or can be dropped, as selected with the Bridge or Drop button. All other protocols not specified in the menu are then either bridged or dropped depending upon the mode selected by the radio buttons labeled "Bridge all non-listed protocols" or "Drop all non-listed protocols". It is recommended that you bridge only the protocols that you absolutely need and drop all non-listed protocols. If you elect to bridge IP, DECNET, Novell, or AppleTalk then you will have the opportunity to set up additional filters under the Setup - Security menus. You will be given the opportunity to specify in more detail the types of services you wish to promote (pass) or restrict (drop) for the particular protocols selected.

Tunneling is a method of encapsulating Ethernet packets received from the "Local" port in an IP/UDP packet and sending them to one or more tunnel partners. Tunneling can be used to set up virtual Ethernet networks. You can tunnel some protocols, bridge other protocols and drop other protocols all simultaneously.

(-) Bridge ( ) Drop all non-listed protocols

This setting will determine what is to happen to packets that are not listed in the "Protocol to Bridge or Tunnel" menu.

[X] Pass Ethernet Broadcasts

Standard Ethernet bridges will always forward broadcast packets. Many protocols do not use broadcasts (e.g. AppleTalk Phase II, DECNET and others). However, IP/ARP does use broadcasts. If you do not use IP or any other protocol that requires broadcasts then you can drop them. Shutting off broadcast packets will reduce the traffic on your network and will also greatly reduce the number of interrupts that each computer connected to your network experiences. Networks with a high number of broadcasts will slow down the processing of each attached computer even if it is not using the network.
[X] Pass Ethernet Multicasts

Standard Ethernet bridges will always forward multicast packets. Some protocols do not use multicast packets, such as IP and Novell IPX. If you do not use protocols that use multicast packets then you can drop them by shutting off multicasts on the Pinnacle Link Bridge. Shutting off multicast packets will reduce the traffic on your network and will also reduce the number of interrupts that each computer connected to your network experiences.

(-) Pass ( ) Drop Following Address Pair

This menu specifies the Ethernet addresses that should be either Passed or Dropped; both the source and destination address are checked against this filter. An entire 6 byte Ethernet address can be filtered or just portions of it. This menu can be used to inhibit or promote communication with several particular Ethernet addresses or groups of Ethernet addresses. This approach of specifying Ethernet addresses is similar to a standard bridge that supports Ethernet address filtering. We have found this approach to not be very useful; however, we support it for completeness. As an example, if the menu is set to "Drop following Pair" and an address pair of 00-11-22-33-44-55 & 00-01-02-XX-XX-XX is specified, then data packets from the address 00-11-22-33-44-55 to any addresses that start with 00-01-02 will be dropped.

Advanced Features

This menu contains advanced bridging options. These options should be changed from their default only if you clearly understand their functions and how they may impact your network.
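The filter behaviour described above (the EtherType list with its Bridge/Drop buttons and the "all non-listed protocols" default, the Pass Ethernet Broadcasts and Multicasts switches, and the Pass/Drop Following Address Pair with XX wildcard octets), as an added Python simulation written for this page. It is not KBCONFIG or bridge firmware code; the frame format is plain Ethernet II, the sample frames and the Novell IPX EtherType 0x8137 are constructed here, and matching a pair in both directions is this example's reading of "both the source and destination address are checked".

```python
"""Model of the Pinnacle Link Bridge 'Protocol to Bridge or Tunnel' and
'Pass/Drop Following Address Pair' filters.  Added illustration, not the
product's code; the frame layout and sample frames are constructed here."""
import struct

BRIDGE, DROP = "bridge", "drop"
BROADCAST = b"\xff" * 6

# EtherType list as displayed in the Bridging Setup menu (values from the manual).
PROTOCOL_TABLE = {
    0x809B: BRIDGE,   # AppleTalk 1 & 2
    0x80F3: BRIDGE,   # AppleTalk ARP 1 & 2
    0x0800: BRIDGE,   # IP
    0x0806: BRIDGE,   # IP-ARP
}


def parse_mac(text):
    """'00-11-22-33-44-55' -> list of octets; 'XX' octets become None (wildcard)."""
    octets = text.upper().split("-")
    if len(octets) != 6:
        raise ValueError("MAC pattern must have six octets: %r" % text)
    return [None if o == "XX" else int(o, 16) for o in octets]


def mac_matches(pattern, mac):
    """True when every non-wildcard octet of the pattern equals the address,
    so '00-01-02-XX-XX-XX' matches the whole 00-01-02 group."""
    return all(p is None or p == b for p, b in zip(parse_mac(pattern), mac))


class BridgeFilter:
    def __init__(self, protocol_table, default_action=DROP,
                 pass_broadcasts=True, pass_multicasts=True,
                 pair_action=DROP, address_pairs=()):
        self.protocol_table = protocol_table
        self.default_action = default_action        # "all non-listed protocols"
        self.pass_broadcasts = pass_broadcasts
        self.pass_multicasts = pass_multicasts
        self.pair_action = pair_action              # Pass or Drop Following Pair
        self.address_pairs = list(address_pairs)    # (remote_pattern, local_pattern)

    def decide(self, frame):
        """Return (action, reason) for one raw Ethernet frame (14-byte header + payload)."""
        if len(frame) < 14:
            return DROP, "runt frame"
        dst, src = frame[:6], frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if dst == BROADCAST:
            if not self.pass_broadcasts:
                return DROP, "broadcasts disabled"
        elif dst[0] & 0x01:                 # group bit set, not broadcast: multicast
            if not self.pass_multicasts:
                return DROP, "multicasts disabled"
        # Address pair: matched in either direction (assumption made by this example).
        for remote, local in self.address_pairs:
            if (mac_matches(remote, src) and mac_matches(local, dst)) or \
               (mac_matches(remote, dst) and mac_matches(local, src)):
                return self.pair_action, "address pair %s & %s" % (remote, local)
        action = self.protocol_table.get(ethertype, self.default_action)
        return action, "ethertype 0x%04X" % ethertype


def make_frame(dst, src, ethertype, payload=b""):
    """Build a constructed test frame from full MAC strings and an EtherType."""
    return (bytes(parse_mac(dst)) + bytes(parse_mac(src))
            + struct.pack("!H", ethertype) + payload)


# Recommended setting from the manual: drop everything not listed, plus the
# example pair 00-11-22-33-44-55 & 00-01-02-XX-XX-XX set to Drop.
FILTER = BridgeFilter(PROTOCOL_TABLE, default_action=DROP,
                      address_pairs=[("00-11-22-33-44-55", "00-01-02-XX-XX-XX")])

SAMPLE_FRAMES = {   # constructed sample traffic
    "arp broadcast": make_frame("FF-FF-FF-FF-FF-FF", "00-AA-BB-CC-DD-EE", 0x0806),
    "ipx unicast":   make_frame("00-AA-BB-CC-DD-01", "00-AA-BB-CC-DD-EE", 0x8137),
    "pair drop":     make_frame("00-01-02-03-04-05", "00-11-22-33-44-55", 0x0800),
    "ip unicast":    make_frame("00-01-02-03-04-05", "00-11-22-33-44-56", 0x0800),
}


def run_samples(bridge_filter=FILTER, frames=SAMPLE_FRAMES):
    """Apply the filter to every sample frame; returns {name: action}."""
    return {name: bridge_filter.decide(frame)[0] for name, frame in frames.items()}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print("%-14s -> %s (%s)" % ((name,) + FILTER.decide(frame)))
```

The IPX frame is dropped only because of the default action; listing 0x8137 as Bridge in the table would pass it, which is the menu's "bridge only the protocols you absolutely need" trade-off in miniature.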
Bridging Setup

    Protocol to Bridge or Tunnel
        AppleTalk 1 & 2        809B    Bridge
        AppleTalk ARP 1 & 2    80F3    Bridge
        IP                     0800    Bridge
        IP-ARP                 0806    Bridge
    [X] Pass Ethernet Broadcasts
    [X] Pass Ethernet Multicasts
    ( ) Bridge all non-listed protocols
    (*) Drop all non-listed protocols
    Advanced Features . . .

    Advanced Features
        [X] Pass Bad Ethernet Source
        [X] Pass Unlearned Ethernet Source
        [ ] Enable Learned Table Lockdown
        [ ] Enable Expanded IP ARP Support
        ( ) Pass (*) Drop Following Address Pair
            00-11-22-33-44-55 & 00-01-02-XX-XX-XX

[X] Pass Bad Ethernet Source

The standard Ethernet bridges we have tested will pass Ethernet packets with a broadcast or multicast address as their source (i.e. the first bit of the address set to 1). The Ethernet specification for Transparent (i.e. Non-Source Routing) bridges does not allow these types of packets; they are considered "bad" packets. Our studies have shown that a common failure mode of many Ethernet interfaces and networking software is to transmit packets like these. If you do not need the Pinnacle Link Bridge to pass Source Routing packets (which set this same bit in the source address) it is suggested that you set it to drop these packets. Default: Pass

[X] Pass Unlearned Ethernet Source

Standard Ethernet bridges will always forward packets with destination addresses that have not been "learned" (i.e. not yet seen as the source address of a packet). This characteristic is needed for the proper operation of an Ethernet bridge. The down side is that our studies have shown that the failure mode of many Ethernet interface cards is to send out erroneous packets with good CRCs but with random Ethernet destination and source addresses. Standard bridges will pass these erroneous packets, since they have not "learned" the random destination address, and then add each packet's random source address to their finite "learned" table. This situation is not uncommon and can greatly hinder the operation of standard bridges.
If you choose to Drop unlearned packets then the Pinnacle Link Bridge will not forward unicast packets to Ethernet addresses that have not already been seen as a source address. This scheme works for most protocols because it relies on the characteristic of most upper-layer protocols to transmit ARP requests or Hello packets (which are broadcast, and therefore still pass) before sending unicast traffic. It should be set to Drop with care by a qualified network engineer. Default: Pass

[X] Enable Learned Table Lockdown

A standard bridge watches the source address of each packet it receives on any of its ports. As new addresses are seen, entries are added to the "learned table" containing the source address and the port number that address was received on. If that source address is later seen on a different port, the bridge will immediately change the port number in the learned table entry. This can happen in a correctly functioning network if someone moves a computer to a different part of the network. It can also happen if someone is trying to capture network packets by spoofing the bridge: a station on one port that transmits frames carrying another host's source address moves that host's entry, and with it the traffic destined for that host, onto its own port. Enabling learned table lockdown prevents the port number from being changed once the source address has been seen. A standard bridge will also time out learned table records every 10 minutes. If learned table lockdown is enabled these records are not timed out; once a record is learned it will not change or be deleted until either the bridge reboots or the learned table becomes completely filled and needs to be reset. Because the first sighting of an address is the one that is locked, enable lockdown while the network is known to be clean; a spoofing station that is already active would otherwise have its port locked in. Note: A typical Pinnacle Link Bridge learned table can contain over 12,000 records. Default: Disabled

[X] Enable Expanded IP ARP Support

Enabling this feature will cause the bridge to also watch the IP/ARP packets that occur on the network. No action is taken in response to an IP/ARP packet (since that is the role of an IP router) other than the bridge adding the IP address to its IP/ARP table.
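The following Python is an added example, not code from the Pinnacle manual, covering the learned table lockdown described above and the Expanded IP ARP table described in this section. It models a learned table that behaves like a standard bridge (follows moves, ages entries after 10 minutes) or, with lockdown, keeps the first binding and refuses later ones, and it records IP-to-Ethernet pairs from ARP packets. The table capacity, the conflict records and the reporting of an IP address that reappears with a different Ethernet address are assumptions of this example; the manual only says the pair is added to the table.

```python
"""Bridge learned table with optional lockdown, plus the Expanded IP ARP table.

Added example, not code from the Pinnacle manual. A standard bridge binds
each source address to the port it was last seen on and ages entries out
after 10 minutes; with lockdown the first binding is kept, never aged, and
a later sighting of the same address on another port is refused and
recorded. With Expanded IP ARP support the bridge also records the IP to
Ethernet pairs seen in ARP packets and never ages them. Assumptions: the
table size, the conflict records, and the arp_changes report.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AGE_OUT_SECONDS = 600        # "time-out the learned table records every 10 minutes"
TABLE_CAPACITY = 12_000      # assumed size; the manual says "over 12,000 records"


@dataclass
class Entry:
    port: int
    last_seen: float


@dataclass
class LearnedTable:
    lockdown: bool = False
    expanded_arp: bool = False
    capacity: int = TABLE_CAPACITY
    entries: Dict[str, Entry] = field(default_factory=dict)
    arp_table: Dict[str, str] = field(default_factory=dict)          # ip -> mac
    # (address, locked port, port it was just seen on) for each refused move
    conflicts: List[Tuple[str, int, int]] = field(default_factory=list)
    # (ip, old mac, new mac) when an IP turns up with a different Ethernet address
    arp_changes: List[Tuple[str, str, str]] = field(default_factory=list)

    def _age_out(self, now: float) -> None:
        """Standard behaviour only: forget records not refreshed in 10 minutes."""
        stale = [m for m, e in self.entries.items() if now - e.last_seen >= AGE_OUT_SECONDS]
        for mac in stale:
            del self.entries[mac]

    def learn(self, src: str, port: int, now: float) -> None:
        """Called for every received frame with its source address and port."""
        src = src.lower()
        if not self.lockdown:
            self._age_out(now)
        entry = self.entries.get(src)
        if entry is None:
            if len(self.entries) >= self.capacity:
                self.entries.clear()             # a full table "needs to be reset"
            self.entries[src] = Entry(port, now)
            return
        if entry.port != port:
            if self.lockdown:
                # Refuse the move: a station on another port claiming this address
                # would otherwise pull the real host's traffic onto its own port.
                self.conflicts.append((src, entry.port, port))
                return
            entry.port = port                    # the host moved, or is being spoofed
        entry.last_seen = now

    def port_for(self, dst: str, now: float) -> Optional[int]:
        """Port to forward a unicast frame on, or None when unknown (flood)."""
        if not self.lockdown:
            self._age_out(now)
        entry = self.entries.get(dst.lower())
        return None if entry is None else entry.port

    def observe_arp(self, sender_mac: str, sender_ip: str) -> None:
        """Expanded IP ARP support: note the sender pair from any ARP packet."""
        if not self.expanded_arp:
            return
        sender_mac = sender_mac.lower()
        old = self.arp_table.get(sender_ip)
        if old is not None and old != sender_mac:
            self.arp_changes.append((sender_ip, old, sender_mac))
        self.arp_table[sender_ip] = sender_mac   # never timed out in this mode


def demo(lockdown: bool) -> Tuple[Optional[int], Optional[int], int]:
    """Constructed scenario: host A is seen on port 0, then a frame with A's
    source address arrives on port 1, then 11 minutes pass with no traffic.
    Returns (port after the move attempt, port after the wait, refused moves)."""
    table = LearnedTable(lockdown=lockdown)
    table.learn("00-11-22-33-44-55", port=0, now=0)
    table.learn("00-11-22-33-44-55", port=1, now=5)
    after_move = table.port_for("00-11-22-33-44-55", now=6)
    after_wait = table.port_for("00-11-22-33-44-55", now=6 + 660)
    return after_move, after_wait, len(table.conflicts)
```

Running demo(False) shows the standard bridge following the address to port 1 and then forgetting it; demo(True) shows the locked entry staying on port 0 indefinitely, with the attempted move recorded in conflicts. The arp_changes list is the kind of record an SNMP monitor would want to pull from the ARP table.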
This feature is helpful on an IP network because it builds a database of MAC layer address to IP address pairs. An SNMP monitoring program such as KBCONFIG can at any time extract this information. NOTE: 1) The IP/ARP table is never timed out in this mode. 2) This feature is not available if the Pinnacle Link Router is routing IP. Default: Disabled

Storm Thresholds

One of the unique and very useful features of the Pinnacle Link Bridge/Pinnacle Link Router is its ability to keep broadcast and multicast storms from spreading throughout a network. Network storms are common and can cause bridges, routers, workstations, servers and PCs to slow down or crash. Storms occur if network equipment is configured incorrectly, if network software is not functioning correctly, or if poorly designed programs such as network games are used.

    Storm Thresholds
                              Broadcast    Multicast
        Address Threshold        15           15
        Port 0 Threshold         30           30
        Port 1 Threshold         30           30
        Port 2 Threshold         30           30
        Note: Threshold values are in packets per second

Address Threshold > Broadcast

This setting determines the maximum number of broadcast packets that can occur in each one second period before a storm condition is declared for a particular Ethernet address (host). Once it is determined that a storm is occurring, any additional broadcast packets from that host address will be dropped until the storm is determined to be over. The storm is determined to be over when 30 seconds have passed in which every 1 second period had fewer than the stated threshold of broadcast packets.
Address Threshold > Multicast

This setting determines the maximum number of multicast packets that can occur in each one second period before a storm condition is declared for a particular Ethernet address (host). Once it is determined that a storm is occurring, any additional multicast packets from that host address will be dropped until the storm is determined to be over. The storm is determined to be over once 30 seconds have passed in which every 1 second period had fewer than the stated threshold of multicast packets.

Port Threshold > Broadcast

This setting determines the maximum number of broadcast packets that can occur in each 1 second period before a storm condition is declared for a particular port. Once it is determined that a storm is occurring, any additional broadcast packets received on that port will be dropped until the storm is determined to be over. The storm is determined to be over once a 1 second period has occurred with no broadcast packets received on that port.

Port Threshold > Multicast

This setting determines the maximum number of multicast packets that can occur in each 1 second period before a storm condition is declared for a particular port. Once it is determined that a storm is occurring, any additional multicast packets received on that port will be dropped until the storm is determined to be over. The storm is determined to be over once a 1 second period has occurred with no multicast packets received on that port.

Note that a port storm ends only after a second in which the port saw none of the packets in question, so a single host that keeps broadcasting above the port threshold keeps the whole port in the storm state; the per-address threshold is what isolates that host while letting the other stations on the port continue.

Preset Button

This button sets the broadcast and multicast storm thresholds to the recommended values. These values have been determined to offer good protection without interfering with the operation of the typical network. They may need to be tuned for your particular network.
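The storm detection described above, as an added example (not code from the Pinnacle manual). It counts packets per 1-second window, once per source address and once per receiving port, declares a storm when a window exceeds the threshold, and ends it by the two different rules the manual gives (30 consecutive quiet seconds for an address, one packet-free second for a port). Time is an integer second supplied by the caller so the run is deterministic; the single per-port threshold, the class names, and the decision that dropped packets still count toward the windows are assumptions of this example.

```python
"""Broadcast/multicast storm thresholds as described in the manual.

Added example, not code from the Pinnacle manual. Packets are counted per
1-second window, per source address and per receiving port. Exceeding the
address threshold (Preset: 15/s) declares a storm for that host, which ends
after 30 consecutive seconds each below the threshold; exceeding the port
threshold (Preset: 30/s) declares a storm for that port, which ends after one
second with no such packets on the port. Assumptions: dropped packets still
count toward the windows (the storm is measured on what arrives, not on what
is forwarded), and one port threshold applies to every port.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

ADDRESS_THRESHOLD = {"broadcast": 15, "multicast": 15}   # the Preset values
PORT_THRESHOLD = {"broadcast": 30, "multicast": 30}


@dataclass
class _Counter:
    window: int             # the second currently being counted
    count: int = 0
    storm: bool = False
    quiet: int = 0          # consecutive closed windows at or below the quiet limit


def _close_windows(c: _Counter, now: int, quiet_limit: int, quiet_needed: int) -> None:
    """Close every finished 1-second window up to `now`; a storm ends once
    `quiet_needed` consecutive windows held at most `quiet_limit` packets."""
    if now < c.window:
        raise ValueError("timestamps must not go backwards")
    while c.window < now:
        if c.storm:
            if c.count <= quiet_limit:
                c.quiet += 1
                if c.quiet >= quiet_needed:
                    c.storm, c.quiet = False, 0
            else:
                c.quiet = 0
        c.count = 0
        c.window += 1


class StormThrottle:
    def __init__(self, address_threshold=ADDRESS_THRESHOLD, port_threshold=PORT_THRESHOLD):
        self.addr_thr = dict(address_threshold)
        self.port_thr = dict(port_threshold)
        self.counters: Dict[Tuple, _Counter] = {}

    def _counter(self, key: Tuple, now: int) -> _Counter:
        return self.counters.setdefault(key, _Counter(window=now))

    def offer(self, now: int, port: int, src: str, kind: str) -> bool:
        """Return True to forward the packet, False to drop it.
        `kind` is 'broadcast' or 'multicast'; `now` is an integer second."""
        if kind not in self.addr_thr:
            raise ValueError(f"unknown packet kind {kind!r}")
        forward = True
        checks = (
            # key                          threshold             quiet limit               quiet secs
            (("addr", src.lower(), kind),  self.addr_thr[kind],  self.addr_thr[kind] - 1,  30),
            (("port", port, kind),         self.port_thr[kind],  0,                        1),
        )
        for key, threshold, quiet_limit, quiet_needed in checks:
            c = self._counter(key, now)
            _close_windows(c, now, quiet_limit, quiet_needed)
            c.count += 1
            if c.storm:
                forward = False
            elif c.count > threshold:
                c.storm = True          # the packet that crosses the line is dropped too
                forward = False
        return forward

    def in_storm(self, key: Tuple) -> bool:
        """Current state for a ('addr', mac, kind) or ('port', n, kind) key."""
        c = self.counters.get(key)
        return bool(c and c.storm)
```

Feeding the throttle a constructed burst of 20 broadcasts from one host in one second forwards the first 15 and drops the rest, and that host stays throttled until 30 quiet seconds have gone by; 40 hosts sending one broadcast each on the same port in the same second trip the port threshold instead, and the port recovers after its first packet-free second.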
Tunnel Partners

    Bridging Setup
        Protocol to Bridge or Tunnel (as above)
        [X] Pass Ethernet Broadcasts
        [X] Pass Ethernet Multicasts
        ( ) Bridge all non-listed protocols
        (*) Drop all non-listed protocols
        Advanced Features . . .
        Storm Thresholds . . .
        Tunnel Partners . . .

    Tunnel Partner IP
        128.146.10.10
        198.17.74.20
    [ ] Encrypt Bridge Tunnel Packets

Tunneling is a method of encapsulating Ethernet packets received from the "Local" port in an IP/UDP packet and sending them to one or more tunnel partners. Tunneling can be used to set up virtual Ethernet networks.

Tunnel Partners

If "Remote Bridging using IP Tunnels" is enabled in the General Setup menu then Tunnel Partners can be set up. This menu specifies the IP addresses of each of the Pinnacle Link Bridges/Pinnacle Link Routers that participate in the tunnel group. Specify the addresses of all the bridges that are participating in the tunnel group but DO NOT specify the IP address of this bridge.

[X] Encrypt Bridge Tunnel Packets

Some Pinnacle Link Bridges and Pinnacle Link Routers contain a special software encryption algorithm that is distinct from the optional WaveLAN DES encryption chip on wireless Pinnacle Link Bridges/Pinnacle Link Routers. If Data Encryption is enabled on the General Setup menu and an Encryption Key is set up in the Data Encryption menu, then enabling encryption here will cause all packets transmitted to tunnel partners to be encrypted and any packets received from tunnel partners to be decrypted. With this option disabled the tunnelled Ethernet frames cross the IP network in clear text.

Generic Ethernet Tunneling (Through an IP Network)

[Figure: three Pinnacle Link Bridges, one each on LAN A, LAN B and LAN C, connected through an Internet or campus IP network. A standard Ethernet packet from one LAN is encapsulated in IP/UDP, carried across the IP network, and delivered as a standard Ethernet packet on the other LANs.]

The three Pinnacle Link Bridges are set up to tunnel one or more protocols and each is a Tunnel Partner to the others. This configuration allows LAN A,
LAN B and LAN C to become a virtual private Ethernet network with the Internet as the transport mechanism for data between them. The encapsulated data packets can optionally be encrypted to make the virtual private network more secure.

STEP 4a: IP HOST SETUP

    Step 1 : General Setup . . .
    Step 2 : Port Setup . . .
    Step 3 : Bridge Setup . . .
    Step 4a: IP Host Setup . . .

    IP Host Setup
        Our IP Address:         128.146.10.20
        Our Subnet Mask:        FFFFFF00
        Default Router:         128.146.10.1
        Default TTL:            64
        Syslog Host Address:    0.0.0.0
        Syslog Host Facility:   1

NOTE: IP Routing in the General Setup menu must be disabled for this menu to be used.

Our IP Address

This is the IP address of the Pinnacle Link Bridge itself. If you wish to configure or monitor your Pinnacle Link Bridge, or if your network supports IP and you wish to enable the Ping support and IP/SNMP support of the Pinnacle Link Bridge, set this to a valid IP address. Setting this address to 0.0.0.0 disables the bridge's Ping and IP/SNMP support, and with it management of the bridge over the network. Please note that unless you enable IP Routing the Pinnacle Link Bridge is not an IP router. It has only one IP address and that address applies to both the Remote and Local networks (i.e. both sides of the bridge). Having two Ethernet interfaces with the same IP address is different from a standard IP host, but is appropriate for a transparent bridge. It is interesting to note that the Ethernet address of both ports is also the same.

Our Subnet Mask

Every IP network has what is referred to as a subnet mask. This should be set to the appropriate mask for your network. Note that this is a hex number, hence the mask 255.255.255.0 should be specified as FFFFFF00.

Default Router

Most every IP network has a default IP router and that address should be specified here.

Default TTL

IP hosts on the Internet send out packets with a default time to live parameter. If you wish to override the factory default of 64 you can specify your new default here.
Syslog Host Address

There are many events that the Pinnacle Link Bridge/Pinnacle Link Router can log. One of the places these events can be logged is on a computer equipped with the standard UNIX Syslog facility. If you want logs of this type to be kept then the IP address of the host that will take the logs must be entered here.

Syslog Host Facility

On Unix computers that you are using to log Pinnacle Link Bridge/Pinnacle Link Router events there are 7 categories of syslog messages available to you. This number specifies which category will be used. If this number is set to "1", then the facility used is local1, so the line in the syslog.conf file should be:

    local1.debug    filename

On most computers there must be exactly one tab between the word "debug" and the filename.

STEP 4b: IP ROUTER SETUP

    Step 1 : General Setup . . .
    Step 2 : Port Setup . . .
    Step 3 : Bridge Setup . . .
    Step 4a: IP Host Setup . . .
    Step 4b: IP Router Setup . . .

    IP Router Setup
        IP Address/Route    Mask        Target Router    Port/Cost
        128.146.10.1        FFFFFF00    Direct
        128.146.11.1        FFFFFF00    Direct
        Add/Direct    Add/Indirect
        Default Router:         128.146.1.1
        Default Router Port:    0
        Preferred IP Address:   128.146.10.1
        Default TTL:            64
        Syslog Host Address:    0.0.0.0
        Syslog Host Facility:   1
        [ ] Disable ARP Cache Aging

NOTE: IP Routing in the General Setup menu must be enabled for this menu to be used.

Default Router (IP Address)

This entry should be set to the IP address of the default router that this Pinnacle Link Router is to use when it does not know where to route a particular IP packet. If the port that the default router is connected to is a serial port then this entry is ignored.

Default Router Port

This entry should be set to the port that the default router is connected to. If the port that the default router is connected to is a serial port then this defines the port that is used for the default router.
Preferred IP Address

From time to time the Pinnacle Link Router will transmit unsolicited IP packets such as SNMP Traps, Syslog, RIP or IP ARP packets. Most routers use one of the IP addresses of one of the router ports, chosen arbitrarily, as the source IP address for these packets. On the Pinnacle Link Router you can specify the source IP address that you prefer to use for these packets. Pick the address your Syslog and SNMP trap hosts expect, so that their records attribute the messages to this router consistently.

Default TTL

IP hosts on the Internet send out packets with a default time to live parameter. If you wish to override the factory default of 64 you can specify your new default here.

Syslog Host Address

There are many events that the Pinnacle Link Bridge/Pinnacle Link Router can log. One of the places these events can be logged is on a computer equipped with the standard UNIX Syslog facility. If you want logs of this type to be kept then the IP address of the host that will take the logs must be entered here.

Syslog Host Facility

On Unix computers that you are using to log Pinnacle Link Bridge/Pinnacle Link Router events there are 7 categories of syslog messages available to you. This number specifies which category will be used. If this number is set to "1", then the facility used is local1, so the line in the syslog.conf file should be:

    local1.debug    filename

On most computers there must be exactly one tab between the word "debug" and the filename.

[X] Disable ARP Cache Aging

Use this option if you want to keep a permanent record of the IP to Ethernet address table for each computer directly connected to a port on this Pinnacle Link Router. This feature is helpful when used in conjunction with a corporate wide SNMP monitoring tool to create a database of all Ethernet to IP address combinations on your network. A standard IP router, and the Pinnacle Link Router, will age its ARP cache entries: it times out and deletes the ARP entries after a certain specified period (usually 10 minutes). The Pinnacle Link Router has the option of not aging (deleting) any ARP cache entries.
This will not normally cause any IP network problems but could result in a large ARP cache table. Since the typical Pinnacle Link Router can hold over 10,000 ARP entries this is not normally a problem. Note, however, that an entry that is never aged is only corrected when the router reboots: a host whose Ethernet address changes (for example after an interface card is replaced) will be unreachable through this router until then.

Add/Direct

This button activates a menu which is used to specify the "direct" routes for each of the ports on the Pinnacle Link Router. Direct routes are those that are directly connected to the ports. As an example, if port 0 is to have subnet 128.146.6.X connected to it, with an IP address of 128.146.6.1 and a subnet mask of 255.255.255.0, then an entry in this menu should be set up as: IP Address = 128.146.6.1; IP Mask = FFFFFF00; and Port = 0.

    IP Router Setup
        IP Address/Route    Mask        Target Router    Port/Cost
        128.146.10.1        FFFFFF00    Direct
        128.146.11.1        FFFFFF00    Direct
        128.146.6.1         FFFFFF00    Direct
        Add/Direct    Add/Indirect

        Input IP Route
            IP Address    IP Mask    Port

Add/Indirect

This button activates a menu which is used to specify the "indirect" routes for this Pinnacle Link Router. These routes are sometimes referred to as static routes. You can use indirect routes to define the way to get to subnets that are attached to other routers in your network. As an example, if subnet 198.17.74.0 is attached to a router 128.146.11.20, then in order for this Pinnacle Link Router to route packets to 198.17.74.1 you should specify an entry that is set up as: IP Address = 198.17.74.0; IP Mask = FFFFFF00; Target Router = 128.146.11.20; Cost = 1.

    IP Router Setup
        IP Address/Route    Mask        Target Router    Port/Cost
        128.146.10.1        FFFFFF00    Direct
        128.146.11.1        FFFFFF00    Direct
        128.146.6.1         FFFFFF00    Direct
        Add/Direct    Add/Indirect

        Input IP Route
            IP Address     IP Mask     Target Router    Cost
            198.17.74.0    FFFFFF00    128.146.11.20    1

STEP 5: SNMP SETUP

    Step 1 : General Setup . . .
    Step 2 : Port Setup . . .
    Step 3 : Bridge Setup . . .
    Step 4a: IP Host Setup . . .
    Step 4b: IP Router Setup . . .
    Step 5 : SNMP Setup . . .
    SNMP Setup
        Read Password:          public
        Read/Write Password:    XYZSB
        System Contact:         Joe Smith
        System Name:            Brouter #1
        System Location:        First Floor Closet
        Trap Host IP Address:
        Trap Host Password:
        [ ] Enable SNMP Cold/Warm Start Trap
        [ ] Enable SNMP Authentication Trap
        SNMP IP Access List
            Address         Mask        Port
            128.146.11.0    FFFFFF00    1
            164.254.0.0     FFFF0000    X
        Add    Delete    Edit    OK

Read Password

This is the read only password used for SNMP support. It is the SNMP password needed to read the Flash ROM configuration and SNMP MIB variables. The factory default value for this variable is the string public. Because this password alone is enough to read the configuration out of the bridge/router, it should also be changed from the default.

Read/Write Password

This is the read/write password used for SNMP support. It is the SNMP password needed to write the Flash ROM configuration and SNMP MIB variables into the bridge/router. The string should be set to a value that is known only by you. The factory default value for this variable is the string public and must be changed to a string known only to you.

System Contact

This field should contain the identification of the contact person for this SNMP managed node (i.e. this bridge/router) together with information on how to contact this person.

System Name

This field should contain the administratively assigned name for this managed node. By convention, this is the node's fully-qualified Internet domain name (ex: bridge20.karlnet.com).

System Location

This field should contain the physical location of this node (e.g. "telephone closet, 3rd floor").

Trap Host IP Address

This is the IP address of a network connected host that is set up to receive SNMP Trap messages from this bridge/router. If you do not have an SNMP Trap host then set this to 0.0.0.0.

Trap Host Password

This is the SNMP read/write password (community name) of the host that is set up to receive SNMP Trap messages. This field is ignored if the Trap Host IP Address described above is 0.0.0.0.
[X] Enable SNMP Cold/Warm Start Trap

If Cold/Warm Start traps are enabled then an SNMP Trap will be sent to the trap host whenever this bridge/router powers up, is restarted because of an internal software error, has just completed a Flash ROM reprogram and restart cycle, or reboots because the watchdog timer expired. Please see "Enable Watchdog Reboot Timer" under the General Setup menu.

[X] Enable SNMP Authentication Traps

If SNMP Authentication Traps are enabled and a Trap Host is set up properly, then an SNMP Trap will be sent to the trap host whenever an SNMP request is made of the bridge/router with the wrong password (community name). A run of these traps is the first sign of someone guessing community names, so they are worth enabling whenever a trap host exists.

SNMP IP Access List

You can optionally set up a list of networks, subnets and hosts that are authorized to access the Pinnacle Link Bridge/Pinnacle Link Router via SNMP. SNMP access lists are used in conjunction with well picked SNMP passwords and the special SNMP hardware protection jumpers to prohibit unauthorized access to the Flash ROM configuration database of this bridge/router. SNMP community names cross the network in clear text, so the access list is what limits what an attacker who has captured a password can do with it.

Examples:

1. IP Address: 128.146.11.0  Mask: FFFFFF00  Port: 1 will only allow SNMP access from the network 128.146.11.x, and only if the SNMP request was received from the portion of the network attached to Port 1.

2. IP Address: 164.254.0.0  Mask: FFFF0000  Port: X will only allow SNMP access from the network 164.254.x.x, received on any port.

STEP 6: SECURITY (FIREWALL) SETUP

    Step 1 : General Setup . . .
    Step 2 : Port Setup . . .
    Step 3 : Bridge Setup . . .
    Step 4a: IP Host Setup . . .
    Step 4b: IP Router Setup . . .
    Step 5 : SNMP Setup . . .
    Step 6 : Security (Firewall) Setup . . .  >  UDP/TCP . . .
    Step 7 : Data Encryption Setup . . .         AppleTalk . . .
                                                 DECNET . . .
                                                 Novell (IPX) . . .

Security firewalls are enabled in the "General Setup" menu. If Security Filters are enabled, and the protocols that have security firewall capability (i.e. IP/UDP/TCP, AppleTalk, DECNET, or Novell IPX) are enabled to be passed through the bridge/brouter, then additional protection is added for these protocols.
Security filters cause the Pinnacle Link Bridge/Pinnacle Link Router to analyze each packet at the application level to determine if it should be passed or dropped.

Remote & Local Menus

Some of these menus are marked "Remote" and some are marked "Local". Remote menus configure filters that pertain to networks, subnets, and/or hosts that are connected to the Remote network (i.e. the Remote port of the Pinnacle Link Bridge/Pinnacle Link Router). Local menus configure filters that pertain to networks, subnets, and/or hosts that are connected to the Local network (i.e. the Local port of the Pinnacle Link Bridge/Pinnacle Link Router). You can determine whether a port is Remote or Local by looking at the Port Setup menu.

Pass or Drop Menu Modes

Each menu can be in a mode to either pass (permit) or drop (deny) the items listed in it. The concept is that in most situations one wants either to drop a few selected items or to pass a few selected items of each type. If a menu is EMPTY and is set to "Pass Following..." then all packets of that type will be dropped: you are passing an empty list, so nothing is passed. If a menu is EMPTY and is set to "Drop Following..." then all packets of that type will be passed. Check the mode of every menu you leave empty; for that item type the difference between an empty Pass menu and an empty Drop menu is the difference between a closed and an open firewall.

IP/UDP/TCP SECURITY FILTER (This will only appear if IP is being bridged or routed)

    Security (Firewall) Setup
        UDP/TCP . . .
        AppleTalk . . .
        DECNET . . .
    UDP/TCP Security Filter
        Local IP Address & Mask           Remote IP Address & Mask
        128.146.10.0  FFFFFF00     <->    198.20.20.0  FFFFFF00
        128.126.10.0  FFFFFF00     <->    0.0.0.0      00000000
        0.0.0.0       00000000     <->    0.0.0.0      00000000
        [ ] Pass All IP Source Routed Packets
        [ ] Log Break-in Attempts
        [ ] Enable Destination Unreachable Messages
        [ ] Pass IP Multicast Packets
        [ ] Enable Authenticated Firewall By-Pass
        [ ] Pass IP Packets with suspicious IP header
        [ ] Log all TCP Establish Packets

Remote/Local IP Address & Mask Menu

This menu specifies the IP network, subnet, and/or single machine that is to have its IP packets passed, dropped, logged, or encrypted. Each packet's IP source and destination address is checked against each entry in the list to determine what action should be performed on the packet. Matching starts with the first entry and goes down the list looking for the first match. When a match is found, the action specified by the socket menus for that line is performed immediately; later entries are not consulted, so place the most specific address pairs first and a catch-all pair (0.0.0.0 with mask 00000000) last. The packet's IP addresses are logically ANDed with the mask and then compared with the entry's IP address to determine if a match has occurred.

NOTE: This menu specifies the IP networks, IP subnets and IP hosts on the remote network that hosts on the local network can communicate with. This menu does not specify IP routes and is not used to set up IP routing.

[X] Pass All IP Source Routed Packets

Source routed packets are special IP packets that are rarely used. In certain situations they can also be used by hackers to spoof firewalls, because a source routed packet with a forged source address can still have its replies delivered back to the attacker along the route it carries. You should set this to Drop unless you know you need to pass source routed packets.

[X] Log Break-in Attempts

Enabling the logging of break-in attempts will cause a Syslog packet to be sent to the Syslog server each time the security filter module detects and drops a packet.
[X] Enable Destination Unreachable Messages

Destination unreachable messages are normally sent by routers when a packet cannot be delivered to its final destination for one of several reasons. If the dropped packet is a UDP packet then usually an ICMP Destination Unreachable packet is sent to the originator of the dropped IP packet. If the packet is a TCP packet then a TCP Reset packet is usually sent. If you enable this feature then the Pinnacle Link Bridge/Pinnacle Link Router's security module will send either an ICMP destination unreachable packet or a TCP Reset packet to the originator of the dropped packet. This feature is helpful because software such as telnet will quickly detect that a connection cannot be made. It can also tip off a potential hacker that a security firewall is being used: a reset or unreachable that comes back for some ports and not for others maps out the filter. Leave it disabled if you would rather have dropped packets time out silently.

[X] Pass IP Multicast Packets

IP multicast packets are normally used for M-Bone audio and video data transmissions on a local network. IP multicast packets will penetrate through bridges and can cause abnormal behavior on some network attached computers. It is recommended that you Drop IP multicast packets unless you know you need them.

[X] Enable Authenticated Firewall By-Pass

The Pinnacle Link Bridge/Pinnacle Link Router's UDP/TCP firewall filters can be dynamically bypassed. This feature enables data between particular subnets or hosts to flow through the firewall untouched by any security filters. It is very powerful and can be used to create a way to authenticate access by logging into a particular network or host. If enabled, it can also be used by a hacker to gain unauthorized access to your network. If you enable this feature you must take great care to set up SNMP passwords and access lists to prevent such unauthorized tampering with your firewall.
[X] Pass IP Packets with suspicious IP header

If you set this to "drop" then each IP packet that passes through the Pinnacle Link Bridge/Pinnacle Link Router is checked for inconsistencies in its IP header. If an anomaly is found the packet is dropped.

[X] Log all TCP Establish Packets

Each IP/TCP packet that travels through the bridge/router is checked to see if it is the special TCP SYN packet. This type of packet is always sent in a TCP/IP network to initiate a TCP connection. As an example, when a Telnet client attempts to connect to a Telnet server it sends a TCP SYN packet. If you enable this setting a SYSLOG message will be sent to the SYSLOG server each time a TCP program attempts to connect to another TCP program such as a Telnet or FTP server.

    UDP/TCP Security Filter
        Remote IP Address & Mask          Local IP Address & Mask
        198.20.20.0  FFFFFF00      <->    128.146.10.0  FFFFFF00
        0.0.0.0      00000000      <->    128.126.10.0  FFFFFF00
        0.0.0.0      00000000      <->    0.0.0.0       00000000

        UDP/TCP Security Filter for Connection 198.20.20.0 FFFFFF00 <-> 128.146.10.0 FFFFFF00
            (*) Pass ( ) Drop             (*) Pass ( ) Drop             (*) Pass ( ) Drop
            Following Remote Servers      Following Local Servers       Following > 1024 Servers
            Domain Name Server            TELNET
                                          SMTP
            < drop all others >           < drop all others >
            [ ] Enable Data Encryption on Packets
            [X] Pass IP/ICMP Packets (including PING)
            [ ] Pass IP Packets that are not TCP/UDP

Once a packet's source and destination IP address matches an entry in the Remote/Local IP Address Menu, the UDP/TCP sockets are tested against this menu to determine if the packet is to be passed or dropped.

Following Remote Servers

This menu specifies which sockets with values less than 1024 on computers connected to the remote port are to be passed and which are to be dropped.

Following Local Servers

This menu specifies which sockets with values less than 1024 on computers connected to the local port are to be passed and which are to be dropped.
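The evaluation the manual describes for these menus, as an added example (not code from the Pinnacle manual). One block serves two passages: the SNMP IP Access List from Step 5 (address, hex mask, port or X for any port) and the UDP/TCP Security Filter (first matching Local/Remote address pair, then the "Following ... Servers" menus, including the "> 1024" menu and the ICMP and non-TCP/UDP switches described next). The rules come from the text: addresses are ANDed with the mask before comparison, the first matching pair wins, an empty Pass menu passes nothing and an empty Drop menu passes everything, and source-routed packets have their own switch. Assumptions of this example: a packet that matches no address pair is dropped, when both ends of a packet use a socket below 1024 the remote side's menu decides, and the Packet record, class names and the rules in sample_firewall() are constructed here.

```python
"""UDP/TCP security filter evaluation and the SNMP IP Access List.

Added example, not code from the Pinnacle manual. Rules from the text:
addresses are ANDed with a hex mask and compared; the first matching
Local<->Remote pair wins; an EMPTY menu in Pass mode passes nothing, an
EMPTY menu in Drop mode passes everything. Assumptions: no matching pair
means drop; if both ends use a socket below 1024 the remote menu decides.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


def ip_matches(addr: str, net: str, mask_hex: str) -> bool:
    """True when addr and net agree on every bit set in the hex mask."""
    m = int(mask_hex, 16)
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(net)) & m)


@dataclass(frozen=True)
class AccessEntry:                 # one line of the SNMP IP Access List
    net: str
    mask: str
    port: Optional[int]            # None is the menu's "X": received on any port


def snmp_allowed(acl: List[AccessEntry], src: str, port: int) -> bool:
    """An empty list is no restriction; the manual calls the list optional."""
    return not acl or any(ip_matches(src, e.net, e.mask) and e.port in (None, port)
                          for e in acl)


@dataclass
class Menu:                        # a "Following ... Servers" menu
    mode: str                      # "pass" or "drop"
    sockets: Set[int] = field(default_factory=set)

    def allows(self, socket: int) -> bool:
        listed = socket in self.sockets
        return listed if self.mode == "pass" else not listed


@dataclass
class Packet:                      # constructed record of what the filter sees
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    proto: str                     # "tcp", "udp", "icmp" or another protocol name
    to_remote: bool                # True: received on Local, destined for Remote
    source_routed: bool = False


@dataclass
class Connection:                  # one Local <-> Remote address pair and its menus
    local_net: str
    local_mask: str
    remote_net: str
    remote_mask: str
    remote_servers: Menu           # sockets < 1024 on remote hosts
    local_servers: Menu            # sockets < 1024 on local hosts
    high_servers: Menu             # sockets >= 1024 on either side
    pass_icmp: bool = True         # "Pass IP/ICMP Packets (including Ping)"
    pass_other: bool = False       # "Pass IP Packets that are not TCP/UDP"

    def matches(self, p: Packet) -> bool:
        return (ip_matches(p.local_ip, self.local_net, self.local_mask)
                and ip_matches(p.remote_ip, self.remote_net, self.remote_mask))

    def allows(self, p: Packet) -> bool:
        if p.proto == "icmp":
            return self.pass_icmp
        if p.proto not in ("tcp", "udp"):
            return self.pass_other
        if p.remote_port < 1024:
            return self.remote_servers.allows(p.remote_port)
        if p.local_port < 1024:
            return self.local_servers.allows(p.local_port)
        # Both sockets >= 1024: the server is the end the packet is going to.
        return self.high_servers.allows(p.remote_port if p.to_remote else p.local_port)


@dataclass
class Firewall:
    connections: List[Connection]
    pass_source_routed: bool = False
    log: List[str] = field(default_factory=list)    # "Log Break-in Attempts"

    def evaluate(self, p: Packet) -> str:
        """'pass' or 'drop'; every drop is logged like a Syslog break-in record."""
        if p.source_routed and not self.pass_source_routed:
            return self._drop(p, "source routed packet")
        for c in self.connections:                 # first matching pair wins
            if c.matches(p):
                return "pass" if c.allows(p) else self._drop(p, "socket not permitted")
        return self._drop(p, "no matching address pair")

    def _drop(self, p: Packet, why: str) -> str:
        self.log.append(f"drop {p.proto} {p.local_ip}:{p.local_port} <-> "
                        f"{p.remote_ip}:{p.remote_port} ({why})")
        return "drop"


def sample_firewall() -> Firewall:
    """The screen above as rules, followed by a catch-all pair that passes nothing."""
    main = Connection("128.146.10.0", "FFFFFF00", "198.20.20.0", "FFFFFF00",
                      remote_servers=Menu("pass", {53}),       # Domain Name Server
                      local_servers=Menu("pass", {23, 25}),    # TELNET, SMTP
                      high_servers=Menu("pass"))               # empty Pass: nothing
    catch_all = Connection("0.0.0.0", "00000000", "0.0.0.0", "00000000",
                           Menu("pass"), Menu("pass"), Menu("pass"), pass_icmp=False)
    return Firewall([main, catch_all])
```

With the sample rules, local hosts can query DNS on the remote network and receive the replies, remote hosts can reach the local Telnet and SMTP servers, and an outbound SMTP connection, anything between two high sockets, a non-TCP/UDP packet and a source routed packet are all dropped and logged. The empty Pass menu for "> 1024 Servers" is what closes the high sockets; the same menu left empty in Drop mode would open all of them.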
Following > 1024 Servers

This menu specifies which sockets with values greater than or equal to 1024 on computers connected to either the local or the remote port are to be passed and which are to be dropped.

[X] Enable Data Encryption on Packets

After a packet's source and destination IP address matches an entry in the Remote/Local IP Address Menu, the data portion of the UDP or TCP packet can optionally be encrypted (if received on the local port and destined for the remote port) or decrypted (if received on the remote port and destined for the local port). You can specify the encryption/decryption key on the Setup > Data Encryption menu.

[X] Pass IP/ICMP Packets (including Ping)

After a packet's source and destination IP address matches an entry in the Remote/Local IP Address Menu, it can be tested to see if it is an ICMP packet. You can optionally drop any ICMP packets to/from the matched IP addresses. Leave this enabled if you wish to allow ping packets to pass through the firewall. You can drop all ICMP (including Ping) packets if you wish to hide the computers on the other side of the firewall from potential hackers using ping to discover their existence.

[X] Pass IP Packets that are not TCP/UDP

If a packet's source and destination IP address matches an entry in the Remote/Local IP Address Menu and it is either TCP or UDP, its socket number will be tested to see if it should be passed or dropped. If the packet is neither UDP nor TCP then a decision must be made about what to do with it, since it does not have a socket number. Most IP packets are UDP or TCP, with the exception of IGP. Since most LANs do not use IGP it is best to drop packets that are not UDP/TCP. This helps keep hackers from sending non-UDP and non-TCP packets through the firewall.

APPLETALK FILTERS (Will only appear if AppleTalk is being bridged)

    Security (Firewall) Setup
        UDP/TCP . . .
        AppleTalk . . .
        DECNET . . .

    AppleTalk Services Filter
        (*) Pass ( ) Drop            (*) Pass ( ) Drop             (*) Pass ( ) Drop
        Following Zone Names         Following Remote Servers      Following Local Servers
        Engineering Zone
        (*) Pass ( ) Drop            (*) Pass ( ) Drop
        Following Remote Printers    Following Local Printers
        Expensive Laser
        Add    Delete    Edit    OK

When Macintoshes are networked together, one of the undesirable side effects is that all Macintoshes can "see" in their Choosers all servers and all printers that are connected to the network. If multiple zones are specified then there is some form of protection, but a user need only select a zone and can then choose a printer to print to anywhere in the network. These menus configure the Pinnacle Link Bridge to selectively restrict access to specified Apple servers and/or Apple printers. The Pinnacle Link Bridge is not an AppleTalk router and has none of the characteristics of an AppleTalk router. It is simply a bridge that, for AppleTalk, can promote or prohibit the appearance of server and/or printer names in the Chooser.

CAUTION: It is a common characteristic of AppleTalk networks with multiple routers to have configuration problems if all of the routers do not agree on zone names and network numbers. The Pinnacle Link Bridge is not an AppleTalk router, so it does not contribute to this problem; these menus will not, however, remedy it. If you wish to isolate a local AppleTalk network from a remote AppleTalk network you must be sure to drop AppleTalk and AppleTalk ARP in the "Ethernet Protocol Menu".

(*) Pass ( ) Drop Apple Zone Name Menu

This menu specifies the AppleTalk Zone names that are to be passed or dropped. Each of the Apple Zones can be named in this menu. The menu entry "*" (a single asterisk) is the standard AppleTalk code that means "my Zone".
As an example, if the Local LAN's Zone name is Tiger and you wish to see in your Chooser printers and servers from a Remote LAN with the Zone name Tiger, then two entries must appear in this menu: the string Tiger, and on the next line "*". This is because sometimes AppleTalk explicitly asks for printers and servers in the Zone Tiger and sometimes it uses "*" as shorthand for Tiger (i.e. "my Zone").

(*) Pass ( ) Drop Apple Remote Servers Menu

This menu specifies the Remote file servers that are to appear in the Local LAN's Macintosh Choosers, regardless of Zone. If the Local LAN's Macintoshes are not to see any Remote file servers then this menu should be set to "Pass Apple Remote Servers" with no entries in it. This forces the Pinnacle Link Bridge to pass none of the Remote file server names to the Local LAN. If all Remote file servers are to be seen by the Local LAN then this menu should be empty and set to "Drop Apple Remote Servers".

(*) Pass ( ) Drop Apple Local Servers Menu

This menu specifies the Local file servers that are to appear in the Remote LAN's Macintosh Choosers, regardless of Zone. If the Remote Macintoshes are not to see any Local file servers then this menu should be set to "Pass Apple Local Servers" with no entries in it. This forces the Pinnacle Link Bridge to pass none of the Local LAN's file server names to the Remote network. If all of the Local file servers are to be seen by the Remote network then this menu should be empty and set to "Drop Apple Local Servers".

(*) Pass ( ) Drop Apple Remote Printers Menu

This menu specifies the Remote printers that are to appear in the Local LAN's Macintosh Choosers, regardless of Zone. If the Local LAN's Macintoshes are not to see any Remote printers then this menu should be set to "Pass Apple Remote Printers" with no entries in it. This forces the Pinnacle Link Bridge to pass none of the Remote printer names to the Local LAN.
If all Remote printers are to be seen by the Local LAN then this menu should be empty and set to "Drop Apple Remote Printers".

(*) Pass ( ) Drop Apple Local Printers Menu: This menu specifies the Local printers that are to appear in the Remote LAN's Macintosh Choosers, regardless of Zone. If the Remote Macintoshes are not to see any Local printers then this menu should be set to "Pass Apple Local Printers" with no entries in it. This will force the Pinnacle Link Bridge to pass none of the Local LAN's printer names to the Remote network. If all of the Local printers are to be seen by the Remote network then this menu should be empty and set to "Drop Apple Local Printers".

DECNET FILTERS (Will only appear if DECNET is being bridged)

[Screen: the Security (Firewall) Setup menu lists UDP/TCP . . ., AppleTalk . . . and DECNET . . .; the DECNET Services Filter screen shows "( ) Pass ( ) Drop" selectors for Following Address & Mask, Following Remote Objects, Following Local Objects, Following Remote Object 0 and Following Local Object 0, with sample entries "20.1022 3F.3FF" and "21.0 3FAO" under Address & Mask, "CTERM (SETHOST) 42" under the Object lists together with "17" and "27", and the buttons Add, Delete, Edit, OK.]

(*) Pass ( ) Drop Following Address & Mask Menu: This menu specifies the DECNET Areas and Hosts that are to be passed or dropped. Each entry consists of a DECNET Address and a special Mask; a packet that matches is then either passed or dropped as specified. Each DECNET packet's source and destination address is checked against each entry in the list to determine if the packet is to be passed or dropped. Matching is performed on the first entry first and then goes down the list. When a match is found the action specified on that line is performed immediately. The packet's DECNET addresses are logically "anded" with the mask and then compared with the specified DECNET address to determine if a match has occurred. Addresses are specified in the standard DECNET syntax: Area.Host.
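The first-match address-and-mask rule described above, as an added Python example that is not part of this manual or of the product's firmware. It assumes the 16-bit DECnet layout (area in the top 6 bits, host in the low 10), a per-line pass/drop action, and a caller-supplied default for packets that match no entry; the table entries are constructed after the sample screen.

```python
from dataclasses import dataclass
from typing import List

def parse_decnet(addr: str) -> int:
    """'Area.Host' in decimal -> 16-bit DECnet address (area = top 6 bits, host = low 10)."""
    area, host = (int(x) for x in addr.split("."))
    if not (0 <= area <= 63 and 0 <= host <= 1023):
        raise ValueError(f"bad DECnet address {addr!r}")
    return (area << 10) | host

def parse_mask(mask: str) -> int:
    """'AA.HHH' in hexadecimal -> 16-bit mask laid out exactly like the address."""
    area, host = (int(x, 16) for x in mask.split("."))
    if not (0 <= area <= 0x3F and 0 <= host <= 0x3FF):
        raise ValueError(f"bad DECnet mask {mask!r}")
    return (area << 10) | host

@dataclass(frozen=True)
class Entry:
    address: int  # specified Area.Host, compared against the masked packet address
    mask: int     # bits of the packet address that are significant
    action: str   # per-line action (assumed): "pass" or "drop"

def make_entry(address: str, mask: str, action: str) -> Entry:
    if action not in ("pass", "drop"):
        raise ValueError(f"action must be pass or drop, got {action!r}")
    return Entry(parse_decnet(address), parse_mask(mask), action)

def filter_packet(entries: List[Entry], src: str, dst: str, default: str) -> str:
    """Walk the list in order; each entry is tried against the packet's source and
    destination address, the first hit decides, and `default` applies otherwise."""
    addrs = (parse_decnet(src), parse_decnet(dst))
    for e in entries:
        if any((a & e.mask) == e.address for a in addrs):
            return e.action
    return default

# Constructed table modelled on the sample screen: host 20.1022 exactly (mask 3F.3FF),
# then every host in area 21 (mask 3F.0 clears the host bits before the compare).
TABLE = [
    make_entry("20.1022", "3F.3FF", "pass"),
    make_entry("21.0", "3F.0", "drop"),
]

if __name__ == "__main__":
    for src, dst in (("20.1022", "7.3"), ("21.517", "7.3"), ("7.3", "9.9")):
        print(f"{src} -> {dst}: {filter_packet(TABLE, src, dst, default='drop')}")
```

With the menu set to "Pass Following" the unmatched case falls to the drop default, which is the fail-closed behaviour the AppleTalk and DECNET menus share when their lists are empty.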
The special mask is a hexadecimal number that specifies a bit mask to be "anded" with the packet's DECNET address prior to being compared with the specified DECNET address.

NOTE: The Pinnacle Link Bridge is not a DECNET Router. This menu specifies the DECNET hosts and/or DECNET areas that hosts on either the local or remote network can communicate with.

(*) Pass ( ) Drop Remote Objects Menu: This menu specifies the DECNET Objects on remote DECNET hosts that are to be passed or dropped. Each DECNET connect packet is checked against each entry in the list to determine if the packet is to be passed or dropped.

(*) Pass ( ) Drop Remote Object 0 Menu: This menu specifies the DECNET Object 0 names on remote hosts that are to be passed or dropped. Each DECNET connect packet to DECNET Object 0 is checked against each entry in the list to determine if the packet is to be passed or dropped.

(*) Pass ( ) Drop Local Objects Menu: This menu specifies the DECNET Objects on the local hosts that are to be passed or dropped. Each DECNET connect packet is checked against each entry in the list to determine if the packet is to be passed or dropped.

(*) Pass ( ) Drop Local Object 0 Menu: This menu specifies the DECNET Object 0 names that are to be passed or dropped. Each DECNET connect packet to DECNET Object 0 is checked against each entry in the list to determine if the packet is to be passed or dropped.

NOVELL (IPX) FILTERS (Will only appear if Novell is being bridged)

[Screen: the Security (Firewall) Setup menu lists UDP/TCP . . ., AppleTalk . . ., DECNET . . . and Novell (IPX) . . .]
[Screen: NOVELL Services Filter, with "( ) Pass ( ) Drop" selectors for Following Networks, Following Remote Servers, Following Local Servers, Following Remote Services and Following Local Services, sample entries "00000040" (network), "SERVER 1" (server) and "Print Queue" (service), and the check boxes "[X] Enable Outgoing SLIST Commands" and "[ ] Enable Incoming SLIST Commands".]

When Novell systems are networked together, one of the undesirable side effects is that all Novell servers can be seen by all other Novell servers and clients that are connected to the network. These menus configure the Pinnacle Link Bridge/Pinnacle Link Router to selectively restrict access to specific Novell networks, servers and/or services.

The Pinnacle Link Bridge/Pinnacle Link Router is not a Novell router. It does not have any of the characteristics of a Novell router. The Pinnacle Link Bridge/Pinnacle Link Router is simply a bridge that, for Novell IPX, can promote or prohibit specific services.

Following Networks: This menu specifies the Novell networks that will be passed (permitted) or dropped (denied) through the Pinnacle Link Bridge/Pinnacle Link Router. You can use it to firewall off specific Novell networks from other Novell networks.

Following Remote Servers: This menu specifies the Remote Novell servers that are to be accessible by the Local LAN.

Following Local Servers: This menu specifies the Local Novell servers that are to be accessible by the Remote LAN.

Following Remote Services: This menu specifies the Remote Novell services that are to be accessible by the Local LAN.

Following Local Services: This menu specifies the Local Novell services that are to be accessible by the Remote LAN.

[X] Enable Outgoing SLIST Commands: The Novell SLIST and related commands bypass the normal Novell Remote Server filters of the Pinnacle Link Bridge/Pinnacle Link Router. This is a special filter that enables or disables the Novell server listing commands from local clients to remote servers.
[X] Enable Incoming SLIST Commands: The Novell SLIST and related commands bypass the normal Novell Remote Server filters of the Pinnacle Link Bridge/Pinnacle Link Router. This is a special filter that enables or disables the Novell server listing commands from remote clients to local servers.

STEP 7: DATA ENCRYPTION SETUP

[Screen: the setup menu lists General Setup . . ., Step 2 : Port Setup . . ., Step 3 : Bridge Setup . . ., Step 4a : IP Host Setup . . ., Step 4b : IP Router Setup . . ., Step 5 : SNMP Setup . . ., Security (Firewall) Setup . . . and Data Encryption Setup . . .; the Data Encryption screen has an Encryption Password field.]

Data Encryption: The Pinnacle Link Bridge/Pinnacle Link Router contains a proprietary software encryption algorithm developed in the United Kingdom. This encryption algorithm can be applied to Pinnacle Link Bridge Tunneled packets, IP UDP/TCP packets, or all packets sent to or received from a particular non-Ethernet port.

[Figure: Adding Data Encryption (To IP/UDP/TCP Packets). Labels: Standard IP/UDP/TCP Packet; Secure Encrypted IP Packet if Destined for Pinnacle Bridge Decrypter; Internet or Campus IP Network; Insecure Standard LAN; Standard IP/UDP/TCP Packet.]

[Figure: Generic Ethernet Tunneling (Through an IP Network). Labels: Standard Ethernet Packet; Ethernet Packet Encapsulated in IP/UDP; Internet or Campus IP Network; Standard Ethernet Packet.]